SecureState Blog


Engagement Background

SecureState’s Profiling Team recently completed its yearly penetration assessments for a long-time customer in the retail industry. This company takes both compliance and protecting customer data seriously, and recognizes the value in having a third party continuously validate the effectiveness of its controls. An External Attack and Penetration Test simulates an attacker attempting to compromise resources across the Internet with no prior knowledge other than the organization’s name. An Internal Attack and Penetration Test simulates an attacker, such as a disgruntled employee or malicious contractor, who is already attached to the company’s internal network.

Why This Engagement Was Interesting

This engagement was interesting for what didn’t happen: no full compromises were achieved. During the Internal Penetration Test, SecureState was able to gain access to an internal database; however, due to effective system hardening, SecureState was unable to escalate privileges on that system. In addition, several of SecureState’s attacks were detected accurately and in a timely manner. On multiple occasions, SecureState’s connection to the network was completely blocked and had to be re-enabled by the client’s staff before testing could continue. This type of active response is very rare to see, and SecureState was thoroughly impressed by the sophistication of the client’s network-based monitoring and response capabilities.

What the Consultants Had to Say

“These guys are well above average when compared to their peers.” Every year, it is clear that this retailer values their customers’ information. “They hire good people and allocate the necessary funds to enact proper security practices.”

“We are always able to find a few vulnerabilities and provide them some valuable recommendations, but their security measures definitely make it hard on our pentesters.” This of course means that it would be a challenge for malicious hackers to compromise their systems as well. “It is actually great to encounter this level of security, because with many of our clients, it is often far too easy.”