Penetration Test Case Study: Enterprise Annual Audit Check
Protect your sensitive information with advanced techniques and manual testing
For a higher security level
Many companies have their own IT and security teams. Yet, a third-party security checkup is required for some businesses to satisfy regulatory needs and to ensure that they are capable of coping with security threats from hackers. However, many traditional cybersecurity service providers treat testing as a trivial routine task and may lack the capacity or the willingness to perform a thorough penetration test. To truly reinforce your system, a white-hat hacker with years of experience is needed.
Client background
The client is a giant global commercial group, with businesses in real estate, shopping malls, F&B and so on. They are required to perform a security check on all of their computer systems every year. The test lasted for 3 months and involved more than 100 domains, including e-commerce sites, mobile applications and internal systems for staff. Some tests for ad hoc company events were also needed to meet regulatory requirements and prevent data leakage. Therefore, they approached UDomain for penetration test service.
Test process and results
A penetration test is performed by a qualified “pentester” to simulate an attack on a target computer system, in order to find its vulnerabilities and prevent real hacker intrusion. UDomain’s Cybersecurity Analyst Chris Chan says, “A penetration test is to analyze a system from an outsider’s angle, according to established procedures and techniques. It’s nothing like what movies have been showing. You can’t do it with a few clicks.”
The test starts with locating publicly available information related to the client to better understand the target, such as the version of their CMS system. Using that information, the pentester can seek ways to exploit and get into the systems. We found serious vulnerabilities at this stage already.
The target system was then scanned remotely by automated software in a non-intrusive way. Since not every scanning result is a genuine vulnerability, it is not meaningful to simply report these findings as they are. Hence, the pentester had to verify the findings one by one to eliminate false positives.
What distinguishes a penetration test from vulnerability scanning is the manual part, which requires the pentester’s experience and can identify many more types of flaws.
A test involving more than 100 domains and systems produces a large amount of information, which would be hard to express clearly. To let the client understand the results more easily, we grouped similar problems together and gave detailed explanations and recommendations. Even where there wasn’t any vulnerability, we also listed what tests we had conducted. At last, we organized a debriefing session with the client. “However, when we found any serious data breaches like login names and passwords, we notified the client immediately to avoid loss. We will not wait for the report to disclose such important information,” Chris says.
Why UDomain’s penetration test?
UDomain’s pentesters hold the OSCE qualification for performing penetration tests. The skill required to pass the examination is more than what is needed for a penetration test: programming and other advanced testing techniques are required for the examination, which lasts for days.
The number and quality of vulnerabilities identified depend on the experience of the pentester. UDomain’s pentesters have performed tests on websites, mobile applications and infrastructure for banks, social service organizations and schools. There is no reason to doubt our expertise.
Some “penetration tests” performed by cybersecurity companies are, in fact, merely vulnerability scans. There is no manual test. Yet, the charge can be horrifying. UDomain’s penetration test service is 100% authentic and can guard you against hackers.
Key Takeaways
“The techniques of hacking are improving every day. Simply deploying a firewall or passwords is not enough to stop all attacks. Whether to meet regulatory requirements or to better protect company data, a penetration test should be conducted,” Chris concludes. Yet, it is not easy to find a qualified and experienced pentester in Hong Kong. UDomain’s “white hat hacker” team, with our years of experience, will do everything we can to protect you and your invaluable data.