The Customer is a mobile operator with more than 5 mln subscribers.
Being a company with 5 mln subscribers and almost 2,000 employees, the Customer possesses a large database of sensitive data (including financial information) which is an appealing target for intruders. Moreover, as a mobile services provider, the Customer should pay a lot of attention to the stability of their services.
To ensure that the existing security measures are effective enough to protect all the assets from unauthorized access, the Customer decided to evaluate the security level of the information system and the public web applications; identify possible vulnerabilities and eliminate any revealed security issues. Therefore the Customer was looking for a reliable partner providing penetration testing services.
A team of 2 ScienceSoft penetration testers was commissioned for this project. Penetration testing was conducted in 2 phases: testing of the network perimeter and testing of the public web applications.
To check the security state of the whole perimeter while keeping within time and budget, a combined approach to testing was chosen: fieldwork for the first 2-3 weeks, gathering information about the perimeter, public services, software versions, potential vulnerabilities; cooperative discussion and selection of N vectors (e.g. IP addresses) for testing. At this stage, all the selected elements of the Customer’s network (reachable according to the attacker models) were included in the scope.
Testing was carried out using the “black box” method – only the company name and the URLs of the web applications were known.
Testing of the public web applications
5 public web applications were selected for testing, including the business website, the online shop and the web portal for clients. During the website penetration testing, it was assumed that the intruder had Internet access exclusively.
Testing of the network perimeter
5 targets were selected for this stage, including domain name servers (DNS) and mail servers. Among the selected attacker models the following ones were used: intruder has access to the Internet, to GPRS/3G data services and other.
We aimed to detect at least the following vulnerabilities:
- The possibility to gain control over several network devices using a special control protocol
- Access to the systems using the default admin account
- SQL Injection susceptibility
- Possibility to get the administrative privileges and reading the database with sensitive data
- Systems susceptible to automated brute force
- Systems susceptible to Denial-of-service attacks
- Other less risky issues using social engineering attacks, spoofing, cross-site scripting, etc.
The penetration testing revealed a number of vulnerabilities with different levels of risk for the company assets.
Besides the revealed technical issues, the penetration testing helped evaluate the readiness of the company to recognize an attack and take prompt security measures to eliminate possible negative impact.
As a result of almost 4 months of work ScienceSoft team prepared a technical description of the detected system vulnerabilities with their classification according to how harmful for the system and business they potentially are. We also delivered actionable recommendations to eliminate the revealed security issues, as well as strategic security measures to secure the company’s resources in the long run.
Right after receiving the report the Customer started implementing the recommendations and eliminating the detected issues.
Technologies and Tools
Aircrack-ng, Acunetix Web Vulnerability Scanner, Burp Suite, Immunity Debugger, Metasploit, Nmap, OpenVAS, Skipfish, slowhttptest, sqlmap, XSpider, w3af, Wfuzz, ZAProxy.