What is Mobile Application Penetration Testing?

So often, mobile devices are assumed to be the causes of security incidents or breaches, but mobile applications usually serve as the attack vector. In 2018, one in 36 mobile devices had high risk apps installed. There were 2,328 variants of mobile malware. Only about 50% of mobile apps were running on the newest, major iOS version and 19% for Android. Mobile applications and their risks aren’t something you can avoid. What does this mean for your business? You need to defend the mobile applications you have built from hackers and cyber threats. Are you performing penetration testing on your mobile applications to validate your security efforts? Let’s discuss the risks associated with mobile applications and how KirkpatrickPrice’s penetration testing methodologies are effective for securing your business.

Why Test Mobile Applications?

Mobile applications provide a large surface area of attack and are often a weak link in a company’s security posture. Does your app connect with backend servers? How is information stored on the device? Is there a chance information may be hardcoded into the program code? So many things can go wrong with iOS or Android mobile applications, which is why organizations must protect them through penetration testing. During 2018, Symantec blocked an average of 10,573 malicious mobile apps per day. Do you want to be considered a high risk app?

According to OWASP’s Mobile Security Project, the 10 most critical security risks to mobile applications are the following:

  1. Improper Platform Usage
  2. Insecure Data Storage
  3. Insecure Communication
  4. Insecure Authentication
  5. Insufficient Cryptography
  6. Insecure Authorization
  7. Client Code Quality
  8. Code Tampering
  9. Reverse Engineering
  10. Extraneous Functionality

To complement these critical security risks, OWASP and ENISA collaborated to establish a joint set of mobile controls and design principles determined to be best practice, which include:

  1. Identify and Protect Sensitive Data on Mobile Devices
  2. Handle Password Credentials Securely on Mobile Devices
  3. Ensure Sensitive Data is Protected in Transit
  4. Implement User Authentication, Authorization, and Session Management Correctly
  5. Keep the Backend APIs (Services) and the Platform (Server) Secure
  6. Secure Data Integration with Third-Party Services and Applications
  7. Pay Specific Attention to the Collection and Storage of Consent for the Collection and Use of the User’s Data
  8. Implement Controls to Prevent Unauthorized Access to Paid-For Resources
  9. Ensure Secure Distribution/Provisioning of Mobile Applications
  10. Carefully Check Any Runtime Interpretation of Code for Errors

Has your organization analyzed the security of your iOS or Android mobile applications against these 10 risks? Have you built mobile applications that align with these mobile controls and design principles?

Timehop is a perfect example of how mobile applications can impact our day-to-day lives and how, when a breach happens, it can truly scare users. Timehop is a memory-sharing app enabling users to distribute posts from the past by connecting to their social networks and photo storage apps. In 2018, the app experienced a breach where up to 21 million users were impacted. Because of Timehop’s connection to users’ social networks, the company had to be very clear about what happened and the types of data that were breached. Timehop came straight out and admitted that the breach was due to a lack of appropriate MFA on access credentials, which resulted in network intrusion. In their security incident report, Timehop went above and beyond the norm in order to be as transparent as possible. Timehop’s incident response approach was extremely transparent and accessible, one of the most thorough that we’ve seen – and we think it’s because they recognized the impact mobile applications have on users’ lives.

How is Penetration Testing Performed on Mobile Applications?

We find that many mobile security analysts are lacking in the knowledge and expertise they need to thoroughly test a mobile application. With all the types of technology available to organizations across different industries, there is a lot of ground to cover and a lot of expertise required to properly perform penetration testing on mobile applications. At KirkpatrickPrice, our approach is in-depth, and we dig deep to try and find any issues that may exist.

Effective penetration testing on iOS or Android mobile applications requires a diligent effort to find weaknesses, just like a hacker would. KirkpatrickPrice methodologies are unique and efficient because they do not rely on static techniques and assessment methods. Our penetration testing methodology is derived from various sources including the OSSTMM, Information Systems Audit Standards, CERT/CC, the SANS Institute, NIST, and OWASP.

