The Problem

JUMPSEC WAS CONTACTED BY THE CHIEF INFORMATION SECURITY OFFICER (CISO) OF PROMINENT UK INSURANCE COMPANY. THE COMPANY HAD SUFFERED AN INCIDENT WHEREBY ALL THEIR EMAILS HAD BEEN TREATED AS SPAM, AND BLOCKED BY A NUMBER OF LARGE INTERNET SERVICES PROVIDERS AND TIER 1 CARRIERS. THE CAUSE OF THIS WAS IDENTIFIED TO BE AN ‘OPEN MAIL RELAY’ VULNERABILITY ON THEIR MAIL SERVER, WHICH HAD BEEN EXPLOITED BY A SPAMMER.
THE DISCOVERY OF THIS VULNERABILITY RAISED GRAVE CONCERNS OVER THE INTEGRITY OF PREVIOUS PENETRATION TESTING RESULTS.

The Solution

A series of tests were commissioned with JUMPSEC, as a new provider, to establish the following:

• What was the level of security in the Organisation’s external infrastructure and web applications?
• How effective was the physical security at their 3 primary UK sites?
• What level of security awareness was held among their staff?
• How resilient was the internal network security to an unauthorised and low level user attack?
• What level of security protects the Organisation’s information when stored on authorised thumb drives or laptops?

In addition to these areas being challenged in isolation, the CISO also wanted to know what level of impact might be achievable should information from any one area be used to further attacks in others.

The following testing was conducted as part of this review:

• Penetration testing against all external infrastructure
• Application testing of all public facing web applications using the functionality and user levels available to any member of the public
• Physical penetration testing of the 3 primary UK locations 
• Social engineering, both electronic in the form of spear phishing, over the phone and face to face
• Stolen laptop testing

External Infrastructure and Application Penetration Testing identified that the systems were for the most part well configured and secure. The mail relay issue was indeed resolved. The applications tested had been well developed, and although there were a few security vulnerabilities identified, none would have put the organisation at an unacceptable level of risk.

The Physical Testing exercise identified significant issues with the organisation security processes. It was possible to enter and roam unchallenged in all three locations with little difficulty, utilising socially engineered entry and tail gating. Once inside the buildings there was no effective control or segregation of areas. A wireless bridge was installed to a network socket behind a photocopier which was then successfully used to conduct internal testing from the car park. The wireless bridge required authentication and used strong encryption to ensure that only JUMPSEC consultants could access it. The device went undiscovered for a three week period, whereupon our client kindly returned it to us.

Internal Penetration Testing discovered a number of procedural failings, with insecure services being used for administration, password policy being weakly enforced and patching policy not being enforced thoroughly. This led to a number of key servers being infiltrated, which in turn lead to the domain being fully compromised. This coupled with the wireless bridge represented a critical risk.

The Stolen Laptop Testing demonstrated that data was securely encrypted when the laptop was powered down.

Social Engineering was used throughout the testing and contributed to facilitating entry to the buildings, extracting various passwords to the network.

The projected impact should this attack be carried out by a determined attacker is severe; Total compromise of confidentiality, integrity and availability of the entire organisation\’s system and data assets being achievable.

The Result

JUMPSEC’s comprehensive report was used as a baseline tool to enhance the security in the areas which needed it most. Our Client was able to arrange an emergency contingency budget from the board to address the significant issues which included;

• Installing card controlled access throughout the buildings
• Implementing an updated security awareness training programme
• Tightening policy control for the distribution of passwords
• Decommissioning legacy systems
• Enhancing network logging and monitoring
• Tightening policy on administration of key infrastructure

The Problem

HERTFORDSHIRE COUNTY COUNCIL WORKS WITH CENTRAL GOVERNMENT AND OTHER ORGANISATIONS TO DELIVER SERVICES SUCH AS LOCAL SCHOOLS, LIBRARIES, SUPPORT FOR ELDERLY/VULNERABLE PEOPLE AND THE ROADS AND PAVEMENTS TO MORE THAN A MILLION PEOPLE WHO LIVE, WORK, AND TRAVEL IN THE COUNTY. SERVICES ARE ALL PROVIDED BY THE COUNTY COUNCIL.

EMPLOYING OVER 33,000 PEOPLE, AND OPERATE FROM 4 KEY LOCATIONS AS WELL AS APPROXIMATELY 250 OTHER SITES, HERTFORDSHIRE HAVE INVESTED HEAVILY IN INFORMATION TECHNOLOGY TO STREAMLINE THEIR BUSINESS PROCESSES AND ENSURE COST EFFECTIVE DELIVERY OF THE SERVICES THEY MAINTAIN.
SUCH A LARGE, COMPLEX AND DYNAMIC IT ENVIRONMENT IS A MAJOR CHALLENGE TO KEEP SECURE.

The Solution

Hertfordshire have implemented a regular testing and assurance programme with JUMPSEC as part of their operational security lifecycle to protect their assets.

Jaswant Golan, Hertfordshire’s Information Security Manager, says:

“The quality of JUMPSEC’s testing and reporting, coupled with their well managed and flexible approach to delivery, make them a preferred supplier when it comes to penetration testing and assurance.

What JUMPSEC understand is that the key to managing information security effectively is to gain a clear understanding of the risks affecting to your technology, your people and your process.

I heartily recommend JUMPSEC to anyone looking for a reliable supplier in this high profile area.”

The Result

By implementing a regular penetration testing and assurance programme into their operational security lifecycle, the council are now able to continually measure and improve the performance of their systems and networks with regards to security, ensuring that council assets and information are appropriately protected at all times.

If you are interested in learning more about JUMPSEC’s operation security assessment programmes and development lifecycle services please don’t hesitate to get in touch.

