The banking and financial sectors are prime targets for cybercriminals. Some of the largest banks have been hacked, and as technology evolves it is getting much harder to keep up with cybersecurity requirements. We have worked with several banks and financial institutions and can demonstrate our case here:

Cybersecurity Testing for a Bank

Effective cybersecurity is always a work in progress. Even when you have layered security protocols in place to keep malicious actors out, hackers are always looking for a way into your network. A recent case we handled for a large banking institution illustrates why a proactive, third-party security approach to assessing your state of security, rather than assuming all is well, is an important part of keeping your organization safe.

The Scenario

Banks are understandably among the businesses most likely to be a target for cybercriminals looking for a quick buck. Being able to drain customer accounts with the right stolen access credentials or surreptitiously installed malware is a strong motive for hackers to find a way to worm their way inside a bank’s defenses. Understandably, most financial institutions devote considerable resources to trying to ensure this doesn’t happen, which makes them difficult targets.

However, the potential payout is so high that malicious actors continue to try to find any possible way inside their defenses.

America’s banking sector is a prime target for cyber criminals. How vulnerable is your banking or financial institution?

Knowing this, our client hired Petronella Technology Group (PTG) to do a thorough assessment of their state of cybersecurity readiness. I cannot state strongly enough that this is exactly what businesses SHOULD be doing. When it comes to cybersecurity, prevention is ALWAYS better than incident response. Our project included:

  • Internal and external penetration testing
  • Vulnerability scanning
  • Manual exploitation
  • On-site and phone-based social engineering for bank staff
  • Email phishing tests against bank staff

As part of our testing efforts, PTG constructed a fully functional, custom lookalike website to mimic the bank’s site; the only difference was that we replaced the normal “.com” domain name extension with “.us”. This tactic supported our social engineering and phishing exercises, allowing us to send anyone duped by our attempts to the alternate site under our control.
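The “.com” to “.us” swap described above is exactly the kind of domain a mail gateway or link-scanning step should be able to flag before a staff member ever sees it. The following is an added example, not code from PTG or from the engagement, showing how a defender can classify hostnames found in inbound links against the institution’s legitimate domain. `examplebank.com` is an assumed placeholder for the real domain, and the check assumes a single-label public suffix (for `.co.uk`-style suffixes a public-suffix list would be needed).

```python
from urllib.parse import urlparse

# Assumed placeholder for the institution's real domain (not a value from the page).
LEGIT_DOMAIN = "examplebank.com"


def hostname_of(url: str) -> str:
    """Extract a normalised hostname; bare hosts without a scheme are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def classify_host(host: str, legit: str = LEGIT_DOMAIN) -> str:
    """Classify a hostname relative to the legitimate registrable domain.

    Assumes `legit` has a single-label public suffix (e.g. ".com"). For
    multi-label suffixes such as ".co.uk", split with a public-suffix list.
    """
    legit = legit.lower()
    legit_label, legit_tld = legit.rsplit(".", 1)
    if host == legit or host.endswith("." + legit):
        return "legitimate"            # the real site or one of its subdomains
    labels = host.split(".")
    if len(labels) >= 2 and labels[-2] == legit_label and labels[-1] != legit_tld:
        return "lookalike_tld"         # same name, different TLD (the .com -> .us trick)
    if any(legit_label in label for label in labels):
        return "lookalike_label"       # brand name embedded elsewhere in the hostname
    return "unrelated"


def scan_links(urls, legit: str = LEGIT_DOMAIN) -> dict:
    """Map each URL to its classification. Anything other than 'legitimate'
    or 'unrelated' is worth a closer look by the mail-security team."""
    return {url: classify_host(hostname_of(url), legit) for url in urls}


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing email.
    sample = [
        "https://www.examplebank.com/login",
        "https://examplebank.us/login",
        "http://examplebank.com.verify-login.test/",
        "https://example.org/",
    ]
    for url, verdict in scan_links(sample).items():
        print(f"{verdict:16} {url}")
```

The `lookalike_tld` verdict is the case from this engagement; `lookalike_label` catches the related trick of burying the real domain inside a longer hostname, and `legitimate` covers the real site and its subdomains so the check does not generate noise on normal bank links.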


Social Engineering: The Results

We often say that the human element is the weakest link in any cybersecurity setup, and this proved to be true in this test. Our efforts to set up a dummy site were fruitful, enabling us to trick several bank employees, who were already extremely well trained in guarding against the types of attacks we were attempting. Once we gained their trust, PTG cybersecurity engineers could have persuaded them to install malicious software such as keylogger malware and/or ransomware, which would have magnified the damage done by the initial security breach.

Additionally, PTG was able to trick on-site bank employees into escalating our access to the communications closet where the expensive servers and equipment that run the bank are kept. This could have allowed PTG to physically disconnect or damage equipment wiring, disrupt power, cause devastating downtime to the bank’s network, and more.


On top of the successful efforts to exploit avenues of human weakness, PTG detected ongoing assaults against the bank’s cybersecurity defenses. PTG’s extended detection and response (XDR) platform and security operations center (SOC) team were able to gather evidence of brute force attacks against administrator accounts, as well as traffic transmissions tying those attempts to adversarial countries.
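The brute force evidence mentioned above is the kind of signal an XDR platform or SOC surfaces by correlating failed logins per source address and account over a short window. The following is an added example, not PTG’s platform or any code from the engagement, that runs that logic over a constructed set of sshd-style authentication log lines. The admin account names, the 60-second window, the threshold of five failures, and the “high-risk network” list (a stand-in for the geolocation or threat-intelligence enrichment that tied the real attempts to foreign sources) are all assumptions; the IP addresses are from the RFC 5737 documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the page). Addresses are from
# the RFC 5737 documentation ranges and stand in for real source IPs.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host1 sshd[2201]: Failed password for administrator from 203.0.113.7 port 50111
2024-05-01T10:00:03Z host1 sshd[2202]: Failed password for administrator from 203.0.113.7 port 50112
2024-05-01T10:00:04Z host1 sshd[2203]: Failed password for administrator from 203.0.113.7 port 50113
2024-05-01T10:00:06Z host1 sshd[2204]: Failed password for administrator from 203.0.113.7 port 50114
2024-05-01T10:00:07Z host1 sshd[2205]: Failed password for administrator from 203.0.113.7 port 50115
2024-05-01T10:00:09Z host1 sshd[2206]: Failed password for administrator from 203.0.113.7 port 50116
2024-05-01T10:00:15Z host1 sshd[2207]: Failed password for jdoe from 198.51.100.5 port 40001
2024-05-01T10:00:20Z host1 sshd[2208]: Accepted password for jdoe from 198.51.100.5 port 40002
2024-05-01T10:01:00Z host1 sshd[2209]: Failed password for root from 192.0.2.9 port 30001
2024-05-01T10:03:00Z host1 sshd[2210]: Failed password for root from 192.0.2.9 port 30002
2024-05-01T10:05:00Z host1 sshd[2211]: Failed password for root from 192.0.2.9 port 30003
2024-05-01T10:07:00Z host1 sshd[2212]: Failed password for root from 192.0.2.9 port 30004
2024-05-01T10:09:00Z host1 sshd[2213]: Failed password for root from 192.0.2.9 port 30005
2024-05-01T10:09:30Z host1 sshd[2214]: Accepted password for administrator from 203.0.113.7 port 50117
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumed configuration (placeholders, not values from the page): privileged
# accounts to watch, and source networks the SOC treats as high-risk in place
# of the geo/threat-intel enrichment an XDR platform would supply.
ADMIN_ACCOUNTS = {"administrator", "root", "admin"}
HIGH_RISK_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line):
    """Return (timestamp, result, user, ip) for an sshd auth line, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]


def is_high_risk(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HIGH_RISK_NETWORKS)


def severity(user, ip):
    """Raise severity for privileged targets and for high-risk source networks."""
    score = 1 + int(user in ADMIN_ACCOUNTS) + int(is_high_risk(ip))
    return {1: "low", 2: "medium", 3: "high"}[score]


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window failed-login detector.

    Emits one 'brute_force' alert per (source IP, account) once `threshold`
    failures land inside `window`, and a 'success_after_brute_force' alert if
    that same pair later authenticates successfully.
    """
    failures = defaultdict(deque)   # (ip, user) -> timestamps of failures in the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        key = (ip, user)
        if result == "Failed":
            q = failures[key]
            q.append(ts)
            while ts - q[0] > window:      # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({
                    "kind": "brute_force", "ip": ip, "user": user,
                    "failures": len(q), "first": q[0], "last": ts,
                    "severity": severity(user, ip),
                })
        elif key in alerted:               # a success after a flagged burst
            alerts.append({
                "kind": "success_after_brute_force", "ip": ip, "user": user,
                "at": ts, "severity": "critical",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample data the detector raises two alerts: the burst against `administrator` from the high-risk address, and the later successful login from the same pair, which is the case that needs immediate response. The slow attempts against `root` never exceed the threshold inside the window and stay silent, which is the trade-off a fixed window makes; a production rule would pair it with a longer-horizon count per source address.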

The Takeaway

This exercise was invaluable to the bank and illustrates exactly why every business should be making penetration and social engineering testing part of their regular cybersecurity protocols.

Our client already had training for their employees in place; the fact that we were still able to fool multiple staff members only shows that human beings make mistakes, no matter how well trained they are. Therefore, having layered security in place is a must to prevent human error from turning into a financial and reputational catastrophe.


In addition, the bank’s above-average security posture and training made it easier for PTG to identify where there were genuine problems. It was easy to spot the brute force login attempts and the suspicious IP addresses from foreign countries, simply because there wasn’t a lot of noise from sloppy cybersecurity measures to filter out. If their regular cybersecurity hadn’t been so good to begin with, those issues would have been harder to pinpoint, increasing the dwell time and the opportunity for actual malicious actors to do harm.


Again, this exercise was a sterling example of our client doing the right thing to protect themselves and their customers. Instead of finding out the hard way that they were vulnerable to an attack, they hired Petronella Technology Group, Inc., to find the gaps in their security before a hacker could exploit them. This gave them the information they needed to successfully remediate problems and improve their cybersecurity posture.

With cyberattacks on the rise against every kind of business, it’s only a matter of time before your company’s cybersecurity measures are put to the test. With PTG’s expertise, you can find and root out vulnerabilities before hackers strike. Don’t wait—contact PTG here to schedule your FREE initial consultation now.

Other additional services include:

  • Cyber security for legal professionals
  • Cyber security for medical professionals
  • Small Business solutions
  • NIST/HIPAA Training
  • NIST/HIPAA Risk Assessments
  • Encryption/Decryption
  • Cyber Security
  • Managed IT
  • Blockchain Consulting
  • Artificial Intelligence (AI) Consulting
  • Search Engine Optimization (SEO)
  • Penetration Testing (Pen Testing)
  • PCI-DSS Compliance (Payment Card Industry Data Security Standard Compliance)
  • CRM Management Tools
  • Social Selling on LinkedIn
  • Discounted Phone and Internet Systems
  • Data Backup
  • Ransomware Recovery

If your bank or financial institution requires an audit, we can provide some insight into how we test how vulnerable you are to potential cybercrimes.

To speak to one of our experts, call 919-646-3780.