Network Penetration and Testing in A Rural Banking Environment in Ghana


Volume 5, Issue 7, July – 2020 International Journal of Innovative Science and Research Technology

ISSN No:-2456-2165

1st Wellington Amponsah
Dept. of Computer Science and Engineering
Shaheed Udham Singh College of Engineering and Technology Tangori
Mohali, India

2nd Simon Amonovi
Dept. of Electrical and Engineering
Koforidua Technical University
Koforidua, Ghana

3rd Kwabena Gyeke-Lartey
Dept. of Computer Science
KNUST, Kumasi

4th Taiwo E. Ajagunsegun
Dept. of CSE
Shaheed Udham Singh College of Engineering and Technology Tangori
Mohali, India

Abstract:- Ghana's banking sector has seen much improvement, as evidenced by the establishment of Commercial Banks, Rural and Community Banks and Savings and Loans. Cyber-threats and the measures necessary to counter them in the banking industry are the major security issue of the hour that the bank is facing. Information security is vital, and becomes more critical when a bank wants to implement and apply IT in its operations. Penetration and testing uses the techniques that hackers employ in penetrating a network system to verify the presence of vulnerabilities in the network. This research demonstrates how to assess the security strength of the Bank and reveal the vulnerabilities and possible exploits in the security of its internal network, as well as misconfiguration of its firewall, using penetration testing.

Keywords:- Network Security, Cyber Security, Penetration And Testing, Virtual Private Network.

I. INTRODUCTION

The banking sector of the country has witnessed much improvement. This improvement has brought numerous commercial Banks, Rural and Community Banks (RCBs) and Savings and Loans. The Rural and Community Banks (RCBs) were first established in Ghana in 1976 to provide banking services to the rural population, to provide credit to small-scale farmers and businesses, and to support development projects in the rural communities. The RCBs are locally owned and managed [1]. In 1981 about 30 existing RCBs formed the Association of Rural Banks (ARB) to serve as a networking forum and as a network of institutions sharing a common mission. The ARB promoted and represented the RCBs and also provided training services to member RCBs [1]. [1][2] The Rural and Community Banks are supervised by the clearing ARB Apex Bank under the regulation of the Bank of Ghana, which owns shares in the Banks. According to [3] the country currently has 144 Rural and Community Banks, with their respective branches spread across the country. [4][5] A Rural Bank is a unit bank with limited liability under the Ghana Company's Act. It can be defined as a rural financial institution, cooperative or community bank which mobilizes savings and provides customized financial services to rural communities within its area of operation.

Technology has become the main driving tool for our national development and is now applied in all forms of our lives. It is applied in the financial field, the health sector, the educational sector, etc. Protecting data and providing security for it is one of the major challenges facing the industry. In the banking industry, network and data security is one of the challenges affecting the industry.

Ghana is now maturing in the field of cyber security, and this has been described by the World Bank, in collaboration with the Global Cyber Security Capacity Centre (GCSCC), as being at the formative level. A finding from the assessment is evidenced in the implementation of a number of initiatives, including the formal adoption of a National Cyber Security Policy & Strategy (NCSPS) in 2016, and the National Cybersecurity Institutional Framework (NCIF). In addition, a National Cybersecurity Advisor was appointed to coordinate cybersecurity issues in government and across non-governmental sectors.

The use of the internet in Ghana is experiencing huge patronage. It is now being used in most of our institutions to enhance their operations and service provision. In the Ghanaian banking industry, information technology has now been recognized as the life wire of the Banks, since it simplifies and supports their performance. This has made it very demanding for the Banks to fully adopt information technology in their operations for customer satisfaction, reputation and performance in the financial market. This in turn demands a high level of network and information security in banking services, to protect and secure the systems that maintain information vital to the Banks' operations.

IJISRT20JUL162 www.ijisrt.com 73
II. PROBLEM STATEMENT

Information security is vital, and becomes more critical when a bank wants to implement and apply IT in its operations. The demand for the application of information and communication technology in the banks is to create more business and ease of operations. Inadequate security measures and an insecure network affect the confidence of customers and their ability and willingness to transact any kind of business with the Bank. This is a major threat to the growth of the banks in the country as a whole. Customer information is very vital and is treated as a valuable asset. Hackers with information about the network of the Bank, staff information and even customer information can perform many transactions in the name of these staff and customers. Information which can be stolen includes their date of birth, social security number, tax identification numbers, address, staff login details, etc.

