Independent Audit Verifies ClassLink’s Internal Controls and Processes

Clifton, NJ – ClassLink, a cloud-based education solution services provider, today announced that it has completed its SOC 2 Type II audit. This attestation provides evidence that ClassLink has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of ClassLink’s controls to meet the standards for these criteria.

“ClassLink is committed to protecting the privacy of data that is entrusted to us. We take this commitment very seriously, and have subjected our controls and procedures to a full SOC 2 Type II audit by a trusted auditor, KirkpatrickPrice. We will continue to provide our customers with the best products and support possible, and are proud to have achieved this attestation.”

Jeff Janover, VP of Interoperability Services, ClassLink

“The SOC 2 audit is based on the Trust Services Criteria. ClassLink has selected the security, availability, and confidentiality categories for the basis of their audit. ClassLink delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on ClassLink’s controls.”

Joseph Kirkpatrick, President of KirkpatrickPrice

About ClassLink

ClassLink® LaunchPad includes a library of over 6,000 single sign-on apps and instant links to file folders at school and on Google, Office 365, and Dropbox cloud drives. ClassLink Analytics gives decision makers the usage data they need. ClassLink Roster Server easily and securely delivers class rosters to any publisher using open technology standards. ClassLink OneSync automates account provisioning and provides bidirectional account syncing. Accessible from any computer, tablet or smartphone, ClassLink is ideal for 1to1 and Bring Your Own Device (BYOD) initiatives.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 900 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Gartner says that by 2020, 60% of digital businesses will suffer from service failures due to their IT security teams’ inability to manage digital risk. What does this mean for your business? Is your organization defending its network from cyber threats? Are you performing network penetration testing to validate your security efforts? What is network penetration testing, and should you be doing internal or external? Let’s discuss.

Internal vs. External Network Penetration Testing

What is network penetration testing? There are two types: internal and external. External threats to your network may seem more obvious than internal threats. Most organizations would agree that anything exposed to the Internet needs some form of security testing, and we recommend external network penetration testing. If an external host is compromised, it can give an attacker a foothold for digging deeper into your internal environment. External devices can also be the direct target of an attack, such as a hacker looking for a public-facing SFTP/FTP server that stores your clients’ data, so these devices must be protected as well. External network penetration testing is focused on the perimeter of your network and identifies deficiencies in the controls that protect against remote attackers targeting the Internet-facing systems in your environment. When performing external penetration testing, our penetration testers mimic real scenarios as closely as possible to root out all potential vulnerabilities. External network penetration testing techniques include the following:

  • Port scans and other network service interaction and queries
  • Network sniffing, traffic monitoring, traffic analysis, and host discovery
  • Spoofing or deceiving servers via dynamic routing updates (e.g., OSPF, RIP spoofing)
  • Attempted logins or other use of systems with any account name/password
  • Use of exploit code for leveraging discovered vulnerabilities
  • Password cracking via capture and scanning of authentication databases
  • Buffer overruns/underruns
  • Spoofing or deceiving servers regarding network traffic
  • Alteration of running system configuration except where denial of service would result
  • Adding user accounts

Whether it’s disgruntled workers, previously terminated employees, or someone trying to steal trade secrets, there are many potential internal threats. Did you know that, on average, it only takes 16 minutes before the first employee clicks on a phishing email? Even without malicious intent, simple configuration issues or employee mishaps can result in a network compromise, which is why the majority of attacks originate from within. That’s why internal network penetration testing targets the networked environment that lies behind public-facing devices. This type of penetration test is designed to identify and exploit issues that can be discovered by an attacker who has already gained access to your internal network. Internal subnets, domain servers, file servers, printers, switches: it’s all in play during internal network penetration testing. Penetration testers will assess your internal network and thoroughly look for any avenue that could lead to exploitation.

How is Network Penetration Testing Performed?

Network penetration testing at KirkpatrickPrice begins with the information gathering and reconnaissance phase, where the organization being tested provides the penetration tester with general information about in-scope targets, and the penetration tester collects additional details from publicly accessible sources. Our penetration testers are looking for vulnerable ports and services that will allow them to gain entry into the network, similar to an open door or window on a house that is supposed to be locked. The reconnaissance phase is crucial to thorough network penetration testing because penetration testers can identify additional information that may have been overlooked, unknown, or not provided.

