Technical Assessment

A company with core business of real estate, construction, tourism, mining and financial investment which head quarter is located in Hong Kong with multiple sites in Mainland China

Size
500+ Employees

Service
Vulnerability Assessment and Penetration Test

Challenge
Organization is getting more concerns in information security as there is a significant increase in cyber security attack nowadays. However, limited review and regular technical assessment in this organization causes the system and network vulnerabilities have been accumulated throughout the years. Given with this scenario and the scale of the technical assessment which has to be conducted across different sites, our technical specialist and pentesters have to put extra effort in evaluating the security and risk level in order to define the baseline security level and controls that are being implemented in the organization. Furthermore, it is also critical to provide practical recommendation as to resolve the issues identified in this technical assessment.

Solution
Our certified OSCP, OSWP and GPEN conducted network and web application penetration test to simulate hacker’s activities as to prevent external attack. Internal vulnerabilities assessment is also performed to discover the unmanaged asset. Identify the vulnerabilities with technical tools and manual validation with risk level provided.

Result
Our security specialists have issued a penetration test and vulnerabilities assessment report on the security findings with different level of severity. Critical vulnerabilities and system deficiencies are identified such as SQL injection, missing security patches and remote code execution are identified through exploitation and privilege escalation that are putting company asset at risk. Technical recommendations and advisories are provided according to the existing industrial standard. Latest security protection methods and tools were also suggested for future improvement.

The technical assessment report including:
•    Prioritized list of vulnerabilities
•    Specific information about the vulnerabilities exploited
•    The risk level of the vulnerabilities
•    The description and evidence of the vulnerabilities
•    Potential impact
•    Technical recommendations

Follow-up
After our assessment and in-depth analysis of the security testing, Ringus has provided a detailed report documenting each security issue with a set of security recommendations (methods and tools) and corrective action plans. Findings walkthrough session is also conducted to ensure our client understand the issues and able to implement those plans accordingly. Ringus has also provided follow-up services for the remediation works to verify that the remedial activities had been successful.

Benefit
Our recommendations have provided our client with an up-to-date defense against known vulnerabilities and global hackers, allowing our client to estimate and justify the cost of equipments whenever appropriate in scaling up its security level, providing a continual improvement model. With our comprehensive report, professional recommendations and direct assistance, our client was able to get a realistic idea on the existing security level of their setup. Our work helped the client avert a potential reputational crisis and allowed the company to operate their systems in a confident and secure way.

