Penetration Testing Case Study – Information Systems

by: A-LIGN | 3 min read

Tags: Cybersecurity, Pen Test, Social Engineering

One of the best ways to test your information security posture is to simulate realistic attacks through a penetration test. Penetration testing is designed to test the information security of the technologies and systems in place at your organization, identifying vulnerabilities that can lead to a data breach or security incident. At A-LIGN, our penetration testers emulate the techniques of hackers by developing scenarios and strategies to breach your organization’s information systems, attacking your networks and applications. A-LIGN’s penetration test encompasses:

  • Network Layer Testing
  • Mobile Application Testing
  • Web Application Testing
  • Wireless Network Testing
  • Social Engineering

Case Study: Claims Adjusting Organization

As hackers become more sophisticated in their attacks, it becomes easier for them to breach a company. The Organization engaged A-LIGN to perform a penetration test to fulfill a compliance requirement and to test its security posture against realistic attacks. The Organization provides claims adjusting and administration services to insurance companies, self-insured organizations, and government entities, including, but not limited to:

  • Workers’ Compensation
  • Automobiles, Trucks & Motorcycles
  • General Liability
  • Medical Malpractice
  • Cost Containment, Bill Review
  • Risk Management Information Services
  • Excess Insurance Placement

A-LIGN conducted a penetration test of the Organization’s technology, people, and processes. Testing included web applications, external IP addresses, internal network components, as well as social engineering attacks. A-LIGN followed a testing methodology that seeks to identify vulnerabilities and, through exploitation, determine the impact on the Organization’s business operations.

Ultimately, A-LIGN leveraged multiple vulnerabilities to gain widespread administrative access to the environment after first gaining a foothold by manipulating users to disclose passwords.

The Penetration Test: Social Engineering Attack

The results of the penetration test indicated that the area of greatest risk for the Organization was found during social engineering attacks. The Organization’s employees were tricked into disclosing their usernames and passwords. Security awareness of employees is an important part of the overall security posture of any organization and it is often overlooked.

The A-LIGN team began the social engineering engagement by sending phishing emails to the Organization, which directed the employees to a spoofed variant and URL of the Organization’s website. The email and website requested that a user change their password and, as part of the process, provide their current username and password.

The phishing email was sent to 25 employees and successfully reached 23 inboxes. The results, shown below, indicate that 11 employees clicked the link and 4 entered their credentials, giving A-LIGN access.

At this point, A-LIGN could log into those users’ email accounts to search for sensitive information or connect to the internal network. The harvested credentials also revealed patterns in how employees construct passwords, which could lead to further compromise.

A-LIGN’s Solution

To prevent this from happening in the future, the Organization will need to train employees to check the URL and the security indicators of a website before entering credentials or other sensitive information into it. Employees should know how to verify the legitimacy of a website and what the Organization’s procedures are for reporting suspicious websites. They should have an easy channel (such as email or a ticketing system) to reach management and/or internal information technology staff with questions about any website they encounter.
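Training complements, but does not replace, a technical control. The phishing page in this engagement was a spoofed variant of the Organization’s own website, so a defender can flag hostnames that imitate the legitimate domain in web proxy logs. The following is an added illustration, not A-LIGN’s tooling; the legitimate domain, the log lines, the homoglyph table and the edit-distance threshold are all constructed assumptions.

```python
"""Flag lookalike hostnames that imitate an organization's legitimate domain."""
from urllib.parse import urlparse

# Constructed assumption: the organization's real web domain(s).
LEGIT_DOMAINS = {"example-claims.com"}

# Digits commonly substituted for visually similar letters (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for the URL's hostname."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    for legit in LEGIT_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return "legit"
        # Legit name embedded as a subdomain of another domain (legit.com.other.net).
        if ("." + legit + ".") in ("." + host):
            return "lookalike"
        # Near-miss spelling after homoglyph normalisation and hyphen removal.
        norm = host.translate(HOMOGLYPHS).replace("-", "")
        target = legit.translate(HOMOGLYPHS).replace("-", "")
        if levenshtein(norm, target) <= 2:
            return "lookalike"
    return "unrelated"


# Constructed sample proxy log lines: "<timestamp> <user> <url>".
SAMPLE_LOG = """\
2025-10-01T09:12:03 jdoe https://www.example-claims.com/login
2025-10-01T09:15:44 asmith https://examp1e-claims.com/password-reset
2025-10-01T09:16:10 bjones https://example-claims.com.reset-portal.net/login
2025-10-01T09:20:31 jdoe https://www.microsoft.com/
"""


def flag_lookalikes(log_text: str) -> list[tuple[str, str]]:
    """Return (user, host) pairs where the visited host imitates a legit domain."""
    hits = []
    for line in log_text.splitlines():
        _ts, user, url = line.split(maxsplit=2)
        if classify_url(url) == "lookalike":
            hits.append((user, (urlparse(url).hostname or "").lower()))
    return hits
```

Each flagged (user, host) pair is a candidate for a password reset and a follow-up with the employee, which is the same response the engagement's credential disclosures would warrant.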

As the data breach landscape escalates, organizations will need to prioritize information security by educating and training employees on security best practices, and implementing policies and procedures that will help prevent security incidents from occurring. Conducting a penetration test is a cost-effective way to analyze your organization’s infrastructure, applications, people, and processes to identify areas of weakness and the risk of a cyber threat.

A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI.
