Case Study - ​Telecommunications Leader

 

Meeting our Telecom market leader client's expectations of the highest levels of security

Security breaches in the telecoms sector have made headline news in recent years so our client, a leading name in the sector, wanted to understand whether its internal and external infrastructure was sufficiently protected against a potential attack. We undertook a series of penetration tests to find out if we could compromise the system’s security. We also checked for the SANS Top 25 vulnerabilities, a widely used compilation of ‘the most dangerous software errors’, and the OWASP Top 10 vulnerabilities, a list compiled by the Open Web Applications Security Project

Our extensive testing revealed only one serious issue within the platform, relating to missing security patches within the operating system of some critical hosts. Due to this, a malicious user with access to the system could have uploaded a publicly known exploit to escalate their privileges from that of a normal system user to that of a highly privileged user. We were able to perform this attack on several of the infrastructure’s critical systems.

When we probed the application, we found that it was leaking information about the existence of an account through the login page in the error responses. This would have allowed attackers to launch a brute-force attack against the encryption used on the application and identify the various user accounts. We also found that the algorithm used to protect against data tampering was weak and insecure.

We provided detailed information about the issues we had identified, along with recommendations for fixing them. As a result, our client was able to strengthen security to the highest level, commensurate with the company’s profile as a market leader.

If you require a comprehensive penetration test ​secure your data, talk to one of our information security experts today or learn more about our technical information security services.

To develop your in-house technical security capabilities, find out about our range of information security training courses.