Large-Scale Security Project for a Gulf-Based Retail Bank
Customer
The Customer is a large Gulf-based retail bank with around 550 branches, providing comprehensive banking services to more than 2.5 million clients.
Challenge
The Customer needed to test the security controls deployed within their IT infrastructure. For this reason, they were looking for a qualified security testing provider knowledgeable in the banking industry to conduct:
- Vulnerability assessment and penetration testing of the network's external perimeter.
- Vulnerability assessment and penetration testing of the network's internal environment (servers, firewalls, etc.).
- Security risk assessment of the client digital channels (internet banking, mobile banking, mPOS merchant service, QR code payments, clients' payments, and communication in social networks).
- Simulation of social engineering attacks on employees' email to check their susceptibility to phishing.
Solution
ScienceSoft's team of certified cybersecurity specialists carried out the following scope of security testing services:
- Vulnerability assessment and penetration testing of 60 external IP addresses.
- Internal network vulnerability assessment and penetration testing.
- Security risk assessment of the client digital channels (internet banking, mobile banking, mPOS merchant service, QR code payments, clients' payments, and communication in social networks).
- Simulation of social engineering attacks.
Vulnerability assessment and penetration testing of the network's external perimeter
ScienceSoft's team began with black box penetration testing of the external perimeter of the Customer's network. Without any credentials, the ethical hackers were unable to penetrate the network, so they moved on to gray box testing using ordinary user login details that did not grant access to the entire network. Gray box testing revealed that one of the Customer's remote servers was vulnerable to external manipulation. Because the flaw lay in the server software itself, ScienceSoft recommended that the Customer contact the software vendor for a fix.
A further recommendation was to stop internal IP addresses from leaking through the DNS server into web pages visible to the Customer's clients: such addresses cost an attacker nothing to collect and hand them a partial map of the internal network before the first packet is sent at it.
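The two leak channels just mentioned (public DNS answers and client-facing HTTP responses) can be checked for internal addresses with a short script. The following is an added example, not ScienceSoft's or the Customer's code; the zone records, response bodies, hostnames and paths in it are constructed placeholders, and it treats only RFC 1918, link-local and loopback ranges as internal.

```python
"""Find internal IP addresses leaking to the outside: in public DNS answers and
in client-facing HTTP responses.

Added example, not ScienceSoft's or the Customer's code. The zone records and
HTTP responses below are constructed; hostnames and paths are placeholders.
"""
import ipaddress
import re

# Address ranges that should never appear in anything a client can see.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",                                  # link-local
    "127.0.0.0/8",                                     # loopback
)]

# Candidate dotted quads; each one is validated with ipaddress afterwards.
_IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed: A records as an external resolver would return them.
SAMPLE_ZONE = {
    "www.bank.example": ["198.51.100.10"],
    "intranet.bank.example": ["10.0.12.7"],
    "mail.bank.example": ["198.51.100.25", "172.16.4.2"],
}

# Constructed: headers/bodies of client-facing responses.
SAMPLE_RESPONSES = {
    "/login": "Server: www-01 (10.20.30.40)\nLocation: https://www.bank.example/home",
    "/api/status": '{"upstream": "192.168.5.12", "edge": "198.51.100.10"}',
    "/assets/app.js": "var version = '4.2.1.7';",
}


def is_internal(ip_text):
    """True if ip_text parses as IPv4 and falls in one of INTERNAL_NETS."""
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ValueError:
        return False          # not an address at all (e.g. '999.1.1.1')
    return any(ip in net for net in INTERNAL_NETS)


def find_internal_dns_records(zone):
    """Map each name whose public answer contains an internal address to those addresses."""
    report = {}
    for name, answers in zone.items():
        leaked = [ip for ip in answers if is_internal(ip)]
        if leaked:
            report[name] = leaked
    return report


def find_internal_ips(text):
    """Return the sorted list of internal IPv4 addresses embedded in text."""
    return sorted({m.group() for m in _IPV4_RE.finditer(text) if is_internal(m.group())})


def scan_responses(responses):
    """Map each path whose response leaks internal addresses to those addresses."""
    return {path: ips for path, body in responses.items()
            if (ips := find_internal_ips(body))}


if __name__ == "__main__":
    for name, ips in find_internal_dns_records(SAMPLE_ZONE).items():
        print(f"DNS {name} -> {', '.join(ips)}")
    for path, ips in scan_responses(SAMPLE_RESPONSES).items():
        print(f"HTTP {path} leaks {', '.join(ips)}")
```

In a real engagement the zone dictionary would be filled from the answers of an external resolver (for example from dig or dnspython) and the response dictionary from the pages fetched during crawling; the version string in the sample shows why each match is validated as a real address and checked against the internal ranges rather than simply flagged by the regex.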
Vulnerability assessment and penetration testing of the internal network
ScienceSoft's security engineers scanned the Customer's internal network for vulnerabilities and exploited the discovered ones using the gray box penetration testing method. They found a server whose HTTPS service still accepted obsolete versions of the underlying SSL/TLS protocol, a critical finding in a banking environment that stores clients' data, because such versions have known weaknesses that allow encrypted traffic to be downgraded or decrypted.
Moreover, our experts were able to execute a remote command on the Customer's firewall, which had been configured by a third-party vendor, and could read the files of all network groups. Such a vulnerability could allow an intruder to obtain user privileges and take over the Customer's server. ScienceSoft's recommendations for remediating the internal network issues included:
- Disabling the obsolete SSL/TLS versions on the affected server and allowing only current ones.
- Updating or replacing the firewall software.
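Whether a server still accepts obsolete protocol versions is quick to verify, both before remediation and during the retest. The following probe is an added example, not ScienceSoft's or the Customer's code, and the tooling the team actually used for this check (SSLScan, per the tools list) is a separate program; the script assumes a reachable host and port, and treats TLS 1.0 and 1.1 as obsolete. SSLv2 and SSLv3 are not attempted because current OpenSSL builds will not speak them from the client side.

```python
"""Probe which TLS protocol versions a server accepts and flag obsolete ones.

Added example, not ScienceSoft's or the Customer's code. Assumes a reachable
host:port; the classification helper is pure and can be checked offline.
"""
import socket
import ssl
import sys

# Versions probed, oldest first.
VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
# TLS 1.0 and 1.1 were formally deprecated by RFC 8996.
OBSOLETE = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}


def _context_for(version):
    """Client context that will negotiate exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # we test protocol support, not the certificate
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level; lower it
        # so that a refusal reflects the server's policy, not our own client's.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass                             # LibreSSL and others: keep the default list
    return ctx


def probe_versions(host, port=443, timeout=5.0):
    """Return {version: bool} telling which versions the server completed a handshake for."""
    results = {}
    for version in VERSIONS:
        try:
            ctx = _context_for(version)
        except (ValueError, ssl.SSLError):
            results[version] = False     # the local OpenSSL build cannot speak it at all
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[version] = False
    return results


def classify(results):
    """Split accepted versions into obsolete and current; 'finding' is True when action is needed."""
    accepted = [v for v, ok in results.items() if ok]
    obsolete = sorted(v.name for v in accepted if v in OBSOLETE)
    current = sorted(v.name for v in accepted if v not in OBSOLETE)
    return {
        "obsolete_accepted": obsolete,
        "current_accepted": current,
        # Either an obsolete version is still on, or nothing current could be negotiated.
        "finding": bool(obsolete) or not current,
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(classify(probe_versions(target)))
```

A client-side false negative is the main trap here: if the probing machine's OpenSSL silently refuses TLS 1.0, the server looks clean when it is not, which is why the security level is lowered explicitly and why a result of "nothing negotiated" is also reported as a finding rather than as a pass.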
Security risk assessment of the client digital channels
ScienceSoft's team analyzed the potential security risks of the following client digital channels: internet banking, mobile banking, mPOS merchant service, QR code payments, clients' payments, and communication in social networks. The team identified several risks in the payment and communication service used by the Customer's clients:
- Initiating malicious operations (e.g., fund transfers) involving clients' contacts.
- Initiating malicious communications with clients' contacts (including contacts in social networks).
Our recommended treatment actions included:
- Adding functionality to authenticate users of the payment and communication service, so that messages cannot be sent in a client's name without proof of who is sending them.
- Adding functionality that requires explicit confirmation of payments and other fund transfers before they are executed.
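The page does not say how the confirmation was to be built. One standard design, shown here as an added example that is not ScienceSoft's or the Customer's code, binds the confirmation code to the transfer details (payee, amount, currency, a single-use transaction nonce) so that a code obtained for one transfer, whether phished or intercepted, cannot approve a different one or be replayed. The per-user secret, the account identifiers and the service class are all assumptions made for the illustration.

```python
"""Transaction-bound confirmation codes ("what you see is what you sign").

Added example, not ScienceSoft's or the Customer's code. The user secret,
payees and ConfirmationService are constructed for illustration.
"""
import hashlib
import hmac
import secrets

CODE_DIGITS = 6


def _canonical(payee, amount_cents, currency, nonce):
    # Fixed field order so the same transfer always hashes identically and any
    # changed field (e.g. the payee) yields a different code.
    return f"{nonce}|{payee}|{amount_cents}|{currency}".encode()


def issue_code(user_secret, payee, amount_cents, currency, nonce):
    """Derive a 6-digit code from the user's secret and the displayed transfer details."""
    digest = hmac.new(user_secret, _canonical(payee, amount_cents, currency, nonce),
                      hashlib.sha256).digest()
    # Dynamic truncation as in HOTP (RFC 4226, section 5.3).
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def verify_code(user_secret, payee, amount_cents, currency, nonce, presented):
    expected = issue_code(user_secret, payee, amount_cents, currency, nonce)
    return hmac.compare_digest(expected, presented)   # constant-time comparison


class ConfirmationService:
    """Server side: remembers the transfer shown to the user and consumes each nonce once."""

    def __init__(self):
        self._pending = {}   # nonce -> (user_id, payee, amount_cents, currency)

    def start_transfer(self, user_id, payee, amount_cents, currency):
        nonce = secrets.token_hex(8)
        self._pending[nonce] = (user_id, payee, amount_cents, currency)
        return nonce

    def confirm(self, nonce, user_secret, presented_code):
        entry = self._pending.get(nonce)
        if entry is None:
            return False                       # unknown, expired or already used
        _, payee, amount_cents, currency = entry
        # The code is checked against what the server recorded, not what the
        # request claims, so a tampered request cannot redirect the funds.
        if not verify_code(user_secret, payee, amount_cents, currency, nonce, presented_code):
            return False
        del self._pending[nonce]               # single use: a replay fails
        return True


def demo(user_secret=None):
    """Legitimate confirm succeeds; replay and a different payee with the same code fail."""
    user_secret = user_secret or secrets.token_bytes(32)   # normally provisioned to the app
    svc = ConfirmationService()
    nonce = svc.start_transfer("client-1", "SA-LEGIT-ACCOUNT", 150000, "SAR")
    # The client app computes the code over the details it displays to the user.
    code = issue_code(user_secret, "SA-LEGIT-ACCOUNT", 150000, "SAR", nonce)
    # An attacker starts a transfer to their own account and tries the phished code.
    evil_nonce = svc.start_transfer("client-1", "SA-ATTACKER-ACCOUNT", 150000, "SAR")
    return {
        "legit_confirmed": svc.confirm(nonce, user_secret, code),
        "replay_rejected": not svc.confirm(nonce, user_secret, code),
        "tampered_rejected": not svc.confirm(evil_nonce, user_secret, code),
        "code_is_six_digits": len(code) == CODE_DIGITS and code.isdigit(),
    }


if __name__ == "__main__":
    print(demo())
```

The important property is that the server, not the client, is the source of truth for the payee and amount: the code only proves that the user saw and approved exactly the transfer the server recorded, which is the gap the page's recommendation is meant to close.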
Social engineering simulation
ScienceSoft's security specialists simulated phishing attacks against the bank employees' email. The ethical hackers convinced 65% of the targeted employees to send personal data by email; in a real attack, the same behaviour would hand intruders the employees' credentials.
We recommended that the Customer hold social engineering and email phishing training sessions for employees and keep them informed about current cybersecurity threats.
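A figure such as the 65% above comes from the campaign's per-recipient results. The script below is an added example, not ScienceSoft's or the Customer's code; its CSV is constructed in the shape of a Gophish results export (one row per recipient, a status column holding the furthest stage reached, and a reported flag), but the column subset, the addresses and the position values are assumptions, and the numbers are chosen to reproduce the 65% submission rate, not taken from the engagement.

```python
"""Phishing-simulation funnel from a campaign results export.

Added example, not ScienceSoft's or the Customer's code. The CSV is constructed
in the shape of a Gophish results export; columns, addresses and positions are
assumptions, and the 13-of-20 split is chosen to match the 65% on the page.
"""
import csv
import io

# Furthest stage a recipient reached, in funnel order.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]
_RANK = {stage: i for i, stage in enumerate(STAGES)}

# Constructed: 20 recipients, 13 of whom submitted data.
RESULTS_CSV = """email,position,status,reported
t01@bank.example,Teller,Submitted Data,FALSE
t02@bank.example,Teller,Submitted Data,FALSE
t03@bank.example,Teller,Submitted Data,FALSE
t04@bank.example,Teller,Submitted Data,FALSE
t05@bank.example,Teller,Submitted Data,FALSE
t06@bank.example,Teller,Submitted Data,FALSE
t07@bank.example,Teller,Submitted Data,FALSE
t08@bank.example,Teller,Submitted Data,FALSE
t09@bank.example,Teller,Clicked Link,FALSE
t10@bank.example,Teller,Email Opened,FALSE
b01@bank.example,Back office,Submitted Data,FALSE
b02@bank.example,Back office,Submitted Data,FALSE
b03@bank.example,Back office,Submitted Data,FALSE
b04@bank.example,Back office,Submitted Data,FALSE
b05@bank.example,Back office,Submitted Data,FALSE
b06@bank.example,Back office,Clicked Link,FALSE
b07@bank.example,Back office,Clicked Link,FALSE
b08@bank.example,Back office,Email Opened,FALSE
b09@bank.example,Back office,Email Sent,FALSE
b10@bank.example,Back office,Email Sent,TRUE
"""


def load_results(text):
    """Parse the export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def funnel(rows):
    """Count recipients that reached at least each stage, plus how many reported the mail."""
    counts = {}
    for stage, rank in _RANK.items():
        # Unknown statuses rank -1 and therefore count toward no stage.
        counts[stage] = sum(1 for r in rows if _RANK.get(r["status"], -1) >= rank)
    counts["reported"] = sum(1 for r in rows if r["reported"].strip().upper() == "TRUE")
    return counts


def rate(rows, stage="Submitted Data"):
    """Share of recipients (0.0 to 1.0) that reached at least the given stage."""
    return funnel(rows)[stage] / len(rows) if rows else 0.0


def rate_by_position(rows, stage="Submitted Data"):
    """Same rate broken down by the recipients' position, to target training."""
    groups = {}
    for r in rows:
        groups.setdefault(r["position"], []).append(r)
    return {pos: round(rate(grp, stage), 2) for pos, grp in groups.items()}


if __name__ == "__main__":
    rows = load_results(RESULTS_CSV)
    print(funnel(rows))
    print(f"submitted data: {rate(rows):.0%}")
    print(rate_by_position(rows))
```

Counting "at least reached stage" rather than the raw status keeps the funnel monotonic (everyone who submitted data also opened and clicked), and the per-position breakdown is what turns a single headline percentage into a training plan.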
Results
The Customer received detailed reports on the network vulnerability assessment, the penetration testing, and the security risk assessment of the client digital channels, together with recommendations for mitigating the discovered vulnerabilities. After fixing all the issues according to the remediation plan, the Customer commissioned retesting, which confirmed the improved security level of the network's external perimeter and internal environment.
As a next step, the Customer plans to commission ScienceSoft to perform a compromise assessment, to detect threat actors that may already be present in the network, and red teaming services, to test its detection and response capabilities against realistic attacks.
Technologies and Tools
Nmap, Nessus, Burp Suite, Gophish, Metasploit, Netcat, DIRB, Nikto, SSLScan, Firefox Developer Tools