What is mobile application penetration testing and how could it secure your organization? If you want to avoid the consequences of a compromised mobile application while working with an expert ethical hacker, contact us today.


How to Scale Your Information Security Program as You Grow

It’s a great accomplishment for startups to meet compliance goals, like gaining SOC 2 attestation or becoming HITRUST CSF certified – but what happens after you receive your report? How do you continue to implement the lessons you learned and the controls you developed? What happens when a CISO or an IT director leaves the company? Will your information security program withstand your projected growth? These are all things to consider when developing your information security program.

Why is an Information Security Program Important for Startups?

Information security tends to be sacrificed due to the resources it requires – resources that could be used or spent elsewhere. There are always more prospects to pursue, contracts to sign, growth to focus on, and more problems to fix. Initially, an information security program is typically viewed as a headache that seems to get worse year after year, requiring more time, money, and attention. And yet as an assurance firm, we know that a business built with an information security program at the foundation has an advantage because a business process or IT solution is so hard to change once it becomes core to the enterprise and its operation. Every shortcut taken during the design processes, technology solutions, or internal systems will haunt your startup forever – even when you’re not a startup anymore. That’s why creating an information security program must be a priority from the very beginning.

Creating a Scalable Information Security Program

What does it mean for startups to create information security programs that scale as they grow? It means that the work you put into your program at the inception of your organization will pay off in the long run. You will reap the benefits of your information security program long after you’ve graduated from being a startup. What are some ways to create a scalable information security program?

  • Bake information security into the foundation of your organization, but don’t overwhelm your personnel. What are the information security basics that you need to cover? How can you configure AWS in a secure way? Have you created an incident response plan? Have you installed 2FA? A business that is driven by security and integrity will create a quality service or product.
  • Even if it’s not a full-time position, someone needs to be responsible for information security efforts. Maybe it’s something that grows into a full-time position, but if no one is in charge of the information security program, you will regret it down the line. Eventually, you will get to the point that you have a full-time position heading up your information security program.
  • Conducting a formal risk assessment is not only a way that startups can identify and assess organizational risk; the findings can be used to prioritize risks to your organization’s business continuity, reputation, and financial health. Risk assessments will be essential as a startup grows; what new risks are you exposed to that you weren’t a year ago? How can you mitigate them? How can you monitor them?
  • When startups have a product, customers, and the customers’ data (and possibly their customers’ customers’ data), they are a more interesting target to hackers. Do you have engineers and developers who know how to design a secure system? Can they review code? Do they know how valuable penetration testing is? Do controls scale alongside your infrastructure?

What Our Clients Say

What do we hear from our clients about creating an information security program that is scalable?

  • “As a startup, if you’re going to deal with data that has privacy and compliance requirements or talk to customers that are heavily regulated, you have to think about that in your initial design and business strategy because that’s the success. That’s the difference between being profit-positive inside of one year and being profit-positive at year seven.”
  • “We want to be able to tell our clients and our clients’ customers that the framework that we’ve built and the design or architecture that we’ve built is as secure as is available on the market. We knew that the sooner we could close that gap and prove to our customers and prospects that we’ve rolled out an information security program, thought about the processes and procedures, and considered privacy laws and requirements around the globe, that opens the door to more conversations and builds confidence in us as a vendor.”
  • “Compliance cannot be an afterthought. If you’re starting a business, please think about information security first.”
  • “[Going through] a gap analysis was the best thing that we ever did.”
  • “[Going through an audit made] our documentation lightyears beyond what it was.”
  • “We’re a small company, but as we grow, the Online Audit Manager is architected in such a way that you can delegate the questions out to the right people in your team and get accurate answers. It also alleviates businesses from having a single point of contact that must do it all. Having an online platform with delegation and tracking capabilities plus the feedback from the auditor in a digital format, along with the daily email reminders, is a great way to keep the audit process moving forward.”

If your organization is a startup considering undergoing information security assessments or penetration testing for the first time, KirkpatrickPrice wants to be your resource for building a scalable, solid information security program. Want to learn more? Contact us today.


