Update on the Citrix Vulnerability, CVE-2019-19781

On December 17, 2019, Citrix released information about a vulnerability tracked as CVE-2019-19781. This vulnerability lies in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway. Will this Citrix vulnerability impact your organization?

What We Know About CVE-2019-19781

CVE-2019-19781 allows unauthenticated remote attackers to execute arbitrary code on the exposed system. Because of where the vulnerable Citrix appliances sit on the network, patching is critical. But a permanent patch has not been released by Citrix yet. We expect to see one by the end of the month – meaning Citrix will have left this vulnerability unpatched for over a month.

Citrix did provide configuration steps to reduce the risk of exploitation for CVE-2019-19781, and the Cybersecurity and Infrastructure Security Agency (CISA) has released a tool, available on GitHub, to check for this Citrix vulnerability.

Citrix 2019 Breach

This isn’t Citrix’s first security incident. In March 2019, the FBI informed Citrix that “they had reason to believe that international cyber criminals gained access to the internal Citrix network.” It was speculated the attackers used password spraying to gain access, impacting over 200 government agencies, oil and gas firms, and technology companies.

Forbes reports that Citrix provides VPN access and credentials to 400,000 organizations worldwide and 98% of the Fortune 500. When an organization like Citrix has a vulnerability, it’s not insignificant. Our penetration testers and auditors are watching this vulnerability closely.

More Resources

National Vulnerability Database Details on CVE-2019-19781 

Think Like a Hacker: Common Vulnerabilities Found in Networks

Reviewing Your Information Security Program for 2020

15 Must-Have Information Security Policies

What Information Security Policies Do You Need?

Why do you need information security policies? What role do policies play in your organization’s security structure? You’re probably familiar with basic policies such as a Disaster Recovery Policy, Data Backup Policy, or Risk Assessment Policy, but there are other must-have information security policies that you should be implementing. The point of having extensive policies in place is to provide clarity for your employees, direction for proper security procedures, and proof that you’re doing your due diligence to protect your organization against security threats. We’ve gathered a list of 15 must-have information security policies that you can check your own list of policies against to ensure you’re on the path towards security:

  1. Acceptable Encryption and Key Management Policy
  2. Acceptable Use Policy
  3. Clean Desk Policy
  4. Data Breach Response Policy
  5. Disaster Recovery Plan Policy
  6. Personnel Security Policy
  7. Data Backup Policy
  8. User Identification, Authentication, and Authorization Policy
  9. Incident Response Policy
  10. End User Encryption Key Protection Policy
  11. Risk Assessment Standards and Procedures
  12. Remote Access Policy
  13. Secure Systems Management Policy
  14. Monitoring and Logging Policy
  15. Change Management Policy

Information Security Policies Are Not the Finish Line

Now that you know 15 must-have information security policies, you should also know that policies are not the finish line. You also need to implement procedures and standards to give your employees tangible direction on how to follow information security policies – plus, developing procedures and standards is required for compliance with information security frameworks. It’s also not enough to just have written policies and procedures. You need to make sure every employee in your organization has a chance to read, understand, and acknowledge your policies. That’s why it’s important to develop an Employee Handbook and require each employee to sign a Policy Acknowledgement. These steps help to ensure those 15 must-have information security policies are implemented well and further your information security goals.

How KirkpatrickPrice Can Help You Develop an Information Security Policy

When you engage in a gap analysis with KirkpatrickPrice, the auditor assigned to work with your organization determines if there are any gaps in your information security structure. Many times, we find organizations are missing policies that give structure to their information security plan. After completing a gap analysis, you can elect to have one of KirkpatrickPrice’s Professional Writers develop customized policies to help you meet your specific compliance requirements. Writing or adding to your information security policies based on your gap analysis results will aid in your remediation efforts.

If you’re looking to develop strong policies and procedures or have further questions about how you can partner with KirkpatrickPrice to meet your compliance goals, contact us so we can help you develop standards that fit your organization.
More Policy Resources

SOC 2 Academy: Expectations of Policies and Procedures

Quickstart to Information Security Policies for Startups

Auditor Insights: Policies and Procedures are Better Than Gold

5 Best Practices to Integrate Cybersecurity With Your Business Strategy

What Does an Effective Business Strategy Look Like?

For many businesses, it’s been a long time since the business strategy was initially developed. If it was created a few years ago, it’s likely missing cybersecurity as one of its strategic initiatives. The role of cybersecurity has dramatically changed for the C-suite and should be re-evaluated in terms of its impact on strategy.

Any successful business will have a solid definition of its mission, values, and goals. In today’s landscape, every organization is in the business of cybersecurity. It should have a significant part to play in the overall strategy for the company’s success. How can you do this? By adopting the following five best practices to integrate cybersecurity with your business strategy.

