Independent Audit Verifies SightCall’s Internal Controls and Processes

San Francisco, CA – KirkpatrickPrice announced today that SightCall, a global cloud software company that empowers businesses with visual support capabilities, has again received its annual SOC 2 Type II attestation report. The report provides evidence of SightCall's year-over-year commitment to delivering high quality services to its clients by demonstrating that the necessary internal controls and processes are in place and operating.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of SightCall’s controls to meet the standards for these criteria.

“Securing this attestation reinforces SightCall’s mission as a trusted, reliable and customer-focused organization,” stated Matthieu Piquet, Head of Security and Program Management at SightCall. “Compliance and security are one of our main commitments and are critical to building trust and providing an excellent customer experience. It’s one thing for us to say that our security and processes meet and exceed industry standards. It’s another to provide independent verification from an expert. This is why we choose KirkpatrickPrice to perform our SOC 2 Type II audits.”

“The SOC 2 audit is based on the Trust Services Criteria,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “SightCall delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on SightCall’s security and controls.”

About SightCall

SightCall is a global video cloud platform with a decade of experience enabling visual support interactions for enterprises in over 90 countries around the world. Enhanced by Augmented Reality (AR) and Artificial Intelligence (AI), the visual support technology digitally transforms service organizations, notably improving first time fix rates, decreasing truck rolls and increasing NPS. SightCall is headquartered in San Francisco with offices in NYC, Boston, Paris, London, Frankfurt and Singapore. For more information, visit: www.sightcall.com, follow SightCall on Twitter (@SightCall) or connect with SightCall on LinkedIn.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 800 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Penetration testing, or pen testing, is a proactive way for organizations to improve their security hygiene and assure their clients that the products and services they provide are as secure as possible. While many enterprises rely on internal audit teams to test the security of their networks, applications, and devices, third-party penetration testing is a reliable way to identify overlooked or unknown vulnerabilities, obtain remediation guidance, and gain peace of mind. But because pen tests are often merely recommended (as with HIPAA) or are treated as an annual checkbox item, organizations overlook the value of testing after a significant change. Even the PCI DSS, which is usually read as an annual requirement, also calls for penetration testing after any significant infrastructure or application change, precisely because such changes introduce new risk.

What Constitutes a Significant Change?

Think about the many components of your organization’s security infrastructure: software, hardware, networks, and even your personnel. How often are updates made to your software? How frequently do you replace hardware? What does your organization’s turnover rate look like? The goal of pen testing is to identify vulnerabilities in your IT infrastructure, which is constantly changing. When a significant change occurs, like developing a new web application, implementing a new smart security system, or having a senior-level executive retire, penetration tests are needed to account for any new risks or vulnerabilities that may be introduced.

Examples of Significant Change

Example 1: Updating Code in a Web Application

According to Verizon’s 2019 Data Breach Investigations Report, “Web application breaches made up nearly 30% of all breaches in 2018.” This should come as no surprise – nearly every organization uses web applications to provide or conduct business, and no matter if they are public-facing or exist on an intranet, they’re susceptible to many cyber threats like SQL injection, DoS, brute-force attacks, or malware. Let’s say that a director of IT has instructed her team to implement and deploy new code. While this code may be developed with security in mind and may go through ample security testing, there could still be undiscovered vulnerabilities. By undergoing pen testing and code review after developing the new code, organizations can rest assured that they performed their due diligence to make sure that the improved web application is secure.

Example 2: Introducing New IoT Devices

IoT devices have made daily tasks easier – from making coffee in the morning to securing your office building. But how might these devices affect your organization's security hygiene? Even the smallest, seemingly harmless IoT device can give an attacker a foothold on your network if it is compromised. For instance, suppose a coworker brings in a smart picture frame – one that connects to your organization's WiFi network to display images from the coworker's phone. Seems harmless, right? Now imagine everyone in the organization doing something similar: you have multiple unmanaged, rarely patched devices sitting on the same network as your business systems, each a potential entry point. Such devices belong on a segregated guest or IoT network rather than the corporate one, and in scenarios like this a robust information security program, thorough internal auditing, and third-party continuous pen testing help discover the new vulnerabilities the devices introduce.

Example 3: Accounting for Personnel Changes

Major changes to personnel can greatly impact your organization's security hygiene. If a CISO or CTO leaves, how does that affect the entire IT department? If a developer or network administrator resigns, how are their responsibilities covered or reassigned, and are their accounts, keys, and physical access revoked promptly? Does the culture of compliance stay intact? Personnel changes are just as likely as technical changes to introduce new risks into your environment, and continuous pen testing can help account for them.

How Can Continuous Pen Testing Help?

Undergoing annual penetration testing is a great first step for improving your organization's security hygiene, but to really get the most out of your investment in pen testing, you should consider partnering with a third-party firm like KirkpatrickPrice to conduct continuous pen tests. Why? Because changes happen every day, and malicious hackers won't give you an opportunity to fix the vulnerabilities those changes introduce before they exploit them. By investing in third-party continuous pen testing, organizations like yours gain objective insight into the security of your IT infrastructure on a regular basis, receive actionable remediation steps to mitigate vulnerabilities, and maintain compliance. You also get to leverage your commitment to security and give your customers peace of mind that your organization is doing everything it can to remain secure.

Businesses today are rapidly adopting new technologies, but are they staying ahead of the latest threats? Ask yourself if your organization is doing everything you can to prevent a data breach or security incident when the next significant change occurs. Not sure if you are? Contact us today to find out how KirkpatrickPrice’s penetration testing services can help.

More Penetration Testing Resources

Not All Pen Tests Are Created Equal

How Can Penetration Testing Protect Your Assets?

7 Reasons Why You Need a Manual Penetration Test

Independent Audit Verifies Eon’s Internal Controls and Processes

Denver, CO – Eon, a healthcare IT company that identifies patients at risk for future disease and longitudinally tracks their care, today announced that it has completed its SOC 2 Type II audit. This attestation provides evidence that Eon is committed to delivering high quality healthcare services to its clients and demonstrates that the necessary internal controls and processes are in place to protect healthcare data.

Earlier this year, Eon received its SOC 2 Type I attestation and the continuation to the Type II audit proves Eon’s strong commitment to security. SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 audit reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. A SOC 2 Type II report is an attestation of controls at a service organization over a period of time as opposed to a point in time. KirkpatrickPrice’s audit report verifies the suitability of the design and operational effectiveness of Eon’s controls to meet the SOC 2 standards.

“We see many healthcare security breaches due to lax policy controls, and surprisingly, still see cloud vendors ride the coattails of their data center’s security certification without employing their own rigorous controls,” says Eon founder and co-CEO, Akrum Alzubaidi, DO, FCCP. “As Eon continues to enable large and small hospital systems to remove data silos, SOC 2 assurances are now the expectation from our clients. Achieving this milestone demonstrates our commitment to making large scale patient management platforms safe and adoptable enterprise wide solutions.”

“The SOC 2 audit is based on the Trust Services Criteria. Eon has selected the security and availability categories for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Eon delivers trust-based healthcare services to their clients, and by communicating the results of this SOC 2 Type II audit, their clients can be assured of their reliance on Eon’s controls.”

About EON

Eon is a Denver-based healthcare technology company dedicated to defying disease by revolutionizing the way healthcare data is gathered, curated, and shared among healthcare professionals. This ensures the right data reaches the right people at the right time. Eon is expanding outside of lung and moving into additional incidental disease identification and management and will become a comprehensive incidental platform to better manage patients at-risk for disease. For more information visit www.EonHealth.com or contact info@Eonhealth.com and follow Eon on LinkedIn and Twitter.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 900 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Last month, the Iowa Judicial Branch made an investment in their security efforts by partnering with an information security firm to perform penetration testing on their organization. But…it appears they signed up for more than they bargained for. Why? The two ethical hackers working the job were arrested after they successfully gained unauthorized access to a Dallas County courthouse. What went wrong? Why were these ethical hackers arrested? Could this mishap have been prevented? Let’s discuss.

Why Scoping a Penetration Test Matters

When organizations partner with ethical hackers to perform penetration testing, defining the scope of the engagement is absolutely critical. When an organization is paying someone to gain access to its sensitive assets, and what will happen is not explicit and clearly defined, chaos can ensue as it did in Iowa. Before a penetration test begins, both the organization investing in the security testing and the firm providing the service should work together to clearly and accurately define the scope of the engagement – the areas (including physical locations) that ethical hackers are allowed to test, what they are permitted to attempt to access, how and when they are expected to do so, and which internal stakeholders and authorities have been informed.

How Far Will Ethical Hackers Really Go?

Penetration tests are not meant to be easy, high-level engagements. When you partner with the right firm, you’ll receive a quality, thorough penetration test – one that simulates real-world attacks, finds vulnerabilities in places you wouldn’t expect, and results in remediation tactics to better secure your company. This means that before engaging in any type of security testing, you must understand how far ethical hackers will really go and determine if that aligns with your intentions and business objectives.

Are you looking to meet a legal or framework requirement? Did a client or prospect ask that your company undergo security testing? Do you want to be preventative and find vulnerabilities before a malicious individual does? Or, are you just looking to check an item off a list? If you fall under the latter category, you probably don’t consider how far ethical hackers will go to help you improve the security of your organization. If your intentions are to make your company more secure, then knowing that the penetration testers you’ve hired won’t stop until they’ve exhausted their resources is essential. What does this look like?

  • Are you prepared for ethical hackers to use tools like Nessus, Metasploit Framework, HP WebInspect, Wireshark, Kismet, Maltego, Shodan, Burp Suite, SET, BeEF, and Microsoft Baseline Security Analyzer, in addition to freeware tools in their security testing?
  • Could your employees withstand social engineering attempts like phishing, tailgating, and general manipulation?
  • Ethical hackers work at all hours to find the perfect attack window. If your organization is on alert, monitoring the traffic during business hours, what could happen after hours? What happens when an ethical hacker works from 6:00 PM to 6:00 AM?
  • Which of your policies and procedures, if violated or bypassed, could give an intruder access to a restricted area?
  • Physical security is a major part of ethical hacking. Lock picking, badge cloning, finding network jacks in public areas – it’s all within the skill sets of good ethical hackers.
  • What vulnerabilities would wardriving find?

If you want to get the most out of your penetration testing investment, you want an ethical hacker who goes above and beyond in their testing methods, constantly thinking of innovative ways an outsider could attack your networks, devices, code, or physical locations.

Communicating Before, During, and After Penetration Testing Engagements

Communication is key during security testing – you’ve paid for a service that could impact your sensitive assets. When engaging a firm to conduct security testing, there must be clear communication between all parties. In the case of the Iowa Judicial Branch, there was confusion between the client, the ethical hackers, state authorities, and local authorities, resulting in the arrests of the two ethical hackers despite having documentation that they were authorized to be there. By having a clearly defined scope and a better understanding of just how far ethical hackers will go, breakdowns in communication will be far less likely and the penetration testing engagement will be more fruitful.

At KirkpatrickPrice, we are committed to delivering quality, thorough penetration testing services – services that include a clearly defined scope and ethical hackers who can communicate exactly what they'll be doing to help secure your business. If you're thinking about making the investment in security testing, make sure you avoid a penetration testing mishap by knowing exactly what you're paying for. Contact us today to speak to an Information Security Specialist.

More Penetration Testing Resources

Guide to 7 Types of Penetration Tests

How Can Penetration Testing Protect Your Assets?

5 Critical Things to Consider When Choosing Your Penetration Tester

Every month there is headline after headline reporting about a new data breach. Whether it’s a ransomware attack, a negligent employee opening a phishing email, or a state-sponsored attack, millions of individuals are impacted by hackers and security incidents on a regular basis. Let’s take a look at some of the top data breaches that occurred during September and the lessons we can learn from them.

Foxit Software

What Happened?

At the beginning of the month, Foxit Software, a document software company, released a statement notifying its "My Account" users of a data breach in which malicious individuals gained access to user account data, including email addresses, passwords, users' names, phone numbers, company names, and IP addresses. While no payment card data was stolen, this major data breach left nearly 560 million users at risk. Foxit has since encouraged users to update their passwords. ZDNet reported, "Due to the presence of IP addresses in the data hackers managed to access, [the breach is] believed to be a breach of Foxit's backend infrastructure, rather than a credential stuffing attack." Foxit has not commented on when the breach occurred or how long it knew about it before notifying "My Account" users.

Lessons Learned

Often, if malicious hackers want to compromise larger companies, they'll first target companies like Foxit, where they know they'll find a list of usernames and passwords that can serve as a gateway into those larger targets. KirkpatrickPrice penetration tester, Stuart Rorer, explains that malicious individuals who use this tactic do so because "many of us use the same password for a lot of our services, so chances are, the stolen credentials might work for other similar accounts." He adds that malicious hackers can then use the information they gain as a foothold in a larger company, which was their original intent – it's a domino effect.

Scotiabank

What Happened?

In mid-September, one of Canada's financial giants experienced a massive data exposure caused by none other than internal negligence. Scotiabank disclosed that critical information had been leaked in publicly accessible GitHub repositories, exposing internal source code and some of the bank's private login keys to backend systems. The Register reported, "These repositories featured, among other things, software blueprints and access keys for a foreign exchange rate system, mobile application code, and login credentials for services and database instances." It is still unknown whether malicious hackers have used the leaked material to attack the bank and its more than 25 million customers.

Lessons Learned

While investigations into this breach are still ongoing, preliminary findings point to internal negligence. Richard Rieben, a Director of Audit Operations at KirkpatrickPrice, explains, “As the growth of cloud-based resources continues, organizations need to become increasingly vigilant about understanding what data is being placed on such platforms and how it is secured. A quality audit, which digs deep into the organization’s usage of risk-prone solutions, can be an effective tool in reducing the likelihood and impact of breaches associated with the failure of technical or administrative controls.”
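The material described above (access keys, private keys, and service and database logins committed to a repository) is exactly what a secret scanner run as a pre-commit hook or CI gate is meant to stop. The following is an added illustration, not code from the article, from KirkpatrickPrice, or from Scotiabank: a minimal scanner in Python with an illustrative pattern set, a placeholder filter so that environment-variable references are not flagged, and a Shannon entropy threshold (assumed at 3.0 bits per character) to separate real key material from dictionary words. The sample files and every credential in them are constructed for the example; the AWS key ID is Amazon's published documentation example. A real deployment should use a maintained tool such as gitleaks or trufflehog, which carry far more rules than shown here.

```python
"""Minimal repository secret scanner (added example; patterns are illustrative).

Assumptions not taken from the article: the pattern set, the entropy threshold
of 3.0 bits/char, and the placeholder filter are all choices made for this
demonstration. Use a maintained scanner (gitleaks, trufflehog) in practice.
"""
import math
import re
from dataclasses import dataclass

# Illustrative patterns for the kinds of material named in the Scotiabank reports:
# cloud access keys, private keys, and service/database logins.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "db_connection_url": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/@]+:[^\s@]+@[^\s]+"),
    "hardcoded_credential": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
}

# Values that reference a secret (env var, template variable) rather than contain one.
PLACEHOLDER = re.compile(r"^(?:\$\{|\$[A-Z_]|<|os\.environ|process\.env|\{\{)")

ENTROPY_THRESHOLD = 3.0  # bits per character; an assumption for this example


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    preview: str  # first few characters only; the report must not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character. Random key material scores near 4+, words lower."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path: str, text: str) -> list:
    """Return one Finding per (line, pattern) hit, after placeholder/entropy filtering."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "hardcoded_credential":
                # Skip env-var references and low-entropy words such as "changeme".
                if PLACEHOLDER.match(value) or shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
            findings.append(Finding(path, line_no, kind, value[:6] + "..."))
    return findings


def check_commit(files: dict) -> tuple:
    """Pre-commit style gate over {path: contents}. Returns (allowed, findings)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return (not findings, findings)


# Constructed sample files standing in for a staged commit (not real data).
SAMPLE_FILES = {
    "config/app.yml": "\n".join([
        "database_url: postgres://svc_fx:Qz7mR2vLp9Xw@db.internal:5432/rates",
        "log_level: info",
        "api_key: ${FX_API_KEY}",  # env-var reference, not flagged
    ]),
    "deploy/keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----",
    "src/client.py": "\n".join([
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",  # Amazon's documentation example key
        "password = 'changeme'",  # low entropy, skipped by this scanner's threshold
        "TOKEN = 'x9Kq2vL7pT4wZ1mN'",
    ]),
}

if __name__ == "__main__":
    allowed, found = check_commit(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line_no}: {f.kind} ({f.preview})")
    print("commit allowed" if allowed else "commit blocked")
```

Running the block against the constructed commit blocks it with four findings (the database URL with an embedded password, the private key block, the AWS key ID, and the high-entropy token), while the `${FX_API_KEY}` reference and the low-entropy `changeme` literal pass. Whether weak literals like `changeme` should also be reported is a policy choice; the threshold here is tuned to show what entropy filtering does, not to be a final rule set.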

Thinkful

What Happened?

Just days after it announced that it would be acquired by education giant, Chegg, for $80 million, Thinkful, an education site for developers, said that unauthorized third-party users accessed company credentials. According to Thinkful VP of Operations, Erin Rosenblatt, as soon as they learned of the unauthorized access, they “promptly changed the credentials, took additional steps to enhance the security measures [they] have in place, and initiated a full investigation.” It is still unclear what caused the breach, although phishing attacks are presumed to be the cause.

Lessons Learned

What can we learn from Thinkful’s data breach? Rieben says, “As part of M&A activities, effective due diligence can often uncover weaknesses in the security compliance programs of organizations which are preparing for an acquisition. Organizations engaging in M&A activities should strongly consider the dependence on a quality audit or other assessments as part of the valuation process.”

DoorDash

What Happened?

On September 26th, the popular food delivery service, DoorDash, published a statement announcing that it had experienced a data breach on May 4th – one that impacted 4.9 million of its users, delivery drivers, and merchants. The statement explained that the data accessed by an unauthorized third party included names, email addresses, delivery addresses, order histories, phone numbers, and hashed, salted passwords. Other information stolen included the last four digits of users' credit and debit cards, the last four digits of bank account numbers for drivers and merchants, and driver's license numbers for roughly 100,000 drivers. The breach only impacted DoorDash users who joined before April 15, 2018.

Lessons Learned

While the exact cause of DoorDash’s data breach has yet to be disclosed, there are two key takeaways from this security incident: the risks of working with third-party vendors and the importance of transparent, effective incident response. Rieben explains, “This is another example of not only the vulnerabilities associated with the usage of third parties who have access to sensitive data, but it’s also an example of how not to perform incident response. We’ve seen a pattern of poor responses to past breach concerns from DoorDash and with many questions still outstanding regarding this breach, transparency does not seem to be the theme of the day for the organization.”

At KirkpatrickPrice, we know that data breaches are only a matter of when, not if, they’ll occur, no matter what industry you’re in. That’s why we’re committed to offering a variety of quality, thorough assurance services to help you mitigate risk and keep your organization protected. Want to learn more about our services and how they can help you mitigate the risk of experiencing a data breach? Contact us today.