Axians investigated vulnerabilities in the entire IT environment of Elektrotrans a.s.
The service included the following types of penetration tests: external penetration test, internal penetration test, wireless network security test, audit and evaluation of a standard user computer, and test of web applications. A comprehensive vulnerability scan of the entire IT environment was performed as part of the internal penetration tests. The standard user computer was evaluated from the perspective of an external attacker (stolen laptop) and from the perspective of a disgruntled employee who tries to harm the company. The configuration of Linux and Windows systems was evaluated against best practice as part of the security audit. The Open Source Security Testing Methodology Manual (OSSTMM) and Penetration Testing Execution Standard (PTES) were used for internal and external penetration tests, and the Open Web Application Security Project (OWASP) standard was used for evaluation of web applications. The CIS standard was used for evaluation of best practices. A white-box approach was used to perform the tests.
Standards used:
- The Open Source Security Testing Methodology Manual (OSSTMM)
- Penetration Testing Execution Standard (PTES)
- Open Web Application Security Project (OWASP)
- CIS (Center for Internet Security) Benchmark for best-practice analysis of operating system settings
- Assessment of enterprise exposure to threats and vulnerabilities
- Verification of the efficacy of security controls and security processes
- Input for the development of security and risk management improvement programs
- Help with achieving compliance objectives