Does your organization have a bring-your-own-device policy? Do your employees use external storage devices? How do you protect workstations, servers, and mobile devices that connect to your network? The perimeter of businesses today only keeps expanding – and so does the use of endpoint protection. Is endpoint protection the best way to protect your network, though?

The Rise of Endpoint Protection

With the growing number of endpoints able to connect to your network, endpoints are becoming a common, easy entry point for cyber attacks. Greater visibility, control, and security are needed to prevent attackers from compromising your network.

A trend within the industry that we see is the implementation of endpoint protection platform (EPP) solutions. Makes sense, right? If endpoints are the vulnerable access points, put something in place directly at the device level to protect them. Cisco’s definition says, “An EPP solution is known as a preventative tool that performs point-in-time protection by inspecting and scanning files once they enter into a network.” EPP solutions include antivirus, anti-malware, data encryption, personal firewalls, intrusion prevention, and data loss prevention. Most EPP approaches identify threats by matching files against known signatures, which means a signature must exist before a newly discovered threat can be caught.

The next level of endpoint protection is endpoint detection and remediation (EDR) solutions. Cisco’s definition says, “An EDR solution goes beyond simple point-in-time detection mechanisms. Instead, it continuously monitors all files and applications that enter a device.” EDR solutions go a step further than EPP by providing more visibility and analysis for threat investigation. Beyond that, EDR solutions can detect threats that signature-based detection misses, including fileless malware, ransomware, and polymorphic attacks.

Most endpoint protection solutions offered today combine EPP and EDR capabilities, but implementing endpoint protection alone doesn’t make a comprehensive information security program. Endpoint protection should be just one component of a full spectrum of security solutions and processes that stop targeted, advanced threats.

Benefits of Penetration Testing

To get the most out of your information security program and processes, consider undergoing regular, advanced penetration testing. The findings from penetration testing can help you remediate the common vulnerabilities that malware and APT groups rely on to exploit endpoints – rather than merely blocking the threats themselves, as EPP and EDR solutions do.

Threat groups are constantly evolving their tooling and malware, which endpoint protection struggles to keep up with. Once an attacker is inside your network, they can move laterally and find what they want or need. Don’t you want to do everything possible to keep them from ever getting inside? If your organization can harden the underlying vulnerabilities that are found during penetration testing, that will mitigate entire threat categories at the root, rather than having to react any time an iteration of a threat is detected.

Remediating findings from penetration tests could be substantially cheaper than relying on a third-party security layer to (hopefully) catch the latest iteration of a threat. If you use qualified, skilled penetration testers, they will find and exploit the vulnerabilities that an attacker would use, and provide remediation tactics for the vulnerabilities found. If your security budget is tight, penetration testing may be a more effective investment for you than endpoint protection.

A penetration test itself won’t fix your security problems, but when you use the findings to mitigate vulnerabilities, you are going beyond endpoint protection. We do acknowledge, though, that there is great value in endpoint protection. If you choose to utilize EPP or EDR solutions, it’s crucial to find one that integrates with your other security measures. When vulnerability, patch, and configuration management can be cohesive with endpoint protection, you’re getting a more comprehensive solution.

If you’re interested in getting the most out of your information security program and pursuing advanced penetration testing, contact us today. Our team of expert penetration testers will find and exploit your vulnerabilities in order to provide remediation guidance so your team can protect your network.


The Role of Women in Information Security

Women play critical roles in advancing science, medicine, human rights, social justice issues, and so much more, but there’s one industry where women are just getting their foot in the door: information and cybersecurity. While this growing industry has been long dominated by men, it’s quickly starting to change. In fact, according to Cybersecurity Ventures, the percentage of women in the industry is projected to grow from the long-reported 11% to 20% by the end of 2019. Although this number may seem small, the impact these women have made on securing some of the world’s most sensitive assets is tangible. In honor of Women’s History Month, we’d like to spotlight KirkpatrickPrice’s Information Security Specialists and Audit Support Professionals who work tirelessly to ensure that our clients are secure.

