
Penetration testing and social engineering for a healthtech company

Industry: Healthcare

Company size: 800 employees, 5 offices

Type of service: Penetration testing + Social engineering

Time: ~7 days


About the project

Our client, an international outsourcing company headquartered in Europe, engaged us to run a penetration testing round against its web applications and internal networks and to assess how vigilant its employees are against cybersecurity threats.

  • Penetration testing

  • Internal network testing

  • Social engineering

  • Remediation and re-testing

  • Cybersecurity

Something to pay attention to

  • 75% increase in cloud environment intrusions over the past year.

  • 4 in 10 cyberattacks result in sensitive data leakage.

  • 90%+ of malware is delivered by email.

  • 1/3 of small businesses consider phishing to be the biggest threat to their security.

  • Phishing is still the most common email attack method.

  • The leading causes of falling for phishing emails are tiredness and distraction.

The scope of the project

Here’s what our team was working with

Networks

External, internal, active directory.

Applications

Several public-facing web applications.

Employees

Email phishing for 100 employees, spear phishing for 10 management team members.

What we did

For their web service

We identified critical vulnerabilities in the public-facing web applications and uncovered weaknesses in the external network perimeter.

For the internal network

Our team discovered misconfigurations and minor vulnerabilities that allowed us to successfully compromise an admin-level system and gain access to the C-level corporate network.


For the social engineering campaign, we used two approaches:

The first was email phishing against 100 employees, from which we gathered data from around 30 interactions. The data included full profiles with AD usernames and passwords. We also tested and verified password reuse on external services.

The second was spear phishing against 10 management team members. As a result, we successfully trapped a management-level employee and obtained access credentials.

The remediation process lasted approximately 1.5 months and addressed the identified vulnerabilities and misconfigurations. A quick re-testing campaign then identified the remaining issues and confirmed the fixes.

Model used: Gray box

During the project, we used the gray box testing model. It is a security assessment approach in which the tester has partial knowledge of the system, such as credentials, architecture diagrams, or internal documentation. This approach simulates an insider threat or an attacker with limited access to the system.

Pen testing results

  • The engagement provided valuable insights into the organization's security posture. The success of the social engineering campaigns underscored the importance of user awareness and training.

  • The remediation process and subsequent re-testing rounds demonstrated a commitment to enhancing security measures.
