Raising the bar by uncovering vulnerabilities across a bank’s estate
Having previously used other providers to perform pen testing, a bank commissioned Redscan to take a fresh approach to its information security by uncovering vulnerabilities that may have been overlooked by the other testers. Redscan’s support has given the bank the additional insight and guidance it needs to ensure the security of its estate and better meet its compliance obligations.
- Hybrid infrastructure
- High volume of cloud workloads
- Rigorous compliance requirements
A specialist bank recognised that it needed to review its approach to cyber security to adapt to digital transformation and the rapidly evolving threat landscape. The bank processes a high volume of sensitive data, making it an attractive target for cybercriminals. It was also concerned that its security risk had grown due to a recently launched online banking portal and an increasing number of workloads moving to the Amazon Web Services (AWS) Cloud.
Because it wanted to review its approach to uncovering vulnerabilities, the bank recognised the need to undertake penetration testing in addition to that already undertaken by other companies. The bank recognised that Redscan’s offensive security expertise would provide the in-depth insight it needed and further support its compliance with the requirements of the Financial Conduct Authority, the Prudential Regulation Authority and the GDPR. This initiative would build on the already strong relationship the bank had with Redscan as a subscriber to its ThreatDetect™ Managed Detection and Response (MDR) service.
Over the course of a week, Redscan’s team of CREST-accredited pen testers performed a range of tests to assess every element of the bank’s network. The focus was on establishing the extent to which hackers could gain unauthorised access to the bank’s critical systems and data. The six phases of testing covered internal infrastructure testing, external infrastructure testing (assessing security from the viewpoint of a potential hacker), web application testing, build testing, configuration testing and a firewall review.
Undertaking tests both on-premises and remotely at the same time, the Redscan team liaised closely with the bank’s Cyber Security Manager and IT Manager to complete the process smoothly without impacting the bank’s business operations. In doing so, the team uncovered a number of threats previously overlooked by other pen testers. These included default legacy protocols within the network that hadn’t been updated and a number of weak configurations, including one which had been set up by a third-party supplier.