Today’s cyber landscape is riddled with advancing threats. From simple phishing attacks to intricate DoS attacks, businesses must ensure that the data they collect, use, store, and transmit is properly and thoroughly secured. After all, the data that companies hold is one of their greatest assets, so being aware of the consequences associated with losing that data is essential. For this reason, we believe that it’s imperative that organizations encrypt their backups. So, what are encrypted backups? What do you need to know about how to encrypt backups? Let’s discuss.

What is an Encrypted Backup?

To put it simply, an encrypted backup is an extra security measure that is used by entities to protect their data in the event that it is stolen, misplaced, or compromised in some way. Oftentimes, however, businesses confuse encryption with hashing. Let’s be clear: they are not the same.

Hashing vs. Encryption

The main difference between hashing and encryption is that a hash is not reversible: you cannot take a hash value and derive the original input from it. A hash acts somewhat like a fingerprint of the data, and hash functions have well-known classes of attack (e.g. collisions or rainbow tables). Encryption, on the other hand, is reversible: the ciphertext can be turned back into the original data if the decryption key is known.

How to Encrypt Backups

There are various ways to create encrypted backups. If you are unsure how to encrypt backups, start by determining which method is best for your organization, considering factors such as the types of data stored, environment type (cloud, hybrid, physical), personnel and technical experience, industry, applicable framework requirements, and more. The most common types of encryption are symmetric and asymmetric.

Common Types of Encryption

  • Symmetric Encryption: Symmetric-key algorithms use the same cryptographic key for both encryption of plaintext and decryption of ciphertext.
  • Asymmetric Encryption: Asymmetric encryption is a form of encryption where keys come in pairs. Frequently, but not necessarily, the keys are interchangeable, in the sense that if Key A encrypts a message, then Key B can decrypt it, and vice versa. With asymmetric encryption, the private and public keys together make up the key pair: one key of the pair is used to encrypt the data and the other to decrypt it.

Framework and Legal Requirements for Encryption

While this list is not exhaustive, some of the most common framework and legal requirements for encryption include the following:

  • PCI DSS: Requirement 3.4 says, “Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: one-way hashes based on strong cryptography (hash must be of the entire PAN), truncation (hashing cannot be used to replace the truncated segment of PAN), index tokens and pads (pads must be securely stored), strong cryptography with associated key-management processes and procedures.”
  • HIPAA: According to the HIPAA Security Rule technical safeguards, 45 CFR § 164.312(a)(2)(iv) includes an addressable requirement that covered entities and their business associates, “Implement a mechanism to encrypt and decrypt electronic protected health information.” While this requirement is nebulous, you can learn more about the requirements here.
  • GDPR: Article 32(1)(a) states, “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data.”

Benefits of Encrypted Backups

It’s no secret that data is a highly sought-after asset, and malicious hackers and organizations will stop at nothing to get their hands on your organization’s data. However, internal threats are equally important to consider. But, if you’re proactive and implement robust encryption practices to protect your backups and data, you can reap many rewards. For example, IBM’s 2019 Cost of a Data Breach Report explains that “extensive use of encryption, data loss prevention, threat intelligence sharing and integrating security in the software development process (DevSecOps) were all associated with lower-than-average data breach costs. Among these, encryption had the greatest impact, reducing breach costs by an average of $360,000.” Aside from lowering the potential cost of a data breach, encrypted backups can protect your organization’s assets, position your organization as a trustworthy and reliable partner, and provide your customers with the peace of mind they deserve.

Still questioning what an encrypted backup is? Need more information on how to encrypt backups? Contact us to talk to one of our Information Security Specialists today, and let KirkpatrickPrice be your expert partner as you navigate how to ensure the security of your data through encrypted backups.

More Information Security Resources

How to Scale Your Information Security Program as You Grow

Is Endpoint Protection a Comprehensive Security Solution?

Are Your Remote Employees Working Securely?


We get a lot of questions about SOC 1 and SOC 2 audits. What’s the difference between the two? Should your company do both? Are you able to consolidate multiple audits into one project? KirkpatrickPrice has developed the Online Audit Manager to make it easier to combine multiple audits into one project. Let’s talk through why and how you would take on the project of a combined SOC 1 and SOC 2 audit.

What are SOC 1 and SOC 2 Audits?

Before we discuss how to go through a combined SOC 1 and SOC 2 audit, let’s review what each of these types of audits is. What does a SOC 1 audit assess? A SOC 1 audit is an assessment of the internal controls at a service organization which have been implemented to protect client data. SOC 1 audits are performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) standard and report on the effectiveness of internal controls at a service organization that may be relevant to their clients’ internal control over financial reporting (ICFR).

A SOC 2 audit is a second type of SOC assessment of the internal controls at a service organization that protect client data. The SOC 2 audit was designed to determine if service organizations are compliant with the principles of security, availability, processing integrity, confidentiality, and privacy (also known as the Trust Services Criteria) – which are typically unrelated to ICFR. The Trust Services Criteria are the foundation of the SOC 2 audit, just as the SSAE 18 is the basis of a SOC 1 audit.

Why a Combined SOC 1 and SOC 2 Audit?

Why would a company pursue a combined SOC 1 and SOC 2 audit? The obvious reason is that you may have clients that are specifically asking for SOC 1 and SOC 2 reports from you. They want to know whether you are handling their data in a secure way. You could also have some asking for one audit or the other. In some circumstances, your clients may not even know which one you need, but they want you to prove your security practices are legitimate – so it’s up to you to determine whether you’ll undergo a SOC 1, SOC 2, or a combined SOC 1 and SOC 2 audit. Whenever your clients (especially key accounts) or stakeholders have specific compliance requirements, it’s always a wise decision to do your due diligence and know what your options are for meeting their requirements and industry standards. To effectively ensure that your controls meet the demands of the variety of clients and stakeholders that you serve, you should know that a combined SOC 1 and SOC 2 audit is an option.

Here’s what some of our clients have to say about their combined SOC 1 and SOC 2 audit with KirkpatrickPrice:

  • “Trust and transparency is a core Rhumbix value. As a leading provider of construction technology, it is important for us to provide SOC 1 and SOC 2 reporting for our customers and ensure we continue to build and architect future Rhumbix products with the highest standards.” – VP of Development at Rhumbix
  • “The successful completion of our SOC 1 and SOC 2 Type II examination audits provides our clients with the assurance that the controls and safeguards we employ to protect and secure their data are in line with industry standards and best practices.” – Information Security Officer at Inovatec
  • “CBOSS is committed to delivering robust, secure solutions for payment processing to all our customers. To that end, we strive to make security and reliability integral to every aspect of our operations. We appreciate KirkpatrickPrice’s thoroughness and we are proud to have met or exceeded all the requirements they validated.” – Security and Compliance Manager for CBOSS
  • “Upholding security regulations is critical as a service provider. Completing the SOC 1 Type II and SOC 2 Type II audits provides validation to OneCloud customers that we’re committed to keeping our platform secure. OneCloud will annually renew our SOC certification by maintaining the necessary controls and processes.” – Chief Executive Officer of OneCloud

Using the Online Audit Manager

Our goal is to make SOC 1 and SOC 2 reports more accessible to organizations who are being asked for them, so in order to complete a combined SOC 1 and SOC 2 audit, we utilize the Online Audit Manager. The Online Audit Manager is an online audit delivery tool that maps the requirements of each framework to one another so that you can capitalize on your resources instead of answering the same question over and over again on separate audits – all with the goal of saving your organization’s time, effort, and money. Completing a combined SOC 1 and SOC 2 audit with KirkpatrickPrice will be a more efficient, accessible process for your organization. Interested in more specifics on how this works? Let’s set up a demo of the Online Audit Manager.

More SOC 1 and SOC 2 Resources

What’s the Difference Between SOC 1, SOC 2, and SOC 3?

Using the Online Audit Manager to Complete Multiple Audits

4 Reasons the Online Audit Manager is the Audit Tool You’ve Been Missing

Thinking about hiring a firm to conduct an external network penetration test? What is an external network penetration test, and why do you need one? Or, have you recently been disappointed with an external network penetration test engagement? At KirkpatrickPrice, our experienced penetration testers want our clients to walk away from each engagement knowing that they are more prepared to combat advancing cyber threats. We are committed to conducting the most realistic, thorough testing possible because when an attacker compromises your external network, it’s likely that they won’t stop there. They’ll go a step further and utilize social engineering tactics, like creating phishing emails specific to your organization, to further infiltrate your environment. That’s why we recommend knowing your options and understanding the different levels of service available for external network penetration tests.

Choosing Levels of Service for External Network Penetration Testing

Standard – External Network Penetration Testing

An external network penetration test provides insight into what an attacker outside your network could exploit. Findings might include:

  • Discovery of open ports, protocols, and services that were accidentally exposed to the Internet
  • Discovery of data leaks, such as excessively open permissions on Amazon S3 buckets
  • Identification and exploitation of old or unsupported systems. These are especially prone to compromise since exploits are more likely to be widely available
  • Identification and exploitation of unpatched or misconfigured systems. On multiple occasions, our testers have found systems with remote-code execution vulnerabilities or misconfigurations that allow passwords to be leaked, among other bugs
  • Broken encryption methods (most common on websites, but also for systems like SSH or VPN servers)
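The second finding in the list, excessively open permissions on Amazon S3 buckets, is one that a defender can check for before a tester does. The following is an added example, not code from the original article or from KirkpatrickPrice: it parses an S3 bucket policy document and classifies each statement as public (an unconditional Allow to an anonymous principal), needing review (an anonymous Allow that is narrowed by a Condition block), or ok. The sample policy, bucket name and account ID are constructed for the example.

```python
"""Added example (not from the original article): a defender-side check
for anonymous-principal grants in an S3 bucket policy.

Input is the policy JSON string as returned by
`aws s3api get-bucket-policy --bucket NAME --query Policy --output text`.
The sample below is constructed; the bucket and account ID are not real.
"""
import json

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        # Anyone on the Internet can read every object: this is the finding.
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::backups-example/*"},
        # Anonymous principal, but scoped by a Condition: needs a human look.
        {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::backups-example",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-example"}}},
        # A specific IAM role: fine from a public-exposure standpoint.
        {"Sid": "BackupWriter", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::backups-example/*"},
    ],
})


def _is_anonymous(principal) -> bool:
    """True when the statement applies to everyone, authenticated or not.
    Both "*" and {"AWS": "*"} mean anonymous access in a bucket policy."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def _as_list(value) -> list:
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy_json: str) -> dict:
    """Sort statements into 'public', 'review' and 'ok' buckets."""
    policy = json.loads(policy_json)
    result = {"public": [], "review": [], "ok": []}
    for stmt in _as_list(policy.get("Statement", [])):
        entry = {"sid": stmt.get("Sid", "<no Sid>"),
                 "actions": _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            result["ok"].append(entry)
        elif stmt.get("Condition"):
            result["review"].append(entry)
        else:
            result["public"].append(entry)
    return result


def public_sids(policy_json: str) -> list:
    """Convenience view: just the Sids of unconditional public grants."""
    return [e["sid"] for e in audit_bucket_policy(policy_json)["public"]]


if __name__ == "__main__":
    report = audit_bucket_policy(SAMPLE_POLICY)
    for level in ("public", "review", "ok"):
        for e in report[level]:
            print(f"{level:6s} {e['sid']}: {', '.join(e['actions'])}")
```

A bucket policy is only one of the ways a bucket becomes public; object ACLs and the account and bucket level Block Public Access settings are separate controls, so a clean result here does not by itself close the finding. Running this over every bucket's policy on a schedule is the kind of self-check that keeps "accidentally exposed" data out of a tester's report.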

Advanced – External Network Penetration Test Plus Social Engineering

A good ethical hacker will want to utilize as many tactics as possible to discover potential vulnerabilities in an external network. That’s why our penetration testers take external network penetration tests to the next level – the advanced level. They don’t feel like they’re delivering on their work until they go the extra mile and use creative ways to exploit your external network. This typically looks like social engineering methods, such as phishing, to make the penetration test more realistic. An external attacker is not just interested in checking the security of your network perimeter and moving on if they don’t find anything – they’re interested in using external-facing systems (such as email) to get directly into the network. When you’re selecting a firm to conduct your external network penetration testing, consider asking them about social engineering. This provides additional value, such as:

  • Measures mentioned for external testing alone
  • Reviewing layers of security – if an employee accidentally gives away a password when phished, does this impact the external security, and how?
  • Testing security awareness of employees when it comes to email and phone
  • Evaluation of how well email protection/spam filtering measures and protects users from potentially dangerous content
  • Evaluation of how well endpoint protection protects users

Because hackers are so likely to compromise environments using multiple attack vectors, we highly recommend understanding your options when it comes to levels of service and choosing an advanced-level external network penetration test. This extra measure helps ensure that all potential vulnerabilities are found.

Case Study: Advanced External Network Penetration Test

Did you know that in 2019, 32% of breaches involved phishing, and over 60% of breaches involved the use of stolen credentials? Phishing is one of the simplest and most frequently used attack methods among malicious hackers. Educating your employees on how to identify and report such emails is essential – and it’s a skill that needs to be thoroughly tested by someone experienced in creating realistic phishing emails. Our penetration testers have executed phishing attempts that were so convincing that 40% of IT personnel compromised their passwords.

In one engagement, a KirkpatrickPrice penetration tester performed a red team engagement on a casino and resort. In order to gain access to the network, the penetration tester sent out a phishing email that impersonated the casino’s HR department. The email stated that there was a new HR portal that employees needed to log in to and verify their personal information. If they didn’t, the phishing email threatened that a delay in payroll might occur. The penetration tester even went as far as creating a fake HR portal webpage identical to the casino’s brand and linked to it in the phishing email. With the fear of payroll being impacted, many employees (even some HR employees) clicked on the phishing link, allowing the penetration tester to obtain several sets of credentials and utilize a VPN connection to access the network of the casino. From there, they were able to compromise the entire network.

Had this casino opted to only do a standard external network penetration test, it’s likely that the phishing email never would’ve been created and the casino would have had no idea that its employees would so easily click on a phishing email. Instead, the casino and resort would have only received findings of things like open ports, protocols, and services that were accidentally exposed to the Internet, or unpatched or misconfigured systems, and it would be left vulnerable to more thorough hackers.

Getting the most out of your penetration test comes down to choosing the right penetration tester and knowing your options for the levels of service. If you’re in the process of selecting a firm to conduct penetration testing for your organization, let’s chat more about the different levels of service for external network penetration tests and how we can partner to get you the results you need.

More Penetration Testing Resources

5 Critical Things to Consider When Choosing a Pen Tester

3 Hacks to Get the Most Out of Your Penetration Test

What Should You Really Be Penetration Testing?

Security Awareness Training Requirements: SOC 2, PCI, HIPAA, and More

Independent Audit Verifies ProntoForms’ Internal Controls and Processes

Ontario, Canada – ProntoForms, a low-code app development platform for field service, today announced that it has completed its annual SOC 2 Type II and HIPAA audits. This attestation is evidence of ProntoForms’ continued commitment to delivering a high-quality solution with the necessary internal controls and processes for highly regulated industries.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of ProntoForms’ controls to meet the standards for these criteria.

HIPAA sets a national standard for the protection of consumers’ PHI and ePHI by mandating risk management best practices and physical, administrative, and technical safeguards. HIPAA was established to provide greater transparency for individuals whose information may be at risk, and the OCR enforces compliance with the HIPAA Privacy, Security, and Breach Notification Rules. ProntoForms’ compliance with the HIPAA Security Rule demonstrates its commitment to security for ePHI by ensuring the confidentiality, integrity, and availability of ePHI, protecting against threats, protecting against unpermitted disclosures, and ensuring workforce compliance.

Glenn Chenier, Chief Product Officer, says, “With KirkpatrickPrice, it didn’t feel like we were doing two audits, we just had a larger question set. Working in the portal and with an auditor helped us feel like we had a realistic feel for the project size.”

“ProntoForms delivers trust-based services to their clients, and by communicating the results of these audits, their clients can be assured of their reliance on ProntoForms’ controls,” said Joseph Kirkpatrick, President of KirkpatrickPrice.

ProntoForms also decided to extend the scope of its compliance program to include FDA Title 21 CFR Part 11. This regulation, issued by the FDA, sets out security criteria for ERES captured on electronic documents. ProntoForms commented, “Obtaining Part 11 compliance augments our already very strong HIPAA and SOC 2 Type II compliance story. It demonstrates that we’re committed to growing our compliance footprint and that we take the security of sensitive data collected in the field very seriously. When working with compliance-sensitive companies, like biotech, pharma, healthcare, and medical device organizations, this is imperative.”

About ProntoForms

ProntoForms is the global leader in field-focused low-code application platforms for enterprise. The company’s solution is used to create apps and forms to collect and analyze field data with smartphones and tablets – either as a standalone solution or as a mobile front-end to enterprise systems of record.

ProntoForms’ 100,000+ subscribers harness the intuitive, secure, and scalable solution to increase productivity, improve quality of service, and mitigate risks. It is based in Ottawa, Canada, and trades on the TSXV under the symbol PFM. ProntoForms is the registered trademark of ProntoForms Inc., a wholly owned subsidiary of ProntoForms Corporation.

Read more about ProntoForms’ compliance journey here.

Independent Audit Verifies Pacesetter’s Internal Controls and Processes

Tulsa, OK – Pacesetter, a leading provider of catastrophic and daily property claims adjusting services, today announced that it has completed its SOC 2 Type II audit. This attestation provides evidence that Pacesetter has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of Pacesetter’s controls to meet the standards for these criteria.

Pacesetter’s President and CEO, Bill Brassfield, is justifiably proud of this achievement. “Our brand has been that of quality claims services our clients can all rely on. I wanted to expand on that and add another dimension. I wanted to prove to our current and future clients that we understand the security risk exposures we all face, and most importantly, at Pacesetter, we have implemented necessary controls and systems to meet or exceed our industry’s expectations. By meeting the rigid standards of a SOC 2 Type II engagement, I believe we provide our clients and business partners with advanced assurances they can count on when doing business with us.”

“The SOC 2 audit is based on the Trust Services Criteria. Pacesetter has selected the security category for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Pacesetter delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Pacesetter’s controls.”

About Pacesetter

Pacesetter Claims Service Inc. began in 1997 as an independent catastrophe claims adjusting firm. Today, PCS proudly offers a variety of professional claims services. We are still a family-run company, owned and operated by experienced, dedicated claims professionals who fundamentally appreciate and understand the value of customer service delivered through quality claims products and services. To learn more about Pacesetter, we invite you to visit our website, follow us on Facebook, or connect with us on LinkedIn.