A Security Project Case Study
A government project with a budget of over 20M USD.
The project needs to solve the following major problems within only 2 months:
- Many attack surfaces, such as Personally Identifiable Information (PII), system and network configurations, the Payment Process Application and the Approval Certificate Application
- Minimum service downtime under attacks and failures such as DNS failure, DDoS and router failure
- Diverse adversaries with both targeted and untargeted attacks
- Time and resource limits
- Key stakeholders who are hard to meet and work with
Our goal is to provide an effective and actionable blueprint for 2-month security testing. Our solution is designed to determine the feasibility of realistic, advanced attacks against sensitive data and services. This is a 4-phase solution, as follows:
Security Scope Identification, Info Gathering
Work pairwise with the functional team and the dev team to understand the application domains and identify the groups of adversaries.
Combine tools such as Whois, nslookup, Netcraft, nmap and Google dorking to spot network threats and system misconfigurations.
Interview key stakeholders to identify the protected data and the system architectures.
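The information-gathering tools listed above produce raw output that still has to be triaged against what the organisation actually intends to expose. As an added illustration (not code from this case study), the script below reads nmap's XML report format (the real `-oX` output option) and flags open ports that violate a review policy; the two hosts, their ports and the policy table are constructed sample data, and the policy itself is an assumption that a real engagement would replace with the stakeholders' own rules.

```python
"""Triage of constructed nmap XML output to flag externally exposed services.

Added example for the information-gathering phase; not code from the case
study. Assumes an nmap scan was saved with `-oX` and reads that XML; hosts,
ports and the policy table are constructed sample data.
"""
import xml.etree.ElementTree as ET

# Constructed sample: what `nmap -sV -oX scan.xml <target>` might write,
# trimmed to the elements the triage needs.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="pay.example.test"/></hostnames>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Review policy (an assumption of this example, not from the case study):
# services that should not be reachable from outside, with the reason to
# record in the finding.
POLICY = {
    ("tcp", 23): "telnet: cleartext remote administration",
    ("tcp", 3306): "mysql: database exposed directly",
    ("tcp", 3389): "rdp: remote desktop exposed",
    ("udp", 161): "snmp: management protocol exposed",
}


def parse_open_ports(xml_text):
    """Return (host, protocol, port, service) tuples for ports in state 'open'.

    Filtered or closed ports are skipped, so only reachable services are
    reported; the host label is the hostname when nmap resolved one.
    """
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        hostname = host.find("hostnames/hostname")
        label = hostname.get("name") if hostname is not None else addr
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            service = port.find("service")
            results.append((label, port.get("protocol"), int(port.get("portid")),
                            service.get("name") if service is not None else "unknown"))
    return results


def findings(xml_text, policy=POLICY):
    """Map each host to the policy violations among its open ports."""
    report = {}
    for host, proto, port, service in parse_open_ports(xml_text):
        reason = policy.get((proto, port))
        if reason:
            report.setdefault(host, []).append((proto, port, service, reason))
    return report


if __name__ == "__main__":
    for host, issues in findings(SAMPLE_NMAP_XML).items():
        print(host)
        for proto, port, service, reason in issues:
            print(f"  {proto}/{port} ({service}): {reason}")
```

On the sample data the filtered RDP port is ignored, the telnet port on the payment host and the directly exposed database and SNMP ports on the second host are reported, and HTTPS and SSH pass. Keeping the policy as data rather than hard-coded conditions lets each finding cite the stakeholder rule it violates, which is what the later mitigation plan needs.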
By understanding the motivation factors of all adversaries,
Individual Small Group:
Vulnerability Analysis, Exploit and Test Performance
Design and perform empirical attacks based on the data collected and the risk assessment.
Our attack anatomies include:
System Compromise: these scenarios demonstrate that, without ever targeting systems directly, an adversary can cause actions within the organization that could harm the services or data.
External Attack: manipulate active services from outside.
A combination of tools for greater effectiveness: Nessus, Nexpose, Exploit-DB, Metasploit, Burp Suite, ZAP, ...
- The testing addressed the primary goals, providing blueprints and solutions to protect the services
- Minimized security risks by assessing infrastructure and application vulnerabilities, and recommended solutions based on proven methods to enhance security
- 24 security bugs raised in the categories of input handling, authorization, XSS, data breach, insecure direct object reference, server configuration and firewall configuration. All findings were a big surprise to key stakeholders, given that the team was limited by the testing time available
- Successfully defined follow-up actions, mitigation plans and continuous procedures to minimize security risks