“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”
In both environments, our team of experts was able to operate through the eyes of a malicious actor, carrying out cyber attack simulations using real world TTP’s (tactics, techniques, and procedures). This approach enabled us to follow the realistic route of a potential hacker and identify any vulnerabilities they could exploit.
Following our pro-active testing methodology, our ethical hackers strategically conducted various stages of the penetration testing lifecycle. This included:
Although both penetration tests followed a similar assessment methodology, the projects themselves were extremely varied in terms of the endpoints and assets that were examined within their environment.
Web application penetration test
The areas of assessment we covered for geo included:
– Looking for broken access controls: Here we were looking to exploit potential vulnerabilities in geo’s security systems that grant access to accounts and data
– Identifying potential cryptographic failures: Our team were looking at uncovering passwords that potentially weren’t sufficiently encrypted and could be broken to reveal sensitive information
– Testing for security misconfigurations: Here we look at security controls that are left insecure or incorrectly configured that could expose systems to potential breaches
– Investigating potentially vulnerable and outdated components: If software is no longer supported by its developer, the component can become susceptible to cyber attacks – we were looking for vulnerabilities in unpatched software
– Searching for software and data integrity failures: If an application relies on plugins, libraries or modules from an untrusted source or repository, the infrastructure might fail to protect against integrity violations.
Internal and external infrastructure penetration test
Our internal and external infrastructure pen tests aim to assess the effectiveness of existing security policies and potential misconfigurations in essential networks and systems. This included:
– Exploring insecure configuration parameters: Insecure system configuration risks stem from flaws in the security settings, configuration and hardening of the different systems across the infrastructure, often resulting in ‘low hanging fruits’ for attackers looking to expand their foothold within an environment
– Examining potentially insufficient firewalls: Traffic on the external network/internet gets inspected by firewall software as it comes in and out, however our team look to exploit any vulnerable rules, policies and controls in the software
– Identifying unpatched systems and software flaws: Unpatched software means there are potentially vulnerabilities in a program or code that organisations are unaware of – something our ethical hackers want to utilise to their advantage
– Uncovering possible weak encryption conventions: A weak cipher is defined as an encryption/decryption algorithm that uses a key of insufficient length. Using an insufficient length for a key in an encryption/decryption algorithm opens up the possibility (or probability) that the encryption scheme could be broken into – our team aim to exploit any encryption weaknesses.
This assessment enabled geo to continue to comprehensively defend its valuable information from cyber attacks, and operate with an elevated understanding of what modern cyber security looks like in today’s threat landscape.
If you want to know more about how our Crest certified penetration testing services can improve your cyber resilience, you can find out more here and get in touch today