Case Study - ERP Software Developer
This organisation is a well-established software development company providing bespoke ERP solutions.
It employs 350+ IT professionals, and its clients include high-profile manufacturing companies that typically operate wide-area critical infrastructure.
As IT operations are business-critical to both the ERP provider and their client base, a high standard of cyber security is maintained to ensure digital assets are protected at all times.
Because the ERP provider is part of its clients' third-party supply chain, it is also important that it does not expose other members of that supply chain to unnecessary threats or vulnerabilities; doing so would lead not only to financial costs but also to reputational damage within its market sector.
Many of the ERP provider's clients supply products and services to utility companies operating in densely populated areas. Cyber-attacks against the Oil & Gas, Energy and defence sectors can cause widespread disruption and potential environmental disaster, so each software update released needs to be delivered securely, without risk of harm to clients' networks.
While preparing to deliver one such software update, the ERP provider felt it prudent to have a Compromise Assessment carried out on its network before releasing the update to clients. The release team, in conjunction with the IT Security team, wanted assurance about the state of their environment and to minimise any possibility of causing harm to clients' infrastructure.
A Compromise Assessment would assess their cyber posture and identify any malware already present that could spread to clients' networks through the release. The ERP provider also needed to understand whether it had exploitable weaknesses within its own organisation.
One of the main priorities for the ERP provider was to identify any previously undetected breaches on its network, and so it chose GuardYoo to deliver the Compromise Assessment. Because the GuardYoo solution gathers and analyses historical data that is already available (it does not involve deploying people or devices to monitor the network), it satisfied the ERP provider's parameters for the project.
As the ERP provider has a relatively small infrastructure but a high level of IT automation, all Windows log files were gathered within 2 days and uploaded to the GuardYoo cloud.
GuardYoo's proprietary algorithms prepared the data for analysis and passed the results to the GuardYoo analytics engine.
GuardYoo gave the customer full visibility of proceedings via a secured private account, allowing them to monitor each phase of the assessment process.
The entire network was mapped within a 24-hour period, and GuardYoo highlighted many areas that could potentially be exploited by attackers.
When the final report was delivered, GuardYoo's Threat Hunting Team summarised the key findings and outlined a list of Corrective Actions that the ERP provider should adopt as part of its long-term strategic plan for cyber security. The key findings were:
- Unauthorised use of PsExec on business-critical servers
- Non-encrypted data accessible to external connections
- Multiple cases of unauthorised remote access software being used
- Malware present within the network that had been dormant for over 3 months
- Multiple cases of open administrative sessions between various servers
"We offer our utmost gratitude to the GuardYoo team for a nearly instant compromise assessment service. We were very impressed with the fact that our urgent tasks could be solved so quickly and in such a concise manner". CIO, ERP Software Company
Compromise Assessment Results
- 7 areas that had the potential to permit Critical Threats via external access
- 6 cases of Moderate Threats
Examples of these threats included:
- Unauthorised use of PsExec on business-critical servers by accounts that were potentially compromised. The pattern of activity on these servers indicated a high probability that attackers had previously gained access to the infrastructure.
- Non-encrypted authentication data was accessible via external connections.
- Unauthorised use of remote access tools created a gap in the network perimeter that external attackers could exploit remotely.
- Malware that had been dormant for over 3 months was discovered within the network, indicating that a successful attack had most likely occurred within the previous 12 months.
- A large number of open admin sessions were still active between various servers.
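The two findings above that are most directly recoverable from exported Windows event logs are PsExec use and lingering admin sessions. The following is an added illustration of how such checks can be run over collected logs offline; it is not GuardYoo's code or method, and the hostnames, accounts, IP addresses, timestamps and event records are constructed for the example. The PsExec indicators used (System event 7045 installing a service named PSEXESVC, and Security event 5145 showing PSEXESVC.exe written to the ADMIN$ share) are the tool's well-known defaults; an operator who renames the service with PsExec's `-r` switch would evade this exact match, so a real hunt should also look at any short-lived service with a binary dropped into ADMIN$.

```python
"""Flag PsExec use and long-lived admin sessions in exported Windows events.

Constructed, simplified event records (dicts) stand in for exported Security
and System log entries. Field names follow the Windows event schema
(EventID, LogonId, LogonType, ShareName ...) but every record is made up.
"""
from datetime import datetime, timedelta

# Constructed sample events; not real log data.
EVENTS = [
    # Network logon (type 3) from a workstation, just before the service install
    {"ts": "2021-03-01T02:10:04", "host": "ERP-DB01", "EventID": 4624,
     "LogonType": 3, "LogonId": "0x3a1f2", "Account": "CORP\\svc_backup",
     "SourceIp": "10.20.30.44"},
    # PsExec payload written to the ADMIN$ share (Security log, 5145)
    {"ts": "2021-03-01T02:10:04", "host": "ERP-DB01", "EventID": 5145,
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "PSEXESVC.exe",
     "Account": "CORP\\svc_backup", "SourceIp": "10.20.30.44"},
    # PsExec service installed (System log, 7045)
    {"ts": "2021-03-01T02:10:05", "host": "ERP-DB01", "EventID": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "Account": "CORP\\svc_backup"},
    # RDP admin logon (type 10) with no matching logoff in the collected window
    {"ts": "2021-03-01T08:00:00", "host": "ERP-APP02", "EventID": 4624,
     "LogonType": 10, "LogonId": "0x5555", "Account": "CORP\\admin.jdoe",
     "SourceIp": "10.20.30.10"},
    # RDP admin logon that logged off after 20 minutes
    {"ts": "2021-03-01T09:00:00", "host": "ERP-APP02", "EventID": 4624,
     "LogonType": 10, "LogonId": "0x6666", "Account": "CORP\\admin.asmith",
     "SourceIp": "10.20.30.11"},
    {"ts": "2021-03-01T09:20:00", "host": "ERP-APP02", "EventID": 4634,
     "LogonId": "0x6666", "Account": "CORP\\admin.asmith"},
]

# Hypothetical allow-list: accounts the organisation has approved to run PsExec.
APPROVED_PSEXEC_ACCOUNTS = {"CORP\\deploy_svc"}

# Logon types that represent a person at a console or RDP session.
ADMIN_LOGON_TYPES = {2, 10}  # 2 = Interactive, 10 = RemoteInteractive


def detect_psexec(events, approved=APPROVED_PSEXEC_ACCOUNTS):
    """Return (host, account, indicator) for default PsExec artefacts from unapproved accounts."""
    hits = []
    for e in events:
        acct = e.get("Account", "")
        if acct in approved:
            continue
        if e["EventID"] == 7045 and e.get("ServiceName", "").upper() == "PSEXESVC":
            hits.append((e["host"], acct, "7045: PSEXESVC service installed"))
        elif (e["EventID"] == 5145
              and e.get("ShareName", "").upper().endswith("ADMIN$")
              and e.get("RelativeTargetName", "").upper().startswith("PSEXESVC")):
            hits.append((e["host"], acct, "5145: PSEXESVC.exe written to ADMIN$"))
    return hits


def open_admin_sessions(events, window_end, max_age=timedelta(hours=8)):
    """Return (host, account, logon_id, age_hours) for interactive/RDP logons (4624)
    with no matching logoff (4634) that were older than max_age at window_end."""
    end = datetime.fromisoformat(window_end)
    logons, logoffs = {}, set()
    for e in events:
        key = (e["host"], e.get("LogonId"))   # LogonId is unique per host per boot
        if e["EventID"] == 4624 and e.get("LogonType") in ADMIN_LOGON_TYPES:
            logons[key] = e
        elif e["EventID"] == 4634:
            logoffs.add(key)
    stale = []
    for key, e in logons.items():
        if key in logoffs:
            continue
        age = end - datetime.fromisoformat(e["ts"])
        if age > max_age:
            stale.append((e["host"], e["Account"], e["LogonId"],
                          round(age.total_seconds() / 3600, 1)))
    return stale


if __name__ == "__main__":
    for hit in detect_psexec(EVENTS):
        print("PsExec:", hit)
    for s in open_admin_sessions(EVENTS, window_end="2021-03-01T18:00:00"):
        print("Stale admin session:", s)
```

Both checks key on the collected logs only, which matches the assessment approach described above: no agent is deployed, so the quality of the result depends on Security auditing (logon and file-share access events) having been enabled on the servers before the logs were gathered.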
GuardYoo's Compromise Assessment led to an organisation-wide review of the ERP provider's existing cyber security strategy.
Because of the nature of the weaknesses found and the potential threat to the wider supply chain, some software updates were postponed.
The Compromise Assessment helped the ERP provider's security team identify which cyber security projects needed to be prioritised.
The ERP provider found that the Compromise Assessment produced far more relevant results than the penetration tests it had commissioned in the past. As a result, the customer committed to undertaking regular GuardYoo Compromise Assessments as part of its overall cyber security strategy.