NETWORK PENETRATION TESTS FOR EHR MANAGEMENT SOLUTIONS PROVIDER

Transcription

1 A C a s e s t u d y o n h o w Z e n Q h a s h e l p e d a L e a d i n g K E d u c a t i o n & L e a r n i n g S o l u t i o n s P r o v i d e r i n U S g a u g e c a p a c i t y o f t h e i r f l a g s h i p p r o d u c t, i d e n t i f y & a n a l y z e p e r f o r m a n c e b o t t l e n e c k s a n d i m p r o v e e f f i c i e n c y o f t h e a p p l i c a t i o n b y 1 0 t i m e s. z e n q. c o m NETWORK PENETRATION TESTS FOR EHR MANAGEMENT SOLUTIONS PROVIDER CASE STUDY: PERFORMANCE TESTING ABSTRACT: A Case study on how ZENQ performed Network Penetration Testing for a Medical Record & Practice management Software Solution Corporation to uncover vulnerabilities and security loopholes which would otherwise have cause huge loss and impact to the business. Client: A leading EHR Management solution provider Industry: Healthcare Offering: Security Testing

2 . Client Client has expertise in web based online health care solutions based in USA. It provides cloud based EHR (Electronic Health Record) and medical practice management solution to its customers. Challenge Our client provides cloud based solutions to medical record management and practice management. The challenge was to assess the vulnerability and penetrate into the network of client. The client has 30 external facing nodes which are of different operating systems and application servers. Vulnerability assessment of the all the platforms and identification of false positives and exploitation was major challenge. Our Approach Our security testing experts, here at ZenQA,. Our security testing experts, here at ZENQ, followed a structured approach based on industry wide standards, best practices and methodologies to effectively conduct External Network Penetration Testing To begin with, Security team interacted with the client to gain a thorough understanding of target systems/network architecture and technology behind the system Threat profiles (based on Microsoft Threat modeling process) are then created. These threat profiles list out all the threats that can pose risk to the clients Network, along with the goals of the adversary in attacking the Network.

3 Detailed Test plan including the Test strategy & Test cases by associating threats attack scenarios on functionalities was created. Test plan was reviewed and agreed upon with the client. Upon approval of the test plan, the Network was decomposed towards the threat, and vulnerabilities were identified using combination of manual tool based techniques to ensure optimal results. Threat scenarios were constructed to exploit the identified vulnerabilities manually to give better understandability of hack to the client. Two detailed reports- Executive review report provided the bigger picture of overall security, issues and their impact at each risk level & the Technical review report provided the test details, scan results, the each vulnerability discovered and the suggestions for remediation, were submitted to the client. Technical in-depth details of the each vulnerability discovered and the Environment Network Range: X.X.X.X/27 Security Test Tools: Nmap, Metasploit, Snmpcheck, Hydra, Netcat, Nessus Upon completion of the test execution/ exploitations. Root cause analysis and recommendations on how vulnerabilities can be addressed /resolved were determined.

4 Results Successfully uncovered vulnerabilities that would have caused huge loss and impact to business. Following are the major vulnerabilities that were identified and confirmed: Web server was vulnerable to DOS attack Blind SQL injection was detected on application hosted on web server. Able to dump the database information SSH was brute forced because of weak password Exploited PHP remote code execution vulnerability and got access to server Incorrectly configured SSL certificates Outcome ZenQ team successfully performed Penetration Testing on client s network. In the end, client received the detailed list of defects found, recommendations on how to enhance the security stature were also provided. Our seamless communication & client interactions, constant updates and continuous efforts has helped the client to uncover some critical vulnerabilities..

5 About ZenQ ZenQ is a global provider of high quality Software Development & Testing Services, offering cost effective valueadd outsourcing solutions to our clients. Our highly competent IT Professionals, Domain experts, combined with industry best practices & our investments in state-of-the-art technologies makes us a dependable and longterm IT service partner to all our clients is an For more information, us at : [email protected] OR Visit us at