How NIST SP 800-115 Informs Information Security Practices

What is NIST?

The National Institute of Standards and Technology, or NIST, is an organization that is part of the U.S. Department of Commerce and has the goal of being a leader in innovation and technology by providing fair standards and solutions. The core competencies of NIST are measurement science, rigorous traceability, and development and use of standards. These core competencies influence the reliability of the information produced by the organization. As a giant in the industry, NIST has an opportunity to provide quality principles that can be used by organizations to develop secure information security practices and perform security testing.

NIST publishes documents that can be helpful in developing further strategies and methodologies that are used by information security specialists. NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment, is one of these documents that is used in planning and designing proper security processes and procedures. When it comes to penetration testing, NIST SP 800-115 is a valuable guide that can be used to influence the methodologies pen testers use when testing for organizational vulnerabilities.

Let’s Talk About NIST SP 800-115

NIST SP 800-115 is an overview on the key elements of security testing. It isn’t a comprehensive guide, but it does direct organizations on how to plan and conduct technical information security testing, analyze the findings, and develop remediation strategies. This guidance includes:

  • Security Testing and Examination Overview
    • Policies
    • Roles
    • Methodologies
    • Techniques
  • Review Techniques
    • Documentation Review
    • Log Review
    • Ruleset Review
    • System Configuration Review
    • Network Sniffing
    • File Integrity Checking
  • Target Identification and Analysis Techniques
    • Network Discovery
    • Network Port and Service Identification
    • Vulnerability Scanning
    • Wireless Scanning
  • Target Vulnerability Validation Techniques
    • Password Cracking
    • Penetration Testing
    • Social engineering
  • Security Assessment Planning
    • Developing a Security Assessment Policy
    • Prioritizing and Scheduling Assessments
    • Selecting and Customizing Technical Testing and Examination Techniques
    • Determining Logistics of the Assessment
    • Developing the Assessment Plan
    • Addressing Any Legal Considerations
  • Security Assessment Execution
    • Coordination
    • Assessment
    • Analysis
    • Data Handling
  • Post-Testing Activities
    • Mitigation Recommendations
    • Reporting
    • Remediation

The detailed guidance provides necessary explanations for many major components of security testing. Because of NIST SP 800-115, your organization can trust qualified audit firms to perform security testing that complies with a set of guidelines that is accepted across the industry.

The NIST SP 800-115 guidance is useful in providing structure to information security testing, but it is not meant to be a substitute for proper security procedures and processes. Instead, NIST SP 800-115 should be helpful in testing that your organization’s security controls are as secure as you expect them to be. For that reason, penetration testers gravitate to the principles taught in NIST SP 800-115 when developing their testing, as it gives clear guidance for seeking out vulnerabilities. To learn how you can benefit from penetration testing in your organization, contact KirkpatrickPrice today!


5 Facts to Know About CCPA

What Do You Need to Know About CCPA?

Much like the European Union’s General Data Protection Regulation of 2018, the California Consumer Privacy Act is yet another data privacy legislation that organizations must prepare for as they reexamine the way they collect, use, store, transmit, and protect data. But here’s what companies who interact with California consumers and residents must understand: while they may comply with the various other data privacy laws already being enforced, that does not mean they comply with CCPA. In fact, no matter how similar CCPA is to other data privacy laws, there are nuances between those laws to be accounted for. What does this mean for your organization? What do you really need to know about CCPA? Here are the five core components of the law.

1. What Is CCPA?

In June 2018, California Governor Jerry Brown signed into law AB 375, enacting The California Consumer Privacy Act of 2018 (CCPA). The purpose of CCPA is to give consumers more rights related to their personal data, while also requiring businesses to be more transparent about the way personal data is used and shared. Because of California’s reputation as a hub for technology development, this law speaks to the needs of its consumers which continue to evolve with technological advancements and the resulting privacy implications surrounding the collection, use, and protection of personal information. The law will go into effect on January 1, 2020. Please note that the law may be subject to legislative amendments and regulations that the California Attorney General’s Office creates. At the point of publication, the main legal requirements are:

  • Consumer rights to access, deletion, non-discrimination, and opt-out of selling data
  • Privacy disclosure (i.e. Privacy Policy requirements) related to data collection and use and disclosures
  • Vendor contract requirements
  • Implement and maintain reasonable security measures

2. Who Does CCPA Apply To?

As with GDPR’s data subjects, the law doesn’t apply only to those businesses who are located within the state of California. Instead, the law applies to certain businesses who collect, use, receive or transmit the personal data of California consumers. Specifically, CCPA applies to for-profit businesses that do business in California and that meet any of the following criteria:

  • (A) Have annual gross revenues of over $25,000,000
  • (B) Buy, sell, or share the personal information of 50,000+ consumers per year
  • (C) Derive 50% or more of their annual revenues from selling consumers’ personal information

3. Who Enforces CCPA?

The CCPA is far less ambiguous than other data privacy laws when it comes to who is enforcing the law. According to the American Bar Association, “The CCPA is enforceable both by the Attorney General for the State of California and by private litigants. However, the Act contains technical terms regarding when and how a consumer can bring a private action under the statute.”

4. What are the Penalties for Non-Compliance?

The penalties for non-compliance with CCPA depend on the entity issuing the penalty. If consumers pursue a private, class-action lawsuit, statutory damages could be between $1,000 and $3,000 or actual damages, whichever is greater. If the Attorney General issues fines for non-compliance, companies may be liable for paying fines up to $7,500 per violation. Additionally, in the event of a data breach, consumers can recover damages between $100 and $750 per consumer per incident.

5. What are the Exemptions to CCPA?

According to AB 375 Section 1798.145, there are six exemptions to complying with CCPA. Complying with the law should not hinder a business’s ability to:

  1. Comply with federal, state, or local laws
  2. Comply with civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities
  3. Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law
  4. Exercise or defend legal claims
  5. Collect, use, retain, sell, or disclose consumer information that is de-identified or aggregate consumer information
  6. Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California

When it comes to complying with CCPA, KirkpatrickPrice’s Director of Regulatory Compliance, Mark Hinely, wants organizations to know that “CCPA has already generated other state laws with similar requirements, so the time spent working on data subject rights processes and privacy policy disclosures right now could save some time in the future if and when other states or the U.S. federal government implements consumer privacy rights.” Whether it’s CCPA, GDPR, PIPEDA, or any of the other data privacy laws enacted throughout the United States and beyond, KirkpatrickPrice wants to partner with you on your compliance journey. Let’s talk about our risk assessment, consulting, or privacy audit services soon!


AWS Security for S3 and EC2

Best Practices for AWS Security

AWS brings new opportunities for businesses to innovate, build, and grow – but what about the data in the cloud? Is it protected? How likely is it to be compromised? The 2019 Cloud Adoption and Risk Report from McAfee reports that the sharing of sensitive data in the cloud is increasing 53% year-over-year. The average enterprise generates over 3 billion events every month in the cloud and uses 1,935 different cloud services, giving malicious attackers ample opportunity to find, steal, and sell the data you are responsible for. This means that organizations must do everything in their power to implement AWS security and safeguard personal information. Where should you begin? Let’s discuss some of the basic security practices for S3 and EC2. These are extremely complicated subjects, but let’s make a starting point for your AWS security strategy with the following best practices.

Protecting S3 Buckets

S3 buckets are a major component of using AWS, but they’re also a major security concern. McAfee reports that 5.5% of all AWS S3 buckets that are in use are misconfigured and publicly readable. Why? S3 buckets are extremely complex, and anything that is complex is harder to secure. Randy Bartels, Vice President of Security Services at KirkpatrickPrice, comments, “AWS has an obligation to make it less complex, and users have an obligation to understand the complexity and make sane choices in setting up policies.” How can you be sure your S3 buckets align with best practices for AWS security?

  • Does your organization have IAM policies? This will give you a way to manage permissions for digital identities. IAM best practices include policies that outline strong password requirements, key rotation every 90 days or less, role-based access controls, and MFA.
  • Are permissions based on the principle of least privilege? Users should only be allowed to access data that is necessary to perform their job duties.
  • Does your organization have S3 bucket policies? These will define access or grant access to specific buckets and objects.
  • Do any of your S3 policies allow a wildcard identity or action?
  • Does your organization use block public access properly?
  • Are access control lists made? Make sure that you’re aware if they have the capability to provide any type of access to “Everyone” or “Any authenticated AWS user.”
  • Does your organization use S3 access logs? Do you analyze user behavior based on logs?
  • Is sensitive data in S3 encrypted at rest?
  • Is inbound and outbound data traffic encrypted?
  • How do you implement SSE? Does your S3 encryption strategy utilize SSE-S3, SSE-KMS, or SSE-C?
  • Are the responsible personnel knowledgeable about S3 versioning and S3 lifecycle policies?
  • Does your organization monitor actions taken on buckets and objects? Making your monitoring program a priority will help solve small problems or risks before they become a much larger incident.
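Several of the questions above (wildcard identities or actions in bucket policies, public access, and whether the encryption strategy is actually enforced) can be answered by reading the bucket policy document itself. The script below is an added example, not code from KirkpatrickPrice or from AWS: it audits a bucket policy JSON for an `Allow` to a wildcard principal, a wildcard action, and the absence of a statement that denies unencrypted `PutObject`. Both policies are constructed samples (the bucket name, account id and role name are placeholders), and `audit_bucket_policy` is a hypothetical helper, not an AWS API. The weak policy is shown beside a hardened one scoped to a single role and read-only.

```python
"""Audit an S3 bucket policy document against the checklist above.

Added example: not KirkpatrickPrice's or AWS's code. Policies are
constructed samples; audit_bucket_policy is a hypothetical helper.
"""
import json

# Constructed sample: wildcard principal plus wildcard action == public, full control.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}
    ]
})

# Constructed sample: one named role, read-only, and uploads without SSE are refused.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ]
})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for "*" or {"AWS": "*"}, the two spellings of 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for vals in principal.values() for p in _as_list(vals))
    return False


def audit_bucket_policy(policy_json):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    policy = json.loads(policy_json)
    denies_unencrypted = False
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        effect = stmt.get("Effect")
        actions = _as_list(stmt.get("Action", []))
        principal = stmt.get("Principal", {})
        if effect == "Allow":
            if _principal_is_wildcard(principal):
                # A Condition may narrow this (e.g. to a VPC endpoint); still flag for review.
                findings.append(f"{sid}: Allow to wildcard principal (public access)")
            if any(a in ("*", "s3:*") for a in actions):
                findings.append(f"{sid}: wildcard action grants every S3 operation")
        elif effect == "Deny" and "s3:PutObject" in actions:
            # The Null condition on the SSE header rejects any upload that omits it.
            null_cond = stmt.get("Condition", {}).get("Null", {})
            if null_cond.get("s3:x-amz-server-side-encryption") == "true":
                denies_unencrypted = True
    if not denies_unencrypted:
        findings.append("no statement denies unencrypted PutObject (SSE not enforced by policy)")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_bucket_policy(policy) or ["no findings"])
```

A bucket policy is only one of the controls the checklist names: object ACLs and the account- and bucket-level Block Public Access settings can grant or deny access independently of it, and default bucket encryption is the other way to satisfy the encrypted-at-rest question, so a clean policy audit is a necessary check rather than a sufficient one.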

Protecting EC2 Instances

AWS outlines 5 key areas for baseline configuration that will secure EC2 instances, which include:

  • Least access
  • Least privilege
  • Configuration management
  • Change management
  • Audit logs

These aren’t new security concepts by any means, but they are ones that are incredibly important in AWS security. In addition to those baseline areas, you must consider the following questions when protecting EC2 instances:

  • Does your encryption strategy address protecting your data in EC2? It should address when, how, where, and what data is encrypted.
  • Do you collect IP traffic from VPC flow logs?
  • What do you do to manage access keys and key pairs?
  • Do IAM policies related to EC2 follow a “need to know” basis?
  • Is inbound and outbound traffic controlled through Security Groups?
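The "least access" baseline and the last question above come down to what the security group ingress rules actually expose. The script below is an added example, not KirkpatrickPrice's or AWS's code: it takes ingress rules in a simplified shape (constructed here inline rather than pulled from the API) and reports any rule that opens a non-web port, or every port, to the whole Internet. `audit_ingress` and `PUBLIC_OK_PORTS` are hypothetical names, and treating only 80 and 443 as acceptable public ports is an assumption you would adjust per workload.

```python
"""Flag EC2 security group ingress rules that violate least access.

Added example: not KirkpatrickPrice's or AWS's code. Rules are a
constructed sample; audit_ingress is a hypothetical helper.
"""
import ipaddress

# Constructed sample rules; "-1" is how AWS expresses "all protocols".
SAMPLE_RULES = [
    {"group": "web-sg", "protocol": "tcp", "port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"},
    {"group": "web-sg", "protocol": "tcp", "port_from": 22, "port_to": 22, "cidr": "0.0.0.0/0"},
    {"group": "db-sg", "protocol": "tcp", "port_from": 3306, "port_to": 3306, "cidr": "10.0.1.0/24"},
    {"group": "legacy-sg", "protocol": "-1", "port_from": 0, "port_to": 65535, "cidr": "::/0"},
]

# Assumption: only standard web ports may be reachable from anywhere.
PUBLIC_OK_PORTS = frozenset({80, 443})


def is_world_open(cidr):
    """A /0 prefix (IPv4 or IPv6) means 'every address on the Internet'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ingress(rules, public_ok_ports=PUBLIC_OK_PORTS):
    """Return (group, description) pairs for rules open to the world beyond the allowed ports."""
    findings = []
    for rule in rules:
        if not is_world_open(rule["cidr"]):
            continue  # scoped to a specific network; least access holds for this rule
        all_ports = rule["port_from"] == 0 and rule["port_to"] == 65535
        if rule["protocol"] == "-1" or all_ports:
            findings.append((rule["group"], "all ports/protocols open to the world"))
            continue
        exposed = set(range(rule["port_from"], rule["port_to"] + 1)) - set(public_ok_ports)
        if exposed:
            findings.append((rule["group"], f"ports {sorted(exposed)} open to the world"))
    return findings


if __name__ == "__main__":
    for group, detail in audit_ingress(SAMPLE_RULES):
        print(f"{group}: {detail}")
```

The same rules are what VPC flow logs let you verify after the fact: a flow log entry showing accepted traffic to port 22 from an unexpected source is the runtime symptom of the second sample rule, so the static audit and the log review answer the two questions together.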

Who Should Perform Your Cloud Audit?

Just like any type of technology or IT operation, the security of your service needs to be validated by a third party, whether that is through a SOC 2 attestation, penetration testing, consulting, or another form of security testing.

When choosing who should perform an audit of your AWS environment and controls, you need to focus on finding an auditor who is also a cloud expert. Because cloud technology is new and evolving, the industry lacks best practices that are known and understood. AWS does a good job at distributing best practices for security, but you want to hire an auditing firm that does thorough testing and has auditors that understand how AWS works.

If you don’t feel ready for an audit but want to begin your own AWS security practices, AWS has developed many security tools to help you achieve secure environments. AWS security is just as important to AWS as it is to customers. These tools can help you achieve best practices for cloud security, automate security assessments, give alerts for security incidents, and assess data security requirements to verify the security and compliance of cloud solutions. Amazon CloudWatch, Amazon Inspector, and AWS CloudTrail are a few examples.

At KirkpatrickPrice, we hire technologists, then train them to be auditors – and this increases the value and quality of our AWS audits. Any auditor from KirkpatrickPrice who’s performing a cloud audit understands cloud computing and technology and proves it through certifications like CCSK or CCSP. Contact us today to begin security testing for your AWS environment.


Finding and Mitigating Your Vulnerabilities Through OWASP

What is OWASP?

The Open Web Application Security Project, or OWASP, is an open, online community that provides free tools and documentation to anyone interested in improving insecure software and in developing, operating, and maintaining secure software. OWASP is a not-for-profit organization, with no affiliation to any company, making it a popular methodology to rely on.

OWASP’s core values are: open, innovation, global, and integrity. OWASP prides itself on being a transparent organization that supports innovation and information security solutions with honesty and truth for any person in the world to access. These principles create an atmosphere of trust and confidence in the quality of information that OWASP provides. Organizations can rely on OWASP to offer tools that help them make informed decisions regarding secure software. OWASP is an incredible resource to learn how to properly mitigate your risks in terms of software development.

OWASP’s Top 10

OWASP’s “Top 10” is one of their most well-known projects, relied upon by many developing secure software and systems. The Top 10 projects document the industry’s consensus on the most critical security risks in specific areas, from web applications to APIs. These lists are especially helpful for organizations that are looking to develop secure code and software. OWASP’s Top 10 security risks for web applications, mobile applications, IoT devices, and APIs include the following:

  • Web Application Risks
    • Injection Flaws
    • Broken Authentication Methods
    • Sensitive Data Exposure
    • XML External Entities (XXE)
    • Broken Access Controls
    • Security Misconfigurations
    • XSS Flaws
    • Insecure Deserialization
    • Using Components with Known Vulnerabilities
    • Insufficient Logging & Monitoring
  • Mobile Application Risks
    • Improper Platform Usage
    • Insecure Data Storage
    • Insecure Communication
    • Insecure Authentication
    • Insufficient Cryptography
    • Insecure Authorization
    • Client Code Quality
    • Code Tampering
    • Reverse Engineering
    • Extraneous Functionality
  • IoT Risks
    • Weak or Hardcoded Passwords
    • Insecure Network Services
    • Insecure Ecosystem Interfaces
    • Lack of Secure Update Mechanism
    • Use of Insecure or Outdated Components
    • Insufficient Privacy Protection
    • Insecure Data Transfer and Storage
    • Lack of Device Management
    • Insecure Default Settings
    • Lack of Physical Hardening
  • API Risks
    • Missing Object Level Access Control
    • Broken Authentication
    • Excessive Data Exposure
    • Lack of Resources and Rate Limiting
    • Missing Function/Resource Level Access Control
    • Mass Assignment
    • Security Misconfiguration
    • Injection
    • Improper Assets Management
    • Insufficient Logging and Monitoring

While these lists include an overwhelming number of risks to be aware of, they are helpful in determining what type of penetration testing your organization might consider, what risks to prioritize during remediation, and how to further develop secure software. OWASP is used by penetration testers, whether internal to your organization or a third party, to stay in tune with common vulnerabilities they should be looking for in your systems, devices, and environment.

How Does Penetration Testing Help You Mitigate Your Risks?

What can your organization do with the knowledge of these common risks and vulnerabilities? You’re already ahead of the game by understanding OWASP’s Top 10 Security Risks and seeking to better your information security processes, but you can take your proactive work a step further by investing in penetration testing that helps you build secure software and mitigate your risks. When your organization hires a penetration tester to manually attack your vulnerabilities and provide an extensive report on the details of your security testing, you can better understand your weaknesses and how they can be exploited.

OWASP influences the penetration testing methodology at KirkpatrickPrice so that we stay at the top of the industry in quality and information security knowledge to provide your organization with a guided path to secure software. Contact us today if you’re ready to take the next step to securing your applications.


Pen Testing After a Significant Change

Penetration testing, or pen testing, is a proactive way that organizations can improve their security hygiene and assure their clients that the products and services they provide are as secure as possible. While many enterprises rely on internal audit teams to test the security of their networks, applications, and devices, undergoing third-party penetration testing is a surefire way to identify overlooked or unknown vulnerabilities, find remediation strategies and guidance, and gain peace of mind. But because pen tests are oftentimes merely a suggestion, as with HIPAA, or are only required annually, as with the PCI DSS, organizations overlook the value of undergoing pen testing after a significant change is made.

What Constitutes a Significant Change?

Think about the many components of your organization’s security infrastructure: software, hardware, networks, and even your personnel. How often are updates made to your software? How frequently do you replace hardware? What does your organization’s turnover rate look like? The goal of pen testing is to identify vulnerabilities in your IT infrastructure, which is constantly changing. When a significant change occurs, like developing a new web application, implementing a new smart security system, or having a senior-level executive retire, penetration tests are needed to account for any new risks or vulnerabilities that may be introduced.

Examples of Significant Change

Example 1: Updating Code in a Web Application

According to Verizon’s 2019 Data Breach Investigations Report, “Web application breaches made up nearly 30% of all breaches in 2018.” This should come as no surprise – nearly every organization uses web applications to provide or conduct business, and no matter if they are public-facing or exist on an intranet, they’re susceptible to many cyber threats like SQL injection, DoS, brute-force attacks, or malware. Let’s say that a director of IT has instructed her team to implement and deploy new code. While this code may be developed with security in mind and may go through ample security testing, there could still be undiscovered vulnerabilities. By undergoing pen testing and code review after developing the new code, organizations can rest assured that they performed their due diligence to make sure that the improved web application is secure.

Example 2: Introducing New IoT Devices

IoT devices have made daily tasks easier – from making coffee in the morning to securing your office building. But how might these devices compromise your organization’s security hygiene? Even the smallest, seemingly non-threatening IoT device could cause the demise of your organization if a malicious hacker used it to gain unauthorized access to your network. For instance, let’s say that your coworker brought in a smart picture frame – one that connects to your organization’s WiFi network to display images from your coworker’s phone. Seems pretty harmless, right? Now, if everyone in your organization did something similar, there would be multiple, seemingly non-threatening attack vectors that a malicious hacker could exploit. In scenarios like this, having a robust information security program, thorough internal auditing, and third-party continuous pen testing would be useful to discover new vulnerabilities the IoT devices may introduce.

Example 3: Accounting for Personnel Changes

Major changes to personnel can greatly impact your organization’s security hygiene. If a CISO or CTO leaves, how would that impact the entire IT department? If a developer or network administrator resigns, how would their responsibilities be covered or reassigned? Does the culture of compliance stay intact? Personnel changes are just as likely to introduce new risks into your environment, and undergoing continuous pen testing can help account for those changes.

How Can Continuous Pen Testing Help?

Undergoing annual penetration testing is a great first step for improving your organization’s security hygiene, but to really get the most out of your investment in pen testing, you should consider partnering with a third-party firm like KirkpatrickPrice to conduct continuous pen tests. Why? Because changes happen every day, and malicious hackers won’t give you an opportunity to fix the vulnerabilities those changes introduce before they exploit them. By investing in third-party continuous pen testing, organizations like yours will not only gain objective insight into the security of your IT infrastructure on a regular basis, receive actionable remediation steps to mitigate vulnerabilities, and maintain compliance, but you’ll also be able to leverage your commitment to security and give your customers peace of mind that your organization is doing everything it can to remain secure.

Businesses today are rapidly adopting new technologies, but are they staying ahead of the latest threats? Ask yourself if your organization is doing everything you can to prevent a data breach or security incident when the next significant change occurs. Not sure if you are? Contact us today to find out how KirkpatrickPrice’s penetration testing services can help.
