The Pros and Cons of Mobile Applications

When you provide mobile apps to customers, they’re expecting them to be secure. They’ve entrusted you with their sensitive data by using your product, and it’s up to you to protect that data. Businesses today must do everything possible to mitigate the advancing threats facing mobile apps, both internally and externally. How sure are you that your organization is doing this? In this webinar, KirkpatrickPrice expert penetration tester, Stuart Rorer, dives into the most common vulnerabilities found in mobile apps and discusses how penetration testing can help keep them secure.

Like all technology, mobile applications have some wonderful benefits, but also have some security concerns that need to be addressed. The trick is to learn how to better secure the technology to thwart attacks before they occur. So, while mobile technology has made nearly everything in our lives more accessible and efficient, the cons of mobile technology should not be forgotten. For example, on the physical side of mobile technology, there are numerous risks: BYOD policies are challenging for IT teams because they’re difficult to secure and keep track of, devices can be stolen, and attackers can hack the devices remotely via Bluetooth. At the application level, mobile applications are vulnerable to common security issues like insecure communications, poor information storage, web attacks, revealed code, and tampering.

7 Proactive Steps for Protecting Your Mobile Apps

From malware attacks and backdoor threats to problems with surveillance, mobile apps will continue to be one of the most targeted attack vectors in 2020. We believe that following these seven steps will help you thwart these security issues and protect your mobile apps.

  1. Stay abreast of the latest security news.
  2. Invest in secure coding and practices for development teams.
  3. Invest in routine – not just annual – penetration testing on mobile applications.
  4. Use code obfuscators to better secure code from decompilation.
  5. Stay on top of the OWASP Top Ten and use their resources to better understand security issues.
  6. Do not trust the device to protect your files.
  7. Always use secure communications to transmit information.

How sure are you that you have found all of the vulnerabilities in your mobile apps? Could there be more you’re unaware of? Watch the full webinar now to learn about common vulnerabilities in mobile apps or let’s talk about how our mobile application penetration testing services can benefit you.

What Were the Biggest Data Breaches of 2019?

The data breaches of 2019 were enormous, with some of the biggest impacting over a billion people collectively. And, as in years past, hackers did not discriminate based on industry, size, or location of companies and continued to use advanced attacks to compromise user data – anything from generic personal data to payment card information and protected health information. Let’s take a look at five of the biggest data breaches of 2019, how they happened, and what’s been done to mitigate them since they were discovered.

Fortnite – 200 million

Starting the year out, security research firm Check Point notified the public that the popular game Fortnite fell victim to a data breach after an old, unsecured web page was compromised, exposing Fortnite players to the risk of having their accounts hacked, their audio recorded, and their in-game currency used. While the attack happened in November 2018, Fortnite creator Epic Games did not acknowledge or attempt to fix the vulnerability until January 2019, two months after Check Point notified them of the security incident. Since the breach was announced, Franklin D. Azar & Associates has filed a class action lawsuit, arguing that while Epic Games is hunting down password dumps that may be used to conduct credential stuffing attacks and is “proactively resetting passwords for player accounts when they believe they are leaked online,” the gaming company isn’t doing enough to recover damages or protect users from future threats.

Facebook – 600 million

In the wake of the Cambridge Analytica scandal, Facebook faced its fair share of cybersecurity challenges throughout this year. Most notably, in a report published by KrebsOnSecurity on March 19th, it was discovered that Facebook had been storing the passwords of between 200 million and 600 million users in plain text, all of which were searchable by more than 20,000 Facebook employees and, in some cases, had been accessible to employees since 2012. Facebook software engineer Scott Renfro told Brian Krebs, “We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data. In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.” This incident is separate from another reported Facebook data breach that impacted 50 million users in September 2019.

Capital One – 106 million

Perhaps one of the most startling data breaches announced this year comes from Capital One, where a malicious user, identified as Seattle-based former Amazon employee Paige Thompson, illegally accessed and downloaded the PII of 106 million Capital One users, including 100 million US customers and 6 million Canadians. According to a statement released by Capital One, that data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers of U.S. consumers, and roughly 1 million Social Insurance Numbers (SINs) of Canadian credit card customers. Capital One explains that it has been determined that no credit card account numbers or log-in credentials were compromised; however, the investigation is still ongoing. To execute the attack, Thompson exploited a misconfigured web application firewall (WAF) by way of Server-Side Request Forgery (SSRF). Thompson has since been arrested and charged by the FBI.