Cyber-threats and the measures necessary to counter them in the banking industry are the major security issue of the hour that the bank is facing. This is because there have been a number of attacks on the networks of various Banks, carried out in an organized and very dangerous way, and this calls for serious attention and consideration.

Priority and attention have not been given to the security of the information system of the bank. Hacking attacks on Banks' networks in Ghana have increased drastically in recent days and in a very sophisticated manner. The attacks on the bank's information system have become more frequent, better organized and more dangerous. Protecting the digital assets of the bank has not been a priority or concern, and access to this information by hackers will affect the reputation of the Bank and compromise its intellectual property.

This is because ports on the network have been left open, since the staff rely on firewalls or have no knowledge of the various ports that are open on the network. These open ports are being scanned by hackers and exploited for vulnerabilities, which is the means of locating and identifying specific weaknesses in the network of the bank and in the services that are being run. The Bank becomes vulnerable to hacking because it does not employ secure information security systems or intrusion detection systems to protect its data.

IT staff of the bank have no knowledge of or background in security, and a few checks of the vacancies declared by the banks in the country show that they only requested people with a BSc/HND Computer Science, IT, MIS or MBA background. None of the RCBs has a staff member dedicated to cyber security or network security to handle security issues of the bank.

Technologies are constantly evolving and growing, at a rate so rapid that one can have a difficult time keeping up. Antivirus that is aimed at protecting one computer is often found to be out of date. Most of the RCBs use free and outdated VPNs.

III. OBJECTIVE

This research is to show how to assess the security strength of the Bank and reveal the vulnerabilities, loopholes and possible exploits in the security of its internal network, as well as misconfiguration of its firewall, using a penetration testing approach. This will make it possible to identify security flaws and to understand the level of risk, the vulnerabilities and the exploits, in order to secure the network. It also serves to secure important data from intruders such as hackers, who may gain unauthorized access to the application and exploit the network to access sensitive information if any kind of vulnerability is identified. It is also to provide evidence in support of increased investment in security personnel and technology.

IV. ABOUT THE AKUAPEM RURAL BANK

Akuapem Rural Bank was established in 1980 to help rural dwellers. The Bank was awarded 64th position in the Ghana Investment Promotion Centre (GIPC) Ghana Club 100 awards. The bank also won the maiden Association of Rural Banks award for the best Eastern Region RCB. The goal of the Bank is to become the best Rural Bank in Ghana, and its corporate values are honesty, responsibility, dependability and motivation. As part of government policy, the Bank has its main data center at Apex Bank. However, the bank also has its own internal data center, which is linked to the main data center at Apex Bank. The Bank has an application called Jboss services deployed on its server and at other branches. The Bank's data center is connected to the Apex Bank data center through a Wide Area Network, and the communication channel is through Multiple Layer Switching (MPLS) radio and Very Small Aperture Terminal (VSAT). The Bank uses wireless communication across all the offices and their surroundings. Customers can access online account balances through the U-connect application, which can be downloaded from the Google Play Store. The Bank does most of the network and system security itself with regard to storage and WAN. The SUSU application is developed by the bank. The network connects through Comsys Ghana, as ISP, to Apex Bank. Comsys provides data communication and internet communication. The data center connects to Apex for its banking application and other auxiliary products, while the internet connects to the outside world.

V. LIMITATION OF THE STUDY

As part of this research, the objective is to present how network penetration testing of the Bank can be done. The penetration testing procedure shall not involve attacking the Bank's network structure and security system. This is only to help IT staff to understand and undertake penetration and testing of the network in a banking environment. It will help them obtain the knowledge to secure the network of the bank and to adopt a network penetration and testing approach to identify vulnerabilities in the system.

VI. NETWORK SECURITY

[6] It is the monitoring of the network and the prevention of unauthorized use of network resources. The security tasks are managed by the network administrator. These include policies and practices which are adopted to prevent and monitor unauthorized access to the network, misuse of network resources and their modification, and denial of a computer service on the network and of network-accessible resources. It protects the usability and integrity of your network and data. Network security includes both hardware and software technologies.

Effective network security manages access to the network, targets a variety of threats and stops them from entering or spreading on the network. Network security combines multiple layers of defenses at the entry point to the network and within the network. Each of the layers implements policies and controls. It provides authorized users with access to network resources and blocks malicious actors from carrying out exploits and threats.

