Penetration Testing Case Study
How PurpleSec Helped ConvertKit Improve Security For Over Half A Million Customers
ConvertKit is an email marketing platform tailored for content creators, bloggers, and online business owners, offering features like customizable opt-in forms, email automation, and subscriber management. Their 600,000+ customers trust ConvertKit to deliver a reliable and secure service to run and grow their businesses.
The Mission/Challenge
PurpleSec was contracted to conduct an internal network penetration assessment of ConvertKit's environment to evaluate its network security posture. All activities were conducted in a manner that simulated a malicious actor engaged in a targeted attack, with the goals of:
- Determining whether an attacker could bypass internal controls and compromise the internal domain.
- Determining the impact of a security breach on the confidentiality, integrity, and availability of Personally Identifiable Information and Protected Health Information (PII/PHI).
The Solution
PurpleSec utilized an “assume breach” methodology when conducting this assessment. The “assume breach” model starts from the position that an attacker has already defeated the organization’s perimeter controls and holds a persistent foothold on the internal network.
This approach is commonly used as it allows assessors to focus on testing an organization’s internal network security posture rather than spending limited engagement time on bypassing external controls.
To mimic an adversary that had already breached the client’s external defenses, PurpleSec shipped a pre-configured small form-factor PC onsite, where it was plugged into the server subnet. Over a secure VPN, PurpleSec assessors then connected to the device and conducted offensive operations against the internal networks from that position.
High Level Findings
PurpleSec was able to chain the following three common vulnerabilities together to obtain full domain compromise:
- Over-privileged service/user accounts.
- LLMNR/NetBIOS-NS spoofing.
- SMB signing disabled.
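The third finding is the one that makes the other two exploitable: if a server does not require SMB signing, NTLM authentication captured through LLMNR/NBT-NS poisoning can be relayed to it, and an over-privileged account turns that relayed session into a foothold. The following Python script is an added example, not code from the PurpleSec report or any tool it names; it checks a host the way an assessor or defender would, by sending one SMB2 NEGOTIATE and reading the server's SecurityMode flags. The sample response bytes, the verdict wording and the `probe_smb_signing` host argument are constructed for illustration.

```python
"""Check whether an SMB server requires message signing (added example).

Sends a single SMB2 NEGOTIATE request and reads the SecurityMode field of
the server's response. If SMB2_NEGOTIATE_SIGNING_REQUIRED is not set, an
attacker who has poisoned LLMNR/NBT-NS can relay a victim's NTLM
authentication to this host.
"""
import socket
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED
# SMB 2.0.2 .. 3.0.2; 3.1.1 is left out because it needs negotiate contexts.
DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302)
HEADER_FMT = "<4sHHIHHIIQIIQ16s"  # MS-SMB2 2.2.1.2 header, 64 bytes


def build_negotiate_request(dialects=DIALECTS):
    """Return a NetBIOS-framed SMB2 NEGOTIATE request (MS-SMB2 2.2.3)."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE,
                         1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    # StructureSize, DialectCount, SecurityMode, Reserved, Capabilities,
    # ClientGuid, ClientStartTime, then the dialect list.
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED,
                       0, 0, uuid.uuid4().bytes, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    msg = header + body
    return struct.pack(">I", len(msg)) + msg  # 0x00 + 3-byte big-endian length


def parse_negotiate_response(msg):
    """Parse an SMB2 NEGOTIATE response (MS-SMB2 2.2.4) into a dict."""
    if len(msg) < 64 + 64 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    status, command = struct.unpack_from("<IH", msg, 8)
    if command != SMB2_NEGOTIATE:
        raise ValueError(f"unexpected command 0x{command:04x}")
    if status != 0:
        raise ValueError(f"server returned NTSTATUS 0x{status:08x}")
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", msg, 64)
    if struct_size != 65:
        raise ValueError(f"bad NEGOTIATE response StructureSize {struct_size}")
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def relay_verdict(info):
    """Translate the parsed flags into the finding a report would state."""
    if info["signing_required"]:
        return "signing required: NTLM relay to this host is blocked"
    if info["signing_enabled"]:
        return "signing supported but not required: NTLM relay possible"
    return "signing disabled: NTLM relay possible"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_smb_signing(host, port=445, timeout=5.0):
    """Query one live host; only run against systems you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        length = struct.unpack(">I", _recv_exact(sock, 4))[0] & 0x00FFFFFF
        return parse_negotiate_response(_recv_exact(sock, length))


def make_sample_response(security_mode, dialect=0x0302):
    """Constructed NEGOTIATE response for offline testing (not a real capture)."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE,
                         1, 0x1, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0,
                       b"\x11" * 16, 0, 8 << 20, 8 << 20, 8 << 20, 0, 0,
                       128, 0, 0) + b"\x00"  # one byte of security Buffer
    return header + body


if __name__ == "__main__":
    for mode in (0x00, SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        info = parse_negotiate_response(make_sample_response(mode))
        print(f"SecurityMode=0x{mode:02x}: {relay_verdict(info)}")
```

Any host that answers without the SIGNING_REQUIRED flag is a relay target: once LLMNR/NBT-NS poisoning hands the attacker a victim's NTLM authentication, it can be forwarded to that host, and if the victim account is over-privileged the relayed session arrives with administrative rights, which is exactly the chain in the findings above. On Windows the fix is the "Microsoft network server: Digitally sign communications (always)" policy applied to every member server and workstation, not only domain controllers, together with disabling LLMNR ("Turn off multicast name resolution") and NetBIOS over TCP/IP so there is nothing to poison in the first place.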
“We’ve partnered with PurpleSec to cover our clients’ penetration testing needs and couldn’t be happier! From proposal to service delivery, the PurpleSec team does a fantastic job at communicating and providing a high level of detail in their work.”
– Rachell Moss
Program Manager, ConvertKit