Petit Gateau successfully protected the products of its partner Dai-ichi Life, a leading worldwide company in the insurance industry, thanks to the application of Penetration Testing performed by the CyStack experts team.
Our client
Petit Gateau (formerly Starseed) is a renowned advertising and marketing company based in France, specializing in consulting and providing services in various fields such as development, design, and advertising. In a website development outsourcing project for Dai-ichi Life, a reputable life insurance company in Vietnam and globally, Petit Gateau took the initiative to find a security partner to ensure peace of mind for its customers.
Petit Gateau successfully deployed an insurance product information website for Dai-ichi Life, along with an accompanying admin page to manage the content of this insurance product information site. The insurance product information website offers various interactive features, including search bars, contact forms, and insurance plan price calculators, allowing users to engage with the site.
The admin page provides essential functions for designing individual landing pages for each life insurance product. It also enables customization of banners, headers, footers, content, and other components. Moreover, the admin page acts as a centralized hub for receiving and managing contact forms from customers, with distinct permissions assigned to different internal user groups within Dai-ichi Life.
Solution
Petit Gateau received a request from a partner to conduct a security assessment for an outsourced product. This product belongs to Dai-ichi Life, and as it is newly deployed, ensuring its security is of utmost importance. To comprehensively evaluate Dai-ichi Life's product, it was necessary to perform an inspection by a third party in addition to the self-assessment conducted by Petit Gateau's internal team.
After careful consideration, Petit Gateau agreed to utilize the Penetration Testing method for this project. CyStack, the chosen security partner, conducted testing in parallel with Petit Gateau's development process. As a result, the project was divided into two distinct phases:
- Phase 1: August 9, 2023 - August 25, 2023
- Phase 2: September 29, 2023 - October 6, 2023
Testing scope: The client provided a list of functional groups and URLs to be prioritized for testing on the insurance product information website.
Additionally, CyStack recommended and performed testing on the admin page of this information site, using test accounts provided by the customers.
The chosen approach was black-box testing, in which the system is tested without any prior knowledge of its inner workings. The experts simulate the actions of a real attacker, searching for vulnerabilities within the system and assessing its resilience against external attacks. This method enables businesses to determine their level of risk and develop an effective security plan to prevent potential attacks from occurring.
Penetration testing is a well-suited solution for the insurance industry due to the following reasons:
- Protecting customer data: Insurance product websites often contain a significant amount of highly sensitive customer information. Conducting security testing helps ensure that this data is protected at the highest possible level, minimizing the risk of leakage.
- Legal and compliance: Insurance companies are subject to strict regulations regarding the security of personal information, such as GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), and local data protection laws like Decree 13/2023/ND-CP in Vietnam. By undergoing security testing, businesses can ensure compliance with legal requirements and reduce the likelihood of breaches.
- Cyber attack prevention: Insurance websites are prime targets for hackers seeking access to customers' highly sensitive personal information. Conducting security testing helps identify and address security vulnerabilities, preventing unauthorized access and attacks on the system.
- Enhancing customer reputation and trust: In the insurance industry, customer trust is paramount, especially in a competitive market. Regular and transparent security testing enhances customer reputation and trust. Customers feel more secure knowing that their personal information is rigorously protected on the business's website.
The working process with Petit Gateau involves the following steps:
- Planning and exploration: CyStack defines the test scope and objectives, including applications, databases, and network infrastructure. Potential risks related to information security and personal data protection are identified, along with potential vulnerabilities in the credit card system. Information about the target environment is collected to better understand its operations and potential vulnerabilities.
- Vulnerability analysis: CyStack experts utilize advanced techniques, including vulnerability scanning, network scanning, and evaluation of configurations, to identify potential vulnerabilities in Dai-ichi Life's testing environment. Both publicly known vulnerabilities (CVEs) and previously unknown (zero-day) flaws are assessed.
- Exploitation: This phase involves actual attacks, where CyStack experts utilize techniques to gain unauthorized access to the system and exploit security vulnerabilities in the website system.
- Post-exploitation: After gaining access, CyStack experts maintain their presence in Dai-ichi Life's system and attempt to escalate privileges. This allows them to further search for potential security vulnerabilities that may still exist.
- Reporting: CyStack prepares a comprehensive report upon project completion. This report includes a summary of the testing process, details of identified security vulnerabilities, and recommendations and measures to improve the security of Dai-ichi Life's life insurance products.
Result
Despite the changes to the implementation timeline, the project remained on track thanks to the team’s ability to adapt quickly throughout the testing and security assessment process. The results showed that the system contained risks across multiple severity levels, enabling the team to promptly prioritize the appropriate remediation measures.
The recommended improvements focused on strengthening application security, enhancing access control, protecting output data, and reinforcing the necessary security layers throughout request processing. This contributed to improving the overall protection of the system before it went live in the production environment.
Conclusion
Following the implementation phase, the website was launched according to the required timeline. CyStack received positive feedback from both Petit Gateau and Dai-ichi Life. Through the application of appropriate security measures, our testing team successfully mitigated a range of critical security risks.
Furthermore, our security measures have effectively mitigated the risk of unnecessary information leaks. Our experts verified the system's security features in safeguarding users' personal information and critical data. Measures such as data encryption, access controls, and logging were implemented to prevent unauthorized access and ensure the integrity and confidentiality of information.
Overall, the application of these security measures has proven effective in ensuring the system's safety. Petit Gateau and Dai-ichi Life have completed an implementation project that meets high-security requirements. This achievement fosters trust and satisfaction between all parties involved and represents a significant milestone in safeguarding customer information and data.
About us
CyStack is a cybersecurity company based in Vietnam, founded in 2017. We offer comprehensive solutions, including testing, security consulting, and managed services. With over 200 businesses and 25,000 users around the world, we are recognized as a trusted partner for organizations and a leading firm in cybersecurity research and development.
For more information, please visit: https://cystack.net/