External and Internal Penetration Testing for Large County
Updated: Dec 18, 2022
Facing increasing cybersecurity threats, a large county that provides critical services to more than a million citizens needed to identify the most vulnerable points in its infrastructure. Its overall objective was to proactively close those gaps before attackers could exploit them and to build a resilient, secure infrastructure.
To validate its cyber defense capabilities, the county needed:
External penetration testing to discover and exploit vulnerabilities in hosts publicly accessible via the Internet. The pen test team would act as an attacker on the open Internet and attempt to breach those web-facing assets.
Internal penetration testing to assess the scenarios where an insider with legitimate access to the internal network, such as an employee, contractor, or vendor, accesses parts of the network they are not authorized to use.
While the county did have an internal cybersecurity team, it had never conducted a penetration test and wanted to engage a third-party expert in penetration testing. Hence, it engaged Strategic Alliance Consulting (SAC) to spearhead the project.
External and Internal Penetration Testing Solution
SAC deployed a team led by a senior cybersecurity ethical hacker with experience working for large, mission-critical public sector clients such as the Department of Defense (DoD) and NASA. After understanding the county’s requirements, the expert applied SAC’s five-step methodology:
1. Planning & Preparation Phase
• Identify goals and scope of penetration testing by meeting with stakeholders
• Strategize depending on the needs above
• Prepare by acquiring the appropriate access, permissions, and authorizations
2. Discovery & Intelligence Gathering Phase
• Collect comprehensive system data, usernames, and passwords
• Scan and probe into the ports
• Check for current vulnerabilities of the system
3. Penetration Attempt & Exploitation Phase
• Based on the findings of the Discovery phase, launch the attack using industry-standard tools such as Kali Linux, Nmap, or Metasploit
• Identify vulnerabilities, threats, and exploits
4. Analysis and Reporting Phase
• A comprehensive report is created that focuses on data-driven analysis and includes:
  • Risks of the vulnerabilities found and their impact on the business
  • Recommendations and solutions to address current and emerging threats
5. Mitigation Recommendations
• In-depth debriefing to management and technical teams
• Strategizing to prioritize and prepare a mitigation plan for the identified vulnerabilities
The penetration tester adopted the following approaches:
External Penetration Testing: This phase concentrated on issues such as dumped credentials, weak authentication, login portal access, and exposed VPNs and file servers, among others.
Internal Penetration Testing: This phase focused on unauthorized-access attacks so that the county could quickly identify and remediate any vulnerabilities.
All testing performed was based on the NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, OWASP Testing Guide, and SAC customized testing frameworks.
External and Internal Penetration Testing Results:
The penetration testing revealed that the county had an average risk of an external data breach. A few high-risk vulnerabilities were also discovered:
Unsupported Web Server Detection
The county’s remote web server ran an obsolete, unsupported version, leaving it highly exposed to emerging security threats.
Industrial System Access
The county’s industrial systems were reachable over the VPN, meaning that an attacker who gained VPN access could shut down or alter the behavior of critical infrastructure.
Cyber-Physical Attacks: Battery Backup Access
A variety of UPS control dashboards were still using default administrator credentials, meaning that an attacker could cause relatively untraceable disruption by gaining access to critical power sources.
Following the testing, SAC compiled a list of recommendations, including:
• Secure configuration of enterprise assets and software
• Create a configuration process for network devices and their deployment
• Manage default accounts on all enterprise assets
• Implement a patch management plan that tests and deploys patches in under 48 hours
• Segment the network and devices to provide defense in depth
• Use SSO and MFA to secure accounts
• Create dedicated admin accounts for higher-privilege tasks, and maintain an inventory of all admin and service accounts so that access can be quickly removed or reset as necessary
• Conduct general computing activities from the user’s primary, non-privileged account to minimize exposure
Thanks to SAC’s external and internal penetration testing, the county was made aware of its vulnerabilities and was provided with the remediations to close those gaps. This helped assure the privacy and confidentiality of citizen data while building a hardened, resilient infrastructure for the mission-critical services it delivers to its citizens. The county subsequently re-engaged SAC for a comprehensive NIST Cybersecurity Framework (NIST CSF) assessment to identify gaps in its governance, risk management, and compliance policies and procedures.