Undergoing a penetration test can be a lengthy process. But pen testing – especially manual penetration testing – can save your organization hundreds of hours and thousands of dollars in the long run. Automated scanners can seem more cost-effective upfront, but they often don’t cover the same depth of scope that manual security testing can.

Here are 7 reasons why your organization should consider undergoing a manual security and penetration testing process. 

Automated Vulnerability Scans vs. Manual Penetration Testing

If you’re investing in penetration testing, you need to make sure that the firm you’ve partnered with is not merely passing off vulnerability scanning as a penetration test.

While automatic vulnerability scanners are great for discovering low-hanging fruit, they should not be confused with an advanced, manual penetration test. Scanner output lets manual penetration testers gain a basic understanding of an organization’s current security footprint and frees them to target other areas of the application that require more time and attention, but are worth it. Vulnerability scanners are only capable of matching patterns and definitions, and are unable to find flaws that require human logic and comprehension. So, what are the benefits of advanced penetration testing?

Benefits of Manual Penetration Testing

Even with the dawn of machine learning programs, there are still items that require human attention to detail, to accurately determine, or to verify. This is why manual security testing is more important than ever before.

This is where the value of a manual penetration tester is so important. Advanced penetration testers can use their ingenuity, business logic, and abilities in analysis to discover the deep, nested flaws within a system. If an organization only hires a firm that uses automatic vulnerability scanners, critical items could be missed. These items that require human attention are what we believe to be the seven reasons why you need a manual penetration test.

DOM Based Cross-Site Scripting (XSS)

Cross-site scripting (XSS) occurs when arbitrary script, such as JavaScript, ActionScript, or VBScript, is injected into a parameter and returned to the browser in a subsequent response.

Typically, XSS will fall into the following categories: reflected, stored, or DOM based injection. DOM based XSS is incredibly dangerous to users of an application because when an HTML document is loaded into a web browser it becomes a “Document Object,” the root node of the page’s Document Object Model (DOM). The DOM contains many nodes, which are rendered visually to the user. If a developer allows input to alter the page, including one of the nodes within the DOM, external JavaScript, inputs, and other items can be tampered with to inject arbitrary code, resulting in an XSS attack that lives in the DOM of the rendered page rather than in the server’s response.

Such vulnerabilities can be difficult for automatic vulnerability scanners to detect. Source code can be crawled and basic assumptions can be made, but manual testing of the objects should be required to verify or discover these issues. This is why we recommend manual code reviews to help catch and prevent this kind of error.
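The manual code review recommended above usually starts by pairing attacker-controlled DOM sources (such as `location.hash`) with script-executing sinks (such as `innerHTML`). The following is an added example of a coarse review aid, not code from the original post: it scans a constructed JavaScript snippet line by line, propagates taint through simple variable assignments, and reports lines where a tainted value reaches a sink. The source and sink lists, the sample script, and the function name are assumptions; it is a textual heuristic, not a JavaScript parser, which is exactly why a human still has to confirm each hit.

```python
import re

# Constructed JavaScript sample standing in for client-side code under review.
SAMPLE_JS = """\
var q = location.hash.slice(1);
document.getElementById('out').innerHTML = q;
var name = decodeURIComponent(location.search.split('name=')[1] || '');
document.getElementById('greet').textContent = name;
eval(document.referrer);
document.write('<p>' + window.location.href + '</p>');
"""

# Attacker-controllable sources and HTML/script-executing sinks typically
# checked first in a manual DOM XSS review (assumed lists, not exhaustive).
SOURCES = ("location.hash", "location.search", "location.href",
           "document.referrer", "document.URL")
SINKS = ("innerHTML", "outerHTML", "document.write", "eval(", "insertAdjacentHTML")

# Matches "var x = ...", "let x = ...", "const x = ..." or bare "x = ...".
ASSIGN_RE = re.compile(r"^(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*(.+)$")


def find_dom_xss_candidates(js_source):
    """Return [(line_number, line)] where a tainted value flows into a sink."""
    tainted = set()      # variable names assigned from a source (directly or via taint)
    findings = []
    for lineno, line in enumerate(js_source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped:
            continue
        has_source = any(src in stripped for src in SOURCES)
        uses_tainted = any(re.search(rf"\b{re.escape(v)}\b", stripped) for v in tainted)

        # Taint propagation: an assignment whose right-hand side mentions a
        # source or an already tainted variable taints the assigned variable.
        m = ASSIGN_RE.match(stripped)
        if m and (has_source or uses_tainted):
            tainted.add(m.group(1))

        # A sink fed by a source or a tainted variable is a review candidate.
        if any(sink in stripped for sink in SINKS) and (has_source or uses_tainted):
            findings.append((lineno, stripped))
    return findings


if __name__ == "__main__":
    for lineno, text in find_dom_xss_candidates(SAMPLE_JS):
        print(f"line {lineno}: {text}")
```

On the sample, lines 2, 5 and 6 are reported while line 4 is not, because `textContent` renders the input as text rather than markup. Each hit still needs a human to trace whether the value is encoded or validated somewhere the regex cannot see.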

Blind SQL Injection

SQL injection occurs when a user of the application injects SQL commands into a query sent to the backend database. While developers have found ways to suppress errors displayed on the screen and instead log errors on the back-end, malicious hackers are still able to find ways to exploit vulnerable areas.

Because of this, automatic vulnerability scanners will often fail in discovering these vectors of attack, which is why a manual penetration test is so important. A trained human eye is required to examine the responses of the application, as many are not revealed within a returned message.

During a manual penetration test, the penetration tester will inject commands to cause the database to sleep or delay, and they will slowly watch for a delayed response in the return or visual disturbances within the response.
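Suppressing error messages does not remove the flaw described above; only keeping user input out of the SQL text does. The following is an added example, not code from the original post, that contrasts a lookup built by string concatenation with the same lookup using parameter binding against an in-memory SQLite database. The table, the sample users and the function names are constructed for the example. A boolean condition appended to the input changes the concatenated query’s answer without producing any error, which is the kind of silent difference a tester watches for, whereas the bound parameter is treated purely as data.

```python
import sqlite3


def make_db():
    """Constructed sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "constructed-hash-a"), ("bob", "constructed-hash-b")],
    )
    return conn


def user_exists_vulnerable(conn, username):
    """Concatenation: the input becomes part of the SQL text.

    Errors are swallowed, mirroring apps that hide database errors; the
    injection still works because no error is needed for it to succeed."""
    sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'"
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        return False


def user_exists_safe(conn, username):
    """Parameter binding: the input is data and cannot change the query's shape."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()[0] > 0


if __name__ == "__main__":
    conn = make_db()
    for probe in ("alice", "nobody", "nobody' OR '1'='1"):
        print(f"{probe!r:>22}: concatenated={user_exists_vulnerable(conn, probe)} "
              f"bound={user_exists_safe(conn, probe)}")
```

The concatenated version answers “true” for a username that does not exist as soon as the input carries its own condition; the bound version answers “false” for the same string because it is compared literally. That divergence with no error text is what makes the blind variant invisible to signature-only scanning.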

CSRF (Cross-Site Request Forgery) Attacks

Cross-Site Request Forgery (CSRF) attacks occur when an application fails to provide a mechanism to verify that the request being issued is known to the account user and is truly being requested by them. Most commonly, sensitive actions such as creating a user account or changing a password should be tied to a unique token, which is issued along with the web request.

This token should be usable once for that action and then rendered unusable for future requests to prevent “replay” attacks. Such attacks are difficult for automatic vulnerability scanners to detect because they either show a false positive when they believe a CSRF token is not present, or they show a false negative when tokens are present but are not functioning properly.

Considering this, manual penetration testing is needed to determine the application’s vulnerability.
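The token behaviour described above (issued per request, bound to the session and the action, valid exactly once) is what a tester checks by hand: replaying a token, presenting another session’s token, or using a token for a different action should all be refused. The following is an added example, not code from the original post, of a token store implementing those rules; the class, its method names, and the injectable clock used to test expiry are assumptions.

```python
import hmac
import secrets
import time


class CsrfTokenStore:
    """Per-session, per-action anti-CSRF tokens that are valid exactly once."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock            # injectable for deterministic expiry tests
        self._tokens = {}              # token -> (session_id, action, expires_at)

    def issue(self, session_id, action):
        """Mint a fresh random token tied to this session and this action."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (session_id, action, self._clock() + self._ttl)
        return token

    def consume(self, session_id, action, presented):
        """Validate and burn a token. Returns True only for a fresh, matching token."""
        if not isinstance(presented, str) or not presented.isascii():
            return False
        now = self._clock()
        for token, (sid, act, expires_at) in list(self._tokens.items()):
            if hmac.compare_digest(token, presented):
                # Single use: remove it whether or not the remaining checks pass,
                # so a token can never be replayed.
                del self._tokens[token]
                if now > expires_at:
                    return False
                return sid == session_id and act == action
        return False


def demo():
    """Walk through the checks a tester performs; returns the outcomes."""
    now = [1000.0]
    store = CsrfTokenStore(ttl_seconds=60, clock=lambda: now[0])

    t = store.issue("session-1", "change_password")
    first = store.consume("session-1", "change_password", t)
    replay = store.consume("session-1", "change_password", t)

    t2 = store.issue("session-1", "change_password")
    other_session = store.consume("session-2", "change_password", t2)

    t3 = store.issue("session-1", "change_password")
    other_action = store.consume("session-1", "delete_account", t3)

    t4 = store.issue("session-1", "change_password")
    now[0] += 61
    expired = store.consume("session-1", "change_password", t4)

    return {"first": first, "replay": replay, "other_session": other_session,
            "other_action": other_action, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Only the first presentation succeeds; every other case returns False. A scanner that merely checks for the presence of a token field would pass an application whose store skipped any one of these checks.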

Logic Flaws

Logic flaws are among the toughest issues to find within an application as they require more in-depth inspection and are not blatantly obvious in their presence. Logic flaws creep up in the development of an application, especially within some of the more complex components such as session handling.

Let’s say a developer has created a shopping cart functionality for a web application. In calculating the price, the cart functionality takes the quantity and price of the item, displays the price, and allows the user to proceed. A logic flaw may exist if a person inputs a negative value for the quantity.

So, if an item costs $399, when calculated with a negative quantity of -1, the item would then become -$399. When the payment goes through, the purchase is rendered free, or $399 might even be refunded to the user.
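The shopping cart scenario above, as an added example that is not code from the original post: a naive total that trusts the client-supplied quantity alongside a validated version that rejects non-positive or absurd quantities and always prices items from the server-side catalog. The catalog, its prices, and the quantity cap are constructed for the example.

```python
from decimal import Decimal

# Constructed server-side catalog; the client never supplies a price.
CATALOG = {"laptop": Decimal("399.00"), "cable": Decimal("12.50")}
MAX_QUANTITY = 100  # assumed business limit per line item


class CartError(ValueError):
    """Raised when a cart line fails validation."""


def cart_total_naive(items):
    """Trusts the quantity as sent by the client, so -1 yields a negative total."""
    return sum(CATALOG[sku] * qty for sku, qty in items)


def cart_total_validated(items):
    """Recompute the total from server-side prices and validated quantities."""
    total = Decimal("0.00")
    for sku, qty in items:
        if sku not in CATALOG:
            raise CartError(f"unknown sku {sku!r}")
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int):
            raise CartError(f"quantity for {sku!r} must be an integer")
        if qty < 1 or qty > MAX_QUANTITY:
            raise CartError(f"quantity {qty} for {sku!r} out of range 1..{MAX_QUANTITY}")
        total += CATALOG[sku] * qty
    if total < 0:  # defence in depth: cannot happen after the checks above
        raise CartError("negative total")
    return total


if __name__ == "__main__":
    print("naive, quantity -1:", cart_total_naive([("laptop", -1)]))
    print("validated, 2 laptops + 1 cable:", cart_total_validated([("laptop", 2), ("cable", 1)]))
    try:
        cart_total_validated([("laptop", -1)])
    except CartError as exc:
        print("validated, quantity -1 rejected:", exc)
```

No scanner signature describes “quantity may be negative”; the flaw only appears when someone reasons about what the checkout is supposed to mean and then tries an input outside that meaning.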

Template Injections

Template injections are becoming more common with some of the newer frameworks, and the resulting critical findings can allow remote access into the backend system.

This access, also known as “Server-Side Template Injection,” allows certain inputs to interact with the backend system because templates are used to generate custom pages dynamically. For example, when a user inputs their email or username, if proper protections are not in place, server-side code can be injected instead. Template injections can sometimes be detected by automatic vulnerability scanners, but often protections are in place that can fool most automatic vulnerability scanners into missing the findings.

During advanced penetration testing, the penetration tester can play with the input and escape blacklists, resulting in successful exploitation.
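The root cause described above is user input being used as the template rather than as data fed into a fixed template. The following is an added example, not code from the original post, using Python’s built-in `str.format` as a stand-in for a template engine: when the user’s text is concatenated into the template, the format syntax in it is interpreted on the server and can read attributes of whatever object the template is rendered with; when the same text is passed as a value, the braces are just characters. The config object, its attribute, and the function names are constructed for the example.

```python
class ServerConfig:
    """Constructed stand-in for server-side state a template is rendered against."""
    db_password = "constructed-placeholder-secret"


CONFIG = ServerConfig()


def render_vulnerable(user_supplied_text):
    """The user's text becomes part of the TEMPLATE, so format-string syntax
    inside it is evaluated by the server against CONFIG."""
    template = "Hello, " + user_supplied_text + "!"
    return template.format(cfg=CONFIG)


def render_safe(user_supplied_text):
    """The template is fixed; the user's text is passed as DATA and rendered literally."""
    return "Hello, {name}!".format(name=user_supplied_text)


def probe(renderer, text):
    """Return the rendered output, or the exception type name when rendering fails.

    Scanners often key on the error; a flawed renderer that never errors on a
    given input still has to be judged by reading what it returned."""
    try:
        return renderer(text)
    except (KeyError, IndexError, ValueError, AttributeError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for text in ("alice", "{cfg.db_password}", "{"):
        print(f"{text!r:>20}: vulnerable={probe(render_vulnerable, text)!r} "
              f"safe={probe(render_safe, text)!r}")
```

The safe renderer returns the braces untouched for every input; the vulnerable one returns the configuration value for the attribute reference and an error for an unbalanced brace. The fix is structural (never build a template from input), not a blacklist of characters, which is why blacklist escapes keep working against the vulnerable pattern.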

Broken Access Control

Access control and session handling are two of the hardest areas to secure within web applications. If done incorrectly, critical security issues can arise from poor coding implementation.

This is another blind spot for automatic vulnerability scanners. It is difficult to determine, based on a signature, whether an application is vulnerable. During a manual penetration test, a penetration tester will have to incorporate a lot of repetitive work, including in-depth examinations of the components at work.
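The repetitive work mentioned above is largely enumeration: every user role against every resource, compared with what the policy says should happen. The following is an added example, not code from the original post, of an invoice lookup that only checks authentication beside one that also checks ownership, plus a helper that builds the user-by-resource authorization matrix and reports every grant the intended policy does not allow. The records, roles and expected policy are constructed for the example.

```python
# Constructed data: two customer invoices, two customers and one admin.
INVOICES = {101: {"owner": "alice", "amount": 50}, 102: {"owner": "bob", "amount": 75}}
ROLES = {"alice": "customer", "bob": "customer", "carol": "admin"}


class Forbidden(Exception):
    """Raised when the caller may not access the resource."""


def get_invoice_unchecked(user, invoice_id):
    """Verifies only that the caller is logged in; any user can read any invoice."""
    if user not in ROLES:
        raise Forbidden("not authenticated")
    return INVOICES[invoice_id]


def get_invoice_checked(user, invoice_id):
    """Object-level check: customers see their own invoices, admins see all."""
    if user not in ROLES:
        raise Forbidden("not authenticated")
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise KeyError(invoice_id)
    if ROLES[user] != "admin" and invoice["owner"] != user:
        raise Forbidden(f"{user} may not read invoice {invoice_id}")
    return invoice


def authorization_matrix(handler, users, resource_ids):
    """Exercise every (user, resource) pair; True means access was granted."""
    matrix = {}
    for user in users:
        for rid in resource_ids:
            try:
                handler(user, rid)
                matrix[(user, rid)] = True
            except Forbidden:
                matrix[(user, rid)] = False
    return matrix


# Intended policy, written down independently of the code under test.
EXPECTED = {
    ("alice", 101): True, ("alice", 102): False,
    ("bob", 101): False, ("bob", 102): True,
    ("carol", 101): True, ("carol", 102): True,
}


def policy_violations(handler):
    """Return the (user, resource) pairs the handler grants but the policy forbids."""
    observed = authorization_matrix(handler, ["alice", "bob", "carol"], [101, 102])
    return sorted(pair for pair, allowed in EXPECTED.items()
                  if observed[pair] and not allowed)


if __name__ == "__main__":
    print("unchecked handler violations:", policy_violations(get_invoice_unchecked))
    print("checked handler violations:  ", policy_violations(get_invoice_checked))
```

Both handlers return identical responses for the legitimate owner, so nothing in a single response distinguishes them; only the cross-user comparison against the written policy exposes the unchecked one.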

Miscellaneous Injection Attacks

Some of the newer frameworks today include their own custom scripting languages or incorporate other forms of coding to help extend functionality. While some automatic vulnerability scanners can detect common injections, such as JavaScript, XML, and ActionScript, they can’t include all varieties of languages. Having a manual penetration test would be of great value, because a manual penetration tester can see custom language being used and will then be able to try to manipulate the outcome.

Automatic vulnerability scanners have their purpose within the security field. The problem with security scanners becomes apparent when they are solely relied upon to provide a security assessment. 

If you’re investing in your organization’s security by undergoing penetration testing, make sure that you’re actually receiving a penetration test. Don’t let firms misguide you into thinking that an automatic vulnerability scanner can detect all of your system’s vulnerabilities. If the firm you’ve hired doesn’t use manual methods from an expert during the penetration test, you’re not receiving a quality penetration test. Contact us today to learn more about our quality, advanced penetration testing services.


As organizations plan their information security and cybersecurity efforts for 2019, we often hear a lot of confusion and frustration about things like frameworks modifying their requirements, the cost of audits and assessments rising, scopes getting bigger, and testing seeming to get more difficult.

The threats will do nothing but persist in 2019. You need to do more to protect your organization. When prices or scope or frequency increases, here’s what we’re going to ask you: don’t you want more in 2019 than you got in 2018?

Root Causes of Data Breaches and Security Incidents

Some things stay the same. The root causes of data breaches and security incidents center around three areas: malicious attackers, human error, and flaws in technology. Let’s dive into how these areas impact your organization’s information security and cybersecurity efforts.

  • Organized criminal groups aren’t stopping; they’re only getting more sophisticated. They’re using tried and true techniques that continue to work on victims. There’s obviously financial motivation, but a malicious attacker could also be motivated by a political agenda, social cause, convenience, or just for fun.  
  • Employees will continue to be your weakest link. Verizon’s 2018 Data Breach Investigations Report states that one in five breaches occurs because of human error.
  • As if human error wasn’t bad enough, malicious insiders are even worse. 28% of cyberattacks in 2018 involved insiders.
  • Technology is a blessing and curse. Systems glitch and cause major data breaches and security incidents.
  • It’s almost impossible to run a business without involving third parties. Inevitably, third parties cause data breaches and security incidents, and your organization must deal with the consequences.  
  • Timing is everything when it comes to data breaches and security incidents, and hackers are usually quicker than your team. Ponemon’s 2018 Cost of a Data Breach Study reports that the average time to identify a data breach was 197 days in 2018. To actually contain the breach? 69 days.

These root causes, all connected to malicious attackers, human error, and flaws in technology, impact your organization’s information security and cybersecurity efforts in a significant way. Did you experience a negative impact from these areas in 2018? How are you going to mitigate the risks in these areas for 2019?

Cost of a Data Breach

There’s no denying that information security and cybersecurity efforts require a financial investment, but so do data breaches and security incidents. According to Ponemon, the average total cost of a data breach was $3.86 million in 2018 – a 6.4% increase from 2017. You can bet that in 2019, that number will grow again.

Organizations are usually surprised that the following elements drive up the cost of a data breach:

  • Loss of customers
  • Size of the breach
  • Time it takes to identify and contain a data breach
  • Effective incident response team
  • Legal fees and fines
  • Public relation fees
  • Information security and cybersecurity program updates

Take the City of Atlanta, for instance. When the SamSam ransomware attack hit in March of 2018, it was initially estimated to cost $2.6 million in emergency response efforts. Incident response consulting, digital forensics, crisis communication, Microsoft expertise, remediation planning, new equipment, and the actual ransom cost added up quickly. It’s now speculated that this ransomware attack cost $17 million.

As the cost of a data breach rises, so does the cost of information security auditing and testing. The threats are pervasive – how can you make a smart investment to avoid the cost of a data breach?

Your Plan for 2019

Now that you’ve learned about the persistent root causes of data breaches and security incidents, plus the cost of a data breach, what are you going to do about it in 2019? How are you going to modify your information security and cybersecurity efforts? Here are a few areas to consider as we head into a new year:

  • When was the last time you performed a formal risk assessment? Risk assessments can provide you with what we call the three C’s: confidence, clear direction, and cost savings.
  • If your weakest link is employees, how will you hold them accountable to their security awareness training?
  • Ponemon reports that when an organization has an incident response team, they save $14 per compromised record. Has your incident response plan been tested recently?
  • What security automation tools would be a valuable investment for your organization? According to Ponemon, security automation is a way to decrease the cost of a data breach because you’re able to identify and contain the attack faster.
  • Ask your auditing firm to educate you on what new cybersecurity testing exists and which relevant requirements will be changing in 2019.

No defense is 100% effective. There are no guarantees that a data breach or security incident won’t occur. Organizations must be vigilant in doing what they can to prepare, detect, contain, and recover from persistent and sophisticated threats. Auditing firms must also commit to providing quality, thorough services that will empower organizations to meet their challenging compliance objectives. At KirkpatrickPrice, that’s our mission and our responsibility. Contact us today to discuss how we can prepare your organization for the threats of 2019.


Information security audits strengthen business operations, yet many organizations are fearful of the process. We understand organizations’ hesitance to spend the time, money, and resources on information security – but the threats are only going to get more pervasive and more sophisticated. When a company chooses to invest in information security, it’s evidence of their commitment to providing assurance to clients, prospects, regulators, and business partners. But before they choose to make that investment, they weigh their options and ask whether the audit will be worth it.

Health Catalyst, a next-generation data, analytics, and decision support company committed to being a catalyst for massive sustained improvements in healthcare outcomes, sat down with us to answer one question: was the audit worth it?

Getting Rid of the Checkbox Mentality

We see many organizations get stuck in the checkbox mentality, where they view auditing as an item to be checked off on a list, rather than something that can strengthen their business. Health Catalyst believes in the value and purpose of information security auditing. Kevin Scharnhorst, Chief Information Security Officer and Vice President of Cloud Operations, says, “The value of auditing is highly dependent upon the perspective of the person going into it. If they go into it with the attitude of just checking an item off of a list so that they can just say that they’ve done it, that’s the wrong attitude. I think everybody has room to improve, and if you go in with a humble attitude, realizing that your processes aren’t perfect and you’re bringing in outside expertise to see those opportunities that you can improve, that makes it well worth it.” Every business – no matter the size, no matter the industry – can benefit from a third party’s perspective. Is the audit worth it? Is the validation worth it? Yes, the investment will be worth it, and much more than an item to be checked off on a list.

The Audit Lifecycle

We like to view the auditing lifecycle in three phases. Organizations most likely begin the auditing process for a specific reason, so during the first year, organizations are almost in denial about having to go through an audit. Most ask questions like, “Do we have to do this? Why do we have to go through this audit? Is the audit worth it – all this hassle? How can compliance help our business?” If an organization never graduates from this mindset, they will get stuck in the checkbox mentality, rather than reaping the benefits of assurance.

In the second year of auditing, hopefully the perspective has changed. With some experience from the first-time audit, the second year seems less daunting. Was the audit worth it last year? Yes. The audit team now knows the process, knows what needs to be done, and is set on getting it done.

By the third year of the audit process, we hope organizations are able to recognize how important assurance is for their business. In this phase, organizations move away from the checkbox mentality and accept the worth of assurance.

Scharnhorst comments, “A lot of it has to do with getting used to the process of going through an audit. You definitely learn that in year one, and come out of it knowing the remediation items that you have, and learn how to effectively manage a security program. It’s just keeping eyes on the things that you’re told that you’re not done with after year one. Rather, in year two, you want to make sure that any of those exceptions are remediated and that you’re growing and strengthening yourself throughout year two and three, etc. At Health Catalyst, our plan is to do ongoing SOC audits. That gives us subsequent opportunity to just improve each year off of the prior year’s audit.”

Was the Audit Worth It?

In our discussion with Health Catalyst, it all came down to one question: Was the audit worth it? “Absolutely.” Health Catalyst leverages the value of their assurance. Scharnhorst says, “I’ve worked with many other firms, but I especially like working with my auditor at KirkpatrickPrice because he’s been a CISO before and over IT operations. He’s just a well-rounded individual and has a strong background, which helps me see not only where I can improve, but gives me challenges on how to do that. That’s where I see the value of working with somebody and having continuity, because the auditor will come in the next year and will see if I followed their advice. If I did, the auditor will go deeper into an area that I can improve. That’s the value and why it’s worth it. I’m using that expert advice to get better year after year and get stronger doing it.” Health Catalyst threw away the checkbox mentality a long time ago – they are making an investment in information security so that they can strengthen their organization year after year.

If your organization is reluctant to begin an audit for the first time, Scharnhorst has advice for you, too. “I would encourage them to consider that they need to have an outsider’s opinion to remove bias and blind spots that an organization could otherwise be uninformed on. Use reference calls to find the provider that is going to be the most compatible with your culture and that meets your checklist or compliance objectives. Don’t look for just a provider, but a partner. It could turn into an ongoing relationship if you go into it with the right mindset.”

More About Health Catalyst

Health Catalyst is a next-generation data, analytics, and decision support company committed to being a catalyst for massive, sustained improvements in healthcare outcomes. They are the leaders in a new era of advanced predictive analytics for population health and value-based care with a suite of machine learning-driven solutions, decades of outcomes-improvement expertise, and an unparalleled ability to integrate data from across the healthcare ecosystem. The Health Catalyst Data Operating System (DOS™), a next-generation data warehouse and application development platform—powered by data from more than 100 million patients, encompassing over 1 trillion facts— helps improve quality, add efficiency and lower costs for organizations ranging from the largest US health system to forward-thinking physician practices. Their technology and professional services can help keep patients engaged and healthy in their homes, communities, and workplaces, and can help optimize care delivery to those patients when it becomes necessary. They are recognized by Fortune, Gallup, Glassdoor, Modern Healthcare and a host of others as a Best Place to Work in technology and healthcare.


When an organization pursues an audit for the first time, we strongly recommend starting with a gap analysis. Why? The truth is: we don’t want you to fail the audit. We want to help you prepare for the audit so that you can meet your challenging compliance goals, and we want to educate you on what you’re getting into when you pursue an information security audit. A gap analysis at KirkpatrickPrice means working with an Audit Support Professional and an Information Security Specialist to identify any operational, reporting, and compliance gaps in your organization and advise you on strategies for remediation. Gap analyses ask and answer, “How are we doing compared to what regulations require?”

Instead of jumping into an audit without knowing what your organization should expect, a gap analysis can prepare your organization to remediate any identified gaps. Let’s take a look at Paubox, a HIPAA compliant email solution platform, to see what benefits they found from a HITRUST CSF™ gap analysis.

Lessons Learned from Gap Analysis

Many organizations do consider undergoing a gap analysis before an audit but are unsure it’s worth the cost or effort. Well, there’s a reason that our clients tell us that a gap analysis was the best decision they made. We always recommend a gap analysis to first-timers because you will have actionable items to remediate as a result of the gap analysis. You won’t be playing a guessing game of what might be tested in an audit or be unsure of what the audit process will entail.

Paubox recently underwent a three-day onsite gap analysis in pursuit of HITRUST™ compliance. According to Hoala Greevy, the founder and CEO of Paubox, they came away each day with several takeaways.

Day One

  • There are approximately 320 control statements to be addressed in the assessment.
  • Document everything.
  • Paubox was introduced to the CIS 20 Critical Controls.
  • How do Paubox’s vendors demonstrate HIPAA compliance?
  • What is the definition of “scope” for a HITRUST assessment? Anything that affects the security of the system is in-scope.
  • What is in-scope for Paubox’s assessment?
  • You must know where the data lives, where it’s stored, where it’s processed, and which systems transmit it.
  • What kinds of risk assessments have been done so far? Have they been scored?
  • “Formal” is another way of saying “documented.”
  • What change management processes are in place? How are changes managed?

Day Two

  • A passing score of 3+ in every domain is needed to pass HITRUST, or 3 with Corrective Action Plans (CAPs).
  • Corrective Action Plans must show progress at the one-year mark or be resolved.
  • Google only recently attained HITRUST certification.
  • Web Application Firewalls are a necessary component of HITRUST.
  • According to HITRUST, “The organization does not send PII/PHI over facsimile (FAX), unless it cannot be sent over other, more secure, channels e.g., delivery by hand, secure email.”

Day Three

  • HITRUST has a unique definition of the “contractor” and it’s important to know their meaning.
  • Two-factor authentication for all critical services is vitally important.
  • A customer identification process for incoming phone calls and emails must be formally documented.
  • User access controls must be well-defined.
  • A documented hierarchy of PHI access levels must be established.

Paubox’s Compliance Journey

Paubox has already passed two independent HIPAA compliance certifications, but HITRUST compliance will help take their security efforts to the next level. Paubox is part of HITRUST’s new program specifically created for start-ups – the RightStart Program™. Compliance efforts require a time, personnel, and financial investment that can strain start-ups, and HITRUST recognized this as a need it could fill for start-ups pursuing HITRUST compliance.

“The RightStart Program gives us the ability to adopt a security framework that will scale with our organization and provide brand name peace of mind to our customers, partners and investors,” said Greevy. “HITRUST provides us with the tools for secure, compliant growth needed to increase our bottom line. Our customer focus demands we have security, compliance, and risk management in place by design and not as an afterthought.”

Paubox has positioned itself as the only secure HIPAA compliant email solution with zero-step encryption on all sent emails. As a start-up whose business relies on information security certifications and compliance, gaining HITRUST compliance will be a game changer for Paubox. Even with HIPAA compliance certifications, they still made the decision to undergo a HITRUST gap analysis. This, as well as taking part in HITRUST RightStart program, is evidence of their commitment to providing a secure service.

To learn more about Paubox and their HITRUST journey, keep reading:

Paubox Gets on RightStart With New HITRUST Program

HITRUST CSF Gap Analysis for a Silicon Valley Startup

HITRUST CSF Gap Analysis (Day 2) for a Silicon Valley Startup

HITRUST CSF Gap Analysis (Day 3) for a Silicon Valley Startup

Is your organization considering a gap analysis but unsure if it’s worth it? Contact us today to discuss your compliance objectives and how we can help.


What would it cost you if your printing business compromised client data because of a printing error? How would your organization be impacted if your printers were hacked? As service organizations and third-party vendors, organizations in the printing industry cater to a variety of organizations such as financial, government, or healthcare and are likely to interact with personally identifiable information (PII) on a regular basis. Because of this, it’s critical that printing organizations ensure that they are secure vendors, and they can do this by undergoing information security audits.

Common Frameworks for the Printing Industry

While there need to be policies and procedures in place to govern product development, printing companies also need to undergo regular information security audits to find and mitigate vulnerabilities in their processes, assure their clients that they are secure, and get assurance from a third-party auditing firm that they are doing everything they’re supposed to be doing to protect PII. So, what types of information security audits would a printing organization need?

  • SOC 1: Do you print financial information such as billing statements or invoices? If so, a SOC 1 audit would be necessary for your organization.
  • SOC 2: How do you secure the information you’re printing? What internal controls do you have to protect the privacy of the information you’ve been given to print? Even if you aren’t printing PII, a third-party may still ask you to undergo a SOC 2 audit to verify that the internal controls you have in place won’t impact their security.
  • SOC for Cybersecurity: What risk management processes are in place at your organization? While a third-party might not ask you to pursue SOC for Cybersecurity compliance, your board of directors or management might want to conduct an internal assessment of your cybersecurity risk management program.
  • PCI: Does your organization print credit card numbers, statements, or collection notices? If so, how does your organization limit access to payment card information? What policies and procedures do you have in place to prevent employees from stealing that information? Undergoing a PCI DSS assessment allows printing businesses to validate their policies and procedures regarding the protection of PII and assure their clients that the payment card information they are printing is secured.
  • NIST Risk Management: Are you partnering with federal organizations? Have you been asked to use the NIST 800-53 framework to assess your security controls? While using the NIST framework is a great way to validate your security controls, because most printing companies are non-federal organizations, using the NIST 800-171 framework would be a more appropriate choice.
  • HIPAA & HITRUST: Do you print healthcare billing statements or lists of benefits? As a business associate, printing companies must ensure that they comply with the HIPAA Security and Breach Notification Rules.

Benefits of Information Security Audits for the Printing Industry

Engaging in regular information security audits helps any organization demonstrate that they are committed to improving and maintaining their security posture. For the printing industry, though, it goes a step further and gives organizations a competitive advantage. For example, if a printing company is looking to partner with a publicly traded company, chances are they’ll be asked to provide a SOC report, because the company wants to ensure that the organization has mature systems and will be able to protect the information they are going to print. If the printing business does not have a SOC audit performed, the publicly traded company’s audit firm will advise that they do not partner with the printing company because of the liability of engaging with a business that can’t demonstrate the effectiveness of its internal controls. In short, undergoing information security audits gives printing organizations the competitive advantage of being the most secure company in their industry.

Regardless of the type of information printing companies print, securing the people, processes, and technologies used must be a top priority. Every device connected to the Internet is a gateway for a possible cyber attack. This means that even the printing industry is susceptible to the increasing cyber threats and must perform their due diligence to ensure that the vulnerabilities in their systems are identified and mitigated. Don’t put your or your business partners’ reputation, finances, or operations at risk. Contact us today to learn how KirkpatrickPrice can help you protect your business and assure your business partners that you’re performing your due diligence.
