AWS Penetration Testing Gives In-Depth Cyber Risk Insight to Specialist Bank

Having previously used other providers to perform penetration testing, a bank commissioned Kroll to take a fresh approach to its information security by uncovering vulnerabilities that may have been overlooked by the other testers. Kroll’s support has given the bank the additional insight and guidance it needs to ensure the security of its estate and better meet its compliance obligations.

Overview

Industry
  • Finance

Challenges
  • Hybrid infrastructure
  • High volume of cloud workloads
  • Rigorous compliance requirements

Kroll Services
  • Penetration testing

Impact
  • Deeper understanding of risks
  • Easier compliance
  • Actionable insight into specific vulnerabilities

The Challenge

A specialist bank recognized that it needed to review its approach to cyber security to adapt to digital transformation and the rapidly evolving threat landscape. The bank processes a high volume of sensitive data, making it an attractive target for cybercriminals. It was also concerned that its security risk had grown because of a recently launched online banking portal and an increasing number of workloads moving to the Amazon Web Services cloud.

Because it wanted to review its approach to uncovering vulnerabilities, the bank recognized the need to undertake penetration testing in addition to that already performed by other companies. The bank recognized that Kroll’s offensive security expertise would provide the in-depth insight it needed and further support its compliance with the requirements of the Financial Conduct Authority, the Prudential Regulation Authority and the GDPR. This initiative would build on the already-strong relationship the bank had with Kroll as a subscriber to its Kroll Responder managed detection and response (MDR) service.


“The penetration testing that Kroll performed provided some very credible findings and outlined clear improvements that we were able to implement. The whole process raised the bar of our cybersecurity defenses.” – Head of Cybersecurity, specialist bank


Kroll's Solution

Over the course of a week, Kroll’s team of CREST-accredited pen testers performed a range of tests to assess every element of the bank’s network. The focus was on establishing the extent to which hackers could gain unauthorized access to the bank’s critical systems and data. The six phases of testing covered internal infrastructure testing, external infrastructure testing (assessing security from the viewpoint of a potential hacker), web application testing, build testing, configuration testing and a firewall review.

Undertaking tests both on-premises and remotely at the same time, the Kroll team liaised closely with the bank’s Cybersecurity Manager and IT Manager to complete the process smoothly without impacting the bank’s business operations. In doing so, the team uncovered a number of threats previously overlooked by other pen testers. These included default legacy protocols within the network that hadn’t been updated and a number of weak configurations, including one which had been set up by a third-party supplier.


The Impact


Streamlined Scoping Process

Before the pen testing took place, Kroll worked closely and consultatively with the bank to understand its requirements and put together a custom plan that clearly defined the aims of the overall engagement. This plan also helped ensure that the testing was performed in accordance with the strictest legal, technical and ethical standards.

Comprehensive Testing

Kroll’s pen testers assessed many different areas of the organization, giving the bank a comprehensive view of its security posture. By organizing identified vulnerabilities according to each area of the business in six testing phases, they ensured that the process was streamlined and manageable.

Deeper Understanding of Risks

For each vulnerability discovered, the Kroll team provided detailed context around ease of exploitation, which enabled the bank to understand the true severity of the risks it faces. This context was supported by actionable advice on how best to remediate these risks.

Clear Reporting and Communication

Post-assessment, Kroll’s pen testing team created in-depth reports which provided the insight the bank needed to make tangible, lasting improvements to its security. All Kroll’s pen testing reports include an executive summary highlighting key findings and a more detailed description of the technical details and practical implications of each vulnerability, which assets were affected, how they were discovered and what actions an attacker could have taken if the vulnerabilities had been left unaddressed. The summary was supported by clear verbal communication from Kroll’s pen testers—all providing more direct and personalized support than that given by automated scans.

Offensive Mindset

The bank benefited significantly from the insight provided by Kroll’s offensive security team. To more closely replicate the approach of real-life adversaries and identify vulnerabilities that other pen testing companies overlook, Kroll places emphasis on testers using manual tools and processes as well as applying creative thinking.

Easier Compliance

The pen testing engagements and reporting provided by Kroll support the bank in better demonstrating a continuous commitment to the security of its systems and data. This has helped the bank more effectively meet the compliance requirements of the GDPR, the Financial Conduct Authority and the Prudential Regulation Authority.

High-quality Remediation Advice

Kroll’s focus was not just on finding vulnerabilities but on helping the bank to remediate them. As well as searching for and uncovering specific vulnerabilities, the team provided tailored advice, detailing how the bank could address weaknesses and mitigate risks.