What is Web Application Penetration Testing?

According to Verizon’s 2019 DBIR, web applications are the top hacking vector in breaches. What does this mean for your business? Is your organization defending its web applications from hackers and cyber threats? Are you performing penetration testing on your web applications to validate your security efforts? Let’s discuss the risks associated with web applications and how KirkpatrickPrice’s penetration testing methodologies are effective and necessary for securing your business.

Why Test Web Applications?

Web applications are unique constructs, mixing various forms of technology and providing an interactive front for others to use. Some web applications are made public, while others might be internal applications existing on an intranet. No matter the location, there are always security variables. How well does your application handle input? Does it work with backend servers in a secure manner? Do you have default configurations? Do you have an effective incident response plan? Will your session management scheme hold up to penetration testing?

According to OWASP, the 10 most critical security risks to web applications are the following:

  1. Injection Flaws
  2. Broken Authentication Methods
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Controls
  6. Security Misconfigurations
  7. Cross-Site Scripting (XSS) Flaws
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

Has your organization analyzed the security of your web applications against these 10 risks? In order to accurately identify and prioritize risks specific to your organization’s web applications, OWASP recommends that you consider a risk’s exploitability, weakness prevalence, weakness detectability, technical impacts, and business impact.

The key vulnerability in Capital One’s breach was traced back to a misconfigured web application firewall. KrebsOnSecurity reported that Paige Thompson was a former employee of the web hosting company involved (presumed to be AWS) and “allegedly used web application firewall credentials to obtain privilege escalation.” Thompson illegally accessed and downloaded the PII of 106 million Capital One users, data that included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on U.S. consumers, and roughly 1 million Social Insurance Numbers (SINs) for Canadian credit card customers. All of this because one former employee knew how this web application misconfiguration could be massively exploited.

How is Penetration Testing Performed on Web Applications?

In the past, web applications have proven to be problematic for many security analysts. With all the types of technology available to organizations across different industries, there is a lot of ground to cover and a lot of expertise required to properly perform penetration testing on web applications. We often see other firms blindly assign an analyst to a web application project, assuming that their knowledge, skill, and ability will transfer to or fit whatever the web application requires. This is not the case, so you must be careful about who you hire to perform penetration testing on your web applications. Without the proper knowledge and expertise, a penetration tester can miss important findings. That’s why web application penetration testing methods at KirkpatrickPrice include the following:

  • Application Logic Flaws
  • Forced Browsing
  • Access and Authentication Control Flaws
  • Session Management
  • Cookie Manipulation
  • Horizontal Escalation
  • Vertical Escalation
  • Brute-Force Attacks
  • Poor Server Configuration
  • Sensitive Information Leakage
  • Source Code Disclosure
  • Response Splitting
  • File Upload/Download Attacks
  • Parameter Tampering
  • URL Manipulation
  • Injection Attacks for HTML, SQL, XML, SOAP, XPATH, LDAP, Command
  • XSS
  • Fuzzing
  • Manual Testing

So, how will our methodologies help secure your organization’s web applications? KirkpatrickPrice’s web application penetration testing methodologies are unique and efficient because they do not rely on static techniques and assessment methods. Effective penetration testing requires a diligent effort to find enterprise weaknesses, just like a malicious individual would. Our advanced, web application penetration testing methodology is derived from various sources including the OSSTMM, Information Systems Audit Standards, CERT/CC, the SANS Institute, NIST, and OWASP.

What is web application penetration testing and how could it secure your organization? If you want to avoid the consequences of a compromised web application while working with an expert ethical hacker, contact us today.


5 Project Management Tips for Information Security Audits

When most people think of auditing, they automatically associate it with negative emotions such as stress or anxiety. At KirkpatrickPrice, we understand that undergoing an information security audit can be an overwhelming task for organizations, and we want to partner with you to ensure that we can alleviate as much of that stress as possible. However, while we have processes, personnel, and tools like our Online Audit Manager to help your organization succeed, an audit engagement is a two-way street, and your organization must be sure to manage the project efficiently. To do so, we’ve come up with five tips for project management for information security audits.

