ITGLOBAL.COM performed a penetration test to improve Digital Attitude's security
Digital Attitude is an Italian developer of virtual training. It offers the habit-inspiring platform, a tool that helps users form new soft skills in corporate software usage. The key project of Digital Attitude is a virtual trainer for Microsoft Office 365. It teaches customers a variety of skills: for example, to regularly save files in a folder synchronized with OneDrive instead of saving only to the computer’s internal memory. As a result, customers start using all core Microsoft products more confidently and effectively.
The habit-inspiring concept is based on the nudge theory of Richard Thaler, the 2017 Nobel Prize winner in (behavioral) Economics. Digital Attitude itself is a “golden partner” of Microsoft, winner of the Digital Transformation Champ Awards 2020. The company’s clientele includes oil production, banking, insurance and healthcare.
Caring for protection
Both the network and the operations of Digital Attitude are designed with a high level of security in mind. According to Denis Sumin, full stack developer and IS specialist at Digital Attitude, “every customer has the ID only. We store no emails, or names, or IP addresses – everything is almost anonymous. Yet we permanently care that even these IDs wouldn’t leak anywhere”.
The habit-inspiring platform is also protected. No developer has access to the production version of habit-inspiring, so no one can deploy to production independently: deployment runs automatically via a specific AWS account. Every commit is digitally signed, so forgery is, again, impossible. Each pull request is verified by at least two developers, so inserting harmful code would require collusion among at least three individuals.
“We have everything firmly set inside. But the outer area is beyond our control, so we decided on the penetration test to strengthen the network security”, concluded Denis Sumin.
The test & The tester
The black-box pentest model presumes that the intruders have no knowledge of the company and its systems, so only attacks on public resources, starting from the external IP addresses and public URLs, are simulated. The pentest also scrutinizes mail, terminal and file servers, as well as other web services that turned out to be accessible during scanning.
ITGLOBAL.COM, headquartered in Saint-Petersburg, Russia, was chosen by Digital Attitude to perform the pentest after thorough consideration. In particular, none of the candidates from the West was able to give any timeline for the pentest preparations and initial procedure. At first Digital Attitude did not consider a Russian company, but ITGLOBAL.COM turned out to meet all the requirements of the Italian developer. “I was into hacking many years ago, so some items were already very familiar to me. Besides, ITGLOBAL.COM specialists from the beginning made clear: how the test would go, what are the attacks’ targets, which tools will be used. I appreciate such a meticulous approach”, noted Denis Sumin.
The outcome: problem positively solved
The penetration test revealed a single medium-level vulnerability at Digital Attitude: Cross-Site Scripting. Simulating an attack, ITGLOBAL.COM testers managed to insert their own script into a page, and it was executed on the customer’s side. The vulnerability was immediately patched via Content Security Policy; as of now, the scripts at Digital Attitude are signed with an additional certificate. According to Alexander Zubikov, ITGLOBAL.COM IS Head, “even the vulnerabilities of medium scale can lead to large issues. An intruder can obtain the client’s version of habit-inspiring – and get access to a customer’s computer. Or alter the original content of Digital Attitude, thus undermining the trust in the company. Or simply steal customer’s cookies – with well-known aftermaths”.
“Honestly, we were not expecting any security breaches. So kudos to ITGLOBAL.COM for properly pointing out our weakness, albeit the single one. We appreciate the cooperation with the Russian service provider. Everything was very transparent and professional; our partner’s level is truly very advanced”, added Denis Sumin.
ITGLOBAL.COM is an international group of companies and a provider of IT products and services. It was founded in 2008, when it obtained the status of the 1st VMware service provider of Russia. ITGLOBAL.COM specializes in managing clients’ IT landscapes, in addition to its own cloud infrastructure. Headquartered in Saint-Petersburg, Russia, the brand is represented in Moscow, Russia; Minsk, Belarus; and Amsterdam, the Netherlands. More than 10 other locations, including Great Britain, Turkey, China, the U.S. and Indonesia, are in progress.