What are the Stages of Penetration Testing?

If your organization or technology hasn’t gone through a penetration test or security testing before, you may not know what to expect. Even if you have, maybe you’re wondering what KirkpatrickPrice’s methodology and stages of penetration testing are. Once you know what to expect, you can probably reap the benefits of the process a bit more. At KirkpatrickPrice, there are seven stages of penetration testing. Let’s discuss each one so your organization can be prepared for this type of security testing.

7 Stages of Penetration Testing

  1. Information Gathering: The first of the seven stages of penetration testing is information gathering. The organization being tested provides the penetration tester with general information about the in-scope targets.
  2. Reconnaissance: KirkpatrickPrice uses the information gathered to collect additional details from publicly accessible sources. The reconnaissance stage is crucial to thorough security testing because penetration testers can identify additional information that may have been overlooked, unknown, or not provided. This step is especially helpful in internal and/or external network penetration testing; however, we don’t typically perform this reconnaissance in web application, mobile application, or API penetration testing.
  3. Discovery and Scanning: The information gathered is used to perform discovery activities that determine, for example, which ports and services are available on the targeted hosts, or which subdomains exist for the web applications in scope.
  4. Vulnerability Assessment: A vulnerability assessment is conducted in order to gain initial knowledge and identify any potential security weaknesses that could allow an outside attacker to gain access to the environment or technology being tested. A vulnerability assessment is never a replacement for a penetration test, though.
  5. Exploitation: This is where the action happens! After interpreting the results from the vulnerability assessment, our expert penetration testers will use manual techniques, human intuition, and their backgrounds to validate, attack, and exploit those vulnerabilities.
  6. Final Analysis and Review: When you work with KirkpatrickPrice on security testing, we deliver our findings in a report format. This comprehensive report includes narratives of where we started the testing, how we found vulnerabilities, and how we exploited them. It also includes the scope of the security testing, testing methodologies, findings, and recommendations for corrections. Where applicable, it will also state the penetration tester’s opinion of whether or not your penetration test adheres to applicable framework requirements.
  7. Utilize the Testing Results: The last of the seven stages of penetration testing is the one that delivers the value. The organization being tested must actually use the findings from the security testing to risk-rank vulnerabilities, analyze the potential impact of the vulnerabilities found, determine remediation strategies, and inform decision-making moving forward.

KirkpatrickPrice security testing methodologies are unique and efficient because they do not rely on static techniques and assessment methods. Effective penetration testing requires a diligent effort to find enterprise weaknesses, just like a malicious individual would. We’ve developed these seven stages of penetration testing because we’ve proven that they prepare organizations for attacks and fix areas of vulnerability. If you want to avoid the consequences of compromised technology while working with an expert ethical hacker, contact us today.


6 Steps of a PCI Audit

To protect the security of cardholder data, the PCI Security Standards Council requires organizations that work with payment cards to maintain compliance with the PCI DSS. If you’re an entity that stores, processes, or transmits cardholder data, you may be asking QSA firms, “How do you conduct a PCI audit?” At KirkpatrickPrice, we take a six-step approach in the PCI audit process to help your organization gain PCI compliance.

1. Gap Analysis

How do you conduct a PCI audit? Before you begin a PCI audit for the first time, we recommend going through a gap analysis. A gap analysis helps to identify any administrative, physical, and technical gaps in your information security program, specifically in the way that you handle cardholder data. Going through a gap analysis allows our senior-level QSAs to understand your business and your level of readiness for a PCI audit. The gap analysis is an important step towards PCI compliance because your QSA can create remediation strategies that will guide you through the PCI audit process and towards compliance. Next, your organization will move on to remediate the findings from the gap analysis.

2. Remediation

Are you worried that after a gap analysis, you’ll be left to mitigate areas of non-compliance on your own? Not when you partner with KirkpatrickPrice on a PCI audit. Now that your organization understands its administrative, physical, and technical gaps, a QSA from KirkpatrickPrice will work to develop a detailed remediation plan with findings from the gap analysis and recommendations on proper ways to mitigate areas of non-compliance. The remediation step in the PCI audit process will help your organization to recognize its gaps and remediate those areas for a smoother path towards PCI compliance.

3. Scoping and Planning

You’ve been through weeks of remediation work; what’s next? It’s time to start the PCI audit by verifying the scope of the engagement. We will work with your organization to analyze your services, geographic locations, payment applications, third parties, and other system factors to develop an accurate scope for the PCI audit. The narrower the scope, the more accurate and efficient your PCI audit process will be, so we aim for a detailed and defined scope. The scoping and planning stage prepares the entire engagement team to move to the next step of gathering information.

