Client Story

Finding and Testing Online Assets

Summary

By combining our passive ASM product with active discovery and testing techniques, we provided a large multinational organisation with a complete picture of its online assets and their vulnerabilities.

Client need

The most exposed attack surface of an organisation is its Internet-connected assets – its external attack surface.

We worked with a large, multinational financial organisation. With disparate IT and cloud teams spread across several countries, keeping on top of their online assets is a difficult, never-ending task.

Such organisations are perfect customers for our ASM product. For this engagement, the product was the starting point for discovery and testing, complemented by a range of active discovery and testing activities.

What we did

Using our Hexiosec ASM platform we discovered over 1000 domains and subdomains for the organisation. This data was the input to an active discovery and testing phase, where we discovered hundreds of live assets that we could test.

We discovered a wide range of security issues, including hijacked subdomains, exposed remote desktop services, a bypass to the web application load balancer, and a wide range of website and TLS issues.

Client benefit

Improvements took a small number of months, but left the organisation with a much healthier online attack surface. They also got an up-to-date list of all their online assets, and a systematic approach to keeping on top of their external attack surface.

We then moved on to a programme of in-depth penetration testing engagements.