
Security Testing of A Government Project

A Security Testing Project Case Study

Client

A government project with a budget of over 20M USD that provides a wide range of governmental services in 40 countries. Because of legal constraints, we are not allowed to disclose much information about this project or its services.

Challenges

The project needed to solve the following major problems within only 2 months:

  • Many attack surfaces, including Personally Identifiable Information (PII), system and network configurations, the Payment Process Application and the Approval Certificate Application
  • Minimal service downtime under attacks and failures such as DNS failure, DDoS and router failure
  • Diverse adversaries carrying out both targeted and untargeted attacks
  • Tight time and resource limits
  • Difficulty meeting and working with key stakeholders

Solutions

Our goal was to provide an effective and actionable blueprint for 2 months of security testing. The solution is designed to determine the feasibility of realistic, advanced attacks against sensitive data and services. It is a 4-phase solution, as follows:

Phase 1: Security Scope Identification and Information Gathering

Key activities:
  • Interview key stakeholders
  • Review and scan the network and systems
  • Define the scope
  • Identify the data collected and the data to be protected

How:

Work pairwise with the functional team and the development team to understand the application domains and identify the groups of adversaries.

Combine tools such as whois, nslookup, Netcraft, nmap and Google dorking to spot network threats and system misconfigurations.

Interview key stakeholders to identify protected data and the system architecture.

Phase 2: Threat Modeling

Key activities:
  • Understand the adversaries and the attacks they can perform
  • Identify both internal and external threats

How:

By understanding the motivating factors of all adversaries, three groups were identified.

Individuals and Small Groups: motivated primarily by profit and notoriety.
  • Unlikely to launch targeted attacks
  • Untargeted attacks; may not discriminate between victims

Political Groups: motivated by political gain.
  • Targeted attacks; may choose specific services and protected data

Organized Crime: motivated by financial gain and related systemic criminal activities.
  • Untargeted attacks; may not discriminate between victims
  • Targeted attacks; may choose specific services and protected data

Phase 3: Vulnerability Analysis, Exploitation and Test Execution

Key activities:
  • Assess security risk against the identified threats
  • Select attacks based on the risk assessment
  • Design real-world attacks
  • Launch the attacks
  • Gather results
  • Demonstrate empirical threats

How:

Identify and assess all risks against the threats. Create a risk-level matrix listing each risk's level, its impact and the action items.

Design and perform empirical attacks based on the data collected and the risk assessment.

Our attack anatomies include:

System Compromise: these scenarios demonstrate that, without ever targeting systems directly, an adversary can cause actions within the organization that could harm the services or data.
  • Step 1: Construct attacks such as XSS, buffer overflow, brute force and DDoS
  • Step 2: Construct the attack payload
  • Step 3: Launch the attacks
  • Step 4: Log in and manipulate records

External Attack to Manipulate Active Services:
  • Step 1: Exploit vulnerabilities in the server to gain control of the web server
  • Step 2: Pivot through the network to scan the internal network without detection and identify systems on another network segment that appear vulnerable
  • Step 3: Probe the network
  • Step 4: Compromise the access

Application Compromise:
  • Step 1: Exploit vulnerabilities in the application, with input fields considered
  • Step 2: Construct malicious payloads, such as executable or malicious code injected into images, SQL injection, etc.
  • Step 3: Launch the attacks
  • Step 4: Compromise the access or perform the intended actions

A combination of tools is used for greater effectiveness: Nessus, Nexpose, Exploit-DB, Metasploit, Burp Suite, ZAP, etc.

Phase 4: Reporting

Key activities:
  • Produce a risk assessment report
  • Document results to support additional policies and procedures
  • Present the risk assessment report to key stakeholders
  • Produce security and bug list reports
  • Document all procedures necessary for handover
  • Deliver security awareness training to the client's teams
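The vulnerability analysis phase above calls for a risk-level matrix that records each risk's level, its impact and the action items, and the reporting phase summarizes those findings for stakeholders. The following is an added example, not tooling from the engagement or the case study, showing one way to build such a matrix in Python. The 5x5 likelihood-by-impact scale, the level thresholds and the action mapping are assumptions chosen for illustration, and the sample threats are constructed to resemble the adversary groups in the threat model.

```python
"""Risk-level matrix builder.

Added example, not code from the original case study. It assumes a
5x5 likelihood x impact scoring scheme and the level thresholds below;
both are illustrative choices, not the engagement's own scale.
"""
from dataclasses import dataclass

# Action expected for each risk level (assumed mapping for this example).
ACTIONS = {
    "Critical": "Fix before go-live; retest within the engagement window",
    "High": "Fix within 30 days; track in the bug list report",
    "Medium": "Schedule in next release; add a compensating control",
    "Low": "Accept or fix opportunistically; document the decision",
}


@dataclass(frozen=True)
class Threat:
    name: str
    adversary: str      # e.g. "Organized Crime", "Political Group", "Individual"
    targeted: bool      # targeted vs. untargeted attack, per the threat model
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (severe)


def risk_score(likelihood: int, impact: int) -> int:
    """Score = likelihood x impact on a 1..25 scale; rejects out-of-range input."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError(f"likelihood/impact must be 1..5, got {v}")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Map a 1..25 score to a level (assumed thresholds)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def build_matrix(threats):
    """Return rows (threat, adversary, score, level, action), highest risk first.

    Ties are broken by impact so that a severe-but-unlikely issue is not
    buried under a trivial-but-common one with the same score.
    """
    rows = []
    for t in threats:
        score = risk_score(t.likelihood, t.impact)
        level = risk_level(score)
        rows.append({
            "threat": t.name, "adversary": t.adversary, "targeted": t.targeted,
            "impact": t.impact, "score": score, "level": level,
            "action": ACTIONS[level],
        })
    rows.sort(key=lambda r: (r["score"], r["impact"]), reverse=True)
    return rows


def summarize(rows):
    """Count findings per level, for the stakeholder report."""
    counts = {level: 0 for level in ACTIONS}
    for r in rows:
        counts[r["level"]] += 1
    return counts


# Constructed sample threats, loosely modelled on the adversary groups above.
SAMPLE_THREATS = [
    Threat("PII exposure via insecure direct object reference", "Organized Crime", True, 4, 5),
    Threat("DDoS against public portal", "Individual / Small Group", False, 4, 3),
    Threat("Defacement of approval certificate pages", "Political Group", True, 2, 4),
    Threat("Brute force on admin login", "Individual / Small Group", False, 3, 3),
    Threat("Information leak from verbose server banners", "Individual / Small Group", False, 5, 1),
]

if __name__ == "__main__":
    matrix = build_matrix(SAMPLE_THREATS)
    for r in matrix:
        print(f'{r["level"]:8} {r["score"]:>2}  {r["threat"]}  ->  {r["action"]}')
    print(summarize(matrix))
```

Running the block prints the matrix with the critical PII finding first, followed by the high-scoring DDoS and the three medium findings, and then a per-level count of the kind a stakeholder report would carry. The thresholds are deliberately kept in one place so that an engagement can replace them with the client's own risk appetite without touching the rest of the logic.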

Results

  • The testing addressed its primary goals, providing blueprints and solutions to protect the services
  • Security risks were minimized by assessing the infrastructure and application vulnerabilities and recommending solutions with proven methods to enhance security
  • 24 security bugs were raised, in the categories of input handling, authorization, XSS, data breach, insecure direct object reference, server configuration and firewall configuration. The findings surprised key stakeholders, given the limited testing time
  • Follow-up actions, mitigation plans and continuous procedures to minimize security risks were successfully defined