More Updates

🔐 𝗪𝗵𝗼 𝗜𝘀 𝗜𝗻𝘃𝗼𝗹𝘃𝗲𝗱 𝗶𝗻 𝗛𝗼𝗻𝗴 𝗞𝗼𝗻𝗴’𝘀 𝗡𝗲𝘄 𝗖𝗿𝗶𝘁𝗶𝗰𝗮𝗹 𝗜𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲 𝗖𝘆𝗯𝗲𝗿𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗟𝗮𝘄?Since 𝟭 𝗝𝗮𝗻𝘂𝗮𝗿𝘆 𝟮𝟬𝟮𝟲, the 𝘗𝘳𝘰𝘵𝘦𝘤𝘵𝘪𝘰𝘯 𝘰𝘧 𝘊𝘳𝘪𝘵𝘪𝘤𝘢𝘭 𝘐𝘯𝘧𝘳𝘢𝘴𝘵𝘳𝘶𝘤𝘵𝘶𝘳𝘦𝘴 (𝘊𝘰𝘮𝘱𝘶𝘵𝘦𝘳 𝘚𝘺𝘴𝘵𝘦𝘮𝘴) 𝘖𝘳𝘥𝘪𝘯𝘢𝘯𝘤𝘦 (𝘊𝘢𝘱. 653) has come into force. The law establishes a comprehensive framework to protect essential services from cyber threats.Under Cap. 653, designated 𝗖𝗿𝗶𝘁𝗶𝗰𝗮𝗹 𝗜𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲 (𝗖𝗜) 𝗢𝗽𝗲𝗿𝗮𝘁𝗼𝗿𝘀 are organizations whose computer systems are essential to maintaining critical societal or economic activities in Hong Kong.🏗 𝗦𝗲𝗰𝘁𝗼𝗿𝘀 𝗗𝗲𝗳𝗶𝗻𝗲𝗱 𝗮𝘀 𝗖𝗿𝗶𝘁𝗶𝗰𝗮𝗹 𝗜𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲 𝗜𝗻𝗰𝗹𝘂𝗱𝗲:1. Energy⚡2. Information Technology💻3. Banking & Financial Services🏦4. Air Transport✈5. Land Transport🚆6. Maritime Transport⚓7. Healthcare Services🏥8. Telecommunications & Broadcasting📡In addition, any other infrastructure the damage, loss of functionality or data leakage of which may hinder or otherwise substantially affect the maintenance of critical societal or economic activities in Hong Kong may also fall within scope.These operators are now legally required to establish cybersecurity governance frameworks — from maintaining dedicated computer-system security management units to reporting incidents, conducting periodic risk assessments and audits, etc.Besides the CI Operator, there are 𝘀𝗼𝗺𝗲 𝗼𝘁𝗵𝗲𝗿 𝗞𝗲𝘆 𝗥𝗼𝗹𝗲𝘀 𝘂𝗻𝗱𝗲𝗿 𝗖𝗮𝗽. 𝟲𝟱𝟯:👥🔹 𝗖𝗼𝗺𝗽𝘂𝘁𝗲𝗿-𝘀𝘆𝘀𝘁𝗲𝗺 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗠𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 𝗨𝗻𝗶𝘁Responsible for managing and safeguarding critical computer systems and ensuring compliance with the Ordinance.🔹 𝗦𝘂𝗽𝗲𝗿𝘃𝗶𝘀𝗼𝗿 𝗼𝗳 𝘁𝗵𝗲 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗠𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 𝗨𝗻𝗶𝘁An appointed employee with sufficient cybersecurity expertise, responsible for supervising the unit and notifying the regulating authority of the appointment.💡 𝗖𝗮𝗽. 𝟲𝟱𝟯 𝗺𝗮𝗿𝗸𝘀 𝗮 𝘀𝗶𝗴𝗻𝗶𝗳𝗶𝗰𝗮𝗻𝘁 𝘀𝗵𝗶𝗳𝘁 𝗳𝗿𝗼𝗺 𝗯𝗲𝘀𝘁 𝗽𝗿𝗮𝗰𝘁𝗶𝗰𝗲 𝘁𝗼 𝗹𝗲𝗴𝗮𝗹 𝗼𝗯𝗹𝗶𝗴𝗮𝘁𝗶𝗼𝗻.If your organization operates within a potentially designated sector, early preparation is essential.

