The Bulgarian National Revenue Agency is a specialized state institution under the jurisdiction of the Minister of Finance. Its primary function is to administer taxes and social security contributions. It also has to collect other public and private state receivables. The NRA is one of the few entities that provide e-government services to Bulgarian citizens. The institution handles sensitive data, including:
- Information about citizens’ income taxes;
- patent taxes;
- VAT and corporate taxes;
- health insurance;
- pension insurance;
- additional mandatory pension insurance data.
It shouldn’t come as a surprise that the NRA is a desirable target for many cybercriminals. Moreover, the cyber risks for the NRA are further enhanced by the lack of qualified IT employees in Bulgarian public agencies and noncompetitive salaries compared to the private sector, as a 2018 government report suggests. According to the report cited by segabg.com, “technical, technological and personnel deficits in state institutions and companies of national security importance are of a lasting nature, and the measures taken to eliminate them, remain insufficient to counter modern challenges”.
NRA’s Challenge
As with any other large organisation or enterprise, the NRA is also challenged with finding well-experienced professionals who are willing to become part of the team and contribute to the cybersecurity of the agency. Back in 2020, NRA’s existing cybersecurity staff had to ensure the cyber resilience of the agency’s networks and systems to avoid and minimize any potential incidents in the future. To do this, the NRA needed to:
- Enhance the cybersecurity awareness of the agency’s Information Security team;
- А key goal for the agency was to ensure that its InfoSec team had an understanding of cyberattack approaches gained through practical experience;
- Getting a clear view of potential cyberattack impacts was also a priority for the NRA.
“We needed a professional and competent partner for advanced cybersecurity penetration testing training to teach our internal team techniques used by cybercriminals for real-world cyberattacks.” – NRA’s team
Additional pressure came from the public and media, given the fact that not so long ago there was a huge scandal involving the NRA in a security breach of the data of almost all citizens of Bulgaria.
The biggest challenge for the agency at that moment, however, was the fact that they needed to conduct the training in a very short time. Just over a month before the deadline, the NRA contacted 3Cyber-Sec as a part of the regular tender process, explaining their specific needs.
3Cyber-Sec’s Solution
To improve the cybersecurity awareness of NRA’s InfoSec team, 3Cyber-Sec had to urgently conduct a comprehensive penetration testing training, which needed to focus on the specific vulnerabilities and risks faced by the agency. What 3Cyber-Sec did for the NRA involved:
- The penetration testing (also referred to as ethical hacking) training – had the goal of educating NRA’s InfoSec team about the organization’s potential vulnerability to cyberattacks;
- 3Cyber-Sec’s team provided advice and instructions to NRA’s staff on how to practically compromise NRA’s networks – this would help them gain an in-depth understanding of the potential hacking strategies cybercriminals may use to attack NRA’s networks;
- Through practical experience, NRA’s InfoSec team will acquire better visibility of the critical vulnerabilities and weak spots in the agency’s defense systems.
With no internal knowledge of NRA’s networks and systems, the biggest challenge for 3Cyber-Sec was the tight deadline and specific technology requirements they were faced with. For less than a month, 3Cyber-Sec’s team developed a customized training environment and sessions tailored for the NRA team. They were also aligned with the specifics of the technology toolset used by the company.
Based on the requirements, 3Cyber-Sec outlined key topics for the training and created a list of practical tasks and challenges, which could enable NRA’s InfoSec team to ethically hack the agency and thus gain a better understanding of possible attack tactics. Once they prepared the training materials, 3Cyber-Sec conducted a 5-day penetration testing course that was held in an isolated technological environment. The training schedule included both theoretical sessions with lecturers, as well as practical workshops guided by 3Cyber-Sec’s team.
The Outcome
As a result of the intensive 5-day penetration testing course organized and conducted solely by 3Cyber-Sec, five members of NRA’s InfoSec team were fully trained and gained crucial knowledge of potential cyberattack tactics that could penetrate NRA’s defense systems. It’s important to note that some of the trained professionals didn’t have any previous experience with penetration testing tools and methodology. Despite that fact, for just 5 days the NRA’s InfoSec team was able to gain control over 26 machines in a laboratory setting and 14 web-based applications.
“We found an ally in the face of 3Cyber-Sec Ltd. The straightforward approach they took during the 5-day course, did fit very well with our internal team’s needs. The methodical presentations and onsite practical exercises were done with the proficiency and competency we were expecting. As a result, the National Revenue Agency’s information security team managed to gain a thorough understanding of an attacker’s approach.” – NRA’s team
The success of the penetration testing training provided by 3Cyber-Sec was further enhanced by the dedication of NRA’s InfoSec team, who were actively participating with a determination for acquiring precious know-how and enriching their current expertise. Furthermore, 3Cyber-Sec’s team received full support and cooperation from NRA’s management, which enabled them to successfully conduct the training in such a short period.
Without 3Cyber-Sec’s help, NRA’s team would not know the actual methods and attack vectors that could penetrate NRA’s defense systems.
If you’re also not sure which are the weak spots in your organization’s networks, contact us for a free consultation now. As a boutique cybersecurity company, we are always ready to answer the specific needs of each of our clients with tailored cybersecurity solutions.