American Medical Collection Agency (AMCA) – 20+ million

Though much smaller in terms of the number of people impacted, the American Medical Collection Agency data breach, which occurred between August 1, 2018 and March 30, 2019, is one of the most talked-about breaches of the year. Why? Because it highlights the pervasive lack of focus on cyber and information security in the healthcare industry. With more than 20 million patients impacted by the breach, AMCA’s partner organizations, including Quest Diagnostics, LabCorp, BioReference Laboratories, and many others, have all since filed complaints with the SEC against AMCA and have cut ties with the company. AMCA has filed for Chapter 11 protection.

Canva – 139 million

On August 10th, Canva, a popular design app, posted a notice on their website explaining that on May 24th malicious hackers had compromised their systems. According to the notice, the attackers were able to access information from the Canva profile database containing the usernames, names, email addresses, country, and other optional information of 139 million users. The hackers also accessed cryptographically protected passwords, briefly viewed files with partial credit card and payment data, and claimed to have obtained OAuth login tokens. Canva was able to stop the attack while it was happening and implemented their incident response plan immediately – notifying users and authorities right away that the breach had occurred. In a June 1st notice, Canva explained the steps they took to mitigate this breach: notifying users, prompting users to reset passwords, resetting OAuth tokens, coordinating with partners, and partnering with 1Password to provide password management services for a year.

Staying secure in a data-centric world has become increasingly complicated, and that’s more than evident by these top data breaches of 2019. There are new threats and vulnerabilities discovered on a regular basis, and if organizations don’t make security a foundational part of their organization, they will likely see repercussions from this. Let KirkpatrickPrice be the partner you’ve been looking for when it comes to ensuring the security of your business. Contact us today to learn about our auditing, pen testing, and readiness and guidance services so you can stay protected against these types of data breaches and more in 2020.


On July 25, 2019, New York Governor Cuomo signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act which amends the state’s breach notification law in order to “impose stronger obligations on businesses handling private data to provide proper notification to affected consumers when there is a security breach.” The breach notification amendments took effect in October 2019, while the data security requirements will take effect on March 21, 2020.

New York’s Commitment to Data Security, Privacy, and Breach Notification

As one of the technology epicenters of the world, New York has a dire need to position itself as a leader in data security, privacy, and breach notification. Over the last two years, we’ve seen New York make progress by placing a focus on cybersecurity via the Cyber NYC initiative and by emphasizing vendor management and cybersecurity through the New York State Department of Financial Services Cybersecurity Requirements Regulation for Financial Services Companies (23 NYCRR Part 500). But New York’s data security, privacy, and breach notification laws have still fallen short, considering the type of controls needed to secure businesses and the type of data privacy laws other states are working to implement. Considering this, the most recent move by Governor Cuomo to implement the New York SHIELD Act is a clear indication that New York is committed to establishing and enforcing protective measures for New York consumers’ private information.

What is the New York SHIELD Act?

Born out of the need for stricter breach notification laws, the SHIELD Act requires that entities who collect, handle, use, or store the personal or private information of New York residents have robust data security measures in place and report breaches in a timely manner. Ultimately, according to the New York State Senate, the SHIELD Act has three main intentions:

  1. To broaden the scope of information covered under New York’s breach notification law and update requirements
  2. To broaden the definition of a data breach
  3. To require reasonable data security, provide standards tailored to the size of a business, and provide protections from liability for certain entities

How Does the SHIELD Act Impact Your Organization?

Similar to the California Consumer Privacy Act (CCPA), the New York SHIELD Act applies to “any person or business which […] owns or licenses computerized data which includes private information.” This means that businesses holding even a single record from a New York resident or employee are subject to the requirements of the law. In other words, the SHIELD Act does not apply only to businesses that physically do business within the borders of New York – it is far-reaching and will likely have a nationwide and global impact.

