How to Secure Your Business Through Penetration Testing

Being prepared for cyber attacks, and able to fix the weaknesses in your systems, helps an organization avoid the consequences of a data breach. Breaches are costly because of legal fees, IT remediation, and customer protection programs, and customer loyalty can be lost as well. Organizations that find and fix vulnerabilities before an attacker does are far more likely to avoid those consequences, and regular penetration testing is one of the most direct ways to do that. But what steps does your organization need to take to get the most out of penetration testing? We suggest following four steps.

Before you begin undergoing regular penetration testing, determine what type of penetration test your business needs. A penetration test is an authorized, simulated attack: testers attempt to gain access to resources in an organization's network or applications the way a real attacker would. In an external black-box test they start without usernames, passwords, or other standard means of access; other engagements deliberately start with credentials, to model an insider or a compromised account. Penetration testing is a form of permission-based ethical hacking intended to expose vulnerabilities before an attacker finds them. KirkpatrickPrice offers both standard and advanced service level penetration testing services, including internal and external network, web application, web service/API, wireless, and social engineering.

Once you know which type of penetration test you need, you need to determine who will perform your penetration test. Because of the complexity and maturity of today’s threat landscape, you need to choose a qualified, thorough penetration tester who delivers quality services. This will help you build a strong security testing methodology, help you meet your compliance objectives, and protect your organization from malicious attacks. So, how can you tell whether you’re making the right choice? Start by asking candidates or potential firms the following questions:

  • Does the firm outsource penetration testing services?
  • Does the firm have qualified, professional penetration testers?
  • Does the firm know the difference between a vulnerability scan and a penetration test, and promise to deliver a penetration test?
  • Does the firm use both automated and manual testing methods?
  • Does the firm have a history of finding security vulnerabilities that previous internal or external penetration testers have not found?
  • Does the firm have a commitment to educating you on the implications of your security vulnerabilities?
  • Does the firm provide post-exploitation direction?
  • Does the firm intend to help you determine how the testing results can impact information security audits?


What are the Trust Services Criteria?

Once your organization has decided that you are ready to pursue a SOC 2 attestation, the first thing you have to decide is which of the five Trust Services Criteria (TSC) categories you want to include in your SOC 2 audit report. Becoming familiar with the categories of security, availability, confidentiality, processing integrity, and privacy should be one of the first steps in your scoping process. On a basic level, you can think about the Trust Services Criteria in terms of these concepts:

  • Security – Is the system protected, both physically and logically, against unauthorized access?
  • Availability – Is the system available for operation and use as agreed upon?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed upon?
  • Processing Integrity – Is system processing complete, valid, accurate, timely, and authorized?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the service organization’s privacy notice and business objectives?

Which Trust Services Criteria Apply to My Organization?

Security is the category that applies to all engagements and is what the remaining Trust Services Criteria are based on. In a non-privacy SOC 2 engagement, the security category must be included. The security category consists of the complete set of the common criteria, which integrate with the 2013 COSO Internal Control — Integrated Framework. The common criteria are categorized based on the following:

  • Control environment
  • Communication and information
  • Risk assessment
  • Monitoring activities
  • Control activities
  • Logical and physical access controls
  • System operations
  • Change management
  • Risk mitigation

It’s important to note, though, that your organization isn’t required to address all five of the Trust Services Criteria categories in your SOC 2 report; you should select the categories that are relevant to the services you provide to your clients. So, aside from security, which apply to your organization: availability, processing integrity, confidentiality, and/or privacy?

On July 4, 2018, Timehop, a self-proclaimed “daily nostalgia product,” discovered a data breach in which up to 21 million users were impacted. Timehop is a memory-sharing app, enabling users to resurface posts from the past; Timehop connects to users’ social networks and photo storage apps – Twitter, Instagram, Facebook, Dropbox, Google Photos, iCloud, etc. For them, this breach was a nightmare because of the nature of their services. When users saw the headlines about Timehop’s breach, I’m guessing the first thing that went through their minds was, “Are my social media accounts compromised?” This assumption, which led to user frenzy, was Timehop’s first obstacle. The company had to overcome this false narrative by being incredibly clear about what kind of data was breached.

Timehop’s MFA Policy: What Happened?

From the security incident and technical reports published by Timehop, we actually know a lot of details about this breach and the incident response plan. Timehop came straight out and admitted that the breach was due to a lack of appropriate MFA on access credentials, which resulted in network intrusion. Obviously many details of the incident couldn’t be released for security reasons, but Timehop did provide the public with a timeline of the event.

  • December 19-21, 2017: An unauthorized user used a legitimate employee’s credentials to access Timehop’s cloud computing environment and perform cyber reconnaissance.
  • April 4, 2018: The legitimate employee migrated user data into the database, generating the data that would become the target of the attack. Until this date, no PII was accessible to the attackers.
  • June 22, 2018: The unauthorized user discovered the user data, including PII.
  • July 4, 2018: The unauthorized user logged in and the attack occurred. Timehop’s internal alerting tools reported that the service was down, and Timehop engineers worked to restart services.
  • July 5, 2018: Timehop engineers began their investigation and declared that an incident had occurred when they recognized suspicious patterns. They immediately collected evidence, implemented MFA policies, secured the cloud computing environment, and then contacted law enforcement, Timehop’s Board of Directors, and the incident response team.
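The December 2017 reconnaissance login went unnoticed for more than six months because a valid credential without MFA looks, to the platform, like a normal login. The detection below is an added example and is not from Timehop's reports; Timehop never named its cloud provider, so the record layout is an assumption modelled on the shape of AWS CloudTrail ConsoleLogin events, and all four log records and the IP baseline are constructed for this example.

```python
"""Flag successful cloud console logins made without MFA or from an
unfamiliar address.

Added example, not from Timehop's reports. The record shape (eventName,
userIdentity, sourceIPAddress, responseElements, additionalEventData.MFAUsed)
is an assumption modelled on AWS CloudTrail ConsoleLogin events; the four
records and the IP baseline below are constructed.
"""
import json

# Constructed sample records, one JSON document per line.
SAMPLE_LOG = "\n".join(json.dumps(ev) for ev in [
    {"eventTime": "2017-12-19T03:12:44Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-12-19T09:30:02Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2017-12-20T11:05:19Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-12-21T22:41:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
])

# Constructed baseline of the addresses each user normally logs in from.
KNOWN_IPS = {"alice": {"192.0.2.44"}, "bob": {"198.51.100.7"}}


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_risky_logins(events, known_ips=KNOWN_IPS):
    """One finding per successful console login that used no MFA or came
    from an address outside the user's baseline. Failed logins are skipped
    here; brute-force detection belongs in a separate rule."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        user = ev.get("userIdentity", {}).get("userName", "<unknown>")
        mfa_used = ev.get("additionalEventData", {}).get("MFAUsed", "No")
        source = ev.get("sourceIPAddress")
        reasons = []
        if mfa_used != "Yes":
            reasons.append("no MFA")
        if source not in known_ips.get(user, set()):
            reasons.append("unfamiliar source IP")
        if reasons:
            findings.append({"time": ev.get("eventTime"), "user": user,
                             "source": source, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_risky_logins(parse_events(SAMPLE_LOG)):
        print(f"{f['time']} {f['user']} from {f['source']}: {', '.join(f['reasons'])}")
```

Run against the constructed log, the rule flags alice's first login (no MFA, unknown address) and bob's second login (no MFA), and ignores carol's failed attempt. In practice the "no MFA" condition should never fire once MFA is enforced at the identity provider, which is exactly why it makes a good tripwire: any hit means either the policy has a gap or someone is using a path that bypasses it.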

Fortunately for Timehop, the connection to users’ social networks was not compromised. They reported, “No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected. To reiterate: none of your ‘memories’ – the social media posts & photos that Timehop stores – were accessed.” The PII breached was fairly typical of most breaches these days – email address, dates of birth, name, gender, etc.

Lessons Learned from Timehop

Because of Timehop’s connection to users’ social networks, the company had to be very clear about what types of information were breached. In their security incident report, Timehop goes above and beyond the norm in order to be as transparent as possible. They state, “We commit to transparency about this incident, and this document is part of our providing all our users and partners with the information they need to understand what happened, what we did, how we did it, and how we are working to ensure it never happens again.” We believe that because GDPR was in effect at the time of this breach, it greatly impacted the level of detail they provided to users.

Timehop had an exemplary incident response approach. Within 2 hours of discovering the network intrusion, Timehop engineers responded to the event. From our standpoint, their incident response plan seemed to work as intended. Their plan included providing the public with access to the following:

  • Easy-to-understand information about the incident
  • A full timeline of the attack
  • Detailed information about the types of PII that were breached, including a distinction between breached data and breached GDPR data
  • A glossary of terms used in the reports
  • Answers to frequently asked questions
  • A technical report for those interested in technical details of the incident
  • Next steps for users to take

During the weeks after the incident, you couldn’t go to Timehop’s website without learning about the breach. Their social media announced the incident, plus the company dedicated a permanent landing page to host the information listed above. Timehop’s incident response approach has been extremely transparent and accessible, one of the most thorough that we’ve seen.

If your organization was breached, what would the headlines say about your incident response plan? Does your plan provide users or clients with accessible information about their data? Would you go above and beyond to be honest about the incident?


Major credit card companies, including Visa, MasterCard, American Express, Discover, and JCB, acted against the increased number of data security breaches by coming together to create the PCI Security Standards Council. This Council developed a security standard for merchants that process credit card data, known as the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS encourages and enhances cardholder data security by providing globally-recognized data security measures. Merchants, service providers, and subservice providers that store, transmit, or process cardholder data, including credit, debit, or other payment cards, are required to adhere to the PCI DSS. The PCI DSS audit is designed to test whether your organization is compliant with the 12 technical and operational requirements established to protect cardholder data.

What Do You Need to Know Before Your PCI Audit?

When it comes to preparing for your PCI audit and securing your cardholder data environment (CDE), it’s important to understand where all of your sensitive assets lie. Taking an inventory of every location where cardholder data is stored, and searching all systems thoroughly to identify and track cardholder data, is a critical PCI audit preparation step.

The scope of your CDE determines the extent to which all PCI DSS controls must be in place, and common PCI compliance problems are the result of scoping errors. Any personnel, processes, or technologies that store, process, or transmit cardholder data are part of your CDE and therefore in scope for your PCI audit. Scope does not stop at the CDE, though: systems that never touch cardholder data are also in scope if they are connected to the CDE or can affect its security. These include:

  • Any device that provides security or authentication services to the CDE, such as a firewall, router, or patch server
  • Any asset that has a network connection to the CDE
  • Any routing or firewall rule that allows traffic into the CDE
  • Any asset that can impact CDE security in any way

To reduce the scope of your PCI audit and assessment, you can use logical and physical controls to segment the network. Segmentation is the implementation of additional security controls to separate systems with different security needs. These controls commonly include firewall and router configurations that deny traffic between out-of-scope networks and the CDE, network hardening standards, and physical access controls. Segmentation only reduces scope if it actually works: PCI DSS requires penetration testing to verify that segmentation controls are operational and effective, so every permitted path into the CDE should be documented and everything else denied by default.
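Scoping from a rule base is mechanical once the CDE ranges are known: any source a rule admits into the CDE, and any destination the CDE may reach, is a connected-to system and joins the assessment, and any such allow rule without a documented exception is a segmentation gap. The script below is an added example, not from the page or the PCI SSC; the network ranges, the rule tuple format (source, destination, protocol, port, action), and the list of approved exceptions are all constructed. A real review would export the rule base from the firewalls that border the CDE.

```python
"""Derive PCI DSS assessment scope from firewall rules and flag segmentation gaps.

Added example, not from the page or the PCI SSC. The ranges, the rule
format and the approved-exception list are constructed for illustration.
"""
from ipaddress import ip_network

# Constructed: the card-processing segment.
CDE_NETWORKS = [ip_network("10.10.0.0/24")]

# Constructed rule base. A real firewall evaluates top to bottom; for scoping
# we only care which "allow" rules cross the CDE boundary.
RULES = [
    ("10.20.0.5/32", "10.10.0.0/24", "tcp", 22, "allow"),    # admin jump host -> CDE
    ("10.30.0.0/24", "10.10.0.0/24", "tcp", 443, "allow"),   # corporate LAN -> CDE
    ("10.10.0.0/24", "10.40.0.0/24", "udp", 514, "allow"),   # CDE -> syslog collector
    ("10.50.0.0/24", "10.60.0.0/24", "tcp", 80, "allow"),    # neither side is CDE
    ("0.0.0.0/0", "10.10.0.0/24", "any", 0, "deny"),         # default deny into CDE
]

# Constructed: boundary crossings that were reviewed and documented.
APPROVED_EXCEPTIONS = {("10.20.0.5/32", 22)}


def overlaps_cde(prefix, cde=CDE_NETWORKS):
    """True if the prefix shares any address with a CDE network."""
    net = ip_network(prefix)
    return any(net.overlaps(c) for c in cde)


def in_scope_networks(rules=RULES, cde=CDE_NETWORKS):
    """Connected-to systems: every source allowed into the CDE and every
    destination the CDE may reach joins the assessment scope."""
    scope = {str(c) for c in cde}
    for src, dst, _proto, _port, action in rules:
        if action != "allow":
            continue
        src_cde, dst_cde = overlaps_cde(src, cde), overlaps_cde(dst, cde)
        if dst_cde and not src_cde:
            scope.add(src)
        if src_cde and not dst_cde:
            scope.add(dst)
    return sorted(scope)


def segmentation_gaps(rules=RULES, cde=CDE_NETWORKS, approved=APPROVED_EXCEPTIONS):
    """Allow rules that admit non-CDE sources into the CDE without a
    documented exception. Each one either needs an exception record or
    should be removed before the segmentation penetration test."""
    gaps = []
    for src, dst, proto, port, action in rules:
        if action != "allow":
            continue
        if not overlaps_cde(dst, cde) or overlaps_cde(src, cde):
            continue
        if (src, port) in approved:
            continue
        gaps.append({"source": src, "destination": dst,
                     "protocol": proto, "port": port})
    return gaps


if __name__ == "__main__":
    print("in scope:", in_scope_networks())
    for gap in segmentation_gaps():
        print("segmentation gap:", gap)
```

On the constructed rule base the jump host, the corporate LAN and the syslog collector all land in scope alongside the CDE, and the corporate-LAN rule on 443 is reported as a gap because nobody documented it. The same output is what a segmentation penetration test should confirm from the outside: the documented paths work and nothing else does.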


In late September 2018, Facebook published a security update outlining a breach that impacted 50 million users – Facebook’s largest breach ever. The social network has been under intense scrutiny this year after the Cambridge Analytica scandal and has been reorganizing its security team since the departure of its chief security officer, Alex Stamos. With the midterm elections coming up, this massive breach couldn’t have come at a worse time for Facebook. Users, regulators, lawmakers, and competitors are watching to see how Facebook improves the way it handles the private data of its users and how the social network giant handles this latest breach. Many believe it is time for the government to step in, and others are focusing on the GDPR implications of this breach.

Facebook’s Largest Breach: What Happened?

Even this early on in the investigation, Facebook knows that the attack stemmed from the “View As” feature, which impacted access tokens. Specifically, hackers exploited a combination of three bugs: one in a post composer for birthday posts, one in a new version of a video uploader, and one when using the “View As” feature in conjunction with the video uploader. In their security update, Facebook reported, “When using the View As feature to view your profile as a friend, the code did not remove the composer that lets people wish you happy birthday; the video uploader would generate an access token when it shouldn’t have; and when the access token was generated, it was not for you but the person being looked up. That access token was then available in the HTML of the page, which the attackers were able to extract and exploit to log in as another user. The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens.”
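The core of the bug class Facebook describes is principal confusion: a page rendered for one user (the viewer) carried a credential minted for another (the subject being looked up), and because the token sat in the HTML it could be pulled out and replayed. The toy server below is an added example and is not Facebook's code; it collapses the three interacting bugs into that single mistake, uses a simplified HMAC bearer token with no expiry, and assumes a constructed signing key. The vulnerable renderer and the hardened one are shown side by side, together with the extract-and-pivot loop the quote describes.

```python
"""Toy model of the "View As" access-token bug class: a preview page that
embeds a token for the wrong principal.

Added example, not Facebook's code. Token format, the composer widget and
the signing key are constructed; real tokens carry expiry, scopes and
server-side revocation, which are omitted here.
"""
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"  # assumption: server-side signing key


def mint_token(user_id: str) -> str:
    """Bearer token: user id plus an HMAC tag over it (simplified)."""
    tag = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{user_id}.{tag}"


def authenticate(token: str):
    """Return the user a token logs in as, or None if forged or malformed."""
    try:
        user_id, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()[:16]
    return user_id if hmac.compare_digest(tag, expected) else None


def birthday_composer(token: str) -> str:
    """Widget with a video uploader; it needs a token so the browser can post."""
    return f'<div class="composer" data-token="{token}"></div>'


def render_view_as_vulnerable(viewer: str, subject: str) -> str:
    """Bug: the preview still renders the composer, and the token it carries
    is minted for `subject` (the profile being looked up), not `viewer`."""
    page = [f"<h1>{subject}'s profile (as seen by a friend)</h1>"]
    page.append(birthday_composer(mint_token(subject)))  # wrong principal, in the HTML
    return "\n".join(page)


def render_view_as_fixed(viewer: str, subject: str, preview: bool = True) -> str:
    """Fix: a preview carries no widget that needs a credential, and any token
    that is issued is bound to the authenticated requester."""
    page = [f"<h1>{subject}'s profile (as seen by a friend)</h1>"]
    if not preview:
        page.append(birthday_composer(mint_token(viewer)))
    return "\n".join(page)


TOKEN_RE = re.compile(r'data-token="([^"]+)"')


def harvest_token(html: str):
    """What the attacker does with the page: pull the token out of the HTML."""
    match = TOKEN_RE.search(html)
    return match.group(1) if match else None


def pivot(token: str, next_subject: str):
    """Chain: log in with a harvested token, use View As on another account,
    harvest again. Returns the next token, or None if the first is invalid."""
    acting_user = authenticate(token)
    if acting_user is None:
        return None
    return harvest_token(render_view_as_vulnerable(acting_user, next_subject))


if __name__ == "__main__":
    leaked = harvest_token(render_view_as_vulnerable("alice", "bob"))
    print("vulnerable page authenticates as:", authenticate(leaked))
    print("pivot to carol yields:", authenticate(pivot(leaked, "carol")))
    print("fixed page token:", harvest_token(render_view_as_fixed("alice", "bob")))
```

Two properties are worth checking in any similar system: a rendering path that impersonates another user must never reach code that issues credentials, and whatever a credential is bound to must be the session that requested it rather than the object on the page. Because the toy tokens have no server-side state, the only way to cut off a harvested one is to rotate the key, which is the analogue of the mass token reset described next.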

To quickly fix the vulnerability, Facebook reset the access tokens of the 50 million impacted accounts, plus another 40 million accounts as a precautionary measure. As a result, users had to log back into their accounts and then saw a notification in their News Feed explaining the security incident. Facebook also switched off the “View As” feature during its security review. As the investigation continues, Facebook must provide transparency about three elements of this breach: whether accounts or data were misused, who the attackers were, and whether third parties were impacted.

Facebook needs to clearly announce whether accounts were misused or if any private information was accessed during this breach. All we know so far is that the attackers retrieved basic profile information like name, gender, or hometown. Guy Rosen, vice president of product management at Facebook, explained in a press call, “…We don’t know exactly how – which and how – what information we will find has been used. What we’ve seen so far is that access tokens were not used to access things like private messages, or posts, or to post anything to these accounts and we’ll update as we learn more…what we also can confirm is that no credit card information has been taken. We do not display credit card information, even to account holders.”

The public also wants to know who these hackers are and who they’re supported by. Guy Rosen explained in a press call, “Given this investigation’s still early, we haven’t yet been able to determine if there’s specific targeting. It does seem broad and we don’t yet know who is behind these attacks or where there’s base – or where they might be based…The investigation is early, and it’s hard to determine exactly who was behind this, and we may never know. This is a complex interaction of multiple bugs that happened together. It did – it did need a certain level in order for the attacker to run this attack in a way that not only gets access tokens, but then pivots on those access tokens and continues to further – get further access tokens using this mechanism.”

Facebook must also investigate if any third-party services that use its single sign-on function were impacted by this breach. So far, Facebook hasn’t found evidence of third-parties becoming compromised. Thousands of companies use this identity provider function, like Spotify, Instagram, Airbnb, Pinterest, GoFundMe, Headspace, and others. Guy Rosen stated that WhatsApp users are not impacted by this breach, but Tinder has called on Facebook for transparency and full disclosure during their investigation to better support third-parties in their own investigations.

Midterm Elections, GDPR Implications, and Facebook’s Reputation

There seem to be two conversations surrounding Facebook’s latest breach: how this attack reflects Facebook’s preparation for the midterm elections and how this attack needs to be handled in terms of GDPR.

With the midterm elections coming up and the Cambridge Analytica scandal in the rearview, users, regulators, lawmakers, and competitors are watching to see how Facebook is protecting itself from election interference. In fact, two weeks before this breach, Mark Zuckerberg posted Preparing for Elections, a blog post addressing exactly that – Facebook’s defense against election interference. It calls for enforcement over fake accounts, the spreading of misinformation, and advertising transparency and verification. It also speaks of coordination with governments and industries across the globe. Zuckerberg wrote, “While we’ve made steady progress, we face sophisticated, well-funded adversaries. They won’t give up, and they will keep evolving. We need to constantly improve and stay one step ahead. This will take continued, heavy investment in security on our part, as well as close cooperation with governments, the tech industry, and security experts since no one institution can solve this on their own.”

In the wake of this latest breach, is Facebook’s defense plan enough?

With GDPR in mind, Facebook notified the FBI and the Irish Data Protection Commission of this breach. Many suspect that if not for the GDPR’s breach reporting requirements, Facebook wouldn’t have notified the public about this breach until there were more details about the scope of who was impacted and where the attack came from. From the Irish Data Protection Commission’s tweets, we can gather that they are not satisfied with the level of detail provided in Facebook’s breach report. Organizations worldwide need to recognize how strict GDPR’s breach reporting requirements are: a controller must notify its supervisory authority within 72 hours of becoming aware of a breach, whether or not the investigation is finished, and the penalties for failing to do so are severe.

During a press call, the New York Times asked Zuckerberg, “I’m just thinking back to your testimony in congress and one of the main points you made was if Facebook’s here to serve its users and if you can’t be responsible with user data then you don’t deserve to serve users. And I guess I’m just wondering if you still think you all are able to do that because it just — it seems like a pretty — another pretty big breach of user trust?” This is the exact question so many are wondering. If Facebook takes a hit from any more breaches or incidents, how will users, regulators, lawmakers, and competitors react?

More Resources

Facebook’s Morning Press Call Transcript

Facebook’s Afternoon Press Call Transcript

Twitter’s Election Integrity Update

7 Deadly Breaches of 2018 (So Far)