Our achievements


Disclaimer: The case studies below are inspired by real-life situations, but for confidentiality's sake the cases presented are fictitious and do not correspond to any of our customers.

To help you better understand the objectives and impact of penetration testing, we present here a number of case studies. This will give you a more complete picture than a simple list of services.

Manufacturing

This company specializes in industrial production, supplying other companies with materials and equipment. It is an SME with 340 employees spread over 3 sites: the head office with the main plant, and 2 other plants located in other regions of Quebec.

The biggest risk is the deployment of ransomware. A production line stoppage would have a devastating impact financially, and the resulting production delays could also cause serious problems with customers.

What's more, because it works for major international groups, it is increasingly challenged on its security measures and needs to prove to its customers that it follows good cybersecurity practices.

This company has invested in security tools:

  • SentinelOne as EDR
  • Fortinet as firewall
  • Veeam for backups

From a more operational point of view, they use the Microsoft 365 suite and have migrated their data to the cloud (SharePoint). They have a few industry-specific solutions that they are obliged to keep on their on-premises servers.

This company had never carried out a penetration test. We tested their internal network, since this is where their main risk lies. Apart from a WordPress site, they have no websites or web applications.

To keep costs down, we proposed an “assumed breach” scenario: we assume that an employee has already been compromised, and ask the company to provide us with that employee's credentials.

This company has had problems with a person in accounting who has already fallen for phishing campaigns several times. So we decided to test 3 employee profiles: accounting, reception (the profile with the least access in the company) and production (where securing access matters most).

We were able to compromise the domain in 4 different ways. Yes, their EDR raised alerts on some of our attempts, but we were not blocked and were able to bypass SentinelOne (all EDRs can be bypassed). The domain was compromised through:

  • unpatched machines, vulnerable to known exploits such as noPac
  • weak, reused passwords
  • poor access management for service accounts
  • Active Directory misconfigurations

When presenting the report, we worked through the findings with our customer to help them implement their action plan. Some critical vulnerabilities could be corrected very quickly by changing configurations. The company had an update management plan, but its application had to be reviewed.

A major issue, however, was that certain factory equipment could not be updated, because the machines in question cannot run on more recent versions. Replacing the factory machines was obviously not a realistic short-term solution, so we asked them to segment their network better and completely isolate the machines in question.

In addition to the test results, our customer had 4 hours of our time. The first 2 hours were used to help them further prepare their action plan, and we trained them on some free tools we use that are very useful for their own security management (BloodHound and Purple Knight).

In addition to the test, we offered to scan their 4 external IPs exposed on the Internet for one year.

Healthcare

This company has developed an application to help healthcare professionals. It has just launched its MVP to test its market and validate that it is on the right track to best meet the needs of its target clientele.

Although the company is still in its early stages, it needs to carry out a penetration test of its application in order to move forward with its development. Indeed, the MSSS requires it to obtain TGV certification, and its private-sector customers also have cybersecurity requirements that must be met before they will consider its application. The data stored in the application is medical, and therefore highly sensitive.

What's more, to further its development, this company is looking for investors who also have expectations in this area.

Their product is a SaaS application. For the moment there is only a web version, but a mobile application will follow to make it easier for users who are not always in front of a computer. Everything runs on a REST API.

In order to segment the sensitive data of its various customers, the application is built in multi-tenant mode. For the time being, each organization has two roles: the tenant administrator and its users.

As the application was created very recently, using recent languages, it is unlikely to contain common flaws such as XSS or SQL injection. These tests will of course be carried out, but we propose to focus on the API and business logic.

The biggest issue we are looking for is the possibility of one user accessing another organization's data. We pay particular attention to access management and to the possibility of escalating our privileges.

We found that the application did not correctly check permissions before granting access to certain objects, which allowed us to access another organization's tenant. What's more, some checks were carried out on the client side only, so we were able to bypass them.
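As an added illustration, not code from the application described in this case study, the Go sketch below contrasts an object lookup that skips the tenant check with one that enforces tenant ownership and the administrator role on the server side; the `Session` and `Record` types, the in-memory record store and the tenant names are constructed assumptions.

```go
package main

import "errors"

// Session is derived server-side from the validated auth token; tenant and
// role are never read from the request body or from a client-side flag.
type Session struct{ Tenant, Role string }

// Record is a constructed sample of a per-tenant medical document.
type Record struct{ ID, Tenant, Body string }

// Constructed sample data: two organizations sharing one database.
var records = map[string]*Record{
	"rec-1001": {"rec-1001", "clinic-a", "notes held by clinic A"},
	"rec-1002": {"rec-1002", "clinic-b", "notes held by clinic B"},
}

var ErrNotFound, ErrForbidden = errors.New("not found"), errors.New("forbidden")

// getRecordUnchecked is the vulnerable pattern: the object is looked up by ID
// alone, so any authenticated user can read another tenant's record.
func getRecordUnchecked(s Session, id string) (*Record, error) {
	if r, ok := records[id]; ok {
		return r, nil
	}
	return nil, ErrNotFound
}

// getRecord is the hardened pattern: ownership is checked server-side against
// the session's tenant on every access; a foreign record is reported as not
// found, not forbidden, so valid IDs cannot be enumerated across tenants.
func getRecord(s Session, id string) (*Record, error) {
	if r, ok := records[id]; ok && r.Tenant == s.Tenant {
		return r, nil
	}
	return nil, ErrNotFound
}

// deleteRecord adds the role check on top of the ownership check; the role
// comes from the session, so a client-side "isAdmin" flag cannot bypass it.
func deleteRecord(s Session, id string) error {
	if _, err := getRecord(s, id); err != nil {
		return err
	}
	if s.Role != "admin" {
		return ErrForbidden
	}
	delete(records, id)
	return nil
}
```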

Following the presentation of the report and some discussions with the customer, these vulnerabilities were corrected. This enabled the client to reassure its customers and initiate the process of obtaining TGV certification.

We have signed an annual agreement so that we can test new functions as and when they become available, enabling them to continue reassuring their customers while limiting costs and risks, since tests are carried out in parallel with development and not after they have been pushed into production.

Web

This company develops SaaS applications tailored to the needs of its customers. Once the finished product has been delivered to customers, it also takes care of maintenance and the development of new functionalities as the application's lifecycle progresses.

Its customers are beginning to challenge it more and more on application security development. Its team is trained in the subject and familiar with the OWASP top 10, but this is not always enough to win a contract or reassure its customers.

Some RFPs now require penetration testing to be included in the project.

Each application delivered is different, since each meets the needs of a different company. That said, the company generally chooses to use recent languages (e.g. a backend in Go and a frontend in JavaScript).

To keep their code as clean as possible, they rely heavily on existing libraries. They pay particular attention to APIs, since this is where the greatest potential for error lies.

The company is eager to increase its cybersecurity skills. When required by the customer, a full penetration test with report will be provided to ensure compliance.

For other projects, a more continuous approach has been chosen: rather than a penetration test of the whole application, iterative tests are carried out as the applications are developed, so that vulnerabilities can be corrected quickly and are not reproduced in other projects.

Integrating regular testing into the project has increased the value of their service offering in the eyes of their customers. This reassures them, and makes it easier for them to sell their applications to their own customers.

What's more, by working together, our two teams were able to enhance each other's skills and gain in efficiency. The company's developers learned to produce more secure code from the outset, while at Yack we gained a better understanding of their way of working and their challenges, so our recommendations are more precise and better adapted.

Why Yack?

First, for those of you who don't know, the yak is an animal. The energy it radiates (chill with its shaggy forelock, but we wouldn't want to piss it off with those horns...) represents us well, and the nerdiest among you might see the little nod to Linux 😉. Of course, Yack's resemblance to Hack is no mere coincidence. It's also a short, punchy name that, once again, sounds like us. Finally, it's a word that earns you 24 points in Scrabble (hello Office de la langue française). Why did we choose .one? In offensive security, all it takes is one attack...