SecQuest were engaged by an Investment Bank to perform a technical security assessment from the guise of a disgruntled employee. The bank’s Internal Audit Team required assurance that technical controls were operating effectively, and managing the risk of a cyber attack by internal personnel, with ‘insider knowledge’ of the bank.

SecQuest (‘SQ’) worked closely with the bank’s Internal Audit Team and phased the following areas for testing over a two week period, including: [1] Data Loss Prevention (‘DLP’) [2] CRM and [3] the bank’s main-frame and critical business applications.

The objective was to assess if controls managed the risk of data exfiltration by disgruntled personnel – typically within the ‘Movers and Leavers’ process. SQ were able to access, via a bank workstation with ‘normal user’ access, shared network resources which contained system credentials in plain-text.

This permitted SQ with a route to some of the bank’s databases and legacy help desk system – the help desk system also provided passage to database backups, due to a Windows disk share with no password. Utilising the exposed credentials SQ performed tasks, such as resetting users’ passwords and gaining access to the Windows network domain, which contained the bank’s CRM applications. Client data was identified, but with sanitised account data.

Information from the legacy help desk system also provided access to the bank’s mid-range / main-frame system(s). Therefore, as SQ has a ‘real-life’ experience and working knowledge of mid-range / mainframe systems, we were able to locate application data replicated between the main-frame and mid-range hosts, thus enabling the team view account transaction data. The bank’s DLP controls partially mitigated the risk of data exfiltration. However, several SQ techniques could be used to exfiltrate data from the bank to SQ systems for further analysis.

The SQ report enabled the bank’s Internal Audit Team to promptly stand-up project(s) to manage the risks to the Windows domain, such as evolving the bank’s network segmentation project, to further protect critical infrastructure and high-risk users. Further asset and configuration management controls were also introduced to ensure legacy systems were decommissioned, in conjunction with managing the confidentiality of system passwords and certificate based access to databases. Logging and monitoring were also improved to ensure the bank could identify suspicious activity within a timely manner.

The SQ team returned to perform a retest and the majority of the security weakness had been either remediated, or was being managed in the interim until the risk could be fully mitigated. SecQuest is now a trusted adviser to the bank and continues to integrate with their assurance program – we are currently providing Penetration Testing Services against the bank’s new account management systems.