SecQuest were engaged by a global financial management company, who had concerns that their cyber security controls could permit unauthorised access to client and company data. The Board were also unsure if the physical security controls, managing third-party access to meeting rooms, effectively protected access to their IT infrastructure.
Although the company’s security function did identify and remediate technical security weaknesses, the Board required assurance that the security function could detect and respond to a cyber attack in a timely manner.
In conjunction with the Board, SecQuest shaped an on-site ‘Red Team’ Penetration Testing Service that emulated the steps of a cyber attack – by a malicious user – who had gained internal access to the company building.
The Penetration Testing Service took a phased approach, with clear checkpoints at which we confirmed that the work was still meeting the Board’s requirements and reported the risks and issues found in each phase. The findings of each phase also confirmed, or adjusted, the scope and configuration of the next.
As an example, the ‘Network Attack Phase’ ran a covert attack whose noise level was increased in steps, to establish the threshold at which the security function detected our controlled attack. In parallel, another phase assessed the technical security vulnerabilities of defined key infrastructure components against accepted industry severity ratings, such as CVSS.
The Board’s concern that company infrastructure and information could be reached via their meeting rooms was realised when the SecQuest team gained a ‘toehold’ on the network through a meeting room PC. Several company systems used for file exchange were reachable from that PC, and through them the team obtained company user credentials.
With those credentials the team authenticated to the company domain and, using a cyclic probe-and-attack methodology (enumerate, exploit, harvest further credentials, repeat), escalated their privileges to domain administrator level, giving full control over company systems and information.
Company passwords were stored in a commercial password safe; however, a backup copy of its contents was held in an unprotected spreadsheet. That spreadsheet gave the team further access to CCTV systems, backup services, VoIP telephony and call recording systems, physical building access control management interfaces, public-facing web servers, and offsite backup data centre hosts.
The outcome was that the company was exposed to an attack launched from inside its network, and relied solely on physical perimeter controls to protect its information.
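The password-safe backup in an unprotected spreadsheet is the kind of finding that is cheap to hunt for before an attacker does. The following scanner is an added example written for this page, not SecQuest’s tooling: it walks a directory tree (a mounted file share in practice), extracts text from .csv and .txt files and from .xlsx workbooks by reading the sharedStrings part of the zip container (no third-party library), and flags files that combine a credential label such as “password” with secret-looking tokens. The directory layout, file names and file contents are constructed for the demonstration, and the regular expressions are heuristics that will need tuning for a real estate.

```python
"""Hunt for credential material left in spreadsheets and text files on a share.

Added example, not the case study's own tooling. Heuristic: a file is flagged
when it carries at least one credential label (e.g. "password") and at least
one secret-looking token. Sample files are constructed inside demo().
"""
import os
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Column headers / labels that suggest a credential store.
LABEL_RE = re.compile(r"\b(password|passwd|pwd|passphrase|secret|api[_ -]?key)\b", re.I)

# One character of a cell/token: no whitespace, CSV delimiters, quotes or '@'
# (excluding '@' keeps e-mail addresses from counting as secrets).
CELL = r"""[^\s,;@"']"""
# A secret-looking token: 8+ cell characters containing a letter and a digit or symbol.
TOKEN_RE = re.compile(rf"(?={CELL}*[A-Za-z])(?={CELL}*[0-9!#$%^&*()_\-+=]){CELL}{{8,}}")

SS_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


@dataclass
class Finding:
    path: str
    labels: int       # credential labels seen in the file
    secret_like: int  # secret-looking tokens seen in the file


def text_from_xlsx(path):
    """Return all shared-string cell text from an .xlsx (a zip of XML parts)."""
    with zipfile.ZipFile(path) as z:
        if "xl/sharedStrings.xml" not in z.namelist():
            return ""
        root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return "\n".join(t.text or "" for t in root.iter(SS_NS + "t"))


def text_from_file(path):
    """Extract text for the file types we understand; None means skip."""
    ext = os.path.splitext(path)[1].lower()
    if ext == ".xlsx":
        return text_from_xlsx(path)
    if ext in (".csv", ".txt"):
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read()
    return None


def score(text):
    """Return (credential labels, secret-looking tokens) counted in text."""
    return len(LABEL_RE.findall(text)), len(TOKEN_RE.findall(text))


def scan_tree(root):
    """Return a Finding for every file with both a credential label and a secret-like token."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            text = text_from_file(path)
            if text is None:
                continue
            labels, secrets = score(text)
            if labels and secrets:
                findings.append(Finding(path, labels, secrets))
    return sorted(findings, key=lambda f: (-f.labels, f.path))


def build_demo(root):
    """Create a constructed sample share: two credential leaks, two benign files."""
    files = {
        "exports/passwordsafe-backup.csv":
            "title,username,password\nVPN,svc_backup,Tr0ub4dor&3xx\nCCTV admin,admin,C4mera!Vault2019",
        "hr/phone-list.csv": "name,extension,email\nAlice,1234,alice@corp.example",
        "policies/password-policy.txt": "Password policy: rotate every 90 days.",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(body)
    # Minimal .xlsx container: only the sharedStrings part our reader needs.
    os.makedirs(os.path.join(root, "it"), exist_ok=True)
    cells = ["Name", "Username", "Password", "Domain Admin", "administrator", "W1nter-Is-C0ming!"]
    sst = (f'<sst xmlns="{SS_NS[1:-1]}">'
           + "".join(f"<si><t>{c}</t></si>" for c in cells) + "</sst>")
    with zipfile.ZipFile(os.path.join(root, "it", "safe-export.xlsx"), "w") as z:
        z.writestr("xl/sharedStrings.xml", sst)


def demo():
    """Build the constructed share in a temp dir, scan it, return (relative path, labels, secrets)."""
    with tempfile.TemporaryDirectory() as root:
        build_demo(root)
        return [(os.path.relpath(f.path, root).replace(os.sep, "/"), f.labels, f.secret_like)
                for f in scan_tree(root)]


if __name__ == "__main__":
    for rel, labels, secrets in demo():
        print(f"{rel}: {labels} credential label(s), {secrets} secret-like token(s)")
```

Only the two files that pair a credential label with secret-looking values are reported; the phone list (e-mail addresses, no label) and the policy document (label, no secrets) are not. Running a scan like this from the account used for file exchange, before an engagement, shows what an attacker holding a single set of user credentials would find.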
The SecQuest Penetration Testing Service gave the Board the evidence to invest selectively in their security function, in particular in monitoring and response capability, and to demonstrate a return on that investment by protecting company information to the level expected by their regulators, their clients and their own risk tolerances.
SecQuest continues to work with the Board providing timely technical assurance services for both their internal and internet-facing business systems.