Case Study: Uncovering Vulnerabilities Across a Bank’s Estate | Redscan

Overview

Raising the bar by uncovering vulnerabilities across a bank’s estate

Having previously used other providers to perform pen testing, a bank commissioned Redscan to take a fresh approach to its information security by uncovering vulnerabilities that may have been overlooked by the other testers. Redscan’s support has given the bank the additional insight and guidance it needs to ensure the security of its estate and better meet its compliance obligations.

Case Study - Specialist Bank
Industry
Finance
HQ
UK

The Challenge

Summary

  • Hybrid infrastructure
  • High volume of cloud workloads
  • Rigorous compliance requirements

A specialist bank recognised that it needed to review its approach to cyber security to adapt to digital transformation and the rapidly evolving threat landscape. The bank processes a high volume of sensitive data, making it an attractive target for cybercriminals. It was also concerned that its security risk had grown due to a recently launched online banking portal and an increasing number of workloads moving to the Amazon Web Services (AWS) Cloud.

Because it wanted to review its approach to uncovering vulnerabilities, the bank decided to commission penetration testing in addition to that already carried out by other providers. It judged that Redscan’s offensive security expertise would provide the in-depth insight it needed and further support its compliance with the requirements of the Financial Conduct Authority, the Prudential Regulation Authority and the GDPR. The initiative built on the existing relationship between the bank and Redscan, the bank already being a subscriber to Redscan’s Managed Detection and Response (MDR) service.

“The penetration testing that Redscan performed provided some very credible findings and outlined clear improvements that we were able to implement. The whole process raised the bar of our cyber security defences.”
Head of Cyber Security
Specialist Bank

The Solution

Over the course of a week, Redscan’s team of CREST-accredited pen testers performed a range of tests covering each in-scope element of the bank’s network. The focus was on establishing the extent to which an attacker could gain unauthorised access to the bank’s critical systems and data. The six phases of testing were internal infrastructure testing, external infrastructure testing (assessing security from the viewpoint of an Internet-based attacker), web application testing, build testing, configuration testing and a firewall review.

Undertaking tests both on-premises and remotely at the same time, the Redscan team liaised closely with the bank’s Cyber Security Manager and IT Manager to complete the process smoothly without impacting the bank’s business operations. In doing so, the team uncovered a number of vulnerabilities previously overlooked by other pen testers. These included legacy protocols still enabled by default on the network, and a number of weak configurations, including one that had been introduced by a third-party supplier.

The Benefits

Streamlined scoping process
Before the pen testing took place, Redscan worked closely and consultatively with the bank to understand its requirements and put together a custom plan that clearly defined the aims of the overall engagement. This also helped to ensure that the testing was performed in accordance with the strictest legal, technical and ethical standards.
Comprehensive testing
Redscan’s pen testers assessed many different areas of the organisation, giving the bank a comprehensive view of its security posture. By organising identified vulnerabilities according to each key area of the business in six testing phases, they ensured that the process was streamlined and manageable.
Deeper understanding of risks
For each vulnerability discovered, the Redscan team provided detailed context around ease of exploitation which enabled the bank to gain greater insight into the true severity of the risks it faces. This was supported by actionable advice on how to best remediate these risks.
Clear reporting and communication
Post-assessment, Redscan’s pen testing team created in-depth reports which provided the insight the bank needed to make tangible, lasting improvements to its security. All Redscan’s pen testing reports include an executive summary highlighting key findings and a more detailed description of the technical details and practical implications of each vulnerability, which assets were affected, how they were discovered and what actions an attacker could have taken if the vulnerabilities had been left unaddressed. The summary was supported by clear verbal communication from Redscan’s pen testers – all providing more direct and personalised support than that given by automated scans.
Offensive mindset
The bank benefited significantly from the insight provided by Redscan’s offensive security team. In order to more closely replicate the approach of real-life adversaries and identify vulnerabilities that other pen testing companies overlook, Redscan places emphasis on testers using manual tools and processes as well as applying creative thinking.
Easier compliance
The pen testing engagements and reporting provided by Redscan support the bank in better demonstrating a continuous commitment to the security of its systems and data. This has helped the bank to more effectively meet the compliance requirements of the GDPR, the Financial Conduct Authority and the Prudential Regulation Authority.
High-quality remediation advice
Redscan’s focus was not just on finding vulnerabilities but on helping the bank to remediate them. As well as searching for and uncovering specific vulnerabilities, the team provided helpful advice in reports which detailed how the bank could address weaknesses and mitigate risks.