Project Management Tips for Information Security Audits

1. Know What You’re Getting into Before the Audit Begins

Oftentimes, organizations fail to thoroughly research and understand what exactly will be expected of them during an audit engagement. For many organizations, this is because it is their first time undergoing an information security audit. Before an audit engagement begins, organizations need to familiarize themselves with their audit firm’s audit processes and the framework(s) that they are going to be audited against. This might mean reviewing the actual framework itself, like the PCI DSS or HITRUST CSF, or referencing educational materials to prepare your organization, like KirkpatrickPrice’s SOC 2 Academy.

In addition to familiarizing your organization with the frameworks and audit processes, organizations must ensure that everyone in their organization is on board with the information security audit from the start and that they are willing to participate as needed. Gaining the buy-in from C-level executives all the way down to department heads or key team players will make the audit engagement more efficient because everyone knows and understands what’s at stake during the audit and how they can play a role in ensuring the completion of the engagement.

2. Make an Audit Strategy

For every organization, the audit process is different depending on the time, personnel, and financial resources available. The audit process is also different based on what services you choose. Will you go through a gap analysis? Are you provided with a remediation plan? How long will it take you to remediate? Do you have multiple audits happening simultaneously? This is why establishing an audit strategy is essential to project management for information security audits. Organizations must determine who will oversee the engagement, how the progress of the engagement will be tracked, and other considerations that could impact the completion of the audit, such as what would happen if someone from the company (i.e. a Director of IT) left the company during the audit.

3. Select a Leader to Oversee the Project

Want to ensure a successful audit? Select a leader to oversee the engagement. At KirkpatrickPrice, we call this person the executive sponsor. This is typically a C-level executive who will manage the project, serve as the point of contact between your organization and ours during the engagement, and ensure that the project remains on schedule. If a problem arises during the audit, this person should be able to effectively communicate those problems to other stakeholders in the audit and work with the audit partner to find solutions and get the engagement back on schedule. This component is especially important when it comes to project management for information security audits.

4. Stay on Top of Deadlines

By and large, sticking to deadlines during an audit period seems to be one of the most pressing concerns for organizations. When prospects approach us about engaging in an information security audit, we’re often asked if we will be able to complete the audit and report by a specific date or told about a hard deadline that compresses the timeline. Because most organizations do need an audit by a specific date, we have streamlined our audit process to ensure an efficient delivery system. However, this system only works the way it’s designed to if our clients are held accountable and complete the work they’re assigned on time. Why? Because even the smallest delay, such as not turning in artifacts or evidence when requested, can lead to receiving your report later than it’s needed, and it could also cost you in late fees, clients, or even legal penalties. Additionally, to ensure efficient project management of information security audits, organizations must analyze the availability of the key players in the engagement. For example, what holidays will impact your deadline? Are there any team member vacations scheduled during the engagement? If so, how will the workload be distributed or completed to ensure that no delays occur?

5. Utilize Your Audit Partner

Project management for information security audits may seem like a daunting task. If you feel unsure about your progress during the audit engagement, utilizing your audit partner is a great way to get back on track. At KirkpatrickPrice, our Client Success Team and experienced Audit Support Professionals are available to answer questions, provide time management help, and additional resources to ensure the successful completion of an audit engagement all year round. Unlike many other CPA firms who drop or neglect clients during the busy tax season, we won’t because we’re solely an information security auditing firm. Our clients can rest assured that if they have questions about their audit – no matter what time of year – we’ll be there to help.

Here’s the thing: whether done because it’s required or because your organization wants to be proactive, information security audits are an investment that should not be taken lightly. At KirkpatrickPrice, we’re committed to helping our clients get the most out of their investment, but our clients must understand the critical role project management plays in information security audits. Project management helps ensure the efficiency of the engagement, ensure that deadlines are met, and ensure that reports are delivered on time. Ready to get started on your audit? Want to learn more about project management for information security audits? Contact us today.


What is Network Penetration Testing?

