Petit Gateau protected the products it built for its partner Dai-ichi Life, a leading international insurer, by having the CyStack expert team perform penetration testing before go-live.
Our client
Petit Gateau (formerly Starseed) is a renowned advertising and marketing company based in France, specializing in consulting and services in development, design, and advertising. In a website development outsourcing project for Dai-ichi Life, a reputable life insurance company in Vietnam and globally, Petit Gateau took the initiative to find a security partner so that its customer could go live with confidence.
Petit Gateau successfully deployed an insurance product information website for Dai-ichi Life, along with an accompanying admin page to manage the content of this insurance product information site. The insurance product information website offers various interactive features, including search bars, contact forms, and insurance plan price calculators, allowing users to engage with the site.
The admin page provides essential functions for designing individual landing pages for each life insurance product. It also enables customization of banners, headers, footers, content, and other components. Moreover, the admin page acts as a centralized hub for receiving and managing contact forms from customers, with distinct permissions assigned to different internal user groups within Dai-ichi Life.
The system is deployed on-premise and uses Nginx, PHP, MySQL, Alpine.js, jQuery, TinyMCE, and Google Analytics.
Solution
Petit Gateau received a request from its partner to conduct a security assessment of the outsourced product. The product belongs to Dai-ichi Life, and because it was newly deployed, ensuring its security before launch was of utmost importance. To evaluate it comprehensively, an inspection by a third party was needed in addition to the self-assessment carried out by Petit Gateau's internal team.
After careful consideration, Petit Gateau chose penetration testing for this project. CyStack, the selected security partner, tested in parallel with Petit Gateau's development process, so the project was divided into two distinct phases:
- Phase 1: August 9, 2023 - August 25, 2023
- Phase 2: September 29, 2023 - October 6, 2023
Test object: the client listed the functional groups and URLs of the insurance product information page that needed to be tested.
Additionally, CyStack recommended and performed testing of the site's admin page, using test accounts provided by the customer.
The chosen approach was black-box testing: the system is tested without prior knowledge of its inner workings (source code, architecture, or configuration). The experts simulate the actions of a real attacker, searching for vulnerabilities and assessing the system's resilience against external attacks. One caveat applies: because the admin page was tested with customer-supplied test accounts, that part of the assessment was effectively authenticated (grey-box) testing, which is what allows authorization flaws between internal user groups to be found. This method lets a business gauge its level of risk and develop an effective security plan before an attack occurs.
Penetration testing is a well-suited solution for the insurance industry due to the following reasons:
- Customer data protection: Insurance product websites often store sensitive customer information, including personal details, bank accounts, and medical data. Penetration testing finds weaknesses that would expose this data, reducing the risk of a breach.
- Legal and compliance: Insurance companies are subject to strict regulations regarding the security of personal information, such as GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), and local data protection laws like Decree 13/2023/ND-CP in Vietnam. By undergoing security testing, businesses can ensure compliance with legal requirements and reduce the likelihood of breaches.
- Cyber attack prevention: Insurance websites are prime targets for attackers seeking customers' highly sensitive personal information. Security testing identifies vulnerabilities so they can be fixed before they are exploited for unauthorized access.
- Enhancing customer reputation and trust: In the insurance industry, customer trust is paramount, especially in a competitive market. Regular and transparent security testing strengthens reputation and trust, because customers know that their personal information is rigorously protected on the business's website.
The working process with Petit Gateau involves the following steps:
- Planning and exploration: CyStack defines the test scope and objectives, covering the application, its database, and the supporting network infrastructure. Risks related to information security and personal data protection are identified, including any payment-card handling in scope. Information about the target environment is collected to understand how it operates and where it is likely to be weak.
- Vulnerability analysis: CyStack experts use vulnerability scanning, network scanning, and configuration review to identify potential weaknesses in Dai-ichi Life's test environment. Both known issues in the identified components (published CVEs) and previously unknown flaws in the application itself are assessed.
- Exploitation: In this phase CyStack experts carry out actual attacks, attempting to gain unauthorized access and exploit the identified vulnerabilities in the website, so that each finding is confirmed and its real impact is known.
- Post-exploitation: After gaining access, CyStack experts maintain their foothold within the agreed scope and attempt to escalate privileges. This allows them to search for further vulnerabilities that are only reachable from the position already obtained.
- Reporting: CyStack prepares a comprehensive report upon project completion. This report includes a summary of the testing process, details of identified security vulnerabilities, and recommendations and measures to improve the security of Dai-ichi Life's life insurance products.
Result
Due to urgent changes in the project timeline, the testing window was shortened. CyStack's internal team reprioritized and accelerated the testing to meet the new deadline. Despite the time constraint, the Dai-ichi Life website went live on schedule while the quality requirements of the assessment were maintained.
Across the two rounds of testing, a total of 9 vulnerabilities were identified: 2 critical, 1 high, 5 medium, and 1 informational.
Here's how we address each vulnerability:
- Critical: The critical findings were injection flaws. To mitigate SQL injection, command injection, and code injection, user input must never be concatenated into a query, shell command, or evaluated code; use parameterised queries (prepared statements) and safe APIs instead. Unnecessary functions that expose sensitive information (debug or diagnostic endpoints, verbose error output) should be removed from the system.
- High: The high finding was cross-site scripting. Encoding untrusted data for the HTML context in which it is placed (contextual output encoding) prevents attacker-supplied markup or script from being interpreted by the browser.
- Medium: The medium findings concerned authorization, output encoding, and CAPTCHA handling. The authorization system should be rechecked thoroughly: strict, server-side authorization checks must be performed before executing any requested action, not only in the user interface. Output encoding should be applied consistently as a preventive measure. The validity of the CAPTCHA response must be verified on the server before a customer request (such as a contact form submission) is accepted.
- Low / informational: To address the remaining finding, the web server or reverse proxy should be configured to block access to default pages that may reveal sensitive information about the installation.
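The critical and high recommendations above (no string concatenation in SQL, contextual output encoding) are shown below on a made-up product search handler. This is an added example for this page, not code from the Dai-ichi Life site or from Petit Gateau; the table and column names, the `$pdo` connection, and the use of an in-memory SQLite database in place of the site's MySQL are assumptions so that the example runs offline. PDO prepared statements behave the same way on MySQL.

```php
<?php
// Added example (not the site's own code). Assumptions: a "products" table with
// id/name/premium columns, and PDO over an in-memory SQLite database so the
// demonstration runs without a MySQL server.
declare(strict_types=1);

// --- Injection: the vulnerable form builds the query by string concatenation ---
function searchProductsVulnerable(PDO $pdo, string $keyword): array
{
    // A keyword such as  ' OR 1=1 --  becomes part of the SQL text itself.
    $sql = "SELECT id, name, premium FROM products WHERE name LIKE '%" . $keyword . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Injection fix: a prepared statement; the keyword is bound as data, never as SQL ---
function searchProducts(PDO $pdo, string $keyword): array
{
    // LIKE wildcards inside user input are escaped so the user cannot widen the match.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $keyword);
    $stmt = $pdo->prepare("SELECT id, name, premium FROM products WHERE name LIKE :kw ESCAPE '!'");
    $stmt->execute([':kw' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- XSS: the keyword is echoed back into HTML without encoding ---
function renderResultsVulnerable(string $keyword): string
{
    return '<h2>Results for ' . $keyword . '</h2>';
}

// --- XSS fix: encode every untrusted value for the HTML context it is placed in ---
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderResults(string $keyword, array $rows): string
{
    $out = '<h2>Results for ' . h($keyword) . '</h2><ul>';
    foreach ($rows as $row) {
        $out .= '<li>' . h($row['name']) . ' (premium ' . h((string) $row['premium']) . ')</li>';
    }
    return $out . '</ul>';
}

// Demonstration on constructed data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, premium TEXT)');
$pdo->exec("INSERT INTO products (name, premium) VALUES ('Term Life', '10'), ('Whole Life', '25')");

$payload = "' OR 1=1 -- ";
$vuln = searchProductsVulnerable($pdo, $payload); // tautology: every product is returned
$safe = searchProducts($pdo, $payload);           // treated as literal text: no match
printf("vulnerable rows: %d, fixed rows: %d\n", count($vuln), count($safe));

$xss = '<script>alert(1)</script>';
echo renderResultsVulnerable($xss), "\n"; // script tag reaches the browser as markup
echo renderResults($xss, $safe), "\n";    // rendered as &lt;script&gt;..., i.e. as text
```

The fix is structural rather than a filter: with a prepared statement there is no way for the bound value to change the shape of the query, and with `h()` applied at the point of output there is no way for the value to change the shape of the page. The `ESCAPE '!'` clause is accepted by both SQLite and MySQL, which is why it is used here instead of a backslash.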
By implementing these fixes, the identified vulnerabilities were remediated and the overall security posture of the Dai-ichi Life website improved.
Conclusion
After remediation, the website was deployed on the required timeline. CyStack received positive feedback from both Petit Gateau and Dai-ichi Life, confirming that significant security risks had been removed before launch.
During testing, our experts examined the system's resistance to attacks that inject malicious data or code through input fields. This surfaced the injection and cross-site scripting (XSS) findings described above, which were fixed before go-live, leaving a website that is hard to exploit and that safeguards user information.
We ran test scenarios to verify that the system grants access and performs actions only according to each user's assigned role and permissions. This prevents unauthorized access to critical admin functions and protects against abuse by a low-privileged or malicious user.
The CAPTCHA mechanism was tested for bypass attempts, and its server-side validation was confirmed after remediation. We verified that the CAPTCHA distinguishes legitimate users from bots and automated software, so that only genuine users can submit requests to the system.
Furthermore, the risk of unnecessary information leaks was mitigated. Our experts verified the controls that protect users' personal information and critical data: data encryption, access controls, and logging were in place to prevent unauthorized access and to preserve the confidentiality and integrity of information.
Overall, the security measures applied proved effective in securing the system. Petit Gateau and Dai-ichi Life completed an implementation that meets high security requirements. This fosters trust and satisfaction between all parties involved and represents a significant milestone in safeguarding customer information and data.
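The two server-side checks discussed in the Result section and in the conclusion above (authorization before every admin action, and CAPTCHA verification before a contact request is accepted) are shown below on made-up handlers. This is an added example, not code from the Dai-ichi Life admin page; the role and permission names, the shape of the user record, and the CAPTCHA verification call are assumptions. The verifier is injected as a callable so the example runs offline; in production it would be an HTTPS POST to the CAPTCHA provider's verification endpoint (for reCAPTCHA, `https://www.google.com/recaptcha/api/siteverify` with the `secret` and `response` fields).

```php
<?php
// Added example (not the site's own code). Role names, permission names, the user
// record and the CAPTCHA verifier are all assumptions made for illustration.
declare(strict_types=1);

// Permissions held by each internal user group (assumed names).
const PERMISSIONS = [
    'viewer'  => ['landing_page.view', 'contact.view'],
    'editor'  => ['landing_page.view', 'landing_page.edit', 'contact.view'],
    'manager' => ['landing_page.view', 'landing_page.edit', 'landing_page.delete',
                  'contact.view', 'contact.export'],
];

function can(array $user, string $permission): bool
{
    return in_array($permission, PERMISSIONS[$user['role']] ?? [], true);
}

// The check runs on the server, on every request, before the action executes.
// Hiding the delete button in the admin UI is not a check: the request can be
// replayed directly with a lower-privileged account.
function deleteLandingPage(array $user, int $pageId): string
{
    if (!can($user, 'landing_page.delete')) {
        http_response_code(403);
        return 'forbidden';
    }
    // ... the page would be deleted here ...
    return "deleted page {$pageId}";
}

// The CAPTCHA token submitted by the browser must be verified with the provider
// before the contact form is processed. Accepting any non-empty token, or trusting
// a client-side "solved" flag, is exactly the bypass a tester will look for.
function verifyCaptcha(string $token, string $secret, callable $httpPost): bool
{
    if ($token === '') {
        return false;
    }
    // $httpPost performs the provider request; assumed to return the provider's JSON body.
    $raw = $httpPost(['secret' => $secret, 'response' => $token]);
    $result = json_decode($raw, true);
    return is_array($result) && ($result['success'] ?? false) === true;
}

function handleContactForm(array $post, string $secret, callable $httpPost): string
{
    if (!verifyCaptcha((string) ($post['captcha_token'] ?? ''), $secret, $httpPost)) {
        http_response_code(400);
        return 'captcha failed';
    }
    // ... the contact request would be stored for the admin page here ...
    return 'accepted';
}

// Demonstration with a constructed verifier that accepts exactly one token.
$fakeVerifier = fn(array $fields): string =>
    json_encode(['success' => $fields['response'] === 'valid-token']);

echo deleteLandingPage(['id' => 7, 'role' => 'editor'], 12), "\n";   // forbidden
echo deleteLandingPage(['id' => 1, 'role' => 'manager'], 12), "\n";  // deleted page 12
echo handleContactForm(['captcha_token' => ''], 's3cret', $fakeVerifier), "\n";             // captcha failed
echo handleContactForm(['captcha_token' => 'forged'], 's3cret', $fakeVerifier), "\n";       // captcha failed
echo handleContactForm(['captcha_token' => 'valid-token'], 's3cret', $fakeVerifier), "\n";  // accepted
```

Both checks share the same principle: the decision is made from server-held state (the user's role from the session, the provider's answer about the token) rather than from anything the client can set, and it is made before the side effect, not after.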
About us
CyStack is a cybersecurity company based in Vietnam, founded in 2017. We offer comprehensive solutions, including security testing, security consulting, and managed services. Serving over 200 businesses and 25,000 users around the world, we are recognized as a trusted partner for organizations and a leading firm in cybersecurity research and development.
For more information, please visit: https://cystack.net/