Pentesting for a 500K+ Member Nonprofit Prevented Data Breaches and Financial Losses
About Our Customer
The Customer is a US nonprofit organization founded almost eight decades ago. Its insurance underwriter is featured on the Forbes list of The World’s Best Insurance Companies 2023. The Customer supports 500,000+ members with life insurance, healthcare, education, and other benefits.
Major Nonprofit Looking for Proven IT Security Expertise
The Customer was looking for an experienced cybersecurity vendor to spot potential vulnerabilities, evaluate the security risk level, and suggest protective measures for its large-scale intranet (up to 800 IP addresses).
Gray Box Pentesting Uncovered 20 Urgent Security Issues
With 20+ years of experience in cybersecurity, ScienceSoft met the Customer's vendor selection criteria and took on the project.
Based on a careful analysis of the Customer's security needs, ScienceSoft's team selected the gray box approach to imitate the actions of an attacker who has already gained low-privilege access to the intranet.
Our pentesters started with vulnerability assessment: they scanned the network using automated tools and manually validated the scanning results. After excluding false positives, the team attempted to exploit the found security misconfigurations, broken authentication mechanisms, poor access control, and other vulnerabilities. As a result, our pentesters managed to gain unauthorized higher-level access to the infrastructure and sensitive data.
ScienceSoft performed the pentesting activities based on the PTES and NIST 800-115 methodologies. Using the NIST CVSS threat classification standard, ScienceSoft's cybersecurity experts assessed the vulnerabilities based on their exploitation likelihood and potential impact. They identified 9 high-severity and 11 medium-severity security issues posing risks of financial losses and reputational damage. These security gaps could lead to personal data leakage, sensitive data disclosure, and malware distribution, and included:
- Poor access control to the Redis database, network devices, and shared folders with admin credentials and other confidential information.
- Outdated software components with a total of 29 known vulnerabilities across 55 hosts.
- Outdated and vulnerable SSLv3 protocol used by several remote services to encrypt connections.
- Several web servers supported unencrypted plaintext authentication, so an attacker could intercept the traffic to obtain the logins and passwords of valid users.
To fix these issues, our team recommended the following steps:
- Setting up strict access controls according to the principle of least privilege and a strong password policy forbidding default credentials and blank or weak passwords.
- Configuring access control lists and firewall rules so that only selected remote hosts can connect to data storage systems.
- Moving sensitive information from plaintext documents and shared folders to secure storage.
- Updating software to the latest version.
- Disabling the support of SSLv3 and using TLS 1.2 and TLS 1.3 protocols instead.
- Configuring authentication data encryption using HTTPS.
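The recommendations above can be checked against configuration files before a retest. The following Python script is an added example written for this page, not ScienceSoft's tooling or the Customer's configuration: it audits a constructed redis.conf and a constructed nginx configuration for the weak settings named in the findings (Redis reachable without authentication or bind restrictions, SSLv3 and other legacy protocols enabled, HTTP authentication on a non-TLS listener) and shows a hardened counterpart of each file that passes cleanly. All file contents, hostnames and the password placeholder are made up; the parsers are deliberately minimal and only handle the directive-per-line layout of the samples.

```python
"""Audit Redis and nginx configuration for the weak settings a gray box
pentest typically flags. Added example; all sample configs below are constructed."""
from typing import List, Tuple

Directive = Tuple[str, List[str]]

# Constructed sample: Redis exposed on every interface with no authentication.
WEAK_REDIS_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is not set: anyone who can reach 6379/tcp has full access
"""

# Constructed sample: bound to specific addresses, protected mode on, auth required.
HARDENED_REDIS_CONF = """
bind 127.0.0.1 10.0.5.20
protected-mode yes
port 6379
requirepass REPLACE-WITH-STRONG-PASSWORD
rename-command CONFIG ""
"""

# Constructed sample: legacy protocols enabled and Basic auth over plain HTTP.
WEAK_NGINX_CONF = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    auth_basic "Restricted";
}
server {
    listen 80;
    auth_basic "Restricted";   # credentials cross the wire unencrypted
}
"""

# Constructed sample: TLS 1.2/1.3 only, and port 80 only redirects to HTTPS.
HARDENED_NGINX_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    auth_basic "Restricted";
}
server {
    listen 80;
    return 301 https://$host$request_uri;
}
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*", "-::*"}
LEGACY_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}


def parse_directives(text: str) -> List[Directive]:
    """Split a redis.conf-style file into (directive, args), dropping comments and blanks."""
    out: List[Directive] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0].lower(), parts[1:]))
    return out


def audit_redis(conf: str) -> List[str]:
    """Return one finding per weak Redis setting (empty list means no findings)."""
    directives = parse_directives(conf)
    names = {d for d, _ in directives}
    findings = []
    binds = [a for d, args in directives if d == "bind" for a in args]
    if not binds or any(b in WILDCARD_BINDS for b in binds):
        findings.append("redis: no bind restriction (missing or wildcard); bind to specific hosts and firewall the port")
    if any(d == "protected-mode" and args and args[0].lower() == "no" for d, args in directives):
        findings.append("redis: protected-mode disabled")
    if "requirepass" not in names and "user" not in names:
        findings.append("redis: no authentication configured (no requirepass and no ACL users)")
    return findings


def nginx_server_blocks(conf: str) -> List[List[Directive]]:
    """Minimal nginx parser: directives of each top-level server { } block."""
    blocks, current, depth = [], None, 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            if depth == 0 and line[:-1].strip() == "server":
                current = []
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0 and current is not None:
                blocks.append(current)
                current = None
        elif current is not None:
            parts = line.rstrip(";").split()
            current.append((parts[0].lower(), parts[1:]))
    return blocks


def audit_nginx(conf: str) -> List[str]:
    """Flag legacy TLS/SSL protocols and HTTP authentication on non-TLS listeners."""
    findings = []
    for i, block in enumerate(nginx_server_blocks(conf), start=1):
        protos = {p.lower() for d, args in block if d == "ssl_protocols" for p in args}
        legacy = sorted(protos & LEGACY_PROTOCOLS)
        if legacy:
            findings.append(f"server #{i}: legacy protocol(s) enabled: {', '.join(legacy)}; allow TLSv1.2 TLSv1.3 only")
        listens_tls = any(d == "listen" and "ssl" in args for d, args in block)
        if any(d == "auth_basic" for d, _ in block) and not listens_tls:
            findings.append(f"server #{i}: HTTP authentication on a plaintext listener; serve it over HTTPS")
    return findings


if __name__ == "__main__":
    for label, conf, audit in (("weak redis", WEAK_REDIS_CONF, audit_redis),
                               ("hardened redis", HARDENED_REDIS_CONF, audit_redis),
                               ("weak nginx", WEAK_NGINX_CONF, audit_nginx),
                               ("hardened nginx", HARDENED_NGINX_CONF, audit_nginx)):
        print(label, "->", audit(conf) or "no findings")
```

Running the script reports three Redis findings and two nginx findings for the weak samples and none for the hardened ones; the same functions can be pointed at real files read from disk to confirm that a remediation was actually applied before scheduling a retest.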
Timely Security Testing Helped Prevent Financial Losses and Reputational Damage
In two weeks, ScienceSoft assessed the Customer's private network comprising around 800 IPs and revealed 20 security issues of high and medium severity. Following our remediation advice, the Customer successfully reduced the attack surface, which our pentesters confirmed with a retest.
Technologies and Tools
DirB, w3af, cURL, Nikto, Metasploit, Wireshark, Nessus, Nmap, Telnet, SSLScan, SQLmap, John the Ripper, MIB Browser, Hydra, Burp Suite, Acunetix, smbclient, Redis CLI, CrackMapExec, tcpdump, SNMPwalk, Hashcat, Python, PowerShell, PHP, JavaScript, Perl.