Business cases of the projects we completed
We were approached by a company that was planning to enter the promising cryptocurrency market. To that end, the company had developed a web application with cryptocurrency exchange functionality. Before publishing the application on the Internet, the company decided to have it undergo an information security audit using penetration testing methods according to the OWASP methodology, and requested this service from us.
The testing was conducted in the “black box” mode: at the initial stage, the auditors had at their disposal only the URL of the application under test.
During the pentest, the following actions that attackers could carry out were identified and confirmed:
- Take advantage of the lack of input filtering in the ‘meeting room’ functionality and conduct an XSS attack on a user or administrator. This was confirmed when the test victim (the user or administrator to whom the message was sent) opened the dialog. The injected script can do anything: hidden mining, a fake authentication form, and so on, up to complete control over the victim's computer.
- Take advantage of flaws in the web application's file upload functionality to access the server file system (read, upload and delete files), execute arbitrary commands on the server, execute SQL queries, and open connections from the server to other systems; in other words, the attacker gains complete control over the server and all data can be compromised.
- After gaining control over the server, take advantage of weaknesses in cryptographic protection, in particular the lack of integrity control over transaction data in the application, and alter account balances.
- Bypass the check when sending messages and impersonate another user or administrator, thereby misleading the victim and enabling fraudulent actions.
- Identify registered users.
- Attack user passwords.
- Gain unauthorized access to files that other users have downloaded.
The customer received an exhaustive report on the vulnerabilities and how to fix them. After the vulnerabilities had been eliminated, the auditors verified that the previously discovered deficiencies were gone. Only after this was the web application published on the Internet.
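The third finding above, the missing integrity control over transaction data, is the one an application developer can close with a small amount of code. The following is an added example, not code from the audited application or from H-X: each ledger entry carries an HMAC over its protected fields plus the MAC of the previous entry, so a balance rewritten in storage, a deleted entry or a reordered entry all fail the audit. The key, the record layout and the sample records are constructed assumptions.

```python
"""Added example (not the audited application's code): protecting transaction
records so that a balance altered in storage is detected. Each ledger entry
carries an HMAC over its protected fields plus the MAC of the previous entry,
so both in-place edits and deleted or reordered entries fail the audit. The
key, record layout and sample records are constructed assumptions."""
import hashlib
import hmac
import json

# Constructed demo key. In production the key lives in a secrets store or HSM,
# separate from the database that holds the records it protects.
LEDGER_KEY = b"constructed-demo-key-do-not-use"
PROTECTED = ("tx_id", "account", "asset", "amount", "balance_after", "prev_mac")


def canonical(entry):
    """Fixed-order serialisation of the fields that must not change."""
    return json.dumps({k: entry[k] for k in PROTECTED},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_entry(entry, key=LEDGER_KEY):
    """Return a copy of the entry with its MAC attached."""
    signed = dict(entry)
    signed["mac"] = hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()
    return signed


def verify_entry(entry, key=LEDGER_KEY):
    """True if the entry's MAC matches its current protected fields."""
    expected = hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, entry.get("mac", ""))


def build_ledger(records, key=LEDGER_KEY):
    """Sign records in order, chaining each to the MAC of its predecessor."""
    entries, prev_mac = [], ""
    for record in records:
        entry = sign_entry({**record, "prev_mac": prev_mac}, key)
        entries.append(entry)
        prev_mac = entry["mac"]
    return entries


def audit_ledger(entries, key=LEDGER_KEY):
    """Return (tx_id, problem) for every entry that fails the MAC or chain check."""
    findings, prev_mac = [], ""
    for entry in entries:
        if not verify_entry(entry, key):
            findings.append((entry["tx_id"], "mac mismatch"))
        elif entry["prev_mac"] != prev_mac:
            findings.append((entry["tx_id"], "chain broken"))
        prev_mac = entry["mac"]
    return findings


# Constructed sample records; amounts are strings to avoid float rounding.
RECORDS = [
    {"tx_id": "tx-0001", "account": "acc-42", "asset": "BTC",
     "amount": "0.50000000", "balance_after": "0.50000000"},
    {"tx_id": "tx-0002", "account": "acc-42", "asset": "BTC",
     "amount": "-0.20000000", "balance_after": "0.30000000"},
    {"tx_id": "tx-0003", "account": "acc-42", "asset": "BTC",
     "amount": "0.10000000", "balance_after": "0.40000000"},
]
LEDGER = build_ledger(RECORDS)


def tampered_balance():
    """Scenario from the audit: someone with server access rewrites a balance."""
    bad = [dict(e) for e in LEDGER]
    bad[1]["balance_after"] = "999.00000000"
    return bad


def deleted_entry():
    """Scenario: a debit entry is simply removed from storage."""
    return [LEDGER[0], LEDGER[2]]


if __name__ == "__main__":
    print("clean ledger:", audit_ledger(LEDGER))
    print("edited balance:", audit_ledger(tampered_balance()))
    print("deleted entry:", audit_ledger(deleted_entry()))
```

The MAC alone catches an edited field; the chain field is what catches a removed or reordered entry, which a per-record MAC cannot see. The protection only holds while the key stays out of reach of whoever can write to the database, which is why it belongs in a secrets store or HSM rather than in application configuration on the same server.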
Thus, the audit using penetration testing methods saved the customer from possible reputational and financial losses.
A nationwide pharmacy network ordered an external pentest of their computer network. Black box mode was chosen.
During the project, it was discovered that all critical IT infrastructure was behind the firewall, and it seemed there was no way to penetrate. We then decided to check the points of sale and examined several drugstores. One of them had a Mikrotik router with the default password; this type of router ships with a blank default password, so the router was "compromised". It had OpenVPN, locally stored certificates, and allowed sniffing. We intercepted traffic and found confidential information from the sales and accounting system. We then extracted the certificates from the compromised router, built a fake point of sale, and connected to the VPN server, impersonating an ordinary drugstore. In this way we penetrated the customer's internal IT infrastructure, which was protected by the firewall and had seemed impenetrable. We explored the Active Directory network, found an SQL server with domain authentication, and accessed it using a password that had earlier been extracted with the mimikatz utility.
The project was completed with the conclusion that penetration is possible and the customer's information security level is low. The customer received risk assessment results, information about the vulnerabilities, and recommendations on how to remediate them and harden the IT infrastructure.
A mid-sized telecommunication company, motivated to comply with external security requirements, requested implementation of a comprehensive information security system and an overall security assessment. The customer chose grey box and white box as the penetration testing modes. The target objects of the pentest were external servers, the DMZ, web applications, and internal nodes of the local area network. During the project, the following vulnerabilities and drawbacks were discovered:
- Network configuration errors and lack of segmentation (no separate VLAN for management interfaces such as iLO, IPMI, IP KVM, etc.).
- Weak passwords in active network devices.
- Hidden administrative shares were accessible (ADMIN$, C$, D$, etc.).
By exploiting these vulnerabilities, documents containing confidential data were extracted, thus emulating unauthorized access by an intruder. The customer received a comprehensive report on the vulnerabilities and their remediation methods.
A large industrial plant with about 10,000 employees needed an assessment of its IT infrastructure's compliance with security requirements. The plant ordered a penetration test in grey box and white box modes, with local area network servers as the target objects. During the project, the following vulnerabilities and weaknesses were found:
- Drawbacks in the event monitoring and security incident response processes (lack of measures to prevent intrusions, and recover from incidents).
- Drawbacks in configuration management (uncontrolled test and guest network hosts in the corporate domain).
- Drawbacks in access and privilege management (SSH login enabled for the standard root account; a single administrator account used to manage the DC, network equipment, and user workstations).
- Other technical vulnerabilities (proxy auto-detection for software is enabled).
Unauthorized insider access was modelled during the project. The customer received a full report on the vulnerabilities and how to eliminate them.
A medium-sized retailer implemented internal and external information security requirements. Some of them required a complete analysis of the enterprise infrastructure, including penetration tests in the "grey box" and "white box" modes. During the pentest, the following vulnerabilities and weaknesses were found:
- Vulnerabilities in the web applications (no request validity checks in the applications, data transferred over an unencrypted HTTP channel).
- Privilege management drawbacks (domain accounts for various services and applications had excessive privileges).
- The possibility of e-mail forgery (no DKIM signing or DMARC policy on the mail servers).
- Drawbacks in security event monitoring processes (no "auditd" configuration for events).
- The possibility of connecting unauthorized devices to the network (no DHCP snooping, no port security).
During the pentest, unauthorized access to the network equipment was emulated as a demonstration of the vulnerability. The customer received a full report on the vulnerabilities and the ways to eliminate them.
A small financial organization connected to the international payment systems Visa and Mastercard faced the need to comply with the PCI DSS standard, which among other things requires external and internal penetration tests to be performed regularly. During analysis of the infrastructure scope (the cardholder data environment), the detailed parameters of the external pentest were agreed with the customer: grey box and black box modes, and the list of target objects, namely the Internet-facing services and web applications.
As a result of the pentest, multiple vulnerabilities in the web applications were discovered (PHP injection, cross-site scripting, insecure direct object references, missing software update mechanisms, insecure default web server configurations, no function-level access control, buffer overflows, and errors in the web application code).
During the project, no confirmed way of penetration was found, but potential ways were present. The customer received a comprehensive report on the vulnerabilities and how to enhance the security of the infrastructure. The report was prepared in accordance with the requirements of PCI DSS, including a description of the penetration test methodology used during the project.
A small software company faced their customers' requirement to be certified to the ISO 27001 standard. Moreover, the certification body had to hold the highest international accreditation level, UKAS.
Previously, the company had taken only superficial measures and performed only occasional information security work, limited to server and workstation protection. We immediately began the scope analysis and outlined the work plan for the initial audit and gap analysis, and performed this work for the client free of charge. After that, the company saw that we understood their problems and could build realistic plans, so they signed a contract with us for an audit, gap analysis and development of an implementation plan. We completed this work in 3 weeks, and the customer was once again convinced that our experience and speed exceeded their expectations.
After that, the customer signed an agreement with us for the implementation of ISO 27001. Within 6 months, we developed all the controls required by the standard, described them in 18 policies and procedures, implemented a number of security management registers, and trained staff. We paid particular attention to the secure software development life cycle.
Then the question of choosing an independent auditor arose. We recommended one of the largest German auditing firms to our client, contacted the auditor, discussed the project with them and prepared them in advance for our client's certification. The client and the auditors signed an agreement for audit and certification.
During the audit, we defended our client and the information security management system that we built. The auditors made minor comments, as they usually do. We took those comments into account, made corrections, and in 2 weeks our client received an official certificate of ISO 27001 compliance.
To maintain the implemented system and renew the certificate annually, the company subscribed to our ‘Remote Security Manager’ service.
Our client was also interested in our competency not only in security process management but also in IT security, and ordered our advanced services for application security, source code security analysis and penetration testing of their software products.
The company obtained the certificates of compliance with ISO 27001 and the successful passing of security assessment, and published them on their website and in marketing materials. The company advertised their new status and gained significant competitive advantages, which resulted in an increase in the number of orders and sales.
A German automotive industry company developing on-board automotive systems contacted us to urgently achieve compliance with ISO 27001 and the Trusted Information Security Assessment Exchange (TISAX). High competition in the market for automotive systems (security, piloting, navigation, entertainment systems, etc.) pushes leading car manufacturers and their contractors (Volkswagen-Audi Group, Porsche, Daimler AG, BMW, Bosch, etc.) to accelerate the launch of new products while maintaining quality, safety and security. This was the source of our client's high motivation.
Before that, the client had tried to fill out the TISAX compliance forms themselves, but lacked the competencies needed even to start the implementation process properly.
TISAX compliance, although built on ISO 27001, has its own specifics. For example, unlike an ISO 27001 audit, which can take several days, a TISAX auditor spends only one day at the customer's office, but it then takes about 3 months to collect the evidence for each security process. TISAX audit reporting implies a high degree of automation using modern GRC (Governance, Risk management and Compliance) systems.
During the first 3 months after signing the contract with our client, we thoroughly studied their business processes and developed about 50 documents necessary for compliance with ISO 27001 and TISAX. During the implementation and audit reporting, we used Redmine and Goriscon systems.
In total, 6 months of intense collaboration between our consultants and our client's employees passed from the start of the project until the day they received the TISAX compliance label. We conducted several training sessions, performed a series of server and application security assessments, strengthened network security and system life cycle security, and implemented risk management, security key performance indicators (KPIs), and change and incident management processes.
The implemented processes, operations and security systems must be constantly maintained so as not to lose effectiveness, so our client ordered the ‘Remote Information Security Manager’ service from us. We continued to conduct regular training sessions with our client, monitor information security events, respond to security incidents, perform quarterly vulnerability scans, audit software source code, report to our customer's auditors and clients, and so on: that is, to fully perform the functions of an information security manager.
Our customer noted more than an increase in security as a result of this project. During asset management and technical vulnerability assessment, ineffective use of systems, redundant access, and configuration errors that reduced network performance were discovered, so as a side effect of the project the customer optimized some of their IT operations.
Achieving the official compliance status with ISO 27001 and TISAX allowed our client to get new long-term contracts from one of the giants of the German automotive industry.
A representative of a major government organization in an East European country asked us for help responding to and investigating a hacker attack. From 5 AM on Saturday, the organization's official website had been unavailable due to the Drupalgeddon 2 attack, which malicious scripts were carrying out automatically across the Internet.
The analysis revealed that the attack did not affect important data and caused no harm other than website downtime. However, that downtime caused some damage to the organization's users, operations and reputation.
We quickly cleaned the website of malicious files, restored it, and collected event logs and other evidence to pass them to the police.
We conducted the investigation by analyzing the event logs of various server services. It was established that the last successful request (return code 200) came from a certain IP address, after which no further events were logged. Next, the website scripts were analyzed, and we found that a fragment of PHP code had been inserted at the beginning of all executable files; it first turned off logging and then covertly launched a shell that accepted remote commands for execution. Malicious insertions were also found in the database.
After cleaning the website and collecting evidence, the server was hardened (configured for security), the Drupal CMS was updated, and additional controls for preliminary testing and security updates were introduced. In addition, a web application firewall (WAF) was deployed to protect the website in real time, and a host-based intrusion detection system (HIDS) was implemented for daily monitoring of the integrity of critical files. We also offered the organization our comprehensive Continuous Website Protection service, including, but not limited to, full protection against DDoS attacks, and the organization subscribed to it.
Even though the police did not find the perpetrators, the state organization gained a new level of security for their server, which has allowed them to detect intrusions successfully and withstand both small and large-scale malicious attacks over the following months, up to the present.
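Two of the steps in this case, finding the last logged request before the log fell silent and the daily integrity check of critical files, are simple enough to show in code. What follows is an added example, not the organisation's tooling or H-X's product: part 1 walks a web server access log in Combined Log Format and reports the last request answered with HTTP 200 and where it came from; part 2 is a minimal file-integrity check of the kind a HIDS performs, which compares each tracked file with a baseline hash and, for a mismatch, tells whether the original content is still present behind newly prepended bytes, the shape of the injection found in the PHP files. The log lines, file names and file contents are constructed samples, and the IP addresses are from the documentation ranges.

```python
"""Added example, not the organisation's tooling: two defender-side checks
matching the investigation and the HIDS described above. Part 1 parses an
access log and reports the last request that received HTTP 200. Part 2 is a
minimal file-integrity check: each tracked file is compared with a baseline
hash, and a mismatching file is classified as 'prepended N bytes' when the
original content is still intact after N new leading bytes. Log lines, file
names and file contents below are constructed."""
import hashlib
import re
from datetime import datetime

# ---- Part 1: access-log triage ----
# Matches the start of a Common/Combined Log Format line; the referer and
# user-agent fields that follow are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_log(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        entries.append(d)
    return entries


def last_success(entries):
    """(ip, ISO timestamp, request line) of the latest request answered with 200."""
    ok = [e for e in entries if e["status"] == 200]
    if not ok:
        return None
    last = max(ok, key=lambda e: e["ts"])
    return last["ip"], last["ts"].isoformat(), last["req"]


# Constructed sample log; the unparseable line shows that junk is skipped.
LOG_LINES = [
    '198.51.100.7 - - [14/Apr/2018:04:58:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [14/Apr/2018:05:01:40 +0000] "GET /node/1 HTTP/1.1" 404 219 "-" "python-requests/2.18"',
    'not a log line at all',
    '203.0.113.45 - - [14/Apr/2018:05:02:17 +0000] "POST /index.php HTTP/1.1" 200 41 "-" "python-requests/2.18"',
]


# ---- Part 2: file-integrity baseline and comparison ----
def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_baseline(files):
    """Record hash and size of every tracked file (mapping path -> bytes)."""
    return {path: {"sha256": sha256(content), "size": len(content)}
            for path, content in files.items()}


def check_integrity(baseline, files):
    """Compare the current files with the baseline and classify each deviation."""
    findings = []
    for path, ref in baseline.items():
        if path not in files:
            findings.append((path, "missing"))
            continue
        content = files[path]
        if sha256(content) == ref["sha256"]:
            continue
        extra = len(content) - ref["size"]
        # Original content intact but pushed back by new leading bytes?
        if extra > 0 and sha256(content[extra:]) == ref["sha256"]:
            findings.append((path, f"prepended {extra} bytes"))
        else:
            findings.append((path, "modified"))
    for path in files:
        if path not in baseline:
            findings.append((path, "untracked"))
    return findings


# Constructed snapshot of the site before the incident, and its state afterwards.
CLEAN_FILES = {
    "index.php": b"<?php\n// constructed front controller\nrequire 'core.php';\n",
    "core.php": b"<?php\n// constructed helper\nfunction boot() {}\n",
}
BASELINE = make_baseline(CLEAN_FILES)
INJECTED = b"<?php /* constructed stand-in for an injected block */ ?>\n"
INFECTED_FILES = {
    "index.php": INJECTED + CLEAN_FILES["index.php"],
    "core.php": CLEAN_FILES["core.php"],
    "uploads/extra.php": b"<?php /* constructed stand-in for a dropped file */ ?>\n",
}

if __name__ == "__main__":
    print("last 200:", last_success(parse_log(LOG_LINES)))
    print("integrity:", check_integrity(BASELINE, INFECTED_FILES))
```

In practice the baseline is taken from a known-clean deployment and stored off the web server, since an attacker who can rewrite every PHP file can also rewrite a baseline kept beside them; the "prepended" classification is only a hint to the analyst, and any mismatching file still needs to be reviewed.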
(Company and organization names are under Non-disclosure Agreements)
Our happy customers
Our clients are product and outsourcing IT companies, e-commerce, industrial, pharmaceutical, telecommunication, retail, and insurance companies, as well as banks and governmental organizations. Some of our happy customers are:
The H-X team has conducted a detailed project planning to assess the security of our infrastructure. They have shown a creative approach, and have properly implemented the security assessment plan. The security assessment has provided valuable information on priorities of security enhancements for our company, including strategic objectives and tactical activities.
We were facing serious challenges related to our customers' requirements for formal compliance with international and industry information security standards. The H-X team very quickly helped us to evaluate and fill the current organizational and technical gaps, and they continue to help.
The H-X team have completed a technical security assessment of one of our products, and we've been surprised by the high quality of the results. They've helped to improve the quality of our development and testing processes.