4. Gathering

At KirkpatrickPrice, we will collect your policies, procedures, and other documentation needed for your PCI audit through the Online Audit Manager. Alongside your designated Audit Support Professional and QSA, you will begin answering questions and describing systems relating to your organization’s internal controls. The Online Audit Manager provides a platform that streamlines the PCI audit process and aids you in completing 80% of the PCI audit before one of our senior-level QSAs even visits your office for an onsite visit. Gathering and preparing data beforehand gives you the opportunity to be more effective with time and communication during your onsite visit.

5. Onsite Visit

How do you conduct a PCI audit? An onsite visit is probably what you envision when thinking about a stereotypical audit. Onsite visits during the PCI audit process are important not only for testing internal controls that cannot be accurately tested remotely, but also for seeing your people and technology in action. We are putting our name, our reputation, and our firm’s reputation on the line when we issue a report – we take that responsibility seriously, and onsite visits are a major part of that responsibility. During the onsite visit, a senior-level QSA, who has been partnered with you throughout the PCI audit process, will observe and test your organization to determine if your processes meet the 12 requirements of PCI compliance.

6. Report Delivery

The final step in the PCI audit process is receiving a Report on Compliance (RoC), which provides you with a detailed report on the results of your PCI audit. To generate RoCs, KirkpatrickPrice has a team of Professional Writers, trained and knowledgeable about the PCI DSS, who write high-quality reports. Your report will also go through our Quality Assurance processes to ensure it meets our quality standards. You can take a deep breath knowing your PCI audit was performed by a QSA and a firm that is committed to your organization’s compliance success!

Bonus: How to Market Your PCI Compliance

Going through the PCI audit process can do more than assure your clients that their sensitive data is protected; PCI compliance can also be a powerful tool for your sales and marketing team. How do you take your PCI compliance and market it to prospects and clients? When you work with KirkpatrickPrice, you will receive a complimentary press kit that includes compliance logos, the writing and distribution of a press release announcing your recent PCI compliance, copy to use in marketing materials, and advice on how to best market your PCI compliance achievements.

How do you conduct a PCI audit? Now you know how we perform PCI audits at KirkpatrickPrice. Are you ready to work with a QSA firm that partners with you throughout the PCI audit process? Contact us today!


Leveraging Information Security as a Competitive Advantage

When organizations come to us to pursue their information security goals, we make sure they know all the benefits of compliance accomplishments. This ranges from avoiding fines and answering to regulatory bodies to protecting and strengthening your business. What we want more organizations to take advantage of, though, is leveraging information security as a competitive advantage. How do you do that?

How Can You Use Information Security as a Competitive Advantage?

Information security efforts do more than assure your clients that their sensitive data is protected. When you partner with an audit or penetration testing firm that educates you and performs quality-driven assessments, your sales and marketing teams will learn how powerful compliance can be.

There are several marketing benefits to achieving compliance. It gives you an opportunity to display and explain the value of your compliance accomplishments, establishes your brand as one that’s committed to privacy and security, and gives you a competitive edge. There are many ways to use compliance as a marketing and branding tool. Is your organization using information security as a competitive advantage in these ways?

  • Marketing your product as reliable and secure, with an audit report to show for it.
  • Adding a landing page to your website that outlines all of your compliance achievements and goals.
  • Incorporating a compliance logo into company email signatures.
  • Using compliance logos on your company’s branded presentation templates.
  • Producing materials for conferences that highlight your information security program.
  • Distributing a press release announcing each audit report that you receive.
  • Publishing a blog post or a series of blog posts that outlines your compliance journey, like our client Paubox recently did with their HITRUST journey.

Educating Your Sales and Marketing Teams on Information Security as a Competitive Advantage

Does your competition have the same audit report that you do? Do they have the same information security standards that you do? Do they undergo penetration testing? If not, you’re ahead of the game. Your competitors are very likely considering how to accomplish challenging compliance expectations, and when you’re proactive about establishing an information security program, it will pay off. You can close deals that rely on SOC 2 attestations, you can go after business that requires GDPR compliance, you can expand your services to the healthcare industry through HIPAA compliance; the opportunities are endless when you can demonstrate that you care about your customers’ data and have the evidence to prove it.

