Information Security Audit For A BPO And Knowledge Management Company


The customer offers Information Technology, BPO and Knowledge services to its various clients. Several blue-chip organizations have chosen them as a strategic partner to manage key result-oriented areas of Information Technology, owing to their strong capabilities across industry verticals, their technical strengths and their innovative and flexible service delivery models.

Their global delivery model revolves around developing a sustainable competitive advantage for their clients through Information Technology services spanning application development, deployment, maintenance and re-engineering, content and publishing services, and outsourcing solutions.

The Challenge

Information stored on the servers is critical to the operation, and perhaps even the survival, of our client. To protect their information assets and give confidence to all their stakeholders, especially their customers, they wanted to pursue ISO/IEC 27001 certification. ISO/IEC 27001 is the auditable international standard that defines the requirements for an Information Security Management System (ISMS); it is designed to ensure the selection of adequate and proportionate security controls.

Keeping in view the importance of the IT infrastructure in their operations, the client opted to have a proactive audit and assessment study of their network before the ISO/IEC 27001 certification. Torrid was asked to do an audit at their branch offices to review the vulnerabilities in infrastructure components like operating systems (Windows Server 2003, Sun Solaris, and Linux), firewalls, routers and switches.

The Solution

Torrid’s threat research team performed a vulnerability assessment against all internally and externally accessible network infrastructure. The assessment began by identifying all targeted hosts within the given network ranges and fingerprinting every service running on them. Our team identified a number of process failures related to patch management and misconfiguration. Most of the Windows and Solaris machines were found to be unpatched and highly vulnerable; by exploiting these vulnerabilities an attacker could execute arbitrary code on the affected host and gain access to sensitive information.

Our team was then able to exploit trust relationships within the DMZ, which hosted the database server and a system management client. Because default and weak passwords were in use on the management interface’s login page, this was not difficult. It allowed the consultants to obtain administrator access to a remote system management server belonging to the client. By exploiting this weakness, an attacker could gain access to the organization’s main corporate domain and to a number of file servers holding compliance-related data within minutes. Once the assessment was complete, a detailed report was provided to the client covering all findings and their recommended remediation.
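The chain described above (an Internet-facing host that is unpatched and uses default credentials, then trust relationships that lead from the DMZ management server into the corporate domain and file servers) is something a defender can model from an asset inventory before an assessor finds it. The following script is an added example and not Torrid’s tooling or the client’s data: it takes a constructed inventory in which each host records whether it is Internet-exposed, patched, using default credentials, and which other hosts it holds administrative trust over, then reports, for every weak entry point, the set of internal hosts reachable through those trust edges. All host names, attributes and the simple “exposed and (unpatched or default credentials)” weakness rule are assumptions chosen for illustration.

```python
"""Trust-relationship reachability audit (added example, constructed data).

For each Internet-exposed host that is unpatched or still using default
credentials, compute the "blast radius": every host reachable by following
administrative trust relationships from it. Host names and attributes are
constructed for illustration; the weakness rule is an assumption.
"""
from collections import deque

# Constructed inventory. 'trusts' lists hosts on which this host holds
# administrator credentials or an implicit trust relationship.
INVENTORY = {
    "dmz-web":     {"exposed": True,  "patched": False, "default_creds": True,  "trusts": ["dmz-mgmt"]},
    "dmz-db":      {"exposed": False, "patched": False, "default_creds": False, "trusts": []},
    "dmz-mgmt":    {"exposed": False, "patched": True,  "default_creds": False, "trusts": ["corp-dc", "corp-fs1"]},
    "corp-dc":     {"exposed": False, "patched": True,  "default_creds": False, "trusts": ["corp-fs1", "corp-fs2"]},
    "corp-fs1":    {"exposed": False, "patched": False, "default_creds": False, "trusts": []},
    "corp-fs2":    {"exposed": False, "patched": True,  "default_creds": False, "trusts": []},
    "branch-sol1": {"exposed": True,  "patched": True,  "default_creds": False, "trusts": []},
}


def weak_entry_points(inventory):
    """Internet-exposed hosts that are unpatched or use default credentials."""
    return sorted(
        host for host, attrs in inventory.items()
        if attrs["exposed"] and (not attrs["patched"] or attrs["default_creds"])
    )


def blast_radius(inventory, start):
    """Breadth-first walk over trust edges: every host reachable from `start`."""
    seen = {start}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for nxt in inventory[host]["trusts"]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)  # report only the hosts beyond the entry point itself
    return sorted(seen)


def audit(inventory):
    """Map each weak entry point to the internal hosts it ultimately exposes."""
    return {host: blast_radius(inventory, host) for host in weak_entry_points(inventory)}


if __name__ == "__main__":
    for entry, reach in audit(INVENTORY).items():
        print(f"{entry}: reaches {len(reach)} host(s): {', '.join(reach)}")
```

Run as-is, the script reports that the single weak DMZ host reaches the management server, the domain controller and both file servers, while the patched Solaris branch host is exposed but not flagged. Fixing the entry point’s patch level and credentials, or removing the management server’s standing trust into the corporate domain, shrinks that reach to nothing; re-running the audit after each change is a cheap way to confirm a remediation actually breaks the chain.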

The Result

Our team demonstrated that the unauthorized access obtained through a single poorly configured Internet-facing system could give a malicious and motivated attacker full access to a vast number of corporate systems and the sensitive data stored in them. The findings allowed our client to rectify the issues in their critical servers and successfully achieve ISO/IEC 27001 certification.

As a result of the security assessment by Torrid, the client now has peace of mind that comes from an expert, third-party validation of its security policies. Its customers also trust the results of the assessment, and are investing further in leveraging the client’s solution.