Case Study: Penetration Testing For A Central IT Body

Penetration Testing for a Central IT Body

Our Client’s Needs

The Client decided to conduct an External Penetration Test of the Organization’s complete IT Infrastructure. Our scope included: Web Servers, Firewalls, Workstations, Routers and Mobile Devices.

Scope of Engagement

The Client decided on conducting an External Vulnerability Assessment of the systems that would be directly connected to the new Information Sharing system. Our scope included: Web Servers, Firewalls, Workstations, and Routers.

Methodology

Taking the Client’s requirements into consideration, Security Brigade’s consultants identified the methodology that would best cater to the Client’s goals.

Security Brigade started with zero knowledge of the client’s internal network and personnel. Using public data sources and our proprietary methodologies, Security Brigade determined the client’s network address space and the names and addresses of several key client employees and members of the client’s board of directors. With concurrence from the client’s CEO and CIO, Security Brigade then proceeded with our network attack on the client’s DMZ, remote access points and key employee home networks. Security Brigade personnel utilized their deep knowledge of adversary methodologies to perform a real attack on the client’s information assets. We closely monitored each step of the attack to avoid causing network outages or damage to critical data and to determine the effectiveness of the client’s intrusion detection capabilities.

Penetration

Through this Penetration Test, we were able to gain access to the following:

  • Compromised the firewall and bypassed security mechanisms
  • Compromised the customer database, which contained sensitive information
  • Compromised the web server with administrative access
  • Compromised and gained access to the Client’s Internal EBX systems
  • Compromised and inserted users into the Internal Smart Card Database

Deliverables

At every phase of our assessment, Security Brigade reported on each specific finding. Our initial report detailed the “private” client information that was available from public data resources. In the attack phase of the project, Security Brigade personnel prepared status reports describing vulnerabilities, service identification and exploits for each functional element of the IT architecture. The final status report detailed all of the potential vulnerabilities and the successful exploits. After the attack phase was complete, Security Brigade personnel provided a security recommendations document to assist the client’s technical staff in improving their technical security posture and their information security policies. We also provided an executive summary to the client’s senior management to assist them in their risk management decision-making process.

Value Delivered

Our Penetration Testing Service allowed the Client to clearly understand and assess their current IT Security Posture. Furthermore, the Client gained the following benefits:

  • Risk Benefits: Security Brigade minimized security risks by assessing the customer’s infrastructure vulnerabilities and recommending solutions with proven methods to enhance security.
  • Cost Savings: Security Brigade suggested cost-effective risk-mitigation measures based on the customer’s business requirements that would ensure security and continuity of the business.
  • Customer Satisfaction: Penetration testing was conducted with minimum interruption and damage across customer systems to identify security vulnerabilities, impacts and potential risks.
  • Compliance: As an added bonus, the Client was able to utilize the information gained from this Penetration Test to easily gain industry certifications and provide a higher level of service to its customers.