Security assessment of the Internet banking system for Maruhan Japan Bank (Cambodia)

I. Introduction

Maruhan Japan Bank is a large bank with 100% investment from Japan and is one of the renowned banks in the capital city of Phnom Penh, Cambodia. Maruhan provides various professional banking services catering to individuals, organizations, businesses, and the government. Maruhan constantly strives for development and applies international market experiences to the Cambodian market, aiming to contribute to Cambodia's growth by enhancing the quality of life and community development for the Cambodian people, and delivering internationally standardized service quality.

II. Challenge and request

In 2011, as part of its remarkable development, Maruhan Bank invested in building an Internet banking system: an online banking platform that provides online services to customers. The bank positioned Internet banking as a key strength and an important part of its development strategy. Before launching the system, Maruhan wanted the entire system to go through information security procedures, including independent and reliable security assessments, to guarantee the safety, stability, and integrity of its online banking services once operational and to minimize the risk of cyberattacks by criminals.

The bank required the following assessments of its Internet banking system:

- Assessing the website system to identify external internet-related risks.

- Validating system components to identify internal risks through application source code validation and server system verification.

- Assessing the website system according to PCI DSS standards.

III. Solution

To meet all of the requirements above, Maruhan Bank entrusted HPT with the security assessment of its Internet Banking system.

HPT provides Maruhan Bank with two main security services:

- Penetration Testing

- Security Auditing

Security Assessment Service - Penetration Testing:

  • The scope of the security assessment includes evaluating the security of all system components from the following perspectives: Blackbox, Greybox, and Whitebox.
  • Blackbox: Simulating the viewpoint of a hacker, attempting to attack the system from external sources.
  • Greybox: Acting as an authorized system user or employee, performing security assessment techniques to test the system's susceptibility to privilege escalation and unauthorized access.
  • Whitebox: Assuming the role of a system administrator, evaluating all components and providing detailed reports on each device.

Within the chosen service package, Maruhan has opted for Blackbox and Greybox assessment services.

The security assessment report follows the OWASP and PCI DSS standards, providing comprehensive and independent details, including:

  • Job description
  • Scope of work
  • Approach methodology
  • Used methods
  • Detailed vulnerability descriptions
  • Recommendations for remediation

Security Auditing Service:

The scope of security auditing for the Internet Banking system includes the following verification tasks:

  • Auditing the security of application source code.
  • Auditing the security of configurations on the Internet Banking server system.

A detailed report is provided, which clearly presents:

  • Job description
  • Scope of work
  • Faulty configuration files and specific parameters causing the errors
  • Impacts on the system
  • Recommendations for remediation

IV. Benefits provided

- HPT is a reputable information service provider with extensive experience in security assessment services. HPT's engineers hold prestigious security certifications such as CEH, CCIE, CISSP, CISA, ensuring their expertise in the field.

- HPT's security assessment services adhere to well-known security standards and procedures such as OWASP-2010, PCI DSS, OSSTMM, and ISO 27001. These standards ensure comprehensive and reliable evaluations of the security of the systems.

- After the evaluation and security testing of Maruhan's Internet Banking system, the bank's IT department proceeded to address any remaining vulnerabilities, optimize the system's security, and prepare it for live operation. The system is now ready to be introduced to customers, offering the following benefits

V. Customer Reviews

Vongsa Neou, the head of the IT department at the bank, expressed satisfaction with HPT's highly skilled technical team and their professional and enthusiastic work attitude. The successful implementation of the security service at a Japanese bank with high-quality requirements demonstrated their excellent professional capabilities and promised the development of system security assessment services, particularly in the field of Internet banking and overall network systems for businesses. This is the customer's feedback.