The Battle for Information Security: KPMG's Security Testing Skills

It is well known that there is no such thing as 100% security when it comes to information protection. You can buy state-of-the-art systems from reputable software vendors, or from small niche boutiques that live and breathe information security, but even then a poor implementation can leave the door open for attackers to reach your company's most important asset: its information.


The battle for information security has always been an unequal fight. On one side are the software vendors, who employ a few hundred, or in some cases a few thousand, people whose job is to make sure that whatever the developers write can stand up to an "army" of potentially billions of people who make it their personal mission to find and exploit security weaknesses, whether for money or for self-esteem. Nowadays, more and more organisations are turning to so-called "ethical hackers" for help. Ethical hackers apply the skills, techniques and experience of a regular hacker to identify threats and vulnerabilities in information systems so that the organisation can fix them before they are exploited.
 
At KPMG, we recognise this need and have built a long-term reputation in the market with our suite of Information Protection and Business Resilience Advisory services. To date, we have completed a number of engagements in which, among other things, we tested the controls organisations rely on to prevent unauthorised access and information disclosure. The systems tested range from e-commerce and internet/online banking to ATM networks, VoIP telephony, mobile device security and others.
 
Recently, we completed an end-to-end penetration testing project whose main target was EMC's Documentum content management platform. One result of this project was the identification of several important vulnerabilities, which EMC acknowledged, crediting one of the most successful KPMG penetration testing teams in CEE, based in Romania, as detailed below:
 

  • CVE-2015-0547 (Multiple DQL injection vulnerabilities in EMC Documentum D2) - could be exploited by a malicious user to retrieve sensitive information from the database
  • CVE-2015-0549 (Cross-Site Scripting vulnerability in EMC Documentum D2) - could be exploited by an attacker to inject malicious HTML or scripts, which would then execute in the browser in the context of the authenticated user
  • CVE-2015-4529 (Open Redirect vulnerability in EMC Documentum WebTop) - allows users to be redirected to untrusted websites

 
The discovery of these vulnerabilities shows once again the need for periodic security testing of the software we use in our day-to-day business, even when it has been produced by a high-profile vendor. And while high-profile vendors have clear processes in place to triage and fix newly reported vulnerabilities, smaller companies may not be at the same level of maturity.

 

© 2017 KPMG Bulgaria OOD, a Bulgarian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
