ROCHESTER — High Bit Security said it performed a penetration test for a national mortgage company concerned about its security after a ransomware attack against another mortgage firm.
In that case, the hacker took control of that system, locked the company out, and threatened to publish applicants’ sensitive information unless a “ransom” of $200,000 was paid within 24 hours.
High Bit said its testing identified multiple exploitable vulnerabilities, underscoring the need for a preemptive approach to security and illustrating why penetration testing is widely acknowledged as the best way to protect and preserve valuable information.
“Anyone who has ever applied for a mortgage knows that you are required to document your entire financial life,” said High Bit Security chief business development officer Barbara Goushaw. “Mortgage company records are a gold mine for an identity thief, and whether this information is stored locally or the mortgage company uses third party software — customer information exists unencrypted at various points as it traverses the network. Information is transferred using unencrypted e-mails and it’s also copied, faxed, and scanned on all-in-one printers that retain the information. Yet, most of us would never ask about security policies when selecting a mortgage company.”
In the case of this particular mortgage company, High Bit COO Adam Goslin said, “Our security engineers documented vulnerabilities that could allow a full breach of the server and the operating system. There was also a server misconfiguration that inappropriately exposed an ‘internal only’ database to the Internet, in addition to remote access vulnerabilities. We discovered that this company was at risk, and it was fortunate they engaged us before the hackers discovered it too. In cases like this it’s only a matter of time.”
High Bit Security reported what was found, where it was found, what it meant, relative severity within the environment, and specific details on how to fix it. Upon receipt of the testing results report, the mortgage company IT staff began at once to remediate the vulnerabilities.
“Most of the fixes were relatively simple to accomplish,” Goslin said. “The trick is to know what needs to be fixed. That’s why an experienced security engineer heads up all of our engagements. They know where to look. The key is to engage us before the hackers find you, because they also know where to look. In this case the company was proactive and brought us in before they became a target.”
The complete anonymous case study can be reviewed at: http://www.highbitsecurity.com/casestudies-pentesting-mortgage.php.
High Bit Security is a national security services provider, providing testing, assessment and solutions to clients who need to protect sensitive data in industries such as health care, credit card processing and financial services, as well as companies that otherwise store intellectual property or personally identifiable information. HBS also provides security consulting services to assist clients with their compliance objectives across PCI-DSS, PA-DSS, HIPAA and SSAE-16, or with a security best practices audit of their organization.
More at www.highbitsecurity.com