VII. CYBER SECURITY

[7] It is the process whereby you protect yourself online, as well as your entire online presence. The means of protecting yourself on the internet include the installation of current and updated antivirus on the computers and the use of a virtual private network (VPN). It also includes day-to-day activities such as protecting your password, email details and passwords of users, amongst others. The essence of knowledge in cyber security is to protect the individuals in the bank, computers, networks, programs and data from unauthorized access to banking information. Cyber security does not take a one-size-fits-all approach. What works for one computer system may not necessarily provide full protection to another. Technologies are constantly evolving and growing, at a rate so rapid that one can have a difficult time keeping up. Antivirus software that may have protected an older computer that you had five years ago may not protect you adequately on the computer that you have now. An encryption program or VPN that promises to keep you safe online may leave you exposed to undetected threats, possibly those originating in other countries.

VIII. PENETRATION AND TESTING

Penetration testing refers to the testing of a network system, cyber system or application to detect weaknesses that may be exploited by a malicious hacker. The term "penetration testing" refers to testing the security of a computer system and/or software application by attempting to compromise its security, and in particular the security of the underlying operating system and network component configurations. According to [ken], the de facto stewardship of penetration testing tools and processes by IT Security organizations is significant, and has afforded IT Security people the opportunity to test a computer's and an application's configurations from afar, as a sort of independent audit function. During penetration and testing, one is essentially trying to gain access to a system without having any usernames, passwords or other credentials of the system, and to obtain vital information. The aim is to see how easy it would be for one to obtain confidential information about an organization, and then to increase the security of the network system or information security system that is being tested. In simple words, penetration testing, also known as pen testing, is the process of testing the network and other applications for vulnerabilities. The main purpose of this test is to secure the network or important data from outsiders like hackers, who can gain unauthorized access to the application and exploit the network to access sensitive information if any kind of vulnerability is identified within it. Generally, vulnerabilities are introduced by accident during configuration of the network security and during development and implementation of the system and applications. Common vulnerabilities include configuration errors, application bugs and design errors. Testers use different sophisticated tools and advanced knowledge of IT to identify the behavior of an attacker who penetrates the client's network and its applications to obtain information and access to higher permissions without proper authorization. Penetration testing tools are used to identify standard vulnerabilities in the application. These tools will scan code to check whether there is any malicious code present in the system network by examining data encryption techniques and figuring out different hard-coded values like username and password.

A. Types Of Network Penetration and Testing

The type of network penetration and testing selected depends on the purpose and scope set by the Bank: whether the Bank wants to simulate an attack by its employees, by a network administrator or by external sources.

Generally, there are three different types of network penetration and testing. These are black-box, white-box and grey-box penetration and testing. In black-box penetration and testing, the pen tester is not provided with much information about the application he/she is going to test at the bank. The tester has full responsibility for collating information about the bank's network, systems and the applications running on the network.

White-box penetration and testing is where the tester is provided by the bank with all the required and necessary information concerning the network, the implemented systems and applications, and the type of operating system and their details. It simulates an attack by an internal source.

In grey-box penetration testing, the tester has partial knowledge of the application or the network system, and it can be considered as an attack by an external hacker who has gained illegitimate access to the Bank's network infrastructure details. [10] The penetration tester is provided with information such as the hostnames, some selected internet protocol addresses and the people that are allowed to connect to the Bank's network remotely. The penetration tester is given as much common information as a normal user can know. It is the combination of both the white-box and the black-box testing approaches during penetration testing. The penetration tester is provided with some basic details of the target; however, internal workings and some other privileged information are still kept from the penetration tester. Real attackers tend to have some information about a target prior to engaging the target. Most attackers do not choose random targets. They are motivated and have usually interacted in some way with their target before attempting an attack. Grey box is an attractive approach for many conducting penetration tests because it mimics real-world approaches used by attackers and focuses more on vulnerabilities than on reconnaissance.

B. How Penetration and Testing can be done

The process of penetration and testing follows a methodology that is accepted globally. In order to perform penetration and testing on the Bank's network, the following steps should be adopted, as explained below.

• Reconnaissance
The first stage in network penetration and testing is reconnaissance. This involves defining the scope and goal of the test, the systems to be addressed and the methods to be used in the process. [8] Reconnaissance defines the target environment based on the scope of work, and once the target is identified, research is performed to gather intelligence on the target, such as which ports are in use and the services being run, the network diagram, Internet Protocol addresses, devices operating in the network, and applications, services and their versions. It also exposes the security defense systems the Bank has implemented, such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).

