July 30 2021
We provided a pro bono penetration test to a charity that supports blind and partially sighted people.
In this project, our consultants were able to identify a variety of vulnerabilities across multiple attack surfaces. We followed this up by providing remedial advice, allowing the charity to then apply the necessary changes to their technologies, resulting in a greatly enhanced security standing.
Last year, we launched a £500,000 charity support fund, designed to help charities understand, locate, and protect their organisation from cybersecurity threats. The perfect opportunity to put this fund into action came in November, when a respected industry CISO put out a call on LinkedIn for cybersecurity companies to help a small charity address their technical security concerns in the form of a penetration test.
The security community were quick to respond, with many highly regarded organisations reaching out to offer their services. Ultimately, the CISO chose us, due to our “consultative approach, breadth of knowledge, and pragmatism.”
“Secarma understood that this is a charity; they don’t have the skills and experience necessary to perform in-house security assurance, or red team activity. Secarma’s experts were able to scale the project appropriately to fit the charity’s needs – giving them the value and assurance they required, while not being overly burdensome on their small technical team.” – Industry CISO for a global tech company.
The charity we worked with provides essential services to partially sighted people and had recently launched a website and online CMS. Due to resource constraints, cyber security is naturally an area in which charities can fall short. Many charities’ beneficiaries can be classed as vulnerable people, so a data breach at a charity can have an extremely detrimental effect, as it interrupts vital services that are heavily relied upon. As a result, shielding their data is extremely important. Passionate about protecting their beneficiaries, this charity has placed data security high up its agenda, and also wanted to assess their website to ensure their organisation was sufficiently fortified against cyber-criminals – especially at a time when cyberattacks on UK charities are at an all-time high.
Wanting to improve your cybersecurity is a great first step, but what happens when you don’t have the staff in place to carry out this important task? This charity didn’t have an in-house security manager but were able to work with the previously mentioned CISO, who offered guidance on everything from identity and access management through to infrastructure security. The CISO knew that offensive security is an important part of any cybersecurity strategy, which is when he sought out pro bono penetration test services, and we answered the call.
What We Did
The first stage of our pro bono penetration test involved the charity giving our experts access to their systems, so they could simulate a real-life cyber-attack. This offensive security method is designed to give organisations an idea of how a malicious actor could find and exploit vulnerabilities within their systems. We gave the charity a hacker’s perspective on their core web application, external infrastructure, and CMS – locating security issues and offering remediation guidance.
This engagement was a great eye opener for the charity. We found a vulnerability that at first glance seemed harmless, as restrictions appeared to prevent the exploit from being executed; but when our experts combined that vulnerability with a second issue, they were able to bypass those restrictions, gaining full access to the affected area and allowing the exploit to be carried out. We were able to demonstrate to the charity’s head of operations – and the industry CISO who liaised with us on the charity’s behalf – how a threat actor could chain vulnerabilities together, leading to a full business compromise. This is something that the charity’s head of operations “didn’t realise was possible” until now.
One of our talented security consultants, who took the lead on this engagement, had this to say:
“The vulnerability in this case existed in a backend system that only administrative users have access to. As this test was a greybox engagement, where the client provided us with an administrative account, we were able to identify this issue, its location and the risks associated with it, whereas in a blackbox engagement this may have gone unnoticed. While there is a definite benefit to performing blackbox assessments to determine a baseline security posture, there is no substitute for a fully authenticated engagement where the consultant is given access to all user levels and functionalities.”
Rather than simply running automated tools and providing our client with a vulnerability report, we chained events together and utilised a variety of exploitation methods to further infiltrate the organisation. As standard, our feedback is designed to help organisations reach their security goals, so rather than handing the charity a list of problems, we consulted with them on what we did, how we were able to do it, and what they’d need to do to stop nefarious parties from doing it in future.
Making a Difference
The charity’s head of operations was very pleased to tell us that thanks to our experts, a number of the organisation’s security issues were highlighted and have now been resolved. Due to the nature of the charity’s work, they had sensitive information residing within their database, and by working with us to get security assurance on their systems, they were able to keep this data protected and improve their GDPR compliance.
“We are extremely grateful that Secarma were able to help us and very kindly offered their support with no charge. I was really impressed with the work carried out and, having addressed the issues that were flagged up, we now have confidence in the security of our system. Everyone was very helpful, and it all went smoothly.” – The Charity’s Head of Operations
They also spoke highly of our level of technical skill, the knowledge of our consultants, our project management and communication – awarding us 5 stars out of 5 in every feedback category.
No Organisation is Off-Limits
Some people may think that threat actors would be less likely to attack charities, but the opposite is actually true. While a non-profit organisation may not be the most lucrative potential victim, they are often easy targets. We asked the CISO we worked alongside for his opinion on the current threat landscape for charities:
“Any organization that’s storing or processing sensitive information is potentially a target. Criminals know that charities probably won’t always have millions of dollars to spend on cybersecurity defence, and if anything, there may be certain types of actors who would target charities specifically, because the bar to entry in those environments is likely to be a lot lower than it would be in a financial services organization, for example.
Now, some may think ‘we’re just a charity, why would anybody want to compromise our environment?’ It’s important that non-profit organisations understand the process of threat modelling, doing OpSec, understanding the sensitivity of the data they hold and who may want to access it, then understanding the tools, techniques, and procedures that cyber-criminals might use to obtain access to that information.
That’s where Secarma was able to really add value, their consultants are able to get leaders within an organisation to realise breaching their organisation isn’t impossible, to actually see for themselves how it’s done and how to stop it.” – Industry CISO
Unfortunately, there will always be nefarious actors looking to cause chaos for all types of organisations – and charities aren’t exempt. However, by adopting strong security practices (and making offensive security an essential part of that strategy) charities of all kinds can fight back and protect their vital services from cyber-criminals.
How Secarma Can Benefit Your Business
We offer our expert consultancy, training, and offensive security services to businesses of all sizes, ensuring that no matter your level of security maturity, our experts can help. We work with you to develop your cybersecurity posture, code more securely, and fortify your business against threats.
By investing in penetration testing, you get the benefit of a new pair of eyes that examine your organisation’s security from a hacker’s perspective. We offer flexible cybersecurity services: anything from one-off pentests, to collaborating with your security team on a long-term basis, building that familiarity and rapport, and working towards the continuous development of your security standing.
Our skilled security consultants use a wide range of ethical hacking methodologies and are constantly undergoing training to keep on top of the latest techniques. This means they’re able to hit the ground running: finding system weaknesses, recognising linked vulnerabilities, and working out issues from the ground up as an extension of your own security or IT team.
To find out more about our consultative approach to offensive security, head to our penetration testing page, or reach out to our experts here.
If you represent a charity, or know of a good cause that could use a pro bono penetration test, please contact us today.