𝗧𝗵𝗲 𝗥𝗲𝘀𝘂𝗿𝗴𝗲𝗻𝗰𝗲 𝗼𝗳 𝗣𝗼𝗸𝗲́𝗺𝗼𝗻

🎮 𝗧𝗵𝗲 𝗥𝗲𝘀𝘂𝗿𝗴𝗲𝗻𝗰𝗲 𝗼𝗳 𝗣𝗼𝗸𝗲́𝗺𝗼𝗻: 𝗛𝗼𝘄 𝗢𝘂𝘁𝗦𝘆𝘀𝘁𝗲𝗺𝘀 𝗘𝗻𝗮𝗯𝗹𝗲𝘀 𝗤𝘂𝗶𝗰𝗸 𝗮𝗻𝗱 𝗥𝗲𝗹𝗶𝗮𝗯𝗹𝗲 𝗢𝗽𝗽𝗼𝗿𝘁𝘂𝗻𝗶𝘁𝘆 𝗖𝗮𝗽𝘁𝘂𝗿𝗲𝗧𝗵𝗲 𝗥𝗲𝘀𝘂𝗿𝗴𝗲𝗻𝗰𝗲 𝗼𝗳 𝗣𝗼𝗸𝗲́𝗺𝗼𝗻 𝗮𝗻𝗱 𝗧𝗖𝗚'𝘀 𝗡𝗲𝘄 𝗥𝗶𝘀𝗲Since launching Pokémon Red and Pokémon Green in 1996, the Pokémon series has been a global favorite. Recently, the craze has resurged, driven by the 𝗧𝗿𝗮𝗱𝗶𝗻𝗴 𝗖𝗮𝗿𝗱 𝗚𝗮𝗺𝗲 (𝗧𝗖𝗚)'s explosive growth.Data shows TCG sales soaring, with billions of players worldwide, especially in Hong Kong and Asia, buzzing about new packs and online battles. This phenomenon offers vast business opportunities - companies must act swiftly to engage fans in this fast-paced market.🔎 𝗖𝗮𝘀𝗲 𝗜𝗻𝘀𝗶𝗴𝗵𝘁: 𝗧𝗣𝗖𝗶'𝘀 𝗗𝗶𝗴𝗶𝘁𝗮𝗹 𝗘𝘃𝗲𝗻𝘁 𝗟𝗼𝗰𝗮𝘁𝗼𝗿Facing fan anticipation before Pokémon Day (February 27), The Pokémon Company International (TPCi) needed a 𝗗𝗶𝗴𝗶𝘁𝗮𝗹 𝗘𝘃𝗲𝗻𝘁 𝗟𝗼𝗰𝗮𝘁𝗼𝗿 app to link players with global events.Traditional development couldn't keep up with the surge. OutSystems, a low-code platform for rapid app building, stepped in, showcasing its speed and reliability in this project.🚀 𝗢𝘂𝘁𝗦𝘆𝘀𝘁𝗲𝗺𝘀' 𝗦𝗽𝗲𝗲𝗱 𝗔𝗱𝘃𝗮𝗻𝘁𝗮𝗴𝗲𝘀TPCi adapted an existing location tool for the new Pokémon Day API under tight deadlines. Using OutSystems, the team and partner valantic met security and performance needs in 10 days, deploying in under a month. The app supports 7 languages, works on desktops, tablets, and mobiles, and includes a backend for easy event updates. Unlike months-long traditional methods, this low-code approach enabled quick iteration, connecting 14,000 players to events and raising attendance by 70%, capitalizing on the TCG wave.🛡 𝗢𝘂𝘁𝗦𝘆𝘀𝘁𝗲𝗺𝘀' 𝗥𝗲𝗹𝗶𝗮𝗯𝗶𝗹𝗶𝘁𝘆 𝗔𝗱𝘃𝗮𝗻𝘁𝗮𝗴𝗲𝘀The app handles global traffic and multilingual demands reliably. Load tests simulated 300,000 users in 12 minutes without crashes. Its' UX emphasizes scalability and reusability, embeddable in marketing pages for future use. Backend ensures real-time data accuracy, boosting satisfaction and efficiency, establishing TPCi as a digital leader in TCG's rise.💡 𝗖𝗼𝗻𝗰𝗹𝘂𝘀𝗶𝗼𝗻: 𝗛𝗮𝗿𝗻𝗲𝘀𝘀 𝗢𝘂𝘁𝗦𝘆𝘀𝘁𝗲𝗺𝘀 𝗳𝗼𝗿 𝗕𝘂𝘀𝗶𝗻𝗲𝘀𝘀 𝗔𝗴𝗶𝗹𝗶𝘁𝘆OutSystems' speed and reliability empower enterprises to navigate dynamic markets and drive digital transformation. In fast-paced environments like Hong Kong, it enables rapid app development for customer engagement and operational efficiency.This TPCi case exemplifies low-code platforms' power, delivering scalable solutions that position businesses as innovation leaders.

