
THOUGHT LEADERSHIP AND CASE STUDIES

Explore our case studies to learn how we've helped clients worldwide become clearly secure. To learn more about the world of digital security, browse our thought leadership articles and gain strategic insights based on our annual digital security survey.

CASE STUDIES


Industry: Fintech

Permission to launch in a fintech startup

Looking at another example of ongoing support, we’re currently helping a fintech startup on its journey towards launch.
Like any startup, the company has been developed from scratch, with the necessary testing performed to ensure the environment is secure. Thus far, we’ve done all the testing for their mobile and web apps and their hosting environment: an end-to-end pentest of their entire solution in preparation for their go-live date, ensuring they have the maturity to meet regulatory requirements.

Besides the usual benign hiccups experienced by every business in development, it’s been smooth sailing. We’re playing our part to make sure it stays that way.


Industry: SAAS

Guarding the guard in a tech startup

For three years running, we’ve performed web application pentesting for a client’s B2B SaaS platform. Since they’re an organisation targeting ISO 27001 certification, it should come as no surprise that regular pentesting is part of their information security requirements.

Given that the platform is a tool used by large corporates to assess third-party risk, our client can’t very well be the weak link themselves. We play an important role in ensuring they’re not.


Industry: Banking

Business as usual in the banking sector

Along with standalone projects, we’re also able to work for clients on an ongoing basis, providing extra capacity for internal pentesting teams. By way of example, we do much of the repeatable work for a particular bank, allowing their internal teams to concentrate on strategic concerns without becoming overwhelmed by time-consuming mundane requirements, many of which arrive unannounced.

The bank has a sensible requirement that nothing can go live without a pentest, but this often entails a simple feature change rather than a new product release, so we add the capacity to ensure delivery deadlines are met. This allows the security function to meet the internal business demands and in turn ensures customers are protected by our client’s banking platforms.

Whatever your sector, we can provide the same kind of support for you.


Industry: Retail

Unsafe objects in the retail industry

Working as subject matter experts within the internal audit function of a large retailer, we performed an external pentest to provide technical feedback to management as well as reporting to the audit and risk committee.

The retailer’s website had a function to accept applications, requiring customers to submit supporting documents containing sensitive information. Within this function, we found an insecure direct object reference, which allowed us to access all other customers’ applications and supporting documents. From a financial perspective the risk to the retailer was likely quite low, but the same can’t be said for the individual applicants, whose information could have been accessed by malicious actors.

Full credit to the retailer for implementing an immediate fix, thereby protecting their customers and their own reputation.
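The insecure direct object reference described above, shown as an added example that is not the retailer’s code: an application store keyed by a numeric id, one handler that returns any record to any authenticated customer, and the hardened handler that makes ownership part of the lookup. All names, ids and documents are constructed for the illustration.

```python
"""Illustration of the insecure direct object reference (IDOR) pattern
named in the retail case study. The data and handlers are constructed for
this example and are not the retailer's code."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Application:
    app_id: int
    owner: str       # account that submitted the application
    document: str    # supporting document attached to it


# Constructed sample store, keyed by the numeric id a URL would expose.
APPLICATIONS = {
    1001: Application(1001, "alice", "alice_payslip.pdf"),
    1002: Application(1002, "bob", "bob_bank_statement.pdf"),
    1003: Application(1003, "carol", "carol_proof_of_address.pdf"),
}


def fetch_application_vulnerable(app_id: int, requester: str) -> Optional[Application]:
    """The caller is authenticated (we know who `requester` is), but the
    lookup never checks that the record belongs to them, so any valid id
    returns another customer's document. This is the IDOR."""
    return APPLICATIONS.get(app_id)


def fetch_application_fixed(app_id: int, requester: str) -> Optional[Application]:
    """Ownership is part of the lookup. A record that exists but belongs to
    another customer is indistinguishable from a missing one, so the endpoint
    neither leaks the document nor confirms which ids are valid."""
    record = APPLICATIONS.get(app_id)
    if record is None or record.owner != requester:
        return None
    return record


def documents_visible_to(requester: str,
                         fetch: Callable[[int, str], Optional[Application]]) -> List[str]:
    """Walk a small id range as one logged-in customer and collect whatever
    the handler returns; used only to compare the two handlers."""
    visible = []
    for app_id in range(1000, 1010):
        record = fetch(app_id, requester)
        if record is not None:
            visible.append(record.document)
    return visible


if __name__ == "__main__":
    print("vulnerable:", documents_visible_to("alice", fetch_application_vulnerable))
    print("fixed:     ", documents_visible_to("alice", fetch_application_fixed))
```

The fix returns “not found” rather than “forbidden” for records owned by someone else; that keeps the endpoint from acting as an oracle for which ids exist, which matters when ids are sequential as they typically are in this class of finding.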


Industry: Mining

Beware the black swan

Here’s a useful example of our work with Mobius Consulting. A listed mining house required an information security health check comprising internal and external pentests as well as a threat simulation.

The Mobius Consulting team performed a gap assessment against the NIST Cybersecurity Framework, which is normally an interview-based and document review exercise. In this case, the gap assessment was validated by the results of our pentesting services, which mapped almost perfectly to the NIST results. All told, the client was assessed to be mature in Protect, but not in Respond and Recover.

With this weakness identified, the Mobius Consulting team was able to draft a roadmap of activities for the client to remediate the gaps identified and improve their overall security posture.


Industry: Oil & gas

One in a thousand

An oil & gas company with global operations required a pentest to see what would happen if someone had already breached their network from outside. With a standard set of user credentials and remote access, what could they do from there?

Our first goal was to find a way to put the tools we needed on the relevant machine, which we achieved by bypassing the endpoint’s security controls. From there the goal was to move laterally, compromise other hosts on the network, and escalate privileges. This proved an extremely tough exercise, but we eventually found a chink in the armour. Having discovered only one host that wasn’t implemented according to a security baseline, we were able to establish a foothold and run commands that allowed us to escalate privileges and compromise the domain.

All in all, a real-life testament to the offensive security mantra: ‘Try harder’.


Industry: Retail

Unintentional discount in the retail industry

A large retailer with an e-commerce solution asked us to perform a pentest, during which we discovered two main issues. First, we could access sensitive information such as other customers’ details.

The second issue pertained to manipulating shopping baskets, altering the basket value to a nominal amount, and being able to check out. The benefits to the client from our discoveries covered crucial ground in privacy compliance, preventing financial loss, and keeping their reputation intact.
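The basket manipulation described in this case study, shown as an added example that is not the retailer’s code: a checkout that charges whatever total the client sends, beside one that rebuilds the amount from server-side prices and flags any disagreement for the security team. The catalogue, prices and request payload are constructed for the illustration.

```python
"""Illustration of the basket-tampering issue named in the retail case study:
a checkout that trusts a client-supplied total versus one that recomputes the
amount server-side. Catalogue, prices and payloads are constructed for this
example and are not the retailer's code."""
from decimal import Decimal

# Constructed catalogue: the only price source the server should ever use.
CATALOGUE = {
    "SKU-100": Decimal("299.99"),
    "SKU-200": Decimal("49.99"),
}


def charge_vulnerable(payload: dict) -> Decimal:
    """Vulnerable pattern: the amount to charge is read straight from the
    request body, so the client decides what it pays."""
    return Decimal(str(payload["total"]))


def server_total(items: list) -> Decimal:
    """Recompute the basket value from the catalogue, rejecting anything that
    cannot be priced honestly (unknown SKU, non-integer or non-positive
    quantity)."""
    total = Decimal("0")
    for line in items:
        sku, qty = line["sku"], line["qty"]
        if sku not in CATALOGUE:
            raise ValueError(f"unknown sku {sku!r}")
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"invalid quantity for {sku}: {qty!r}")
        total += CATALOGUE[sku] * qty
    return total


def charge_fixed(payload: dict) -> Decimal:
    """Hardened pattern: the client's total plays no part in pricing; only the
    item list is used, and the amount is rebuilt from server-side prices."""
    return server_total(payload["items"])


def total_mismatch(payload: dict) -> bool:
    """Detection hook: a client total that disagrees with the server's figure
    is worth logging and alerting on, since a genuine front end never
    produces one."""
    return Decimal(str(payload["total"])) != server_total(payload["items"])


# Constructed request as a tampered client might send it: real items, but the
# displayed total edited down to a nominal amount before submission.
TAMPERED_PAYLOAD = {
    "items": [{"sku": "SKU-100", "qty": 1}, {"sku": "SKU-200", "qty": 1}],
    "total": "0.01",
}

if __name__ == "__main__":
    print("vulnerable charges:", charge_vulnerable(TAMPERED_PAYLOAD))
    print("fixed charges:     ", charge_fixed(TAMPERED_PAYLOAD))
    print("mismatch flagged:  ", total_mismatch(TAMPERED_PAYLOAD))
```

Money is handled as `Decimal` rather than float so the recomputed total compares exactly with what the payment provider is asked to take; the quantity check also rejects `True`/`False`, which Python would otherwise accept as integers.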


Industry: Banking

The talkative chatbot in the banking sector

A bank with operations across multiple African countries asked us to run pentests across all their web apps, mobile apps, internal networks and public-facing infrastructure – a big chunk of work exceeding a thousand hours of testing.

By far the most interesting and impactful discovery came from an unexpected quarter: a chatbot on the bank’s customer-facing site. The bot had debug mode enabled in its source code. As such, it gave verbose responses intended for developers to monitor functionality, and among these were a set of credentials. As we were testing the client’s broader infrastructure, our team came across another location requiring authentication. Using the details from the chatbot, we gained access and found storage buckets containing sensitive customer data.

A serious compliance issue, but fortunately one with a clear fix. Here’s to thoroughness.


Industry: Insurance

Reassurance in the insurance industry

A large insurer asked us to perform a wide range of pentests – a big exercise involving 600 hours of work. We discovered that their public-facing sites had a blind time-based SQL injection vulnerability. This allowed us, from an unauthenticated perspective, to download the customer database, complete with sensitive information such as home addresses, manifests and financial figures.

It was a critical find, not least because the client had done pentesting the year before and the issue went undiscovered. In a sector as heavily regulated as insurance, the potential fallout regarding compliance and reputation isn’t hard to imagine, especially considering the problem affected ten different portals and an entire stable of brands.
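The SQL injection class behind this finding, shown as an added example that is not the insurer’s code or data: the same customer lookup written by splicing the input into the query text and by binding it as a parameter. The blind time-based variant the case study describes differs only in how an attacker observes the result; the structural weakness and its fix are the ones below. The table, rows and policy references are constructed for the illustration.

```python
"""Illustration of the SQL injection class named in the insurance case study:
one customer lookup written with string formatting and with a bound parameter.
The table and rows are constructed for this example and are not the insurer's
code or data."""
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, "
        "home_address TEXT, policy_ref TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, home_address, policy_ref) VALUES (?, ?, ?)",
        [
            ("Customer A", "1 Example Road", "POL-0001"),
            ("Customer B", "2 Example Road", "POL-0002"),
            ("Customer C", "3 Example Road", "POL-0003"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, policy_ref: str) -> list:
    """Vulnerable pattern: the user-supplied value is spliced into the SQL
    text, so it can change the query's structure rather than only its data."""
    sql = f"SELECT name, home_address FROM customers WHERE policy_ref = '{policy_ref}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, policy_ref: str) -> list:
    """Hardened pattern: the value travels as a bound parameter; the database
    only ever compares it against policy_ref, whatever characters it holds."""
    sql = "SELECT name, home_address FROM customers WHERE policy_ref = ?"
    return conn.execute(sql, (policy_ref,)).fetchall()


# The textbook tautology, used here only to show the structural difference:
# against the vulnerable query it matches every row; against the fixed one it
# is simply a policy reference that does not exist.
TAUTOLOGY = "' OR '1'='1"


def compare(policy_ref: str) -> dict:
    """Run the same input through both handlers and report row counts."""
    conn = build_demo_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, policy_ref)),
            "fixed": len(lookup_fixed(conn, policy_ref)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal input:", compare("POL-0002"))
    print("tautology:   ", compare(TAUTOLOGY))
```

The point the case study makes about a previous pentest missing the issue is worth taking literally: a blind, time-based injection produces no visible error and no extra rows in the response, so code review for string-built queries and query-log monitoring for unusually slow statements catch it where black-box testing of one portal may not.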


Industry: Mining

Excavation becomes a serious prospect

A listed gold mining company asked us to perform an internal pentest with a twist, adding specific use cases to assess their monitoring and detection systems.

Beginning from a non-domain-joined machine, we got domain admin by five different paths within the first two days and downloaded numerous user credentials. We looked for additional paths and found as many ways as we could to compromise the environment. We then ran the use cases, deleting logs and policies off machines and exfiltrating large volumes of data, doing everything a hacker would’ve done to cover their tracks or establish persistence. Since the client detected virtually none of our activities, it was clear that their monitoring function wasn’t running effectively and that there were holes in their security posture.

Happily, with said gaps identified by our feedback, the client was equipped to tune their monitoring and detection to address their weak points.


Industry: Retail

From weak spots to Fort Knox

A retail client partnered with Mobius Binary to enhance security through regular penetration testing. We were tasked with a threat testing exercise to evaluate automated security controls against potential attacks.

The challenge was to simulate threats using open-source tools, based on the MITRE ATT&CK matrix, to assess the effectiveness of the client’s security. The solution included a detailed report and debrief, revealing that most attack vectors were thwarted, with a few areas for improvement. The client’s security posture improved, justifying their recent security investments.

Thought Leadership

The Mobius Group 2023 Cyber Security Survey

The Mobius Group 2022 Cyber Security Survey

The path to digital trust