Independent Audit Verifies IDM’s Internal Controls and Processes

Reston, VA – IDM, a data intelligence and marketing advisory firm, today announced that it has completed its SOC 2 Type II audit. This attestation provides evidence of IDM’s strong commitment to delivering high-quality services to its clients by demonstrating that it has the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of IDM’s controls to meet the standards for these criteria.

“Successfully completing the SOC 2 Type II audit is yet another way IDM is demonstrating its deep commitment to customer data security. Having a successful SOC 2 Type 2 audit should give our clients confidence that we are diligent in how we protect their data. IDM’s dedication to information security allows customers to trust us with confidential information and to depend on IDM as their service provider for secure, compliant services,” said Drew Steed, IDM CIO.

“The SOC 2 audit is based on the Trust Services Criteria. IDM has selected the security and confidentiality categories for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “IDM delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on IDM’s controls.”

About IDM

IDM is a data intelligence and marketing advisory agency that provides custom data solutions geared to meet the needs of large B2B and B2C companies. Formed in 2003, the firm combines emerging technologies and innovation with data-driven best practices for exceptional results. Their custom data solutions are strategically designed to meet business objectives, combining multiple sources of external data while enhancing client data. They create targeted data solutions that provide large positive shifts in customer acquisition, development and retention programs. For more information, visit www.idm.us.com, or connect with IDM on LinkedIn.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 900 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

The technology that consumers use every day is becoming smarter and smarter – locks, mirrors, cars, refrigerators, speakers, watches, thermostats, printers, security cameras. Internet of things (IoT) technology is making daily tasks easier, but how secure is this technology? It’s your job as the developer of IoT technology to make sure that the information transmitted through these devices is secure so that the consumer doesn’t have to worry.

IoT devices are vulnerable to the same array of attacks found in other areas of technology. Why should they not be tested and held to the same security standards as the rest? What ways could an attacker abuse the IoT technology that your organization has developed? To protect the IoT products you develop, they must undergo thorough penetration testing.

Why Test the Security of IoT Devices?

Gartner expects that by 2020, 20 billion IoT devices will be available. This number doesn’t include what Gartner deems “general-purpose” devices like smartphones, but dedicated, physical objects that contain embedded technology to sense or interact with their internal state or the external environment. This surge in IoT technology can save lives, time, energy, money – the possibilities are endless. But IoT that isn’t built with an emphasis on security can be extremely dangerous.

The number and variety of IoT attacks keep climbing. Symantec’s 2019 Internet Security Threat Report, for instance, includes the following findings:

  • IoT attacks increased 600% between 2016 and 2017.
  • On average, IoT devices experience 5,200 attacks per month.
  • 90% of IoT attacks are attributed to routers and connected cameras.
  • IoT attacks against industrial controls systems (ICS) are rising.
  • Mirai was the third most common IoT threat in 2018, some variants using up to 16 different exploits.
  • VPNFilter revolutionized IoT attacks with its ability to survive a reboot.
  • In 2018, Telnet accounted for 90% of protocol attacks and 85% of port attacks.

When you develop IoT, don’t you want assurance that your technology has a defense against these types of attacks? Are your routers part of the 75% of targeted IoTs? How are you mitigating the threats against the Telnet protocol? How many IoT attacks can your devices withstand? Are you working with a security team that recognizes APT groups’ behaviors? Penetration testing can be a solution for gaining the assurance you need.

How is Penetration Testing Performed on IoT Devices?

During IoT penetration testing, we are testing an IoT product’s security hygiene. Is information secured in storage and in transit? Could the IoT device be forced into completing tasks it shouldn’t? Could the IoT device be bypassed? Could authentication requirements be bypassed? What vulnerabilities could be abused? We put IoT technology through multiple types of tests in hopes of revealing any security vulnerabilities that might exist.

The OWASP IoT Top 10 lists things to avoid when building, deploying, or managing IoT systems or devices, including:

  1. Weak, Easily Guessable, or Hardcoded Passwords
  2. Insecure Network Services
  3. Insecure Ecosystem Interfaces
  4. Lack of Secure Update Mechanism
  5. Use of Insecure or Outdated Components
  6. Insufficient Privacy Protection
  7. Insecure Data Transfer and Storage
  8. Lack of Device Management
  9. Insecure Default Settings
  10. Lack of Physical Hardening

While our testing focuses on whether IoT technology has been built with security in mind, this list provides a good baseline of what a penetration tester may be looking for during IoT penetration testing. Our team will thoroughly test IoT devices to identify the ways an attacker could exploit your vulnerabilities. All IoT is different, and we’re prepared to perform diligent, advanced IoT penetration testing to protect your organization.
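Several of the OWASP IoT Top 10 items above (weak or default passwords, insecure network services, an unsigned update channel, cleartext data transfer, insecure defaults, and debug interfaces left enabled) can be checked before a device ever reaches a tester, by reviewing its provisioning configuration. The following is an added example written for this page, not code from KirkpatrickPrice or OWASP; the configuration layout, key names and the two sample configurations are constructed for illustration and do not describe any real product. The same checker is run against a weak configuration and a hardened one so the difference is visible.

```python
"""Static review of an IoT device's provisioning configuration against the
OWASP IoT Top 10 categories named above (I1, I2, I4, I7, I9, I10).

Added example: the config layout, key names and sample values are constructed
for illustration and do not describe any real product."""

# Constructed: factory defaults that appear in every attacker wordlist.
COMMON_DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345", "root", "default"}


def review_device_config(cfg: dict) -> list:
    """Return a list of (owasp_category, finding) tuples; an empty list means no finding."""
    findings = []

    # I1: weak, easily guessable, or hardcoded passwords
    pw = str(cfg.get("admin_password", ""))
    if pw.lower() in COMMON_DEFAULT_PASSWORDS:
        findings.append(("I1", "admin password is a well-known factory default"))
    elif len(pw) < 12:
        findings.append(("I1", "admin password is shorter than 12 characters"))

    # I9: insecure default settings (device ships without forcing a credential change)
    if cfg.get("password_change_required_on_first_boot") is not True:
        findings.append(("I9", "device does not force a password change on first boot"))

    # I2: insecure network services (cleartext management protocols)
    services = cfg.get("services", {})
    if services.get("telnet"):
        findings.append(("I2", "telnet management service enabled (credentials sent in cleartext)"))
    if services.get("http") and not services.get("https"):
        findings.append(("I2", "web UI is served only over HTTP"))

    # I4: lack of secure update mechanism
    upd = cfg.get("firmware_update", {})
    if not upd.get("verify_signature"):
        findings.append(("I4", "firmware images are not signature-verified before install"))
    if str(upd.get("url", "")).startswith("http://"):
        findings.append(("I4", "firmware is fetched over plain HTTP"))

    # I7: insecure data transfer and storage
    if not cfg.get("telemetry_tls"):
        findings.append(("I7", "telemetry is sent to the cloud without TLS"))
    if not cfg.get("credentials_encrypted_at_rest"):
        findings.append(("I7", "stored credentials are not encrypted at rest"))

    # I10: lack of physical hardening
    if cfg.get("debug_uart_enabled"):
        findings.append(("I10", "debug serial console is left enabled in production"))

    return findings


# Constructed sample: the weak setting on the left of each pair, the corrected one below.
WEAK_CONFIG = {
    "admin_user": "admin",
    "admin_password": "admin",
    "password_change_required_on_first_boot": False,
    "services": {"telnet": True, "ssh": True, "http": True, "https": False},
    "firmware_update": {"url": "http://updates.example/fw.bin", "verify_signature": False},
    "telemetry_tls": False,
    "credentials_encrypted_at_rest": False,
    "debug_uart_enabled": True,
}

HARDENED_CONFIG = {
    "admin_user": "admin",
    "admin_password": "Xq7!v9Lp2#mTz4Rs",  # constructed; per-device value set at provisioning
    "password_change_required_on_first_boot": True,
    "services": {"telnet": False, "ssh": True, "http": False, "https": True},
    "firmware_update": {"url": "https://updates.example/fw.bin", "verify_signature": True},
    "telemetry_tls": True,
    "credentials_encrypted_at_rest": True,
    "debug_uart_enabled": False,
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(review_device_config(cfg))} finding(s)")
        for category, text in review_device_config(cfg):
            print(f"  [{category}] {text}")
```

The checker is deliberately conservative: it reports a finding whenever a protective setting is absent rather than only when an insecure one is present, because a key that is missing from a device configuration usually means the vendor never considered that control. Categories I3, I5, I6 and I8 from the list are not covered here because they depend on the ecosystem around the device rather than on the device's own configuration.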

We want to find the gaps in your IoT security before an internal or external attacker does. If you want to avoid the consequences of compromised IoT technology and work with an expert ethical hacker, contact us today.

More Penetration Testing Resources

What is Network Penetration Testing?

What are the Stages of Penetration Testing?

3 Hacks to Get the Most Out of Your Penetration Test

Imagine this: your employee, Kevin, sits down at the office and opens his email inbox. The first message is from the CEO of your company, Chris, with the subject line “Priority Task.” The email seems urgent. He opens it quickly and reads his task.

Personalized Spear-Phishing Attacks

Because Kevin wants to quickly complete this task for his employer, he rushes to reply. He follows the instructions he receives in a follow-up email, which leads him to send private access information to a “client,” AKA the spear-phisher behind this entire email thread. If he had been trained on proper security measures, Kevin would have recognized the familiar spear-phishing tactic of personalized yet unexpected requests from C-level executives. He would have realized that the email address was unfamiliar and that the urgency in the message was uncharacteristic of his boss. Instead, he fell for a common spear-phishing tactic which led to malicious access to his company’s data.

To make sure your employees recognize the familiar tactics of phishing, you first need to know the various strategies malicious individuals use to gain access to sensitive information. Let’s talk about the difference between phishing and spear-phishing.

What is Phishing?

Phishing is any effort by an attacker to gain sensitive information from an individual via email, social media, or even phone calls. In the context of a business entity, these malicious individuals make contact with employees asking for private information that can lead to access to company systems, processes, or data. These attacks are not personalized. Instead, they are mass-generated with the hope that at least one individual will fall for the trap.

It’s not uncommon for employees to fall for these simple phishing attacks. In fact, Verizon’s 2019 Data Breach Investigations Report claims that 32% of breaches involved phishing. That’s a difficult number to grasp. Phishing is not a complex or expensive tactic that attackers use. It’s about casting a wide net and, as evidenced, it’s successful in gaining access to companies’ private systems.

Phishing vs. Spear Phishing

Spear-phishing differs from normal phishing in that it is targeted and personalized. Spear-phishers target specific individuals with custom messages. They spend more time and energy on finding personal information to create tailored attacks. For businesses, spear-phishers tend to pose as C-level executives or fellow employees. The emails, phone calls, and messages from these malicious individuals tend to carry a sense of urgency to convince victims to act quickly.

Spear-phishing is more likely to be successful in gaining access to sensitive data as it appeals to the familiarity of a victim. The tech company Ubiquiti learned about the impact of spear-phishing firsthand in 2015 when employees fell victim to an attacker’s tactics. The spear-phisher targeted Ubiquiti employees by imitating a company employee and asking for an unauthorized international wire transfer. The attacker targeted Ubiquiti knowing it handles international transfers often, and it worked for them – the company lost $46.7 million to these spear-phishing attacks. It led to legal action and countless hours remediating the security issues found from this attack.

Was this leak of information and financial resources inevitable? Absolutely not. If proper information security procedures were in place, employees would have been aware of possible attack tactics. Whether it’s personalized or not, phishing is effective. Make sure your organization is even more effective in securing its data and private information.

Hunt for Your Vulnerabilities Before Hackers Do

Who would you rather have locating the security weaknesses within your company – a malicious hacker or a security professional whom you hired to secure your assets? At KirkpatrickPrice, we recognize the value of thorough penetration tests that seek out your vulnerabilities and work to correct them. Our team of expert penetration testers uses a variety of penetration tests and social engineering to locate the security issues your organization may not recognize.

Do you want to find out your organization has a security vulnerability after you’ve already lost millions to a malicious attacker?

Of course not!

Be proactive. Contact KirkpatrickPrice today to learn how we can help you become secure.

More Information Security Resources

What is Network Penetration Testing?

When Will It Happen to You? Top Cybersecurity Attacks You Could Face

Three Types of Social Engineering Attacks on the Financial Services Industry: Would Your Employees Fall for Them?

APIs have led to digital transformation within the cloud, IoT, and mobile and web applications. Without knowing it, the average person engages with multiple APIs every day, especially on mobile. APIs are the connective tissue responsible for transferring information between systems, both internally and externally. All too often, though, deployed APIs do not go through comprehensive security testing, if tested for security at all. Whether SOAP or REST, a poorly secured API can open security gaps for anything that it is associated with. The security of the API is just as important as the applications that it provides functions for. What ways could an attacker abuse the APIs that your organization has built?

Why Test the Security of APIs?

According to Gartner, by 2022, exploiting APIs will be the most common attack vector for data breaches within enterprise web applications. In the last few years, we’ve already seen plenty of security incidents with unprotected APIs at the center: Venmo, celebrity websites and mobile apps, Salesforce’s Marketing Cloud, and Panera to name a few.

When there is no emphasis on API security, we see negative impacts such as customer accounts being taken over, exposed application logic, fraud, data breaches, performance issues, control systems being taken over, and compromised internal infrastructures.

Because of the prevalence of unprotected SOAP and REST APIs, OWASP is extending its popular “Top 10” to API security in 2019. Version one is set to release later this year, and in the meantime, we’re able to see the current draft, which lists:

  1. Missing Object Level Access Control
  2. Broken Authentication
  3. Excessive Data Exposure
  4. Lack of Resources and Rate Limiting
  5. Missing Function/Resource Level Access Control
  6. Mass Assignment
  7. Security Misconfiguration
  8. Injection
  9. Improper Assets Management
  10. Insufficient Logging and Monitoring

These risks could come from man-in-the-middle, CSRF, XSS, SQL injection, or DDoS attacks. How are you preparing your APIs to defend against internal and external attackers?
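Three of the draft categories above (1. Missing Object Level Access Control, 3. Excessive Data Exposure and 6. Mass Assignment) are pure application-logic flaws, which is why a vulnerability scanner tends to miss them and a tester has to read each function. The following is an added example written for this page, not code from KirkpatrickPrice, OWASP or any real API; the in-memory USERS and ORDERS tables, the handler names and the sample values are constructed for illustration. Each weakness is shown as the weak handler beside its hardened counterpart.

```python
"""Weak and hardened handlers for three OWASP API Security Top 10 (2019 draft)
categories: 1 object level access control, 3 excessive data exposure,
6 mass assignment.

Added example: USERS/ORDERS, the handler names and all values are constructed."""

# Constructed sample data standing in for a database.
USERS = {
    "alice": {"username": "alice", "role": "customer", "email": "alice@example.com",
              "password_hash": "$argon2id$constructed", "api_key": "constructed-key-1"},
    "bob":   {"username": "bob", "role": "customer", "email": "bob@example.com",
              "password_hash": "$argon2id$constructed", "api_key": "constructed-key-2"},
}
ORDERS = {
    1001: {"id": 1001, "owner": "alice", "total": 42.50},
    1002: {"id": 1002, "owner": "bob", "total": 99.00},
}


# --- 1. Object level access control ------------------------------------
def get_order_weak(caller: str, order_id: int) -> dict:
    """Weak: any authenticated caller can read any order by changing the id."""
    return ORDERS[order_id]


def get_order(caller: str, order_id: int) -> dict:
    """Hardened: the record is returned only when the caller owns it."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != caller:
        # One error for both "missing" and "not yours" so ids cannot be enumerated.
        raise PermissionError("order not found")
    return order


# --- 3. Excessive data exposure ----------------------------------------
PUBLIC_USER_FIELDS = ("username", "email")


def get_user_weak(username: str) -> dict:
    """Weak: serialises the whole record and trusts the client to hide secrets."""
    return dict(USERS[username])


def get_user(username: str) -> dict:
    """Hardened: the server projects an explicit allow-list of fields."""
    return {k: USERS[username][k] for k in PUBLIC_USER_FIELDS}


# --- 6. Mass assignment ------------------------------------------------
CLIENT_WRITABLE_FIELDS = {"email"}


def update_profile_weak(user: dict, payload: dict) -> dict:
    """Weak: every key in the request body is written, 'role' included."""
    return {**user, **payload}


def update_profile(user: dict, payload: dict) -> dict:
    """Hardened: only allow-listed keys are applied; anything else is rejected."""
    unexpected = set(payload) - CLIENT_WRITABLE_FIELDS
    if unexpected:
        raise ValueError(f"fields not writable by clients: {sorted(unexpected)}")
    return {**user, **{k: payload[k] for k in CLIENT_WRITABLE_FIELDS if k in payload}}


def is_denied(handler, *args) -> bool:
    """True when the handler refuses the request (used to demonstrate the hardened paths)."""
    try:
        handler(*args)
    except (PermissionError, ValueError):
        return True
    return False


if __name__ == "__main__":
    print("bob reads alice's order (weak):", get_order_weak("bob", 1001))
    print("bob reads alice's order (hardened) denied:", is_denied(get_order, "bob", 1001))
    print("user record leaks hash/key (weak):", sorted(get_user_weak("alice")))
    print("user record (hardened):", get_user("alice"))
    escalation = {"email": "bob@evil.example", "role": "admin"}
    print("role after weak update:", update_profile_weak(USERS["bob"], escalation)["role"])
    print("hardened update denied:", is_denied(update_profile, USERS["bob"], escalation))
```

During a test, the functions on the left are what the "function by function" review is looking for: the authorization decision lives in the handler, not in the router, so every endpoint that takes an identifier has to be checked individually, and every endpoint that accepts a body has to be checked for fields it should not accept.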

How is Penetration Testing Performed on APIs?

Primarily, during API penetration testing, we are testing an API’s functions/methods, how they could be abused, and how authorization and authentication could be bypassed. We also test to see if we can cause any form of command injection, or even XSS, if the function’s response renders data on the page. We put APIs through these types of tests in hopes of revealing any security vulnerabilities that might exist.

Many security analysts who aren’t experienced in API penetration testing will try to attack the API with a vulnerability scan, but we know it doesn’t work that way. Even with the proper tools, penetration testers who don’t have the appropriate API knowledge won’t know what to do because they can’t interpret the data they receive. Our penetration testers have the background in programming and development that’s needed to provide a thorough, proper assessment of a SOAP or REST API. Our team will go through the API, function by function, to identify the ways an attacker could exploit your vulnerabilities. Every API is different, and we’re prepared to perform diligent, advanced API penetration testing to protect your organization.

We want to find the gaps in your API security before an internal or external attacker does. We offer advanced, web API security testing for both SOAP and REST APIs. If you want to avoid the consequences of a compromised API and work with an expert ethical hacker, contact us today.

More Penetration Testing Resources

OWASP’s REST Security Cheat Sheet

What are the Stages of Penetration Testing?

3 Hacks to Get the Most Out of Your Penetration Test

Every month there is headline after headline reporting about new data breaches. Whether it’s a ransomware attack, a negligent employee opening a phishing email, or a state-sponsored attack, millions of individuals are impacted by data breaches and security incidents on a regular basis. Let’s take a look at some of the top data breaches that occurred during August and the lessons we can learn from them.

State Farm Data Breach in 2019

What Happened?

On August 7th, insurance provider State Farm notified the California Attorney General of a data breach caused by a credential stuffing attack. State Farm sent out an email notifying users whose online log-in credentials had been compromised, stating that “a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt to access [sic] to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.” While usernames and passwords were compromised, no other PII exposure or fraud has been detected.

Lessons Learned

According to Verizon’s 2019 DBIR, over 60% of breaches involved the use of stolen credentials. To avoid a data breach like State Farm’s, organizations must protect their users’ data by implementing information security best practices, like these recommended by OWASP:

  • Deploy Multi-Factor Authentication
  • Use a CAPTCHA
  • Use IP blacklists
  • Utilize Device Fingerprinting
  • Disallow Email Addresses as User IDs
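The OWASP controls listed above all act on the same signal: a credential stuffing attack looks like one source trying many different usernames with a high failure rate, which is unlike both a legitimate user and a brute-force attack on a single account. The following is an added example written for this page, not code from KirkpatrickPrice, OWASP or State Farm; the log format and the sample lines are constructed for illustration. It flags source addresses showing that pattern and, for each, lists the accounts that nonetheless logged in successfully, which is the set of users a notification like State Farm's would go to.

```python
"""Detect a credential-stuffing pattern in authentication logs and list the
accounts that were successfully accessed from a flagged source.

Added example: the log format and SAMPLE_LOG are constructed for illustration."""

import re
from collections import defaultdict

# Constructed log format: "<timestamp> auth ip=<src> user=<name> result=ok|fail".
LOG_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")

# Constructed sample: 203.0.113.5 replays a leaked list of six accounts and
# gets one hit; 198.51.100.7 is a real user who mistypes once.
SAMPLE_LOG = """\
2019-08-07T09:00:01Z auth ip=203.0.113.5 user=alice result=fail
2019-08-07T09:00:02Z auth ip=203.0.113.5 user=carol result=fail
2019-08-07T09:00:02Z auth ip=203.0.113.5 user=dave result=fail
2019-08-07T09:00:03Z auth ip=203.0.113.5 user=erin result=fail
2019-08-07T09:00:03Z auth ip=203.0.113.5 user=frank result=fail
2019-08-07T09:00:04Z auth ip=203.0.113.5 user=bob result=ok
2019-08-07T09:05:10Z auth ip=198.51.100.7 user=alice result=fail
2019-08-07T09:05:20Z auth ip=198.51.100.7 user=alice result=ok
"""


def detect_credential_stuffing(log_text: str, min_distinct_users: int = 5,
                               min_fail_ratio: float = 0.8) -> dict:
    """Return {ip: summary} for each source whose behaviour matches stuffing.

    A source is flagged when it tried at least `min_distinct_users` different
    usernames and at least `min_fail_ratio` of its attempts failed.  Thresholds
    are constructed defaults; tune them to the service's real login traffic."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "fails": 0, "successes": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not an auth record; ignore
        rec = per_ip[m["ip"]]
        rec["users"].add(m["user"])
        rec["attempts"] += 1
        if m["result"] == "fail":
            rec["fails"] += 1
        else:
            rec["successes"].add(m["user"])

    flagged = {}
    for ip, rec in per_ip.items():
        fail_ratio = rec["fails"] / rec["attempts"]
        if len(rec["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(rec["users"]),
                "fail_ratio": round(fail_ratio, 2),
                # accounts the attacker now holds valid credentials for
                "compromised_accounts": sorted(rec["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

Two practical notes on the design: the distinct-username count, not the raw failure count, is what separates stuffing from a user who forgot their password, so a detector keyed on failures per account alone will miss it; and an attacker spreading attempts across a large proxy pool lowers every per-IP count, which is why the OWASP list pairs source blocking with device fingerprinting, CAPTCHA and MFA rather than relying on any one of them.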

Presbyterian Health Services

What Happened?

Presbyterian Health Services, a New Mexico-based healthcare provider, fell victim to a data breach after multiple employees responded to a phishing email. Malicious hackers were then able to gain access to the protected health information of nearly 183,000 patients and health plan members.

Lessons Learned

The healthcare industry is among the top targets for cyberattacks, and malicious hackers will only become more creative and cunning; however, time and time again, we see reports of healthcare organizations being impacted by something as simple as a phishing attack. This highlights the extreme importance of training employees on information security best practices on a regular basis; all employees should know how to identify and report suspicious emails and other forms of electronic communication.

22 Texas Local Governments

What Happened?

Last month, it was the Los Angeles County Department of Health Services and Maryland’s Department of Labor. This month, it’s 22 Texas municipalities. Malicious hackers are targeting municipal governments more than ever, and Texas is only the latest victim. Faced with paying a $2.5 million ransom to restore all crypto-locked systems, these Texas municipal governments are investigating and recovering from the attack. And while the Texas Department of Information Resources is leading the incident response effort and is being assisted by entities like the U.S. Department of Homeland Security and the FBI’s cyber division, the type of ransomware used has not been released. However, Mayor Gary Heinrich of Keene, Texas, gave more details on the attack in an interview with NPR, stating, “They got into our software provider, the guys who run our IT systems. A lot of folks in Texas use providers to do that, because we don’t have a staff big enough to have IT in house.” Services like vital statistics, credit card payments, and utility disconnections were impacted by the data breach.

Lessons Learned

Month after month, local governments are being attacked by malicious hackers. Why? Because once malicious hackers target big companies and government agencies and fail, they move on to smaller companies and governments. And because of their limited personnel and financial resources, local governments like those in Texas are often forced to partner with third-party IT service providers, making them even more susceptible to breaches. This underscores just how important robust cybersecurity strategies are for municipal governments, especially when it comes to working with third-party vendors. It also points to the need for municipal governments to perform thorough risk assessments of third-party vendors in order to risk-rank and mitigate the potential threats associated with working with them.

Imperva

What Happened?

On August 20th, Imperva, a leading provider of Internet firewall services that help websites block malicious cyberattacks, announced that it experienced a data breach that impacted users of its cloud-based Web Application Firewall (WAF) product. According to a report issued by KrebsOnSecurity, malicious hackers compromised data including email addresses, scrambled passwords, API keys, and SSL certificates.

Lessons Learned

When asked about the lessons organizations can learn from Imperva’s breach, KirkpatrickPrice’s Director of Audit Operations, Richard Rieben said, “The biggest takeaway is that no one is immune to breaches – organizations need to continually defend against malicious attacks as well as internal misconfigurations. While we don’t know all of the details of this exact breach, it highlights the need for defense-in-depth techniques which would minimize exposure due to this specific breach given what was disclosed.”

Bonus: What to Watch

Netflix recently released The Great Hack, re-sparking the conversation around Cambridge Analytica, Facebook, and the use of personal data to create propaganda and targeted messaging. The Great Hack follows Cambridge Analytica’s former employees Christopher Wylie and Brittany Kaiser; Carole Cadwalladr, the journalist who broke the story; and David Carroll, the professor who took legal action against Cambridge Analytica to access the data points collected about him.

Data rights are human rights. As technology booms, data is the first asset to be used to influence buyer habits, ways of thinking, and decision making. It’s also the first asset to be stolen or targeted by a hacker. As organizations continue to use more and more personal data to create targeted messages towards data subjects, we’ll continue to see laws and regulations (like GDPR and CCPA) rise up to protect data. If your organization is considered a controller or processor of personal data, you have a responsibility to develop data privacy practices that protect data subjects.

To understand the impact that insecure or illegal data privacy practices can have, find time to watch The Great Hack and let us know your reactions. We’d love to hear them!

Whether it’s a government agency or a private healthcare collections agency, at KirkpatrickPrice, we know that data breaches are only a matter of when, not if, they’ll occur, no matter what industry you’re in. That’s why we’re committed to offering a variety of quality, thorough assurance services to help keep your organization protected. Want to learn more about our services and how they can help you mitigate the risk of experiencing a data breach? Contact us today.