Know Your Options: Levels of Service for External Network Penetration Tests

Thinking about hiring a firm to conduct an external network penetration test? What is an external network penetration test, and why do you need one? Or have you recently been disappointed with an external network penetration test engagement? At KirkpatrickPrice, our experienced penetration testers want our clients to walk away from each engagement knowing that they are more prepared to combat advancing cyber threats. We are committed to conducting the most realistic, thorough testing possible, because when an attacker compromises your external network, they are unlikely to stop there. They will go a step further and use social engineering tactics, such as phishing emails tailored to your organization, to push deeper into your environment. That is why we recommend knowing your options and understanding the different levels of service available for external network penetration tests.

Choosing Levels of Service for External Network Penetration Tests

Standard – External Network Penetration Test

An external network penetration test provides insight into what an attacker outside your network could exploit. Findings might include:

  • Discovery of open ports, protocols, and services that were accidentally exposed to the Internet
  • Discovery of data leaks, such as excessively open permissions on Amazon S3 buckets
  • Identification and exploitation of old or unsupported systems. These are especially prone to compromise because public exploits are more likely to exist for them and no vendor patches are coming
  • Identification and exploitation of unpatched or misconfigured systems. On multiple occasions our testers have found systems with remote code execution vulnerabilities, or misconfigurations that allow passwords to be leaked, among other bugs
  • Weak or broken encryption configurations (most common on web servers, but also on SSH or VPN services), such as deprecated protocol versions and cipher suites

Advanced – External Network Penetration Test Plus Social Engineering

A good ethical hacker will want to use as many tactics as possible to discover potential vulnerabilities in an external network. That is why our penetration testers take external network penetration tests to the next level: the advanced level. They go the extra mile and use creative ways to exploit your external network, which typically means social engineering methods, such as phishing, that make the penetration test more realistic. An external attacker is not interested in checking the security of your network perimeter and moving on if they find nothing; they are interested in using external-facing systems (such as email, webmail, or VPN portals) to get directly into the network. When you are selecting a firm to conduct your external network penetration testing, consider asking them about social engineering. This provides additional value, such as:

  • Everything covered by the standard external test
  • Reviewing layers of security – if an employee gives away a password when phished, what can that password reach from the outside (VPN, webmail, cloud consoles), and does multi-factor authentication stop the attacker?
  • Testing the security awareness of employees when it comes to email and phone
  • Evaluating how well email protection and spam filtering shield users from potentially dangerous content
  • Evaluating how well endpoint protection protects users when a malicious attachment or link is opened

Because attackers so often compromise environments using multiple attack vectors, we highly recommend understanding your options when it comes to levels of service and choosing an advanced-level external network penetration test. This extra measure exercises the paths a perimeter-only assessment cannot reach: your people, and the systems their credentials unlock.

Case Study: Advanced External Network Penetration Test

Did you know that in 2019, 32% of breaches involved phishing and over 60% of breaches involved the use of stolen credentials? Phishing is one of the simplest and most frequently used methods employed by malicious hackers. Educating your employees on how to identify and report such emails is essential, and it is a skill that needs to be thoroughly tested by someone experienced in creating realistic phishing emails. Our penetration testers have executed phishing attempts so convincing that 40% of IT personnel gave up their passwords.

In one engagement, a KirkpatrickPrice penetration tester performed a red team assessment of a casino and resort. In order to gain access to the network, the penetration tester sent out a phishing email that impersonated the casino's HR department. The email stated that there was a new HR portal that employees needed to log in to and verify their personal information; if they did not, the email threatened, payroll might be delayed. The penetration tester went as far as creating a fake HR portal webpage identical to the casino's brand and linked to it in the phishing email. With the fear of payroll being impacted, many employees (even some HR employees) clicked on the phishing link, allowing the penetration tester to obtain several sets of credentials and use them over the casino's VPN to access its network. From there, they were able to compromise the entire network.

Had this casino opted for only a standard external network penetration test, it is likely that the phishing email would never have been created and the casino would have had no idea that its employees so readily click on a phishing link. Instead, the casino and resort would have received findings only about things like open ports, protocols, and services accidentally exposed to the Internet, or unpatched or misconfigured systems, and it would have been left vulnerable to attackers willing to go further.

Getting the most out of your penetration test comes down to choosing the right penetration tester and knowing your options for the levels of service. If you’re in the process of selecting a firm to conduct penetration testing for your organization, let’s chat more about the different levels of service for external network penetration tests and how we can partner to get you the results you need.

More Penetration Testing Resources

5 Critical Things to Consider When Choosing a Pen Tester

3 Hacks to Get the Most Out of Your Penetration Test

What Should You Really Be Penetration Testing?

Security Awareness Training Requirements: SOC 2, PCI, HIPAA, and More

What is a Secure Software Development Life Cycle

Have you ever worked on a project without clear direction or guidelines? It can be stressful and pointlessly chaotic. Without structure and task lists, what could have been a basic project turns into a mess of miscommunication. The same principle applies to software development management. In an age where software development is a core function of most organizations, specific and detailed processes need to be in place to ensure information systems are well developed. What is a secure software development life cycle (SDLC)? What should you include in your SDLC? Let’s talk through these software development life cycle basics.

What is a Software Development Life Cycle?

An SDLC is a framework that defines the tasks and work phases system engineers and developers use to plan, design, build, test, and deliver information systems. Why is software development management important to your organization? It is about maintaining a secure environment that supports your business needs. A secure SDLC is made up of the policies, procedures, and standards that guide your organization's software development processes. Many software development models can be implemented in your organization, including waterfall, agile, lean software development, DevOps, iterative development, spiral development, and V-model development.

The 5 Phases of an SDLC

For whichever software development methodology your organization implements, you’ll find a common structure between the various models. These five phases of a software development life cycle can be identified in each methodology:

  1. Planning – Start your secure software development by mapping out a timeline, requirements, and any preliminary details necessary.
  2. Analysis – The organization defines objectives, project goals, and the functions and operations of the application.
  3. Design – Detailed screen layouts, business rules, process diagrams, pseudocode, and other documentation are laid out. Development begins and secure code is written.
  4. Implementation – Testing and integration bring all the pieces together in an environment that checks for errors, bugs, vulnerabilities, gaps, and interoperability problems.
  5. