MEMPHIS, Tennessee (February 3, 2014) - Sawyers & Jacobs LLC announced updates for 2014 to the firm’s popular IT Audit and Network Vulnerability Assessment services.  These updates address the latest security threats, new applications, and regulatory issues applicable to community banks, and extend the cybersecurity coverage with penetration testing, social engineering, and vulnerability scanning.

Unique Approach

According to Jimmy Sawyers, Co-Founder of Sawyers & Jacobs LLC, “We take a helpful approach designed to identify potential weaknesses in the bank’s systems and provide guidance on how to fix the problems.  Better we find the holes and plug them before the bad guys exploit them and gain unauthorized entry.”

“The devil is in the details,” says Joshua Jacobs, Co-Founder of Sawyers & Jacobs LLC.  “We see firms selling a simple automated external vulnerability scan and deceptively calling it a ‘penetration test,’ which it is not.  We also see firms selling penetration testing services where the goal is strictly to break in and then abruptly end the engagement with a ‘Gotcha!’ mentality.  This is akin to breaking a window with a rock while failing to determine if the front door, the back door, or any other windows are locked and secure.  We use the same tools and techniques that real-world hackers use, and we speak the language of bankers to marry the highly technical with the business of banking.”

The Sawyers & Jacobs LLC offering is unique in that the bank receives the traditional IT Audit and the Network Vulnerability Assessment, which includes External Penetration Testing, Social Engineering, Internal Penetration Testing, and an overall Network Security Review, in a combined engagement.  Bank management receives a comprehensive report written in plain English.  “We believe we offer the most complete package of these services in the industry,” added Sawyers. 

Covering All the Bases

The typical controls of the IT environment, such as dormant account transaction processing, business continuity, and online banking, belong in the IT Audit; the more technical areas, such as patch management, intrusion prevention, and incident response, belong in the Network Vulnerability Assessment.  One without the other is a half-baked review that leaves the bank exposed.

Sawyers adds, “We also serve as an early warning system for our clients by educating them on industry trends, new regulations, and vendor management issues.  Because we are so active in the industry, we have our ear to the ground and can let our clients know what is coming over the horizon.”

Sawyers & Jacobs LLC has helped banks identify vendor-introduced vulnerabilities, unpatched systems, and other security holes that could have exposed the banks to major security breaches and liability.  Averting those disasters saved these banks significant dollars, avoided embarrassment, and preserved customer trust.

The Most Common Exploits

Most bank hacks don’t occur through brute force attacks on banks’ systems.  Instead, the hackers normally get in by tricking a bank employee into clicking a link to an infected web page or into opening an infected email attachment.  This is why social engineering tests, especially in the form of simulated spear phishing attacks, are so important.  According to Jacobs, “Bankers tell us they like our professional approach to social engineering.  We don’t try to embarrass bank employees or crash systems, and we certainly don’t dress up like pizza delivery guys to gain entrance into the bank.  Such amateurish gimmicks only serve to disrupt daily operations and, in some cases, put bank employees in real danger.  Sawyers & Jacobs LLC has perfected a sophisticated approach to social engineering and simulated spear phishing attacks that identifies problems, gathers relevant statistics, and provides bank management with a cautionary yet real-world example of the importance of security awareness.”
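To show what “gathering relevant statistics” from a simulated spear phishing campaign looks like in practice, the following is an added example written for this page; it is not Sawyers & Jacobs LLC’s tooling. The event log format (timestamp, department, employee, event) and the 30% click-rate threshold are assumptions, and the log lines are constructed sample data. It reports the funnel (sent, opened, clicked, submitted, reported) overall and per department, the time from the first send to the first click and the first report, and the departments whose click rate exceeds the threshold.

```python
"""Summarize a simulated spear phishing campaign from a tracked event log.

Added example, not the firm's own tooling. The log format below is an
assumption: one event per line, "timestamp department employee stage".
"""
from collections import Counter
from datetime import datetime

# Constructed sample log: eight employees in two departments, one campaign.
SAMPLE_LOG = """\
2014-02-03T09:00:00 lending alice sent
2014-02-03T09:00:00 lending bob sent
2014-02-03T09:00:00 lending carol sent
2014-02-03T09:00:00 lending dave sent
2014-02-03T09:00:00 operations erin sent
2014-02-03T09:00:00 operations frank sent
2014-02-03T09:00:00 operations gina sent
2014-02-03T09:00:00 operations hank sent
2014-02-03T09:02:15 lending bob opened
2014-02-03T09:03:40 operations erin reported
2014-02-03T09:04:30 lending bob clicked
2014-02-03T09:05:05 lending alice opened
2014-02-03T09:06:00 operations frank opened
2014-02-03T09:07:10 lending alice clicked
2014-02-03T09:07:55 lending alice submitted
2014-02-03T09:09:20 operations frank reported
2014-02-03T09:11:00 lending carol reported
2014-02-03T09:12:30 lending dave opened
2014-02-03T09:14:00 operations hank opened
2014-02-03T09:15:00 operations hank clicked
2014-02-03T09:16:45 operations hank reported
"""

STAGES = ("sent", "opened", "clicked", "submitted", "reported")


def parse_log(text):
    """Return {employee: {"department": str, "events": {stage: first timestamp}}}."""
    people = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dept, name, stage = line.split()
        if stage not in STAGES:
            raise ValueError(f"unknown event {stage!r} in line {line!r}")
        rec = people.setdefault(name, {"department": dept, "events": {}})
        # Keep only the first occurrence of each stage per employee, so a
        # second click or a re-opened message does not inflate the counts.
        rec["events"].setdefault(stage, datetime.fromisoformat(ts))
    return people


def funnel(people, department=None):
    """Number of employees that reached each stage, optionally for one department."""
    counts = Counter()
    for rec in people.values():
        if department is None or rec["department"] == department:
            counts.update(rec["events"].keys())
    return {stage: counts[stage] for stage in STAGES}


def rate(people, stage, department=None):
    """Fraction of employees sent the lure who reached `stage`."""
    f = funnel(people, department)
    return f[stage] / f["sent"] if f["sent"] else 0.0


def time_to_first(people, stage):
    """Seconds from the earliest send to the earliest `stage` event, or None."""
    sends = [r["events"]["sent"] for r in people.values() if "sent" in r["events"]]
    hits = [r["events"][stage] for r in people.values() if stage in r["events"]]
    if not sends or not hits:
        return None
    return (min(hits) - min(sends)).total_seconds()


def flagged_departments(people, max_click_rate=0.3):
    """Departments whose click rate exceeds the threshold (assumed policy value)."""
    depts = sorted({r["department"] for r in people.values()})
    return [d for d in depts if rate(people, "clicked", d) > max_click_rate]


def summarize(text, max_click_rate=0.3):
    people = parse_log(text)
    return {
        "overall": funnel(people),
        "click_rate": rate(people, "clicked"),
        "submit_rate": rate(people, "submitted"),
        "report_rate": rate(people, "reported"),
        "seconds_to_first_click": time_to_first(people, "clicked"),
        "seconds_to_first_report": time_to_first(people, "reported"),
        "flagged_departments": flagged_departments(people, max_click_rate),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two design points worth noting. An employee who clicks and then reports (hank in the sample) is counted in both stages: a late report still lets the bank start containment, so the report rate should not be reduced to “reported without clicking.” And the time from first send to first click is the practical window the bank has to detect and pull a real message, which is usually a more sobering number for management than the click rate itself.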

Independence Issues

A bank’s auditors and consultants should be independent and free from conflicts of interest.  In some cases, prohibited non-audit services include financial information system design and implementation.  For example, a provider of core processing services, which would include the bank’s “financial information system,” should not provide IT audit services or network vulnerability assessment services to that bank.  This provider would be auditing its own systems which could include the core (DDA, Savings, Loans, General Ledger) plus imaging systems, online banking, and other systems the provider designed, sold the bank, and continues to maintain.  Clearly, this situation would be a conflict and would impair independence.