Defending design IP and physical assets in the pharmaceutical sector

Our client, a global pharmaceutical organisation, was migrating to an outsourced infrastructure and asked us to conduct a penetration test on a range of applications. We were also asked to perform a number of other technical assessments, including a high-level architecture review, internal infrastructure testing and a review of the organisation’s Information Security Management System (ISMS).

Our application assessment revealed multiple security issues that posed a real risk to the integrity, confidentiality and availability of the client’s mission-critical data and assets. These vulnerabilities related primarily to security misconfiguration and poor input validation, and were interconnected: exploitation of one vulnerability would lead to exploitation of another. Together, these issues had the potential to allow rapid and massive exploitation and leakage of sensitive information, which could cause very serious damage to the company’s business and reputation.

Our high-level architectural review focused on strategic and tactical requirements. We suggested a common methodology, incorporating a traceability matrix, to verify whether all the technical requirements were being met. Our review found there were no restrictions on the use of devices on the internal network, and we advised a stringent policy to address this.

We kept our client informed about the vulnerabilities we found during our assessment, allowing the technical team to ensure that business-critical systems could be properly safeguarded. Our client now has a structured approach to improve its security capabilities, thereby protecting design IP, defending physical assets, and improving the security level of the network, applications and architecture as a whole.