Leveraging information security as a competitive advantage does require some extra work, though. Does your sales and marketing team understand or even know about all the effort that went into an audit? You need to take steps to educate your sales and marketing team on what types of audits you’ve been through so that they can explain the value of your information security program to prospects. When your team can have sales conversations that relay why your service is more secure than a competitor’s, you are fully utilizing all the work that went into your compliance accomplishments.

After going through a SOC 2 Type II audit at KirkpatrickPrice, Unqork’s CISO told us, “We want to be able to tell our clients and our clients’ customers that the framework that we’ve built and the design or architecture that we’ve built is as secure as is available on the market because that builds a lot of confidence and meets industry requirements. We knew that the sooner we could close that gap and prove to our customers and prospects that we’ve rolled out an information security program, thought about the processes and procedures, and considered privacy laws and requirements around the globe, that opens the door to more conversations and builds confidence in Unqork as a vendor.”

How KirkpatrickPrice Helps

We always recommend that our clients leverage information security as a competitive advantage and strive to help find creative ways to do so. When clients complete an audit with us, we’re dedicated to helping them find the best way to market their compliance. We offer our clients a complimentary press kit that includes compliance logos, the writing and distribution of a press release announcing their recent compliance accomplishment, copy to use in various marketing materials, and advice on how to best market their focus on information security. Want to learn more about how to leverage your compliance accomplishments as a competitive advantage? Contact us today.


How Do I Find a QSA For My PCI Audit?

Are you a merchant, service provider, or sub-service provider who stores, processes, or transmits cardholder data? Going through a PCI audit for the first time? Your organization will need an individual who can help you maintain PCI compliance and provide you with a high-quality PCI audit. Who can do that? A Qualified Security Assessor (QSA). In fact, a QSA is the only individual who can deliver a PCI RoC for your organization. Without hiring a company that has a certified QSA, you won’t be able to meet your PCI compliance requirements and are at risk for additional data threats. You know you need a QSA, but where should you start? Let’s begin by defining what you’re looking for when choosing a QSA.

What is a QSA?

A QSA is an individual who is certified with qualifications from the PCI Security Standards Council that can test and prove an organization’s compliance with PCI DSS standards. A security expert who holds the QSA certification is highly esteemed as a credible source for reviewing compliance activities. You can find a real QSA that will lead you on the path towards PCI compliance through the PCI SSC. The PCI SSC provides a detailed list of all QSA companies and individuals, but choosing a QSA takes more effort than simply searching a list.

Choosing a QSA That’s Right for You

Finding a list of QSAs may be straightforward, but choosing the best QSA for your organization is a more difficult choice. There is more to choosing a QSA than finding a company with the correct certification.

  • The best QSA for your PCI audit must understand your organization, what you do, the technologies you use, and your industry.
  • To get the most out of your journey to PCI compliance, you want an experienced QSA, not a junior auditor.
  • You need to find a QSA that can meet your needs. Do you have a quick turnaround time? Does the company fit your budget? Are they equipped to handle your specific scope? Can they handle visiting your third parties?
  • Do you need a gap analysis before going through the audit? The right QSA for your organization is one that provides you with remediation guidance and prepares you for the upcoming audit.
  • Do you need to go through multiple audits? Choosing a QSA that will benefit you by offering multiple services and gap analyses along with your PCI audit is necessary!

What to Look Out for When Choosing a QSA

You may hear from an auditing firm that they are qualified to complete your PCI audit, but if they’re not a QSA on the list from the PCI SSC, they’re most likely outsourcing the project. The last thing you need when working towards PCI compliance is a company that leaves the security validation to a third party. They may even misrepresent their PCI services because they want to get your business in another auditing or service area, such as SOC 2 or penetration testing. What’s more, companies will often claim to be a QSA when they only have PCI Professionals (PCIPs). PCIPs are valuable to the PCI audit process, but they lack the certification necessary to properly audit your organization for PCI compliance. You need to watch out for these possible misrepresentations when you’re choosing a QSA.

Choosing KirkpatrickPrice as Your QSA

At KirkpatrickPrice, we pride ourselves on providing a quality QSA experience that gives your organization a streamlined PCI audit experience. How do we do it? We partner with you to learn about your organization, your processes, your technologies, and your industry to ensure the scope of your engagement is accurate. We utilize our Online Audit Manager to guide you through the audit control objectives and help you complete your audits together at the same, qualified firm. We work hand-in-hand with your information security team on remediation strategies to make sure that you get the most out of your audit. In addition, many of our audit support professionals, technical writers, and quality assurance personnel have the PCIP certification and work with your QSA, so you’ll have peace of mind that you’re receiving an expert PCI audit from start to finish.

