WAPT
Introduction
A private bank in Australia offers comprehensive e-banking services to a wide range of users, including individuals, banking institutions, and payment gateway providers. The e-banking platform facilitates critical financial operations such as money transfers, balance inquiries, utility payments, and loan payments. Given its critical nature, the platform must operate continuously, 24/7/365, and any downtime or security breach could significantly impact its users.
The bank sought to enhance the security of its web application by conducting penetration testing aligned with PCI-DSS and international cybersecurity standards. They required both black box and gray box testing to safeguard against external and internal threats. To achieve these objectives without disrupting service, the bank engaged Cybernetic Global Intelligence for their expertise in cybersecurity.
Solution
- Initial Consultation: Cybernetic Global Intelligence initiated the project with a kick-off meeting involving the bank’s senior management to clarify the testing objectives and requirements.
- System Overview: The team reviewed the web application architecture with insights from the bank’s technical team to understand its functionalities and potential vulnerabilities.
- Pre-requisites Confirmation: During the kick-off meeting, the Cybernetic team ensured that all necessary pre-requisites for testing were in place.
- Non-Intrusive Testing: The initial phase involved non-intrusive tests to gather baseline information and perform technical reconnaissance.
- Infrastructure Testing: Recommendations were made to include penetration testing of the web server and network components such as firewalls, switches, and routers.
- Tool Selection and Manual Testing: Based on preliminary scan results, appropriate tools were selected, and manual testing was conducted on the network and web infrastructure.
- Vulnerability Reporting: Critical vulnerabilities discovered during testing were immediately reported to the bank’s technical team, who promptly addressed and resolved them. The Cybernetic team confirmed the remediation within the same testing cycle.
- Intrusive Testing: At the client’s request, more intrusive tests, including password brute force attacks and denial of service attacks, were performed during off-business hours to ensure no disruption to services.
- Comprehensive Reporting: A detailed report, including proof-of-concept (PoC) where applicable, was prepared and delivered to the client. The report provided thorough recommendations for fixing identified issues.
- Project Closure: The project was concluded after a final review and sign-off by the bank’s senior management, as re-testing was not included in the initial scope.
This structured approach ensured that the bank’s e-banking platform enhanced its security posture without impacting its operational performance.