Conducting an External Vulnerability Assessment

Case study on a consumer goods manufacturer identifies vulnerabilities


Hiring: Job announcements on Chinese websites indicate that over the past several months PDQ has been hiring for multiple positions, ranging from marketing assistants to a general manager position in Beijing. These job postings raise the question of whether CGM is seeing increases in revenue commensurate with such a potential PDQ expansion.

Proprietary Technology/Equipment: Chinese-language documents highlighting CGM’s inclusion in the JV with FC specifically note that one of the values CGM brings to the relationship is its superior manufacturing technology and expertise. This leads TSC analysts to surmise that, as part of the agreement, CGM exported manufacturing equipment for PDQ’s use or shared proprietary technologies within limits. TSC believes that the danger to CGM’s long-term expansion into Asia, and eventually beyond, would be exacerbated by the presence of its manufacturing equipment in the production facility. Without stringent controls and oversight, it would be in line with Chinese strategy to copy the machinery and attempt to duplicate it. Combined with the curious wording mentioned earlier regarding food product manufacturing equipment, TSC believes it would be prudent for CGM to reevaluate its current arrangement with regard to the equipment and CGM representation at the plant.

Website assessment

Vulnerable Sites: During routine, passive reviews of the CGM website, TSC analysts were able to access areas that should likely be restricted. The documents appear to be Oracle-related, possibly showing the operating sequences used to run the backend database. More than 40 total pages of code were readily available via multiple mediums on the Internet. Someone with malicious intent could, in conjunction with other access, cripple CGM’s business through faulty orders, prices, deliveries, etc.

Vulnerable Information: An oftentimes overlooked yet equally vulnerable penetration point for a commercial company is the network of its suppliers, vendors, distributors and customers. During basic, open-source and passive searches for CGM information on non-CGM websites, TSC analysts uncovered specific pricing information. The prices appear to include what CGM charged the customer for dozens of items, as well as a column indicating what the customer then added to the price for resale. TSC believes it is crucial that CGM conduct an extensive review of all vendors and suppliers to ensure that such confidential information is secure. A potential competitor, especially one set up in a foreign country with cheaper labor, would be ecstatic to learn CGM’s price to a distributor and then undercut it.

TSC’s experience in protecting national interests reinforces our belief that a competitor or malicious actor will always seek the path of least resistance. In this instance, that path could be through a medium ostensibly outside CGM’s control, yet one that holds the potential for substantive damage to CGM’s interests. TSC discovered the data from just one of CGM’s many suppliers, vendors and redistributors, all of whom could be potentially and unknowingly leaking similar sensitive price information.

TSC’s experience in the corporate security and industrial espionage world, paired with a history of protecting national interests, gives us a unique perspective when conducting analysis of a U.S. company’s security posture. Specifically, international operations are prone to financial skimming and corporate theft of intellectual property. It is TSC’s professional opinion that CGM has several current areas warranting immediate attention and further investigation. Under the 863 program, otherwise known as the State High-Tech Development Plan, China has made no secret of the fact that it intends to skip generations of R&D costs by partnering with foreign companies and copying their techniques and technologies. Further complicating the problem is the aggressive manner in which the Chinese respond to such allegations. TSC strongly recommends that CGM immediately address these potential vulnerabilities before losses can no longer be recouped.

The TSC process during initial engagements includes conducting open-source research and analysis of CGM. All data used in the production of this report was retrieved from openly available sources. Collection from these sources was done in compliance with all pertinent laws and using passive methods that would be replicable by someone with low to moderate research and technical expertise. Obviously, in a real-world environment a foreign competitor would not restrict themselves in this way.
