We present below some typical mission types, in response to the questions of students interested in the work of a computer security consultant. These questions often come up in discussions during their computer security internships.
Auditing the security of a SAP transaction website
Customer’s needs: the mission’s sponsor wanted to audit the security of a SAP-based transaction website. The solution used an authentication mechanism based on dedicated hardware calculators (tokens). The database architecture was built on an Oracle platform, and the entire solution was outsourced to a third-party company, which provided maintenance, development, and security of the application in a partially shared environment.
Results of the mission: the audit highlighted flaws in the handling of user sessions, which made it possible to disrupt the operation of the Oracle database.
ROI for the customer: this audit allowed our customer to raise its security level, and the solution publisher amended its application as a result.
Defining the security level of a transactional platform quickly
Customer’s needs: to define the security level of a transactional platform shortly before it was put into production, and to obtain technical backing in dealings with the software solution publisher.
Results of the mission: during the consultancy mission that followed the penetration test, we highlighted serious weaknesses that revealed significant gaps in the solution publisher’s programming practices.
ROI for the customer: our mission helped the customer discover vulnerabilities in an application that was already in production with one of its subsidiaries and secure a new deployment by a modification in the application’s source code and the installation of an application filtering solution (reverse proxy filtering).
Auditing the security of an ATM
Customer’s needs: to audit the security of an ATM before it is put into production. This ATM is made by a company that publishes centralization software and provides cash deposit systems.
Results of the mission: during this penetration test we were able to analyze the protocol used between the ATM and the centralization software. This let us build a proof of concept, the HelloOtto tool, which allowed us to freeze financial deposits or perform fictitious ones.
ROI for the customer: this approach enabled the mission’s sponsor to obtain, free of charge, a modification of the application that takes into account the flaws discovered during our audit. A significant rework of the architecture and of the isolation between its different components was also carried out.
Obtaining the security level of an electronic signature solution
Customer’s needs: to get a clear picture of the security level of an electronic signature solution that lets people sign and authenticate transactions completed online. The entire solution is hosted by a third party and is based on proprietary technology.
Results of the mission: this analysis allowed us to validate the security level of the chip used to hold certificates, but the penetration test also revealed the possibility of bypassing user authentication and downloading a certificate before the official customer takes possession of it.
ROI for the customer: our customer was able to take advantage of a free portal change by the publisher, and the mission’s sponsor, with full knowledge of the facts, was able to lower the maximum amount allowed for any transaction signed with this technology.
Evaluating the porosity of the internal network and SWIFT applications
Customer’s needs: to evaluate the porosity of the internal network and of the SWIFT applications, at the level of both the AIX systems and the Windows platforms.
Results of the mission: starting with the rights of a single employee, this penetration test allowed the SSO authentication of the SWIFT transaction application to be broken and all kinds of operations to be performed on the targeted system. In addition, we were able to take control of the entire AIX and Windows network.
ROI for the customer: this mission allowed the release of a budget to isolate the infrastructure’s critical areas in a dedicated zone, to create system hardening procedures, and to detect deviant behaviors.
Feel free to contact us at stage@talsion.com, if you’re looking for an internship in computer security in 2016.