Then, a vulnerability assessment is performed, in which our expert penetration testers use multiple tools to gain initial knowledge of the environment. A vulnerability assessment is not a replacement for a network penetration test, though. After interpreting those results, our penetration testers use manual techniques, human intuition, and their backgrounds in network administration to attack those vulnerabilities. After the network penetration test is complete, you will receive a comprehensive report with narratives of where we started the testing, how we found vulnerabilities, and how we exploited them.

KirkpatrickPrice’s network penetration testing methodologies are unique and efficient because they do not rely on static techniques and assessment methods. Effective penetration testing requires a diligent effort to find enterprise weaknesses, just as a malicious individual would. Our advanced network penetration testing methodology is derived from various sources including the OSSTMM, Information Systems Audit Standards, CERT/CC, the SANS Institute, NIST, and OWASP. Our team of highly skilled penetration testers has backgrounds specifically in systems and network administration and understands the complexities of protecting your network. This works to our advantage, because it lets us identify the areas that are the most difficult to defend.

What is network penetration testing and how could it defend your organization? If you want to avoid the consequences of a compromised network while working with an expert ethical hacker, contact us today.


The goal of the healthcare industry has always been to provide quality patient care. To do so, healthcare organizations have invested in state-of-the-art technology and highly educated personnel, but there’s still one thing that many in the healthcare industry have failed to do: invest in robust information security management programs. In fact, almost daily, there’s headline after headline reporting new healthcare data breaches impacting the PHI of hundreds, and oftentimes millions, of patients. This leads us to question: why would someone want to steal healthcare data? Why is it so important that the healthcare industry focuses on information security?

Why Would Someone Want to Steal Healthcare Data?

It’s understandable why a malicious hacker would want to steal financial data. After all, most malicious hackers are after some sort of financial gain. But there’s one critical issue with compromising financial data: card numbers, PINs, account information can all be easily changed. Protected health information (PHI), by contrast, cannot be reissued, and its long-term value makes healthcare data more enticing for malicious hackers to steal and is all the more reason why information security is so important in healthcare.

3 Reasons Why Information Security is So Important in Healthcare

1. The healthcare industry is highly regulated.

The healthcare industry is one of the most regulated industries in America. That’s why we see so many reported breaches in the media and on the OCR’s “wall of shame.” But despite the HIPAA Security, Privacy, and Breach Notification requirements and various other state laws that require covered entities and business associates to protect PHI, there’s a serious lack of robust information security management programs. In order to provide quality patient care and meet HIPAA requirements, then, covered entities and business associates alike need to heavily invest in the security of their people, processes, and infrastructure as a whole.

2. The healthcare industry is highly dependent on new technologies.

From artificial hearts to mobile applications, the modern healthcare industry wouldn’t be what it is today without advancing technologies. However, as we all know, when new technology is introduced into an environment, the attack surface increases, and new risks must be accounted for. This goes beyond technologies used in hospitals or other healthcare facilities: medical manufacturers must also take into account the cyber risks associated with their products. For example, something as simple and as medically necessary as an insulin pump, like that of Medtronic, can become vulnerable to a cyberattack and have detrimental effects on a patient’s well-being.

3. The healthcare industry is highly reliant on humans.

Week after week, there are reports of data breaches impacting hundreds of healthcare patients, and many of these attacks are the result of human error, such as falling for phishing attempts. Because the healthcare industry relies on humans to provide quality patient care, the risk of experiencing a data breach or security incident becomes much more likely, which is why creating and implementing a robust information security management program must be made a top priority.

It is paramount that covered entities and business associates alike understand why information security is so important to the healthcare industry. To continue providing quality patient care, robust information security management programs must be established and maintained. Want to learn more about how your healthcare organization can meet HIPAA or HITRUST requirements? Need to see if your systems can stand up to an advanced penetration test? Ready to prove to your patients that you can deliver quality patient care? Contact us today.


Regardless of the size or industry of organizations, every month there is headline after headline reporting about new data breaches. Whether it’s a ransomware attack, a negligent employee opening a phishing email, or a state-sponsored attack, millions of individuals are impacted by data breaches and security incidents on a regular basis. Let’s take a look at some of the top data breaches that occurred during July and the lessons we can learn from them.

Maryland Department of Labor

What Happened?

On July 5, 2019, officials from the Maryland Department of Labor announced that they had experienced a data breach earlier in April that impacted nearly 78,000 individuals who used the department’s unemployment benefits in 2012 or enrolled in the Literacy Works Information System in 2009, 2010, or 2014. The cause? Malicious hackers gained unauthorized access to the Department of Labor’s systems, allowing them to steal personally identifiable information such as names, Social Security Numbers, and dates of birth. In an interview with The Washington Post, Fallon Pearre, a spokeswoman for the Department of Labor, said that “the state does not believe any of the information was misused.”

