Case studies: public sector
Secura conducts cutting-edge security assessments for (semi-)public sector institutions at the national, provincial and municipal level. For reasons of confidentiality, we cannot present you with a list of our clients. To give an overview of our clients' experiences, you will find below some anonymised examples of projects Secura has been involved in. Specific references are, of course, available on request.
What can we do for you? Read more about our services and training courses suitable for different at-risk areas in diverse sectors. If you have any questions or would like to request a personalised quote, please feel free to contact us without obligation.
National public sector organisation
Project: crystal box security test with code inspection
Target: Web application with Java (server side)
This government institution commissioned a web application to consult a national register and supply it with data. Because this register contains sensitive information, security and privacy are very important. Insufficient attention turned out to have been given to IT security.
Secura concluded that elementary security measures were lacking in many places. No input or output validation was performed anywhere. This allowed us to use SQL injection in many ways, giving unauthorised and unauthenticated access to the data: not only to read it, but also to alter and delete it. The available source code allowed us to conclude quickly that this application had not been designed with security in mind. Luckily, this assessment took place before the application was put into production. With the aid of the test results, the required security measures were taken and adverse consequences were prevented.
Public sector utilities organisation
Project: Black box security test Laptops
This organisation uses laptops in its fault repair service to allow remote logins on the systems controlling the so-called SCADA systems. The organisation wanted to know what the dangers of a lost or stolen laptop would be. To assess this, Secura was provided with a standard laptop as issued to the fault repair service. This laptop appeared to be well secured, but after transferring the hard drive, a fundamental weakness was exposed: the hard drive had not been encrypted. This allowed Secura to crack user and administrator passwords and subsequently log in to the network. Once there, an undesirable number of systems turned out to be accessible. With these results in hand, the organisation deployed encryption to these and other mobile devices and greatly increased the level of security.
Project: Black box security test internal network
Target: Windows, Linux, Unix, Routers, Firewalls
This department of a large municipality wanted to test for vulnerabilities in its internal network. Internal networks frequently turn out to be very vulnerable, and this municipality's internal network was no exception. We discovered passwords that were easy to guess and to crack, unpatched systems, and a lack of authentication services and intrusion detection systems. In combination with an open organisation, where anyone can walk in and out and potentially gain physical access to the network, these findings would lead to an unacceptable level of risk. This municipality made a sensible choice in having its internal network independently examined in a secure environment.
National government institution
Project: Forensic investigation into website intrusion
Target: web application
This national government institution makes use of an ASP web application. This web application turned out to have been hacked, and this had consequences for the government institution involved. The institution immediately contacted Secura. On the same day, we conducted a preliminary investigation into how the break-in was carried out and where it came from. Legal action was taken based on this information, and the website issues identified by Secura were repaired. This case clearly shows that the use of web applications through an ASP model does not relieve organisations of IT security threats and the issues those can produce. The conclusion: prevention is better than cure.