Meet Our Auditors – Lee and Lorna

Information Security Specialists at KirkpatrickPrice are responsible for not only performing various audit and consulting services, but they’re responsible for building lasting relationships with our clients by educating, empowering, and inspiring them to greater levels of assurance.

Although she has only been with KirkpatrickPrice for two years, Lee Sirotnak’s 35 years of experience in the information security industry has helped her excel in her current role and achieve Lead Practitioner status. Clients have referred to Lee as a “driving force” during an audit engagement, and claimed that calls with her are worth thousands of dollars based on the education they walk away with. Holding CISSP, CRISC, and CSNA certifications, Lee uses her background and education to conduct regulatory and security audits, as well as serve as a mentor to her audit team. Lee believes that women play an especially important role in the information security industry because “as in all things, women have a different perspective than men, and having a diversity of perspectives makes us a stronger team.”

Lorna Willard also recently joined the KirkpatrickPrice team as an Information Security Specialist. With more than 20 years of experience working in the information security industry, especially within the federal government and the Department of Defense, Lorna’s insight into the industry is telling. She explains that throughout her years working in IT, she’s grown used to working in a male-dominated industry and acknowledges that many opportunities have opened up for women. She feels that working in this industry satisfies her desire to learn, test herself constantly, and earn a living doing something that she really enjoys.

Meet Our Audit Support Professionals – Jodi, Selena, Jessica, Mary Beth, and Erin

Audit Support Professionals at KirkpatrickPrice play an integral role in delivering our audit services. They are responsible for serving as a client liaison, ensuring quality services before and during the audit process, and providing any necessary training for clients.

Jodi Carson is KirkpatrickPrice’s most veteran Audit Support Professional. She has a B.S. in Information Systems Security and holds the Security+ certification. Clients often comment on Jodi’s hardworking attitude and commitment to the project. Jodi especially enjoys helping clients become confident about security – something that many are reluctant to be because of the ever-changing threat landscape.

Selena Carlton has seven years of experience working in the information security industry. She enjoys the problem-solving aspect of her position and is committed to providing a quality experience for clients.

Jessica Leo was one of three women in her program who graduated with their IT degree and was advised early on about entering a male-dominated industry. Thankfully, she has not experienced any adversity throughout her experience working in the industry. Instead, Jessica remains optimistic about the opportunities for women in the industry, saying that “women should work in information security because it has excellent opportunities for growth, empowerment, and an all-around lucrative and successful career.”

Erin Gregory has a B.S. in Computer and Information Technology, and will also pursue a Master’s in Engineering Technology Management. Although she is just beginning her career in the industry, Erin most enjoys that she is constantly learning and being challenged on the job. She sees the information security industry as a lucrative industry full of opportunities for women, especially because of the flexibility that many IT jobs offer.

Mary Beth Muniz is new to the information security industry but believes that women are the future of technology. Like Lee, Mary Beth believes that women can bring a fresh perspective to the industry and individual engagements. In her own experiences, her ability to engage her nurturing side can prove to be useful during high-stress audit engagements.

What is the Future for Women in Information Security?

When asked what the future looks like for women in the industry, one thing remained constant across the board from our female professionals: the importance of education and empowerment. Whether it’s joining or partnering with technology organizations, supporting STEM groups for women and girls, such as Girls Who Code, or participating in professional development activities through KirkpatrickPrice, our female professionals know that in order for women to be successful in the industry, they need to feel empowered and have access to the right resources.

