Web Application and Network Penetration Testing for a US Contract Services Company
Customer
The Customer is a large US company that provides contract security, transportation and facility management services.
Challenge
Being a large company with several divisions, the Customer has a complex IT infrastructure that keeps growing and changing, which creates a real security challenge for the in-house IT unit. The Customer handles large amounts of clients’ information and strives to ensure its confidentiality, integrity, and availability as required by SOC 2. As a service provider that accepts online payments, it must also comply with PCI DSS.
To prepare for PCI DSS and SOC 2 compliance audits, the Customer needed to check its web applications, network, and employees’ vigilance to detect vulnerabilities that could lead to compliance breaches. The Customer was looking for an independent expert security team to perform penetration and social engineering testing within the shortest possible time (not more than two weeks).
Solution
With 19 years in cybersecurity and an impressive track record of successfully completed security testing projects, including PCI DSS compliance assessment, ScienceSoft turned out to be the right candidate for the Customer.
Having considered the tight deadline and an extensive testing scope, ScienceSoft’s security experts offered to perform gray box penetration testing. The Customer provided our team with user credentials to examine the exploitable vulnerabilities in the testing targets: 4 web applications, the external network perimeter and the internal network. During the pentesting, ScienceSoft’s team detected 14 security issues of high and medium severity, for example:
- Unlimited number of login attempts and no notification about multiple failed login attempts. As a result, a potential attacker can easily brute-force user account credentials.
- Remote file inclusion vulnerability. Any user could access the folder with write permissions on the Active Directory domain controller, download the payload and use it to compromise domain security.
- Insecure session protection: missing the Secure and SameSite cookie attributes that help prevent man-in-the-middle attacks and cross-site request forgery.
- An administrator account on the domain controller with insecure configuration: no password expiration date. This could allow potential attackers to brute-force the administrator password indefinitely and subsequently compromise the domain.
- Using an inherently vulnerable Address Resolution Protocol (ARP). An intruder could perform an ARP spoofing attack to modify, disrupt or spy on the network traffic.
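The session-cookie finding above is easy to verify mechanically. The following Python check is an added example, not part of the original case study or ScienceSoft's tooling: it parses Set-Cookie header values and reports which of the Secure, HttpOnly and SameSite attributes are absent (HttpOnly is not named in the finding but belongs to the same hardening set). The header values are constructed samples, and the cookie name is a placeholder.

```python
"""Check Set-Cookie headers for the Secure, HttpOnly and SameSite attributes (constructed example)."""
from typing import Dict, List

# Attributes a session cookie should carry. Secure and SameSite are the ones the
# assessment found missing; HttpOnly is included as part of the same hardening set.
REQUIRED_ATTRIBUTES = ("Secure", "HttpOnly", "SameSite")
VALID_SAMESITE = {"strict", "lax", "none"}

# Constructed sample headers: the weak form seen in the finding and its hardened counterpart.
WEAK_HEADER = "JSESSIONID=1A2B3C; Path=/; HttpOnly"
HARDENED_HEADER = "JSESSIONID=1A2B3C; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into {'_name': ..., '_value': ..., <attribute lower-cased>: ...}."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError(f"not a cookie pair: {header!r}")
    name, _, value = parts[0].partition("=")
    cookie = {"_name": name.strip(), "_value": value.strip()}
    for attr in parts[1:]:
        key, has_value, val = attr.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value; store them as "".
        cookie[key.strip().lower()] = val.strip() if has_value else ""
    return cookie


def audit_set_cookie(header: str) -> List[str]:
    """Return a list of findings for one Set-Cookie value; an empty list means it passes."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    for attr in REQUIRED_ATTRIBUTES:
        if attr.lower() not in cookie:
            findings.append(f"missing {attr}")
    samesite = cookie.get("samesite")
    if samesite is not None:
        if samesite.lower() not in VALID_SAMESITE:
            findings.append(f"invalid SameSite value {samesite!r}")
        elif samesite.lower() == "none" and "secure" not in cookie:
            # Browsers reject SameSite=None cookies that are not also marked Secure.
            findings.append("SameSite=None requires Secure")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie value of a response; keys are cookie names, values are findings."""
    return {parse_set_cookie(h)["_name"]: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(f"{label}: {audit_set_cookie(header) or 'OK'}")
```

Run against the Set-Cookie headers captured from a login response; any non-empty list is a finding of the kind listed above.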
ScienceSoft’s team evaluated the overall security level of the Customer’s IT infrastructure as low. To eliminate the existing security loopholes, we described the required corrective measures, such as:
- Limiting the number of failed login attempts. If the limit is exceeded, blocking the source IP or locking the account under attack for a few minutes, alerting the account owner via email, and adding a CAPTCHA.
- Moving the folder with write permissions from the Active Directory domain controller to the file server.
- Applying the missing attributes that enhance cookie security.
- Enforcing a password update at least once every 90 days. If possible, using complex passwords stored in a password manager and adding multifactor authentication.
- Implementing network segmentation, enabling the network switch features that offer protection against ARP spoofing (Dynamic ARP inspection, DHCP Snooping, Port Security), encrypting network traffic, and ensuring secure physical access to network devices.
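The first corrective measure, a failed-login limit with temporary lockout and owner notification, is shown below as an added Python example. It is not code from the case study or from ScienceSoft: the class, its thresholds and the account names and IP addresses are constructed for illustration. The clock and the alert hook are injectable so the lockout behaviour can be exercised without waiting or sending mail.

```python
"""Failed-login throttling with temporary lockout and owner notification (constructed example)."""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple


class LoginThrottle:
    """Count failed logins per account and per source IP inside a sliding window.

    Once a key reaches max_failures within window_seconds it is locked for lockout_seconds;
    the account owner is alerted when the account key (not just the IP key) locks.
    """

    def __init__(self, max_failures: int = 5, window_seconds: float = 300.0,
                 lockout_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic,
                 alert: Callable[[str, str], None] = lambda account, ip: None) -> None:
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock    # injectable so behaviour can be tested without sleeping
        self.alert = alert    # hook for the "email the account owner" step
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def _prune(self, key: str, now: float) -> None:
        """Drop failures that fell out of the sliding window."""
        q = self._failures[key]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def is_locked(self, key: str) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear state so the counter starts fresh.
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def check(self, account: str, ip: str) -> bool:
        """True if a login attempt for this account from this IP may proceed."""
        return not (self.is_locked(f"acct:{account}") or self.is_locked(f"ip:{ip}"))

    def recent_failures(self, account: str) -> int:
        """Failures inside the window; a front end can require a CAPTCHA above a lower threshold."""
        key = f"acct:{account}"
        self._prune(key, self.clock())
        return len(self._failures[key])

    def record_failure(self, account: str, ip: str) -> None:
        now = self.clock()
        for key in (f"acct:{account}", f"ip:{ip}"):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= self.max_failures and key not in self._locked_until:
                self._locked_until[key] = now + self.lockout_seconds
                if key.startswith("acct:"):
                    self.alert(account, ip)

    def record_success(self, account: str) -> None:
        """A successful login resets the account counter (the IP counter is left alone)."""
        self._failures.pop(f"acct:{account}", None)


class FakeClock:
    """Deterministic stand-in for time.monotonic used by the demo."""

    def __init__(self, start: float) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> Dict[str, object]:
    """Drive the throttle with a constructed brute-force sequence and return what was observed."""
    clock = FakeClock(start=1_000.0)
    alerts: List[Tuple[str, str]] = []
    throttle = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=120,
                             clock=clock, alert=lambda acct, ip: alerts.append((acct, ip)))
    results: Dict[str, object] = {"allowed_before": throttle.check("alice", "203.0.113.7")}
    for _ in range(3):                       # three rapid failures from one IP (constructed)
        throttle.record_failure("alice", "203.0.113.7")
    results["alice_locked"] = not throttle.check("alice", "203.0.113.7")
    results["alice_locked_other_ip"] = not throttle.check("alice", "198.51.100.9")
    results["bob_locked_same_ip"] = not throttle.check("bob", "203.0.113.7")
    results["bob_allowed_other_ip"] = throttle.check("bob", "198.51.100.9")
    # Slow attempts that fall outside the window never reach the limit.
    throttle.record_failure("carol", "192.0.2.5")
    throttle.record_failure("carol", "192.0.2.5")
    clock.advance(61)
    throttle.record_failure("carol", "192.0.2.5")
    results["carol_allowed"] = throttle.check("carol", "192.0.2.5")
    clock.advance(60)                        # total 121 s: alice's 120 s lockout has expired
    results["alice_allowed_after"] = throttle.check("alice", "203.0.113.7")
    results["alerts"] = alerts
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The account key and the IP key are tracked separately so that an attacker rotating source addresses still locks the targeted account, while a shared NAT address used by many legitimate users locks only for the configured interval rather than indefinitely.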
With ScienceSoft's remediation guidance, the Customer’s IT team fixed the revealed vulnerabilities. After that, ScienceSoft’s security experts retested the targets. Our team was pleased to report that all the security issues endangering the Customer’s sensitive data and IT infrastructure were properly remediated.
Phishing
As a result of open-source intelligence, ScienceSoft's team discovered 70 email addresses of the Customer's employees. Following the Customer's request to check its email security tools along with employees' security awareness, we first tried every possible scenario to bypass the email filtering system. We were glad to state that it offered reliable protection against malicious emails. After that, the Customer whitelisted our security testers' IPs so that we could deliver phishing emails to the target employees. The social engineering campaign proved a high level of user vigilance: none of the employees even opened the phishing emails.
However, ScienceSoft's team found out that several email addresses in scope had been pwned, i.e., exposed in a previous data breach. Therefore, our experts strongly recommended that users thoroughly check their email settings and change the passwords for their accounts everywhere.
It took ScienceSoft's team 14 days to complete the project: plan and perform penetration and social engineering testing, report on the results, and run another testing round to validate vulnerability remediation.
Results
Thanks to penetration testing by ScienceSoft, the Customer got a complete view of vulnerabilities in its applications and IT infrastructure. Applying the corrective measures outlined by ScienceSoft's security experts, the Customer achieved a high security level of its IT environment. The phishing campaign proved the effectiveness of the existing security awareness management strategy. Also, the Customer got comprehensive project reports to complement its compliance documentation. As a result, the Customer could ensure reliable protection against numerous cyber threats and feel confident about the upcoming PCI DSS and SOC 2 audits.
Technologies and Tools
Metasploit, Wireshark, Nessus, Gophish, Wifite2, Burp Suite, Acunetix, Nmap, Dirb.