Performance Based Penetration Testing - Financial Services

Background

The client is a financial services organization operating in over 150 countries, with over US$50 billion in revenue and over 150,000 employees. Naturally, an organization of this type has a mature information security program, along with a large number of vendors providing a variety of services.

"Nobody offers penetration testing in this way... this is a game changer"
Client

The Challenge

After multiple years using the same vendor, the client was questioning whether it was receiving the best return on its investment. Vulnerabilities were found, but they were often impractical: good for a presentation at a conference, yet less useful for actually addressing something that could harm the organization. In essence, vendor fatigue had set in.

The Solution

A performance-based assessment was proposed. OccamSec worked with the client to identify a number of "trophies" and set out the rules of engagement. The engagement fee was agreed upon, at which point the following agreement was made: if OccamSec were unable to breach the environment, identify critical vulnerabilities, and obtain a number of trophies, the fee would be reduced. If trophies were obtained, an additional performance bonus would be paid, scaled to the number obtained.

The team were able to use a variety of vectors, including a vulnerable cloud-based server, a poorly maintained SharePoint site, and an open conference phone system, to ultimately breach the environment and access a number of the trophies.