Lessons Learned

Maryland’s Department of Labor breach is just another example of the dire need for municipal governments to implement robust cybersecurity strategies. When a government entity becomes compromised, critical systems can be shut down and citizens’ livelihoods can be greatly impacted. It is up to city officials to ensure that information security best practices are followed by all employees and that effective cybersecurity policies are in place to locate and remediate any vulnerabilities that can be exploited by malicious hackers.

Los Angeles County Department of Health Services

What Happened?

Yet another municipal government agency experienced a data breach after one of its contractors, the Nemadji Research Corp., fell victim to a phishing attempt. The Los Angeles Times reported that a malicious individual was able to gain access to a Nemadji email account that included encryption keys, allowing the hacker to access the PHI, including names, Social Security Numbers, and addresses, of nearly 14,600 patients.

Lessons Learned

Like Maryland’s Department of Labor data breach, the Los Angeles County Department of Health Services’ breach also underscores just how important robust cybersecurity strategies are for municipal governments, especially when it comes to working with third-party vendors. It also points to the need for municipal governments to perform thorough risk assessments of third-party vendors in order to identify, risk-rank, and mitigate the potential threats associated with working with them.

Northwood – Equipment Benefits Administrator

What Happened?

According to HIPAA Journal, a Michigan-based business associate, Northwood, Inc., reported that it had discovered that an employee’s email account had been compromised. After investigating the incident, Northwood was not able to determine which emails were viewed or opened by the hacker, but it did determine that patients’ PHI had been exposed, including addresses, dates of birth, provider names, dates of service, medical record numbers, patient ID numbers, diagnoses and diagnosis codes, medical device descriptions, treatment information, and health plan membership numbers.

Lessons Learned

It is no secret that phishing attempts are among the largest threats to the healthcare industry. Nearly every month, there are data breach reports highlighting new covered entities and business associates that fell victim to phishing attacks. It is paramount that all healthcare organizations, regardless of services offered or size, implement security awareness training for all employees. When employees know how to effectively identify and report suspicious emails, links, and attachments, they are less likely to fall for the increasingly advanced phishing attacks malicious hackers so often use.

Sprint

What Happened?

In mid-July, Sprint announced that the “add a line” feature on Samsung’s website was breached, putting users at risk for a plethora of security concerns. While the exact number of impacted individuals still remains unknown, the malicious hackers were able to access PII including names, billing addresses, phone numbers, device types, device IDs, monthly recurring charges, subscriber IDs, account numbers, account creation dates, upgrade eligibility, and add-on services.

Lessons Learned

According to Verizon’s 2019 DBIR, web applications are the top hacking vector in breaches. This means that securing web applications must be made a top priority by organizations, especially those, like Sprint, that handle such critical information. To combat the advancing cybersecurity threats facing web applications, organizations should consider undergoing regular penetration tests, like those offered by KirkpatrickPrice, to ensure the security of their web applications.

Capital One

What Happened?

Perhaps one of the most startling data breaches announced this month comes from Capital One, where a malicious user, identified as a Seattle-based woman, Paige Thompson, illegally accessed and downloaded the PII of 106 million Capital One users. According to a statement released by Capital One earlier this week, that data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on U.S. consumers, and roughly 1 million Social Insurance Numbers (SINs) for Canadian credit card customers. Capital One explains that it has been determined that no credit card account numbers or log-in credentials were compromised; however, the investigation is still ongoing. Thompson has since been arrested by the FBI.

Lessons Learned

This massive data breach highlights a few critical takeaways. The first two are the very real risk of insider threats, especially once employees are terminated or resign, and the dire need to implement effective incident response plans to mitigate data breaches and notify affected parties as soon as they are discovered. KrebsOnSecurity reported that Thompson was a former employee of the web hosting company involved and “allegedly used web application firewall credentials to obtain privilege escalation”. However, because Capital One has an established outlet for receiving potential data breach intel, it was able to move quickly and respond to the breach once it learned about it. In addition, this breach underscores just how vulnerable cloud environments are to malicious hackers. Many organizations that migrate their data to the cloud believe, either out of ignorance or a lack of understanding of the technology, that their cloud service provider is solely responsible for protecting their sensitive assets; it is not. Both the cloud service provider and the entity using the cloud must work together to ensure internal controls are in place and operating effectively.

