How Can Penetration Testing Protect Your Assets?

Every business has something to lose. But…who loses sleep over it? Whose job is on the line if assets are compromised? Who cares about protecting their assets? In recent data breaches, some companies just haven’t shown the expected response when their assets were compromised. Take Uber, for example. The core of Uber’s business is drivers and riders, yet they covered up a hack for over a year. Hackers stole 57 million credentials through a third-party cloud-based service, and Uber paid to cover it up. Uber knew they’d face major backlash when the cover-up was exposed, because they hadn’t protected their assets.

How can organizations protect their assets? Investing in penetration testing is one way to show clients, prospects, and competitors that you are willing to protect your assets and that you recognize the value of your assets. The value of penetration testing comes from the value of your assets, not the size of your company.

What Type of Assets Do You Protect?

In any industry, there are assets that need to be protected. You may not think that your organization has a “security issue,” but third-party validation through penetration testing can either confirm or refute that. Cardholder data, Social Security numbers, protected health information, access credentials, intellectual property – businesses across industries need to recognize how penetration testing can protect their assets.

  • Casinos – The gaming industry has earned a reputation for strict, effective physical security. As technology advances, though, so should cybersecurity. If a casino is connected to a hotel, are the networks segmented appropriately? If not, a hacker may have found a way into the casino’s gaming network. From there, they could have access to the security cameras, the ability to manipulate odds, see payout information for each machine, alter rewards information, or worse.
  • Hotels – Cardholder data, passport information, rewards numbers, room information, security systems, and more could be compromised if a hotel is hacked. The Marriott hack exposed in 2018 is now one of the largest known thefts of personal records in history. When Marriott’s Starwood reservation system was breached, the personal data of up to 500 million guests was compromised.
  • Pharmaceutical – Production and development, intellectual property, operations, clinical trials, and laboratory results can be impacted when the pharmaceutical industry is targeted by cyberattacks. When pharma giant Merck was hit by NotPetya, it disrupted their operations across the world and production of new drugs, ultimately costing them over $600 million in 2017.
  • Utilities – The threat of power grids being attacked by nation states is becoming more real every day. In 2018, the DHS linked Russia to hacking US power suppliers and publicly spoke about the cyberattacks to warn and prepare other energy suppliers.
  • Data Centers – Whatever data is stored in a data center is under threat. Any insecure access point, like security systems, power supply, security cameras, or HVAC systems, is fair game to a hacker.
  • Retail – Cardholder data is the major asset of any retailer. The infamous 2013 Target hack is a nightmarish example of just how much data a retailer is responsible for. The compromised cardholder data of 40 million shoppers led to an $18.5 million settlement for Target.
  • Airlines – Passport details, passenger itineraries, rewards information, cardholder data, flight schedules, and the safety of passengers are things that could be compromised if an airline is hacked. Fortunately, no travel or passport details were revealed in British Airways’ 2018 data breach, but 380,000 transactions were compromised due to digital skimming on the airline’s website and app.
  • Telecommunications – Because telecom providers communicate, transmit, and store sensitive data, they are a target for cyberattacks. Telecom providers also have attacks coming from two sides: directly to their organization’s network and indirectly through their users. There are new channels of attack with every advance in technology.
  • Auto – As automakers incorporate more technology into vehicles and self-driving cars become a reality, the threat of cyberattacks on vehicles is very real. Locks, brakes, volume, AC, acceleration – it’s all been proven to be hackable.
  • Education – Educational institutions hold not only attendance and grade records, but Social Security numbers, cardholder data, billing addresses, and many other forms of personal data. Understaffed universities that hold expensive research have a target on their backs. A data breach in the education industry costs $166 per capita, according to the Ponemon Institute.
  • Insurance – Cardholder data, protected health information, and other sensitive data are assets given to insurers through websites and apps, making the insurance industry a target for cyberattacks.
  • Public Sector – 44% of local governments face cyberattacks daily. The City of Atlanta’s ransomware attack was an unfortunate example of just how vulnerable cities are to cyber threats and how much it costs for a city to recover.
  • Banking – Social Security numbers, credit information, PINs, cardholder data, mailing addresses, email addresses, account balances – it’s all available to banks. In 2014, JPMorgan Chase was the victim of a hack that left half of all US households compromised, one of the largest thefts of consumer data in US financial institution history.
  • Hospitals – Protected health information, security systems, expensive research and prototypes, drugs, scheduling information, and operations of facilities are all assets that a hacker could hope to compromise through cyberattacks. Ransomware attacks are extensive in healthcare for this very reason. No hospital wants their computers, elevators, locks, medical devices, or HVAC system held hostage.

