Case Studies

PCI-DSS

Introduction:

A large bank approached Cybernetic GI for PCI-DSS certification. The bank was struggling to achieve PCI-DSS certification because of the complexity of its infrastructure and its reliance on legacy applications. It had previously engaged another cyber security firm for PCI-DSS implementation support, but that firm was not a PCI-DSS QSA firm, so the bank had wasted both time and money on its PCI-DSS compliance effort.

Because it was not PCI-DSS certified, the bank had received a warning from its regulator that its banking licence could be suspended. The bank faced significant financial risk in terms of fines and penalties.

Challenge:
  • The cyber security firm previously appointed by the bank had not determined the PCI-DSS scope.
  • That firm had sold the bank various solutions, claiming they were required to achieve PCI-DSS compliance.
  • The bank had a vast network of branches and integrations with various financial institutions and payment gateways.
  • The client was providing ATM switching to other member banks.
  • The client was violating PCI-DSS requirements on the storage, processing and transmission of cardholder data.
  • The client had a huge volume of transactions, which made the protection of cardholder data paramount.

Solution:

  • Initial Consultation: Cybernetic GI cyber experts held a kick-off meeting with all the stakeholders from the bank. During the kick-off meeting, our team gained an overview of the various banking processes carried out from the main office and the branches.
  • Requested prerequisites: During the kick-off meeting, we shared by email the list of prerequisites required before commencing the audit.
  • Gap assessment (first round): After reviewing the prerequisite documentation, our team started the onsite gap assessment. During this process, our team interviewed the bank's various departments and developed a detailed understanding of their processes and IT infrastructure.
  • Scope reduction: Based on the gap assessment, we prepared a plan to reduce the PCI-DSS scope. We recommended changes to various processes, to the handling of cardholder data and to LAN segmentation, so that systems with no need to store, process or transmit cardholder data could be isolated from the cardholder data environment and taken out of scope.
  • Presented scope reduction plan: We discussed the scope reduction plan with all stakeholders and explained its benefits. Some departments had concerns about the suggested recommendations; we discussed these and provided alternative recommendations.
    All stakeholders signed off the scope reduction plan and provided a tentative implementation date.
  • Documentation: Meanwhile, our team started working on the mandatory documentation required for PCI-DSS compliance.
  • Gap assessment (second round): After receiving confirmation from the client that all the recommendations in the scope reduction report had been implemented, we performed the second round of gap assessment.
  • Gap assessment report: We submitted a gap assessment report on the non-compliant requirements, along with recommendations.
  • Remote assessment: After finalising the scope, our assessment experts performed internal VAPT, external VA, ASV scanning, web application PT and related testing. After the testing they submitted detailed reports along with recommendations.
  • Retesting rounds: We had to perform three rounds of retesting to ensure all vulnerabilities had been closed.
  • Final PCI-DSS QSA audit: Our experts walked the client through the audit process and asked them to have all evidence and access ready at the time of the audit. Our team scheduled the PCI-DSS QSA audit in consultation with the client. The PCI-DSS QSA came onsite and completed the audit.
  • RoC and AoC preparation: After the audit, the PCI-DSS QSA wrote the Report on Compliance (RoC) and Attestation of Compliance (AoC). After a QA round, Cybernetic GI released the RoC and AoC. Our client had successfully achieved PCI-DSS certification.

ISO 27001 – 1

Company: SaaS application development firm, Australia

Employees: 45

Key drivers:

ISO 27001 is an essential part of security management, and certification demonstrates to customers and investors that the company properly manages the security and integrity of its clients' data. It also helps to accelerate the acceptance of the company's products and services during the sales process.

Challenges:

To establish a strong security foundation in an incredibly fast-changing and growing company.
To 'bake in' security to a startup culture and operations so that security scales with the business.

Result:

The team prepared a comprehensive roadmap to rapidly eliminate nonconformities, with detailed recommendations following ISO 27001 best-practice guidance. These controls include, but are not limited to, incident response, antivirus controls, vulnerability management, security awareness and remote work controls.

Testimonial:

The entire Cybernetic GI team has far exceeded our expectations. The CGI team has provided detailed guidance to enable us to make use of all our resources. Our applications have been tested by multiple clients of ours and they did not find any vulnerability. This has helped us to gain the trust of our clients.
CGI has invested this level of effort in our success, and we are very grateful to the CGI team. Long may it continue.


