technical, physical & social engineering testing

Problem


A regional utility with nearly 80,000 customers was having recurrent attempted and successful security breaches and attempts at one of its sales and operations offices and a nearby substation. Because of this vulnerability, there was an imminent threat of a cyber attack that would affect the regional power grid as well as result in the theft of sensitive information. The utility increased its visual security efforts by posting additional signs, perimeter cameras and fencing. Despite these efforts, threats and breaches to their physical security continued. The utility brought our team in to assess ongoing vulnerabilities and make the infrastructure more secure, and to ultimately protect and secure company assets and customer data and service.


Solution


When our team conducted its initial security assessment, It became immediately clear that current security strategies were insufficient. The office buildings had numerous security vulnerabilities as a result of internal and third party security weaknesses. Additionally, security technology was dated as was easily manipulated and breached. By simulating real cyber-physical attacks, we were able to demonstrate to the client how weak their security measures were, even after their perceived increase in security controls. We did this by, for example, exploiting numerous blind spots in security cameras, using social engineering attacks to get third party contractors to give us access to sensitive inner-office areas, and exploiting weaknesses in electronic access controls to allow us entry into other restricted areas. Out of eleven areas of assessment, we were able to breach nine. After implementing improved security controls, we were able to reduce that number to two.


Results


By testing and exploiting major security weaknesses, we were able to provide to this client the answers to their continued problems with security vulnerabilities. We used new technologies and strategies to assess vulnerabilities, and used similarly new technologies to patch them. By working with the client to update their policies and procedures as they relate to third party contractors, using social engineering mitigation training, and using better cyber-physical security controls and technologies, we were able to resolve 88 percent of this company technologies, we were able to resolve 88 percent of this company’s security vulnerabilities. As a result, the company was able to save significant money by paying lower insurance premiums, as well as costs that would incurred due to a massive security breach.

image17

Problem


One of the 75 largest automotive groups in the United States completed a multi-week security assessment. Several vulnerabilities were found in their IT infrastructure, and those holes were patched. After re-testing with the same penetration testing tools, the project was considered a success and was completed. Just several weeks later, a hacker found his way in and could have taken down the entire internal network, and with it all of the customer data, financial records including payroll and accounts payable and receivable, vehicle delivery information and scheduling, and other sensitive information. The v26 team was contacted.


Solution


Confronted with a need to gather information from a threat assessment standpoint, our team worked with this organization to locate security holes that were missed by the automated penetration testing that was performed weeks earlier. It became clear that employees were unfamiliar with methods by which hackers can bypass their firewalls and other security hardware and software using newly developed attacks coupled with technical social engineering. By simulating spear phishing as well as other attacks, we were able to demonstrate to the client how their network and infrastructure continued to be vulnerable to cyber attacks that were not detectable using automated scanning tools. We completed a fresh analysis of the client’s then-current security protocols and discovered new attacks to which they were vulnerable. We were able to utilize security awareness training to help strengthen their security weaknesses based on a customized security assessment.


Results


As security threats are ongoing and always changing, conversations and assessments continue on an ongoing basis. We were able to help this client save more than $100,000 and a public relations nightmare by showing them what was missed in a standard series of penetration tests. By simulating real world attacks, we were able to illustrate to the client how much their vulnerability could cost them. While cyber criminals count on new exploits and a lack of security awareness on the part of their small and medium business targets, we were able to catch these vulnerabilities in time. in time. We continue to monitor this client’s risk.