Internal & External Network Security Assessment

Internal & External Network Security Assessment identifies vulnerabilities, tests defenses, and delivers actionable remediation to strengthen your institution’s security and ensure FFIEC compliance.

800+ organizations assisted | 23+ years of superior success | 38 states represented

NETBankAudit’s Internal & External Network Security Assessment provides a thorough, multi-layered evaluation of your institution’s network security posture. Our approach leverages industry-leading tools and experienced security consultants to identify vulnerabilities, assess risks, and recommend actionable improvements for both internal and external environments. The assessment is fully integrated into the IT audit process and supports compliance with FFIEC and industry best practices.

Internal Network Security Assessment

Our internal network security assessment is designed to identify vulnerabilities and exposures within your organization’s internal environment. We use a combination of automated tools and expert analysis to ensure a comprehensive review of your network, systems, and physical security controls.

Process and Methodology

  • Industry-Leading Tools: NETBankAudit uses top commercial-grade testing tools, managed onsite or remotely by highly trained and experienced penetration testing and vulnerability assessment engineers.
  • Authenticated Scans: We perform authenticated scans of your internal address space to identify and prioritize security weaknesses and their implications on the internal network. Administrative credentials are entered by your IT team for security and accuracy.
  • Expert Analysis: Scan results are analyzed by a senior vulnerability-testing engineer, certified in information security, who develops custom recommendations for remediation, including step-by-step procedures and/or automated tools where appropriate.
  • Comprehensive Coverage: Our tools and methodology ensure an accurate and comprehensive analysis, reducing the likelihood of false positives. We test for firewall issues, SNMP access, router/switch checks, proxy/DNS settings, remote & VPN services, RPC checks, patch management, misconfigurations, services, port scans/service scans, domain name services, FTP/SMTP settings, system users, default passwords, obsolete software, and more.
  • Non-Public Information (NPI) Protection: We evaluate open shares, unlocked databases, and other network configurations that could expose NPI.

Internal Vulnerability Assessment

  • Focus Areas: The assessment concentrates on critical areas such as patch management (OS and application), configuration of networked devices, and authentication controls (OS and specific applications/services).
  • Comprehensive Device Scanning: NETBankAudit prefers to scan all devices on the network to ensure all vulnerabilities are identified, but the extent of testing and exclusions is discussed with your team prior to testing.
  • Authenticated Device Analysis: Authenticated scans attach to each workstation or server and analyze the registry, installed software, and device configuration, providing the most accurate assessment of vulnerability posture.
  • Patch Verification: This assessment verifies that your patch management procedures are working as intended and are adequate.
  • Alternative Testing: If administrative credentials are not provided, NETBankAudit recommends internal penetration testing to ensure a valid test.

Scope of Internal Technical Review

  • Network Device Analysis: Includes a mix of Windows servers and workstations, with scans of all devices where possible. Review of user identification and password controls for desktop applications.
  • Firewall and Router Analysis: Scans with the latest open-source automated tools to identify and prioritize security weaknesses and implications. Review of firewall rule sets and router settings for best practices and potential conflicts.
  • Physical Security Assessment: Identifies low-, medium-, and high-risk points pertinent to information security. Assesses access to buildings, servers, removable media, systems documentation, and surveillance/defense methods. Includes interviews with employees to determine their understanding of security policies and procedures.
  • Virus Protection: Assessment of current and planned virus prevention/control tools and policies to determine their effectiveness and role in the security program.

Internal Penetration Testing (Optional)

  • Simulated Attacks: With limited assistance from IT staff, NETBankAudit performs an internal penetration test, attempting to identify and exploit any discovered vulnerability found during an unauthenticated review of the network.
  • Realistic Threat Simulation: This simulates what an attacker would attempt if they gained access to the internal network.
  • Operational Coordination: Testing is coordinated with management and staff to minimize operational disruption.

External Network Security Assessment

Our external network security assessment simulates real-world attack vectors to identify exposures accessible from the internet. We combine automated and manual techniques to uncover vulnerabilities and test the resilience of your external-facing systems.

External Vulnerability and Penetration Testing

  • Simulated Attacks: Simulates the attack vectors that might be used by a determined attacker, including discovery, enumeration, vulnerability mapping, and exploitation phases.
  • Discovery: Upon receipt of confirmed target IPs and/or domain names, we expand our knowledge of your Internet presence by conducting extensive discovery searches, including time synchronization, name services lookups, whois lookups, dig operations, DNS zone transfers, and more.
  • Enumeration: Actively tries to obtain usernames, network share information, and application version information of running services, expanding knowledge of the environment.
  • Vulnerability Mapping: Maps the profile of the target environment to publicly known or, in some cases, unknown vulnerabilities.
  • Exploitation: Attempts to gain privileged access to a target system by exploiting identified vulnerabilities, such as launching password guessing attacks using collected usernames. Any successful exploits are communicated to IT staff immediately with recommended remediation steps.
  • Manual Verification: Ensures discovered vulnerabilities are not false positives, and only safe exploitation is performed (no buffer overflow or denial of service attacks).
  • Comprehensive Assessment: Includes public information gathering, network mapping, host discovery, vulnerability identification, and attempts at vulnerability exploits.

Public Information Gathering Process

  • Manual and Automated Searches: Use of manual and automated searching techniques to identify public information pertaining to the institution, uncovering configuration errors, accidental posting of sensitive/internal information, malware, malicious sites, and phishing attacks.
  • Domain Name Searches: Name services lookups, whois lookups, polling registry information, dig operations, DNS zone transfers, and more.
  • Primary Website Review: Technology security assessment of the public website for sensitive content, access rights, and web server technology. Evaluation of potential web access vulnerabilities (OWASP Top 10 risks), Google searching for documents/configuration info, and site crawling for unlisted directories.
  • Email Address Searching: Specialized tools are used to gather email addresses belonging to the institution.
  • Advanced Google Searching: Finds information posted/published regarding the institution, with only items of interest reported.

Dark Web Search (Optional)

  • Dark Web Intelligence: Search for bank information on the Dark Web, including evidence of bots or malware associated with bank IP addresses, compromised user accounts/passwords, appearances of the bank in breach databases, the bank routing number, and card issuer identification numbers.

External Vulnerability Penetration Test

  • Discovery: Passive electronic discovery of identified targets, including time synchronization, name services lookups, whois lookups, dig operations, dnswalk, and research of web/application servers.
  • Enumeration: Active and passive discovery of target networks/domains, traceroutes, ping sweeps, and mapping of routers, hosts, firewalls, etc.
  • Vulnerability Mapping: Non-port scanning reconnaissance, OS fingerprinting, intense port scanning, analysis of ICMP traffic, and identification of time protocol vulnerabilities.
  • Exploitation: Bulk vulnerability scanning, manual verification, application attacks, brute force attacks, CGI/web exploits, and attempts to bypass firewalls/IDS/IPS using tools such as firewalk.
  • Safe Exploitation: Mapping vulnerabilities to known exploits, carrying out only safe exploits that will not harm the target device or cause service loss.

Additional Testing Options

To further strengthen your security posture, we offer additional assessments tailored to your institution’s needs. These options provide deeper insight into specific areas of risk.

Wireless Penetration Test (Optional)

  • Network Design Review: Assessment of wireless network design and documentation to understand deployment in the network.
  • Authentication Review: Review of two-factor authentication in use on wireless networks.
  • Access Point Identification: Identification of all wireless access points in range of the testing laptop.
  • Vulnerability Assessment: Assessment of security vulnerabilities associated with each device.
  • Encryption Key Testing: Testing using specialized and open-source tools to attempt to obtain handshake data to wireless access points. If WEP or WPA is used, attempts to identify the wireless encryption key via dictionary and side channel attacks; if WPA2 is used, dictionary attack on captured handshake data.

Quarterly Firewall Ruleset Audit (Optional)

  • Firewall Configuration Review: Initial review of firewall configuration with a specialized tool designed to audit firewalls and network devices.
  • Ongoing Change Management: Every three months, an updated firewall configuration and all change management documentation related to firewall changes are reviewed.
  • Reporting: Deliverables include an executive summary for Board or Audit committees and a supplemental report with technical details and findings for IT staff.
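The firewall rule set review described above (and under "Firewall and Router Analysis" in the internal scope) looks for conflicts between rules. As an added example that is not NETBankAudit's tool or methodology, the script below implements the basic check for a first-match ruleset: a later rule is shadowed when an earlier rule with the opposite action already matches every packet it covers, and redundant when the earlier rule has the same action. The rule format and the sample ruleset are constructed for illustration.

```python
"""Detect shadowed and redundant rules in a first-match firewall ruleset."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp", or "any"
    src: str                # source CIDR
    dst: str                # destination CIDR
    dport: tuple            # inclusive destination port range (low, high)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.proto not in ("any", inner.proto):
        return False
    if not ip_network(inner.src).subnet_of(ip_network(outer.src)):
        return False
    if not ip_network(inner.dst).subnet_of(ip_network(outer.dst)):
        return False
    return outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1]


def audit_ruleset(rules: list) -> list:
    """Walk rules in evaluation order; report each rule fully covered by an earlier one."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append({"rule": later.name, "by": earlier.name, "kind": kind})
                break  # the first covering rule decides the packet's fate
    return findings


# Constructed sample ruleset (hypothetical addresses, not from any real firewall)
SAMPLE_RULES = [
    Rule("R1", "deny", "tcp", "0.0.0.0/0", "10.10.5.0/24", (23, 23)),        # block telnet to servers
    Rule("R2", "allow", "any", "10.0.0.0/8", "10.10.5.0/24", (1, 65535)),    # broad internal allow
    Rule("R3", "allow", "tcp", "10.1.0.0/16", "10.10.5.0/24", (443, 443)),   # redundant: R2 already allows
    Rule("R4", "deny", "tcp", "10.2.0.0/16", "10.10.5.0/24", (3389, 3389)),  # shadowed: R2 allows first
    Rule("R5", "allow", "udp", "192.168.0.0/16", "10.10.5.53/32", (53, 53)), # no conflict
]

if __name__ == "__main__":
    for f in audit_ruleset(SAMPLE_RULES):
        print(f"{f['rule']} is {f['kind']} (covered by {f['by']})")
```

A rule flagged as shadowed never takes effect and usually signals a change-management error; a redundant rule is harmless but clutters the ruleset.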

Deliverables

Our assessment provides clear, actionable results to help you prioritize remediation and strengthen your security posture.

  • Comprehensive Reports: Assessment reports for internal and external environments, including all findings and recommendations.
  • Prioritized Remediation: Prioritized list of vulnerabilities and actionable recommendations.
  • Executive Summary: High-level summary and technical details for remediation.

  • Supplemental Reports: Additional reports for optional services such as wireless, firewall, and dark web assessments.

"NETBankAudit is more than just an audit firm. They take the time to truly understand your organization. By working as a partner they made recommendations that best fit our bank while helping us realize resources that were already at our disposal. The employees we work with are extremely knowledgeable and always available to assist."
Garrett Henry, Chief Information Technology Officer
Franklin Savings Bank
$822M total assets, FDIC regulated
"Our Auditor was accommodating when appropriate, but never at the expense of principle. She has my respect in every regard, and it is a privilege having her as a resource especially during exams. Our Engineer was great as well. He was able to perform the penetration testing and vulnerability scanning with little disruption to our team. This year’s engagement was on point as usual."
Beth Worrell, EVP, Chief Risk Officer
Skyline National Bank
$855M total assets, OCC regulated
"We were very satisfied with the model validation of our Verafin System. The NETBankAudit team was great to work with, very professional and kept us in the loop throughout the engagement. We will definitely consider working with them again for the annual validation."
Ken Helmrich, CAMS, CFCS
Kearny Bank
$7B total assets, FDIC regulated
"NETBankAudit provides us with top notch Information Security Professionals to allow us to continually improve our organization's security posture. Springs Valley is able to utilize them to stay abreast of the changing regulatory and cybersecurity landscape. It is great to have a reliable resource like them as a valued partner."
Craig Buse, CLO, COO
Springs Valley Bank & Trust Company
$494M total assets, FDIC regulated
"We appreciate working with professionals respected in the financial services community for their individual expertise and their attention to detail in the audit programs. Always accessible when we need their assistance."
Teresa Welty, SVP Internal Audit and Risk Officer
Capital Bank
$1.8B total assets, OCC Regulated
"We have been doing business with NETBankAudit since 2018 and their team of professionals have been amazing to work with. They are experienced, objective, and responsive in performing our audit. Plus, they have been readily available to assist us with any issues during regulatory exams."
Robin Harris, Vice President
Carolina Bank
$579M total assets, FDIC regulated
"The auditors have been very helpful and patient in giving us guidance with starting, developing, and improving our cybersecurity program. We have an active relationship with NETBankAudit and they are not just an audit firm. NETBankAudit wants us to succeed and not only meet regulatory requirements but understand them as well."
Leslie Nicely, Cybersecurity and BSA Officer
Highlands Community Bank
$172M total assets, FRB Regulated
"First Citizens National Bank selected NETBankAudit to provide audit services for Information Technology Systems in early 2005. Since that time, we have added cybersecurity, digital banking, and network penetration testing. NETBankAudit is not only our auditor, but our partner in developing new digital strategies, policies and procedures. When we are implementing anything digital, NETBankAudit is a resource we use to ensure we have covered all aspects of risk management."
Judy Long, President and COO
First Citizens National Bank
$2B total assets, OCC Regulated
"We were very satisfied with our first NETBankAudit experience and impressed with the thorough report. Working with our assigned auditor was a pleasure - he possesses great field experience and regulatory experience that was very helpful to us."
Dan Hagedorn, Audit Liaison/Compliance
International Bank of Chicago
$845M total assets, FDIC regulated
"NETBankAudit's auditor was very knowledgeable and explained clearly what was needed from our side to help complete the audit as well as providing clear recommendations on where we could improve our controls. The audit was done very professionally. Everyone here at SECU that interacted with NetBankAudit had the feeling of a partner."
Rodney Hill, VP Technology
Schlumberger Employees Credit Union
$945M total assets, NCUA regulated
"NETBankAudit serves as our internal auditing team. Their attention to detail and mastery of regulations are invaluable tools to our organization. During the audit, when they have a recommendation or finding, they partner with us and aid us in an internal audit liaison capacity. It is not a typical auditor firm’s approach, who just present their report and findings with limited direction or follow-up. NETBankAudit’s approach also helps us prepare for regulatory reviews with regular “heads-up” guidance and coaching. The examiners value NETBankAudit’s quality and depth of coverage and leverage the detailed audit work papers to facilitate the examination process."
Dave Kittleson, Director of IT
Arundel Federal Savings Bank
$444M total assets, OCC regulated
"We are very satisfied with NETBankAudit’s IT Audit services. The people we worked with are very personable, knowledgeable, and professional."
Sue Richardson, ISO
BayPort Credit Union
$2.2B total assets, NCUA regulated
"We've partnered with NETBankAudit for over 10 years. We know we'll always receive a thorough review, but the service is always above and beyond our expectations. NETBankAudit keeps us apprised of recent regulatory changes, potential exam issues, and other areas for focus. Engaging NETBankAudit is creating a partnership for the future."
Leslie Hambrick, CFSA, CRMA
Peoples Bank, Newton, NC
$1.5B total assets, FDIC regulated

Value-Add Consulting
Leveraging Decades of Industry Experience

As your trusted partner for compliance and security, our audits include informed recommendations for improvement.
How NETBankAudit Delivers Value-Add Consulting:

Our Value-Add approach to auditing and compliance provides tailored, actionable advice drawn from our experts' practical industry experiences.

  • Senior-level auditing team, with each member bringing 10+ years of industry and regulatory experience.
  • Our team has broad expertise, with certifications including CISA, CISSP, CISM, CRISC and more.