Crowd Security Intelligence Solution Overview


Page 1

The Financial Services sector suffers one of the highest cyber incident rates and average breach costs of any industry[1]. The industry looks to Synack to secure their assets and their reputations, in addition to meeting compliance.

Hacker-Powered Penetration Testing for High-Value Assets

Financial Services companies’ large volumes of financial assets, transactions, and customer data under management make the industry a no-brainer target for cybercriminals. As emerging policy frameworks, such as the EU General Data Protection Regulation, heighten the penalties for a breach, executives are facing increasing legal, reputational, and financial repercussions of a breach. Financial Services companies need an offensive approach to defense that helps them understand their security risk from an adversarial perspective.

Synack’s innovative, hacker-powered approach to penetration testing enables Financial Services companies to understand their security risk from the adversary’s perspective. Synack Crowd Security Intelligence provides an on-demand offensive approach to an organization’s security defenses to uncover vulnerabilities left undetected by traditional security solutions. The intelligence platform provides real-time insights on Financial Service companies’ attack surfaces and exploitability to enable clients to rapidly remediate sources of security risk and protect their assets, customers, and brands before damage can be done.

Crowd Security Intelligence®

WHAT WE TEST:

Web—Get insight into how a cybercriminal could exploit security vulns to gain entry to a web app, sensitive customer data, and funds.

Mobile—Discover unknown vulnerabilities in mobile apps and APIs that hackers could exploit to access customer accounts.

Host—Uncover vulnerabilities within, and any changes to, networks & host infrastructure before they cause downtime and revenue loss.

IoT—Analyze how vulnerabilities within internal and consumer-facing devices impact the grander enterprise ecosystem.

WHAT YOU GET:

Real-Time Analytics—Real-time analytics on when, what, and how clients’ assets were tested. Insight into how hardened digital assets and businesses are against attack.

Actionable Reports—Detailed, actionable assessment and vulnerability reports with firsthand reproduction and remediation instructions from the Synack Red Team members who found the vulnerabilities.

Continuous Support—Complete customer control and visibility throughout the engagement; all Synack Red Team members are rigorously vetted and all testing traffic is captured via LaunchPoint® for real-time adversarial intelligence.

[1] IBM 2016 Cyber Security Intelligence Index; Ponemon 2016 Cost of Data Breach Study: Global Analysis

FINANCIAL SERVICES Solution Overview

Page 2

Synack at Work:

1. Client Onboarding—Synack Mission Operations worked closely with the client to scope the engagement, including defining the objectives and outlining the rules of engagement.

2. Hydra—Synack’s proprietary vulnerability intelligence platform kicked off the engagement by scanning and mapping the attack surface. Hydra continuously pushed vulnerability intelligence to the Synack Red Team for additional investigation and manual testing.

3. Synack Red Team (SRT)—Synack’s crowd of top security researchers searched for and tested vulnerabilities using their unique techniques and tradecraft. All of their testing traffic and adversarial intelligence was captured through Synack’s secure gateway, LaunchPoint, giving the client complete control and auditability. Almost immediately after testing began, the SRT began to discover and report critical vulnerabilities. For example, one researcher reported an XSS vulnerability that would allow an adversary to steal customer data and gain access to customer bank accounts and funds. An attacker could insert an XSS payload into the target’s CRM system that would enable the attacker to hijack a user’s CRM session and install malware. Using the malware, the attacker could obtain customer credentials and drain their accounts without alerting the security team.

4. Mission Operations—Immediately after the researcher submitted the vulnerability report, Synack Mission Operations triaged the vulnerability, conducting complete vulnerability reproduction and validation. Once the team confirmed the quality of the vulnerability, they prioritized it and alerted the client.

5. Client—Upon receiving the alert in the web-based client portal, the client’s security team passed the detailed vulnerability report and suggested fix on to the remediation team. Through the Synack API, the client seamlessly ingested the vulnerability data into their internal systems and processes, including Jira. After the vulnerability was patched, the researcher who discovered the vulnerability worked with the client team to verify the patch. Through Synack’s Coverage Analytics on what/when/how the asset was tested by the Synack Red Team, the client was also able to obtain an assessment of the web app’s overall security risk and resistance to attack.

Case Study: Customer Relationship Mismanagement

Client: F500 Financial Services Company

Problem: This Financial Services company had met all security and privacy compliance requirements. The firm was using a penetration testing contractor and automated vulnerability scanner to look for vulnerabilities in their systems. However, after an attacker was able to penetrate the network and steal customer records, the client decided to try Synack’s crowdsourced penetration testing solution to mimic the diversity and creativity of the adversary and gather real-time intelligence on how many vulnerabilities and how much risk lay beneath the surface.

Assessment: Financial Services CRM Web Application

Impact: Using an incentive-driven model that mimicked the creativity and diversity of the adversary, this F500 financial services company was able to address and prevent a potential exploit that could have cost this company millions, if not billions, in funds, as well as their reputation. In preparation for the EU’s General Data Protection Regulation, Synack Crowd Security Intelligence provided the client with an attacker-driven perspective on their risk of a breach.

Synack, Inc.

855.796.2251 | www.synack.com | [email protected]

© 2017 Synack, Inc. All rights reserved. Synack is a registered trademark of Synack, Inc.

v2017.1—INT US
