Case Study #1
A Recently Audited Network That Had Been Determined "Compliant" Was Easily Penetrated By Ra Using "No Special Skills".

Having recently purchased a smaller financial services company, the parent organization was assured that their network security was in good shape. The smaller company had just passed an audit, performed by state regulators, which scrutinized information security measures. Based on that audit, they were confident that their security posture was good and their data was secure.
The new owners, having worked with Ra Security Systems in the past, insisted on an independent third-party security assessment. Using only the public Internet and no special skills or software, Ra Security Systems (RSS) was able to penetrate their network security and take control of a number of internal servers, including servers that contained sensitive data and performed security functions. By using only basic knowledge and skills along with freely available tools, RSS was able to show the company that they were vulnerable not only to professional attackers but to the opportunistic amateur as well. Once they were briefed on the results of the security audit, Ra Security Systems was hired to manage their network security.
Conclusions: Audits are checklists of best practices. They do not ensure security. Only proper policies, enforcement and an experienced security team can reduce information security risk. Another valuable conclusion is that attaching unknown satellite networks to otherwise secured networks elevates risks for the entire organization and can result in costly remediation efforts. Despite the risk and potential costs, attaching such networks is a common practice during merger and acquisition integration.

