Network Vulnerability Assessment for a US Mobile Services Provider
The end Customer delivers mobile services providing users with instant access to their credit reports and scores, alerts on any changes to their credit profiles, analysis of credit actions and tracking of results on a daily basis.
As the Customer was processing and storing credit card holders’ sensitive information, it was preparing to pass the PCI DSS validation required of all entities that handle cardholder data. To become PCI DSS compliant, the Customer asked ScienceSoft’s experts to perform a vulnerability assessment that would detect security issues and risks in the related systems, so that remediation could be prioritized and carried out before the validation.
ScienceSoft performed a vulnerability assessment of the Customer’s internal subnetworks and wireless Service Set Identifiers (SSIDs). The assessment consisted of the following phases:
Reconnaissance and Host Identification
The first phase was focused on identifying the Customer’s hosts through such reconnaissance methods as web searches, Internet Assigned Numbers Authority (IANA) queries, Domain Name System (DNS) crawling and website inspection for leaked host information. Live hosts were identified through a variety of methods, including standard Internet Control Message Protocol (ICMP) echo requests, Address Resolution Protocol (ARP) requests, ICMP timestamp requests, Transmission Control Protocol (TCP) SYN and TCP ACK packets, as well as raw IP packets.
Port and Application Analysis
The target subnetworks were scanned to enumerate open and listening ports and to fingerprint the running services and operating systems. This was done by sending requests to each host and analyzing its responses.
Automated vulnerability scanning was performed against the target subnetworks using industry-standard vulnerability assessment tools. Only “safe” tests were carried out, i.e. those not expected to crash a system or service.
False Positive Reduction
The vulnerability assessment results were correlated with version and fingerprinting information to inspect the running services more closely. Additionally, ScienceSoft’s experts manually verified the scanner results with dedicated inspection tools in order to remove false positives.
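The correlation step described across the phases above can be automated in a first pass: each scanner finding is matched against the service fingerprint for the same host and port, and a finding whose assumed product or version disagrees with the fingerprint is flagged as a likely false positive, while findings that cannot be confirmed either way are queued for manual verification. This is an added illustration, not ScienceSoft’s tooling; the Finding/Fingerprint schema is hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:  # one automated scanner result (hypothetical schema, not Nessus/OpenVAS output)
    host: str
    port: int
    plugin: str           # scanner check that fired
    claimed_product: str  # product the check assumes is listening
    claimed_version: str  # version the check matched on; "" if it did not check one

@dataclass(frozen=True)
class Fingerprint:  # service identified by active fingerprinting, normalised by hand
    host: str
    port: int
    product: str
    version: str          # "" when fingerprinting could not determine it

def triage(findings, fingerprints):
    """Return [(finding, verdict)] with verdict in confirmed / likely_false_positive / verify_manually."""
    by_socket = {(f.host, f.port): f for f in fingerprints}
    results = []
    for fd in findings:
        fp = by_socket.get((fd.host, fd.port))
        if fp is None:
            verdict = "verify_manually"        # scanner saw a service that fingerprinting did not
        elif fp.product.lower() != fd.claimed_product.lower():
            verdict = "likely_false_positive"  # check fired against the wrong product
        elif fd.claimed_version and fp.version and fp.version != fd.claimed_version:
            verdict = "likely_false_positive"  # version banner disagrees with the fingerprint
        elif not (fd.claimed_version and fp.version):
            verdict = "verify_manually"        # product matches but version cannot be confirmed
        else:
            verdict = "confirmed"
        results.append((fd, verdict))
    return results

# Constructed sample data; not results from the assessment described above.
SAMPLE_FINDINGS = [
    Finding("10.0.1.10", 3389, "RDP MiTM weakness", "Microsoft Terminal Services", ""),
    Finding("10.0.1.20", 80, "Apache httpd 2.2 EOL", "Apache httpd", "2.2.15"),
    Finding("10.0.1.30", 22, "OpenSSH < 7.0 weakness", "OpenSSH", "6.6"),
    Finding("10.0.1.40", 3306, "MySQL 5.5 EOL", "MySQL", "5.5.62"),
    Finding("10.0.1.50", 21, "Anonymous FTP", "vsftpd", ""),
]
SAMPLE_FINGERPRINTS = [
    Fingerprint("10.0.1.10", 3389, "Microsoft Terminal Services", ""),
    Fingerprint("10.0.1.20", 80, "nginx", "1.18.0"),  # scanner misidentified the web server
    Fingerprint("10.0.1.30", 22, "OpenSSH", "7.4"),   # scanner matched a stale banner guess
    Fingerprint("10.0.1.40", 3306, "MySQL", "5.5.62"),
]
```

Only the "confirmed" and "likely_false_positive" buckets are decided automatically; everything in "verify_manually" still needs the hands-on inspection the text describes.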
Though the Customer’s subnetworks showed a high overall security level, ScienceSoft’s team discovered a number of vulnerabilities that could potentially lead to the compromise and disclosure of sensitive information, causing financial losses or damaging the Customer’s business reputation. Among them were:
- An unsupported version of Microsoft Windows Server. The lack of support meant that the vendor no longer released security patches for the product. As a result, the Customer’s network contained a range of security vulnerabilities.
- The Remote Desktop Protocol Server (terminal server) was vulnerable to a man-in-the-middle (MiTM) attack that could allow an attacker to obtain sensitive information, including authentication credentials.
- Null session vulnerability. One of the Customer’s hosts could allow an attacker to log into it using a null session (i.e., with no login or password). Depending on the configuration, it might be possible for an unauthenticated, remote attacker to leverage this vulnerability to get information about the remote host.
- Several web interfaces were exposed to cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.
In general, the Customer’s network showed a high protection level. However, the vulnerability assessment revealed over 300 security issues of different severity levels, including critical ones that could lead to compromise of the Customer’s network and disclosure of sensitive data. The assessment allowed the Customer to fix the identified vulnerabilities and get ready for PCI DSS validation.
Technologies and Tools
Nessus, OpenVAS, nmap, arp-scan.