Large Business Assessment Case Study
Smith Research Inc.*, a business-to-business marketing company headquartered in New York, engaged Kalki for two separate rounds of assessments. Smith* has 23 offices spanning the US, Europe, Asia and Australia and approximately 2,000 employees. When a large Fortune 500 company became a customer, it required Smith* to complete a third-party security assessment covering all of Smith's* information security practices before entering into a business relationship. In a subsequent engagement, Smith* brought Kalki in to run a risk assessment and code review of a smaller, 50-person firm they had recently acquired.
In the initial engagement, a customer required Smith* to evaluate their information security risks. The customer was subject to strict information security standards and regulations and required any business partner to meet those standards before continuing the relationship.
In the second engagement, following the acquisition of a smaller company, Smith* discovered problems with their systems. When integrating the two companies’ information systems together, Smith* found harmful code in the acquired company’s environment. Smith* halted the integration process to prevent infection of their own systems and brought Kalki in to fully assess the acquired company.
For the first engagement, Kalki conducted technical testing of Smith's* network from the outside in. Penetration tests established how easily, and how deeply, unauthorized individuals could reach the network from the outside, and vulnerability scans identified the technical areas where Smith* was leaving themselves exposed.
In the second engagement, Kalki performed a risk assessment of the smaller acquired company to provide Smith* with a full understanding of their information security practices. As part of this assessment, Kalki provided a code review to look for, and remove, any further harmful code before it entered Smith’s* systems.
During the penetration testing and vulnerability scanning, Kalki recorded high, medium and low risk findings, each with recommended steps to reduce the risk. Risks found within Smith's* environment included:
- Outdated software or hardware versions
- Weak login credentials
- Website vulnerability to manipulation
- Ability by unauthorized individuals to view non-public content
- Insufficient user access control
Through the risk assessment in the second engagement, Smith* learned that the acquired company lacked many of the controls and processes expected by information security standards. The code review also revealed further harmful code in the acquired company's environment. The assessment allowed Smith* to adjust their agreement with the acquired company and remediate the problems in its systems before integrating them into the larger environment.
The Road Ahead
Kalki’s report from the initial engagement allowed Smith* to fix the identified risks within their environment and satisfy their customer's requirements, enabling a lucrative business relationship. After that engagement, Smith* maintained a risk management process to continually identify and fix emerging risks, which is how they proactively discovered the problems in their acquired company. Following the second engagement, Smith* worked with the acquired company to remove the noted risks and integrate its systems into Smith's* environment and risk management process.
- Industry: Marketing
- Size: 2,000 employees
- Customer request for a third-party security assessment
- Issues with the acquired company, including poor security practices and insecure code
- Risk Assessment of acquired company
- Vulnerability Assessment of Smith*
- Penetration Testing of Smith*
- High, Medium and Low risk technical findings for Smith’s* internal network
- Multiple instances of harmful code found in acquired company software
- Poor security practices discovered in acquired company