Penetration Testing for Compliance
We go beyond “check-box security” with a rapid, rigorous pentest to get you approved
Compliance Penetration Testing done right
Raxis makes compliance-driven penetration testing easy for you, while strengthening your cybersecurity posture as intended.
PCI has specific requirements
Raxis provides top-tier PCI penetration testing services designed to meet the PCI DSS standards while working within aggressive business timelines. Though we are faster than our competition, we don’t cut corners. Instead, we’ve streamlined our sales process, implemented faster scheduling, and developed a tried-and-true process for quality reviews. In addition, we include remediation testing with our PCI pentest package, which means we also provide the report you need to submit to your QSA.
As part of PCI penetration testing, Raxis performs segmentation testing to prove separation between PCI in-scope and out-of-scope assets. This is often required as part of a PCI penetration test.
Re-test to validate remediation
Once findings have been corrected, PCI DSS requires that a repeat test be performed to validate the remediation. Raxis includes re-testing as part of our PCI penetration testing program.
Also, our PTaaS meets PCI DSS standards
Our PTaaS offering performs one or more manual penetration tests per year, which meets PCI requirements. We’ll perform segmentation testing, application level testing, and provide a PCI compliant report. Unlike many others that provide an automated scan, Raxis PTaaS is manual penetration testing using Raxis One for communication, report delivery, and asset tracking.
We specialize in banking and financial services Penetration Testing
Unfortunately, it’s not just the banks that are being targeted. Recent data breach numbers indicate hackers are targeting the entire financial sector. It’s one of our favorite sectors because we can easily demonstrate value and make a strong impact. We’re here to help make sure the hackers move to an easier target than you.
Multiple programs require or recommend penetration testing for the financial industry
FTC GLBA: The Federal Trade Commission requires annual penetration testing under the Gramm-Leach-Bliley Act (GLBA) as of 2022. Also, the rule has been expanded to include companies engaged in “activities incidental to financial activity.” We’ve worked with banks, lenders, mortgage brokers, collection agencies, and investment firms to help them meet penetration testing requirements.
UCF 00654: Establish, implement, and maintain a testing program. This includes red team exercises, penetration testing, vulnerability scanning, testing technology and people controls, using a third party to conduct these tests, and remediation of any findings.
UCF 00655: Perform penetration tests, as necessary. This includes access controls, security vulnerabilities, application layer testing, segmentation testing, and remediation of findings.
FFIEC Information Technology Handbook: Provides guidance to financial institutions on security controls and addresses factors necessary to assess the level of security risk to a financial institution’s information systems.
PCI DSS: PCI has specific security and testing standards that are required to process credit card transactions.
Humanity and technology: We protect where they intersect
Here’s a scary truth no one wants to hear: Our health care organizations are vulnerable to catastrophic cyberattack. Even systems directly connected to patients are not beyond the reach of a determined hacker. At Raxis, we know this because we’ve hacked those very systems and exploited their weak points. We didn’t cause any problems, but we proved that the bad guys could.
Raxis often uncovers security vulnerabilities and configuration errors within medical-related systems that surprise our customers. We have breached internal medical systems holding patient records, payment systems managing insurance and credit card data, and embedded systems that are critical for patient health monitoring. Whether you’re confident you’ve closed most of the security gaps, or you have no idea where to start, a medical penetration test from Raxis will provide valuable information on where your security risks are so that you can remediate them.
Experience with healthcare systems makes the difference
We’ve often heard our customers say that their previous penetration test wasn’t effective because the testers didn’t understand the differences in medical systems. Raxis has specialized experience with testing hospitals and medical facilities, including systems used for health monitoring, prescription management, and patient portals. Our list of satisfied customers spans the entire medical industry, including hospitals, doctors’ offices, medical facilities, insurers, and pharmaceutical companies.
HIPAA and Meaningful Use compliance are often the reason our medical customers contact us for security services. While it’s not required to use a third party for the penetration test, a third party can often help reveal hidden security vulnerabilities that you never knew existed. Adversaries are looking for PHI as well as ways to disrupt operations, and a breach could result in significant cost or health risks for patients.
Meet requirements, save money, and reduce risk
Actuarial data is at the heart of the insurance industry and for good reason: Working with large sample populations, insurers can accurately determine the likelihood and severity of a covered event and set rates accordingly.
That’s why many cybersecurity insurance companies and underwriters are requiring penetration tests before writing policies. The security questionnaires they include may seem like check-the-box forms; however, the intention is to help organizations realize the need to identify their vulnerabilities and remediate them to reduce risk.
Cybersecurity spending is not an accurate measure of preparedness
One crude method of assessing risk is comparing a company’s spending on cybersecurity to its total revenue, total IT expenditures, or some other benchmark. Though it would seem logical that companies that spend more money on cybersecurity are more prepared, that isn’t necessarily the case. With more than a decade of experience and thousands of pentests under our belts, the Raxis team has seen countless examples of companies over-investing in the wrong cybersecurity technology, leaving parts of their attack surfaces unprotected, and/or implementing counterproductive security policies (or not enforcing effective ones).
Either continuously or on demand, Raxis One shows a clear picture of an organization’s attack surface. It’s an organized, simple-to-understand view that represents the same perspective an outsider would have of the organization when attempting to launch an attack.
Different approaches to meet compliance standards
We will help you determine which type of test is best for your compliance specification.
Black-box: No information is provided by the client: no IP addresses, no applications, and no system descriptions. Although it’s the most realistic form of pentesting and is used frequently on other tests, the black-box pentest is often not very useful for PCI pentesting.
Grey-box: The customer provides partial details of the in-scope assets. In a grey-box test, we are typically provided an IP range to ensure we are testing the right resources; however, nothing else is disclosed. This is common in PCI pentesting.
Full disclosure: The customer provides full details of the network and applications deemed in scope. Normally this includes IP ranges and application descriptions in order to focus the testing on a particular area. This is common in PCI pentesting of credit card applications.