Network Pentesting of 2,000 IPs for a HIPAA-Compliant Healthcare IT Company
Customer
The Customer is one of the leading US healthcare IT companies. They provide cloud-based EHR and telehealth solutions to medical professionals across the globe.
Challenge
The Customer puts great efforts into preventing HIPAA compliance breaches and service downtimes that can be caused by cyberattacks. As one of the key steps in their security management plan, the Customer undergoes quarterly security testing of their network. Satisfied with previous security testing services provided by ScienceSoft, the Customer reached out to ScienceSoft’s team again to perform network penetration testing.
Solution
To simulate real-life cyberattacks, ScienceSoft opted for black box penetration testing. The testing engineers assigned to the project had no prior knowledge of the Customer’s network.
ScienceSoft’s security team conducted pentests targeting ~2,000 IPs and evaluated the overall network security level as medium. Due to the Customer’s consistent and efficient vulnerability management, their network was free of severe vulnerabilities. However, the testers still detected a few security issues that required fixing to ensure top-level protection of the IT network: a load balancer disclosing IP information, insecure SSL encryption, and an outdated TLS version in use.
ScienceSoft’s security experts provided the Customer with detailed guidance on network vulnerability remediation. The corrective measures included:
- Encrypting cookies that disclosed confidential information about the internal infrastructure.
- Disabling weak hashing algorithms of an SSL certificate.
- Using the latest TLS version.
- Disabling unused public ports to reduce the network attack surface.
ScienceSoft’s security testing team used the NIST 800-115 methodology and classified detected vulnerabilities according to the NIST CVSS. The whole penetration testing project took 24 days from planning and execution to analyzing the results and reporting.
Results
The Customer received a comprehensive report on the performed penetration testing activities and their results, including a remediation plan for the revealed security issues. The Customer’s security team was able to fix the found vulnerabilities in time and achieve a high level of network security.
Technologies and Tools
Nessus, Burp Suite, Nmap, SSLScan, sqlmap, cURL, dirb, Wireshark. Custom scripts (Python, PHP, JavaScript and Perl scripts for the exploitation of vulnerabilities).