• Scanning
[9] Scanning is a method for bulk target assessment. It is used to discover the live IP addresses in the network, to discover the open ports on the machines, to fingerprint the services and to detect the vulnerabilities, which is done by the vulnerability scanners. [10] The fundamental goal of scanning is to identify potential targets for security holes and vulnerabilities of the target host or network. There are many tools that are available for scanning our network, such as ncat and nmap. The most popular scanning tool is the network mapper, which is called Nmap. The Nmap tool can be used in combination with other tools such as the Metasploit framework to determine the available ports, the services, the service types and their versions. Nmap is able to identify whether a host is alive or dead even if ICMP is completely down on the network. Nmap is free in Kali Linux and can also be used on Windows. It is important to know that the type of scanning to perform determines the type of scanning such as scanning and bypassing firewalls will require

• Identification of system vulnerabilities
After the scanning of all available devices on the network is completed, the pen tester undertakes vulnerability assessments, which are to identify vulnerabilities in the system which can be exploited. [11] Vulnerability assessment is the process of identifying the vulnerabilities in a system, and is conducted on behalf of the organization. Threats present in the system will be identified. [10] The vulnerability phase is started after some hosts are identified via nmap scans or another scanning tool following the reconnaissance. Some of the best tools for vulnerability scanning are Nessus, Nikto, Metasploit and the Open Vulnerability Assessment System (OpenVAS). OpenVAS is an open-source vulnerability scanner which employs the Nessus Attack Scripting Language (NASL). Finding the vulnerability allows the users to access complete information on the network.

• Reporting
Writing a report and stating all important activities is the final phase of penetration and testing. The findings are conveyed to the managers of the Banks in a very meaningful manner. The managers are made aware of the good things and the bad things and of what has to be done to improve their security. This report must be in clear language which non-technical staff can easily understand. Kali Linux has several tools that are available to deliver information found during the penetration testing.

IX. CONCLUSION

It is recommended that the Bank runs regular and consistent penetration and testing of its network security and relevant applications. The penetration and testing activity is to prevent hackers or intruders from tampering with the information resources of the bank.

It is hereby concluded that it is very necessary to ensure that information security breaches are detected as early as possible. Threats should be detected in a timely manner, which will make the bank's network system robust enough to prevent hackers' attacks. There must also be a quick and timely response, to enable the Bank to prevent and mitigate the damage that may be caused by attackers of the system. This is to help check how well the network is secured against extremely well-trained hackers who attack the network with determined stealth. This will enable the bank to train its information security team to be proactive in the identification of attacks and the reaction to threats.

REFERENCES

[1]. Tsamenyi Matthew and Shazard Uddin, "The case of rural banks in Ghana: Corporate Governance in Less Developed and Emerging Economies". Emerald Group Publishing. pp. 311–334. ISBN 978-1-84855-252-4
[2]. Akwasi A. Boateng, Kennedy Annoh-Koranchie, and Eric Hayford, "An Appraisal of rural and community banks in Ghana", www.iiste.org ISSN 2224-607X (Paper) ISSN 2225-0565 (Online) Vol.6, No.6, 2016
[3]. Bank of Ghana report, "List of rural banks". https://www.bog.gov.gh [Accessed: January, 2019 online]
[4]. Alok Kumar and Alimany Contte, "Financial and accounting manual for Rural banks," https://www.microfinancegateway.org/sites/ [Accessed: January, 2019]
[5]. R. Nicole, "Title of paper with only first word capitalized," J. Name Stand. Abbrev., in press.
[6]. Y. Yorozu, M. Hirano, K. Oka, and Y. Tagawa, "Electron spectroscopy studies on magneto-optical media and plastic substrate interface," IEEE Transl. J. Magn. Japan, vol. 2, pp. 740–741, August 1987 [Digests 9th Annual Conf. Magnetics Japan, p. 301, 1982].
[7]. Waleed Al Shehri, "A Survey On Security In Wireless Sensor Networks", International Journal of Network Security & Its Applications (IJNSA) Vol.9, No.1, January 2017 DOI: 10.5121/ijnsa.2017.9103 25
[8]. Georgia Weidman, "Penetration Testing: A hands-on introduction to hacking"
[9]. Chaitra N. Shivayogimath, "An overview of network penetration testing". IJRET eISSN: 2319-1163 | pISSN: 2321-7308
[10]. Timothy P. Layton, Sr., "Penetration Studies–A Technical Overview". URL: http://www.sans.org/readingroom/whitepapers/testing/penetration-studies-technicaloverview-267
[11]. Vulnerability assessment, www.en.wikipedia.org/wiki/Vulnerability_assessment
[12]. Simon Parkinson and Andrews Crampton, "Guide to Vulnerability Analysis for Computer Networks and Systems"
