A global telecoms supplier with important technical infrastructure in the UK commissioned QCC Global to perform a Physical Penetration (Tiger Testing Services) (further details in services section) at two key UK sites.
Through surveillance, research and social engineering the QCC Global team formulated a plan to infiltrate both sites at different times of the day and night. The goal was to penetrate as deep into the premises as possible using non-violent methods in order to evaluate and test existing physical security arrangements. A plan was executed that tested egress points at both locations. In addition an overt approach was made to the building security for access.
QCC Global was successful in gaining full access to both sites during the tiger testing assignment. A detailed and full report was delivered to the client that enabled them to fully understand the process we had used to gain access. The report also identified the failings in the internal security procedures that had enabled the QCC Global tiger team to penetrate into the main part of the building.
The client found this testing and reporting process invaluable in correcting the real world security vulnerabilities identified and exploited by the QCC tiger testing process.
IT Penetration Testing (East European Energy Client)
Having completed TSCM and physical penetration testing services for an East European energy client. We were asked to look at the companies IT systems and infrastructure based in London and a Baltic capital. The IT systems included internal company servers, a time management server system and the main company website.
QCC Global used our qualified IT Penetration testing engineers to examine and evaluate the IT systems, visibility and vulnerabilities from outside the companies premises. Using recognised penetration testing techniques and tools, “White Hat” ethical hacking procedures the servers and website were examined and tested.
The testing looked for common issues such as: weak password protocols, unchanged default login accounts, buffer overflow issues, insecure database services and format string attacks. In addition SQL injection, Cross-Site Scripting, broken authentication, insecure encryption implementation and redirects and forwards on the site that may have vulnerabilities were evaluated. Remote access administration services were examined as well as the potential for Denial of Service attacks.
At the conclusion of the testing process several issues were found that needed to be addressed, the vulnerabilities were presented in a post-test meeting and report, rating the issues as Critical, Important and Minor. QCC Global suggested remedial action for each of the issues uncovered during the test. QCC Global carried out extensive follow ups with the client to implement the patches and residual actions that were needed to make the inspected systems secure.
At the conclusion of the process the IT systems and Website were highly secured against unauthorised intrusion, cyber-attack and Denial of Service. The client implemented a program of ongoing testing to keep the existing and new IT systems at a highly secure and functional level.
Social Engineering Testing
There has been a massive rise in the use of social engineering attacks to help cyber attackers and criminals gain access to company and individual IT systems. A concerned company in Germany asked QCC Global to perform a cyber social engineering test at their premises in Berlin. After the initial consultation meeting with the client to gain an understanding of the companies operating procedures and culture, and the IT security polices and procedures in place. A plan for the social engineering test was formulated.
Based on previous experience QCC Global elected to use a variety of approaches including simulated phishing emails, focusing on collecting live user credentials in order to gaining access to users’ email accounts and the corporate network. Trojan horse USB sticks were left in and around the workplace containing appealing content. Any users who insert and execute the content on the USB sticks (with a harmless payload that report back to QCC Global) is registered. This has proved to be a very effective way for an attacker to escalate his/her privileges and gain access to the company network.
In addition targeted phone calls were also made to individuals within the company (including the IT helpdesk and other key personnel) and attempts were made to entice the staff members to divulge sensitive information. These above tests were very successful with over 80% of staff (being targeted during the operation), either giving up information to the QCC team via the phones calls or phishing emails. In addition the Trojan USB sticks were activated by several users. Some users even distributed the USB sticks to colleagues who then again activated the payload software. Giving multiple alerts and activations. The information breaches by staff were all against the companies distributed IT and security policy.
QCC produced a report that did not name individuals, but revealed to the company the extent of access and the success of the operation. The company implemented new IT security policies. QCC Global were commissioned to write a bespoke training course to be delivered to all staff on how to counter the threat from these types of attack. The course was written with the results of the Social Engineering test in mind.
The success of this operation was measured the following year with a re-test where significant improvements were observed, and very little access was achieved using similar methods.