The client, an insurance company, was looking to improve both its internal and external security posture. The company had informed Secmentis they would also require web app penetration testing for their custom-built insurance customer service web application.
The goal of the client company in engaging Secmentis to perform External and Internal Penetration Testing was to evaluate the effectiveness of the IT security controls implemented in safeguarding their trade secrets and customer data, and to understand what their vulnerabilities were, and what should be done to fix them.
The objectives of the penetration testing engagement were set as follows:
Secmentis Penetration Tests are performed from a "blackbox" perspective (i.e. zero initial information, apart from the target company's name) in order to make the ethical hacking attacks more realistic.
Secmentis uses the same tools and tactics used by the bad guys against your business. We use both manual and automated testing methods, and take advantage of both custom-built and industry available tools.
For the Internal Penetration Test, a Secmentis consultant was placed on-site with the full knowledge of the IT manager. The results of the Internal Penetration Test shocked the IT manager and senior management of the company.
The External Penetration Test targeted a select number of the company's public-facing domains and services (e.g. website, email services), and especially their custom-built web app, and achieved great results.
At the end of our testing, a detailed report was provided to the company, including an executive summary, and our technical findings/evidence and remediation recommendations.
Secmentis consultants achieved spectacular results, some of which are summarized below.
Our consultants gained full domain admin, which means they had full access and the capability to do anything on all computers and servers within the company's Windows domain, e.g. domain controllers, file servers, Exchange email servers, backup servers, etc.
Full Admin access was achieved on the company's main firewall, giving Secmentis consultants the ability to modify any security rules at will.
Full Admin access on the network routers of the company meant malicious attackers could have done anything they wanted with the company's network.
Full Admin access on the IT Manager's PC would mean "Game Over" for the company, had the attack been made by malicious attackers.
Full Admin access was achieved on all of the company's senior management staff PCs, which would enable attackers to extract very sensitive business information.
Full Admin access was achieved on the company's PBX systems, which would enable attackers to place and record calls, create phone extensions, etc.
Full Admin access was achieved on the server hosting the company's custom-built customer service web application.
Full Admin access was achieved on the custom-built customer service web application, independently of taking over the server hosting the web application.
Secmentis consultants were able to impersonate the company's IT Help Desk, by gaining access from the outside. A malicious attacker could have used this to gain further access and perform further malicious activities.
Sensitive information that could be extracted: The company's employee data, proprietary source code, customer data, business data (e.g. plans), financial info (e.g. payroll, etc.), and other confidential data.
Talk to us today to find out how our experts can best help you