Penetration testing verified existing processes
An international company in the field of trade was satisfied with Innofactor's testing, and the results were as expected
Information security is a very current topic for many companies. While some companies have extensive information security processes, others are still wondering which measures are sufficient.
A well-known company in the field of trade already has rather specific operating models in place regarding information security. This is partly thanks to the considerable size of the company. Their Risk Management Manager says that they follow a very typical risk management process that mainly focuses on identification, analysis, and taking the necessary information to the decision-makers.
"Information security is basically risk management that is also subject to plenty of regulation. Firstly, we make estimates and recognize risks. Secondly, we make a thorough analysis of the impacts and the likelihood of these possible risks. Finally, we evaluate our risk-taking ability and willingness", the Risk Management Manager describes.
The company underwent a Red Team assessment, otherwise known as physical penetration testing. It means that a simulated attack was performed on their security systems, processes, and practices. Social manipulation was part of the assessment as well.
"We had a great connection with Innofactor from the get-go. We wanted them to tell us more about this new type of testing", the Risk Management Manager explains.
After the preliminary evaluation, the project was put out to tender. In the end, Innofactor was chosen to carry out the project's final stages.
"The trust in the execution and the quality of the work was already built in the preliminary evaluation stage. We highly appreciated the quality of their work. Additionally, Innofactor was also chosen thanks to their competitive pricing", the Risk Management Manager reminisces.
The testing followed the so-called black box model, which means that the attacking party gets no foreknowledge of the system they are penetrating. They operate solely with what they can find out themselves before and during the attack. This approach was chosen to thoroughly test the company's own identification work and to see whether the system has any blind spots that have not previously been accounted for.
"The planning was meticulous. We had four experts from Innofactor at our disposal, but we kept the team at our end as small as possible. The aim was that our employees would have no knowledge that this type of testing was taking place", the Risk Management Manager clarifies.
The carefully executed planning before the testing itself played a central role. When the planning was done, a schedule was set for executing the testing. No one within the company knew the exact timing of the cyberattack.
"Even I didn't know when the actual penetration test took place. I also noticed that I was unsure as to how I would react if I accidentally bumped into a familiar face at our office. Luckily, I didn't run into anyone who was involved in the project, so nothing was revealed", the Risk Management Manager says with a smile.
After the assessment, the experts from Innofactor went over the results with the team and the management of the company in the form of reports. The conversations with the experts were fruitful, and all questions were answered.
"The results were what we expected. No actual blind spots were discovered during the testing. A few things were left for us to consider internally, and we are contemplating whether they require us to take action," the Risk Management Manager describes the project.
This was the first time the company had such testing done. The aim was to specifically get reassurance that the company already had sufficient information security measures in place.
"We got positive reassurance about our processes. We also got corroboration that human factors matter. In other words, how people in our processes encounter such situations and know how to navigate them," the Risk Management Manager summarizes.
"It is difficult to say, how often such testing should be done. We were motivated to undergo penetration testing due to changes in the operating environment. It is critical to stay on top of the situation," the Risk Management Manager ponders.
They only have good things to say about working with Innofactor. In their opinion, Innofactor's expertise in executing such projects is sufficient, to say the least.
"Our goal was to learn and gain experience from a partner that is familiar with the topic. Innofactor's team had a versatile mix of experts with very different points of view. We were left with a very positive feeling about working with them. I can recommend working with them to others. The quality and thoroughness only grew stronger during the project," the Risk Management Manager concludes.
The solution delivered to the international company in the field of trade required expertise in the following areas: