Penetration Testing Case Study

The internal audit department at a very large financial institution was concerned about actual risk exposure to their internal environment. The IT security department which is an entirely separate division of the company had engaged a national firm in prior years to conduct their security assessments, but leaders of the internal audit division questioned the thoroughness of the assessments and sought a professional firm with enough expertise to determine if the past assessments were accurate.

TrustCC was called and an engagement scheduled to perform an internal security assessment at the organization. The larger, national security firm that had performed previous assessments had noted only minimal vulnerabilities – which is typical of a company that only runs automated tools. After just 3 days of effort, TrustCC consultants identified massive security weaknesses and obtained complete enterprise administration privileges in their environment. It only took a few minutes to identify poor control practices regarding the use of administrative level accounts and passwords.

These issues were discovered using manual techniques and our deep knowledge of IT practices in general. The methods by which these types of issues are discovered require actual human knowledge and intervention and will often go undetected by automated tools.

Once the results were gathered, a report was prepared which gave the audit department the ammunition necessary to change the way the organization managed their security controls. TrustCC consultants also worked with the audit department and the IT security personnel to demonstrate and explain the methods used to discover their vulnerable systems so that the organization did not have to rely on a third party vendor to identify weaknesses.