Tasks and Objectives
A large e-commerce company from Germany approached us concerning a comprehensive security audit. The requirements encompassed an external double-blind penetration test of the company's perimeter security as well as an audit of their critical internal systems. One main goal of the client company's chief security officer was to use the security audit by an external expert to raise security awareness within the company, especially at the C-level.
Fast Lane Services and Solution
A team of our experienced penetration testers performed all tests ordered by the client. The first phase encompassed a penetration test without any internal knowledge provided to the penetration testers. As the internal staff was also not informed about the test, this was a so-called double-blind test. This kind of audit tests the client's defenses as well as the staff's ability to detect breaches without being aware that a test is being performed. The audits performed in this phase included:
- Identification of the attack surface of the client's autonomous system and DMZ
- Breach of one of multiple servers within and outside of the client's DMZ
- Breach of client's OWA and SharePoint
- Blended spear-phishing attack targeting a small group within the company
- Targeted e-mail-based social engineering attack with the goal of acquiring screenshots of the client company's workstations
- Physical tailgating into the company's building
- Social engineering audit based on dropped USB sticks within the client's premises
During a second phase, a so-called grey-box audit of the internal systems was performed. Our penetration testers worked together with the client's system owners to perform in-depth audits of critical systems:
- Internal penetration test and configuration audit of the Windows domain
- Internal penetration test of the Linux systems
- Vulnerability scan of internal systems
- Audit of the SAP installation
- Interviews with system owners
The project was concluded with a presentation of the comprehensive security audit report to the company's top management. The report contained all vulnerabilities found and detailed remediation suggestions for top management, responsible team leaders and engineers.