Classified Vulnerability Assessment Case Study - 4-Step Process of Mitigating Risk

Website security is a major concern across all business domains. A security breach could tarnish the image of any business considerably. A website's credibility depends on its security and its robustness against hacking attempts. This is where the term Cybersecurity Vulnerability Assessment comes in.

Vulnerability Assessment Case Study Process

This is a vulnerability assessment case study with one of our clients, whose website, run in partnership with a credit bureau, was used to analyze and compare credit scores. Because of the highly sensitive information involved, the client wanted to ensure their website was hack-free and to remove any existing vulnerabilities.

Vulnerability Assessment Case Study

Challenge

The client required a complete evaluation of their system, including the network and other core components. The system had to undergo detailed penetration and regression testing to uncover weaknesses in the infrastructure and the application.

Technology involved in this vulnerability assessment case study:

  • Netscaler
  • VeraCode Scan
  • Quttera
  • OWASP Zap
  • W3af
  • Vega
  • Detectify
  • Apache HTTP server
  • OnWebChange

Solution

Based on the client's requirements, we began by evaluating the website's incoming and outgoing traffic, source code, and database, along with the DNS server and firewalls. Our analysis was based on commonly occurring hacking techniques such as backdoors, phishing, SEO spam, malware, misconfiguration, vulnerable code, vulnerable plugins/extensions, brute-force attacks, defacement, etc.

We manually went through all of the source code, identified all of the injected code in the web application, and removed it completely.

We also replaced the existing firewall with Citrix NetScaler AppFirewall. This firewall has built-in features to protect the application layer and to defend against zero-day threats. On the web server (Apache HTTPD), we disabled commands such as ping, telnet, and FTP. It also had a web-links firewall disabled so that incoming and outgoing traffic could be monitored. The HTTP server was checked and hardened against issues such as:

  • Unmasked NPI data
  • Clickjacking
  • Weak SSL/TLS configuration
  • Hidden directory detection and directory listing enabled

Once the web layer was fixed, we started evaluating the application layer for vulnerabilities. We carried out a complete static code scan to evaluate vulnerabilities such as:

  • Client-side JavaScript cookie reference
  • Unrestricted file upload
  • HttpOnly cookie attribute not set
  • Weak password policy
  • Cross-site scripting (XSS) vulnerabilities
  • CRLF injection
  • SQL injection
  • Unencrypted login sessions
  • Email spoofing
  • Invalid HTML content
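Several of the findings in the two lists above (clickjacking, the HttpOnly cookie attribute not set, unencrypted login sessions, directory listing enabled, and a missing transport-security header as one symptom of a weak TLS configuration) can be checked mechanically from an HTTP response. The following Python script is an added example, not code from the original case study or from any of the tools it names; it runs an audit over a few constructed sample responses (the URLs, cookie names and page bodies are invented) and reports which of those issues each response exhibits, so the same check can be repeated after a fix to confirm the hardening took effect.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample data: a captured response is reduced to its URL, status,
# header list (Set-Cookie may repeat, so a list of pairs is used) and body.
@dataclass
class Response:
    url: str
    status: int
    headers: List[Tuple[str, str]] = field(default_factory=list)
    body: str = ""


def _header_values(headers: List[Tuple[str, str]], name: str) -> List[str]:
    """Return every value of a header, matched case-insensitively."""
    return [v for (n, v) in headers if n.lower() == name.lower()]


def audit_response(resp: Response) -> List[str]:
    """Return a list of findings for one response; an empty list means clean."""
    findings = []
    over_https = resp.url.lower().startswith("https://")
    body = resp.body.lower()

    # Clickjacking: neither X-Frame-Options nor a CSP frame-ancestors directive.
    xfo = _header_values(resp.headers, "X-Frame-Options")
    csp = " ".join(_header_values(resp.headers, "Content-Security-Policy")).lower()
    if not xfo and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")

    # Cookie attributes: each Set-Cookie must carry HttpOnly (and Secure over TLS).
    for cookie in _header_values(resp.headers, "Set-Cookie"):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: HttpOnly not set")
        if over_https and "secure" not in attrs:
            findings.append(f"cookie {name}: Secure not set")

    # Unencrypted login session: a password form served over plain HTTP.
    if not over_https and "<form" in body and 'type="password"' in body:
        findings.append("unencrypted login: password form served over plain HTTP")

    # Directory listing: the default Apache autoindex page titles itself "Index of /...".
    if resp.status == 200 and "<title>index of /" in body:
        findings.append("directory listing enabled")

    # Transport hardening: an HTTPS site without HSTS still allows downgrade to HTTP.
    if over_https and not _header_values(resp.headers, "Strict-Transport-Security"):
        findings.append("transport: Strict-Transport-Security header missing")

    return findings


# Constructed samples: a weak login page, the same page hardened, an exposed
# upload directory, and a login form on plain HTTP.
WEAK_LOGIN = Response(
    url="https://example.test/login", status=200,
    headers=[("Content-Type", "text/html"), ("Set-Cookie", "SESSIONID=abc123; Path=/")],
    body='<html><body><form method="post"><input type="password" name="pw"></form></body></html>',
)
HARDENED_LOGIN = Response(
    url="https://example.test/login", status=200,
    headers=[("Content-Type", "text/html"), ("X-Frame-Options", "DENY"),
             ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
             ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")],
    body=WEAK_LOGIN.body,
)
OPEN_DIRECTORY = Response(
    url="http://example.test/uploads/", status=200,
    headers=[("Content-Type", "text/html")],
    body="<html><head><title>Index of /uploads</title></head><body>...</body></html>",
)
PLAIN_HTTP_LOGIN = Response(
    url="http://example.test/login", status=200,
    headers=[("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    body=WEAK_LOGIN.body,
)
SAMPLE_RESPONSES = [WEAK_LOGIN, HARDENED_LOGIN, OPEN_DIRECTORY, PLAIN_HTTP_LOGIN]


def audit_all(responses: List[Response]) -> List[Tuple[str, List[str]]]:
    """Audit each response and pair its URL with its findings."""
    return [(r.url, audit_response(r)) for r in responses]


if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE_RESPONSES):
        print(url, "->", "clean" if not findings else "; ".join(findings))
```

Running the script on the constructed samples prints four findings for the weak login page, none for the hardened one, two for the open directory (clickjacking and directory listing) and one for the plain-HTTP login form. The same function can be fed real captured responses to verify that each fix listed in the report has actually been deployed.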

All of this was evaluated against the OWASP Top 10 and other common vulnerabilities. Based on the results, a detailed report with solutions was provided to the client. Additionally, once these vulnerabilities were fixed on the client's end, we used tools such as OWASP ZAP, W3af, Vega, Quttera, and Detectify to scan for and evaluate any further vulnerabilities.

We set up monitoring of the website using OnWebChange to detect any suspicious activity initiated on the website; it also provided alert options such as email, Pushover, or an HTTP callback.

Once the vulnerabilities were identified and fixed, we also carried out a manual penetration test to evaluate the website from a security standpoint. We again shared a detailed report with the client, along with the recommended solutions to be implemented.

Result

The key focus was on evaluating the vulnerabilities and tuning the infrastructure to make it more secure. The client was extremely satisfied with the overall evaluation and the implementation of the solution. Our qualified experts guided the client through fixing every issue, and where an issue was difficult to fix, we provided alternative options. With our methodical approach, the client gained great confidence in our cybersecurity vulnerability assessment services.

TechForing Cybersecurity Vulnerability Assessment Service

TechForing provides a white-glove cybersecurity service that includes Cybersecurity Vulnerability Assessment and Penetration Testing Services. It applies both to you and to the digital assets of your organization. Just email us or contact us. You can also learn more from our other case studies.
