On the ball or unaware

Issue 1 2025 | Information Security, Security Services & Risk Management

Whether an organisation is operating at a high level of information security maturity or has dangerous vulnerabilities that could put an entire business at risk, advanced, strategic penetration testing (or pentesting) can uncover its true state of IT security. This is according to Peter Chan, Operations Manager at South African cyber security provider BlueVision ITM.


Peter Chan, Operations Manager.

Chan says, “No matter how mature an organisation’s cybersecurity and risk frameworks are, pentesting is important to validate them. Pentesting is far more in-depth than vulnerability scanning, and it should not be a checkbox exercise. It should be tailored to meet specific needs, with pre- and post-testing engagement to help companies remediate critical vulnerabilities and develop a roadmap to improve their resilience over time.”

He highlights two case studies at the extreme ends of the maturity spectrum, illustrating the importance of pentesting and what it can reveal.

Client financial data at risk through third-party vulnerability

A small financial brokerage with limited in-house IT or information security resources engaged BlueVision to assess its vulnerabilities. The brokerage had an external-facing website and used a third-party ERP and CRM system. Previous general vulnerability assessments had found no vulnerabilities in the business’s environment.

However, during a BlueVision pentest, testers found they were able to cause errors on the ERP and CRM applications.

Chan says, “One of those errors had a very high verbosity level, and actually revealed usernames, passwords, and the location of the backend server. Exploiting a logic problem turned up this crucial vulnerability.”

This vulnerability had not been exploited, but presented a serious security and compliance risk. The brokerage could have risked reputational damage, financial damage and fines, and malicious actors could have used this exposed information to target individual users or clients in that space with very specific phishing campaigns.
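The error-verbosity problem Chan describes above, shown as an added example (not BlueVision's code and not the brokerage's ERP/CRM application): a debug-style error handler that copies live configuration and a stack trace into the HTTP response, beside a hardened handler that keeps those details in the server log under a reference id, plus a check a defender can run over captured error responses to confirm nothing sensitive is echoed back. The configuration values, the request logic that fails, and the list of sensitive keys are all constructed placeholders.

```python
"""Verbose error handler beside a hardened one, with a leakage check.

Added example. The config, the failing request path and the sensitive-key
list are constructed; none of it comes from a real ERP/CRM product.
"""
import json
import logging
import traceback
import uuid

log = logging.getLogger("erp.example")
log.addHandler(logging.NullHandler())  # demo only; production attaches a real handler

# Constructed stand-in for what a backend keeps in memory. Placeholder values.
APP_CONFIG = {
    "db_host": "erp-db.internal.example",
    "db_user": "erp_service",
    "db_password": "placeholder-password",
    "api_base": "https://backend.internal.example/api",
}

# Keys whose values must never appear in a client-facing response:
# usernames, passwords and the location of the backend server.
SENSITIVE_KEYS = ("db_user", "db_password", "db_host", "api_base")


def verbose_error_response(exc, config):
    """Weak pattern: a debug handler left on in production. It returns the
    exception, the full trace and the live configuration to the caller."""
    return {
        "status": 500,
        "body": {
            "error": repr(exc),
            "trace": traceback.format_exc(),
            "config": dict(config),  # exposes credentials and backend host
        },
    }


def hardened_error_response(exc, config):
    """Hardened pattern: details go to the server log under a correlation id;
    the client learns only that the request failed and how to reference it."""
    reference = uuid.uuid4().hex
    log.error("request failed reference=%s", reference, exc_info=exc)
    return {"status": 500, "body": {"error": "Internal error", "reference": reference}}


def simulate_request(handler, config, payload):
    """Run a constructed request and route any failure to the given error
    handler, the way a web framework's error hook would."""
    try:
        account = payload["account_id"]  # missing key triggers the error path
        if not isinstance(account, int):
            raise TypeError("account_id must be an integer")
        return {"status": 200, "body": {"account_id": account}}
    except Exception as exc:  # deliberate catch-all: this is the error hook
        return handler(exc, config)


def response_leaks_secrets(response, config):
    """Return the sensitive config keys whose values appear anywhere in the
    response body. Useful over a corpus of captured error responses."""
    text = json.dumps(response["body"], default=str)
    return [key for key in SENSITIVE_KEYS if str(config[key]) in text]


if __name__ == "__main__":
    for name, handler in (("verbose", verbose_error_response),
                          ("hardened", hardened_error_response)):
        resp = simulate_request(handler, APP_CONFIG, {})
        print(name, "leaks:", response_leaks_secrets(resp, APP_CONFIG))
```

The check is deliberately value-based rather than pattern-based: it asks whether the actual secret strings the server holds show up in what it sent, which catches leakage through any field, not only a field named "password".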

“Once we identify a true positive as part of our methodology, we notify the customer immediately of the most critical findings,” he says. “We do not cause panic, we just help customers understand the severity of the vulnerability, and remediate it. In this case, the customers were surprised to learn that a glaring error like this existed. We drafted a response for them, and they took it up with the third-party application developers to remediate the risk immediately. With other findings of lower severity, we helped them prioritise and remediate these risks.”

On the flip side, Chan notes that the customer’s website was sound and secure: “It passed all the tests that we threw at it. This illustrates the fact that one supplier’s standard is not necessarily applicable throughout all your supplier links. Organisations must identify weak links, both in-house and in third-party suppliers, and they must ensure that the standards meet the organisation’s requirements.”

As a result of the findings, the brokerage now engages BlueVision to conduct regular pentests to support security, risk management and compliance.

Security and risk teams pass with flying colours

Another BlueVision customer, a major IT distributor, uses pentesting to validate its internal processes. Chan says this customer has a high level of security and risk maturity.

“They have their own in-house security, a risk office, incident response plans, and best practices across the security stack. Even though they are mature, they require penetration testing by an independent party to verify that everything they have in place is working to their expectations.

“In this case, we did the pentest unannounced to their security team. To make it more authentic, we usually have a cloud-hosted environment with an international IP address, which we spin up and destroy after the exercise. Midway through the 5-day test and shortly after we had completed the reconnaissance phase, we got a call from them asking if we were the ones behind the activity. They were about to escalate the case to Interpol.”

The client’s IT and security teams had detected the pentesting activity moving from suspicious to malicious, and escalated the matter throughout the company’s security and risk stack – all the way to governance and management – all while preparing their incident response.

“They went a step further – instead of just blocking it, they also did the investigations necessary to trace where it was coming from and built up sufficient evidence to go to Interpol for a cease-and-desist request. This is impressive.”

An unannounced pentest is a good way to test your security team’s response. In this case, the test triggered everything from tech to governance. Every layer of the security stack took action, which was a big win for them. The customer works with BlueVision on an ongoing basis to test its processes and support cyber-resilience.
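To make the detection side concrete, here is an added example (not BlueVision's tooling and not the distributor's) that scores constructed web-server access log lines per source address and maps the verdict to an escalation tier, mirroring the suspicious-to-malicious progression described above. The log lines, IP addresses, probe-path list and thresholds are all assumed; a real deployment tunes them against its own traffic and feeds the verdict into its existing incident process.

```python
"""Per-source reconnaissance scoring over access logs with escalation tiers.

Added example. Log lines, addresses, probe paths and thresholds are
constructed; adjust them to the environment before relying on the output.
"""
import re
from collections import defaultdict

# Common-log-format line: ip ident user [ts] "METHOD path proto" status size
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Paths real visitors of a product site never request; a cheap recon signal.
PROBE_PATHS = ("/.git/", "/.env", "/admin", "/phpmyadmin", "/wp-login.php", "/server-status")

ESCALATION = {
    "benign": "none",
    "suspicious": "SOC analyst review; raise logging for the source address",
    "malicious": "open incident; block source; notify risk office and management",
}


def build_sample_log():
    """Constructed log: one external host sweeping the site, one normal visitor."""
    sweep = ["/", "/robots.txt", "/.git/config", "/.env", "/admin", "/admin/login",
             "/phpmyadmin/", "/wp-login.php", "/server-status", "/backup.zip",
             "/api/v1/users", "/console"]
    lines = []
    for i, path in enumerate(sweep):
        status = 200 if path in ("/", "/robots.txt") else (403 if "admin" in path else 404)
        lines.append(f'203.0.113.7 - - [10/Mar/2025:09:01:{i:02d} +0200] '
                     f'"GET {path} HTTP/1.1" {status} 0')
    for i, path in enumerate(["/", "/products", "/products/42", "/cart", "/checkout"]):
        lines.append(f'198.51.100.20 - - [10/Mar/2025:09:05:{i:02d} +0200] '
                     f'"GET {path} HTTP/1.1" 200 4096')
    return lines


def summarise(lines):
    """Aggregate request count, distinct paths, 4xx count and probe hits per source."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "errors": 0, "probes": 0})
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole batch
        s = stats[m["ip"]]
        s["requests"] += 1
        s["paths"].add(m["path"])
        if m["status"].startswith("4"):
            s["errors"] += 1
        if any(m["path"].startswith(p) for p in PROBE_PATHS):
            s["probes"] += 1
    return stats


def classify(s, min_paths=8, error_ratio=0.5, min_probes=3):
    """Breadth plus a high error rate plus known probe paths reads as a sweep;
    any single signal on its own only warrants a look."""
    ratio = s["errors"] / s["requests"] if s["requests"] else 0.0
    broad, noisy = len(s["paths"]) >= min_paths, ratio >= error_ratio
    if broad and noisy and s["probes"] >= min_probes:
        return "malicious"
    if broad or noisy or s["probes"] >= 1:
        return "suspicious"
    return "benign"


def triage(lines):
    """Map each source address to a verdict and the escalation it calls for."""
    result = {}
    for ip, s in summarise(lines).items():
        verdict = classify(s)
        result[ip] = {"verdict": verdict, "action": ESCALATION[verdict]}
    return result


if __name__ == "__main__":
    for ip, r in triage(build_sample_log()).items():
        print(f"{ip:16} {r['verdict']:10} -> {r['action']}")
```

The three-signal rule is the important design choice: a single 404 burst or one stray request to /admin gets an analyst's eyes, but only the combination of breadth, error rate and known probe paths opens an incident and pulls in the risk office, which keeps the escalation path the article describes from firing on ordinary noise.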

Custom pentesting for enhanced resilience

Chan says these two cases showcase the importance of pentesting for organisations of all sizes. “Your level of security is based on your weakest link, and pentesting can reveal what that is.”

“BlueVision tailors the penetration test process, as well as the pre-engagement and post-engagement, to align with our customers’ needs,” he says. “We plan the set of actions to test the most critical systems, and ensure that if vulnerabilities of a certain criticality emerge, they are addressed immediately. We then strategise on a roadmap of activities going forward via the lessons learned during the exercise itself. Whether the customer is a product development house, or is rolling out a service roadmap, we can assist with that.”

While BlueVision offers ad hoc pentesting, Chan recommends a longer-term retainer engagement to ensure resilience.


© Technews Publishing (Pty) Ltd. | All Rights Reserved.