Security assessment: audits and penetration tests

1. Security audit of industrial information and operational technologies for a brewery
The security audit of a large brewery began with an inventory of IT and OT assets. We helped the customer compile a complete register of active devices (computers, PLCs, operator panels, frequency converters, managed and unmanaged switches, etc.). We then reviewed how access to the systems was granted and found serious violations, and checked that passwords were set on every device that supports them.

We also checked that the project source code was available for every programmable device. Some of it was stored unreliably. We compared the offline copies with the versions actually running on the devices and resynchronized several projects that had diverged.

After that, we compared the PLC firmware versions (Siemens S7-315, S7-416, S7-1215, S7-1515, Schneider Electric Quantum, M251) and the HMI/SCADA software versions (WinCC SCADA, Citect SCADA) against the vendors' critical updates.

At the same stage, we checked whether encryption was enabled, and how strong it was, on every network that supports it.

We then checked all systems for viruses, ransomware, crypto miners and other malware, and for technical vulnerabilities.

Finally, we assessed the risks and made recommendations to address the deficiencies and reduce the risks. All results were presented in a detailed security assessment report.

Learn more about industrial IT/OT security and SCADA security.
2. Pentest for PCI DSS compliance in a financial organization
A small financial organization connected to the Visa and Mastercard international payment systems had to comply with the PCI DSS standard, which among other things requires regular external and internal penetration tests (Requirement 11.3 in PCI DSS v3.2.1, Requirement 11.4 in v4.0). While analysing the scope (the cardholder data environment), the detailed parameters of the external pentest were agreed: grey-box and black-box modes, and the list of targets, namely the Internet-facing services and web applications.

The pentest uncovered multiple vulnerabilities in the web applications: PHP injection, cross-site scripting, insecure direct object references, no software update mechanism, insecure default web server configuration, missing function-level access control, buffer overflows, and an error in the web application code.

No working penetration path was found during the project, but the vulnerabilities above were present and required remediation. The customer received a comprehensive report on the vulnerabilities and on how to enhance the security of the infrastructure, prepared in accordance with the PCI DSS requirements and including a description of the penetration test methodology used.

Learn more about penetration testing.
3. Analysis of a retail company's infrastructure
A medium-sized retailer was implementing internal and external information security requirements, some of which called for a complete analysis of the enterprise infrastructure, including grey-box and white-box penetration tests. The pentest found the following vulnerabilities and weaknesses:
  • Vulnerabilities in the web applications (no request validation in the applications; data transferred over unencrypted HTTP).
  • Deficiencies in privilege management (domain accounts used by various services and applications had excessive privileges).
  • Possibility of e-mail spoofing (no DKIM signing on the mail servers and no DMARC policy published in DNS for the mail domains).
  • Deficiencies in security event monitoring (auditd was running with no custom rules, so the relevant events were not recorded).
  • Possibility of an unauthorized device joining the network (no DHCP snooping and no port security on the access switches).
As a demonstration, unauthorized access to the network equipment was emulated during the pentest. The customer received a full report on the vulnerabilities and recommendations on how to eliminate them.
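The e-mail spoofing finding above comes down to what a domain publishes in DNS. The following is an added example, not the assessment team's tooling, that classifies a mail domain's SPF (RFC 7208), DMARC (RFC 7489) and, when the selector is known, DKIM (RFC 6376) records into concrete findings. The domains and TXT records are constructed and the DNS lookup is stubbed so that it runs offline; a real check would resolve the same names with a DNS library.

```python
"""Classify a mail domain's anti-spoofing posture from its DNS TXT records.
Added example for this case study, not the assessment team's tooling.  The
records are constructed for hypothetical domains and the DNS query is a stub."""

# Constructed sample TXT records keyed by DNS name (hypothetical domains).
SAMPLE_DNS = {
    "shop.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
    "_dmarc.shop.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@shop.example; pct=100"],
    "mail._domainkey.shop.example": ["v=DKIM1; k=rsa; p=AAAAB3fakekey"],  # fake key material
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "legacy.example": ["google-site-verification=abc"],  # TXT exists, but no SPF
    # legacy.example publishes no _dmarc record at all
}


def lookup_txt(name, dns):
    """Stand-in for a DNS TXT query; returns [] when the name does not exist."""
    return dns.get(name, [])


def spf_all_qualifier(records):
    """Return the qualifier of the SPF 'all' mechanism: '+', '-', '~' or '?'.
    'missing' means there is no v=spf1 record.  A record without an 'all'
    term yields '?' because RFC 7208 defaults the result to neutral."""
    for txt in records:
        terms = txt.split()
        if not terms or terms[0].lower() != "v=spf1":
            continue
        for term in terms[1:]:
            t = term.lower()
            if t == "all":
                return "+"            # a bare 'all' means '+all'
            if t[1:] == "all" and t[0] in "+-~?":
                return t[0]
        return "?"
    return "missing"


def parse_dmarc(records):
    """Return the tag dict of the first v=DMARC1 record, or None if absent."""
    for txt in records:
        tags = {}
        for part in txt.split(";"):
            key, sep, value = part.partition("=")
            if sep:
                tags[key.strip().lower()] = value.strip()
        if tags.get("v") == "DMARC1":
            return tags
    return None


def assess_domain(domain, dkim_selectors=(), dns=SAMPLE_DNS):
    """Return a list of finding strings; an empty list means SPF, DMARC and
    the given DKIM selectors all look sound."""
    findings = []

    q = spf_all_qualifier(lookup_txt(domain, dns))
    if q == "missing":
        findings.append("SPF: no v=spf1 record, any host may send as " + domain)
    elif q == "+":
        findings.append("SPF: '+all' authorizes every host on the Internet")
    elif q == "?":
        findings.append("SPF: neutral result for unlisted senders (no '-all'/'~all')")

    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain, dns))
    if dmarc is None:
        findings.append("DMARC: no policy published at _dmarc." + domain)
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC: missing or invalid p= tag (%r)" % policy)
        elif dmarc.get("pct", "100") != "100":
            findings.append("DMARC: pct=%s applies the policy to only part of the mail" % dmarc["pct"])

    # DKIM keys live under <selector>._domainkey.<domain>; the selector name is
    # not discoverable from DNS, so take it from the DKIM-Signature header of
    # a message the domain actually sent.
    for sel in dkim_selectors:
        recs = lookup_txt("%s._domainkey.%s" % (sel, domain), dns)
        if not any("p=" in r for r in recs):
            findings.append("DKIM: no public key published for selector %r" % sel)
    return findings


if __name__ == "__main__":
    for d, sels in (("shop.example", ("mail",)), ("weak.example", ()), ("legacy.example", ())):
        print(d, assess_domain(d, sels) or ["OK"])
```

Run it as is to see the three constructed domains classified; to check a real domain, replace `lookup_txt` with an actual TXT query and pass the DKIM selector taken from a message the domain sent.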
4. Internal pentest for a big industrial plant
A large industrial plant with about 10,000 employees needed to assess its IT infrastructure's compliance with security requirements and ordered a penetration test in grey-box and white-box modes, with the servers on the local area network as the targets. The project found the following vulnerabilities and weaknesses:

  • Deficiencies in event monitoring and security incident response (no measures to prevent intrusions or to recover from incidents).
  • Deficiencies in configuration management (uncontrolled test and guest hosts joined to the corporate domain).
  • Deficiencies in access and privilege management (SSH login enabled for the standard root account; a single administrator account used to manage the domain controllers, the network equipment and user workstations, so one stolen credential compromises all of them).
  • Other technical vulnerabilities (automatic proxy detection (WPAD) was enabled in client software, which lets an attacker on the local network serve a malicious proxy configuration).

Unauthorized access by an insider was modelled during the project. The customer received a full report on the vulnerabilities and how to eliminate them.
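The root-over-SSH finding is easy to check from the configuration file, but two details of how sshd reads it are often missed. Here is an added example, not the assessment team's tooling, that audits an sshd_config for root login and password authentication: sshd uses the first value it reads for each keyword (sshd_config(5)), so a `PermitRootLogin no` appended at the bottom does not override an earlier `yes`; and keywords inside a `Match` block apply only to matching connections, so they are reported separately rather than merged into the global settings. The sample configurations are constructed for a hypothetical server.

```python
"""Audit an sshd_config for direct root login and password authentication.
Added example, not the assessment team's tooling.  Honours sshd's first-value-
wins rule and keeps Match-block settings separate."""

import re

# Constructed sample: the permissive line near the top is the effective one,
# the later 'no' is dead configuration as far as sshd is concerned.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

# OpenSSH built-in defaults (7.0 and later) for the keywords we assess.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
}

# keyword, then either an '=' (with optional spaces) or whitespace, then the value
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).  global_settings maps a
    lowercased keyword to the FIRST value seen outside any Match block;
    match_blocks is a list of (criteria, {keyword: value}) in file order.
    Files pulled in by 'Include' are not read here; see audit note below."""
    global_settings, match_blocks = {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
        elif current is not None:
            current.setdefault(keyword, value)
        else:
            global_settings.setdefault(keyword, value)   # first value wins
    return global_settings, match_blocks


def effective_settings(text):
    """Global values of the assessed keywords, falling back to the defaults."""
    global_settings, _ = parse_sshd_config(text)
    return {k: global_settings.get(k, d).lower() for k, d in DEFAULTS.items()}


def audit_sshd_config(text):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    global_settings, match_blocks = parse_sshd_config(text)
    eff = effective_settings(text)
    if eff["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root may log in directly, including with a password")
    if eff["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: accounts are exposed to password guessing")
    for criteria, settings in match_blocks:
        if settings.get("permitrootlogin", "").lower() == "yes":
            findings.append("Match %s: PermitRootLogin yes for matching connections" % criteria)
    if "include" in global_settings:
        findings.append("note: 'Include %s' was not expanded; included values take effect "
                        "at the position of the Include line" % global_settings["include"])
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["OK"])
```

The Include note matters on current distributions, where a file under sshd_config.d that appears before the main settings can set the effective value; when auditing a real host, the authoritative answer is `sshd -T`, which prints the fully resolved configuration.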

5. Grey-box and white-box pentest for a telecom company
A mid-sized telecommunications company, driven by external security requirements, requested the implementation of a comprehensive information security system together with an overall security assessment. The customer chose grey-box and white-box penetration testing. The targets were the external servers, the DMZ, the web applications, and internal nodes of the local area network. The project uncovered the following vulnerabilities and deficiencies:
  • Network configuration errors and lack of segmentation (no separate VLAN for out-of-band management interfaces such as iLO, IPMI, IP KVM, etc.).
  • Weak passwords on the active network devices.
  • Administrative (hidden) SMB shares were accessible (ADMIN$, C$, D$, etc.).

By exploiting these vulnerabilities, we extracted documents containing confidential data, thereby emulating an intruder's unauthorized access. The customer received a comprehensive report on the vulnerabilities and how to remediate them.

6. Network pentest for a nationwide pharmacy network
A nationwide pharmacy network ordered an external pentest of its computer network. Black-box mode was chosen.

During the project, it turned out that all critical IT infrastructure sat behind a firewall, and there seemed to be no way in. We then turned to the points of sale and checked several pharmacies. One of them had a MikroTik router still using the factory default credentials: this type of router shipped with the admin account and an empty password, so the router was "compromised" at once. It ran an OpenVPN client with its certificates stored locally, and it allowed traffic to be captured. We intercepted the traffic and found confidential information from the sales and accounting system. We then extracted the certificates from the compromised router, built a fake point of sale, and connected to the VPN server, impersonating one of the pharmacies in the network. This way we got into the customer's internal IT infrastructure, which was protected by the firewall and had seemed impenetrable. We explored the Active Directory network, found an SQL server that used domain authentication, and got into it with a password extracted using the 'mimikatz' utility.

The project concluded that penetration was possible and that the customer's information security level was low. The customer received the risk assessment results, information about the vulnerabilities, and recommendations on how to remediate them and harden the IT infrastructure.

7. Pentest of functionality of a cryptocurrency exchange
We were approached by a company planning to enter the cryptocurrency market, which had developed a cryptocurrency exchange web application for that purpose. Before publishing the application on the Internet, the company decided to have it audited using penetration testing methods according to the OWASP methodology, and requested that service from us.

The testing was conducted in black-box mode: at the initial stage, the auditors had at their disposal only the URL of the application that was being tested.

The pentest showed that an attacker could:

  • Exploit missing input filtering in the 'meeting room' (chat) feature to run a stored XSS attack against a user or administrator; this was confirmed when a test victim (the user or administrator who received the message) opened the dialog. The injected script could do anything the victim's browser session allows: hidden mining, a fake login form, and so on, and, combined with a browser exploit, could lead to control of the victim's computer.
  • Exploit flaws in the file upload feature to reach the server file system (read, upload and delete files), execute arbitrary commands on the server, run SQL queries, and open connections from the server to other systems; in other words, gain complete control over the server and all of its data.
  • Having taken over the server, exploit deficiencies in cryptographic protection (in particular, no integrity control on transaction data in the application) to alter account balances.
  • Bypass the sender check on messages and impersonate another user or the administrator, misleading the victim into fraudulent actions.
  • Enumerate registered users.
  • Attack user passwords (password guessing).
  • Gain unauthorized access to files uploaded by other users.
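Of the findings above, the missing integrity control on transaction data is the one that turned a server compromise into altered balances. The following added example, not the exchange's own code, shows the control: each transaction record is serialized canonically and authenticated with HMAC-SHA256 over the record plus the previous entry's tag, so editing, deleting or reordering entries is detected and balances are derived from the verified log rather than from a mutable column. The key, the accounts and the transfers are constructed placeholders; the key must live outside the application server (a separate signing service or an HSM), otherwise an attacker who owns the server can simply re-sign whatever he writes.

```python
"""Tamper-evident transaction log with HMAC-chained entries.  Added example
of an integrity control for transaction data; not the exchange's own code."""

import hashlib
import hmac
import json

LEDGER_KEY = b"constructed-demo-key-do-not-use-in-production"  # placeholder
GENESIS = "genesis"

# Amounts are integers in the asset's smallest unit (e.g. satoshi); floats
# would make canonical serialization and arithmetic unreliable.


def canonical(record):
    """Deterministic bytes for a record: sorted keys, no whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_record(record, prev_tag, key=LEDGER_KEY):
    """HMAC-SHA256 over previous tag || canonical record, as hex."""
    return hmac.new(key, prev_tag.encode() + canonical(record), hashlib.sha256).hexdigest()


def append_record(ledger, record, key=LEDGER_KEY):
    """Append a signed entry (chained to the previous one) and return it."""
    prev_tag = ledger[-1]["tag"] if ledger else GENESIS
    entry = {"data": dict(record), "tag": tag_record(record, prev_tag, key)}
    ledger.append(entry)
    return entry


def verify_ledger(ledger, key=LEDGER_KEY):
    """Return (True, None) if every entry's tag matches its data and position,
    else (False, index_of_first_bad_entry).  Constant-time comparison."""
    prev_tag = GENESIS
    for index, entry in enumerate(ledger):
        expected = tag_record(entry["data"], prev_tag, key)
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, index
        prev_tag = entry["tag"]
    return True, None


def balance(ledger, account):
    """Balance derived from the verified log rather than a stored column."""
    ok, bad = verify_ledger(ledger)
    if not ok:
        raise ValueError("ledger integrity failure at entry %d" % bad)
    total = 0
    for entry in ledger:
        data = entry["data"]
        if data["to"] == account:
            total += data["amount"]
        if data["from"] == account:
            total -= data["amount"]
    return total


def build_sample_ledger():
    """Constructed sample: two transfers on a hypothetical exchange."""
    ledger = []
    append_record(ledger, {"id": 1, "from": "exchange", "to": "alice", "amount": 500_000, "asset": "BTC"})
    append_record(ledger, {"id": 2, "from": "alice", "to": "bob", "amount": 120_000, "asset": "BTC"})
    return ledger


def tamper_amount(ledger, index, new_amount):
    """Simulate an attacker with database write access editing one row;
    returns the verification result after the edit."""
    ledger[index]["data"]["amount"] = new_amount
    return verify_ledger(ledger)


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("valid:", verify_ledger(ledger), "alice balance:", balance(ledger, "alice"))
    print("after editing entry 1:", tamper_amount(ledger, 1, 1))
```

Because each tag covers the previous tag, a deleted or reordered entry fails verification at the first entry whose predecessor changed; an attacker who can write to the database but does not hold the key cannot produce a valid tag for an altered amount.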

The customer received an exhaustive report on the vulnerabilities and how to fix them. After the vulnerabilities were fixed, the auditors re-tested the application and confirmed the fixes, and only then was it published on the Internet.

The audit using penetration testing methods therefore saved the customer from possible reputational and financial losses.
