Bank management asked Elliott Davis for help: “We have lots of data from customers applying for Paycheck Protection Program loans (PPP); is it protected? Additionally, we had a previous firm perform testing, but we need to validate their results. Can you help?”
Customer Background
- Top nationwide lender
- Previously had completed a cybersecurity assessment and penetration test with another firm, needed confirmation of findings
- Needed to protect client data received through their PPP loan portal
- Wanted to assess overall security posture of applications and systems
Our Approach
1. External Penetration Testing occurred first due to sensitivity of PPP application data.
- Testing uncovered that data customers submitted was not adequately protected
- Found path to key documents that included sensitive personally identifiable information
- Team alerted bank in afternoon with steps for remediation; IT team resolved issue following morning
2. Internal Penetration Testing completed on entire network.
- Elliott Davis team mimicked multiple threat scenarios to demonstrate impact of findings on internal network
- Result: Ability to capture passwords and access domains, specifically the card issuance system that prints credit cards
- Remediation path developed for Customer IT team to implement
3. Cybersecurity Assessment completed analysis of bank security posture against CIS Framework.
Customer Results
- Identified PPP loan portal was at risk and remediated in less than 24 hours
- Performed a complete and thorough external and internal penetration test of systems and applications, which had not previously been fulfilled
- Pinpointed additional areas of risk across multiple systems
- Established clear path for remediation
- Successfully completed assessment to help company understand cybersecurity posture
We Can Help
For more information on this and other topics related to Cybersecurity, contact a member of our team.

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.