A restaurant chain operating in a foreign country sought to ensure the security of its internal network in compliance with PCI DSS requirements. However, they did not have any IT specialists who could set up a workstation for Security Segmentation Testing. They turned to Tenendo for help.

Tenendo’s specialists provided a solution by installing jumphosts on a micro-computer and fully configuring it to connect to the client’s VPN for scanning. After completing the installation and configuration process, Tenendo sends the mini-computer to the client with clear instructions on turning it on and connecting it to their network.

The client received the mini-computer within three days and could conduct PCI DSS Segmentation Testing without any IT expertise required. Tenendo’s innovative approach allowed the client to meet their security goals and comply with the PCI DSS requirements, ensuring their customers’ data remained secure.

This case example demonstrates Tenendo’s ability to provide effective solutions to clients, regardless of their location and internal IT capabilities. Tenendo’s expertise in cybersecurity allowed the restaurant chain to achieve its security goals, which helped to protect its customers’ data from potential cyber threats.

The Attack Lifecycle

Initial Access

Several mobile jumphosts were created that connected back to our infrastructure over VPN. These were installed in every sampled subnet in scope.

Enumeration

After network access was established, traffic inspection and various types of network scanning were conducted to collect information about the networking setup.

Traffic analysis

Broadcast network traffic was analysed, and exploitable endpoint and router configurations were identified that could allow for MitM attacks (e.g. NBNS poisoning, DHCPv6 poisoning, or abusing dynamic routing protocols).

Conclusion

Despite segmentation testing not being that impressive from a technical perspective, this case demonstrates client accommodation and rapid problem solving that Tenendo is known for. When working with us, you can be sure that we come up with an easy solution to any project constraints or specific requirements that you might have. We are very flexible both with scheduling, and our penetration testing approach.

PCI DSS segmentation testing case

The team created several hardware connect-back appliances and used it in a PCI DSS segmentation testing.

The Challenge

The penetration testing team was tasked with segmentation testing for a sample of the customer's private subnet (both CDE, DMZ, and management subnets). The project required onsite testing, which was not possible with the time constraints of the project (approx. 2 days) and quarantine measures in the Customer's country.

The Solution

The team created and mailed the customer mobile connect-back jumphosts that was later used to establish initial access, conduct network reconnaissance, and discover network and service-level vulnerabilities that may break segmentation.

Application Penetration Testing

Infrastructure Assessment

Cloud Infrastructure

Performance and scalability assessment

Cybersecurity assessment

Red Teaming

Compliance Readiness Services

Purple Teaming

Training

Due Diligence

Insides

Case Studies

Contact Us

About Tenendo

Contact us:

The Attack Lifecycle

Initial Access

Enumeration

Traffic analysis

Conclusion

Tenendo Limited