Situation Aldwyck Housing Group is an awardwinning not-for-profit social housing provider with an annual turnover of over £60 million.
Situation
Aldwyck Housing Group is an award winning not-for-profit social housing provider with an annual turnover of over £60 million. It provides over 11,000 homes and management services for around 25,000 people in a variety of tenures, from rented and part-owned homes to owner-occupiers.
The Group runs its own data centre and a number of linked service websites. Its IT function supports 500 users, including a mobile workforce, and maintains a range of customer facing online services which directly access many thousands of highly sensitive customer records.
Requirement
Vohkus had carried out a major infrastructure upgrade to Aldwyck’s systems, and was subsequently invited to carry out a penetration testing programme to verify the integrity of the estate.
The service delivery manager of Aldwyck explains: “With any IT change you introduce new elements of risk, so it’s essential to make sure things are compliant. We’ve had penetration testing carried out before of course, but we were particularly impressed by the quality and granularity of Vohkus’ proposed approach.”
“In addition, we asked Vohkus to make sure our web apps did not contain any vulnerabilities that would put data at risk. Threats are always evolving, so we know we need to do this periodically.”
Scope
A lot of companies provide simple vulnerability assessments. That process involves running automated remote tools, which generate reams of largely meaningless data. Some organisations may be tempted to think they have got a tick in the compliance box just by going through an exercise like that, but they often do not know how to act on the information they receive. In contrast, Vohkus provides a penetration test service that incorporates a significant proportion of manual analysis by subject matter experts. It structures the tests carefully, correlates the results, and identifies root causes of problems and key remediation actions. The concept is to help the customer prioritise and fix things; the process is repeated until every vulnerability has been eliminated.
Vohkus delivers its penetration testing service at a fixed price. Nobody likes nasty surprises, so Vohkus is rigorous in the way it scopes projects like these. Vohkus drills deep to get specific IP ranges that belong to the client and does a pre-sales ‘crawl’ of the web to establish how long testing will take. In this way Vohkus can also limit any activity that could compromise live services, such as denial-of-service attack tests.
Aldwyck was initially keen to undertake a zero information ‘black box’ test, according to the service delivery manager. “We didn’t realise the physical and legal complexities involved in this or the potential costs this might entail. There could be a whole swathe of systems out there that might appear associated with Aldwyck but that in fact had nothing to do with us; we could have ended paying for the testing of systems we didn’t need to. Also providing information up front reduced the length of time to complete the testing, focusing on our true areas of concern.”
“More importantly, Vohkus explained that if they conducted this research task, they would still need us to verify which assets were ours before they ran tests on systems to avoid them being open to charges of hacking. Vohkus helped us focus our time, effort and money on what was important.”
The project
An initial structured penetration testing programme was carried out on the recently installed and configured Infrastructure over a number of days in November 2015, and a report with recommended fixes was supplied to Aldwyck. When the Group confirmed these had been addressed, a re-test confirmed it was compliant. Vohkus’s work was carried out remotely offsite and out-of-hours, and did not disrupt normal operations.
Although no major obstacles were encountered during the tests, Vohkus did identify a connectivity issue affecting one of Aldwyck’s service providers. “Discovering that was a bonus,” says the service delivery manager, “as the resulting slow performance was having a negative impact on user experience. We were consequently able to fix that too.”
Once the penetration test had been completed, Vohkus systematically worked through all of Aldwyck’s web apps, searching for scripting vulnerabilities that could compromise data. “We operate several websites – some under different branding – that use portals and logins. A successful attack could have severe repercussions for our brand and reputation,” says the service delivery manager. “SQL injection techniques, for example, have caused major damage to a number of household name organisations when customer data has been accessed and stolen. Vohkus’s report gave us the confidence we needed that we were protected from that kind of malicious activity.”
Conclusion
At the end of the exercise Aldwyck was issued with a clean bill of health. Vohkus’ report enabled the Group to demonstrate that its internal audit and governance procedures were working and that it met all external regulatory requirements.
“Importantly, this exercise allows us to show clients, partners and suppliers that we take our responsibilities seriously and that we’re worthy of their trust,” says the service delivery manager. “We will definitely consider Vohkus to carry out annual penetration testing for us from now on, as well as providing interim tests whenever there are changes to our technology infrastructure.”
“Overall, from our perspective, Vohkus provided excellent value, a disciplined approach and a professional outcome.”
