Client Background

VEON is a mobile operator providing converged connectivity and online services to around 160 million customers across six countries with over 7% of the world’s population.

What triggered the project launch

VEON opened a large new office in Lviv to support finance, procurement and HR operations in Ukraine, Armenia, Georgia, Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan. The launch of the new office was accompanied by the implementation of the entire IT infrastructure from scratch.

Therefore, immediately after the IT services were implemented, it was necessary to check the security of all components and eliminate vulnerabilities to prevent compromise.

Solution

XRAY CyberSecurity conducted a penetration test to assess the IT infrastructure, eliminate cyber threats and address risks. The scope included the external, internal and cloud networks and the office wireless network.

Several attacker types were modeled: Blackbox, with no prior information or accounts; and Greybox, using three types of user accounts within the infrastructure (employees of different departments).

Methodologies

Our pentesting methodology is based on leading standards like PTES, NIST SP 800-115, OSSTMM and OWASP.

Tools used

During pentesting, a full set of common pentester tools was used, but the main key to success was manual analysis: chaining the results of exploiting individual vulnerabilities to escalate privileges and demonstrate a practical compromise of the IT infrastructure.

Results

Twelve exploitation scenarios were implemented. For each attacker model, the ability to compromise the IT infrastructure was demonstrated.

Recommendations were developed for the Technical and Executive levels:

  • Technical – focused on eliminating vulnerabilities and on architectural improvements for increased security.
  • Executive – focused on the processes and procedures of the Information Security Management System for maintaining a high level of protection.
  • An action plan was developed to help the client prioritize and evaluate the resources required to address the identified security gaps.