5 Ways to Integrate Cybersecurity With Your Business Strategy

Integrating cybersecurity with your business strategy shouldn’t be as painstaking as it may initially seem. Whether you’re in the beginning phases of establishing a business strategy or your organization is re-evaluating your long-term goals, you can follow these five best practices as a starting point to integrate cybersecurity with your business strategy.

1. Identify your business’ key goals and aspirations

What is the overall purpose of your organization? Evaluate the specific milestones you have set to realize that purpose and now look at them in a new way. How does cybersecurity make or break the mission? These are important considerations to integrate into your strategic initiatives.

2. Pinpoint areas of weakness in your cybersecurity hygiene

When you evaluate risk throughout the organization, C-level executives are particularly strong at considering threats impacting financial risk, competitive changes, loss of key employees, market shifts, environmental events, and other disasters. Now, add cybersecurity risk to this same equation. Don’t make the mistake of assuming an IT department is covering this base. Executives must seek out the same details on potential impact from cybersecurity threats as they do in other areas. Conducting a risk analysis can help you identify weak areas in your cybersecurity hygiene and risk-rank the vulnerabilities that need to be addressed first. You might need a third-party information security expert to provide an unbiased view of your risk. Specialists at KirkpatrickPrice can help pinpoint weak areas in your cybersecurity hygiene, give you advice on how to remediate those findings, and help fine-tune your strategic initiatives.

3. Determine how your people, processes, and technology need to evolve

The cybersecurity landscape is constantly changing, and you need to make sure that your people, processes, and technology are able to swiftly adapt. Humans are generally the root cause of security incidents – whether it’s out of ignorance or deceit – and so it’s up to your organization to ensure that all personnel understand the cyber threats they’re faced with on a day-to-day basis. Requiring annual, thorough security awareness training is one way to do this. As for your processes and technology, how often do you update them to meet information security best practices? Do you conduct internal audits to validate the security of your processes and technology? Are you making investments in technology that will improve the cybersecurity of your organization?

4. Implement a strategy for cybersecurity best practices

Once you’ve identified your key goals and aspirations, identified areas of weakness in your cybersecurity hygiene, and found ways that your people, processes, and technology need to evolve, you need to decide how exactly you’ll be implementing these five best practices. Will you use a framework like NIST to guide your efforts? Will it require you to partner with an MSP or hire more IT personnel? Do you need to hire an independent, third-party firm to validate your cybersecurity efforts?

5. Leverage cybersecurity and compliance for success

Strategic planning is what guides all that you do in your organization. Cybersecurity and compliance are strategic initiatives that serve as benchmarks for your business. Do we have a cybersecurity mission? Have we identified our cybersecurity goals? What are the plans to get there? Have we defined the resources we need? Are we monitoring our progress to quantify success? Ultimately, these will become strengths that are important to your clients and other stakeholders. You might train your sales and marketing teams on how to communicate your strategic differentiation in the market because of your cybersecurity and compliance strengths. Leading firms have a dedicated cybersecurity landing page on their website that explains the “why” behind cybersecurity and how it serves as a strategic goal in their business.

All in all, cybersecurity can no longer be an afterthought or kept at arm’s length from the boardroom. It must be a proactive effort – one that is ingrained in the company culture and strategic purpose. If your business is struggling to adopt these five best practices to integrate cybersecurity with your business strategy, let’s find some time to talk to see how we can help you.

More Cybersecurity Resources

What is Cybersecurity?

When Will it Happen to You? Top Cybersecurity Attacks You Could Face

How to Lead a Cybersecurity Initiative

Key Takeaways from the SEC’s Cybersecurity Guidance

Validating Fixes 30 Days After Your Pen Test – Our Retesting Policy

Every penetration testing firm has unique processes for conducting penetration tests. While there are standards that influence penetration tests, like the OWASP Top Ten, the Open Source Security Testing Methodology Manual (OSSTMM), and the Penetration Testing Execution Standard (PTES), the truth is not all penetration tests are created equally. When hiring a firm to conduct your penetration tests, having a thorough understanding of their methodologies is imperative. How will the firm you’ve hired help you remediate findings? Will they offer detailed insights and strategies for remediation? Will they re-validate what you’ve remediated? A firm focused on advanced, personal service will do exactly that. That’s why KirkpatrickPrice has a 30-day retesting policy.

What is Penetration Testing?

Penetration testing is a form of permission-based ethical hacking in which a tester attempts to gain access to an organization’s assets, including people, systems, and locations. The purpose of pen testing, as part of your ongoing risk management practices, is to find vulnerabilities that could potentially be exploited by a malicious hacker. However, pen testing firms that are committed to helping their customers get the most out of their investment know that delivering a penetration test report is only the first part of the service. An exceptional pen tester mindset focuses on providing guidance to remediate the findings and, ultimately, helping the client improve their security methods.

