After multiple years using the same vendor, the client was questioning whether it was receiving the best return on its investment. Vulnerabilities were found, but they were often impractical: good for a presentation at a conference, but less useful in terms of actually addressing something that could harm the organization. In essence, vendor fatigue had set in.
A performance-based assessment was proposed. OccamSec worked with the client to identify a number of "trophies" and set out the rules of engagement. The engagement fee was agreed upon, at which point the following agreement was made: if OccamSec were unable to breach the environment, identify critical vulnerabilities, and obtain a number of trophies, the fee would be reduced. If trophies were obtained, an additional performance bonus would be paid, scaled to the number obtained.
The team was able to use a variety of vectors, including a vulnerable cloud-based server, a poorly maintained SharePoint site, and an open conference phone system, to ultimately breach the environment and access a number of the trophies.