How to Comply with the SHIELD Act?

The SHIELD Act requires that organizations, at a minimum, do the following:

Implement reasonable administrative safeguards

According to § 899-bb(2)(b)(ii)(A), organizations can do this by:

  • Designating one or more employees to coordinate the security program
  • Identifying reasonably foreseeable internal and external risks
  • Assessing the sufficiency of safeguards in place to control the identified risk
  • Training and managing employees in the security program practices and procedures
  • Verifying that the selection of service providers can maintain appropriate safeguards and requiring those safeguards by contract
  • Adjusting the security program in light of business changes or new circumstances

Establish reasonable technical safeguards

According to § 899-bb(2)(b)(ii)(B), organizations can do this by:

  • Assessing risks in network and software design
  • Assessing risks in information processing, transmission, and storage
  • Detecting, preventing, and responding to attacks or system failures
  • Regularly testing and monitoring the effectiveness of key controls, systems, and procedures

Create reasonable physical safeguards

According to § 899-bb(2)(b)(ii)(C), organizations can do this by:

  • Assessing risks of information storage and disposal
  • Detecting, preventing, and responding to intrusions
  • Protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
  • Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed

Cost of Non-Compliance

In today’s data-driven world, the cost of a data breach can be devastating to a business, especially small and medium-sized businesses. If data security and privacy aren’t made a priority from the start, compliance and security issues may later be the downfall of a seemingly secure, successful company. When a data breach occurs, there are endless impacts not only on the entity that was hacked, but on its vendors, partners, and, most importantly, the consumers. Because Governor Cuomo understood that adequate breach notification is such a vital part of breach recovery, the SHIELD Act provides that if entities fail to comply, the New York State Attorney General can seek up to $250,000 in penalties for violations by a company.

Data breaches are a matter of when, not if, they’ll occur, which means that it is imperative that organizations have a thorough breach notification strategy in place. But more often than not, organizations fail to do this and can incur costly fines and penalties for their negligence, as with Uber’s infamous data breach cover-up. Consumers have the right to know when their personal and private information has been compromised by malicious individuals, and businesses must ensure those rights are honored. The SHIELD Act is one way New York is making sure this happens.

If your organization has to comply with the latest New York breach notification law or you’re in need of guidance for creating your own breach notification strategy, let’s find some time to talk!



During the audit process, our qualified Information Security Specialists use best practices to determine the scope of the work. If you’ve never completed an audit, you’ve probably had questions about scoping and sampling. How many locations should be audited? Which locations are most important? How does an auditor develop a scope? What kind of sampling takes place during the audit? These are all valid questions asked by organizations undergoing an audit for the first time. Let’s talk about locations and sampling.

Locations, Locations, Locations

If you’re an organization with multiple office locations, you may be wondering which locations to include in your audit. While our expert-level Information Security Specialists will audit multiple locations, it’s not necessary that they physically visit every office location that you have. Instead, you can include the locations that hold key systems and processes. If you are storing data or backing up your systems in an office location, you should expect that location to be included in your audit. Do you have remote employees with no access to data? Wherever you’re looking to check security controls and protect data, you need to have those processes tested.

Do you have an office located overseas? Have you ever visited this office location to confirm proper security processes are in place? Out of sight, out of mind is a reality for many organizations with overseas locations. That’s why it’s important to have a qualified Information Security Specialist in person completing an onsite visit and auditing your security controls. Many of our clients are appreciative of our auditors who are willing to travel overseas to verify that their vendors are doing what they say they’re doing. Whether that location is in Canada or India, you’ll want the security of that location to be thoroughly audited.

How Does Location Data Sampling Work?

Imagine you have hundreds of employees across hundreds of office locations with countless amounts of data you’re planning to audit. If one of our Information Security Specialists were to use every one of your data points from every location in an audit, the audit process would take years to complete. Instead, auditors use sampling to take the portion of the data that is necessary to reach reasonable assurance during the audit. When designing the sample, auditors evaluate the purpose of the sample, outliers, and behavior to select the proper sample size. Sampling risk should be determined to understand how many possible errors could be in the data so that the Information Security Specialist can reach reasonable assurance.

