IT Infrastructure Penetration Testing for a US Transport Trade Union

About Our Customer

The Customer is a US trade union with 120,000 members across 50 states. It represents the interests of transport workers and offers them affordable insurance plans and discount programs.

Need for Comprehensive Insights into Security Issues

In view of the latest much-publicized security breaches, the Customer became concerned about the safety of its members' sensitive information. It wanted to see if a potential attacker could break through the external cybersecurity perimeter and move around the internal network. Knowing how widespread social engineering attacks are, the Customer also wanted to check if its employees could resist manipulative messages. So, the Customer was looking for a competent vendor that could perform pentesting of its extensive IT infrastructure, as well as simulate phishing and vishing attacks. Having considered multiple security testing vendors, the Customer decided to entrust the project to ScienceSoft.

Pentesters Detected Easily Exploitable Vulnerabilities

Considering the project's big scope, ScienceSoft assigned five security testers and appointed an experienced project manager to ensure smooth communication with the Customer, transparent reporting, and timely delivery.

ScienceSoft started with black box penetration testing of 1 web application, 1 API, 2 web services, and a DMZ subnet with 24 IP addresses. Having strictly limited information about the targets, the testers first used automated tools to discover potential entry points. Then they manually validated the findings to identify exploitable vulnerabilities and launch all possible attacks.

As a result, they found 19 security issues of different severity. Real-world attackers with little technical skills could easily use some of the flaws to gain full control of the web application or remote hosts. Here are some examples of such vulnerabilities:

• Web application transmitting data from/to the server over an unencrypted channel. Intruders with network sniffing tools could, for example, retrieve user credentials and hijack the user’s account. ScienceSoft’s team recommended converting the web app to HTTPS or at least redirecting sensitive data transfer to HTTPS.
• The remote hosts had open unsecured ports available from the internet without a proxy, VPN, etc. To eliminate this ctitical vulnerability, it was necessary to block access from the internet to the services using unsecured ports and protocols and allow access to the local resources only via a VPN, proxy, jump host, or secured ports.

After that, ScienceSoft’s security team got user credentials to test the Customer’s internal subnets, including 350 IP addresses, 8 Wi-Fi access points and 1 Active Directory according to the gray box approach. They revealed 10 security issues, including such critical vulnerabilities as:

• Multiple cases of outdated versions of Microsoft Windows, Microsoft SQL Server, Apache Tomcat, and other software. Attackers could easily identify the software type and version and find exploits. They could perform remote code execution, spoofing, DDoS, and other attacks. Our team recommended updating the software to the current versions as soon as possible.
• Default SNMP agent community names. This vulnerability enabled potential intruders to view or change configurations of network devices. ScienceSoft’s security testers recommended disabling the SNMP service if it is not needed or changing the default community strings.

Having analyzed all the detected security weaknesses and misconfigurations, ScienceSoft’s experts could put most of them into four groups:

• Weak network segmentation.
• Using default credentials.
• Lacking brute-force protection.
• Outdated, vulnerable software.

To protect the IT environment and be sure that the same vulnerabilities wouldn’t occur repeatedly, ScienceSoft’s team recommended reviewing the network architecture and implementing network device auditing and security events monitoring.

At the final stage of the pentesting project, ScienceSoft’s team provided clear and informative reports with manually validated vulnerabilities and actionable corrective measures. We offered the Customer further consulting and continuous support on the reported findings and remediation steps.

Social Engineering Testing Proved High User Vigilance

During the phishing campaign, ScienceSoft's team ran several attack scenarios against 270 email addresses provided by the Customer. Most of the tested employees were cautious: they didn't follow the links in the malicious emails. However, one employee clicked the link and submitted the required data.

Simulating a vishing attack, our tester called the Customer's staff members and introduced himself as a Microsoft Azure support specialist who was trying to solve the problem with Azure Active Directory synchronization. The employees redirected the calls to the Customer's IT team. The in-house IT specialists contacted Microsoft support to validate the suspicious calls.

Based on the results of social engineering testing, ScienceSoft's experts evaluated employees' cyber resilience as high. They emphasized the necessity to educate newcomers on cyber threats and best security practices to be sure that a single person's failure doesn't compromise the whole security system.

Quick and Efficient Vulnerability Remediation

As a result of thorough penetration testing of the external and internal IT infrastructure components, the Customer learned about multiple critical security issues that could result in a security breach. With the detailed vulnerability description and corrective measures offered by ScienceSoft, its IT team could quickly improve the company’s overall security level.

Technologies and Tools

Metasploit, Wireshark, Nessus, Burp Suite, Acunetix, Nmap, Dirb.