Defense in Depth Strategic Consulting
A national financial institution with over $6 billion in annual revenues engaged IOActive to perform an assessment of the institution and its enterprise-level information security strategy and capabilities. IOActive assessed the set of security objectives, processes, methods, tools, and techniques that formed the foundation of the institution's Defense in Depth strategy and security program. IOActive identified strengths and weaknesses for each of the institution's core security capability areas across three dimensions of people, process, and technology.
IOActive's consultant team reviewed documentation of existing security controls, conducted on-site interviews of key management and staff personnel, and performed physical surveys by observing specific capabilities, processes, and technical safeguards to collect data for the assessment and analysis. IOActive also reviewed reports and work products prepared by the institution, its external auditor, and other entities engaged by the organization for previous security-related reviews. IOActive evaluated core areas of the institution's information security program to determine the maturity level of its:
- Security leadership.
- Security program organization.
- Security policies and procedures.
- Security management processes.
- User management.
- Information asset security.
- Technology protection and continuity.
Within these broad areas, IOActive assessed the institution's capabilities around:
- Identity and access management.
- Anti-virus and spam control.
- Perimeter network defense.
- Physical security.
- Secure code development.
- Encryption.
- Security awareness.
- Business continuity planning.
- Risk assessment.
- Compliance.
- Security incident response.
- Patch management policies.
IOActive delivered a report to the institution that rated the strength of each Defense in Depth component against the desired future state, relevant regulatory requirements, international standards, and peer organizations. IOActive documented observed weaknesses and opportunities for improvement, and provided detailed recommendations to increase the efficiency and efficacy of security safeguards and controls. IOActive participated in the preparation of material for presentation to the Audit Committee, and assisted with the prioritization of subsequent major security initiatives.
Acquisition Due Diligence Security Audit
As part of due diligence contracting efforts, IOActive was engaged to assist a regional financial institution with assessing the overall security posture of an application service provider's (ASP's) technical operations, specifically as they pertained to the security protections that the ASP would wrap around the financial institution's sensitive customer data.
In evaluating the security of the hosted application service, IOActive reviewed the following areas for potential risks:
- Web application security.
- Network security.
- Physical and organizational security.
For the network security assessment phase, IOActive reviewed network architecture information provided by the ASP and inspected network infrastructure at the ASP's business office and co-location facilities. Additionally, IOActive coordinated with the financial institution's internal Information Security staff, who performed a remote network security scan of the ASP's internet-facing systems to assess the security of their network perimeter.
For the physical and organizational phase, IOActive visited the ASP's office facility and the site of their primary co-location facility, which was operated by a third party. In addition to reviewing the security controls and safeguards in place at the physical premises, ASP and co-location staff were interviewed regarding security-related practices and procedures.
Despite what marketing materials and the sales team asserted, IOActive found that the ASP had not developed or adopted formal security policies or standards directed toward the design and implementation of the application under evaluation. There was also a lack of secure coding knowledge within the ASP's software development team. As a result of these factors, the application fell short of basic secure coding standards. IOActive consultants identified numerous security vulnerabilities whereby internet-based attackers could access sensitive data without authorization, modify data, and even compromise the application server systems.
IOActive's efforts dramatically altered the direction of contract negotiations between the ASP and the financial institution in favor of the financial institution. IOActive also helped the ASP remediate the risks in their code and server settings, so that all of their clients ultimately had better protection around their customers' health and financial data.
Security Development Lifecycle
A Global 100 software company hired IOActive to provide expert secure development lifecycle services for one of its most mission-critical products. IOActive is one of only three companies in the world that have conducted this level of audit on a commercially available product of this size and class.
IOActive's consultant team reviewed threat model diagrams, data flow diagrams, call trees, and internal kernel source code to identify and expose subtle yet significant software security issues. IOActive's team interviewed and coached key project team members who were responsible for the identified areas of code and provided further instruction during remediation phases. It is our understanding that, to date, this was the largest security code audit in the history of the software industry.
The results of IOActive's participation in this engagement were significant. Through our proven software vulnerability management process, IOActive identified enough "zero-day" vulnerabilities in the product to have saved the client over $5 million in emergency response situations and rapid patch deployment activities.
Network Penetration Test and Social Engineering
An international non-profit organization with more than $30 billion in endowments and grant commitments commissioned IOActive to review a set of security controls newly implemented to protect their offices in the United Kingdom, Argentina, and Russia. Additionally, IOActive was asked to capitalize on our unique "hacker" perspective to evaluate the security controls implemented by the organization's system administrators.
IOActive quickly footprinted the network using open-source reconnaissance tools and manual techniques. We identified the active network hosts, vulnerable services on those hosts, and operating system version numbers. IOActive then proceeded inward from the network layer to the application layer.
IOActive found that the system administrators had been diligent in patching and minimizing all unnecessary services on their perimeter network, leaving only four network services to attack. However, since the client had requested a "real world" attack scenario, IOActive used a spoofed email, posing as an internal administrator and asking our client's employees to update their passwords through an IOActive-supplied secure website.
The IOActive team sent ten emails and within five minutes received four login credentials to the client's network. The IOActive penetration testing team logged on to the VPN server, gained access to a web server in the DMZ, exploited a trust relationship between the web server and the database server (which was located on a trusted network), and proceeded to compromise the client's domain controller, TACACS system, payroll systems, and ultimately their building control systems.
IOActive was able to demonstrate that, had this been an actual attack, the client would have been required to completely rebuild their IT environment from trusted sources, resulting in millions of dollars in damages from downtime, lost data, and breach notifications to their customers. IOActive provided the client with recommendations on changing policies and procedures, implementing two-factor authentication to mitigate the exposures revealed by our work, and continuing to build on the level of security diligence already demonstrated by the system administration team.
Network Penetration Test
IOActive was engaged by one of the United States' largest research universities to identify and break into high-value, strategic business systems within a 16-hour time frame.
IOActive committed our teams in Canada, Europe, Argentina, and the United States to complete this strategic project. The IOActive team rapidly compromised multiple systems, including taking control of high-energy particle beam equipment. IOActive captured and recorded personal information that would have cost the institution over $700,000 in breach notification mailings. IOActive also compromised a database containing $350 million in financial assets.
IOActive demonstrated conclusively that, unless it undertook rapid remediation steps, the university would be exposed to severe risk and injury to its operations, reputation, and financial viability. We delivered both written and oral reports to help our client thoroughly understand our methods and the implications of our findings, and provided actionable recommendations for addressing the discrete and aggregate vulnerabilities reported.