At KirkpatrickPrice, our core mission is to educate, empower, and inspire our clients to greater levels of assurance, but we’re also committed to educating, empowering, and inspiring our personnel too. This means that the women who work at KirkpatrickPrice can know they’re supported and valued. In fact, Lee explains, “I can honestly say that I’ve never been so fully supported. KirkpatrickPrice is the first company at which I experienced absolutely no difference in treatment for being a woman – I am an auditor just like all of the other auditors. I’ve not had to work harder – or less hard – because I’m a woman. In a positive way, this company is gender neutral, and the greatest strength in my opinion is that we are all supported very well.” KirkpatrickPrice is committed to delivering quality, thorough audit and advanced penetration testing services, and that would not be possible without the talented women on our team. As the roles and opportunities for women across the globe continue to grow, especially in the information security industry, we’re thankful for the female professionals who have chosen to dedicate their lives to securing the sensitive assets that fuel our businesses.

The evolution of the cloud presents new security issues every day. As more and more organizations migrate user data to the cloud, it drives both cloud service customers and providers to consider how the cloud will impact the privacy and security of data. How does your organization secure your cloud environment? Just like any type of technology or IT operation, the security of your service needs to be validated by a third party. Who should perform your cloud audit? Someone who understands cloud computing and technology, not just an average auditor.

Cloud Computing Challenges

NIST defines cloud computing as, “A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.” This definition has become an industry foundation and demonstrates why cloud computing challenges are two-fold: understanding the cloud, then understanding how you secure it. Who should perform your cloud audit? Someone who can face both of these challenges.

Understanding the cloud means you must understand each of the three elements of cloud computing: characteristics, service models, and deployment models. Each one adds a layer of complexity and shows why cloud computing is so different from traditional IT operations.


Location of data, the value of your data, data ownership, compliance obligations, disaster recovery, physical security, vendor risk, evolving technology – these challenges make securing the cloud especially difficult. There are a lot of moving parts when it comes to cloud computing and truly understanding the technology, the consumer, the responsibility, and the mission. Can your auditor handle it?

Who Should Perform Your Cloud Audit?

When choosing who should perform your cloud audit, you need to focus on finding a cloud expert. Because cloud technology is new and evolving, the industry lacks best practices that are known and understood. That’s why you want an auditing firm that does a thorough job and has auditors that understand the underlying technology. Consider the following questions when determining who should perform your cloud audit:

  • Do they understand the characteristics of cloud computing?
  • Do they understand the three service models?
  • Do they understand deployment models?
  • Can they explain the shared responsibility model to you?
  • Can they keep up with the evolution of the cloud?
  • Do they understand your compliance obligations?
  • Can they determine which information security framework fits your needs?
  • Do they specialize in information security and cybersecurity?

At KirkpatrickPrice, we hire technologists, then make them auditors – and this increases the value and quality of our cloud audits. Any auditor from KirkpatrickPrice who’s performing a cloud audit understands cloud computing and technology, and proves it through certifications like Certificate of Cloud Security Knowledge (CCSK) or Certified Cloud Security Professional (CCSP). Contact us today to begin working with a cloud expert.


Independent Audit Verifies Eon’s Internal Controls and Processes

Eon, a SaaS provider that identifies patients at risk for future disease and longitudinally tracks their care, announced today that it has completed its SOC 2 Type I audit. This attestation provides evidence that Eon has a strong commitment to delivering high-quality services to its clients by demonstrating it has the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 audit reports focus on a service organization’s non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s audit report verifies the suitability of the design of Eon’s controls to meet the standards for these criteria.

“We are relentless about keeping our clients’ data safe. In healthcare, data security is paramount, so it’s essential that rigorous security practices and controls are implemented and maintained,” said Christine Spraker, co-CEO of Eon. “Eon is pleased to demonstrate our commitment to security by achieving SOC 2 Type I certification and the assurances that such a trusted standard brings with it.”

“The SOC 2 audit is based on the Trust Services Criteria. Eon has selected the security and availability categories for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Eon delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Eon’s controls.”

