BDDK-Compliant Service

BSD.2012/1 Circular-Compliant
Penetration Tests

Nesil Teknoloji – Banking Focused

We deliver the "Penetration Tests on Information Systems" service for banks in full compliance with the BSD.2012/1 Circular and the relevant Communiqué provisions, taking into account the annual testing obligation and the BADES upload requirement.

Purpose (per the Circular)

To identify and remediate security weaknesses in bank information systems before they can be exploited.

Scope (Minimum)

Communication Infrastructure & Active Devices
DNS Services
Domain & User Computers
E-mail Services
Database Systems
Web Applications
Mobile Applications
Wireless Network Systems
ATM Systems
Distributed Denial of Service (DDoS)
Social Engineering
These headings are the minimum; the scope is expanded according to the bank's risk profile.

Methodology – Access Points & User Profiles

Access Points

  • Internet: The bank's internet-facing servers/services
  • Bank Internal Network: Server, network and traffic tests on the internal network
  • Branch Network: Network, traffic and branch-accessed systems at the selected branch

User Profiles

  • Anonymous: Non-member external user
  • Bank Customer: Corporate or individual customer holding valid login credentials
  • Bank Guest: Guest network user
  • Bank Employee: The most common employee profile, plus a variant with local administrator rights
  • Other Profiles: Special privilege sets, if any

System Identification

Identification of the system/configuration information of servers and active/passive network devices.

Service Identification

Port scanning and determination of the services exposed on each host.

Vulnerability Scanning

Scanning of the identified components against current vulnerabilities, supplemented by vulnerability-database research.
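The three identification steps above (system, service, vulnerability) are usually carried out with scanners such as Nmap, but the underlying technique is simple enough to show in full. The following is an added example written for this page, not a tool of Nesil Teknoloji or part of the Circular: a TCP connect scan that marks a port open when the handshake completes, reads a service banner, and maps the banner to a product/version pair that can then be looked up in a vulnerability database. The targets are constructed local listeners on 127.0.0.1 (ports 48000-48100 and the OpenSSH/Apache banners are assumptions chosen for the demonstration, not real bank hosts), so it runs offline.

```python
"""TCP connect scan with banner grabbing and service identification (added example)."""
import re
import socket
import threading

# Constructed stand-in targets (not real bank hosts): local listeners that send
# a banner as soon as a client connects, simulating externally exposed services.
SAMPLE_SERVICES = {
    48022: b"SSH-2.0-OpenSSH_7.4\r\n",
    48080: b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.29\r\n\r\n",
    48099: b"",  # open port whose service says nothing: still a finding
}
SCAN_RANGE = range(48000, 48101)

# Banner patterns -> product name; group 1 is the version string.
BANNER_PATTERNS = [
    (re.compile(rb"SSH-2\.0-OpenSSH_([\w.]+)"), "OpenSSH"),
    (re.compile(rb"Server: Apache/([\w.]+)"), "Apache httpd"),
]


def _serve(srv, banner, stop):
    """Accept connections on an already-bound listening socket until `stop` is set."""
    with srv:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                if banner:
                    conn.sendall(banner)


def start_listeners(services):
    """Bind every port before any thread starts, so a scan cannot race the bind."""
    stop = threading.Event()
    threads = []
    for port, banner in services.items():
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(5)
        srv.settimeout(0.1)  # lets the accept loop notice `stop`
        t = threading.Thread(target=_serve, args=(srv, banner, stop), daemon=True)
        t.start()
        threads.append(t)
    return stop, threads


def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan: a completed handshake marks the port open, then read a banner.

    Returns {port: banner_bytes}; a silent open port maps to b"".
    """
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:        # refused, filtered (timeout) or unreachable
                continue
            try:
                found[port] = s.recv(256)
            except OSError:        # open, but nothing received within the timeout
                found[port] = b""
    return found


def identify(banner):
    """Map a banner to (product, version) for vulnerability lookup; ("unknown", None) if no match."""
    for pattern, product in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, m.group(1).decode("ascii", "replace")
    return "unknown", None


def run_demo():
    """Stand up the constructed services, scan the range and return {port: (product, version)}."""
    stop, threads = start_listeners(SAMPLE_SERVICES)
    try:
        banners = connect_scan("127.0.0.1", SCAN_RANGE)
    finally:
        stop.set()
        for t in threads:
            t.join()
    return {port: identify(b) for port, b in banners.items()}


if __name__ == "__main__":
    for port, (product, version) in sorted(run_demo().items()):
        print(f"{port}/tcp open  {product} {version or ''}".rstrip())
```

A connect scan is the noisiest but least ambiguous method: it completes the handshake and so appears in the target's connection logs, which is acceptable in an authorised test but should be agreed with the bank's SOC beforehand. The product/version pairs returned by `identify` are the input to the vulnerability-scanning step; a banner can be altered by the administrator, so version claims are confirmed by version-specific probes before a finding is reported.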

Core Penetration Tests

Internet

  • IP range scanning, system & service identification
  • Scanning and verification against current vulnerabilities

Bank Internal Network

  • Local network map and traffic analysis
  • Content-filtering and firewall bypass attempts
  • Obtaining sensitive information via man-in-the-middle (MITM) attacks
  • Workstation/server takeover and privilege escalation

Branch Network

  • Branch network map and vulnerability scan
  • MITM attacks at the branch; tests of active network devices
  • Penetration attempts on branch-accessed systems
All tests carrying downtime risk are conducted in coordination with the bank.

Detailed Penetration Tests

After the core tests, detailed penetration tests are applied for each of the scope headings in the Circular. The procedures and principles are determined within the authority of the Vice-Presidency to which the BDDK Information Management Department is attached.

Finding Severity Levels (ANNEX-1)

Level      Definition
Emergency  Weaknesses allowing an unqualified attacker full takeover from the bank's external network
Critical   Weaknesses allowing a qualified attacker full takeover from the bank's external network
High       Denial of service or privilege escalation from the external network; weaknesses providing privilege escalation locally
Medium     Weaknesses leading to denial of service via the local network or a server
Low        Hardening deficiencies; situations with limited or unforeseen impact

Reporting, Action Management and BADES

Report Format (ANNEX-2)

  • Finding Ref No, Finding Name, Severity Level, Impact
  • Access Point, User Profile
  • Component(s), Finding Description, Remediation Recommendation

Follow-up & Notification

  • Annual period: A penetration test at least once a year
  • Board-approved action plan for the findings
  • Upload to BADES within one month of completion of the final report
Nesil Teknoloji supports preparation of the BADES upload and verification of action-item closure as part of its process management.

Why Nesil Teknoloji?

Regulation-Compliant

Full compliance with BSD.2012/1 and the relevant Communiqué requirements

Bank/Branch Focus

Internet, internal network and branch network scenarios

Full Scope

Including ATM systems, DDoS and social engineering

Audit-Ready Report

Output in ANNEX-1/ANNEX-2 format, ready for BADES

Expert Team & Accreditations

TSE-Certified Penetration Testing Company
Certificate No: TSE-STF-065
Nesil Teknoloji A.S. is certified by the Turkish Standards Institution as an "Approved Penetration Testing Company" under the TS 13638/T2 standard.

Certificates Held by Our Team

International Certificates
  • CEH: Certified Ethical Hacker (EC-Council)
  • OSCP: Offensive Security Certified Professional (Offensive Security)
  • Security+: CompTIA Security+ (CompTIA)
  • CISSP: Certified Information Systems Security Professional ((ISC)²)
  • CISA: Certified Information Systems Auditor (ISACA)
  • GPEN: GIAC Penetration Tester (SANS/GIAC)
  • LPT: Licensed Penetration Tester (EC-Council)

TSE Penetration Testing Experts
  • 2 Senior Penetration Testing Experts (TSE Certified)
  • 4 Certified Penetration Testing Experts (TSE Certified)
  • 3 Registered Penetration Testing Experts (TSE Registered)

BDDK-Compliant Penetration Testing – Quote & Planning

Let's define the plan together, starting with verification of the minimum scope and the internet, internal network and branch network scenarios.