Pentesting a Non-Profit Company
The Engagement
The Scenario
A non-profit organization specializing in providing educational resources to underprivileged communities aimed to bolster their internal and external cybersecurity measures. The organization had recently implemented new IT security protocols to protect its digital infrastructure and wanted to test their effectiveness. Hence, they engaged NextdoorSEC to perform external and internal penetration testing and evaluate whether their investments in IT security had yielded the desired results.
The Goal
The objectives of the penetration testing conducted by NextdoorSEC included:
External Penetration Test:
- Breaching the organization’s digital defenses from an outsider’s perspective, akin to a malicious hacker with no prior knowledge of the organization.
- Uncovering and extracting any sensitive information, such as staff login credentials, donor details, and strategic plans.
- Assessing the security of the organization’s wireless network and whether it could be exploited from the outside.
Internal Penetration Test:
- Targeting and compromising any sensitive servers, such as those holding donor databases, educational content, and staff records.
- Extracting sensitive information without raising suspicion amongst the organization’s employees.
- Emulating an “insider threat” scenario to understand its potential impact.
The Approach
NextdoorSEC employed various strategies using custom-made and industry-standard tools, including manual and automated testing techniques. The penetration tests were performed from a “black box” perspective, mirroring real-world scenarios where attackers have no prior knowledge of the target.
Despite the organization’s improved IT security measures, the internal penetration test revealed a lack of robust internal security. The external penetration test focused on public-facing domains and services like the organization’s website, email services, and remote access systems, which yielded insightful results.
Upon completion, NextdoorSEC provided the organization with a comprehensive report, which included an executive summary, technical findings, and recommendations for remediation.
Results
✅ Payment Gateway Vulnerability
The organization’s payment gateway was susceptible to a critical exploit that allowed the testers to intercept and manipulate transaction data.
✅ Excessive Information Leakage
Various e-commerce platform elements inadvertently revealed excessive information about the organization’s IT infrastructure, which could aid targeted attacks.
✅ Unsecured Customer Data
NextdoorSEC testers gained unrestricted access to the customer database, highlighting a major security flaw that could allow a malicious attacker to steal sensitive customer information.
✅ Administrator Access to Web Servers
Full admin access was achieved on the organization’s web servers. An actual attacker could take over the website or inject malicious code.
✅ Admin Access on Employees’ Systems
Full admin access was obtained on the systems used by the staff who manage the e-commerce platform. This could allow an attacker to manipulate product listings and prices, and even siphon off funds.
✅ Vulnerabilities in User Account Systems
The system for managing user accounts was flawed, potentially allowing an attacker to hijack or create phantom accounts.
Word on the street
We're not like average security penetration testing companies. We've earned a reputation for delivering tailored solutions to businesses of all sizes. From mom-and-pop shops to tech startups, our expertise keeps your data safe and sound. Our clients appreciate our customized approach and commitment to transparency. Join the Nextdoorsec fam, one of the reliable vulnerability assessment companies, and rest easy knowing your security is in good hands.
Nextdoorsec is an exceptional security company that provides thorough and detailed reports that are easy to understand. Their team is highly knowledgeable and responsive, always willing to answer any questions and provide guidance on how to properly address security vulnerabilities according to industry best practices. With Nextdoorsec's help, we were able to identify and address previously undetected security gaps in our systems, giving us greater confidence in our overall security posture. We highly recommend Nextdoorsec for any organization looking to improve their security posture and protect their valuable assets.
Pieter van der Meer
Cloud Architect
Nextdoorsec provided our organization with top-notch security services. Their team was incredibly thorough and professional, and their level of communication was outstanding. They kept us informed at every step of the process and were always available to answer any questions we had. We were particularly impressed with their commitment to transparency and their ability to provide actionable recommendations for improving our security posture. We would highly recommend Nextdoorsec to any organization looking to enhance their security and protect their valuable assets.
Lars Jansen
CTO
Get Started
Are you prepared to beef up your cyber defenses and soar to new heights in the digital world?