As we enter a new year, it’s traditional to look back at the successes and failures of the last twelve months. The information security world is no different, and as the year draws to a close, information security writers publish a flurry of articles with titles like The Top Data Breaches of 2021 and The Top 5 Scariest Data Breaches in 2021. They are sobering reading: each listicle entry represents hundreds of millions of people hurt by data breaches that expose their private details to criminals and the wider world.

However, these articles don’t mention the thousands of smaller businesses targeted by cyber-criminals. The headline-grabbing data breaches are the tip of the iceberg. While most of the corporations featured will weather the storm, smaller businesses are less able to bounce back from a catastrophic exposure of sensitive data. Over half of small companies go out of business within six months of a data breach or cyber attack.

Not every data breach is avoidable, but any business can significantly reduce the risk that a data breach will hurt its employees and customers, not to mention its reputation, bank balance, and regulatory compliance.

What Causes Data Breaches?

Data breaches occur when bad actors exploit weak security and privacy controls. In a secure system, sensitive data is only accessible to authorized and authenticated users. To build a secure system, businesses should implement controls that allow access to authorized users and deny it to everyone else.

Data breaches are more likely when essential controls are missing or improperly implemented. A weak password is an example of a poorly implemented access control. If a user with administrative privileges on a sensitive system chooses a password such as “123456,” an attacker can easily guess it and gain access.

Weak credentials are among the most common causes of data leaks, but there are many more, including:

  • Stolen credentials: shared or stolen passwords and authentication keys are a leading cause of data breaches.
  • Phishing attacks: attackers use email to trick employees into disclosing credentials or installing malware.
  • Software vulnerabilities: vulnerabilities in network-connected software allow attackers to access sensitive systems.
  • Insider threats: employees or ex-employees work with criminals or steal data for their own purposes.
  • Physical attacks: people who have direct physical access to servers and networks can bypass security controls.
  • Configuration mistakes: incorrectly configuring software or hardware may give an attacker access to sensitive data. This is a common cause of data breaches from cloud platforms, as we discussed in 10 Top Tips For Better AWS Security Today.

What Happens During a Data Breach?

There are many potential techniques an attacker might use to compromise a business’s network and exfiltrate sensitive data. But, at a high level, most data breaches follow a predictable course.

  • Target identification and reconnaissance: The attacker probes your network and organization for weaknesses. This stage is often automated: many attackers use bots to scan thousands of networks for a specific weakness, such as an exposed service with a known vulnerability. A high-value target, however, may be probed and investigated manually.
  • Social engineering: In addition to probing networks and software, the attacker may contact employees and managers, usually misrepresenting their purpose with a spurious pretext. Their aim may be to learn more about the organization and its systems, steal authentication credentials, or influence an insider to install malware.
  • Compromise: The attacker uses the information they have gathered to gain entry to the network. For example, they may have discovered a misconfigured database, which they now access over the internet. Once the attacker has compromised one network component, they may use that access to move laterally (“island hop”) to more sensitive systems.
  • Exfiltration: The data is copied from the business’s network to servers under the attacker’s control.

Once the attacker has the data, they can release it to the public, sell it to other criminals, use it for identity theft, or extort the business.

How to Prevent Data Breaches

We’ve looked at some of the most widely used techniques to compromise business networks and steal data. To prevent data breaches, businesses should focus on implementing processes and controls that render those techniques ineffective.

Regularly Update Software to Apply Security Patches

Older software often contains bugs that create security vulnerabilities. The recent Apache Log4j vulnerability (CVE-2021-44228, widely known as Log4Shell) is a perfect example. Log4j is a logging library for the Java ecosystem. It is included, directly or as a transitive dependency, in over 35,000 Java packages used by thousands of businesses.

Log4j 2 contained a security vulnerability an attacker could exploit to execute code remotely: by getting a specially crafted string into any value the application logged (a User-Agent header or a username field, for example), the attacker could make the library fetch and run code from a server under their control. Remote code execution vulnerabilities are severe, and the Log4j vulnerability could allow an attacker to break into systems, steal data, and upload malware.

Once the vulnerability was discovered, the Log4j developers quickly fixed it. But a fix only helps once it is deployed: users have to update every application that bundles Log4j, including copies buried inside third-party software and packaged application archives, so knowing where the library is used matters as much as the patch itself. Although the Log4j vulnerability is particularly serious, software vulnerabilities are common, and the best way to fix them is to update all business software regularly.
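The practitioner’s first problem after an advisory like this is finding every copy of the library, because Log4j is usually pulled in transitively and is often packaged inside application archives rather than installed on its own. The script below is an added example written for this article (not code from the Log4j project). It walks a directory, reads the Maven pom.properties that log4j-core JARs carry under META-INF/, descends into archives nested inside fat JARs and WARs, and flags versions below 2.17.1, the Java 8 fix level Apache recommended at the time. The threshold, the directory layout and the sample archives it builds in a temporary directory are all constructed for the example.

```python
"""Find every bundled copy of log4j-core under a directory, including copies nested in fat JARs.
Added example for this article, not Log4j project code. FIXED_VERSION and the sample
archives are assumptions; the pom.properties path is what log4j-core JARs really carry."""
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, Iterator, List, Optional, Tuple

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 17, 1)  # assumed threshold: Apache's Java 8 fix level at the time of writing
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); a missing patch number counts as 0, qualifiers are ignored."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(part or 0) for part in match.groups()) if match else ()


def log4j_core_version(archive: zipfile.ZipFile) -> Optional[str]:
    """Version declared in the archive's log4j-core Maven metadata, or None if not bundled."""
    if POM_PROPERTIES not in archive.namelist():
        return None
    for line in archive.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(archive: zipfile.ZipFile, location: str) -> Iterator[Tuple[str, str]]:
    """Yield (location, version) for log4j-core here and inside any nested archive."""
    version = log4j_core_version(archive)
    if version:
        yield location, version
    for name in archive.namelist():
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(archive.read(name))) as inner:
                    yield from scan_archive(inner, f"{location}!{name}")
            except zipfile.BadZipFile:
                continue  # named like an archive but is not one


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk root and return one finding per bundled log4j-core copy (unparseable versions are flagged)."""
    findings: List[Dict[str, object]] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(path) as archive:
                    for location, version in scan_archive(archive, os.path.relpath(path, root)):
                        findings.append({"location": location, "version": version,
                                         "needs_update": parse_version(version) < FIXED_VERSION})
            except zipfile.BadZipFile:
                continue
    return findings


def make_log4j_core_jar(version: str) -> bytes:
    """Constructed fixture: a minimal archive carrying only log4j-core's Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(POM_PROPERTIES,
                         f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed sample deployment: a fat JAR nesting an old log4j-core, a patched JAR, an unrelated JAR."""
    os.makedirs(os.path.join(root, "lib"))
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as fat:
        fat.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", make_log4j_core_jar("2.14.1"))
        fat.writestr("BOOT-INF/classes/com/example/App.class", b"\xca\xfe\xba\xbe")
    with open(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "wb") as handle:
        handle.write(make_log4j_core_jar("2.17.1"))
    with zipfile.ZipFile(os.path.join(root, "lib", "commons-text.jar"), "w") as other:
        other.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")


def demo() -> List[Dict[str, object]]:
    """Build the constructed sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(scan_tree(root), key=lambda f: str(f["location"]))


if __name__ == "__main__":
    for finding in demo():  # real use: scan_tree("/opt/myapp") or wherever deployments live
        print("UPDATE" if finding["needs_update"] else "ok    ", finding["version"], finding["location"])
```

The scan reports the nested copy as app.jar!BOOT-INF/lib/log4j-core-2.14.1.jar, which is the case an inventory built from package manager output alone will miss; a standalone jar in lib/ is found the same way. Anything the scanner flags still needs the vendor’s patched build or a rebuild with the updated dependency, not an in-place edit of the archive.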

Encrypt Data and Store Encryption Keys Securely

Businesses should not entirely rely on their ability to keep bad actors out of their networks. It’s always possible that an attacker will find a vulnerability or an employee will make a configuration mistake. It’s best to assume that an attacker will find their way in and implement additional layers of security to deal with that contingency.

If a business ensures that all sensitive data is encrypted, an attacker who penetrates network security obtains only ciphertext. However, encryption is only as strong as the protection of its keys: a sophisticated attacker who finds keys stored alongside the data, in source code, or in configuration files can decrypt everything. The details of secure key storage differ depending on the business’s platforms, but we discussed how to store access keys and encryption keys securely on Amazon Web Services in How to Keep AWS Access Keys and Other Secrets Safe.

Implement Least-Privilege Access Policies

Employees, contractors, and service providers should have the least access consistent with their role within an organization. They should be able to access only the data they need and have only essential privileges. For example, an employee who needs to download data to generate a report does not need write permissions to edit that data.

Implementing least-privilege access policies limits the risk of leaked or stolen access credentials. It also helps to reduce insider threats by limiting the data assets a malicious insider can access.

Follow Cloud and Physical Infrastructure Configuration Best Practices

Many data breaches are the result of improperly configured software and hardware. To mention just four examples:

  • AWS S3 buckets accidentally configured to be publicly accessible.
  • MySQL databases exposed to the internet without password authentication.
  • Improperly assigned access permissions that allow users to access information they should not be authorized to see.
  • Inadequate firewall rules, or no firewall at all.
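The least-privilege policy from the previous section and the first and third misconfigurations in this list are the same mistake in policy form: a statement that grants more than it should. The checker below is an added example written for this article, not AWS tooling. It evaluates policy documents in the standard IAM JSON structure, flags wildcard actions, wildcard resources, NotAction/NotResource, and bucket policies whose Principal is "*" with no Condition, and works through the report-generator case above by testing a read-only policy against a write action. The policies, bucket name and account ID are constructed (123456789012 is the placeholder AWS uses in its documentation). The evaluator is deliberately partial: it handles Allow and Deny with IAM wildcards but ignores Conditions, NotAction, NotResource and permission boundaries, so treat it as a linting aid rather than a substitute for IAM Access Analyzer or the policy simulator.

```python
"""Lint IAM and S3 bucket policy documents for grants broader than least privilege.
Added example for this article, not AWS code. Sample policies, bucket name and account ID are
constructed. Simplified evaluator: Conditions, NotAction, NotResource and boundaries are ignored."""
import re
from typing import Any, List


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM wildcard matching: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one action on one resource; an explicit Deny beats any Allow."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        if not any(_glob(a, action, True) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_glob(r, resource, False) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def _is_public_principal(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} means every AWS account plus anonymous callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def audit_policy(policy: dict) -> List[str]:
    """Return findings for Allow statements that grant more than least privilege."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid") or f"Statement[{index}]"
        actions = _as_list(stmt.get("Action"))
        if _is_public_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append(f"{sid}: public principal with no Condition; anyone can call {actions}")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: applies to every resource")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants everything not listed")
    return findings


# Constructed sample: "anything on S3" attached to a job that only produces reports.
OVERBROAD_REPORT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
# Constructed sample: list and read one bucket, which is all the report job needs.
LEAST_PRIVILEGE_REPORT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListReports", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-reports-bucket"},
        {"Sid": "ReadReports", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-reports-bucket/*"},
    ],
}
# Constructed sample: a bucket policy that makes every object readable by anyone.
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports-bucket/*"}],
}
# Constructed sample: the same bucket limited to one role (123456789012 is a placeholder account).
PRIVATE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReportReaderOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportReader"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports-bucket/*"}],
}


if __name__ == "__main__":
    report = "arn:aws:s3:::example-reports-bucket/q4-summary.csv"
    for name, policy in [("overbroad", OVERBROAD_REPORT_POLICY), ("least-privilege", LEAST_PRIVILEGE_REPORT_POLICY)]:
        print(name, "PutObject allowed:", is_allowed(policy, "s3:PutObject", report), audit_policy(policy))
    for name, policy in [("public bucket", PUBLIC_BUCKET_POLICY), ("private bucket", PRIVATE_BUCKET_POLICY)]:
        print(name, "findings:", audit_policy(policy) or "none")
```

Run against real policies by loading the JSON that the IAM or S3 APIs return and passing it to audit_policy; the public-principal check is the one that catches the world-readable bucket case, and it applies equally to SQS, SNS, and KMS resource policies, which use the same document format.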

Configuration errors have two leading causes. First, the business doesn’t invest the time and resources necessary to secure its infrastructure adequately. Second, the business lacks the knowledge and expertise to configure its infrastructure securely. Both scenarios introduce significant compliance and financial risks.

If a business does not have the knowledge or resources to secure its infrastructure or understand the risks, it should consider employing a third-party information security specialist to assess its security and suggest opportunities for improvement.

Carry Out Regular Security Risk Assessments

A security risk assessment can help your business identify and remediate potential vulnerabilities. A comprehensive risk assessment begins with a survey of your infrastructure before identifying risks, assessing their importance, and creating a risk management plan, which can be implemented to remove identified risks.

A third-party risk assessment by qualified information security auditors may help businesses significantly reduce the risk of a damaging data breach.

Conduct Security Awareness Training

Employees have privileged access to sensitive data, but they may not understand their part in keeping that data safe. Phishing attacks and other forms of social engineering deliberately target non-technical employees who may not understand the security implications of clicking a link in an email or sharing their password with someone who claims to be a manager or executive.

Security awareness training helps employees understand the threats their business faces and what they can do to limit exposure. It can be tailored to the company’s specific needs and relevant security frameworks, including HIPAA and PCI.

Prevent Data Breaches with KirkpatrickPrice

As a licensed CPA firm, KirkpatrickPrice specializes in information security audits and security assessments that help identify and close the gaps that lead to data breaches. Contact an information security specialist to learn more about our risk assessment services, security awareness training, and compliance audit services.

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard merchants and service providers must comply with if they store, process, or transmit cardholder data. PCI DSS consists of 12 principal requirements broken down into hundreds of detailed sub-requirements and testing procedures, including requirements that apply to cloud infrastructure such as Amazon Web Services (AWS).

Organizations that use AWS to store and process credit card data must ensure their cloud infrastructure is compliant. But maintaining AWS PCI-compliance is not as simple as uploading sensitive data to a cloud service that has been audited and declared PCI compliant. As Amazon puts it, “It is the customer’s responsibility to maintain their PCI DSS cardholder data environment (CDE) and scope, and be able to demonstrate compliance of all controls.”

In this article, we examine what AWS PCI compliance means and how companies store and process data on AWS while maintaining PCI DSS compliance.

Which Data is Covered by PCI DSS?

Cardholder data is any personally identifiable information associated with a credit cardholder or their account. It includes:

  • The Primary Account Number (PAN)
  • Cardholder names
  • Expiration dates
  • Service codes

PCI DSS also addresses the storage, processing, and transmission of sensitive authentication data, including full magnetic stripe data, card verification codes (CVC2, CVV2, CID and equivalents), and personal identification numbers (PINs). Sensitive authentication data must not be stored after authorization, even in encrypted form (Requirement 3.2). Organizations storing and processing cardholder data must ensure that the relevant infrastructure and systems are compliant.

Is AWS PCI-Compliant?

AWS is a PCI DSS Level 1 validated service provider. Level 1 is the most stringent of the service-provider compliance levels, and it means that AWS’s in-scope services have been assessed by a Qualified Security Assessor (QSA), who issues a Report on Compliance and an Attestation of Compliance that AWS customers can obtain through AWS Artifact.

Which AWS Services Are PCI Compliant?

The majority of Amazon’s cloud services are PCI-compliant. Compliant services include Amazon Simple Storage Service (S3), Amazon Elastic Compute Cloud (EC2), Amazon Elastic Block Store (EBS), and around 150 other cloud services and programs. You can see a complete list of PCI compliant AWS services at AWS Services in Scope by Compliance Program.

AWS PCI Compliance and the Shared Responsibility Model

AWS operates a shared responsibility security model, meaning responsibility for securing cardholder data is shared between the platform and the user. AWS implements secure and compliant systems which reduce the users’ operational burden. But it doesn’t absolve them of the responsibility to use AWS services in a secure and compliant manner.

Amazon is always responsible for securing the underlying hardware, but the user may be responsible for the service’s configuration and any software they run on it. The division of responsibility depends on the cloud service. On EC2, the user is responsible for securing the operating system and services they run on virtual servers. On S3, they are responsible for the aspects of the service that are user configurable.

Amazon S3 illustrates one common AWS security failing. S3 itself is a secure, PCI-compliant object storage service: if it is correctly configured and used as part of a compliant system, an AWS user can store cardholder data on S3 and maintain PCI compliance.

However, S3 can be configured insecurely, for example by attaching a bucket policy or access control list that grants read access to everyone, or by switching off S3 Block Public Access at the account or bucket level. In that case, the service is PCI compliant, but the user’s implementation is not, and neither is any system that relies on that implementation.

As Amazon’s compliance guidelines make clear, “AWS Services listed as PCI DSS compliant means that they can be configured by customers to meet their PCI DSS requirements. It does not mean that any use of that service is automatically compliant.” Additionally, the PCI DSS’s scope goes beyond infrastructure to processes and people—compliant infrastructure can’t make a system compliant unless all other appropriate controls are also implemented.

Ultimately, PCI DSS compliance is always the responsibility of the user. Amazon makes compliance easier, but if cardholder data is exposed or misused, it is the user who faces penalties and perhaps the revocation of their ability to process credit card payments.

How to Achieve PCI Compliance on AWS

Achieving PCI compliance on AWS is a complex topic: it depends on the size and scope of a business’s cardholder data environment; the cloud infrastructure, services, and software in use; and the processes the company supports with AWS services.

To implement a PCI-compliant cardholder data environment, AWS users must ensure that all infrastructure connected to the data environment complies with the relevant PCI DSS requirements. We cannot cover all applicable requirements here, so let’s look at three examples of how AWS helps businesses comply.

PCI DSS Firewall Controls

PCI DSS Requirement 1.1.4 requires businesses to implement a firewall at each internet connection and between any demilitarized zone (DMZ) and the internal network zone. Amazon provides two main PCI-compliant firewall options: Security Groups, which are stateful filters attached to individual network interfaces, and Network Access Control Lists (NACLs), which are stateless filters applied at the subnet boundary.

Firewalls are a clear example of how the division of responsibility between AWS and the user works. AWS provides firewall services that help users comply with PCI DSS requirements, but the user must configure and manage the firewalls in a compliant manner. AWS also provides the AWS Firewall Manager to centralize and simplify firewall management for AWS environments.
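As an added example of what “configure and manage the firewalls in a compliant manner” means in practice (example code written for this article, not an AWS tool), the check below reviews security group ingress rules in the JSON shape returned by EC2 DescribeSecurityGroups and flags any rule that opens database or administrative ports, or all traffic, to 0.0.0.0/0 or ::/0. A rule whose source is another security group, as a database tier’s should be, is not world-open and passes. The group IDs, the sample groups and the list of sensitive ports are constructed assumptions.

```python
"""Review EC2 security group ingress rules against a cardholder data environment baseline.
Added example for this article, not AWS tooling. Documents follow the DescribeSecurityGroups
shape; the groups, their IDs and SENSITIVE_PORTS are constructed assumptions."""
import ipaddress
from typing import Dict, List, Tuple

# Assumed baseline: services that must never be reachable from the whole internet.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}


def _port_range(rule: dict) -> Tuple[int, int]:
    """IpProtocol -1 means every protocol and port; otherwise FromPort..ToPort."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def _is_world(cidr: str) -> bool:
    """0.0.0.0/0 and ::/0 are the whole internet; any /0 prefix counts as world-open."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _cidr_sources(rule: dict) -> List[str]:
    """CIDR sources only: UserIdGroupPairs and PrefixListIds reference AWS objects, not the internet."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def audit_security_group(group: dict) -> List[str]:
    """Findings for ingress rules that expose sensitive ports, or everything, to the internet."""
    findings = []
    gid = group.get("GroupId", "?")
    for rule in group.get("IpPermissions", []):
        world = [c for c in _cidr_sources(rule) if _is_world(c)]
        if not world:
            continue
        if rule.get("IpProtocol") == "-1":
            findings.append(f"{gid}: all protocols and ports open to {', '.join(world)}")
            continue
        low, high = _port_range(rule)
        exposed = [f"{port} ({name})" for port, name in SENSITIVE_PORTS.items() if low <= port <= high]
        if exposed:
            findings.append(f"{gid}: {', '.join(exposed)} open to {', '.join(world)}")
        elif high - low > 100:
            findings.append(f"{gid}: wide port range {low}-{high} open to {', '.join(world)}")
    return findings


def audit_all(groups: List[dict]) -> Dict[str, List[str]]:
    """Map each group ID to its findings, keeping only groups that have some."""
    results = {g.get("GroupId", "?"): audit_security_group(g) for g in groups}
    return {gid: found for gid, found in results.items() if found}


# Constructed sample: a database tier exposing MySQL to the whole internet.
DB_GROUP_OPEN = {"GroupId": "sg-db-open", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
# Constructed sample: the same port reachable only from the application tier's group.
DB_GROUP_TIERED = {"GroupId": "sg-db-tiered", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]}
# Constructed sample: HTTPS to the world and SSH only from an office range (TEST-NET-3 placeholder).
WEB_GROUP = {"GroupId": "sg-web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}
# Constructed sample: a "temporary" allow-all rule that nobody removed.
TEMP_GROUP = {"GroupId": "sg-temp-admin", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}


if __name__ == "__main__":
    for gid, found in audit_all([DB_GROUP_OPEN, DB_GROUP_TIERED, WEB_GROUP, TEMP_GROUP]).items():
        print(gid, "->", "; ".join(found))
```

Feed it the SecurityGroups array from a DescribeSecurityGroups response to review a live VPC. The same review is worth repeating for NACLs, whose rules are evaluated in number order and lack the stateful return-traffic handling that makes security groups easier to get right.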

Strong Encryption of Data at Rest and in Motion

PCI DSS Requirements 3 and 4 address cardholder data protection, including encryption at rest and in transit. Relevant requirements include:

  • Render PAN unreadable anywhere it is stored.
  • Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open networks.

Businesses must encrypt cardholder data in transit and at rest with strong, modern cryptographic technology. AWS makes this relatively straightforward. Most AWS data services offer encryption at rest, including relational and NoSQL databases, object and block storage, and caching services.

AWS encrypts traffic between its Regions and Availability Zones on its own network, and traffic that stays within a VPC never crosses the open internet. Still, enabling TLS on connections inside the VPC, such as between application servers and a database, is the customer’s choice to make, and users must ensure that they implement suitable cryptographic protection whenever cardholder data is transmitted to third-party clients and services over open networks.
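Where that responsibility lands in code is the TLS configuration of the client that sends cardholder data to a third party. The block below is an added example written for this article (not AWS code): a hardened client context that verifies the certificate chain and hostname and refuses anything below TLS 1.2, beside a constructed “legacy integration” context that disables verification, and a review function that reports why the second one would not satisfy the requirement.

```python
"""TLS client settings for cardholder data sent to a third party, beside a weak legacy configuration.
Added example for this article, not AWS code; the legacy context is a constructed bad example."""
import ssl
from typing import List


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server certificate chain and hostname; refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Constructed 'it worked in staging' context: no certificate or hostname verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def review_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings for settings that would not count as strong cryptography on an open network."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname (check_hostname is off)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor is {ctx.minimum_version.name}; TLS 1.2 or later is required")
    return findings


if __name__ == "__main__":
    # Usage on an outbound call: hardened_client_context().wrap_socket(sock, server_hostname=host)
    for name, ctx in [("hardened", hardened_client_context()), ("legacy", legacy_client_context())]:
        print(name, "->", review_context(ctx) or "acceptable")
```

The three checks map onto what an assessor looks for under Requirement 4.1: a trusted certificate, a hostname match so that a valid certificate for some other host is rejected, and a protocol floor that excludes SSL and early TLS. Libraries such as requests and urllib3 build on the same SSLContext, so the hardened context can be passed through to them rather than relying on their defaults.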

Secure Key Management

PCI DSS Requirement 3.5 and Requirement 3.6 include several key management sub-requirements such as:

  • Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.
  • Restrict access to cryptographic keys to the fewest custodians necessary.
  • Generate strong cryptographic keys and implement processes to store and distribute them securely.

To help businesses comply with these requirements, AWS provides the AWS Key Management Service (AWS KMS). AWS KMS generates keys inside FIPS 140-2 validated hardware security modules, never exposes key material in plaintext outside them, and lets administrators restrict who can use or administer each key through key policies and IAM, which maps directly onto the requirement to limit key access to the fewest custodians necessary. It integrates with many other AWS services that encrypt data, making it easier to comply with PCI DSS encryption and key management requirements.

Verifying AWS PCI Compliance with a PCI DSS Audit

As we’ve seen, AWS is a PCI-compliant cloud platform. AWS services help businesses build PCI compliant systems to store and process credit card data. Achieving PCI compliance can be less complex on AWS than on self-managed colocated servers, because the provider carries the physical and hypervisor-level controls.

However, less complex isn’t the same as simple. Businesses often face challenges configuring, managing, and integrating AWS cloud services in a way that maintains compliance. Non-compliant organizations risk fines and penalties, termination of the ability to accept cards as payment, loss of business, and legal costs.

As a licensed CPA and QSA firm, KirkpatrickPrice’s PCI audits will help your business demonstrate PCI compliance and reduce the risk of non-compliance. In addition to PCI audits, we also offer cloud security audits, penetration testing, risk assessments, and other services that help businesses to achieve PCI compliance on AWS.

Contact KirkpatrickPrice today to learn more about how a PCI audit could benefit your business.

Independent Audit Verifies Net Friends’ Internal Controls & Processes, Adding Confidentiality Trust Services Criteria

DURHAM — Net Friends, Inc., a North Carolina-based IT company and managed services provider, announced today that it has completed its annual SOC 2 Type II audit, performed by KirkpatrickPrice. For the third year in a row, this attestation presents independent, third-party validation that Net Friends demonstrates a strong commitment to information security practices. By exhibiting the necessary internal controls and processes, Net Friends has provided evidence that they deliver high-quality, trust-based services to their clients.

A SOC 2 audit verifies a service organization’s ability to meet industry standards stipulated by the AICPA. During the audit, Net Friends’ non-financial reporting controls were tested against the security, availability, and confidentiality Trust Services Criteria. The SOC 2 report delivered by KirkpatrickPrice validates the design suitability and operating effectiveness of Net Friends’ controls to meet the standards of these criteria.

“By engaging in the SOC 2 Type II audit every year, we are motivated by transparency and accountability,” said John Snyder, CEO of Net Friends.

“We believe it is our duty to provide our customers with a non-biased, third-party confirmation of our information security practices. We fully leverage our audits to continuously improve our security, availability, and confidentiality.”

       — John Snyder, Net Friends CEO

“By adding the Confidentiality Trust Services criteria to their SOC 2 audit this year, Net Friends has increased their commitment to trust-based controls to support customers’ data protections,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “The SOC 2 audit is based on the Trust Services Criteria, and by communicating Net Friends’ audit results, clients can be assured of their reliance on Net Friends’ controls.”

About Net Friends:

Net Friends provides comprehensive managed IT services, cybersecurity services, IT staffing, and managed infrastructure services to businesses and organizations of all sizes in North Carolina and across the United States. We are your technology partners, delivering reliable, flexible, and effective technical expertise and solutions that have fueled our clients’ success for 25 years. We believe in people, and we love to see our customers and community thrive. Learn more at www.netfriends.com and follow us on LinkedIn.

About KirkpatrickPrice:

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over a thousand clients in North America, South America, Asia, Europe, and Australia. The firm has more than a decade of experience in information security by performing assessments, audits, and tests that strengthen information security practices and internal controls. KirkpatrickPrice most commonly performs assessments on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and FERPA frameworks, as well as advanced-level penetration testing. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on LinkedIn, or subscribe to our YouTube channel.

Independent Audit Verifies Randstad RiseSmart’s Internal Controls and Processes

SAN JOSE, Calif., March 9, 2022 – Randstad RiseSmart, a leading specialist in coaching and career transitions, today announced that it has completed its SOC 2 Type II audit, performed by KirkpatrickPrice. This attestation provides evidence that Randstad RiseSmart has a strong commitment to security and to delivering high-quality services to its clients by demonstrating that they have the necessary internal controls and processes in place.

A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. During the audit, a service organization’s non-financial reporting controls are tested against the Trust Services Criteria in scope for the engagement: security, which is always included, plus any of availability, processing integrity, confidentiality, and privacy. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design and operating effectiveness of Randstad RiseSmart’s controls to meet the standards for these criteria.

“At RiseSmart we deliver innovation to businesses across the world, but a SOC 2 audit is an opportunity for our business to innovate and improve itself,” said Vikash Chauhan, chief technology officer, Randstad RiseSmart. “The audit isn’t a simple tick box exercise to be checked off every year, or just another IT task to include in the budget. Instead, we view the audit as an opportunity to improve our business processes, our approach to data security, and the organization as a whole. As a business partner entrusted to help unleash worklife possibilities, we view caring about our customer’s data and keeping it secure as a critical piece of our business operation.”

“The SOC 2 audit is based on the Trust Services Criteria,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Randstad RiseSmart delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Randstad RiseSmart’s controls.”

About Randstad RiseSmart

Randstad RiseSmart is a leading specialist in worklife coaching and career transitions and an operating company of Randstad N.V. Our purpose is to enable organizations to unleash possibilities throughout their working lives for their biggest asset, their people. We understand that a business thrives when its people do. Our coaching-centric approach is designed to support individuals throughout all stages of their employment, and to support businesses in onboarding, developing, mobilizing, engaging, retaining, and transitioning employees to have the best possible worklife experience in alignment with business needs. We do this through our industry-leading combination of ‘tech and touch’ resources such as expert coaching, field expertise, industry insights, curated content, specialist platforms, and personalized action plans. Visit us at: www.randstadrisesmart.com

Cloud platforms are popular, but they aren’t yet ubiquitous. Six out of ten businesses have conducted a cloud migration, but that implies four out of ten haven’t. If your business hasn’t made the leap to cloud infrastructure, you may be wondering what all the fuss is about. In this article, we explore five reasons you may want to consider moving some of your workloads to a cloud platform such as AWS or Microsoft Azure.

What is Cloud Migration?

Cloud migration is the process of moving data, applications, and computational workloads into the cloud. Because the cloud takes many forms, cloud migration takes many forms too. The classic cloud migration involves moving an application hosted on a physical server to a virtual server hosted in the cloud. But cloud migration may also involve breaking an application into components distributed across multiple cloud services, including database services, storage services, and Platform-as-a-Service (PaaS).

A business may also choose to migrate only part of an application or workload. For example, they may migrate data storage to a cloud platform while hosting the application’s code in their data center. Or they may use on-premises infrastructure as a primary site while leveraging the cloud for disaster recovery or for “cloud bursting,” spilling peak load onto cloud capacity. The combination of on-premises hosting with cloud hosting is often called a hybrid cloud environment.

Three Cloud Migration Strategies

As we’ve seen, cloud migration isn’t a simple matter, but application cloud migration strategies can be broken down into three broad categories. 

Lift and Shift

Lift-and-shift, also known as rehosting, is the simplest cloud migration strategy. An application is transferred in its current form from on-premises servers to virtual servers running in the cloud. Lift-and-shift migrations involve minimal changes to the application because Infrastructure-as-a-Service platforms such as AWS EC2 or Azure Virtual Machines provide server environments that are essentially identical to physical servers from the application’s perspective.

Lift-and-shift migrations are faster, simpler, and less expensive than other types of migration. However, they may not take full advantage of the cloud platform’s capabilities. Additionally, businesses should consider the security and compliance implications of even a simple rehosting project. Virtual servers appear similar to physical servers, but moving to an unfamiliar cloud environment may introduce security and privacy risks that a business is not well-equipped to predict or mitigate. 

Rearchitect

Rearchitecting transforms an application’s design to take advantage of cloud platform features. A monolithic application might be rearchitected as microservices hosted on containers. Or the application might be modified to work with a managed database platform instead of a self-hosted database. 

The extent and complexity of rearchitecting projects depend on the business’s objectives and often on cost considerations, but all rearchitecting projects must pay careful attention to the security and privacy implications of any changes. 

Rebuild/Replace

In the most radical cloud migrations, an application is rebuilt or replaced in its entirety. Instead of moving code and data to the cloud, similar functionality tailored for the cloud is built from the ground up. Businesses may take this route to leave behind a legacy application judged unsuitable for the cloud or to embrace new technologies and platforms. Rebuilding provides a cloud-native application, but it is the most complex and expensive cloud migration option.

5 Benefits of Cloud Migration

We’ve looked at what cloud migration is and the migration strategies businesses use to achieve their objectives, but why do they choose to migrate to the cloud in the first place?

Improved Infrastructure Security and Compliance

Cloud migration alleviates businesses’ need to manage some aspects of infrastructure security. For example, the cloud provider manages physical and some network security. It also provides tooling that helps businesses to monitor and secure their infrastructure. 

However, it’s important to emphasize that cloud security is a shared concern. Although the provider is responsible for some aspects of infrastructure security, the user must ensure they configure and manage cloud services according to cloud security best practices. A significant percentage of cloud security incidents result from improper configuration, as we’ve discussed in previous articles.

Reduced Infrastructure Cost

Cloud platforms can be less expensive than on-premises or colocated infrastructure if managed correctly. Cloud environments grow and shrink in line with the user’s requirements. For example, AWS EC2 instances scale up and down, and businesses can choose from many different configurations depending on their need. Additionally, cloud infrastructure does not require significant up-front investment; users pay only for the infrastructure they use, as they use it. 

As with the security benefits of cloud migration, businesses must follow cloud best practices to realize potential cost savings. Cloud users may spend more than they expect if they do not monitor and control their environment to avoid wasted resources. 

Enhanced Scalability

Scaling on-premises infrastructure is often complex and expensive. Scaling in the cloud is more straightforward. As we have already mentioned, most cloud services grow and shrink in line with the users’ needs. For example, object storage services such as Amazon S3 provide practically unlimited capacity, and businesses don’t have to manage physical storage devices.

Scalability is one reason businesses opt to rearchitect applications when migrating. Breaking an app into smaller services allows each component to be scaled and replicated independently, which may not be possible with a monolithic application. 

Increase Business Agility

The flexibility of cloud platforms allows businesses to respond to evolving customer and market demands. They can deploy and scale infrastructure quickly. Larger cloud platforms provide an array of managed services that make it easier to deploy new features. Furthermore, cloud platforms encourage a DevOps approach to application development, allowing businesses to quickly develop and deploy new features. 

Simplified IT Management

Cloud infrastructure can be managed in a web interface or scripted via an API. Modern cloud management interfaces provide a vast array of features that allow businesses to monitor, configure, and adapt every aspect of their environment. 

As with the other benefits we’ve looked at here, there are potential drawbacks where cloud management is concerned. Cloud management is simpler if your business is familiar with the platform and its intricacies. If not, cloud management can be confusing, and, in the worst cases, a lack of expertise leads to cost, security, and compliance issues. 

Verify Your Cloud Migration Security with KirkpatrickPrice

Cloud migration may create significant new security and compliance risks, especially for businesses unfamiliar with the platform. A cloud security audit verifies and tests the controls your company has in place on AWS, Azure, or GCP. Visit the KirkpatrickPrice AWS Security Scanner or contact a cloud security specialist to learn more about cloud security audits.