BLOG POST

Bulletproof Security Testing Team Identifies Vulnerability in a Platform Used by Numerous Higher Education Organizations 


With cyberattacks happening on an ever-increasing scale of frequency and sophistication, keeping tabs on current vulnerabilities is a critical part of maintaining a secure digital environment for your organization. With that in mind, it’s critical for your business to reduce cybersecurity risks through penetration testing as it’s one of the most cost-effective and invaluable tools in your company’s security arsenal—and of the technology security community at large.  


The average cost of a breach has risen from $3.85M to $4.24M.*

*Cost of a Data Breach Report 2021, IBM

Strong Cybersecurity Community, Strong Cybersecurity Posture

WHY DOES BULLETPROOF COLLABORATE WITH CVE?

Bulletproof proudly participates in the Common Vulnerabilities and Exposures (CVE) program, which is owned by the MITRE Corporation. MITRE is a non-profit organization in the United States that collaborates with government agencies in areas such as national security, homeland security, and cybersecurity to solve problems for the public and create safer digital spaces on a global scale.

WHAT IS CVE?

CVE is a portal created by MITRE through which the technical community can report system or program vulnerabilities they discover. This shared knowledge makes it easier for IT security professionals to stay on top of new risks, and it can be a key factor in prompting vendors to develop patches so that their software is more secure for all users.


How Using CVE Can Make a Difference

To illustrate just how helpful the network created by CVE can be, we’ll share a real-world example. Our Information Security Services team was conducting a penetration test for Saint Mary's University (SMU) when our team lead discovered that one of the platforms the school was using had a systemic vulnerability: it affected not only SMU’s installation but every other organization using the same software. The platform, Terminalfour, is used worldwide by universities and higher education organizations to support student recruitment and retention, digital marketing, and alumni fundraising, which meant this vulnerability could put other universities at risk.

To inform the wider community, we worked with the vendor to get this case reported on the CVE site. This alerted both other users and Terminalfour to the vulnerability so that immediate action could be taken to resolve the issue. Thanks to the proactive measures SMU undertook to protect their security and the effective action taken by our Information Security Services team, the issue has been resolved and Terminalfour is now an even more secure platform. We worked with CVE and Terminalfour to follow a responsible disclosure process, publishing details only once all parties agreed it was safe to do so: after a fix was available and had been applied for all Terminalfour clients. Now that CVE has disclosed the issue and made it public knowledge, other diligent users of the software can check their systems, update their platforms, and ensure their systems are secured.

Get the Breakdown of our Terminalfour Vulnerability Discovery  


Pen Testing: Not Just for Compliance

A key lesson from this scenario is the importance of being proactive when it comes to cybersecurity. The cost of a pen test is nothing compared to the cost of a breach. According to IBM, the average cost of a breach has risen from $3.85M to $4.24M, the highest average total cost in the history of their report. There’s a myth that penetration testing, or pen testing, is needed solely for legal and compliance reasons. In fact, there are many reasons why this type of technical security testing is valuable. Effective pen testing can:

  • Determine what security vulnerabilities your network has and whether it has already been compromised.
  • Identify vulnerabilities and central weaknesses, allowing you to make informed, risk-based business decisions.
  • Detect and mitigate vulnerabilities before they’re exploited.

A fourth advantage is that engaging a third-party testing company provides an external and unbiased perspective. It can be difficult for internal IT or security teams to see every problem because they are focused on running day-to-day operations. Third-party pen testers are fully committed to ethical hacking and stay up to date with the latest cyberattack tactics. Partnering with a third party allows your organization to improve security, increase user awareness, identify new vulnerabilities or gaps, and assess controls without compromising your company’s (and IT team’s) existing workload.

Pen Testing vs. Vulnerability Assessment: What’s Right for You

What sets pen testing apart from other types of vulnerability testing? The active nature of its execution. A vulnerability assessment identifies vulnerabilities in a predictable manner and with a general scope, and typically results in a report listing recommendations and action items.

Pen testing, on the other hand, involves actively working to bypass your security controls to obtain access to network resources. It’s highly focused and, like an actual attack, can have unpredictable results. When you sign on for pen testing, you’re agreeing to let IT security professionals penetrate and exploit your network. That can be a daunting realization for some companies, but, as we’ve seen in the case of Terminalfour, it can result in immediately actionable outcomes and, overall, a stronger and more secure tech stack.


Learn how Bulletproof can help prepare and safeguard your organization 

In our on-demand webinar, So, You Had a Security Assessment...Now What?, you’ll gain a deeper understanding of your next steps, a set of actionable tasks, and the confidence to complete them.

Why Bulletproof?

BULLETPROOF CREDENTIALS

  • Microsoft 2021 global Security Partner of the Year Winner
  • 5X Microsoft Canada IMPACT Award Winner
  • Committed to building deep working relationships with customers. We will become an integral part of your team, and we take your security personally. 
  • Decades of global gaming knowledge.
  • State-of-the-art 24/7 Security Operations Centre (SOC).
  • Penetrated more than 220 casinos and lotteries with a 90%+ success rate.
  • Performed 100s of risk assessments for gaming clients.
  • Our team of professionals holds industry-recognized certifications, including ISO/IEC 27001, WLA-SCS, CISSP, CISA, CEH, CPT, OSCP, and PCI-QSA.
  • Users on six continents trust Bulletproof to secure their networks, data, and people from 24/7 threat monitoring to employee training and emergency incident response.


“I am honored to announce the winners and finalists of the 2021 Microsoft Partner of the Year Awards. These remarkable partners have displayed a deep commitment to building world-class solutions for customers—from cloud-to-edge—and represent some of the best and brightest our ecosystem has to offer.”

- Rodney Clark, Corporate Vice President, Global Partner Solutions, Channel Sales and Channel Chief, Microsoft
