Black Box, Phishing, and Vishing Testing for an Investment Advisor


Industry
Investment

About Our Customer

The Customer is a US financial advisor firm offering retirement account services. Its web application helps invest and manage retirement savings plans.

Need for Expertise in IT Security and Investment Software

To ensure the maximum security of its clients’ data, the Customer was looking for an experienced cybersecurity vendor with a hands-on background in investment software. The Customer found the required competence with ScienceSoft and turned to us to examine its retirement planning solution and evaluate its employees’ cybersecurity awareness.

Real-World Attack Simulation to Verify Cyber Resilience

Black box penetration testing

ScienceSoft’s experts performed black box pentesting of the Customer’s retirement planning solution according to the PTES, OWASP Web Security Testing Guide, and NIST 800-115 methodologies. The testing scope included a customer-facing web application, its API, and a public network comprising 5 IP addresses.

Our pentesters scanned the targets for known vulnerabilities and validated the findings to eliminate false positives. To evaluate the potential impact of the identified security gaps, ScienceSoft’s team attempted to exploit the vulnerabilities by simulating a real-life cyber attack.

During the pentesting, ScienceSoft revealed three medium-severity and seven low-severity vulnerabilities, classified based on OWASP TOP 10, OWASP API TOP 10, and NIST CVSS. The detected weaknesses could be exploited by an attacker to steal sensitive data, distribute malware, and affect web server performance. To seal the gaps, our pentesters suggested pragmatic corrective measures, such as:

  • Implementing strict input validation and sanitization to prevent injection attacks.
  • Replacing FTP with a more secure, SSH-based file transfer protocol such as SFTP to take advantage of SSH’s built-in encryption.
  • Introducing brute force protection: using SSH keys and disabling password authentication where possible, configuring the firewall to allow connections to the remote hosts only from selected IPs, adding CAPTCHA, enforcing a limit on failed login attempts, and blocking an account or IP when the limit is reached.
  • Updating vulnerable software to its latest version to prevent memory corruption and remote execution of attacker-controlled code.
  • Preventing malicious cross-domain requests by properly configuring the Access-Control-Allow-Origin header and setting up server-side protection of sensitive data (e.g., authentication and session management).
  • Configuring the missing HTTP headers, such as X-Frame-Options to improve protection against clickjacking attacks, Strict-Transport-Security to enforce protection against man-in-the-middle attacks by using HTTPS only, and X-Rate-Limit to mitigate the risk of attackers overwhelming the system with too many requests.
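The list above names two controls that are easy to verify in code: the presence and strength of the response headers, and the "limit failed logins, then block the account or IP" rule. The following Python is an added example written for this page; it is not ScienceSoft's tooling or the Customer's configuration. The sample header sets, the `app.example-advisor.test` origin, and the `FailedLoginLimiter` thresholds are constructed for illustration; the header checker flags exactly the gaps listed in the case study, and the limiter uses a sliding window with a timed lockout.

```python
"""Two defensive checks matching the remediation list above (added example).

1. check_security_headers(): flags the header gaps the case study names
   (X-Frame-Options, Strict-Transport-Security, a permissive
   Access-Control-Allow-Origin, and the X-Rate-Limit header it lists).
2. FailedLoginLimiter: the "limit failed login attempts, then block the
   account or IP" control, with a sliding window and a timed lockout.
"""
from collections import defaultdict, deque

# Constructed sample headers, not captured from the Customer's application.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Access-Control-Allow-Origin": "*",          # any site may read responses...
    "Access-Control-Allow-Credentials": "true",  # ...including authenticated ones
}

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Access-Control-Allow-Origin": "https://app.example-advisor.test",  # placeholder origin
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Rate-Limit": "100",
}

MIN_HSTS_MAX_AGE = 31536000  # one year, the commonly recommended floor


def _hsts_max_age(value):
    """Extract max-age from an HSTS header value; None if absent or malformed."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.isdigit():
            return int(number)
    return None


def check_security_headers(headers):
    """Return a list of findings for one HTTP response's headers ([] means nothing flagged)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    if "x-frame-options" not in h and "content-security-policy" not in h:
        findings.append("X-Frame-Options missing: response can be framed (clickjacking)")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: HTTPS is not enforced")
    elif (_hsts_max_age(hsts) or 0) < MIN_HSTS_MAX_AGE:
        findings.append("Strict-Transport-Security max-age below one year")

    acao = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and credentials:
        findings.append("CORS: wildcard origin combined with credentials")
    elif acao == "*":
        findings.append("CORS: wildcard Access-Control-Allow-Origin")

    if "x-rate-limit" not in h:
        findings.append("X-Rate-Limit missing: no request limit advertised")
    return findings


class FailedLoginLimiter:
    """Lock a key (account name or source IP) after max_failures failures within window_seconds."""

    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lockout ends

    def is_locked(self, key, now):
        return self._locked_until.get(key, 0) > now

    def record_failure(self, key, now):
        """Register a failed login at time `now`; return True if `key` is (now) locked."""
        if self.is_locked(key, now):
            return True
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window_seconds:  # forget old failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds
            recent.clear()  # start counting afresh once the lockout expires
            return True
        return False

    def record_success(self, key):
        """A successful login resets the failure counter for the key."""
        self._failures.pop(key, None)


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, check_security_headers(hdrs) or "no findings")
    limiter = FailedLoginLimiter(max_failures=3, window_seconds=60, lockout_seconds=120)
    for t in (0, 1, 2):
        print("failure at", t, "-> locked:", limiter.record_failure("acct:alice", now=t))
```

Keying the limiter on both the account name and the source IP (two separate calls) covers the two blocking strategies the bullet mentions; the IP key catches password spraying across many accounts, the account key catches brute force against one. The header checker is meant to run over real responses once per endpoint, so it reports every gap rather than stopping at the first.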

Phishing and vishing simulation

ScienceSoft’s team ran several social engineering scenarios against 25 employee email addresses and 2 corporate phone numbers. During the phishing simulation, most of the employees followed safety precautions and ignored emails containing unknown links. However, 2 of the 25 employees submitted their personal data via a Google Form controlled by ScienceSoft’s pentesters. For the vishing simulation, our experts attempted calls at different hours but received no response.

Based on the social engineering testing results, ScienceSoft recommended organizing security awareness training for the Customer’s employees.

Insights into Cybersecurity Risks and the Ways of Reducing Them

In two weeks, ScienceSoft conducted black box pentesting and simulated phishing and vishing attacks. As a result, the Customer received a report detailing the detected vulnerabilities and associated risks to its IT infrastructure and client data. The report also featured remediation recommendations that helped the company quickly fortify the cyber defense of its retirement planning solution.

Satisfied with the assessment results, the Customer plans to engage ScienceSoft in future security testing projects.

Technologies and Tools

Acunetix, Metasploit, Nessus, Hydra, SSLScan, Nikto, Burp Suite, Nmap, DirB, WhatWeb, Python, C, Perl.