Gartner says that by 2020, 60% of digital businesses will suffer from service failures due to their IT security teams’ inability to manage digital risk. What does this mean for your business? Is your organization defending its network from cyber threats? Are you performing network penetration testing to validate your security efforts? What is network penetration testing, and should you be doing internal or external? Let’s discuss.

Internal vs. External Network Penetration Testing

What is network penetration testing? Well, there are two types – internal and external. External threats to your network may seem more obvious than internal threats. Most organizations would agree that anything exposed to the Internet needs some form of security testing, and we recommend external network penetration testing. If an external host is compromised, it can lead to an attacker digging deeper into your internal environment. If an external device is the target of an attack, like a hacker looking for a public-facing SFTP/FTP server that stores your clients’ data, these devices must also be protected. External network penetration testing is focused on the perimeter of your network and identifies any deficiencies that exist in the controls that protect against remote attackers targeting the Internet-facing systems in your environment. When performing external penetration testing, our penetration testers mimic real scenarios as best as possible to root out all potential vulnerabilities. External network penetration testing techniques include the following:

  • Port scans and other network service interaction and queries
  • Network sniffing, traffic monitoring, traffic analysis, and host discovery
  • Spoofing or deceiving servers via dynamic routing updates (e.g., OSPF, RIP spoofing)
  • Attempted logins or other use of systems with any account name/password
  • Use of exploit code for leveraging discovered vulnerabilities
  • Password cracking via capture and scanning of authentication databases
  • Buffer overruns/underruns
  • Spoofing or deceiving servers regarding network traffic
  • Alteration of running system configuration except where denial of service would result
  • Adding user accounts

Whether it’s disgruntled workers, previously terminated employees, or someone trying to steal trade secrets, there are lots of potential internal threats. Did you know that, on average, it only takes 16 minutes before the first employee clicks on a phishing email? Even without malicious intent, simple configuration issues or employee mishaps can also result in a network compromise, leading to the majority of attacks originating from within. That’s why internal network penetration testing targets the networked environment that lies behind public-facing devices. This type of penetration test is designed to identify and exploit issues that can be discovered by an attacker who has gained access to your internal network. Internal subnets, domain servers, file servers, printers, switches – it’s all in play during internal network penetration testing. Penetration testers will assess your internal network and thoroughly look for any avenue that could lead to exploitation.

How is Network Penetration Testing Performed?

Network penetration testing at KirkpatrickPrice begins with information gathering and the reconnaissance phase, where the organization being tested will provide the penetration tester with general information about in-scope targets, plus the penetration tester collects additional details from publicly accessible sources. Our penetration testers are looking for vulnerable ports and services that will allow them to gain entry into the network, similar to an open door or window on a house that is supposed to be locked. The reconnaissance phase is crucial to thorough network penetration testing because penetration testers can identify additional information that may have been overlooked, unknown, or not provided.

Then, a vulnerability assessment is performed where our expert penetration testers utilize multiple tools to gain initial knowledge. A vulnerability assessment is not a replacement for a network penetration test, though. After interpreting those results, our expert penetration testers will use manual techniques, human intuition, and their backgrounds in network administration to attack those vulnerabilities. After the completion of the network penetration testing, you will receive a comprehensive report with narratives of where we started the testing, how we found vulnerabilities, and how we exploited them.

KirkpatrickPrice’s network penetration testing methodologies are unique and efficient because they do not rely on static techniques and assessment methods. Effective penetration testing requires a diligent effort to find enterprise weaknesses, just like a malicious individual would. Our advanced, network penetration testing methodology is derived from various sources including the OSSTMM, Information Systems Audit Standards, CERT/CC, the SANS Institute, NIST, and OWASP. Our team of highly skilled penetration testers have backgrounds specifically in systems and network administration and understand the complexities of protecting your network. This works to our advantage so that we can identify the areas that are the most difficult to defend.

What is network penetration testing and how could it defend your organization? If you want to avoid the consequences of a compromised network while working with an expert ethical hacker, contact us today.
