Utility Network Security
Working with a large regional utility company, DISD performed a "blind" external penetration test and dial-up connection security assessment. DISD performed realistic, unassisted target reconnaissance and enumeration, pausing briefly to verify the identified targets before continuing with the external testing. Concurrently utilizing dozens of leased Voice-over-IP (VoIP) provider lines, DISD enumerated and fingerprinted over 50,000 DID numbers within a week, and identified weak authentication credentials for several connected systems that had been left unprotected by modern network security defenses.
Electronic Health Record Service Attestation
DISD performed pre-deployment penetration tests for an electronic health record (EHR) software-as-a-service (SaaS) provider during their beta testing period. This engagement included authenticated testing of multiple web applications and services, as well as the supporting infrastructure. DISD also performed post-remediation testing, and provided a Letter of Attestation describing the testing scope, methodologies, original results and post-remediation results, allowing the provider to demonstrate their commitment to secure development processes.
Hospital Wireless Security
DISD performed a wireless site survey, identifying potential rogue access points, and a wireless network and client penetration test at a hospital campus. This project uncovered insecure authentication mechanisms, weak encryption protocols, and network segmentation issues. DISD provided tailored recommendations to the client to address each of these issues, including Active Directory Group Policy guidance to deploy hardened wireless settings for several thousand client systems.
Ticket Data Processing Compliance
DISD assisted a major ticket sales and distribution company in their PCI compliance efforts by performing penetration tests for a wide variety of cardholder data-processing applications. These ran the gamut from legacy thick client applications affected by issues such as connectionless transport protocols and insecure local storage, to web applications and web services vulnerable to SQL injection, and interactive voice response (IVR) systems and kiosk interfaces affected by parameter tampering issues.
Banking Fraud Detection
DISD developed device integration modules to capture credit and debit transaction data for an international banking client's security information and event management (SIEM) system.