Network Penetration Testing for a Financial Institution

Learn how Orro delivered critical testing services against internal and external IT infrastructure for a large financial institution.

External and Internal Penetration Testing

Challenge

Orro was engaged by a large Financial institution for penetration testing services against their external and internal IT infrastructure. These services were required as part of their annual security assessment program.

The key components for this work included Blackbox type testing of the Customers externally accessible services, with the objective to get to the internal network. The Internal network penetration testing was carried out with provided login credentials of an internal user (low privileges), with the main objective to elevate privileges on the network to a Domain Administrator and/or root user in the Customers core systems.

Solution

Orro identified and documented any discovered technical vulnerabilities in the external and internal infrastructure, and outlined the resulting risks to the customer, posed by the following sample attack scenarios:

  • A threat actor on the Internet, who:
    • Discovers vulnerabilities in externally facing hosts, services or applications, and then attempts to bypass authentication mechanisms and/or other restrictions deployed to block anonymous access to services, and thus to corporate and/or customers’ data;
    • Guesses or steals (e.g. via phishing) authorised user’s login credentials for externally facing systems and then uses these credentials to obtain unauthorised access to corporate systems and customers’ data.
  • A threat actor connected to internal network, who:
    • Connects their device to internal network, discovers vulnerabilities within internally accessible hosts, services or applications, and then attempts to exploit these to gain unauthorised access to corporate systems and customers’ data;
    • Guesses or steals (e.g. via phishing or internal network traffic sniffing) authorised user’s login credentials for systems accessible to low privilege type user accounts, and then attempts to elevate their privileges to obtain higher level access, including full administrative privileges (Domain Administrator and/or root user) to core systems.
  • A malicious insider, with authorised low-level privilege account, connected to internal network, who:
    • Misuses their authorised low-level access to probe the internal systems for vulnerabilities that can be exploited in order to elevate their privileges to obtain higher level access, including full administrative privileges (Domain Administrator and/or root user) to core systems.

Outcome

The resulting security assessment report provided the Customer with a prioritised list of recommended risk remediation actions that, once implemented, ensured that all relevant security controls deployed within the external and internal ICT networks are configured in an efficient manner to provide robust defence against threat actors targeting the Customers ICT systems.

Two reports (one per each testing phase listed above) were provided, including the identified findings and risk mitigation recommendations.

An onsite debrief and presentation to key stakeholders was also carried out along with the retesting of ‘high risk’ issues as reported.

The customer name has been withheld due to confidentiality.  More information can be provided by contacting the Orro team directly.

Related Resources

7 November 2020
Learn how Orro helped a QLD Government Agency address critical components across visibility and response time for their Security Improvement Program.
A building bearing the logo of the University of the Sunshine Coast.
4 August 2022
The University of Sunshine Coast (UniSC) was experiencing a number of hardware and software issues and outages due to their aging data centre.
Students walking on a TAFE Queensland campus.
30 November 2022
In order to bring the best-in-class learning experiences to their students, TAFE Queensland sought Orro’s help to upgrade and future-proof their network.