KirkpatrickPrice’s Commitment to Your Security Needs

When prospects approach us about undergoing a penetration test for the first time, or after a bad experience with another penetration testing firm, they ask how KirkpatrickPrice’s pen testing methodologies will prepare their organization against the advancing threats of today’s cyber landscape. It’s simple. We use tried-and-true methodologies that have helped keep our clients secure, including:

  1. Information Gathering
  2. Reconnaissance
  3. Discovery and Scanning
  4. Vulnerability Assessment
  5. Attack and Exploitation
  6. Final Analysis and Review
  7. Implement the Remediation Guidance
  8. 30-Day Retesting Period

Benefits of Retesting

KirkpatrickPrice is well aware that the security of your organization is not something to take lightly. This is why, when we conduct our quality, thorough pen testing services, we do everything possible to help you get the most out of your engagement, including providing free resources, access to Information Security Specialists, and a 30-day retesting period to test the changes you make after the engagement concludes. What are the benefits of the 30-day retesting policy?

According to KirkpatrickPrice pen tester, Stuart Rorer, “The 30-day retesting policy provides our clients with the ability to have any issues, previously discovered in the pen test, reassessed to see if the remediations have been effective.” This means that when you remediate vulnerabilities over this 30-day retesting period you could:

  1. Save your organization from a costly, embarrassing data breach
  2. Demonstrate your organization’s commitment to security
  3. Prove to stakeholders that you’re willing to do everything possible to protect their investments
  4. Ensure the security of a product before you take it to market
  5. Give your customers peace of mind

For those who may argue that 30 days post-exploitation isn’t enough to remediate vulnerabilities, Rorer makes a critical point: “Having a pre-determined test window also provides the client with a level of accountability, and helps set a timeline goal to have issues remediated. The longer the vulnerabilities remain present, the more likely they can be exploited.” In addition, many compliance frameworks require that you remediate high findings and also test your system after any significant changes.

The 30-day retesting policy at KirkpatrickPrice is optional, but we encourage all of our clients to take advantage of the benefits of retesting, implementing changes, and validating the security of their networks and systems. After all, a data breach is only a matter of when, not if, it will occur. Make sure your organization receives quality, thorough pen testing services – talk to an expert today. We’re here to help!

More Penetration Testing Resources

What Should You Really Be Penetration Testing?

3 Hacks to Get the Most Out of Your Penetration Test

5 Critical Things to Consider When Choosing Your Pen Tester

Using the Online Audit Manager to Complete Multiple Audits

Can You Complete Multiple Audits at One Time?

What do you do when you have multiple information security frameworks to comply with? Is there a guide on how to manage audit completion tasks? Are you able to consolidate multiple audits into one project? At KirkpatrickPrice, you are. We’ve developed the Online Audit Manager – an online audit delivery tool that maps the requirements of each framework to one another so that you can capitalize on your resources instead of answering the same question over and over again on separate audits. The Online Audit Manager enables us to combine multiple audits into one project, plus provide customized audits to meet your needs.

How Frameworks Map to One Another in the Online Audit Manager

When an organization is pursuing multiple compliance goals, it’s crucial to find an auditing firm who has the technology and expertise to not only streamline your process, but also use your resources in the most responsible way. We don’t want our clients answering the same question over and over again, wasting their time and becoming frustrated with the audit. Because the Online Audit Manager maps each framework’s controls and requirements to one another, we know which overlap and which don’t. This means that when there is overlap, auditors can use one answer to verify multiple controls.

Let’s take a look at some real examples.
Empowering You to Meet Your Compliance Requirements

Tackling multiple audits can be daunting, but we believe that consolidating the questions that we ask clients to answer gives them a more practical view of the project in front of them. To our clients, it doesn’t feel like they’re completing multiple audits or managing multiple projects – they’re just answering a larger question set. This is the exact mission with the Online Audit Manager – to make audits more approachable and empower your team to meet your compliance obligations.

When Joseph Kirkpatrick began his career in the information security industry, he realized there wasn’t a way to perform multiple audits through a single process. The Online Audit Manager was his own vision for how an audit should be done – 80% online, with resources from us available along the way. Because of the Online Audit Manager, KirkpatrickPrice was the first authorized company to provide multiple audits through an online process. If you’re curious about our process, let us walk you through an Online Audit Manager demo and discuss your compliance goals. With KirkpatrickPrice, they may be more achievable than you think!

More Multi-Audit Resources

4 Reasons the Online Audit Manager is the Audit Tool You’ve Been Missing

Choosing the Online Audit Manager: One Tool, Multiple Audits

Was the Audit Worth It?