“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”

IT Operations Manager
Simon Darley

CLIENT SUCCESS

geo

Web Application, Internal and External Penetration Test

The NHS Confederation is the membership organisation that brings together, supports and speaks for the whole healthcare system in England, Wales and Northern Ireland.
 
They support leaders in innovating and transforming, helping them to improve the NHS and the nation’s health and well-being.
 
The NHS Confederation joins the dots between different parts of the health and care system and connects members and partners, to share learning and develop solutions to common challenges.
Solution
Web Application, Internal and External Penetration Test

The Requirement.

geo understood that to assess their resilience against cyber threats accurately and effectively, a pro-active cyber security assessment needed to be conducted. Recognising the importance of specialist support to protect its enterprise from cyber attacks, geo decided to turn to our CREST certified penetration testers for the insights they needed.

The Solution.

After scoping geo’s requirements, our team set out to undertake both a web application pen test, as well as an external and internal infrastructure pen test.
In both environments, our team of experts was able to operate through the eyes of a malicious actor, carrying out cyber attack simulations using real-world TTPs (tactics, techniques, and procedures). This approach enabled us to follow the realistic route of a potential hacker and identify any vulnerabilities they could exploit.

Following our pro-active testing methodology, our ethical hackers strategically conducted various stages of the penetration testing lifecycle. This included:

Although both penetration tests followed a similar assessment methodology, the projects themselves were extremely varied in terms of the endpoints and assets that were examined within their environment.

Web application penetration test

Our web application penetration tests aim to identify potential cyber security vulnerabilities, resulting from insecure development practices in the design, coding and publishing of software or a website.

The areas of assessment we covered for geo included:

– Looking for broken access controls: Here we were looking to exploit potential vulnerabilities in geo’s security systems that grant access to accounts and data
– Identifying potential cryptographic failures: Our team were looking at uncovering passwords that potentially weren’t sufficiently encrypted and could be broken to reveal sensitive information
– Testing for security misconfigurations: Here we look at security controls that are left insecure or incorrectly configured that could expose systems to potential breaches
– Investigating potentially vulnerable and outdated components: If software is no longer supported by its developer, the component can become susceptible to cyber attacks – we were looking for vulnerabilities in unpatched software
– Searching for software and data integrity failures: If an application relies on plugins, libraries or modules from an untrusted source or repository, the infrastructure might fail to protect against integrity violations.


Internal and external infrastructure penetration test

The additional pen test, however, explored a separate set of controls and configurations.

Our internal and external infrastructure pen tests aim to assess the effectiveness of existing security policies and potential misconfigurations in essential networks and systems. This included:

– Exploring insecure configuration parameters: Insecure system configuration risks stem from flaws in the security settings, configuration and hardening of the different systems across the infrastructure, often resulting in ‘low-hanging fruit’ for attackers looking to expand their foothold within an environment
 
– Examining potentially insufficient firewalls: Traffic on the external network/internet gets inspected by firewall software as it comes in and out; however, our team look to exploit any vulnerable rules, policies and controls in the software
 
– Identifying unpatched systems and software flaws: Unpatched software means there are potentially vulnerabilities in a program or code that organisations are unaware of – something our ethical hackers want to utilise to their advantage
 
– Uncovering possible weak encryption conventions: A weak cipher is defined as an encryption/decryption algorithm that uses a key of insufficient length. Using an insufficient length for a key in an encryption/decryption algorithm opens up the possibility (or probability) that the encryption scheme could be broken into – our team aim to exploit any encryption weaknesses.

The Benefits.

Following all testing, we provided geo with an in-depth, evidentially supported analysis, with recommendations on how to actively avoid a cyber security breach from taking place in the future.

This assessment enabled geo to continue to comprehensively defend its valuable information from cyber attacks, and operate with an elevated understanding of what modern cyber security looks like in today’s threat landscape.

If you want to know more about how our CREST certified penetration testing services can improve your cyber resilience, you can find out more here and get in touch today.

“The assessment reinforced how quickly the threat landscape is changing, and has helped us understand and mitigate potential risks. If I had one piece of advice for someone who has never undertaken a pen test – do it before it’s too late. The rate at which technology is changing is extraordinary, and if you want to stay ahead of the evolving threat landscape, a regular pen test will certainly put you in good standing.”

“We were very happy with the professionalism and level of engagement with Stripe OLT. Having them onsite, actively testing our environment and witnessing how they operate, I couldn’t recommend them enough.”
geo
Paul Goodyer - Chief Operations Officer