A national financial institution with over $6 billion in annual revenues engaged IOActive to perform an assessment of the institution and its enterprise-level information security strategy and capabilities. IOActive assessed the set of security objectives, processes, methods, tools and techniques that form the foundation of the institution’s Defense in Depth strategy and security program. IOActive identified strengths and weaknesses for each of the institution’s core security capability areas across the three dimensions of people, process and technology.
IOActive’s consultant team reviewed documentation of security controls in place, conducted on-site interviews of key members of management and staff, and performed physical surveys and observation of specific capabilities, processes, and technical safeguards to collect data for the assessment and analysis. IOActive also reviewed reports and work product prepared by the institution, its external auditor, and other entities engaged by the organization for previous security-related reviews. IOActive evaluated core areas of the institution’s information security program, to determine the maturity level of:
- Security Leadership
- Security Program Organization
- Security Policies and Procedures
- Security Management Processes
- User Management
- Information Asset Security
- Technology Protection and Continuity
Within these broad areas, IOActive assessed the institution’s capabilities in the following:
- Identity/Access Management
- Anti-Virus/Spam Control
- Perimeter/Network Defense
- Physical Security
- Secure Code Development
- Encryption
- Security Awareness
- Business Continuity Planning
- Risk Assessment
- Compliance
- Security Incident Response
- Patch Management
IOActive delivered a report to the institution that rated the strength of each Defense in Depth component against the desired future state, relevant regulatory requirements, international standards, and peer organizations. IOActive documented observed weaknesses and opportunities for improvement, and provided detailed recommendations for increasing the efficiency and effectiveness of security safeguards and controls. IOActive also participated in preparing material for presentation to the Audit Committee, and assisted with prioritizing subsequent major security initiatives.
As part of due diligence contracting efforts, IOActive was engaged to assist a regional financial institution with assessing the overall security posture of an application service provider’s technical operations, particularly as they pertained to the security protections the ASP would wrap around the financial institution’s sensitive customer data.
In evaluating the security of the hosted application service, IOActive reviewed the following areas for potential risks:
- Web application security
- Network security
- Physical / organizational security
For the network security assessment phase, IOActive reviewed network architecture information provided by the ASP and inspected network infrastructure at the ASP’s business office and co-location facilities. Additionally, IOActive coordinated with the financial institution’s internal Information Security staff who performed a remote network security scan of the ASP’s internet-facing systems to assess the security of their network perimeter.
For the physical and organizational phase, IOActive visited the ASP’s primary office facility and the site of its primary co-location facility, which is operated by a third party. In addition to reviewing the security controls and safeguards in place at the physical premises, IOActive interviewed ASP and co-location staff regarding security-related practices and procedures.
Despite what marketing materials and the sales team asserted, IOActive found that the ASP had not developed or adopted formal security policies or standards directed towards the design and implementation of the application under evaluation. There was also a lack of secure coding knowledge within the ASP’s software development organization. As a result of these factors, the application fell short of basic secure coding standards. IOActive consultants identified numerous security vulnerabilities through which internet-based attackers could access sensitive data without authorization, modify data, and even take over the application server systems themselves.
IOActive’s efforts dramatically altered the direction of contract negotiations between the ASP and the financial institution in favor of the financial institution. IOActive also helped the ASP remediate the risks in its code and server settings, so that all of its clients ultimately had better protection for their customers’ health and financial data.
A Global 100 software company hired IOActive to provide expert secure development lifecycle services for one of its most mission-critical products. IOActive is one of only three companies in the world that have conducted this level of audit on a commercially available product of this size and class.
IOActive’s consultant team reviewed threat model diagrams, data flow diagrams, call trees and internal kernel source code to identify and expose subtle yet very significant software security issues. IOActive’s team interviewed and coached the key project team members responsible for the identified areas of code, and provided further instruction during the remediation phase. This was the largest security code audit in the history of the software industry.
The results of IOActive’s participation in this engagement were significant. Through our proven software vulnerability management process, IOActive identified enough “zero-day” vulnerabilities in the product to have saved our client over 5 million dollars in emergency response situations and rapid patch deployment activities.
An international non-profit philanthropic organization with more than $30 billion in endowments and grant commitments commissioned IOActive to review a newly implemented set of security controls in place to protect their offices in the United Kingdom, Argentina, and Russia. Additionally, IOActive was asked to capitalize on our unique “hacker” perspective in evaluating the security controls put in place by the organization’s system administrators.
IOActive quickly footprinted the network using open source reconnaissance tools and manual techniques. We identified the active hosts on the network, vulnerable services on those hosts, and the version numbers of their operating systems. IOActive then proceeded inward from the network to the application layer.
IOActive found that the system administrators had been diligent in patching and minimizing unnecessary services on their perimeter network, leaving only four network services exposed. However, since the client had requested a “real world” attack scenario, IOActive used a spoofed email, posing as an internal administrator, asking our client’s employees to update their passwords through an IOActive-supplied secure website.
The IOActive team sent ten emails and within five minutes received four login credentials to the client’s network. The IOActive penetration testing (“pen-test”) team logged on to the VPN server, gained access to a web server in the DMZ, exploited a trust relationship between the web server and the database server which was located in a trusted network, and proceeded to compromise the client’s domain controller, TACACS system, payroll systems, and ultimately their building control systems.
IOActive was able to demonstrate that had this been an actual attack, the client would have been required to perform a complete rebuild of their IT environment from trusted media, resulting in millions of dollars in damages from down time, lost data, and breach notifications to their customers. IOActive provided the client with recommendations on changes to policy and procedures, as well as the implementation of two-factor authentication to mitigate the exposures revealed by our work, continuing to build on the level of security diligence already demonstrated by the system administration team.
IOActive was engaged by one of the largest research universities in the United States to identify and break into high-value, strategic business systems within a 16-hour time frame.
IOActive committed our teams in Canada, Europe, Argentina, and the United States to complete this strategic project. The IOActive team rapidly compromised multiple systems, including taking control of high-energy particle beam equipment. IOActive captured and recorded personal information that would have cost the institution over $700,000 in breach notification mailings. IOActive also compromised a database containing $350 million in financial assets.
IOActive demonstrated conclusively that without rapid remediation this university was exposed to severe risk to its operations, reputation, and financial viability. We delivered a written and oral report to help our client thoroughly understand our methods and the implications of our findings, and provided actionable recommendations for addressing the discrete and aggregated vulnerabilities reported.