How do you ensure you’ve identified security vulnerabilities before a hacker has? In today’s threat landscape, it’s crucial for organizations to take cybersecurity seriously and create a prevention strategy. We know that organizations today face extremely threatening cybersecurity risks. We know you need validation of your security methods. We know you need someone to uncover the risks and security vulnerabilities that you don’t know about. That’s why we offer quality penetration testing. But what does that even mean?

We want to provide you with a few ways to identify whether or not you’re receiving quality penetration testing. This will help you build a strong security testing methodology, help you meet your compliance objectives, and protect your organization from malicious attacks.

How to Identify Quality Penetration Testing

  • Does KirkpatrickPrice outsource penetration testing services? No. When you partner with penetration testers from KirkpatrickPrice, you work with a dedicated, highly knowledgeable team located in the United States. Our penetration testers aren’t rushing through projects and clients, and they are available for project planning and educating your team.
  • Do we have a team of qualified, professional penetration testers? Yes. Quality penetration testing needs to be performed by a skilled professional or group of professionals who can analyze the results of security testing activities and use those results to inform future activities. Our team of highly skilled and certified penetration testers have diverse backgrounds, extensive experiences, and hold GIAC Certified Penetration Tester (GPEN), GIAC Web Application Penetration Tester (GWAPT), GIAC Exploit Researchers and Advanced Penetration Tester (GXPN), and GIAC Certified Intrusion Analyst (GCIA) certifications, among others.
  • Will KirkpatrickPrice ever try to pass off a vulnerability scan as a penetration test? No. We’ve witnessed many testing firms that, either through ignorance or deceit, mislead their customers by identifying their vulnerability scanning services as penetration testing. Many of these firms deliver scan reports to their customers labeled as a penetration test report with little more than an edited title and their firm’s logo added to the document. Some will attempt to hide this approach by taking the vulnerability scan results and placing them into a custom reporting template without performing any additional testing that would support labeling the service as penetration testing. Despite numerous resources calling out this practice, it continues to be a common source of confusion for customers.
  • Do our penetration testers find security vulnerabilities that an internal penetration tester would not? Yes. There is a unique value to having an independent, third-party perform penetration testing services for your organization because the internal blinders have been removed. Personnel often can’t or don’t want to see the security vulnerabilities that an experienced auditor does. With today’s cybersecurity risks, you can’t be too careful when it comes to security vulnerabilities. Ask yourself: what could a certified, professional penetration tester find that we wouldn’t?
  • Have our penetration testers found security vulnerabilities that previous penetration testers did not? Yes. In one testing situation, we found thousands of accounts that were being maliciously used in a payment portal. Did the previous penetration tester find this? No – this security vulnerability was completely missed.
  • Are KirkpatrickPrice penetration testers dedicated to educating you on the implications of your security vulnerabilities? Yes. Our penetration testers are passionate about empowering your organization to greater levels of assurance, and they do that through analyzing the findings of your penetration tests, communicating the consequences, and recommending remediation tactics.
  • Do we use both automated and manual testing methods in our penetration testing services? Yes. One of the major differences between vulnerability scanning and penetration testing is automated versus manual processes. Beyond the initial scan configuration process, a vulnerability assessment does not require a significant amount of human interaction. Quality penetration testing should include manual testing methods, particularly performed by a professional. If the penetration testing services you receive are a highly automated process with minimal human effort, you might not be receiving quality penetration testing.
  • Do we give post-exploitation direction? Yes. A key aspect of quality penetration testing is using the findings. Your organization should risk rank the vulnerability findings you receive, analyze the potential impact of vulnerabilities found, and determine remediation strategies. KirkpatrickPrice penetration testers will partner with you to ensure you have proper post-exploitation direction.

What would it cost you if your top client was not satisfied with the quality of your penetration test? If you did not undergo a penetration test, what security vulnerabilities would you not know about? How would it impact your job if you did not receive quality penetration testing? In a day and age when security controls must be strong and effective against advanced threats, we’ve made it our mission to deliver quality services – and that includes penetration testing services.

Want to learn more about our penetration testing services? Contact us today.

More Penetration Testing Resources

Auditor Insights: Vulnerability Assessments vs. Penetration Testing

Ask the Expert: Penetration Testing

5 Benefits of Regular Penetration Tests

Updating Your Privacy Policy for GDPR Compliance

Privacy policies are critical to GDPR compliance efforts, as this statement or notice explains how an organization handles personal data. We know that in order to comply with GDPR, a privacy policy should be concise and written in clear, plain language. However, in the weeks since GDPR became enforceable, many privacy policies are not meeting these requirements. This may be due to organizations rushing to create what they believe to be GDPR-compliant privacy policies, but the result has been quite the opposite. We’re seeing privacy policies that have a higher reading level, longer word count, and longer reading time, making them much more difficult to understand than before GDPR went into effect. So, what specific elements should a GDPR-compliant privacy policy include to avoid these pitfalls?

What Should GDPR-Compliant Privacy Policy Include?

Article 13, under Section 2 of GDPR (“Information and Access to Personal Data”), states the required information that must be provided when personal data is collected from a data subject. Following Article 13’s guidance and others, we’ve compiled a checklist that gives your organization over 20 items to consider when creating or updating your privacy policy, to help guide you toward a GDPR-compliant privacy policy.

To ensure fair and transparent processing, the law states that privacy policies must demonstrate the following:

  • Identify the data controller
  • Identify the data protection officer
  • Define the purposes of processing
  • Define the legal basis for processing
  • When “legitimate interests” are your legal basis for processing, describe the legitimate interests for processing
  • Describe the recipients or categories of recipients of personal data
  • If applicable, identify any intent of international transfers of personal data
  • If applicable, identify safeguards for international transfers of personal data
  • Define the data retention period
  • Describe data subjects’ right of access to personal data

The EU’s General Data Protection Regulation (GDPR) is a top regulatory focus, and for good reason. Organizations across the globe are mapping their data, updating their privacy policies, updating contracts, reviewing their data collection processes, and trying to figure out whether they are a data controller or a processor – all to avoid the severe consequences of GDPR non-compliance. Not only are the requirements and scope for this data protection law extremely broad, but the fines and penalties that organizations could face for GDPR non-compliance are unlike any fines and penalties imposed by a regulatory body before.

GDPR Fines and Penalties

Organizations that have grown used to being slapped with minor fines for data breaches or misusing consumers’ data will no longer be able to put the security and privacy of their consumers’ data on the back burner. To gain GDPR compliance, organizations that market, collect, use, or store consumers’ personal data must make the security and privacy of consumers’ data a top priority, or be faced with the severe consequences of GDPR non-compliance. GDPR is equivalent to a US Federal Law, and GDPR non-compliance can lead to fines of up to €20 million or 4% of annual global turnover – whichever is greater.

Fines and Penalties

  • €20 million or 4% of annual global turnover – whichever is greater.

For example, Hilton – one of the largest hotel and resort chains in the world – was fined a mere $700,000 for a data breach that caused the information of 350,000 cardholders to be exposed. That’s a fine of just $2 per person affected by the breach. Considering that Hilton’s annual global turnover for the previous year was $10.5 billion, the company could have been fined a maximum of $420 million for the breach under GDPR’s harshest fine. That’s a fine of $1,200 per person affected. For data controllers like Hilton, as well as data processors, understanding the consequences of GDPR non-compliance is crucial. A $700,000 fine for Hilton presumably didn’t impact the organization much, but a $420 million fine would have had much more severe implications.

Want to learn what fines and penalties will be enforced for GDPR non-compliance? Need to know what to do if your organization violates multiple GDPR provisions? Ready to learn what your organization can do to reduce the maximum fines?

Microsoft’s Password Guidance recommends that passwords be set to never expire. Microsoft argues, “Password expiration policies do more harm than good, because these policies drive users to very predictable passwords composed of sequential words and numbers which are closely related to each other.” NIST’s guidance suggests, “Verifiers should not require memorized secrets [passwords] to be changed arbitrarily. However, verifiers shall force a change if there is evidence of compromise of the authenticator.” These concerns and suggestions are valid, but we believe that moving away from password expiration policies altogether is problematic.

What Makes a Strong Password?

Creating an effective password expiration policy goes hand-in-hand with creating a strong password. Both NIST and Microsoft guidance highlight a need to move away from traditionally accepted strong password best practices, such as:

  • Character length
  • Character complexity
  • Expiration date

Instead, NIST and Microsoft claim that strong password best practices should include:

  • Banning common passwords
  • Educating employees to not use their organization credentials anywhere else
  • Enforcing multi-factor authentication (MFA)
  • Enabling risk-based MFA

Following these new best practices and ensuring that users create strong passwords could allow administrators to implement less frequent password expiration dates.

KirkpatrickPrice’s Best Practices for a Password Expiration Policy

At KirkpatrickPrice, we have found that eliminating password expiration policies can lead to a weakened security posture. Users are still likely to create and use hackable passwords, such as variations of birthdays, anniversaries, names, addresses, and other personal information. Because of this, establishing effective criteria for strong passwords and implementing a password expiration policy is crucial in maintaining a strong security posture. To accomplish this, we recommend doing the following when developing a password expiration policy:

  • Education and Training: A key to maintaining a strong security posture is continuously educating and training users on the importance of creating strong passwords. Administrators must set the tone for establishing strong passwords through proper security awareness training. Users must understand what constitutes a strong password, and also what password expiration policy is in place and why.
  • Utilizing MFA: MFA allows users to confirm their identity by successfully presenting two or more pieces of evidence to an authentication mechanism, reducing the risk of compromise. Without MFA and password expiration dates, users are much more likely to be hacked or to be unaware that a hack has occurred.
  • Setting a Timeframe for Password Expiration: It is imperative that a password expiration policy be established. Though research has shown that frequent password expiration dates can be detrimental, that doesn’t mean that you shouldn’t set password expiration dates at all. For example, your password expiration policy could be that passwords expire every two years, but those passwords must meet certain strong password criteria and require the use of MFA.
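The following is an added example, not code from KirkpatrickPrice, NIST, or Microsoft, showing how a verifier could implement the practices listed above in one place: the NIST/Microsoft-style acceptance checks (a banned/common-password list and a minimum length, rather than complexity rules), a forced change whenever there is evidence of compromise, and the long calendar expiration window plus mandatory MFA that this article recommends. The banned list, the 730-day window, the user records, and the function names are all constructed assumptions for illustration.

```python
"""Password acceptance and expiration policy checks.

Added example combining the NIST / Microsoft guidance summarised in the
article (banned-password list, no arbitrary rotation, forced change on
compromise evidence) with the long expiration window and MFA requirement
the article recommends. Not KirkpatrickPrice's, NIST's or Microsoft's code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed stand-in for a breached/common-password blocklist. A real
# deployment loads a large list; these five entries are illustrative only.
BANNED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8                      # NIST 800-63B minimum for memorized secrets
MAX_AGE = timedelta(days=730)       # assumption: the two-year window from the article


@dataclass
class Account:
    username: str
    password_set_at: datetime
    mfa_enrolled: bool
    compromise_evidence: bool = False   # e.g. credential seen in a breach dump


def check_new_password(candidate: str, username: str) -> List[str]:
    """Return the reasons a candidate password is rejected (empty = accepted).

    No composition rules (upper/lower/symbol counts) are applied: the checks
    are length, the banned list, trivial variations of banned entries, and
    reuse of the username inside the password.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm = candidate.lower()
    if norm in BANNED_PASSWORDS:
        problems.append("appears on the banned/common password list")
    # 'password1' or 'letmein!' are still the banned word once the tail is stripped.
    if norm.rstrip("0123456789!") in BANNED_PASSWORDS:
        problems.append("is a banned password with digits/punctuation appended")
    if username.lower() in norm:
        problems.append("contains the username")
    return problems


def must_change_password(acct: Account, now: datetime) -> Optional[str]:
    """Decide whether a change is forced, and why.

    Evidence of compromise always forces a change (NIST); otherwise only the
    long calendar window does, instead of a short arbitrary rotation period.
    """
    if acct.compromise_evidence:
        return "evidence of compromise"
    if now - acct.password_set_at > MAX_AGE:
        return f"older than {MAX_AGE.days} days"
    return None


def login_requirements(acct: Account, now: datetime) -> dict:
    """What the login flow must enforce for this account right now."""
    return {
        "mfa_required": True,                 # policy assumption: MFA is always required
        "mfa_missing": not acct.mfa_enrolled,
        "force_password_change": must_change_password(acct, now),
    }


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)       # constructed clock
    print(check_new_password("password1", "alice"))
    print(check_new_password("correct horse battery staple", "alice"))
    stale = Account("alice", datetime(2022, 1, 1, tzinfo=timezone.utc), mfa_enrolled=False)
    print(login_requirements(stale, now))
```

The design point is that `check_new_password` spends its effort on the banned list and username reuse rather than on character classes, while `must_change_password` separates the two legitimate triggers for a forced change (compromise evidence and a long calendar window) so neither has to be weakened to accommodate the other.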

How is MFA More Secure than 2FA?

Because frequent password expiration dates have been industry standard, moving away from that best practice might seem unnerving. Using two-factor authentication (2FA) and MFA, though, can serve as an additional step in maintaining a strong security posture. However, while a 2FA system is a growing best practice, it isn’t guaranteed to shield against cyberattacks; 2FA systems can be easily bypassed. Instead, we suggest using an MFA system to better ensure security because it requires several separate pieces of evidence to confirm a user’s identity instead of just two. How are you ensuring that your employees’ credentials aren’t compromised?

Have you reviewed your password expiration policy? Do you need help developing your organization’s security awareness training? Ensuring a strong security posture doesn’t need to be challenging. Let us help! Contact us today for more information on how KirkpatrickPrice can assist you in implementing these password expiration policy best practices.

More Resources

The 8-Character Password is No Longer Secure

Choosing Secure Passwords

Two-Factor vs. Multi-Factor Authentication

The most common questions we receive regarding GDPR compliance are all related to terms and definitions. Controllers, processors, processing, sub-processor, joint controller, controller-processor – there are so many complicated, similar GDPR terms. If you’ve been confused by what terms mean and which definitions are vital to the compliance process, you are not alone. What’s your organization’s role? Who enforces GDPR? What kind of data is covered under the law? What kind of person is covered under the law? Understanding key GDPR terms will help you answer these important questions and begin your GDPR compliance journey.

Key GDPR Terms Defined

Data Subject: Some may assume that “data subjects” means EU citizens, but the explicit language of the law applies to processing the personal data of “data subjects in the Union” which could cover tourists, non-citizen residents, international students, and much more. Because GDPR uses informal descriptions for the term “data subject,” the public has been left with varying interpretations and significant challenges. We generally see five definitions proposed for data subjects:

  1. A person located in the EU,
  2. A resident of the EU,
  3. A citizen of the EU,
  4. An EU resident/citizen physically located anywhere in the world, or
  5. A person whose personal data is processed within the EU, regardless of that person’s location.

Organizations should closely monitor regulatory and legal developments related to the definition of “data subject.”

Personal Data: Per Article 4(1), personal data is any identifiable information related to a data subject. For example: name, geographic location data, email address, IP address, photographs, video or voice recordings, biometric data, or an online identifier of the specific physical, physiological, genetic, mental, economic, cultural, or social identity of a data subject.

Controller: The natural or legal entity that regulates the purpose and means of processing personal data. The greater the decision-making authority an organization has regarding what personal data to obtain from data subjects and how to use that personal data, the more likely it is that an organization takes on the responsibilities of a data controller.

Processing: Processing is any action that impacts or uses personal data, including accessing, collecting, storing, archiving, reviewing, or destroying.

Processor: The natural or legal entity that processes personal data in support of a controller. Processors cannot process data without the authority of the data controller; therefore, processors must provide controllers with sufficient GDPR compliance guarantees, notification of data breaches, and notice of the adding or changing of sub-processors.

Data Protection Officer (DPO): An individual who has expert knowledge of data protection laws, coordinates with data subjects and supervisory authorities, participates in data protection impact assessments, and monitors GDPR compliance.

Supervisory Authority: Independent, public authorities for each EU member state that are responsible for monitoring the application of GDPR and addressing non-compliance. For example:

  • National Commission of Computing and Freedoms in France
  • The Federal Commissioner for Data Protection and Freedom of Information in Germany
  • Agency of Protection of Data in Spain
  • The Information Commissioner’s Office in the United Kingdom

Joint Controller: When two or more controllers jointly have authority over and determine the purposes and means for processing personal data.

Controller-Processor: An organization or person identified as both a controller and a processor.

Sub-processor: An organization that processes personal data on behalf of a processor. Sub-processors must comply with the same contractual and compliance requirements as a processor.

For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.