ISO 27001 -2

Company: Telecommunication Firm

Employees: 1,100

Key Drivers:

  • The company's senior executives were complaining about unauthorized access to confidential data.
  • Confidential data was being taken out of the company.
  • The company was facing physical security issues.
  • The company was collecting PII when issuing new SIMs and wanted to protect this PII.
Challenges:
  • The company did not have information security leadership or an information security team.
  • Employees lacked cyber security awareness.
  • The company was struggling to effectively manage and protect its information assets due to a lack of standardized policies and procedures.
  • The company was also facing challenges in ensuring compliance with relevant regulations and industry standards.
Result:
  • Security was given organisation-level priority and is now owned directly at director level.
  • CGI periodically conducted multiple rounds of cyber security awareness training targeting senior executives and employees.
  • Successfully set up a team of security champions across various departments, ensuring all key business stakeholders are involved.
  • Successfully achieved ISO 27001 certification and completed the first surveillance audit. CGI acted on behalf of the client throughout the certification process.
Testimonial:

CYBERNETIC GI cyber experts are well informed in the cybersecurity industry; they really know what they are doing. They keep our systems updated, compliant, and ahead of the cyber curve. Ever since we started working with CYBERNETIC GI, our cyber security strategy has been more effective in responding to threats and our security posture has improved greatly. The cyber team at Cybernetic GI, providing us with virtual CISO services, has saved our business the need to hire a cyber team to fill the positions needed to meet our company's cyber security compliance requirements to global standards.


ISO 27001 -3

Company: Construction and facilities management company

Employees: 900

Key drivers:

Establish and implement ISMS and achieve ISO 27001 certification

Challenges:
  • The nature of the business requires sharing, processing and storing data, which posed a significant risk to information security, with sensitive data being susceptible to accidental or deliberate compromise.
  • Here the challenge of implementing ISO 27001 was not convincing leadership, as they already recognised the importance of protecting data. The challenges were the lack of information security leadership and of a dedicated information security team, and the absence of an ISMS, which made it difficult to ensure consistency in operational activities and management practices.
Result:
  • To ensure that the ISMS was aligned with the best practices established in the ISO 27001 standard, CGI conducted a comprehensive review of the client's existing security policies and procedures, as well as interviews with key business stakeholders. This allowed CGI to understand the existing risk culture and set the tone of the ISMS documentation and policies.
  • Developed an ISMS framework, which served as a clear and unified set of agreed documents to manage the implementation of policies and procedures for ensuring the confidentiality, integrity and availability of information assets.
  • CGI created a framework aligned to the ISO 27001-mandated baseline clauses, which serve as the foundation of the client's ISMS.
Testimonial:

The CYBERNETIC GI team really are experts in the field of cyber security. They are flexible in meeting our needs and listening to our challenges. I greatly appreciate the Cybernetic GI cyber team and their hands-on support. They listened and responded to our needs and provided us with numerous options and solutions meeting the cyber compliance standards required for our business, without straining our business budget. I highly recommend Cybernetic GI to any business seeking cyber security services.


IT Audit

Introduction:

A manufacturing firm has several offices across the country. It was concerned about the rise in cyber-attacks and had not performed any cyber security assessment for a long time. It wanted to allocate a budget for cyber security, and therefore needed to assess the current level of controls implemented and which new controls were required to mitigate the risks. It approached Cybernetic GI to perform a detailed IT audit of its IT infrastructure.

Solution:

  • Initial Consultation: Cybernetic Global Intelligence initiated the project with a kick-off meeting with all stakeholders. In that meeting, CGI experts explained the importance of the IT audit and discussed the audit plan.
  • Requested prerequisites: In the kick-off meeting, CGI cyber experts shared the list of documentation required before the start of the audit, such as network diagrams, policies and procedures.
  • Confirmed the scope: In the kick-off meeting, our experts confirmed the scope of the audit that was documented in the proposal.
  • Audit Plan: CGI experts discussed the audit plan and obtained confirmation of the audit dates and execution approach.
  • Offsite documentation review: After receiving the prerequisites, our team reviewed the documentation and prepared the audit points.
  • Onsite audit: The onsite audit was conducted as per the schedule. During this audit the team checked all security processes, the data centre and all branches. The IT team was interviewed to understand which processes were being followed and which were not.
  • Remote Assessment: Internal and external VAPT and web application PT were performed remotely.
  • Comprehensive Reporting: Detailed reports for onsite IT audit and various assessment activities were prepared and delivered to the client. The report provided thorough recommendations for fixing identified issues.
  • Project Closure: The project was concluded after a final review and sign-off by the senior management.

Mobile Application PT

Introduction:

One of our clients has developed a SaaS web application and mobile application to manage flight tickets. The application also allows users to book accommodation during flight delays. The client has developed Android and iOS mobile applications and has integrated various payment gateways as per the airlines' requirements. The client was processing cardholder data and collecting PII during flight and hotel booking. The client approached Cybernetic GI to perform mobile application testing for Android and iOS along with web application PT.

