BSD.2012/1 Circular-Compliant Penetration Tests
We perform the "Penetration Tests on Information Systems" service for banks in full compliance with the BSD.2012/1 Circular and the relevant Communiqué provisions, taking into account the annual testing obligation and the BADES upload requirement.
Purpose (per the Circular)
Identifying and remediating security weaknesses in bank information systems before they can be exploited.
Scope (Minimum)
Methodology – Access Points & User Profiles
Access Points
- Internet: The bank's internet-facing servers/services
- Bank Internal Network: Server, network and traffic tests on the internal network
- Branch Network: Network, traffic and branch-accessed systems at the selected branch
User Profiles
- Anonymous: Non-member external user
- Bank Customer: Corporate/individual login-authorised user
- Bank Guest: Guest network user
- Bank Employee: The most common profile + local admin
- Other Profiles: Special privilege sets, if any
System Identification
Identification of the system/configuration information of servers and active/passive network devices.
Service Identification
Port scanning; determination of externally exposed services.
Vulnerability Scanning
Scanning of components against current vulnerabilities; research in vulnerability databases.
Core Penetration Tests
Internet
- IP range scanning, system & service identification
- Scanning and verification against current vulnerabilities
Bank Internal Network
- Local network map and traffic analysis
- Content filtering, FW bypass attempts
- Obtaining sensitive information via MITM
- Workstation/server takeover and privilege escalation
Branch Network
- Branch network map and vulnerability scan
- MITM at the branch, active device tests
- Penetration attempts on branch-accessed systems
Detailed Penetration Tests
After the core tests, detailed penetration tests are applied for each of the scope headings in the Circular. The procedures and principles are determined within the authority of the Vice-Presidency to which the BDDK Information Management Department is attached.
Finding Severity Levels (ANNEX-1)
| Level | Definition |
|---|---|
| Emergency | Weaknesses allowing an unqualified attacker full takeover from the bank's external network |
| Critical | Weaknesses allowing a qualified attacker full takeover from the bank's external network |
| High | DoS/privilege escalation from the external network; weaknesses providing privilege escalation locally |
| Medium | Weaknesses leading to denial of service via the local network/server |
| Low | Hardening deficiencies; situations with limited/unforeseen impact |
Reporting, Action Management and BADES
Report Format (ANNEX-2)
- Finding Ref No, Finding Name, Severity Level, Impact
- Access Point, User Profile
- Component(s), Finding Description, Remediation Recommendation
Follow-up & Notification
- Annual period: A penetration test at least once a year
- Board-approved action plan
- Upload to BADES within 1 month following the full report
Why Nesil Teknoloji?
Regulation-Compliant
Full compliance with BSD.2012/1 and the relevant Communiqué requirements
Bank/Branch Focus
Internet, internal network and branch network scenarios
Full Scope
Including ATM systems, DDoS and social engineering
Audit-Ready Report
Output in ANNEX-1/ANNEX-2 format, ready for BADES
Expert Team & Accreditations
Certificates Held by Our Team
BDDK-Compliant Penetration Testing – Quote & Planning
Let's define the plan together with minimum scope verification and branch/internet/internal network scenarios.