We would be delighted to help keep your organisation secure in the same way.

The Problem

JUMPSEC WERE ENGAGED BY GAME-TECH TO PERFORM AN URGENT ASSESSMENT OF A MULTIPLAYER GAME AND CODEBASE ON BEHALF OF THEIR CLIENT. IT WAS SUSPECTED THAT THE GAME\’S INTEGRITY HAD BEEN COMPROMISED, AND THERE WAS A PRESSING NEED TO IDENTIFY AND FIX THE ISSUES.

“JUMPSEC WERE INSTRUMENTAL IN HELPING US IN WHAT WAS A VERY SENSITIVE AND TIME CRITICAL MATTER.”

“JUMPSEC EXCEEDED OUR EXPECTATIONS”

“THE QUALITY AND PRESENTATION OF THE FINDINGS WERE OF THE HIGHEST ORDER.”

“I HAVE NO HESITATION IN RECOMMENDING JUMPSEC AS A PROVIDER OF PENETRATION TESTING AND WILL BE USING THEM AGAIN”

The Solution

After a rapid scoping process an approach was agreed, and an application security review was organised,comprising of both application penetration testing and application source code review.

As the game is client-server based, written mainly in C++ and python, testing involved the decomposition of the client and server code, whilst mapping functions and calls to the relevant security controls. It was found that through a number of techniques such as DLL injection, manipulation of messaging functionality and injection attacks, vulnerabilities could be recreated to enable the attackers to gain a significant advantage in the gaming environment.

JUMPSEC provided a detailed report outlining all the issues as well as workable mitigation strategies to enable the Game-Tech to promptly address these issues.

Ian Johnson, Client Programme Manager, and Managing Director of Game-Tech said of JUMPSEC:

“JUMPSEC were instrumental in helping us in what was a very sensitive and time critical matter. We had initial concerns due to the highly technical nature and complexity of our code base that value from testing might be limited. Thankfully JUMPSEC exceeded our expectations in their grasp of our technology, and were up and running in a matter of days, building a complete test environment as part of the project and demonstrating their deep understanding of this field. The quality and presentation of the findings were of the highest order, as was our experience throughout the testing process. I have no hesitation in recommending JUMPSEC as a provider of penetration testing and will be using them again.”

More information on Game-Tech can be found on their website:

www.game-tech.co.uk

If you would like to learn more about JUMPSEC’s application assessment services, we would love to hear from you.

The Problem

JUMPSEC WAS CONTACTED BY A LARGE RETAILER IN THE PROCESS OF DRIVING SALES ONLINE, AND AS SUCH, HAD AN AGGRESSIVE SOFTWARE DEVELOPMENT PLAN IN ORDER TO ACHIEVE THIS. THE NATURE OF THE ENGAGEMENT WAS TO CONDUCT WEB APPLICATION TESTING AGAINST THE COMPANY’S APPLICATIONS PRIOR TO THEM GOING INTO PRODUCTION.

AS A RESULT OF OUR TESTING, HIGH RISK SECURITY ISSUES WERE CONSISTENTLY IDENTIFIED IN THE APPLICATIONS’ LOGIC WHICH REQUIRED ON AVERAGE, A SIX WEEK REMEDIATION PROCESS AND DELAY TO RESOLVE. THIS WAS A SUBSTANTIAL DEVELOPMENT OVERHEAD, AND CAUSED SIGNIFICANT FINANCIAL IMPACT AND DISRUPTION TO THE HARD BUSINESS DEADLINES.

The Solution

To address this problem, JUMPSEC worked with the Client to embed security into the development lifecycle. This work took the form of a series of workshops, reviews and the implementation of enhanced security practises during development lifecycle as follows;

Defining security objectives alongside the business objectives

This was conducted as a short workshop using trusted risk assessment methodologies to establish the business criticality and sensitivity of the system as well as the data it would hold. Key areas of concern were noted, relevant legislation and standards (such as the Data Protection Act and PCI DSS) were also identified. The security objectives were then clearly defined and ratified, and could be stated in the programme plan.

Performing early stage threat modelling

Threat modelling was conducted when functionality had been defined and use-case scenarios were documented. At this stage, only a small amount of coding had taken place and it was still possible to make decisions as to what framework and technologies would be finally employed. By combining the use-case scenarios with the security objectives from the previous stage, a trust model was created, mapping out all the trust boundaries, and defining their significance. A security architecture was then defined and coding guidelines drawn up for the security model of the application.

Conducting training and knowledge transfer workshops

In order to effectively utilise the coding guidelines it was necessary to ensure that the development team was comfortable working with them. A workshop was run with the development team to promote awareness of the security concerns, and discuss effective ways of implementing the guidelines without compromising the business efficacy of the application. This workshop ensured the effective transfer of knowledge between the JUMPSEC security experts, and the project development team.

Performing early stage testing and code review

As soon as early stage code became available, reviews were conducted to ensure elements such as the authentication and authorisation modules were aligned with the security needs, and address any issues identified at this early stage.

Being on call as an expert security resource throughout the project

Throughout the project, JUMPSEC where on hand as a virtual security programme resource to answer questions, take part in debate and offer insight.

Conducting a thorough pre-production security assessment

When the final security assessments were conducted, there were no significant vulnerabilities identified within the application logic. Some low impact issues would be identified with the web server deployment; however these did not represent a significant time or cost impact to resolve.

The Result

The Client now has an effective development lifecycle, with security being well integrated into the programme from the earliest stage. Due to this increased visibility, the Client is able to plan effectively for marketing events, holidays, and other deadlines which affect their business. Projects are delivered to deadline; issue remediation has been cut down to an average of 5 days and is now a planned component of the programme.