- Case Study -
Cyber Security Success Stories
One of our clients, a software development company, needed the help of an information security auditor with extensive knowledge in VAPT (Vulnerability Testing and Penetration Testing). Their product required identification and further neutralization of any vulnerabilities and/or possible loopholes which could pose an internal or external threat to their data and system. In addition, this client also needed an ISO27001 certification.
Case Studies of Satisfied Clients
Our client, a well-known ecommerce company, had been alerted by their internal tech team of their web applications being attacked several times in a row. The challenge was not only knowing whether the hack was from an internal source, but also how vulnerable their infrastructure was to such attacks.
As soon as we were approached, our first step was to re-check the logs and sure enough, we found they were being accessed by someone outside their network. What we also found was that there was not any specific pattern to these attacks; they were being targeted from different IPs and from different signatures. The attacks were found to be random.
This is when we decided to red team the firm; in other words, we carried out offensive security testing - a full-blown multi-layered attack - to measure how well this firm’s physical security controls, computer networks, and software applications could withstand an attack from any hacker. It led us to understand how their network was being exploited to get further access to their data. We identified many vulnerabilities in the process, and finally submitted to them a proper compliance report as per the prevalent international standards.
Next, we undertook another task - a more important and a more difficult one. This step was to provide as much support as we could to their in-house app development team in preventing and mitigating any system vulnerabilities. Our goal was to not just set up, but also get these employees well acquainted with organizational cyber security concepts, such as setting up an incident response plan, web application firewall, CSP, server-side security, and database-level security. In addition, we held workshops to train them in how to create hack-proof applications; we even certified the applications thus created by them.
By identifying vulnerabilities and weaknesses in the firm’s security by using advanced attack techniques, Cyber Octet helped in:
- Reducing risk exposure for the client.
- Recommending solutions with tested techniques to further improve security.
- Suggesting cost-effective risk-mitigation measures based on their specific business requirements to ensure security as well as business continuity.
- Providing the much-needed training to the in-house developers to ensure any potential risk to the security infrastructure is at best, prevented, and at worst, identified and dealt with, before it has a dire impact on the overall business.
A pharmaceutical company approached us with a case of data breach. They already had reason to believe it was an ex-management employee who had deleted several of their important documents, but they had no proof to be absolutely sure.
Upon being hired, our first order of business was to look into the said employee’s laptop, email logs, as well as the firewall and end user walls. We performed a complete threat analysis to check for any other potential threats, and a behavioral analysis which involved checking into the timestamps for all the physical and network activities of this employee. Our team also performed open source intelligence analysis to identify and analyze his online presence and activities.
Our private forensic investigation proved things were much out of place from a security point-of-view. There were only certain basic controls, such as an antivirus and a small firewall, that comprised their cyber security infrastructure.
Now, for the specific problem at hand, it was found that during the time the said employee was serving notice period, he had been taking his work laptop home and accessing the same documents every night. It was proven beyond doubt that this employee had in fact deleted those documents.
Our findings led our client to believe that there was a dire need for them to have a proper set of cyber security policies in place. As our next step, we helped the firm do exactly that through:
- the creation of a centralized documentation system,
- ensuring proper log monitoring,
- setting up a centralized threat lock within their management system,
- introducing a data loss prevention (DLP) solution to ensure an alert is generated every time an employee tries to send a work document outside the network, as well as
- implementing ISO20001 - international cyber security standard specifically for their international clients.
We also realized that the real challenge was not having these controls in place, but to have the firm’s employees break out of their old practices, and start implementing the new policies on a regular basis. To make this shift easier and more seamless for them, we held special training sessions, making them aware of this one-time incident, its impact, and how they could easily prevent it in the future by having proper controls in place. We trained them on both reactive and proactive management of threats, thereby making the firm more secure towards any possible security threats.
While most organizations wait for an incident to happen, the efforts put in by Cyber Octet and the trust put in us by the client ensured that:
- The risk of data loss through human error was minimized.
- Data sharing was now more secure.
- No employee could just leave the premises and take intellectual property with them.
- Remote file access was revoked.
- Administrative burden was reduced.
We thus ensured that such an incident never happens again with our client.
A well-known tech company came to us with a problem relating to compliance. While the company had already got its product audited, they found that the government certification body had rejected their report and application after having found the product non-compliant. The application was found to be not up to the mark, and therefore, rejected.
The product was an IoT device, connected to a mobile application and a server. The product itself was absolutely fine. But, the only problem was it did not have the proper compliance.
A product or service can only be deemed compliant if it follows certain guidelines. There are specific processes that need to be carried out within the product development lifecycle, which was missing in this case. It seemed that the development of the application had not been carried out in a secure fashion. And therein lay the problem for our client.
Our role, therefore, was to make sure that every compliance guideline was followed to a T, making sure that the firm could officially claim the same from the auditing body of the government.
Our team of specialists that worked on this challenge included an expert from the IoT domain, an operations expert (someone with full-fledged server operational knowledge as well as of database), a developer, a security professional, and a compliance specialist to ensure no complications arose during the process and after, as well as to give the team a proper direction to work in.
The application we would develop would have to be secure enough to pass every test from a security compliance point of view. We only had a limited amount of time to finish this project; otherwise, the government body would blacklist the company. In addition, they would have to pay a hefty fee for every audit application they would submit. Both the client and we wanted to avoid such a situation.
In order to achieve seamless project management, we planned every step, worked according to project reports, and allotted a time frame to every project phase. We started by looking into the previous audit report conducted, which told us exactly what was in place and what was missing.
As happens with most technologies, without proper updates and upgrades, they run the risk of turning obsolete after a few years. We did not want the same to happen with our client, and we wanted to save them from having to find developers for the same product again years later, wasting their resources as well as money.
Instead, we decided to develop the product again at this stage only, but this time under the compliance guidelines, integrating SSDLC - a series of cyber security controls integrated into the development process to guarantee that the product is assessed for vulnerabilities at various stages.
Next, we ran a security testing application which could identify any vulnerabilities in the system. We performed Static Code Analysis (or, Source Code Analysis), employing methods like Data Flow Analysis and Taint Analysis to draw attention to potential vulnerabilities in "static" (non-running) source code.
We also ran SAST (Static Application Security Testing) or "white box testing" to identify security flaws in the app's source code (during the app's early development), and DAST (Dynamic Application Security Testing) or "black box testing" to find security vulnerabilities in the running application (once the app is live).
Our team tested the web application, mobile application, and IoT to yet again identify any vulnerabilities that might have been left unchecked, both manually and through automation, using the best tools available.
Finally, we had a product which was good to go. This was further proven by the fact that the product cleared every guideline, when it was tested again 3 months later, to finally gain full compliance from the government.
Product compliance refers to evidence showing that a product complies with all pertinent directives, regulations, as well as harmonized standards. From gaining consumer trust to avoiding unnecessary legal issues to enhancing company value and reputation in the market, our client understood how important it was to make sure their product was 100% compliant, and we were more than happy to help them achieve this goal.