Social Engineering and Penetration Testing for a US Healthcare Provider with 10+ Facilities
Customer
The Customer is a large US healthcare provider. It has 10+ facilities that offer a vast range of medical services, including general and emergency care, surgery, dentistry, laboratory and imaging services.
Challenge
The Customer regularly undergoes security testing of their IT environment to detect vulnerabilities that may endanger their HIPAA compliance and lead to security breaches. Due to COVID-related challenges, the Customer had to postpone their scheduled security testing for a few months. To make up for the delay, they wanted a thorough inspection of their internal networks and public IPs, as well as a check of their staff's cybersecurity awareness. They turned to ScienceSoft as a recognized penetration testing provider with experience in healthcare IT since 2005.
Solution
Taking into account the Customer’s network complexity, as well as time and budget constraints, ScienceSoft’s security team planned the penetration testing project, choosing gray box testing as the optimal approach. For public IPs, ScienceSoft’s security engineers decided to perform a black box penetration test first to discover potential ways for malicious actors to enter the system. Following the Customer’s request to conduct social engineering testing, ScienceSoft’s team also planned an email phishing campaign.
External penetration testing
To assess the security of the Customer’s 30 public IPs and 5 Wi-Fi access points, ScienceSoft’s security experts conducted black box penetration tests. Our team was happy to discover that there were no vulnerabilities that potential attackers could exploit to access the Customer’s sensitive data and internal infrastructure from outside.
Penetration testing of internal networks
As a result of gray box penetration testing, ScienceSoft’s experts revealed multiple vulnerabilities that could compromise the security of the Customer’s network. The most severe issues included:
- Remote code execution vulnerabilities that would allow attackers to enter the network and go as far as installing or disabling applications, accessing or altering sensitive data, and creating new accounts with user privileges.
- Outdated software with numerous known vulnerabilities that could enable denial of service or spoofing attacks, as well as lead to data breaches.
- Missing user authentication on several servers and a remote printer.
- Obsolete SSL versions in use, which could enable man-in-the-middle attacks or decryption of data in transit between the affected components of the Customer’s IT ecosystem.
ScienceSoft’s security experts delivered a comprehensive guide to the corrective measures required to remediate the revealed security issues. They included: applying software security patches and updating the software to the latest versions, setting up proper user authentication where it was missing, disabling SSL and using TLS 1.2 or higher instead, etc.
Social engineering testing
To test the most probable social engineering attack scenarios, ScienceSoft’s team simulated email phishing attacks targeting the Customer’s C-suite and department managers. The testers used emails with malicious links, fake login forms, and executable attachments.
The level of user vigilance was evaluated as high: only one third of the targeted employees opened the phishing emails, and none of them acted on the request contained in the email. ScienceSoft’s security experts provided recommendations on further improving the corporate email policy and promoting cybersecurity awareness among the staff.
The entire pentesting project with the email phishing campaign took 30 days from planning and execution to analyzing the results and reporting.
Results
The Customer got a professional evaluation of their network’s resilience to the most probable cyber threats. They received an exhaustive description of the revealed security gaps, prioritized by criticality, which enabled the Customer to focus on addressing the most urgent issues first. ScienceSoft also provided the Customer with a comprehensive vulnerability remediation roadmap required to ensure a high level of security for their IT infrastructure.
The Customer also received tangible proof that their cybersecurity training for employees was effective enough to make the staff aware of social engineering attacks.
Technologies and Tools
Metasploit, Nessus, Zenmap, OWASP ZAP, Wireshark.