Seeing some similarities here? Any industry can benefit from penetration testing. Any service provider would be embarrassed to sell something that isn’t secure. Any healthcare organization on the HHS’ “wall of shame” will be used as an example of what not to do. Any payment processor’s reputation would be tainted by compromised cardholder data. No matter the industry, organizations need to protect their assets. What is the value of your assets?

How Can Organizations Use Penetration Testing to Protect Their Assets?

Penetration testing can be used to determine how vulnerable your assets are. It puts your security intelligence in your own hands instead of a hacker’s. It shows your security strengths and weaknesses, then allows you to prioritize your risk levels. If you have compliance requirements, then penetration testing helps align your organization’s security with those requirements. If you do not have compliance requirements, penetration testing is a proactive way to see and analyze the holes in your security posture. Because penetration testing is a simulated yet real-world exercise, it also gives your team a chance to work through true “what if” scenarios, practice incident response, and, hopefully, avoid the downtime that a breach would cost in the future.

Consider all types of penetration testing and consult with a qualified consulting firm to decide which would be most beneficial for protecting your assets. Internal or external network penetration testing, web application penetration testing, API testing, mobile app penetration testing, code review, social engineering – there are many options that could be useful to your organization’s security efforts.

If you’re questioning whether or not penetration testing would be appropriate for a business of your size or in your specific industry, remember to consider the value of your assets. The value of penetration testing comes from the value of your assets, not the size of your company or your industry.

If your default belief is that we, as an auditing firm, do not employ in-house penetration testers, let us make it clear: we do. We recognize the value of your assets and want to help you find your vulnerabilities and correct them. Contact us today to learn more about our penetration testing services.


PCI DSS Compliance: What Do SAQ, AoC, and RoC Mean?

The Payment Card Industry Data Security Standard, or PCI DSS, was established as a standard security requirement for all entities that store, process, or transmit cardholder data. PCI DSS compliance helps to demonstrate your security commitment and assure your clients that their cardholder data is protected. When you engage in a PCI DSS audit, you’re testing your organization’s systems and processes against 12 technical and operational requirements made up of nearly 400 individual controls established by the PCI Security Standards Council to protect cardholder data.

There are three parts to a PCI DSS audit, and your organization’s merchant level plays a part in determining what you need from one. Let’s take a look at the distinctions between a PCI DSS Self-Assessment Questionnaire (SAQ), Attestation of Compliance (AoC), and Report on Compliance (RoC).

What is a PCI SAQ?

The PCI Self-Assessment Questionnaire is a tool used to document an organization’s self-assessment of its security practices concerning cardholder data. There are nine different SAQ types, and which one applies to an organization depends on how it processes, handles, and stores cardholder data:

  1. SAQ A
  2. SAQ A-EP
  3. SAQ B
  4. SAQ B-IP
  5. SAQ C-VT
  6. SAQ C
  7. SAQ P2PE-HW
  8. SAQ D for Merchants
  9. SAQ D for Service Providers

These questionnaires help to determine which PCI DSS compliance requirements apply to your organization and how your current systems align with those security requirements. Although each of the SAQ types has different goals, your organization can evaluate which applies best to you so that you can obtain an AoC.

At KirkpatrickPrice, we offer guidance to help your organization work through your SAQ and ensure all of your yes/no answers are accurate according to your security systems. Even with a self-assessment, you’re not alone!

What is a PCI AoC?

The PCI Attestation of Compliance (AoC) is just that: an attestation completed by a Qualified Security Assessor (QSA) that states an organization’s PCI DSS compliance status. An AoC is documented evidence that an organization has upheld security best practices to protect cardholder data. Basically, an AoC is a written representation that your organization has completed the applicable SAQ and been verified by a QSA.

If your organization is a merchant, the requirements for a SAQ, AoC, and RoC vary depending on your PCI level of compliance. We’ve written an introduction on the 4 PCI merchant levels for you to refer to when determining your own level of compliance. Similarly to the SAQ, there are different versions of the AoC, which coincide with the versions of the SAQ. Whichever version of the SAQ your organization completes, the corresponding version of the AoC is the one you will use.

What is a PCI RoC?

A PCI Report on Compliance (RoC) is issued by a QSA and details an organization’s security posture, environment, systems, and protection of cardholder data. The RoC is developed through a thorough assessment completed by a QSA that includes an onsite audit and review of controls. After an auditor tests your controls and obtains documentation of your processes, a summary of findings is developed which culminates in a final RoC.

Every RoC is organized according to the PCI Security Standards Council’s specifications for a qualified RoC, which are derived from the RoC Reporting Template provided to all QSAs. This standardized reporting allows your organization to provide every stakeholder, client, or interested party with a clear representation of your PCI compliance status.

If you’re overwhelmed or confused by the PCI audit process, KirkpatrickPrice experts are here to help! Whatever your PCI objectives are, we want to partner with you to help you achieve your compliance goals. Call us today to talk with an expert and start your PCI compliance journey.