What is NIST?

The National Institute of Standards and Technology, or NIST, is an organization that is part of the U.S. Department of Commerce and has the goal of being a leader in innovation and technology by providing fair standards and solutions.

The core competencies of NIST are measurement science, rigorous traceability, and development and use of standards. These core competencies influence the reliability of the information produced by the organization. As a giant in the industry, NIST has an opportunity to provide quality principles that can be used by organizations to develop secure information security practices and perform security testing.

NIST publishes documents that can be helpful in developing further strategies and methodologies that are used by information security specialists. NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment, is one of these documents that is used in planning and designing proper security processes and procedures.

When it comes to penetration testing, NIST SP 800-115 is a valuable guide that can be used to influence the methodology pen testers use when testing for organizational vulnerabilities.

NIST Special Publication 800-115 and Penetration Testing

NIST SP 800-115 is an overview of the key elements of security testing. It isn’t a comprehensive guide, but it does direct organizations on how to plan and conduct technical information security testing, analyze the findings, and develop remediation strategies.

This guidance on NIST methodology includes:

  • Security Testing and Examination Overview
    • Policies
    • Roles
    • Methodologies
    • Techniques
  • Review Techniques
    • Documentation Review
    • Log Review
    • Ruleset Review
    • System Configuration Review
    • Network Sniffing
    • File Integrity Checking
  • Target Identification and Analysis Techniques
    • Network Discovery
    • Network Port and Service Identification
    • Vulnerability Scanning
    • Wireless Scanning
  • Target Vulnerability Validation Techniques
    • Password Cracking
    • Penetration Testing
    • Social engineering
  • Security Assessment Planning
    • Developing a Security Assessment Policy
    • Prioritizing and Scheduling Assessments
    • Selecting and Customizing Technical Testing and Examination Techniques
    • Determining Logistics of the Assessment
    • Developing the Assessment Plan
    • Addressing Any Legal Considerations
  • Security Assessment Execution
    • Coordination
    • Assessment
    • Analysis
    • Data Handling
  • Post-Testing Activities
    • Mitigation Recommendations
    • Reporting
    • Remediation

The detailed guidance provides necessary explanations for many major components of security testing. Because of NIST SP 800-115, your organization can trust qualified audit firms to perform security testing that complies with a set of guidelines that is accepted across the industry.

The NIST SP 800-115 guidance is useful in providing structure to information security testing, but it is not meant to be a substitute for proper security procedures and processes.

Instead, NIST SP 800-115 should be helpful in testing that your organization’s security controls are as secure as you expect them to be. For that reason, penetration testers gravitate to the principles taught in NIST SP 800-115 when developing their testing, as it gives clear guidance for seeking out vulnerabilities.

To learn how you can benefit from penetration testing in your organization, contact KirkpatrickPrice today!

What Do You Need to Know About CCPA?

Much like the European Union’s General Data Protection Regulation of 2018, the California Consumer Privacy Act is another piece of data privacy legislation that organizations must prepare for as they reexamine the way they collect, use, store, transmit, and protect data. But here’s what companies who interact with California consumers and residents must understand: complying with the various other data privacy laws already being enforced does not mean they comply with CCPA. In fact, no matter how similar CCPA is to other data privacy laws, there are nuances between those laws to be accounted for. What does this mean for your organization? What do you really need to know about CCPA? Here are the five core components of the law.

1. What Is CCPA?

In June 2018, California Governor Jerry Brown signed into law AB 375, enacting The California Consumer Privacy Act of 2018 (CCPA). The purpose of CCPA is to give consumers more rights related to their personal data, while also requiring businesses to be more transparent about the way personal data is used and shared. Because of California’s reputation as a hub for technology development, this law speaks to the needs of its consumers which continue to evolve with technological advancements and the resulting privacy implications surrounding the collection, use, and protection of personal information. The law will go into effect on January 1, 2020. Please note that the law may be subject to legislative amendments and regulations that the California Attorney General’s Office creates. At the point of publication, the main legal requirements are:

  • Consumer rights to access, deletion, non-discrimination, and opt-out of selling data
  • Privacy disclosure (i.e. Privacy Policy requirements) related to data collection and use and disclosures
  • Vendor contract requirements
  • Implement and maintain reasonable security measures

2. Who Does CCPA Apply To?

As with GDPR’s data subjects, the law does not apply only to businesses located within the state of California. Instead, it applies to certain businesses that collect, use, receive, or transmit the personal data of California consumers. Specifically, CCPA applies to for-profit businesses that do business in California and that meet any of the following criteria:

  • (A) Have annual gross revenues of over $25,000,000
  • (B) Buy, sell, or share the personal information of 50,000+ consumers per year
  • (C) Derive 50% or more of their annual revenues from selling consumers’ personal information

3. Who Enforces CCPA?

The CCPA is far less ambiguous than other data privacy laws when it comes to who is enforcing the law. According to the American Bar Association, “The CCPA is enforceable both by the Attorney General for the State of California and by private litigants. However, the Act contains technical terms regarding when and how a consumer can bring a private action under the statute.”

4. What are the Penalties for Non-Compliance?

The penalties for non-compliance with CCPA depend on the entity issuing the penalty. If consumers pursue a private, class-action lawsuit, statutory damages could be between $1,000 and $3,000 or actual damages, whichever is greater. If the Attorney General issues fines for non-compliance, companies may be liable for fines of up to $7,500 per violation. Additionally, in the event of a data breach, consumers can recover damages of between $100 and $750 per consumer per incident.

5. What are the Exemptions to CCPA?

According to AB 375 Section 1798.145, there are six exemptions to complying with CCPA. Complying with the law should not hinder a business’s ability to:

  1. Comply with federal, state, or local laws
  2. Comply with civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities
  3. Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law
  4. Exercise or defend legal claims
  5. Collect, use, retain, sell, or disclose consumer information that is de-identified or aggregate consumer information
  6. Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California

When it comes to complying with CCPA, KirkpatrickPrice’s Director of Regulatory Compliance, Mark Hinely, wants organizations to know that “CCPA has already generated other state laws with similar requirements, so the time spent working on data subject rights processes and privacy policy disclosures right now could save some time in the future if and when other states or the U.S. federal government implements consumer privacy rights.” Whether it’s CCPA, GDPR, PIPEDA, or any of the other data privacy laws enacted throughout the United States and beyond, KirkpatrickPrice wants to partner with you on your compliance journey. Let’s talk about our risk assessment, consulting, or privacy audit services soon!

Best Practices for AWS Security

AWS brings new opportunities for businesses to innovate, build, and grow – but what about the data in the cloud?

Is it protected? How likely is it to be compromised?

The 2019 Cloud Adoption and Risk Report from McAfee reports that the sharing of sensitive data in the cloud is increasing 53% year-over-year. The average enterprise generates over 3 billion events every month in the cloud and uses 1,935 different cloud services, giving malicious attackers ample opportunity to find, steal, and sell the data you are responsible for.

This means that organizations must do everything in their power to implement AWS security and safeguard personal information. Where should you begin?

Let’s discuss some of the basic security practices for S3 and EC2. These are extremely complicated subjects, but let’s make a starting point for your AWS security strategy with the following best practices.

Protecting AWS S3 Buckets

S3 buckets are a major component of using AWS, but they’re also a major security concern. McAfee reports that 5.5% of all AWS S3 buckets that are in use are misconfigured and publicly readable.

Why?

S3 buckets are extremely complex, and anything that is complex is harder to secure.

Randy Bartels, Vice President of Security Services at KirkpatrickPrice, comments, “AWS has an obligation to make it less complex, and users have an obligation to understand the complexity and make sane choices in setting up policies.”

How can you be sure your S3 buckets align with best practices for AWS security?

  • Does your organization have IAM policies? These give you a way to manage permissions for digital identities. IAM best practices include policies that outline strong password requirements, key rotation every 90 days or less, role-based access controls, and MFA.
  • Are permissions based on the principle of least privilege? Users should only be allowed to access data that is necessary to perform their job duties.
  • Does your organization have S3 bucket policies? These define and grant access to specific buckets and objects.
  • Do any of your S3 policies allow a wildcard identity or action?
  • Does your organization use Block Public Access properly?
  • Are access control lists (ACLs) in use? Make sure you know whether they grant any type of access to “Everyone” or “Any authenticated AWS user.”
  • Does your organization use S3 access logs? Do you analyze user behavior based on those logs?
  • Is sensitive data in S3 encrypted at rest?
  • Is inbound and outbound data traffic encrypted?
  • How do you implement SSE? Does your S3 encryption strategy use SSE-S3, SSE-KMS, or SSE-C?
  • Are the responsible personnel knowledgeable about S3 versioning and S3 lifecycle policies?
  • Does your organization monitor actions taken on buckets and objects? Making your monitoring program a priority will help solve small problems or risks before they become a much larger incident.
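Several of the questions above (wildcard identities or actions in bucket policies, Block Public Access, and encryption of data in transit) can be checked mechanically before an auditor ever looks at the account. The script below is an added example, not KirkpatrickPrice’s or AWS’s code: it evaluates a bucket policy document and a Block Public Access configuration as plain Python dicts, so it runs offline. In practice the same dicts come back from the S3 GetBucketPolicy and GetPublicAccessBlock API calls. The bucket name, role ARN, and account ID in the sample policies are constructed placeholders.

```python
"""Static checks for S3 bucket policy and Block Public Access settings.

Added example for the S3 checklist above. Policies are plain dicts (the same
shape the S3 GetBucketPolicy API returns after json.loads), constructed here
so the checks run offline with no AWS credentials.
"""
import json


def _as_list(value):
    """Policy fields such as Action/Principal may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element ("*", or {"AWS": ...}) to a list of strings."""
    p = stmt.get("Principal")
    if p is None:
        return []
    if isinstance(p, str):
        return [p]
    out = []
    for v in p.values():
        out.extend(_as_list(v))
    return out


def find_policy_issues(policy):
    """Return a list of (statement_sid, issue) tuples for risky policy settings."""
    issues = []
    has_tls_deny = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        effect = stmt.get("Effect")
        principals = _principals(stmt)
        actions = _as_list(stmt.get("Action"))
        conditions = stmt.get("Condition", {})
        if effect == "Allow":
            # Wildcard identity: anyone on the Internet matches the statement.
            if "*" in principals:
                if conditions:
                    issues.append((sid, "Allow to wildcard principal; verify the Condition is restrictive"))
                else:
                    issues.append((sid, "Allow to wildcard principal with no Condition: bucket is public"))
            # Wildcard action: far more than the caller needs (violates least privilege).
            if any(a in ("*", "s3:*") for a in actions):
                issues.append((sid, "Allow grants wildcard action"))
        if effect == "Deny":
            # The standard pattern for forcing TLS: Deny when aws:SecureTransport is false.
            bool_cond = conditions.get("Bool", {})
            if str(bool_cond.get("aws:SecureTransport", "")).lower() == "false":
                has_tls_deny = True
    if not has_tls_deny:
        issues.append(("<policy>", "No Deny for aws:SecureTransport=false: plaintext HTTP access allowed"))
    return issues


def public_access_block_gaps(config):
    """Return the names of the four Block Public Access settings that are not enabled."""
    required = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [k for k in required if not config.get(k, False)]


# Constructed sample: the weak policy grants every action to everyone over any transport.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

# Constructed sample: one application role, one read action, and TLS enforced.
# The account ID and role name are placeholders.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {json.dumps(find_policy_issues(pol), indent=2)}")
    print("block-public-access gaps:", public_access_block_gaps({"BlockPublicAcls": True}))
```

The check treats a Deny statement with a wildcard principal as expected (that is how the TLS-only rule is written) and only flags wildcards on Allow statements; a conditioned Allow to `*` is reported separately so a reviewer can confirm the condition (for example a source VPC or account restriction) actually narrows it.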

Protecting AWS EC2 Instances

AWS outlines 5 key areas for baseline configuration that will secure EC2 instances, which include:

  • Least access
  • Least privilege
  • Configuration management
  • Change management
  • Audit logs

These aren’t new security concepts by any means, but they are ones that are incredibly important in AWS security. In addition to those baseline areas, you must consider the following questions when protecting EC2 instances:

  • Does your encryption strategy address protecting your data in EC2? It should address when, how, where, and what data is encrypted.
  • Do you collect IP traffic from VPC flow logs?
  • What do you do to manage access keys and key pairs?
  • Do IAM policies related to EC2 follow a “need to know” basis?
  • Is inbound and outbound traffic controlled through Security Groups?
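The last question, whether inbound traffic is actually controlled by Security Groups, is one that can be answered from the group definitions themselves. The script below is an added example (not AWS’s or KirkpatrickPrice’s code) that audits security group ingress rules for management and database ports reachable from the whole Internet. The rules are modelled as the dicts found in the IpPermissions field of the EC2 DescribeSecurityGroups response and are constructed inline, so the check runs offline; the port list is an assumed baseline to extend for your environment.

```python
"""Flag EC2 security group ingress rules that expose management ports to 0.0.0.0/0 or ::/0.

Added example for the EC2 checklist above. Groups are dicts in the shape of the
DescribeSecurityGroups API response, constructed here so the audit runs offline.
"""
import ipaddress

# Assumed baseline of ports that should never be open to the entire Internet.
MANAGEMENT_PORTS = {
    22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
    5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB",
}


def _is_world(cidr):
    """True for 0.0.0.0/0 and ::/0 (prefix length zero matches every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_range(perm):
    """IpProtocol "-1" means all traffic; otherwise FromPort..ToPort."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def audit_security_group(group):
    """Return (group_id, exposed_service, sources) tuples for world-reachable rules."""
    findings = []
    for perm in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        world = [s for s in sources if _is_world(s)]
        if not world:
            continue  # Source is a specific network or another security group.
        if perm.get("IpProtocol") == "-1":
            findings.append((group["GroupId"], "all traffic", ", ".join(world)))
            continue
        lo, hi = _port_range(perm)
        for port, name in MANAGEMENT_PORTS.items():
            if lo <= port <= hi:
                findings.append((group["GroupId"], f"{name} ({port}/{perm['IpProtocol']})", ", ".join(world)))
    return findings


# Constructed sample: SSH open to IPv4 world, HTTPS (acceptable for a web tier), RDP open to IPv6 world.
OPEN_SG = {
    "GroupId": "sg-0exampleopen",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

# Constructed sample: the corrected group restricts SSH to an internal range.
TIGHT_SG = {
    "GroupId": "sg-0exampletight",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

# Constructed sample: an allow-everything rule, the worst case.
ALL_TRAFFIC_SG = {
    "GroupId": "sg-0exampleall",
    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
}

if __name__ == "__main__":
    for sg in (OPEN_SG, TIGHT_SG, ALL_TRAFFIC_SG):
        for gid, svc, src in audit_security_group(sg):
            print(f"{gid}: {svc} reachable from {src}")
```

Pairing these findings with VPC flow logs (the question two bullets up) shows whether the exposed ports are actually being probed, which is useful evidence when prioritizing remediation.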

Who Should Perform Your AWS Cloud Audit?

Just like any type of technology or IT operation, the security of your service needs to be validated by a third party, whether that is through a SOC 2 attestation, penetration testing, consulting, or another form of security testing.

When choosing who should perform an audit of your AWS environment and controls, you need to focus on finding an auditor who is also a cloud expert. Because cloud technology is new and evolving, the industry lacks best practices that are known and understood. AWS does a good job at distributing best practices for security, but you want to hire an auditing firm that does thorough testing and has auditors that understand how AWS works.

If you don’t feel ready for an audit but want to begin your own AWS security practices, AWS has developed many security tools to help you achieve secure environments.

AWS security is just as important to AWS as it is to customers. These tools can help you achieve best practices for cloud security, automate security assessments, give alerts for security incidents, and assess data security requirements to verify the security and compliance of cloud solutions. Amazon CloudWatch, Amazon Inspector, and AWS CloudTrail are a few examples.

At KirkpatrickPrice, we hire technologists, then train them to be auditors – and this increases the value and quality of our AWS audits. Any auditor from KirkpatrickPrice who’s performing a cloud audit understands cloud computing and technology and proves it through certifications like CCSK or CCSP.

Contact us today to begin security testing for your AWS environment.

Getting the Most Out of Your Penetration Test

You’ve seen hacking portrayed in Hollywood films, but have you seen how hackers can be an ally in your fight for security? Ethical hacking plays a key role in identifying what malicious outsiders are planning against your organization’s sensitive assets. If you’ve been wondering about the trends in penetration testing and how other organizations utilize these tests to creatively improve security, download this full webinar to hear from KirkpatrickPrice’s President, Joseph Kirkpatrick, as he discusses creative approaches to penetration testing, how executives use penetration testing to evaluate security effectiveness, and how to overcome fears and misconceptions about penetration testing.

When organizations invest in penetration testing, they’re likely looking for a quality, thorough third party who is able to uncover vulnerabilities that their teams can’t or wouldn’t find and provide remediation strategies and guidance to improve security. In order to do so, though, penetration testers must go beyond routine approaches to ethical hacking, like walkthroughs and merely passing report presentations to committees, and instead employ creative methods, like the advanced social engineering methodologies used by KirkpatrickPrice penetration testers.

For example, when KirkpatrickPrice penetration testers begin an engagement, they’ll be sure to do their due diligence when it comes to reconnaissance. Our pen testers will simulate real-life hacks by:

  • Using online research via the Dark Web
  • Entering a physical location using methods like tailgating or copying badges
  • Using pre-text calling
  • Using spear-phishing

By employing such creative means to test an organization’s security, executives will gain a greater holistic insight into the security of their organization, and they’ll be better prepared and empowered to make decisions about improving the organization’s security hygiene.

Do you want to make sure your organization is getting the most out of your penetration testing results? Are you ready to learn how executives can use the findings of a penetration test to better improve organizational security hygiene? Watch the full webinar now or contact us today to speak to an Information Security Specialist.

What is OWASP?

The Open Web Application Security Project, or OWASP, is an open, online community that provides free tools and documentation to anyone interested in improving insecure software and in developing, operating, and maintaining secure software. OWASP is a not-for-profit organization, with no affiliation to any company, making it a popular methodology to rely on.

OWASP’s core values are: open, innovation, global, and integrity. OWASP prides itself on being a transparent organization that supports innovation and information security solutions with honesty and truth for any person in the world to access. These principles create an atmosphere of trust and confidence in the quality of information that OWASP provides. Organizations can rely on OWASP to offer tools that help them make informed decisions regarding secure software. OWASP is an incredible resource to learn how to properly mitigate your risks in terms of software development.

OWASP’s Top 10

OWASP’s “Top 10” is one of their most well-known projects, relied upon by many developing secure software and systems. The Top 10 projects document the industry’s consensus on the most critical security risks in specific areas, from web applications to APIs. These lists are especially helpful for organizations that are looking to develop secure code and software. OWASP’s Top 10 security risks for web applications, mobile applications, IoT devices, and APIs include the following:

Web Application Risks | Mobile Application Risks | IoT Risks | API Risks
--- | --- | --- | ---
Injection Flaws | Improper Platform Usage | Weak or Hardcoded Passwords | Missing Object Level Access Control
Broken Authentication Methods | Insecure Data Storage | Insecure Network Services | Broken Authentication
Sensitive Data Exposure | Insecure Communication | Insecure Ecosystem Interfaces | Excessive Data Exposure
XML External Entities (XXE) | Insecure Authentication | Lack of Secure Update Mechanism | Lack of Resources and Rate Limiting
Broken Access Controls | Insufficient Cryptography | Use of Insecure or Outdated Components | Missing Function/Resource Level Access Control
Security Misconfigurations | Insecure Authorization | Insufficient Privacy Protection | Mass Assignment
XSS Flaws | Client Code Quality | Insecure Data Transfer and Storage | Security Misconfiguration
Insecure Deserialization | Code Tampering | Lack of Device Management | Injection
Using Components with Known Vulnerabilities | Reverse Engineering | Insecure Default Settings | Improper Assets Management
Insufficient Logging & Monitoring | Extraneous Functionality | Lack of Physical Hardening | Insufficient Logging and Monitoring

While these lists include an overwhelming number of risks to be aware of, they are helpful in determining what type of penetration testing your organization might consider, what risks to prioritize during remediation, and how to further develop secure software. OWASP is used by penetration testers, whether internal to your organization or a third party, to stay in tune with common vulnerabilities they should be looking for in your systems, devices, and environment.

How Does Penetration Testing Help You Mitigate Your Risks?

What can your organization do with the knowledge of these common risks and vulnerabilities? You’re already ahead of the game by understanding OWASP’s Top 10 Security Risks and seeking to better your information security processes, but you can take your proactive work a step further by investing in penetration testing that helps you build secure software and mitigate your risks. When your organization hires a penetration tester to manually attack your vulnerabilities and provide an extensive report on the details of your security testing, you can better understand your weaknesses and how they can be exploited.

OWASP influences the penetration testing methodology at KirkpatrickPrice so that we stay at the top of the industry in quality and information security knowledge to provide your organization with a guided path to secure software. Contact us today if you’re ready to take the next step to securing your applications.