Update: AMCA Data Breach

While we reported on the AMCA data breach last month, developments continue to arise as more and more organizations come forward to report how their clients have been impacted by the breach. According to ISMG Network, “At least nine more companies in the last few days have revealed that [they] have been notified by AMCA that the data on a combined total of nearly 1 million of their patients was potentially exposed by a data breach the debt collector discovered on March 21.” The organizations with the highest number of patients impacted include American Esoteric Laboratories, CBL Path, Inc., Laboratory Medicine Consultants, and Austin Pathology Associates.

Whether it’s municipal governments or a private healthcare collections agency, at KirkpatrickPrice, we know that data breaches are a matter of when, not if, no matter what industry you’re in. That’s why we’re committed to offering a variety of quality, thorough assurance services to help keep your organization protected. Want to learn more about our services and how they can help you mitigate the risk of experiencing a data breach? Contact us today.

Let’s face it: our society is becoming more reliant on cashless payment systems, from payment cards to contactless pay. With this digital focus, the security of cardholder data is top of mind to consumers. In fact, according to Pew Research Center, “41% of Americans have encountered fraudulent charges on their credit cards.” If your business cannot prove that your services are secure, why would consumers choose to do business with you when there are hundreds of others who will protect their cardholder data? Has your business been hesitant to start a PCI audit? Let’s discuss a few reasons why you should stop waiting and start a PCI audit right now.

1. You’re Required To Complete One

The first, and most obvious, reason to start a PCI audit is that you are required to. If your business is a merchant, service provider, or subservice provider that stores, transmits, or processes cardholder data, including credit, debit, or other payment card data, then you are required to adhere to the PCI DSS.

When we partner with businesses on their PCI compliance journey, though, we want their intention to be more than just a requirement. We want to partner with businesses that are committed to securing the cardholder data that they are responsible for. When clients start a PCI audit for the very first time, we often hear, “Do we really have to do this? Why do we have to go through this audit? Will we pass or fail? How can PCI compliance actually help our business?” After a few audit cycles, though, the denial and hesitancy are replaced with appreciation and preparedness. If the only reason why you want to start a PCI audit is to check compliance off on a list, we want to help you get out of the checkbox mentality and fully reap the benefits of PCI compliance.

2. Your Brand Depends on It

What are the brands that you use on a daily basis? Where do you shop, eat, or visit? What websites store your cardholder data? If one of the brands you trust had a breach that compromised cardholder data, would you continue entrusting them with yours?

Take Uber, for example. As an app that facilitates 14 million rides each day and stores 91 million users’ cardholder data, it’s crucial to their brand that they demonstrate a high level of due diligence when it comes to data security. Although Uber’s 2016 breach did not compromise cardholder data, the fact that hackers stole other types of personal information (phone numbers, email addresses, names, driver’s license numbers) took a massive toll on the ride-sharing giant’s reputation. If they can’t protect a driver’s license number, how can they protect cardholder data? Even the New York Times pointed out, “The handling of the breach underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and, perhaps more important, state and federal laws.”

Does your brand depend on cardholder data security? Could PCI compliance enhance your brand? That’s just one more reason to start a PCI audit.

3. It Opens Up More Business Opportunities

Do you have a major deal riding on the fact that you’ve agreed to start a PCI audit? We hear this often from clients, especially startups, that haven’t made PCI compliance a priority until a game-changing deal depends upon it. This is a clear reason to start a PCI audit, but the benefits go beyond that single deal.

Once you obtain PCI compliance, it can open up bigger and better business opportunities for you. It can give you a competitive advantage over competitors who haven’t pursued this compliance goal yet. It boosts your loyal customers’ confidence. PCI compliance can be incorporated into sales conversations and marketing plans. Why wait any longer to start a PCI audit?

4. It Helps Secure Cardholder Data

What people, processes, or technology have access to your cardholder data? How many transactions do you facilitate annually? What network segmentation controls do you implement? How many payment applications are in use? What assets could impact the security of your cardholder data environment? These are the types of questions you must think about when considering how you secure cardholder data. Are you doing your due diligence? Or do you need to be tested against the PCI requirements?

Demonstrating your PCI compliance instills trust with your customers, prospects, and business partners. Take the next step in cardholder data security and start a PCI audit.

Need more reasons to start a PCI audit right now? Let our Information Security Specialists convince you. Contact us today.
