Miscellaneous case studies
Secura conducts hundreds of security assessments for major (listed) organisations every year. For reasons of confidentiality, we cannot present you with a list of our clients. To offer an overview of our clients' experiences, you will find some examples of anonymised projects. Specific references are, of course, available on request.
How can we help you? Read more about our services and trainings geared to the individual risk areas for a range of business sectors. Do you have any questions, or are you interested in a tailor-made quotation? Then do not hesitate to contact us; no strings attached!
Organisation in the field of healthcare
Project: Black box security test IT infrastructure
Target: Dial-in modem
For this organisation, Secura conducted a broad assessment of the technical security threats to the organisation's external connections. This organisation, which takes IT security very seriously, seemed to have matters well in hand. Until, that is, Secura looked into the dial-up connection. This dial-up connection is used, as it is in many other organisations, to provide admin access to the network when the internet connection is interrupted. The authentication for the use of said connection turned out to be handled in the client/server, rather than in the modem itself. By using a different client/server, Secura was easily able to gain access to the modem and thereby to the entire network behind it. After discussing our findings with the responsible parties within the organisation, the required measures were taken to remove the risk posed by this connection.
Well-known online shop
Project: Crystal box security test with code inspection
Target: Java in combination with WebSphere
A well-known online retailer fully rebuilt its online shop. Because this kind of rebuild carries a number of IT security risks, this client asked us to execute a crystal box security assessment with code inspection. During this kind of thorough assessment we 'play' with the application in order to find as many vulnerabilities as possible, and inspect the code for high-risk areas. This approach enables us to work very efficiently and uncover vulnerabilities that might otherwise have remained hidden. In this case we found a number of well-hidden, severe vulnerabilities that would, among other things, have allowed customers to make purchases on other people's accounts. We immediately notified our client and the online shop was able to alter this feature, which would have been very interesting to malicious individuals.
Project: Security awareness
This very large globally operating retailer wanted to make its IT and management officers more aware of information security threats. To this end, the retailer began a security awareness campaign. Secura advised on the campaign format and conducted many IT security awareness sessions in several countries. We enjoyed and appreciated seeing how enthused participants get about information security in general and IT security in particular during these sessions.
Project: Social engineering
This insurer wanted to know whether it was possible to gain physical access to their headquarters without permission, but also without breaking and entering. This required some inventiveness, but three of our planned attack scenarios turned out to be successful. Our hurried guest speaker was quickly believed by reception, provided with a badge and given directions to the meeting room. Once inside, our consultant quickly discovered the back door leading to the outdoor smoking area. This route allowed two other colleagues entry. After holding open the door for this insurer's smokers, they also entered the building. The final scenario, the elevator technician, also always works well. A nice set of coveralls, fake approval stickers and a toolbox opens many doors. The client later used the results of this social engineering attack in security awareness sessions. One's own mistakes, after all, are the best learning experience.