Case Studies

VAPT

Introduction

A telecommunication company has branches across the country. Due to the nature of their business, the company had complex network of suppliers and partners. The company has been providing MPLS connectivity to other organizations in the country and at the same time they were hosting data center providers too.

During the SIM card registration process, company was collecting users’ personal information like passport, national identity card, photo, address etc. Being it’s a critical infrastructure they had threats from state-sponsored cyber attacks. Under these circumstances, they must provide services 24/7/365 and any downtime or security breach could significantly impact its users.

The company sought to test vulnerabilities in their external and internal network, various web applications used for customer’s onboarding. To achieve these objectives without disrupting service, the company engaged Cybernetic Global Intelligence for our expertise in cybersecurity.

Solution

  • Initial Consultation: Cybernetic Global Intelligence initiated the project with a kick-off meeting involving the senior management to clarify the testing objectives and requirements.
  • System Overview: The team reviewed the web application architecture with insights from the company’s technical team to understand its functionalities and potential vulnerabilities.
  • Pre-requisites Confirmation: During the kick-off meeting, Cybernetic team ensured that all necessary pre-requisites for testing were in place.
  • Non-Intrusive Testing: The initial phase involved non-intrusive tests to gather baseline information and perform technical reconnaissance.
  • Infrastructure Testing: Recommendations were made to include penetration testing of the web server and network components such as firewalls, switches, and routers.
  • Tool Selection and Manual Testing: Based on preliminary scan results, appropriate tools were selected, and manual testing was conducted on the network and web infrastructure.
  • Vulnerability Reporting: Critical vulnerabilities discovered during testing were immediately reported to the company’s technical team, who promptly addressed and resolved them. Cybernetic team confirmed the remediation within the same testing cycle.
  • Intrusive Testing: At the client’s request, more intrusive tests, including password brute force attacks and denial of service attacks, were performed during off-business hours to ensure no disruption to services
  • Comprehensive Reporting: A detailed report, including proof-of-concept (PoC) where applicable, was prepared and delivered to the client. The report provided thorough recommendations for fixing identified issues.
  • Project Closure: The project was concluded after a final review and sign-off by the company’s senior management, as re-testing was not included in the initial scope.

This structured approach ensured that the company realized the gaps in their environment and it helped them to enhance their security posture without impacting its operational performance.