Network Penetration Testing for a US Insurance Service Provider
The Customer is a US-based property and casualty (P&C) insurance company. They provide their services to homeowners, small businesses, leading retailers, mortgage lenders, etc.
The Customer was interested in checking the protection of their networks situated in two locations. The Customer needed to get penetration testing services to ensure the security of proprietary data and their clients’ personal information stored within these networks.
In terms of an 11-day project, ScienceSoft’s security engineers conducted two penetration tests following the black box approach. The security testing team carried out all the activities remotely.
The penetration tests allowed the security engineers to conclude that the Customer’s networks were well-protected. However, ScienceSoft’s security testing team detected several security weaknesses, which could result in data breaches if exploited. Among the revealed security vulnerabilities were the following:
- The use of outdated SSL/TSL protocols in both networks. Transferring data using these protocols was not safe as attackers could easily encrypt it.
- The configuration of certain servers allowed disclosing their IP addresses to unauthenticated users. Thus, potential black hat hackers could get the information on the servers’ internal IP addresses and further exploit other vulnerabilities existing in the Customer’s networks.
- Internet Key Exchange version 1 (IKEv1) aggressive mode was enabled. This security misconfiguration allowed cybercriminals to hack the pre-shared key of a VPN gateway and get unauthorized access to the Customer’s networks.
- Unauthorized users could send requests with malicious payload to the servers located in the networks and reveal the details about the directory structure. Thus, unauthenticated users could use this internal information to learn about other security weaknesses in the Customer’s networks.
Having completed the testing activities, ScienceSoft’s security engineers compiled a final report with a list of corrective measures to improve the security level of the Customer’s networks. ScienceSoft’s security experts recommended the Customer to change the servers’ configuration, use only updated encryption protocols, disable directory listing, etc.
The Customer got an expert testing of the protection level of their networks. ScienceSoft’s security engineers provided the Customer with detailed recommendations aimed to reduce the probability for cybercriminals to find attack vectors and access the Customer’s sensitive data.
Technologies and Tools
Metasploit, Wireshark, OpenVAS, Nessus, Burp Suite, w3af, Nmap, sqlmap, DIRB, ZMap.