Cybercrime has become a worrying trend over the past few years, affecting businesses across many sectors. Attackers continuously try to outpace companies' ability to defend themselves by probing every available entry point. It is no wonder that Cyber Crime Statistics 2023 projects that the global annual cost of cybercrime will reach 8 trillion USD this year.
Testing and exploiting your own company's vulnerabilities is a great way to understand the gaps in your applications, networks, and systems, and to learn how your defences hold up against a skilled opponent. One practical approach is penetration testing: a mature method for discovering and fixing security flaws before an attacker exploits them.
In the following lines, you will discover how Zitec's Security Team conducted voluntary pentest exercises for two of our clients. We hope the two case studies will prove useful in protecting your digital assets and adopting a proactive approach to your security practices.
Disclaimer: In order to ensure our clients’ ongoing safety, we’ll keep the company names anonymous.
Pentest exercise 1: Client A
One of our clients, let's call them Client A, reached out to us with a bold yet specific request: test the security of their web infrastructure in a controlled pentest exercise. Given the complexity of that infrastructure and the short time available, Client A found it hard to identify which systems were most exposed to outside threats.
We met with the client to scope the engagement: we inventoried the existing network resources (domains, addresses, and so on), then confirmed with the client the exact systems, applications, and IP ranges that would be subject to testing, and selected our main targets. Our first target was the administrative portal, the application that manages the content stored and displayed on the client's main web page; the main web page itself was our second target.
Once we found the first vulnerability, we adopted an attacker's mindset and continued our infiltration of Client A's systems. Through remote code execution, our pentest attempt eventually succeeded. By then we had exposed enough vulnerabilities to put together a detailed report, together with our team's recommendations.
During the final debriefing meeting with Client A, we discussed the pentest findings and advised on possible solutions, and we stayed close to the client during the remediation phase.
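Scoping in practice comes down to an allowlist of ranges and domains that every tester checks before sending a single packet, so that a controlled exercise never touches a host the client did not authorise. The Python below is an added example and is not Zitec's tooling or anything taken from the Client A engagement; all CIDRs, domain names and candidate targets are constructed placeholders drawn from the RFC 5737 / RFC 3849 documentation ranges. It also covers two edge cases that bite in real engagements: an explicitly excluded host inside an otherwise in-scope range, and a look-alike domain that shares a suffix with an in-scope one.

```python
"""Scope check for a controlled penetration test (added example, not Zitec's code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    networks: list = field(default_factory=list)   # in-scope ip_network objects
    domains: set = field(default_factory=set)      # lowercase in-scope domain names
    excluded: list = field(default_factory=list)   # explicitly out-of-scope networks

    @classmethod
    def from_rules(cls, cidrs, domains, excluded=()):
        """Build a Scope from the strings agreed with the client."""
        return cls(
            networks=[ipaddress.ip_network(c, strict=False) for c in cidrs],
            domains={d.lower().rstrip(".") for d in domains},
            excluded=[ipaddress.ip_network(c, strict=False) for c in excluded],
        )

    def ip_in_scope(self, addr):
        """True if addr is inside an in-scope network and not inside an excluded one.

        Exclusions win: a client often carves a production database or a third
        party's host out of a range that is otherwise fair game.
        """
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in self.excluded):
            return False
        return any(ip in net for net in self.networks)

    def host_in_scope(self, name):
        """True if name equals an in-scope domain or is a subdomain of one.

        The match is on a dot boundary, so "evilexample.com" does not match
        "example.com" even though it ends with the same characters.
        """
        name = name.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in self.domains)

    def check(self, target):
        """Classify one target; returns (target, in_scope, kind)."""
        try:
            return target, self.ip_in_scope(target), "ip"
        except ValueError:          # not an IP literal, treat as a hostname
            return target, self.host_in_scope(target), "hostname"


def filter_targets(scope, targets):
    """Split candidate targets into (allowed, rejected) lists."""
    allowed, rejected = [], []
    for t in targets:
        _, ok, _ = scope.check(t)
        (allowed if ok else rejected).append(t)
    return allowed, rejected


# Constructed placeholder scope: documentation ranges and an example domain,
# not a real client's assets.
EXAMPLE_SCOPE = Scope.from_rules(
    cidrs=["203.0.113.0/24", "2001:db8::/32"],
    domains=["example.com"],
    excluded=["203.0.113.250/32"],       # hypothetical host the client carved out
)

# Constructed candidate list, as a recon tool might produce it.
EXAMPLE_TARGETS = [
    "203.0.113.10",          # in range
    "203.0.113.250",         # in range but explicitly excluded
    "198.51.100.5",          # outside every agreed range
    "2001:db8::1",           # in the IPv6 range
    "admin.example.com",     # subdomain of an in-scope domain
    "evilexample.com",       # look-alike, must be rejected
]

if __name__ == "__main__":
    allowed, rejected = filter_targets(EXAMPLE_SCOPE, EXAMPLE_TARGETS)
    print("in scope :", allowed)
    print("rejected :", rejected)
```

Feed the allowlist from the signed scoping document rather than from memory, and keep the exclusions list in the same file so that a host removed from scope mid-engagement is dropped everywhere at once.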
Pentest exercise 2: Client B
Another client, let's call them Client B, acknowledged the potential cyber threats they faced and contacted us for a full security audit consisting of a white-box penetration testing assessment of their main applications: the customer and administrative platforms.
Client B's infrastructure exposes functionality for product presentation, user management, order flows, payment services, and administrative portals. Given the sensitivity of the data that flows through the whole ecosystem, the client was an attractive target for cyber-attacks.
During our analysis, we found a critical vulnerability in the customer portal. Knowing that an attacker always seeks the highest access level they can obtain, we also carefully investigated the remaining components of the architecture, so that we could see the bigger picture and potentially discover further vulnerabilities.
At the end of the assessment, we aggregated the findings from code review, from manually attacking the application, and from our tools into a comprehensive report presented to the client. Our team also delivered cyber security training for the client's development team to improve the developers' general security knowledge across the technologies they use.
We’re always open to discussions about all things security related, so if you have any questions or concerns about your organization’s security level, feel free to get in touch at any time.
Editor’s note: This blog post was originally published on February 25th, 2022, and has been revamped and updated for accuracy and comprehensiveness.
About Zitec
One of Europe's largest and most prominent end-to-end software development services companies, Zitec is the digital transformation partner to companies across over 30 countries and regions, such as the USA, Canada, the UK, Romania, Cyprus, Germany, Italy, Denmark, and the Middle East.
Zitec is one of the few Romanian companies certified Google Cloud Premier Partner, Microsoft Solution Partner - Digital & App Innovation, Microsoft Advanced Specialization - Infrastructure Migration to Azure, Amazon AWS Technology Partner, and provider of the VTEX cloud eCommerce solution platform, as well as Adobe Solution Bronze Partner. The company is ISO 9001, ISO 27001, and CREST certified, and is acknowledged by DNSC as a NIS Security Auditor. Furthermore, The Manifest recognized Zitec as one of the Global Dev & IT industry frontrunners for 2022, being one of the most reviewed Cloud Consultants in the world.