About Eon

Eon is a Denver-based healthcare technology company dedicated to defying disease by revolutionizing the way healthcare data is gathered, curated, and shared among healthcare professionals. This ensures the right data reaches the right people at the right time. Eon is expanding outside of lung and moving into additional incidental disease identification and management and will become a comprehensive incidental platform to better manage patients at-risk for disease. For more information visit www.EonHealth.com or contact info@eonhealth.com and follow Eon on LinkedIn and Twitter.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 800 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance, performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Investing in regular penetration testing is oftentimes a hard pill to swallow. You’re paying someone to break into your networks, systems, or applications. You might find that your secure technology isn’t as secure as you thought. Your ever-changing, complex environment might create more vulnerabilities than expected. Plus, you might not even be sure what you need or who should perform the testing. Though undergoing penetration testing may seem daunting, there’s one thing that we know for certain: penetration testing is vital for protecting your assets. Let’s talk about some issues with penetration testing, like how movies and television have changed our perception of hacking, how scoping impacts your assessment, and how a penetration tester could hold you back from receiving a thorough assessment.

1. Hollywood Hacking Myths

The entertainment industry has given the world a very unrealistic view of how hacks happen. Whether it’s in a James Bond movie or a ransomware attack in Grey’s Anatomy, Hollywood’s depiction of hacking isn’t an accurate representation of anything you’d really see. Even if the scene uses correct terms or buzzwords, the 3D interfaces, multiple pop-ups and screens, and fast typing diminish any realistic elements.

“Hollywood hacking” has given people the idea that a malicious attack happens quickly and is easily stopped. In reality, if a person, company, or asset is being targeted, the attacker is going to try everything in their power to break in. They have time on their side, so they are going to continue to attack until they are successful. It could take weeks or months, but once they are successful, they can compromise your data and your reputation.

Because we know that malicious attackers will go above and beyond to get what they want, our penetration testers do the same. Through ethical, permission-based hacking, we try to find any vulnerability that could be exploited. We often take a more unconventional approach than you might find in other firms, all with the goal of providing the most thorough assessment possible. We think outside of the box. When we hit a wall, we try to find a way around it, through it, over it, or under it. Where others might throw in the towel, we continue to brainstorm to find a way past the barrier.

2. Proper Scoping

While it’s true that no security service can 100% guarantee that all vulnerabilities have been found, it’s crucial that a thorough, quality-based penetration test be performed. This is always dependent upon proper scoping. If you’re testing your network, how many active hosts are there? How many devices are in the network? Does your mobile application include APIs or web applications? Do those need to be tested separately? When going through the scoping process with a security firm, they’re going to ask lots of questions, but the goal is to give you the most accurate, thorough penetration test possible. After all, security audits are a financial investment; why pay for something if it isn’t comprehensive?

3. Proper Penetration Tester

Oftentimes, penetration testers become frustrated when they encounter barriers, so they give it a few tries and then move on. This is common when testing APIs, web applications, and mobile applications. Many professionals within the security field lack the knowledge and experience to assess these environments properly. They give up and run a vulnerability scan, which will find the low-hanging fruit but leave the harder-to-reach bugs active in the environment. It’s usually these types of vulnerabilities that are exploited, causing serious damage to a company’s reputation and financial stability. The organization thinks, “But I had a penetration test done! I should have been safe!” In reality, the penetration test delivered to them was merely a vulnerability scan with a few glances from so-called security experts.

Quality penetration testing needs to be performed by a skilled professional or group of professionals who can analyze the results of security testing activities and use those results to inform future activities. They also need to have the drive to dig deep. Not content with the base assessment, our penetration testers dig deep into the networks, systems, and applications, looking for those vulnerabilities that might cause you to lose sleep at night. Our goal is to excavate those issues that would otherwise lie dormant until someone seeks to exploit them.

Quality Over Quantity

When I’m asked what the difference is between penetration tests from KirkpatrickPrice and other security firms, my first answer is the focus on quality. Quality is the key aspect of providing a solid penetration test. This is becoming a rare find as more and more security firms become focused on quantity over quality.

In a day and age when security controls must be strong and effective against advanced threats, we’ve made it our mission to deliver quality penetration tests. When looking for your next penetration test, consider KirkpatrickPrice’s quality-based approach instead of the typical “scan, report, repeat” assessments.