Solution:

  • Initial Consultation: Cybernetic Global Intelligence initiated the project with a kick-off meeting with respective stakeholders to clarify the testing objectives and requirements.
  • System Overview: The team reviewed the web application and mobile application architecture with insights from the technical team to understand its functionalities and potential vulnerabilities.
  • Pre-requisites Confirmation: During the kick-off meeting, Cybernetic GI ensured that all necessary pre-requisites for testing were in place. The client shared the mobile application installation files along with the application documentation.
  • Test cases prepared: Based on the discussion with the technical team, our team prepared a list of possible attack vectors to test.
  • Non-Intrusive Testing: The initial phase involved non-intrusive tests to gather baseline information and perform technical reconnaissance.
  • Tool Selection and Manual Testing: Based on preliminary scan results, appropriate tools were selected, and manual testing was conducted on the mobile applications and web infrastructure.
  • Vulnerability Reporting: Critical vulnerabilities discovered during testing were immediately reported to the technical team.
  • Intrusive Testing: The team did not perform intrusive testing, as the client had not given permission for it.
  • Comprehensive Reporting: A detailed report, including proof-of-concept (PoC) where applicable, was prepared and delivered to the client. The report provided thorough recommendations for fixing identified issues.
  • Re-testing round: The client had opted for a retesting round. After receiving confirmation from the client that their team had closed all the reported vulnerabilities, our team performed the retesting round to ensure all vulnerabilities had been closed successfully.
  • Project Closure: The project was concluded after a final review and sign-off by the senior management.
  • Our client's applications were improved as a result of our structured approach and the testing done by our experts. It helped our client to gain its customers' trust in the applications.


WAPT

Introduction

A private bank in Australia offers comprehensive e-banking services to a wide range of users, including individuals, banking institutions, and payment gateway providers. The e-banking platform facilitates critical financial operations such as money transfers, balance inquiries, utility payments, and loan payments. Given its critical nature, the platform must operate continuously, 24/7/365, and any downtime or security breach could significantly impact its users.

The bank sought to enhance the security of its web application by conducting penetration testing aligned with PCI-DSS and international cybersecurity standards. They required both black box and gray box testing to safeguard against external and internal threats. To achieve these objectives without disrupting service, the bank engaged Cybernetic Global Intelligence for their expertise in cybersecurity.

Solution

  • Initial Consultation: Cybernetic Global Intelligence initiated the project with a kick-off meeting involving the bank’s senior management to clarify the testing objectives and requirements.
  • System Overview: The team reviewed the web application architecture with insights from the bank’s technical team to understand its functionalities and potential vulnerabilities.
  • Pre-requisites Confirmation: During the kick-off meeting, Cybernetic GI ensured that all necessary pre-requisites for testing were in place.
  • Non-Intrusive Testing: The initial phase involved non-intrusive tests to gather baseline information and perform technical reconnaissance.
  • Infrastructure Testing: Recommendations were made to include penetration testing of the web server and network components such as firewalls, switches, and routers.
  • Tool Selection and Manual Testing: Based on preliminary scan results, appropriate tools were selected, and manual testing was conducted on the network and web infrastructure.
  • Vulnerability Reporting: Critical vulnerabilities discovered during testing were immediately reported to the bank's technical team, who promptly addressed and resolved them. Cybernetic GI confirmed the remediation within the same testing cycle.
  • Intrusive Testing: At the client's request, more intrusive tests, including password brute force attacks and denial of service attacks, were performed during off-business hours to ensure no disruption to services.
  • Comprehensive Reporting: A detailed report, including proof-of-concept (PoC) where applicable, was prepared and delivered to the client. The report provided thorough recommendations for fixing identified issues.
  • Project Closure: The project was concluded after a final review and sign-off by the bank’s senior management, as re-testing was not included in the initial scope.
  • This structured approach ensured that the bank’s e-banking platform enhanced its security posture without impacting its operational performance.


VAPT

Introduction

A telecommunication company has branches across the country.


Cybersecurity Awareness Training

Company: Construction and facilities management company in Australia

Employees: 900

Key drivers:

Critical concerns faced by the CEO and board of directors related to data security and information security. The company had suffered numerous phishing attacks in the past, and senior management suspected that someone internally was sharing confidential information with rivals.

The company was managing a refugee camp and held a large volume of migrants' personal data.

Challenges:
  • The nature of the business requires sharing, processing and storing data, which posed a significant risk to information security, with sensitive data being susceptible to accidental or deliberate compromise.
  • In this instance, senior management were confident in the cyber security controls that had been implemented, as they recognised the importance of protecting data. The key gaps identified were the lack of information security leadership and of a dedicated information security team, and the absence of an ISMS, which made it difficult to ensure consistency in operational activities and management practices.

Solutions:

Traditional one-size-fits-all approaches to security awareness often lead to moderate and indeterminate results. The strategy we used at this client was to:

  • Prepare cyber security awareness training according to job roles and responsibilities.
  • For the first year, deliver cyber security awareness training quarterly. We kept the same content to reinforce good cyber hygiene among employees.
  • Most of the employees did not report to the main office and did not have internet access either, so we went and conducted cybersecurity awareness sessions in person at some sites.
Result:
  • Increased employees' knowledge of cyber security measures.
  • Everybody started feeling that they are part of security.
  • We noticed changes in employees' behaviour. Employees started to report phishing attacks to management and are no longer afraid to report things. They started feeling that the cybersecurity department is their friend rather than an enemy.
  • Employees started taking extra care when opening external emails.
  • Heads of department started questioning access request forms before approving them, and started notifying the IT team of changes (such as changes in employees' job responsibilities, terminations, etc.).