Pentesting a major Insurance company

The Engagement

Background

The client, an insurance company, was looking to improve both its internal and external security posture. The company had informed Secmentis that it would also require web application penetration testing for its custom-built insurance customer-service web application.

The goal of the client company in engaging Secmentis to perform External and Internal Penetration Testing was to evaluate how effectively its IT security controls safeguarded its trade secrets and customer data, to understand what its vulnerabilities were, and to learn what should be done to fix them.


Objectives

The objectives of the penetration testing engagement were set as follows:

External Penetration Test

  • Infiltrate from the outside (i.e. from the point of view of an unknown, malicious, blackhat attacker) by any means necessary
  • Extract/Exfiltrate any kind of sensitive information (e.g. account credentials, customer data, trade secrets, etc.)
  • Attack the custom-built web application and extract customer data (without being provided with any account credentials)

Internal Penetration Test

  • Attack and compromise any sensitive servers (e.g. file server, domain controller, CRM server, etc.)
  • Extract/Exfiltrate any kind of sensitive information (e.g. account credentials, customer data, trade secrets, etc.)

Secmentis Penetration Tests are performed from a "black box" perspective (i.e. with zero initial information apart from the target company's name) in order to make the ethical hacking attacks more realistic.

Process

Secmentis uses the same tools and tactics that the bad guys use against your business. We use both manual and automated testing methods, and take advantage of both custom-built and industry-available tools.

For the Internal Penetration Test, a Secmentis consultant was placed on-site with the full knowledge of the IT manager. The results of the Internal Penetration Test shocked the IT manager and senior management of the company.

The External Penetration Test targeted a select number of the company's public-facing domains and services (e.g. website, email services, etc.), and especially its custom-built web application, and achieved great results.

At the end of our testing, a detailed report was provided to the company, including an executive summary, our technical findings with supporting evidence, and remediation recommendations.

Results

Secmentis consultants achieved spectacular results, some of which are summarized below.

Sensitive information that could be extracted: the company's employee data, proprietary source code, customer data, business data (e.g. plans), financial information (e.g. payroll), and other confidential data.
