Penetration Testing and Cybersecurity Audit
Client: CIUSSS de l’Estrie – CHUS
CIUSSS de l’Estrie – CHUS wanted to assess the resiliency of its technological infrastructure and the maturity of its organizational security, taking into account the new framework established by the Ministère de la Santé et des Services sociaux.
ESI assessed the organization’s IT security posture and information security operations, and also conducted various penetration tests.
The general objective of this mandate was to offer the necessary support and advice to ensure that CIUSSS de l’Estrie – CHUS has visibility on its 14 local networks based on best practices in cybersecurity. The mandate included testing the computer networks through intrusion tests, writing and updating security policies, coaching for the implementation of patches and raising staff awareness to better educate users to prevent risks.
- Criticality of results and value of the report – executive, functional and technical level
- Technological complexity and method requirements
- Need to work with diverse teams at all levels of the organization, from decision-makers to technical teams
- Need to provide the most accurate overview possible for a wide network of sites
Our team relied on a two-step methodology conducted in parallel: auditing by workshops, and penetration tests. First of all, as soon as the intervention protocol was approved by the client, we conducted a series of interviews with the teams responsible for the various departments. These workshops enabled us to collect the necessary cybersecurity data while keeping a complete, classified record of the evidence provided. To complete this information-gathering phase, we conducted intrusion tests to detect vulnerabilities that could be subject to attack. One of the major challenges of this mandate was the importance of total confidentiality of data.
We evaluated the security posture of CIUSSS according to three main areas of intervention. First, meetings with the operational teams to analyze the conduct of their daily activities. Second, meetings with service managers to obtain a portrait of the prevailing situation. Finally, a review of various cybersecurity-related incidents and a compilation of the results, to provide CIUSSS with a portrait of the positive aspects and of the elements to be corrected in order to improve the cybersecurity posture of the organization and its 14 regional networks.
The report produced included a remediation plan, measurable indicators and advice on optimizing the operational structure. The results were presented behind closed doors to the IT directors concerned, including the responsible manager.
Due to the scope of the network and the importance of maintaining the confidentiality of CIUSSS information, our specialists obtained safe-conduct authorization from the physical security managers of the various facilities, to be presented in the event of problems.
Intrusion tests were carried out in “black box” mode, including the installation of probes on workstations left unattended or access to connection rooms. Once access to the network was obtained, the consultant proceeded with the scans as well as the evaluation of security breaches.
Subsequently, the severity of the detected faults was evaluated according to CVSS scores and OWASP guidelines.
This exercise was repeated for all 14 networks (internal and external). Medical equipment, for obvious reasons of public protection, was excluded from the scope.