Staffing Firm ‘Shocked’ At Vulnerabilities Shown by Penetration Test
ROCHESTER — High Bit Security Inc. announced Tuesday that one of its clients, a national staffing firm, engaged High Bit to perform penetration testing, and was surprised and disturbed by the results.
“The customer had a firewall, and had taken numerous other steps they believed would make them secure,” said High Bit Security Chief Business Development Officer Barbara Goushaw. “They engaged us to perform penetration testing,” an external and internal IT security assessment of their network, web applications, workstations, servers, printers and wireless systems.
According to Goushaw, “They genuinely expected our testing would prove them to be secure. They were mortified when their report came back with multiple ways that their contractors’ personally identifiable information, including names, addresses, Social Security, driver’s license, and health insurance numbers, could have been compromised by a hacker.”
Added High Bit COO Adam Goslin: “Staffing firms/agencies are routinely targeted, given the significant amount of personal information that is contained on their systems. Our 2012 Annual Report showed over 95 percent of businesses we tested had significant vulnerabilities, and almost all of these companies were running regular vulnerability scanning. There have been numerous recent reports of staffing agencies being hacked then blackmailed by hackers to prevent public disclosure of the breach.” (See www.staffingindustry.com/eng/Research-Publications/Daily-News/Netherlands-Hacker-strikes-again-blackmailing-staffing-firm.)
“Upon receipt of our penetration testing report, the firm’s IT staff was able to begin immediately to fix the vulnerabilities identified,” said Goslin. “The report detailed what we found, where we found it, what it meant, and specifics on how to fix it. Within just a few days, they came back to us and said they were ready to re-test. Once all of the issues had been remediated and confirmed by High Bit Security certified penetration testers, we were able to provide them with a customer-facing report, which did not detail the sensitive information about their environment, but did confirm the timing, high-level scope and nature of penetration testing performed, along with the confirmations the client desired.”
Said Goushaw: “Performing this testing enabled them to include their security commitment in their sales presentation. They have since decided it is in their best interest, and that of their customers and contractors, to implement an annual penetration testing cycle in addition to their other security measures. They no longer wait for clients to demand proof of security testing. Keeping client information secure is now part of their value proposition.”
The complete report of the vulnerabilities identified during this test can be reviewed on the High Bit Security case studies pages, www.highbitsecurity.com/casestudies-pentesting-staffing.php, along with several other High Bit Security case studies, which anonymously provide details of the testing results of various types of engagements.
“We will continue to update this section of the site, as many business owners and managers have no idea just how insecure their systems may be, and we hope our educational efforts take hold before the hackers visit one of our prospective customers,” Goslin said.