Shinjiru


Mobile Operator

Background

  • Mobile Network Operator with existing security assessment practices in place; IT operations outsourced to a global IT infrastructure provider.
  • Security vulnerability scanners, patching systems and application security practices already deployed.

Test Objectives

  1. Determine the maturity of the security posture with respect to current practices
  2. Ascertain the current security infrastructure’s resiliency against the latest threats
  3. Benchmark the current outsourced IT provider’s capability in ICT, including real-time security management

Assessment Observations

  • Found internal IP address schemes, admin logon IDs and passwords on a web server (link discoverable via Google)
  • Cross-site scripting errors potentially allowing unauthorised access to backend applications and databases
  • Web server and database applications not current on patches

End Results

  1. Identified gaps in patching, coding and assessment procedures
  2. Identified room for tighter integration with the existing outsourced provider
  3. Tighter lockdown of web applications that unintentionally exposed confidential data

Financial Services Institution

Background

  • Major financial institution with retail, corporate and financial services business in the APAC region
  • Established in-house Security Operations, supported by outsourced IT applications and an MSSP provider
  • Compliant with global security standards, but also required to comply with the local monetary authority’s technology risk management guidelines for periodic security assessment services

Objectives

  1. Determine the maturity of the security posture with respect to local compliance guidelines
  2. Ascertain the current security infrastructure’s resiliency against the latest threats and hacking attacks
  3. Benchmark the current outsourced MSSP provider’s practices against best practices

Assessment and Testing Observations

  • Managed to gain access to the internet banking application, resulting in a successful fraudulent transfer of funds to a third-party account
  • Managed to delete the application log of the above activity, due to a lack of log protection in the application
  • Managed to delete database records of the fraudulent transactions through cross-site scripting errors

End Results

  1. Complacency about current security practices, which require updating
  2. Identified gaps in vendor selection criteria, secure coding practices and application security assessment practices
