Skip to main content
Measuring the Security Posture of In-Scope Assets with an IT Solutions Provider

About the Client

The client is an IT solutions provider that offers computer hardware, software, and consulting to their clients.

Internal Network Penetration Test

Objectives

The primary objective of the Internal Network Penetration Test was to measure the security posture of in-scope assets and identify any deviating vulnerabilities by measuring them against industry-adopted controls. The target scope for this engagement was a subset of the devices on the internal network. Other hosts existed on the network but were considered out of scope and were thus not included in testing.

Findings

As a result of the Internal Network Penetration Test, unique findings were identified, including two findings rated as a critical severity and recommended to be addressed as soon as possible. The test also gave the client information regarding what a bad actor could do if they were to get on their network (i.e., through phishing attacks or insider threats).

External Network Penetration Test

Objectives

The primary objective of the External Penetration Test was to identify vulnerabilities and misconfigurations within the in-scope assets, which may lead to unauthorized access to systems or data. The target scope for this engagement was six external IP addresses that were measured against PTES controls.

Findings

By combining the results from industry-leading scanning tools and manual testing to enumerate and validate vulnerabilities, configuration errors, and business logic flaws, one finding was found. The vulnerability discovered during testing was associated with information disclosure. While not typically severe, information disclosure-based vulnerabilities help attackers identify specific software or versions of applications to target when looking for known exploits.

Web Application Penetration Test

Objectives

The primary objective of the Web Application Penetration Test was to identify common vulnerabilities, such as those in the OWASP Top 10. The scope of the test involved testing the client's application which lived in a test instance of production.

Findings

As a result of testing, multiple findings were identified. The findings ranged from High to Low severity and included information disclosure related to information leakage about a backend database and the allowance of concurrent login sessions. When an application allows for concurrent login sessions, it indicates the ability of an attacker with valid credentials to maintain concurrent login sessions as a legitimate user.

Key Takeaways

Through in-depth security testing and a comprehensive approach, RedTeam Security provided the client with clear visibility into their existing security vulnerabilities and the real-world likelihood and potential business impact of experiencing a breach. Every engagement with RedTeam Security provides clients with:

  • A clear understanding of the effectiveness of their existing information security program, training, monitoring, and system updating to keep things current.
  • How well their vendors manage the security posture of networks and web applications (for those with a 3rd party IT vendor).
  • A statement of assurance to provide to their customers that they are doing everything they should to keep their data and systems secure.
  • Outlined areas of focus for improving their overall security posture.

All identifying information has been changed to protect our clients and ensure absolute confidentiality.

solutions-provider

Company

Information Technology Solutions Provider

Headquarters

United States

Industry

Information Technology

Services Received

Internal Network Penetration Testing, External Penetration Testing, Web Application Penetration Testing
Schedule a Consultation Learn more about Schedule a Consultation

More Case Studies

Hear What Our Clients Are Saying

  • Friendly, Professional, and Knowledgeable
    "Saint Paul College hired Red Team consultants to perform Web Applications vulnerability scanning and assessment. It was one of best group of people I worked with - from beginning to the end. Everyone I worked with was extremely cooperative, friendly, professional, and knowledgeable. They understand IT security very well. They worked around our schedules, were available when we needed them, and always on time. My staff and I thoroughly enjoyed our relationship with them. The consultants were focused/committed, pointed out the vulnerabilities and worked with my team to remediate them. Red Team also gave us detailed report about each web application. In all, it was a great experience working with Red Team and we will not hesitate to hire them again if needed.

    -Najam Saeed, CIO, Saint Paul College, Saint Paul, MN

  • Reliable and Consistent Communication
    "I hired RedTeam to do both a Network Penetration test and a Social Engineering test on my organization. From start to finish in building our relationship and contract plan all the way through the execution of both of our tests they were helpful, insightful, proactive in reaching out to me, and thorough in their follow up. During the tests I was in constant contact with their testers, getting results as they discovered them along with the full and detailed report afterwards. They not only found my issues, but gave me a very helpful and detailed guide to remedy the issues afterwards. I am going to continue my relationship with them. If you are looking for network testing I cannot recommend them enough."

    -Trevor Keller

  • Highly Skilled Team
    "Contacted RedTeam to do a penetration test. I was very impressed with their ability to perform, not only from a vulnerability analysis, but true "Pen" test to identify REAL risks. Was very impressed with their highly skilled people and resources."

    -Donald Schleede

View all Reviews View all Reviews