Pentest and Audit of Databank's Information Security Infrastructure

The Central Bank requires all financial institutions in Russia to conduct annual penetration tests and security level assessments. Such works simulate cyberattacks on the bank’s information systems.

The procedure can be performed either by the bank itself with the help of security scanners or by a third-party organization that is licensed for such work. This makes the information security check as unbiased as possible. Thus, one of the leading banks in the Udmurt Republic — Databank — invited experts from the ICL group of companies to audit the security of their systems.

Security inside and out: a detailed audit

Before launching the IS infrastructure audit, ICL defined the methods it was going to use, as well as the main objects to be evaluated. Then, the order of work was agreed upon. The ICL team had several important objectives:
1) to identify vulnerabilities,
2) to provide an objective and independent assessment of the current level of security, and 
3) to form a comprehensive program of measures to improve the security of the bank’s systems.

Over a month, the IS specialists of the ICL group of companies tried to «crack the nut» — or, in other words, to hack the bank’s infrastructure, get access to the internal network, and understand what data could fall into the hands of intruders. For this purpose, the company conducted penetration tests and assessed the possibility of an attack within the network.

To test the external security loop, ICL experts examined the bank’s network infrastructure, server systems, public web applications, and services. Then, these hosts were analyzed with security scanners. The specialists also checked what version of the software was installed on each device and whether it had any vulnerabilities. If one of the ports was running outdated software, the specialists manually checked whether the identified vulnerability was critical for Databank systems.

The stage of internal testing implies the simulation of the actions of intruders who managed to gain unauthorized access to critical resources of the bank’s local network.

Recommendations for enhancing security systems

Having finished the evaluation of Databank’s internal and external security loops, the ICL team prepared a report for the bank’s financial management and technical specialists, which included all the results of the audit, as well as recommendations for improving the IT infrastructure’s security.

The work was completed in just a month, and the processes were organized so as to minimize the involvement of IS specialists of the bank and not interfere with their core business. Moreover, the work had no impact on the service quality and went unnoticed by customers.

As a result of the pentest and audit, Databank’s management decided to adopt a comprehensive approach to organizing its information security system that would increase the protection of the corporate infrastructure, prevent future attacks, and protect the assets of the bank’s clients.