Overall, sampling is a tool that is used to gather a reasonable amount of data that can be used in the audit. Instead of auditing 400 retail locations, the auditor may take a sample from each region. You can expect to participate in sampling during the audit process as an effort to complete a quality audit.

Completing an Audit with KirkpatrickPrice

When you choose to complete an audit with KirkpatrickPrice, you’re also choosing to receive quality education throughout the audit process and guidance from our expert information security team. We’ll guide you through the decision-making processes as you choose which locations to include in your scope. During the onsite visit, your Information Security Specialist will further expand on the sampling tool as they work to audit your security controls. You can count on KirkpatrickPrice to reach reasonable assurance in all of our audit practices. Interested in learning more about completing an audit with KirkpatrickPrice? Contact us, today!


It’s not uncommon for healthcare breaches to make the headlines these days. Whether it’s a major breach like Anthem’s $16 million breach or a smaller HIPAA violation such as improper disposal of secure records, healthcare organizations are falling victim to security breaches at an alarming rate. According to IBM Security’s 2019 Cost of a Data Breach Report, the healthcare industry has the highest average cost of a breach of any industry, at $6.45 million. Do you have $6.45 million that you’re ready to use if your systems are breached? Are you prepared to spend years dealing with the OCR for failing to protect privacy rights? Of course not. One of the best ways to avoid these detrimental consequences is to make sure you’re compliant with HIPAA and start mitigating common HIPAA gaps now.

Missing the Mark with HIPAA Gaps

Maybe you’re preparing for a HIPAA audit and looking for the first step to compliance, or you don’t know anything about HIPAA and you’re struggling to get started. Either way, you need to know about these common HIPAA gaps to avoid possible threats and hefty fines. Which HIPAA gaps are the most prominent vulnerabilities revealed in recent healthcare industry security breaches? Let’s discuss four common HIPAA gaps.

Non-Compliant Business Associate Agreements

A Business Associate Agreement, or BAA, is a document between a covered entity and business associate confirming that both entities will do their due diligence to protect PHI that is transferred between businesses. Not having a thorough written agreement in place to protect PHI is a violation of HIPAA. According to recent OCR findings, non-compliant BAAs are common HIPAA gaps that you should be working to mitigate. If you aren’t already practicing proper BAA procedures, you need to start now.

Missing Risk Analysis

How often should a risk analysis be performed? What should you do with your risk analysis findings? These are good questions to ask when mitigating common HIPAA gaps, as missing a risk analysis tends to be one of the first weaknesses found during a HIPAA audit. A risk analysis should be performed after any major changes in your organization and, at the very least, once annually. Once the risk analysis is performed, your organization should adjust and correct any vulnerabilities found. Don’t be a victim of this common HIPAA gap!

Physical Security Holes

Your physical security is one of the most important defense practices you can establish to protect valuable PHI. Without proper locking of secure documents, the use of security badges for access to secure areas, or proper desktop auto-locking procedures, you’re creating vulnerabilities that could be breached by malicious individuals. To comply with HIPAA, you have to be diligently working to mitigate common HIPAA gaps like holes in your physical security.

Lost or Insecure Devices

While it may seem obvious that all devices with PHI need to be protected against loss or theft, it’s still one of the most common HIPAA gaps found during the compliance journey. Encryption is a big piece of the puzzle, as all devices in your organization should be protected against malicious use in the case of loss or theft. Taking the next step of backing up your systems and encrypting those backups is vital in mitigating any threats to your organization.

Learning to Close Common HIPAA Gaps

By mitigating these gaps early on, you’re setting your organization up to avoid costly fines and unexpected breaches. You can start your compliance journey by closing these common HIPAA gaps and implementing company-wide procedures that address the vulnerabilities plaguing your systems. These practices will help you avoid becoming another number in common healthcare security statistics. Instead of joining the hundreds of other healthcare organizations that were victims of 466 security incidents in 2019, your organization can join the many KirkpatrickPrice clients who are satisfied with the expert-level, quality audits we perform. Contact us to start your journey to becoming more than an information security breach statistic!
