Context: Securing a Vast and Dynamic Academic Digital Landscape
Universidade do Porto, a leading institution in high-level education, operates within a complex and expansive digital environment. Its attack surface is characterized by being “Huge, Dynamic, and Exposed”, encompassing a wide array of digital assets, including web applications, various software applications, extensive data repositories, and the challenges Shadow IT poses. This broad exposure necessitates a robust and continuous cybersecurity strategy to protect its academic integrity, research, and student data.
Challenge: Navigating a Broad Attack Surface with Diverse Threats
The primary challenge for Universidade do Porto was effectively managing and securing its vast and constantly evolving digital footprint. The institution faced a spectrum of vulnerabilities, from well-known Common Vulnerabilities and Exposures (CVEs) and software bugs to critical misconfigurations and unauthorized access points. The threats were equally diverse, ranging from opportunistic “script kiddies” and ideologically motivated hacktivists to financially driven cybercriminals, all seeking to exploit weaknesses in the University’s systems.
Their specific needs included:
- External Testing (Black-Box): A requirement for comprehensive black-box penetration testing to simulate real-world external attacks, assessing vulnerabilities from an attacker's perspective without prior knowledge of the internal systems.
- Accuracy & Speed: The imperative for precise identification of vulnerabilities, combined with rapid execution of assessments; both are crucial for an environment with such a dynamic attack surface.
Solution: Ethiack’s Platform for Continuous Attack Surface Reduction
Ethiack partnered with Universidade do Porto to provide a solution that met their needs for speed, accuracy, and external testing. Leveraging its advanced platform, Ethiack offered a comprehensive approach to discover, treat, and mitigate vulnerabilities associated with the University’s extensive online exposure.
The solution involved:
- AI-Powered Black-Box Pentesting: Ethiack’s platform conducted a single, yet highly effective, AI-driven penetration test, designed to quickly and accurately identify vulnerabilities accessible from an external perspective.
- Continuous Monitoring and Information Provision: The platform provided essential, ongoing information to the University’s InfoSec team, enabling them to discover, prioritize, and address vulnerabilities proactively.
- Focus on Attack Surface Reduction: The core of the solution was to provide tools and insights that directly contributed to the daily tasks of reducing the University’s overall attack surface.
What Has Changed: Enhanced Visibility and Proactive Security Operations
The implementation of Ethiack’s platform brought about significant improvements in Universidade do Porto’s cybersecurity operations. Over a seven-month timeline (September 2024 - present), the university gained unprecedented visibility and control over its digital security. Here are the main improvements:
- Vast Asset Coverage: The platform effectively managed and monitored 1,000 critical assets within a broader landscape of 5,000, demonstrating its scalability and capacity to handle large, complex environments.
- Streamlined Vulnerability Management: While specific findings are not disclosed, the continuous nature of the platform’s insights enabled the university to systematically address vulnerabilities.
- Essential Daily Tool: As articulated by José Augusto Silva, Head of InfoSec at Universidade do Porto: “The Ethiack platform offers a range of essential information for discovering, treating, and mitigating the vulnerabilities associated with our online exposure. It is an essential tool for daily tasks focused on reducing our attack surface.”
Through this partnership, Universidade do Porto transformed its approach to cybersecurity, moving towards a more proactive and efficient model for managing its vast and dynamic digital assets, ensuring the continued security of its high-level educational services.