*Note: Due to the sensitive nature of the information, all identifying information related to cyber security audits is redacted.
Following a close call resulting from a ransomware outbreak, [Company Redacted] hired Shinobi IT to perform a full security audit on their network. This audit included a full internal audit, a network vulnerability scan, a physical security audit, penetration testing, and a social engineering test.
[Company Redacted] is a mid-sized [Industry Redacted] firm located in [City Redacted]. Their IT and operations infrastructure is managed by an internal team headed by a very knowledgeable and organized IT manager who was responsible for building most of the infrastructure.
The customer’s primary concerns were a lack of cyber security experience on their team, a need for more visibility into potential weak spots in their infrastructure, and changing the culture of the company to take security more seriously.
Two months before they requested our audit, the customer fell victim to a targeted attack in which an employee of [Company Redacted] was sent a Word document containing malicious code. The employee opened the document, placing ransomware on their local workstation as well as the company file server. The in-house team was able to contain the attack and restore most of the lost data via their dated but functional backup system.
Following the attack, the IT manager reviewed the status of IT security on their network, their in-house skills, and the policies and procedures throughout the organization. He determined that the best way to improve their security posture was to hire an outside firm to assess and upgrade their infrastructure. Shinobi IT was retained, and our team started work immediately.
Shinobi IT’s initial step was to conduct interviews with key employees, review IT documentation and policy documents, and review company processes. This process review included everything from incident response to suite access. After the initial review was completed, Shinobi IT set about assessing all elements of the client infrastructure. This included network topology, Active Directory, file permissions, endpoint security, device auditing, patch management, backup systems, NIDS/NIPS, and the network architecture itself, as well as several other items.
The next step in our assessment was to perform a defensive security audit, starting with a network vulnerability scan. This scan compares every open and available service on the network to databases of known software vulnerabilities. These databases included lists maintained by the National Institute of Standards and Technology as well as multiple proprietary databases. The scan resulted in a comprehensive assessment of services inside the network that could potentially be vulnerable. After this was completed, we performed a similar scan of all ports and services available via the public internet and a review of the firewall. Combining these two reports, as well as our own penetration testing against publicly available services, we were able to paint a very thorough picture of network vulnerabilities.
The offensive phase of our security assessment started with an attempt to access the WiFi network as an intruder would. We started by assessing the footprint of the network, finding a place that we could covertly perform intrusions without being detected. We were able to access the guest WiFi, which was completely open to the public without any logging or filtering, but was also being occasionally used by employees. Using the guest WiFi network, we were able to gain access to sensitive account data. Our findings showed that the internal WiFi was also vulnerable as it used outdated encryption, giving us full internal access to the company network without being detected.
The second phase of the offensive security assessment was to analyze the client’s attack surface on the public internet for social engineering, phishing, and network attacks. We were able to successfully demonstrate a proof-of-concept network attack against an internet-facing service. We also found that the client had published too much employee information, and was very vulnerable to targeted spear phishing and social engineering attacks. During this process we also performed covert surveillance of the client site(s), and an overt assessment of physical security.
The final step in our offensive assessment was to stage attacks against the client in the form of social engineering and phishing attacks. The result of the phishing attack was significant, with approximately 75% of recipients opening the phishing email and visiting a custom-made rogue site, and approximately 25% supplying their login credentials. The social engineering assessment was completely successful, as our agents were able to infiltrate the client office(s) and gain full access to all company resources, client data, and finances.
Upon the completion of our defensive and offensive audits, Shinobi IT provided the customer’s IT department with a full review of our findings, as well as a road map for achieving a security baseline that was appropriate for the business. Shinobi IT presented to the non-technical senior management team, informing them that their IT department was very well run and was doing its job by bringing in an outside firm to perform this assessment. In plain terms, we were able to explain the risks and the technologies involved and help them to understand the level of investment that was appropriate for securing their infrastructure. Following this review, we also provided a training session to [Company Redacted] employees on cyber security best practices for end users.
After gaining buy-in from senior management and end users, and working closely with the in-house team, Shinobi IT implemented all major suggestions in the road map, including network vulnerability remediation, equipment and WiFi upgrades, process improvement, and network re-architecture. The client’s in-house operations team performed physical security upgrades to meet Shinobi IT’s suggested specifications. A follow-up audit will be scheduled annually.