𝗣𝗿𝗶𝗻𝗰𝗶𝗽𝗹𝗲𝘀 𝗳𝗼𝗿 𝗣𝗿𝗼𝘁𝗲𝗰𝘁𝗶𝗻𝗴 𝗣𝗿𝗶𝘃𝗮𝗰𝘆

🔐 𝟳 𝗞𝗲𝘆 𝗗𝗮𝘁𝗮 𝗣𝗿𝗼𝘁𝗲𝗰𝘁𝗶𝗼𝗻 𝗣𝗿𝗶𝗻𝗰𝗶𝗽𝗹𝗲𝘀 𝗳𝗼𝗿 𝗣𝗿𝗼𝘁𝗲𝗰𝘁𝗶𝗻𝗴 𝗣𝗿𝗶𝘃𝗮𝗰𝘆The EU General Data Protection Regulation (GDPR) came into force on 𝟮𝟱 𝗠𝗮𝘆 𝟮𝟬𝟭𝟴, which is the one of the world's strictest privacy laws. It aims to standardize data protection rules across the digital single market, enhance individual control over personal information, and adapt governance due to the technological developments and digitalization.The GDPR introduces 7 key data protection principles to ensure organizations handle data legally, securely, and with full transparency and responsibility:✨𝗟𝗮𝘄𝗳𝘂𝗹𝗻𝗲𝘀𝘀, 𝗙𝗮𝗶𝗿𝗻𝗲𝘀𝘀, 𝗧𝗿𝗮𝗻𝘀𝗽𝗮𝗿𝗲𝗻𝗰𝘆: Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.✨𝗣𝘂𝗿𝗽𝗼𝘀𝗲 𝗟𝗶𝗺𝗶𝘁𝗮𝘁𝗶𝗼𝗻:  Personal data can only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.✨𝗗𝗮𝘁𝗮 𝗠𝗶𝗻𝗶𝗺𝗶𝘀𝗮𝘁𝗶𝗼𝗻:  Processing should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.✨𝗔𝗰𝗰𝘂𝗿𝗮𝗰𝘆: Personal data must be accurate and, where necessary, kept up to date with reasonable steps taken to erase or rectify inaccuracies.✨𝗦𝘁𝗼𝗿𝗮𝗴𝗲 𝗟𝗶𝗺𝗶𝘁𝗮𝘁𝗶𝗼𝗻: Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.✨𝗜𝗻𝘁𝗲𝗴𝗿𝗶𝘁𝘆 𝗮𝗻𝗱 𝗖𝗼𝗻𝗳𝗶𝗱𝗲𝗻𝘁𝗶𝗮𝗹𝗶𝘁𝘆: Personal data must be processed in a manner that ensures security of the personal data using appropriate technical or organisational measures.✨𝗔𝗰𝗰𝗼𝘂𝗻𝘁𝗮𝗯𝗶𝗹𝗶𝘁𝘆: The controller shall be responsible for, and be able to demonstrate compliance with the principles.The GDPR extends its reach beyond the EU by explicitly requiring compliance from organizations established outside the EU in certain situations. Given the variety of business and transaction models, it is essential for the businesses in Hong Kong to assess whether the GDPR applies to them and to stay informed about ongoing regulatory developments.💡 𝗣𝗿𝗶𝘃𝗮𝗰𝘆 𝗰𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲 𝗶𝘀 𝗻𝗼 𝗹𝗼𝗻𝗴𝗲𝗿 𝗼𝗽𝘁𝗶𝗼𝗻𝗮𝗹 — 𝗶𝘁’𝘀 𝗮 𝗯𝘂𝘀𝗶𝗻𝗲𝘀𝘀 𝗶𝗺𝗽𝗲𝗿𝗮𝘁𝗶𝘃𝗲.