Why settle for a company that outsources your PCI audit when you can choose a QSA that works alongside you to perform a quality audit completed by senior-level, expert auditors? Hire a QSA that’s right for you. Contact us today.


Business Associate Due Diligence: Lessons Learned from AMCA

In most healthcare settings, third parties are relied upon to provide secure offerings that assist covered entities in delivering quality, secure healthcare services. Covered entities ultimately bear the responsibility of validating their third parties’ security standards; however, covered entities often still fall short in ensuring that business associates guard protected health information (PHI) against advancing cybersecurity threats. In one of the most recent cases, Quest Diagnostics, one of the United States’ top blood testing organizations, reported that nearly 12 million of its patients fell victim to a data breach caused by one of its business associates, American Medical Collection Agency (AMCA). What exactly caused this data breach? What lessons can covered entities and their business associates learn from it? Let’s take a look.

What Really Happened with the American Medical Collection Agency Data Breach?

On May 31st, Quest Diagnostics received notice from AMCA that an unauthorized user had accessed AMCA’s system containing the personal information of Quest Diagnostics patients via AMCA’s web payment page between August 1, 2018 and March 30, 2019. According to Quest Diagnostics’ SEC filing regarding AMCA, the information on AMCA’s compromised system included some financial information, medical information, and other personal information, such as Social Security Numbers, but did not include laboratory test results. LabCorp also used AMCA for collections and also suffered a breach affecting almost 8 million patients. Now, Quest Diagnostics, LabCorp, and AMCA are facing lawsuits and investigations from state regulators in at least Michigan, Illinois, New Jersey, and Connecticut.

What Lessons Can We Learn from AMCA’s Data Breach?

While it might seem redundant to continuously focus on the need for efficient third-party risk management, AMCA’s data breach proves that this is still something all healthcare organizations need to take more seriously. When partnering with a third party or business associate, healthcare organizations must perform their due diligence and properly vet the organizations they want to partner with. How can they do this? We’ll give you four key lessons learned from the AMCA data breach.

  1. Breach Notification Matters: All the key players made several potential missteps related to breach notification timing and process. First, there are allegations that AMCA knew about the breach in March 2019 and failed to respond to concerns from cybersecurity analysts until the end of May, while Quest waited two weeks from the date it received notice from AMCA about the breach to make its “public” statement. Second, there is nothing on AMCA’s website, while the impact on Quest and LabCorp became public through SEC filings rather than through any notification posted to their corporate websites. These choices are being used as evidence of negligence in class action lawsuits and may violate HIPAA breach notification requirements. Instead, covered entities and business associates must clearly and promptly notify impacted patients within 60 days of breach discovery, and must notify the Department of Health and Human Services (within 60 days of the breach discovery) and the media when the breach impacts more than 500 patients.
  2. Implement a Formal Risk Assessment Policy: In order to comply with HIPAA Privacy and Security Rules, covered entities and business associates must conduct a risk assessment. By doing so, organizations can ensure that they have identified, assessed, and prioritized organizational risk and have proactively worked to mitigate any potential vulnerabilities in their system. Online payment processes, like the web portal used by AMCA, should be considered particularly sensitive to security threats and therefore given great consideration.
  3. Understand Shared Risk: When working with a business associate, covered entities must understand that when they share their patients’ PHI with a vendor, it’s not solely up to the vendor to protect that information. In this case, Quest used Optum 360, another billing service provider, to partner with AMCA, so there are multiple layers of shared risk.
  4. Undergo Quality, Thorough Information Security Audits: In many instances, organizations view information security audits as an item to check off a to-do list, or worse, they don’t see it as a valuable investment. If your healthcare organization is committed to delivering quality, secure healthcare services, how exactly can you guarantee that you’ll do this? Undergoing thorough information security audits, like those performed by KirkpatrickPrice, can help your organization ensure that you’re able to deliver quality, secure healthcare services by evaluating the effectiveness of your internal controls and your business associates’ internal controls.

When your patients entrust you with their personal information, especially their PHI, it’s your responsibility to make sure that it remains secure. This includes performing your due diligence when partnering with business associates and validating that your vendors will do everything they can to keep PHI secure. Are you sure your business associates are performing their due diligence? How are you staying on top of your vendors’ compliance efforts? Contact us today to learn more about KirkpatrickPrice’s services and how they can help you ensure that you’re able to deliver the quality, secure healthcare services that your patients deserve.
