Hackers against hackers

To ensure the security of its own network, Österreich Werbung regularly conducts A1 Digital penetration tests to detect and correct vulnerabilities before others do.

Österreich Werbung (ÖW), based in Vienna, is Austria’s national tourism organisation. The central concern of the ÖW, together with all Austrian tourism partners, is to ensure that the competitiveness of Austria as a tourist country is maintained or enhanced. On www.austria.info, ÖW offers a wealth of articles in eight thematic areas and year-round holiday offers to everyone looking for inspiration and information about holidays in Austria. The website is currently available in 22 languages for 27 countries worldwide and is optimised for all devices. Around 200 employees in Vienna and the 21 agencies abroad work on these tasks worldwide.

Growing interconnection in the course of digitalisation enlarges the potential attack surface and serves as a possible “gateway” for data thieves and hackers. For this reason, ÖW regularly conducts penetration tests, in which professional hackers detect vulnerabilities so that they can be fixed in a targeted manner. This time the ÖW commissioned A1 Digital International GmbH from Vienna with a penetration test of its infrastructure accessible via the intranet, its internal applications and its Windows clients. An essential part of the A1 Digital experts' penetration test is recreating the attack patterns that cybercriminals also use.

In preparation for the penetration test, the A1 Digital experts, so-called white hat hackers, analysed the operating environment of the ÖW and discussed the objective and the way forward. In the subsequent kick-off meeting, the procedure of the security assessment was discussed together with the client. The test subject to be checked was defined and it was clarified how to deal with the identification of potential hazards. In the course of the penetration test, the ÖW provided the A1 Digital experts with a list of anonymised internal IP addresses and explicitly ordered intrusive attacks (“Permission to Attack”), as these would otherwise be illegal. Intrusive attacks attempt to bypass technical safeguards and exploit any existing vulnerabilities.

As part of the client analysis, ÖW provided a standard client that was checked for vulnerable software. The analysis covered installed or available software, anti-virus protection, and running, enabled services. In addition, the secure configuration of the device, such as Group Policy settings, encryption, administrator rights, and network integration, was also verified.

In their tests, the experts took a timebox and greybox approach. This means that the search for security risks was subject to time and resource limits (timebox) and was carried out with knowledge of system internals (greybox). In this way, the test scope determined jointly with the ÖW was checked. The whole process lasted four weeks. The results of the security assessment as well as the resulting concrete recommendations for action were presented in a report.

“For its penetration test, A1 Digital has used methods and techniques used by real attackers or hackers to ensure that as many vulnerabilities as possible can be found. The planning and implementation of a penetration test tailored to our IT systems is very comprehensive. In this respect, the results have helped us to identify previously unknown vulnerabilities and to quickly fix them. A1 Digital has proven to be a reliable and professional partner in dealing with potential hacker attacks.”

Daniela Rechberger, Head of IT & FM, Österreich Werbung