Internet of Things (IoT) technology makes daily tasks easier. From smart home devices to entire smart cities, these interconnected devices are changing the way we interact, do business, and live our lives. But with any new technology implementation, there are risks involved, and this especially rings true for IoT. Because the demand for IoT devices is projected to rapidly increase — Gartner predicts that the number of IoT devices in use will reach 20.4 billion by 2020 — organizations must be proactive in mitigating the threats to IoT technology. So, how can they do that? Here are four ways to minimize risk in IoT devices.

4 Ways to Minimize Risk in IoT Devices

1. Take Inventory

The first step in reducing the risks associated with using IoT devices is taking inventory. What IoT devices are currently connected to your network? How are they being managed? How are you updated when a new IoT device is added to your environment? What BYOD policies do you have in place? To limit the attack surface, knowing what you have is crucial. This means knowing what devices, both hardware and software, your organization has deployed as well as the IoT devices your employees bring into your environment.
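As an added example (not code from the original post), the following Python script reconciles the devices currently holding network leases against an approved asset inventory, flagging unknown devices and anything that appeared since the last snapshot. The lease lines, the inventory, and the vendor-prefix table are all constructed stand-ins.

```python
"""Reconcile devices seen on the network against an approved asset inventory.

Added example, not from the original post. The lease log, the approved
inventory and the OUI-to-vendor table below are constructed stand-ins.
"""
import re
from dataclasses import dataclass

# Constructed sample: one lease per line, in "ip mac hostname" form.
LEASE_LOG = """\
10.0.5.21 b8:27:eb:12:34:56 thermostat-lobby
10.0.5.22 00:1a:2b:3c:4d:5e finance-laptop-07
10.0.5.23 b8:27:eb:aa:bb:cc raspberrypi
10.0.5.24 dc:a6:32:01:02:03 camera-dock
"""

# Constructed approved inventory: MAC -> (owner, device class)
APPROVED = {
    "b8:27:eb:12:34:56": ("Facilities", "iot-thermostat"),
    "00:1a:2b:3c:4d:5e": ("Finance", "laptop"),
}

# Constructed OUI prefixes used as a hint that a device is embedded/IoT.
IOT_OUIS = {"b8:27:eb": "Raspberry Pi Foundation", "dc:a6:32": "Raspberry Pi Trading"}

LEASE_RE = re.compile(r"^(\S+)\s+([0-9a-f:]{17})\s+(\S+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    hostname: str
    vendor_hint: str


def parse_leases(text):
    """Yield (ip, mac, hostname) for each well-formed lease line; skip the rest."""
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            ip, mac, host = m.groups()
            yield ip, mac.lower(), host


def unknown_devices(lease_text, approved, iot_ouis):
    """Return leases whose MAC is absent from the approved inventory."""
    findings = []
    for ip, mac, host in parse_leases(lease_text):
        if mac in approved:
            continue
        vendor = iot_ouis.get(mac[:8], "unknown vendor")  # first three octets = OUI
        findings.append(Finding(ip, mac, host, vendor))
    return findings


def new_since(previous_macs, lease_text):
    """MACs present now but not in a previous snapshot: the 'new device' alert."""
    current = {mac for _, mac, _ in parse_leases(lease_text)}
    return sorted(current - set(previous_macs))


if __name__ == "__main__":
    for f in unknown_devices(LEASE_LOG, APPROVED, IOT_OUIS):
        print(f"UNKNOWN {f.ip} {f.mac} ({f.hostname}) vendor hint: {f.vendor_hint}")
```

Run against a real lease export on a schedule and diff with `new_since`, and the "how are you updated when a new device is added" question above has a concrete answer.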

2. Design for Security

Organizations are quickly developing and adopting their own IoT technologies, and when development or implementation is rushed, vulnerabilities are bound to slip through the cracks, with detrimental results. When adopting or deploying IoT technology, organizations must carefully design for security. Developers must be proactive and lay a foundation for security before the device falls victim to attacks like malware, ransomware, or DDoS. For example, during the development stage, developers need to consider what type of data must be collected and how it will be secured. For IoT devices that transmit sensitive data like protected health information or payment card data, organizations should consider protective controls such as firewalls and encryption of data in transit (for example, SSL/TLS). In recent cases, healthcare devices have been among the IoT devices most vulnerable to malicious attacks, like the Medtronic CareLink 2090 — a device designed to monitor pacemaker settings — and the Medtronic MiniMed 508 — a device used to monitor insulin. Because these devices had poor authentication and encryption features, the software became vulnerable to malware infections and malicious use, putting patient lives at risk.

3. Perform Risk Assessments

Whether your organization offers IoT technology as a product or service or uses it to conduct business, performing a risk assessment is essential for mitigating any and all potential vulnerabilities. Even if the IoT device has been developed with security in mind, there could still be unidentified vulnerabilities that could be exploited by a malicious hacker. Not to mention, there are likely IoT devices in use by your organization that you might not consider a traditional attack vector, and those devices are equally as important to assess. For example, an American casino experienced a data breach via their aquarium because a malicious hacker compromised their IoT temperature sensor, gained access to their network, and stole data about high-paying customers. By performing a risk assessment, organizations will be able to identify and mitigate potential weaknesses, no matter where or how seemingly non-threatening they may be, in their IoT technology and will be more prepared to avoid possible security incidents.

4. Undergo Penetration Testing

Before deploying any IoT technology, organizations would be wise to undergo IoT penetration testing. Why? Because even with the most experienced development and internal audit teams, some vulnerabilities may remain undiscovered. By receiving third-party assurance via penetration testing of the IoT devices your organization is using, you can ensure that your organization’s data and reputation remain secure.

Securing Your IoT Devices: Invest Now or Pay the Price Later

According to Symantec, “IoT devices experience an average of 5,200 attacks per month” and were an emerging attack vector throughout 2018. Considering this, as threats against IoT devices continue to rise and organizations continue to quickly adopt IoT technology, mitigating the risks associated with using such devices needs to be taken more seriously. By using these four steps to minimize risk in IoT devices, your organization can help secure your data, protect your reputation, and gain peace of mind that the IoT devices in use are as secure as possible. It’s not worth rushing the development or implementation of an IoT device that could lead to a breach later. Invest in security from the start, so you can prevent potential costly data breaches in the future.

Want to learn more about how you can minimize risk in IoT devices? Contact us today to find out how KirkpatrickPrice can help you ensure the security, availability, and confidentiality of the IoT devices your organization uses through penetration testing.


Web Pages vs. Web Applications

According to the 2019 Verizon DBIR, web applications are a top vector in data breaches. But is your organization doing anything to mitigate this threat? Are you educated on what vulnerabilities web apps like yours are facing? In the first installment of our “Think Like a Hacker” webinar series, one of our expert penetration testers, Stuart Rorer, dives into the most common vulnerabilities found in web applications during penetration tests. If you’re interested in learning about common ways your web applications may be compromised by a malicious hacker, remediation tactics for mitigating threats facing your web apps, and how to continue to stay abreast of cyber threats with KirkpatrickPrice’s pen testing services, watch the full webinar now.

When it comes to ensuring the security of a web app, there is one critical thing to keep in mind: web apps are not the same as web pages. Web pages are static, whereas web applications are dynamic and respond to user interaction. What does this mean? It means that web pages are simple: you view the page, and there is usually very little that can be attacked, aside from the underlying infrastructure. When there is added dynamic functionality, such as adding a search option, there is greater risk for a malicious attack because there’s a level of interaction with the underlying system. So, what common vulnerabilities are found when there’s added dynamic functionality? We’ll give you five.

5 Common Vulnerabilities Found in Web Applications

When looking at the vulnerabilities found in web applications, it’s important to realize that all web applications are different: there are different frameworks, components, libraries, and services. Considering this, when undergoing a web application penetration test, there could be a number of vulnerabilities found, but the five we most commonly see at KirkpatrickPrice are:

  1. Misconfiguration
  2. Vulnerable third-party libraries and components
  3. Authorization issues
  4. Redirection issues
  5. Injections

Your organization’s web apps are only as strong as your latest penetration test. Have you found all of the vulnerabilities in your web applications? Could there be more you’re unaware of? Watch the full webinar now to learn about five common vulnerabilities or contact us today to speak to one of our Information Security Specialists about our web application penetration testing services.

Why Do You Need Continuous Penetration Testing?

Applications change. Systems change. Networks change. Employees change. Hackers change. What happens when you connect a new API, add in a new server, or alter your environment in any way? A web application that was stable yesterday may not be with the next update. So, why wouldn’t you engage in continuous penetration testing? A standard penetration test is a snapshot of your security posture at the specific time of testing, whereas continuous penetration testing seeks to fill in the gaps between point-in-time penetration testing.

Hacking attempts happen all the time, and so should penetration testing. Hackers have an unlimited amount of time to launch complicated attacks, spending months testing out different tactics and learning how to avoid warning bells. Continuous penetration testing gives your penetration tester permission to act more like a hacker and provide better coverage for your organization’s security.

Continuous penetration testing isn’t just automated testing, though. At KirkpatrickPrice, continuous penetration testing fully utilizes both automated and manual testing techniques to assess cyber risks to your assets, data, and business. Consider this type of testing an extended coverage of what you already undergo annually or biannually. Instead of just one test a year, we test your environment continuously. Continuous penetration testing is dynamic, more realistic, and can quickly validate the remediation strategies you implement. This type of testing also ensures that you’re being tested against the latest, newest hacking techniques.

What’s the Difference Between Bug Bounty and Continuous Penetration Testing?

Continuous penetration testing isn’t the only way to combat high-risk cyber threats, though. Does your organization have a bug bounty program? Bug bounty is a results-driven, crowd-sourced program where payment is offered for valid vulnerabilities found within a specific scope. Bug bounty programs differ from continuous testing because you’re paying for valid results as opposed to, essentially, a retainer for time and effort. Bug bounty programs can be public or private, the most well-known coming from organizations like WordPress, Uber, the Pentagon, Netflix, Microsoft, Facebook, and Apple. In fact, Apple recently opened its bug bounty program to more researchers and expanded its maximum reward to $1 million.

Bug bounty is often seen as riskier than continuous penetration testing, but as long as stringent parameters are set and you’re working with trusted, invitation-only partners, it could be the right ethical hacking solution for your organization.

Is Continuous Penetration Testing Right for My Organization?

Do you have high-risk cyber threats? Do you make frequent changes to your applications, networks, systems, or services? Are your clients or stakeholders asking for assurance about your security methods? Do you consider retesting to be valuable? Does your job depend on the preparedness of your security perimeter? Continuous penetration testing may be the best solution for your organization’s penetration testing needs.

We want to find the gaps in your security before a hacker does. We offer advanced, continuous penetration testing as well as bug bounty services. If you want to avoid the consequences of a compromised application, network, or system while working with an expert ethical hacker, contact us today.


At KirkpatrickPrice, we’re committed to helping our clients get the most out of their information security engagements with us. That’s why we insist that our audits include an onsite visit. It’s part of performing our due diligence and testing. So, what happens during an onsite visit? How can organizations calm their nerves and prepare for an onsite visit?

What Happens During an Onsite Visit?

Once an organization has completed about 80% of its Online Audit Manager responses, we schedule an onsite visit. During this 3- to 4-day visit, an auditor has three tasks: interview, review, and observe. The auditor will interview the personnel responsible for various activities, physically test your networks, systems, and devices, and observe your company culture. While this process may seem straightforward, we understand that having an auditor come onsite can be stressful and nerve-wracking. What exactly are auditors looking for? Who will they talk to? What will they ask? Let’s take a look at how organizations can prepare for an onsite visit.

How Can I Prepare My Organization for an Onsite Audit Visit?

Every organization is different when it comes to onsite visits: levels of preparedness differ, the buy-in from personnel differs, and even the resources needed to get through the onsite differ. Regardless of this, though, every organization can proactively set itself up for success by implementing the following five practices to prepare for an onsite visit.

1. Relax! Remind Yourself Why You’re Doing This Audit

The goal of compliance, and especially the onsite visit, is to make your organization stronger. Auditors aren’t there to get you fired. An auditor finding vulnerabilities doesn’t mean you’ve failed – finding vulnerabilities is the only way an auditor can help you! It means that you’re receiving a thorough audit – one that will only strengthen your security in the long run. Before your onsite visit begins, remember to relax and remind your personnel what this audit means to your organization. Does it mean more revenue? Bigger clients? New industries? New locations? To home in on the value of compliance, you might consider sending out a company-wide email prior to the auditor coming onsite, similar to the one our client sent out. This is something that acknowledges how all employees play a role in compliance, explains what compliance means for your organization, and provides reminders of what not to do when an auditor is onsite.


2. Ask Questions, Voice Concerns

At KirkpatrickPrice, we know that undergoing any type of information security audit is difficult and stress-inducing. Oftentimes, clients have questions, concerns, and even fears going into the onsite visit – and we want to reiterate that we are always here to help. Before the onsite visit, then, ask your questions and voice your concerns. Our auditors can’t answer questions that never get asked or address concerns that are never shared. This level of transparency builds our relationship and will only help the success of your audit.

3. Review the Agenda

The best auditors will supply you with an agenda of topics prior to the onsite visit, so be sure to work with your auditor to ensure that you have the right personnel lined up to speak to an auditor. This will help prevent any confusion or stress when the auditor comes onsite. If your staff knows when they’ll be interviewed, they’ll be much more prepared.

4. Involve Senior Management

At every stage of an information security engagement, senior management involvement is extremely important, and this is especially true when it comes to the onsite visit. The best auditors will be sure to hold briefings with all involved in the audit at both the start and finish of the onsite engagement. This gives the auditor the opportunity to address questions about the timeline, expectations for the group, any issues in need of attention, as well as any other notable findings. If senior management is not involved during this process, critical information could be missed, which could prolong the engagement or prevent your organization from receiving your report on time.

5. Develop a Method for Tracking Action Items

Whether it’s during the onsite visit or afterward, there will be a number of items that the auditor may ask for more information on, such as logs, files, reports, etc. Most organizations will use Excel or other GRC software, but at KirkpatrickPrice, we’ve developed our own online tool for tracking action items. Using a tool like KirkpatrickPrice’s Online Audit Manager keeps each request, its due date, and its status visible across the compliance frameworks in scope.


Have more questions about our audit process? Want more information on how to prepare for your next onsite visit? We’re here to help! Contact us today to speak to one of our Information Security Specialists.


Independent Audit Verifies Trinity’s Best Practices to Protect Customer Data

Dallas, TX – Trinity Real Estate Solutions®, a national provider of specialty inspections, construction lending services and appraisals, is pleased to announce it has successfully completed a System and Organization Controls (SOC) 2 Type II audit, performed by KirkpatrickPrice. This completion illustrates Trinity’s ongoing commitment to create and maintain a secure operating environment for its clients’ confidential data.

“In today’s world, data privacy is a fundamental right, and data security is imperative to the customer experience,” says Steve Fontaine, Vice President Services at Trinity. “The SOC 2 audit helped standardize and streamline Trinity’s policies and procedures, and working with KirkpatrickPrice ensures our customers’ data will be handled using the strictest of guidelines. Protecting our customers’ most critical assets is not only our job – it’s a commitment that goes to the very heart of our relationship with each and every client.”

“The SOC 2 audit is based on the Trust Services Criteria, and Trinity selected the security and availability categories for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “By communicating the results of this audit, their clients can be assured of their reliance on Trinity’s controls.”

SOC 2 engagements are performed in accordance with the American Institute of Certified Public Accountants’ (AICPA) Trust Services Criteria. SOC 2 audit reports focus on a service organization’s non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s audit report verifies the suitability of the design of Trinity’s controls to meet the standards for these criteria.

About Trinity Real Estate Solutions, Inc.

Trinity Real Estate Solutions®, Inc. is a national provider of residential and commercial construction lending services, draw inspections, appraisal services, property preservation, broker price opinions, consulting services, appraisals and specialty inspections (e.g. merchant site inspections, disaster inspections, collateral inspections). Its products are designed to mitigate risk and provide onsite assessments of properties. Founded in 2003, Trinity has grown from one company in a specialized industry to five companies today – Trinity Inspection Services®, Trinity Field Services®, Trinity Appraisal Services LLC, Trinity Loan Administration®, and Trinity Residential Land Services® – operating in the banking, mortgage lending, credit card and insurance industries nationwide. Headquartered in Dallas, Texas, Trinity partners with more than 10,000 field appraisers, inspectors, contractors, engineers, architects, surveyors, and brokers across the country. They serve small, regional and national customers.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 900 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.