Case Study

Large Technology Distributor Performs Penetration Test to Measure Effectiveness of IT Controls and Identify Potential Vulnerabilities

Technical risk assessment identifies vulnerabilities and tests for best practices

Challenge

A large technology distributor looking to improve its security posture enlisted us to perform a security penetration test of its information technology assets exposed to the Internet and accessible to internal personnel.

The assessment would measure the effectiveness of the organization’s security efforts and solutions in place to detect and prevent the compromise of critical data assets.

The organization performs security penetration tests twice a year with numerous vendors in rotation. In the past, we had not been a part of the vendor rotation, but we won this engagement after an executive briefing with the organization’s CIO.

Solution

The penetration test encompassed three assessments covering various aspects of the organization’s infrastructure:

  • External vulnerability assessment – The organization identified a number of their global Class C address ranges available on the Internet and gave WWT solution architects access for review. From here, we performed a host-based scan of all assets found within these ranges and identified high- and medium-risk vulnerabilities.
  • Wireless security assessment – WWT wireless engineers inspected the organization’s wireless configurations at multiple designated locations. This inspection checked for strong encryption and adherence to best practices.
  • Social engineering exercise – A WWT security architect tested the organization’s internal response to suspicious emails by sending over a thousand emails to employees within the organization.

All of these aspects are key components of every information security program.

Conclusion

WWT successfully performed the penetration test for the organization and scored a perfect 10 on the customer’s professional services survey.

Moving forward, WWT has identified future opportunities for the organization and will begin a six-month to year-long social engineering engagement to help the organization continue to educate their employees about social engineering threats.