Pentesting a major Beverage company

The Engagement

Background

The client company was looking to improve both its internal and external security posture. Before engaging Secmentis to perform External Attack & Penetration Testing and Internal Attack & Penetration Testing, the client informed Secmentis they had completed the implementation of additional IT security protections to safeguard both their external and internal IT infrastructure.

The goal of the client company in engaging Secmentis to perform External and Internal Penetration Testing was to evaluate the effectiveness of the IT security controls implemented, and to understand whether their investments in IT security were worthwhile.


Objectives

The objectives of the penetration testing engagement were set as follows:

External Penetration Test

  • Infiltrate from the outside (i.e. from the point of view of an unknown, malicious, blackhat attacker)
  • Extract/Exfiltrate any kind of sensitive information (e.g. account credentials, customer data, trade secrets, etc.)
  • Test the company's wireless network, to determine whether the wireless network could be compromised from the outside

Internal Penetration Test

  • Attack & Compromise any sensitive servers (e.g. file server, ERP server, CRM server, etc.)
  • Extract/Exfiltrate any kind of sensitive information (e.g. account credentials, customer data, trade secrets, etc.)
  • Be as stealthy as possible, so as not to raise suspicion among the company's employees

Secmentis Penetration Tests are performed from a "blackbox" perspective (i.e. zero initial information, apart from the target company's name) in order to make the ethical hacking attacks more realistic.

Process

Secmentis uses the same tools and tactics used by the bad guys against your business. We use both manual and automated testing methods, and take advantage of both custom-built and industry-available tools.

"Insider threat" attacks are usually more deadly than external attacks, as this engagement demonstrated to the company. Despite the increased IT security measures, the company discovered that its internal security was still lacking. For the Internal Penetration Test, a Secmentis consultant was placed on-site.

The External Penetration Test targeted a select number of the company's public-facing domains and services (e.g. website, email services, VPN services, etc.) and, again, yielded good results.

At the end of our testing, a detailed report was provided to the company, including an executive summary, and our technical findings/evidence and remediation recommendations.

Results

Secmentis consultants achieved spectacular results, some of which are summarized below.

Sensitive information that could be extracted: The company's Internet banking information and credentials, building PINs, customer data, business data (e.g. plans), financial info (e.g. payroll, etc.), and other confidential data.
