Security Services Tailored for the Financial Sector
As expected, financial services organizations face more security threats than most others. Raxis understands the threats that face banks, credit unions, and card processors, and we have performed hundreds of penetration tests specifically in this area, often achieving customer data exfiltration as well as transferring funds outside of the financial institution. We have breached ATM devices, defeated two-factor authentication (2FA) on financial applications, and transferred funds between accounts by providing our own "supervisor" approval. If this were to happen outside of our controlled testing arrangement, a real breach could create costly compliance fines, reputation damage, and shareholder anxiety.
Raxis financial customers include numerous banks and credit unions, from just a few branches in one state to hundreds across the country. We've worked extensively with our banking customers to ensure that ongoing operations are not impacted while we provide the best penetration test possible. We do not post names of our customers for security reasons; however, we'd be glad to provide reference customer contact information upon request and under NDA.
Financial & GLBA Penetration Testing
GLBA Compliance Requirements
The Gramm-Leach-Bliley Act (GLBA) includes provisions to protect consumers' financial and personal information that may be stored or handled by financial institutions. These provisions require that financial organizations ensure the security and confidentiality of customer information, protect against threats to the security of this information, and protect against unauthorized access to those records. In order to enforce GLBA, the Federal Trade Commission (FTC) issued the Privacy Rule and the Safeguards Rule, which require financial institutions to maintain a comprehensive information security program to protect the privacy and integrity of customer data.
Penetration Testing for Compliance
Raxis has performed hundreds of penetration tests against financial institutions and has designed a methodology specifically to meet compliance standards and protect Personally Identifiable Information (PII). In addition to GLBA, financial organizations often need to meet other standards, such as PCI or Sarbanes-Oxley (SOX). Raxis can combine the pentesting procedures from multiple compliance standards so that a single penetration test satisfies all of them. In addition to pentesting, a social engineering engagement is also used to demonstrate the effectiveness of the protections and controls the organization uses to safeguard consumer PII.
Financial Penetration Testing Features
- Reviewing the business processes used by applications to ensure the security and confidentiality of customer records
- Exploiting vulnerabilities in unpatched systems to gain further system access or customer data
- Brute forcing available login forms such as web pages and other remote services
- Testing malicious injection and session mismanagement on available websites
- Working closely with your remediation team to ensure findings are addressed for compliance documentation
- Documenting successful and failed attempts to access customer records for compliance use
- And, if obtained, cracking password hashes to be leveraged for additional access
Download our Penetration Testing Service Brief (PDF) for more information.
Penetration Testing Services
External: External manual penetration testing performs actual hacking attacks against your internet presence to the highest level of detail, including every application and port.
Internal: Internal manual penetration testing attacks your internal defenses as a rogue employee, contractor, or other third party.
Web Application: Raxis provides extreme focus on hacking your web application to determine if there are coding errors that could cause privilege escalation or a data breach.
Wireless: Raxis will attempt to breach your wireless network controls, including the setup of a cloned access point to obtain user password hashes.
API: Raxis performs extensive manual testing of web service calls using real-world hacking techniques to ensure input controls are operating as they should.
Mobile: Using the developer API, rooted devices, and MitM proxies, Raxis attempts to extract critical data from your mobile application.
Transporter Remote Access
Raxis Transporter provides an easy to deploy "virtual wire" network connection to our manual penetration testers, vulnerability assessors, and R3 incident response team.
On-Site Penetration Testing
Sometimes it's necessary to be on-site to get access to internal networks or examine a breach first hand. No problem, our consultants will fly to you.
A Smarter Way to Stay Secure
Learn how hacking can help find and fix security gaps you never knew about.