Financial market experience
Financial industry specifics.
For a financial organization of any scale we provide a set of high-quality services tailored to the specifics of the industry:
- Penetration testing can be performed from within the customer's own infrastructure, so no data leaves the customer's processing facilities.
- All activities are organized to introduce minimal availability risk to production operations.
- The audit program draws on our knowledge of the protocols and systems common in the financial industry (SWIFT, SEPA, SEP, ATM and POS networks, internet banking systems, etc.).
- The testing process follows the requirements of international and national security standards (e.g. PCI DSS, ISO 27001, COBIT 5, etc.).
Pakurity's core team includes experienced professionals who understand financial systems architecture and the specifics of the industry. In particular, they have a proven record of:
- Serving the security teams of the largest banks in the world.
- Mitigating Advanced Persistent Threats (APT) from international financial cyber-crime groups.
- Conducting research on the cyber-threat landscape of Ukraine, including state-sponsored threat actors. The research papers are regularly presented at international cyber-security conferences.
Project case: Security audit in a bank
The goal of the project was to verify whether an attacker could penetrate the internal bank network from the outside. The project was conducted in a black-box manner, so no access was provided by the customer. Our pentesters used up-to-date techniques to penetrate the customer's network. Some of the security issues that were found:
- Detailed error messages in the internet banking application. This information leak facilitated remote code execution through Spring Expression Language (SpEL) injection.
- Remote code execution due to an unpatched version of the Spring framework.
- Insecure direct object reference to client account payment details (the details used to conduct a wire transfer). Although payment details for a wire transfer are public in nature, enumerating them allowed all bank clients to be identified.
- Know your customer (KYC) routine abuse. The client's phone number was verified by SMS, but no brute-force protection was implemented, so it was possible to find the correct SMS verification code and link the phone number to the customer account.
- The use of weak TLS cipher suites, in violation of PCI DSS requirements.
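The SMS verification finding above comes down to one missing control: a numeric code with no attempt limit is only as strong as the number of guesses the server accepts. The Python below is an added illustration, not Pakurity's code and not the audited application's: it models a verifier with the weakness described (unlimited attempts) next to a hardened one (attempt budget, expiry, single use, constant-time comparison) and runs the same enumeration against both. The code length, attempt budget and validity window are assumptions chosen for the example.

```python
"""Added example (not Pakurity's code): why an unthrottled SMS/OTP check is
brute-forceable, and one way to harden it.  CODE_DIGITS, MAX_ATTEMPTS and
CODE_TTL_SECONDS are assumed values, not the audited application's."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

CODE_DIGITS = 6          # assumed code length: 10**6 possible values
MAX_ATTEMPTS = 5         # assumed lockout threshold per issued code
CODE_TTL_SECONDS = 300   # assumed validity window


def generate_code() -> str:
    """CSPRNG-backed, zero-padded numeric code."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


@dataclass
class VulnerableVerifier:
    """Mirrors the finding: the code can be guessed without limit."""
    code: str = field(default_factory=generate_code)

    def verify(self, candidate: str) -> bool:
        return candidate == self.code          # no attempt counter, no expiry


@dataclass
class HardenedVerifier:
    """Attempt budget, expiry, single use and constant-time comparison."""
    code: str = field(default_factory=generate_code)
    issued_at: float = field(default_factory=time.monotonic)
    attempts: int = 0
    consumed: bool = False

    def verify(self, candidate: str, now: Optional[float] = None) -> bool:
        if self.consumed or self.attempts >= MAX_ATTEMPTS:
            return False                       # locked: caller must issue a new code
        now = time.monotonic() if now is None else now
        if now - self.issued_at > CODE_TTL_SECONDS:
            self.consumed = True               # expired codes never verify
            return False
        self.attempts += 1
        ok = hmac.compare_digest(candidate.encode(), self.code.encode())
        if ok:
            self.consumed = True               # a code is accepted at most once
        return ok


def brute_force(verifier, max_tries: int = 10 ** CODE_DIGITS) -> Tuple[Optional[str], int]:
    """Enumerate every zero-padded code in order.

    Returns (found_code, tries) or (None, tries).  Against the vulnerable
    verifier this always succeeds; against the hardened one the budget is
    exhausted after MAX_ATTEMPTS and every later guess is refused."""
    for i in range(max_tries):
        candidate = f"{i:0{CODE_DIGITS}d}"
        if verifier.verify(candidate):
            return candidate, i + 1
    return None, max_tries


if __name__ == "__main__":
    weak = VulnerableVerifier()
    print("vulnerable:", brute_force(weak))         # the code, after up to 10**6 tries
    strong = HardenedVerifier()
    print("hardened:", brute_force(strong), "attempts counted:", strong.attempts)
```

The attempt budget is tracked per issued code; a real deployment also needs a limit on how many codes can be issued per account and per source address, otherwise an attacker can reset the budget by requesting a new code.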
Project case: PCI DSS internal pentest
The project goal was to verify the Payment Card Industry Data Security Standard (PCI DSS) compliance of the customer's internal network. The test was conducted in a gray-box manner. Because of the high security level, the pentester worked from a customer-provided computer with Kali Linux installed and restricted access to the Internet. The test included infrastructure testing, layer 2 network attacks, network segmentation testing and internal web application testing. The methodology followed the PCI Penetration Testing Guidance requirements. As a result, the customer received a detailed report with the findings and a specification of which PCI DSS requirement each one violated. Some of the issues that were identified:
- Lack of an IPv6 firewall on the systems. While many servers had a host firewall with IPv4 rules, no IPv6 rules were implemented even though IPv6 was enabled on the network interfaces. It was possible to reach a wide set of services over IPv6, including an NFS share with backups. The backups contained an SSH private key, which allowed one of the servers in the CDE (cardholder data environment) to be compromised.
- The Java EE application lacked proper file type and file location filtering, which allowed a JSP web shell to be uploaded and the application server to be compromised.
- The log server serving the CDE machines used an Elastic instance to store logs, including the commands invoked by system administrators. Database passwords were recovered from those logs.
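The IPv6 finding is easy to reproduce across a fleet: a host whose IPv4 filter table is default-deny while its IPv6 filter table is still the distribution default exposes every service that binds to the wildcard address. The Python below is an added example, not Pakurity's tooling and not the bank's configuration: it parses iptables-save and ip6tables-save output together with `ip -6 addr` and reports the gap, and it carries the weak IPv6 table beside a corrected one. All sample outputs, addresses, interface names and ports are constructed for the illustration.

```python
"""Added example (not Pakurity's code or the audited configuration): detect
"IPv4 host firewall, no IPv6 rules" from iptables-save / ip6tables-save and
`ip -6 addr` output.  All sample data below is constructed."""
import ipaddress
import re
from typing import Dict, List, Tuple

IP6_ADDR_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:10::25/64 scope global
    inet6 fe80::5054:ff:fe12:3456/64 scope link
"""
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.10.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.10.0/24 -p tcp --dport 2049 -j ACCEPT
COMMIT
"""
# Weak: the IPv6 table is the distribution default, so NFS (2049) and
# everything else filtered for IPv4 is reachable over IPv6.
IP6TABLES_SAVE_WEAK = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""
# Corrected: default-deny mirroring IPv4; ICMPv6 stays open because
# neighbour discovery (the IPv6 equivalent of ARP) runs over it.
IP6TABLES_SAVE_FIXED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s 2001:db8:10::/64 -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def ipv6_addresses(ip_addr_output: str) -> List[ipaddress.IPv6Address]:
    """Non-loopback IPv6 addresses from `ip -6 addr`.  Link-local counts:
    a service bound to :: answers on fe80:: to any host on the same segment."""
    found = []
    for m in re.finditer(r"^\s*inet6\s+([0-9a-f:]+)/\d+", ip_addr_output, re.M):
        addr = ipaddress.IPv6Address(m.group(1))
        if not addr.is_loopback:
            found.append(addr)
    return found


def parse_filter_table(save_output: str) -> Tuple[Dict[str, str], List[str]]:
    """Chain policies and -A rules of the *filter table (iptables-save format)."""
    policies, rules, in_filter = {}, [], False
    for line in save_output.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif line == "COMMIT":
            in_filter = False
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            rules.append(line)
    return policies, rules


def audit_host(ip6_addr_out: str, v4_save: str, v6_save: str) -> List[str]:
    """Findings for one host; an empty list means nothing to report."""
    findings = []
    addrs = ipv6_addresses(ip6_addr_out)
    if not addrs:
        return findings                      # IPv6 is off, nothing to filter
    v4_pol, v4_rules = parse_filter_table(v4_save)
    v6_pol, v6_rules = parse_filter_table(v6_save)
    v4_filtering = v4_pol.get("INPUT") == "DROP" or any(r.startswith("-A INPUT") for r in v4_rules)
    v6_input = [r for r in v6_rules if r.startswith("-A INPUT")]
    if v4_filtering and v6_pol.get("INPUT", "ACCEPT") == "ACCEPT" and not v6_input:
        findings.append("IPv6 enabled (%s) but ip6tables INPUT is ACCEPT with no rules: "
                        "every IPv4-filtered service is reachable over IPv6"
                        % ", ".join(map(str, addrs)))
    if v6_pol.get("INPUT") == "DROP" and not any("ipv6-icmp" in r for r in v6_input):
        findings.append("ip6tables INPUT DROP without an ipv6-icmp accept: neighbour discovery breaks")
    return findings


if __name__ == "__main__":
    print("weak:", audit_host(IP6_ADDR_OUTPUT, IPTABLES_SAVE, IP6TABLES_SAVE_WEAK))
    print("fixed:", audit_host(IP6_ADDR_OUTPUT, IPTABLES_SAVE, IP6TABLES_SAVE_FIXED))
```

Feeding the script real `iptables-save`, `ip6tables-save` and `ip -6 addr` output from each host gives a fleet-wide answer in one pass. Disabling IPv6 on the interface is the other acceptable fix, but only if nothing on the segment depends on it; silently leaving it enabled is what produced the finding.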
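The JSP web-shell finding is the classic upload-handling gap: the application trusted the client-supplied file name for both the type and the location of the stored file. The Python below is an added illustration, not Pakurity's code and not the audited Java EE application's: it shows an upload handler with that gap beside a hardened one that allow-lists the extension, checks the content against it, discards the client name and writes outside any document root the container would execute from. The directory layout, allowed types and sample uploads are assumptions constructed for the example; the JSP body is a placeholder, not a working shell.

```python
"""Added example (not Pakurity's code or the audited application): a file
upload handler with the type/location gap beside a hardened one.  Paths,
allowed types and sample contents are constructed for illustration."""
import os
import secrets
import tempfile
from pathlib import Path

ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-"}   # assumed allow-list: ext -> magic
JSP_SHELL = b"<% /* web shell body deliberately omitted */ %>"  # placeholder content
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16               # constructed PNG header


def vulnerable_save(webroot: Path, filename: str, data: bytes) -> Path:
    """Trusts the client name: any extension, and '..' walks out of uploads/,
    so shell.jsp can land where the servlet container executes it."""
    dest = webroot / "uploads" / filename
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


class RejectedUpload(ValueError):
    pass


def hardened_save(store: Path, filename: str, data: bytes) -> Path:
    """Allow-list the extension, confirm the content matches it, choose the
    stored name server-side, and keep the store outside the web root."""
    ext = Path(os.path.basename(filename)).suffix.lower()   # basename drops any path component
    magic = ALLOWED.get(ext)
    if magic is None:
        raise RejectedUpload(f"extension {ext!r} not allowed")
    if not data.startswith(magic):
        raise RejectedUpload("content does not match declared type")
    store.mkdir(parents=True, exist_ok=True)
    dest = store / (secrets.token_hex(16) + ext)             # no client-controlled name
    dest.write_bytes(data)
    return dest.resolve()


def demo() -> dict:
    """Run both handlers against constructed uploads in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    results = {}
    # Vulnerable handler: traversal out of uploads/ with an executable type.
    p = vulnerable_save(root / "webapp", "../shell.jsp", JSP_SHELL).resolve()
    results["vulnerable_path"] = str(p)
    results["escaped_uploads_dir"] = (root / "webapp" / "uploads").resolve() not in p.parents
    # Hardened handler: same upload is refused on extension.
    try:
        hardened_save(root / "store", "../shell.jsp", JSP_SHELL)
        results["hardened_rejects_jsp"] = False
    except RejectedUpload:
        results["hardened_rejects_jsp"] = True
    # Hardened handler: allowed extension but mismatching content is refused.
    try:
        hardened_save(root / "store", "logo.png", JSP_SHELL)
        results["hardened_rejects_mismatch"] = False
    except RejectedUpload:
        results["hardened_rejects_mismatch"] = True
    # Hardened handler: a real PNG is stored under a server-chosen name in the store.
    q = hardened_save(root / "store", "../../logo.png", PNG_SAMPLE)
    results["stored_in_store"] = q.parent == (root / "store").resolve()
    results["stored_name_is_random"] = q.name != "logo.png" and q.suffix == ".png"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Magic-byte checks are a sanity check on the declared type, not a substitute for the location control: the decisive part is that nothing under the store is ever served by the application server as executable content.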