A Guide to Penetration Testing in Financial Services

  • Jed Kafetz, Head of Pen Testing at Redscan

  • 12.07.2021 02:15 pm
  • #financialservices #testing

According to the ICO’s most recent security incidents report, the financial services sector has the second-highest number of cybersecurity incidents of any industry – with only the retail sector faring worse.

The high volumes of extremely valuable personal and financial data processed by financial firms are a major draw for cybercriminals. Despite this, a recent study found that 30 major banking applications contained a known security risk.

Thankfully, these vulnerabilities were discovered and – presumably – fixed, but it raises the question ‘How many vulnerabilities remain undiscovered?’. This is why penetration testing – to identify hidden vulnerabilities and help validate the effectiveness of controls and processes – should be conducted regularly as part of every financial services organisation’s security programme.

What is pen testing and why is it important? 

A pen test entails granting experienced ethical hackers permission to simulate controlled cyber-attacks. Pen tests can be commissioned to assess different aspects of an IT estate, such as servers, portals, websites and applications. They are conducted with the aim of identifying and helping to address security weaknesses that criminals might seek to exploit in order to compromise assets and steal data. 

Regular penetration testing is crucial not only to exposing and remediating vulnerabilities but also to achieving compliance with the latest data and information security requirements, including those mandated by the FCA, PRA, GDPR, NIS Directive, SWIFT and MIFID II.

In such a competitive landscape, the financial and reputational costs of a breach can be significant. A poor cybersecurity posture can be extremely damaging to the way a company is perceived, undermining the trust of customers, and negatively impacting revenues and market valuation. 

Common vulnerabilities in financial services 

The security challenges faced by financial institutions vary, depending on their size and how well-established they are. However, in my experience of working with clients, some major trends are directly influencing the type of vulnerabilities commonly identified. 

One of these trends is the increased use of mobile applications. Most financial services organisations now have an app and these are attractive targets due to the extensive personal and financial data they process, as well as the software programming flaws they may contain. 

An Insecure Direct Object Reference (IDOR) is one example of a web application vulnerability being actively exploited by cybercriminals to target organisations in finance. A typical IDOR attack involves an attacker logging into an app and then making small changes to an identifier in a URL, in order to gain access to the profiles of other users and harvest their data.
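As an added illustration (not code from the original article or from Redscan), the following Python model shows the IDOR flaw just described beside the ownership check that closes it, plus a simple access-log check a defender can use to spot profile enumeration; the profile store, user names and ids are constructed for the example.

```python
# Added example: minimal model of an IDOR flaw, its fix, and a detection check.
# All data below is constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    profile_id: int
    owner: str
    account_ref: str  # constructed sample value, not a real account number

# Constructed sample store: two customers, one profile each.
PROFILES = {
    1001: Profile(1001, "alice", "CONSTRUCTED-0001"),
    1002: Profile(1002, "bob", "CONSTRUCTED-0002"),
}

class Forbidden(Exception):
    """Raised when the session user does not own the requested resource."""

def get_profile_vulnerable(session_user: str, profile_id: int) -> Profile:
    """IDOR: the handler behind /profile/<profile_id> trusts the id taken
    from the URL and never checks it belongs to the logged-in user, so
    changing 1001 to 1002 in the URL returns another customer's data."""
    return PROFILES[profile_id]

def get_profile_hardened(session_user: str, profile_id: int) -> Profile:
    """Fix: authorise every object access against the server-side session.
    An unknown id and a foreign id are rejected identically, so the
    response does not reveal whether the guessed id exists."""
    profile = PROFILES.get(profile_id)
    if profile is None or profile.owner != session_user:
        raise Forbidden("profile not accessible for this session")
    return profile

def access_allowed(session_user: str, profile_id: int) -> bool:
    """Convenience wrapper: True if the hardened handler would serve it."""
    try:
        get_profile_hardened(session_user, profile_id)
        return True
    except Forbidden:
        return False

def detect_profile_enumeration(access_log, threshold: int = 3):
    """Defender-side check over (session_user, profile_id) log tuples:
    flag sessions that touch more distinct profile ids than one customer
    would legitimately own, which is the footprint of URL-tampering."""
    seen = {}
    for user, pid in access_log:
        seen.setdefault(user, set()).add(pid)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)
```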

For larger financial institutions, key vulnerability challenges often concern the use of legacy technologies and the migration of systems to the cloud. Older technologies weren’t developed with today’s cybersecurity threats in mind so can present an increased risk, particularly if software patches and updates aren’t released and regularly applied.  

That’s not to say that more recently established organisations using the latest technologies are without their own set of security challenges. A common problem which affects financial startups is that the size of their digital footprint can rapidly exceed the rate at which they are able to protect it. Another issue is that new technologies can lack widely documented security standards and are often misconfigured for this reason. The current version of the PCI DSS, for instance, lacks guidance around serverless technologies, so urgently needs updating.

Remote working is a trend that is also posing significant security challenges across the financial sector. Employees accessing networks and systems outside of offices can create new risks and it is important that regular assessments are conducted to identify weaknesses such as VPN misconfigurations and improper access controls. 

Where to focus assessments 

Protecting data and assets that are public-facing should be imperative when prioritising security resources. Context is key here. Given resource constraints and the need to keep on top of vulnerability management, knowing where to focus attention is vital.  

Automated vulnerability scanning tools are good at spotting basic vulnerabilities but don’t offer the depth of testing or the specialist support that an experienced ethical hacker can provide. While tools can tell you that a vulnerability is low risk, they provide little information about how easily it might be chained with others to create a cumulative issue that is more serious.

Scenario-based assessments, a form of pen testing, are a great way to better understand and validate the effectiveness of controls and processes. Though not full red team exercises, they often focus on specific adversarial tactics, techniques and procedures that are commonly used against organisations. One example of a scenario-based test is a simulated phishing exercise designed to mirror a Business Email Compromise (BEC) attack in which fraudsters aim to compromise an employee’s account and instigate bogus payment requests. 

Why working with the right security partner is vital 

Penetration testing should be at the heart of any financial institution’s security posture, providing invaluable insight to help security teams better understand where organisations are vulnerable and the effectiveness of controls and processes. 

Choosing the right third-party security partner is vital to successful pen testing. It is essential to select one that can demonstrate sector-specific financial services experience and an understanding of the latest adversarial techniques, with the capacity to uphold the highest legal and ethical standards.

Without an experienced partner, penetration testing will not deliver the maximum value and the outcomes that financial services organisations need to better understand the security risks they face and strengthen their cyber resilience. 
