
Penetration Testing Case Study

Case Study 1

Penetration testing can be either physical or digital (further broken down into technical/manual or online). A case study for each follows:

Physical penetration testing services were provided to a large manufacturing plant that was dedicated to raising its security awareness and that trained and re-trained its employees to keep intruders out. Testing was conducted at all entry-exit points including the main entrance/lobby/concierge, docking yard, security booth, and armbar entry/exit lanes. Our services confirmed to the company that their security principles were sound in all the major areas. The company continued using our penetration testing services twice a year to keep their employees aware and in compliance with their security policies.

Case Study 2

Technical or manual penetration testing refers to breaching the security of technology through manual means (exploiting weaknesses within the item's hardware and/or software, or connecting other technology to it to help breach security).

Penetration testing was conducted at Pearson International Airport, where we exploited a weakness in the public terminals offering access to a number of different airline booking interfaces. The interface for Czech Airlines bypassed server security measures when the user clicked the "Contact" page and then clicked a Google map that was provided to illustrate the location of the Czech Airlines head office. Once the map was clicked, the user could proceed unhindered to click "Gmail" or any of the other Google products, which left the browser's URL field unsecured. This allowed full control to travel the internet wherever one wished, or to use the URL field as a command prompt to access the hard drive on the server and establish administrative controls.

Case Study 3

Penetration testing services were conducted at Mississauga Central Library on the public terminal computers typically used to search for books. A desktop weakness was identified wherein the user could make a new batch file on the desktop to run commands such as the command prompt, which then allowed access to the server and various administrative controls.

Case Study 4

Penetration testing services were conducted at a high school where complaints had been made that students had hacked professors' encrypted personal directories. We determined that the school was utilizing hidden letters in the naming of their directories. These directories were often named with the professor's first initial and last name. For example, if the professor's name was Albert Einstein, the directory on the server would read aeins____. Students could easily figure out the hidden letters and access the directories to observe and, in some cases, amend grades. Further security measures were suggested to the high school and then accepted and implemented, after which the students were no longer able to access their professors' personal directories.

Case Study 5

A client approached us to conduct penetration testing on her husband's cell phone, as she believed he was cheating on her and was at another woman's residence. Through the client's phone we were able to access her husband's phone, determine his GPS coordinates, and show our client that he was at his place of work.
