Our client, a regional public water utility servicing multiple cities, towns and government facilities, wanted an in-depth evaluation of their core networks and systems to determine where their systems and services might be susceptible to a motivated attacker. The organization had deployed a variety of security safeguards but needed a third-party evaluation to establish the adequacy of the controls to their senior leadership. Experis was engaged to execute a variety of realistic internal and external attacks against the organization to assess the security measures without disrupting business or customer services.
The engagement used a tailored version of our proven vulnerability assessment and penetration test methodology to initially probe the external and internal defenses of the organization in a covert manner, and then followed those tests with additional techniques designed to validate the vulnerabilities discovered and determine the potential risks and impacts if the issues were exploited by attackers. A Rules of Engagement document, developed in cooperation with the client, explicitly defined the parameters and scope of each included test type and the test windows when execution would occur.
The highly skilled security professional assigned to the project developed a set of attack scenarios covering various depths of testing. Once the plan was approved by the client, Experis executed each of the initial tests, followed by exploit verification of the discovered weaknesses. Due to the significant number of vulnerabilities discovered, the exploit verification phase had to be revised to complete the work within the available budget while maintaining the integrity and validity of the results.
In addition to a limited number of weaknesses in the external environment, Experis discovered a significant number of weaknesses in the internal networks and critical information systems. We provided a comprehensive report with detailed results and recommended actions that addressed the root causes of each issue. Despite the number of issues, our recommendations enabled the client to implement corrective actions that quickly and effectively reduced their levels of business risk and exposure to cyber-attacks.