Penetration Testing in the Financial Services Industry
Unfortunately, it’s not just the banks that are being targeted. Recent data breach numbers indicate hackers are targeting the entire financial sector. It's one of our favorite sectors because we can easily demonstrate value and make a strong impact.
We’re here to help make sure the hackers move to an easier target than you.
Are you getting your money’s worth for your cybersecurity investments? How do you know for sure?
Data breaches continue to rise year after year. As a result, regulations are growing in number and complexity to mitigate the risks. While it may seem as though hackers are only interested in stealing money, they are more often after Personally Identifiable Information (PII), which can be used to open fraudulent bank accounts under the victim’s identity. The pace of new banking cybersecurity recommendations has accelerated over the past few years in an attempt to thwart the ever-increasing threats. From best practices to annual testing requirements, there are many very specific security procedures that must be followed in order to remain compliant and, hopefully, safe from outside attacks.
Regulatory Drivers for Pentesting
Since 2011, Raxis has been performing pentesting for financial operations across the country. We’ve assisted banks, investment companies, credit card processing organizations, and asset trading operations. From our experience, we see two major areas of risk: failure to follow business processes and errors in information system operations. Often employees are too willing to help or are unsure of the proper procedure, and this usually gets our foot in the door for a larger compromise. We also uncover security vulnerabilities that provide access we then leverage for a larger breach.
Passing a penetration test means the tester was unable to exploit any aspect of your in-scope systems. It’s the best way to validate that your security processes are doing what you’ve designed them to do. It is important to note that a penetration test is very different from a vulnerability scan, though many customers, and even providers, blur the line between them. A penetration test is a realistic simulation of a real hacker trying to breach your systems, while a vulnerability scan validates that your security controls are operating properly through the use of a software analysis tool. Further, the skills required for penetration testing and vulnerability scanning are substantially different: the penetration tester must be well versed in current attack techniques and able to adapt to different technology environments.
FTC GLBA: The Federal Trade Commission requires annual penetration testing under the Gramm-Leach-Bliley Act (GLBA) as of 2022. Also, the rule has been expanded to include companies engaged in “activities incidental to financial activity.” We’ve worked with banks, lenders, mortgage brokers, collection agencies, and investment firms to help them meet penetration testing requirements.
UCF 00654: Establish, implement, and maintain a testing program. This includes red team exercises, penetration testing, vulnerability scanning, testing technology and people controls, using a third party to conduct these tests, and remediation of any findings.
UCF 00655: Perform penetration tests, as necessary. This includes access controls, security vulnerabilities, application layer testing, segmentation testing, and remediation of findings.
FFIEC Information Technology Handbook: Provides guidance to financial institutions on security controls and addresses factors necessary to assess the level of security risk to a financial institution’s information systems.
PCI DSS: The Payment Card Industry Data Security Standard sets specific security and testing requirements that must be met in order to process credit card transactions.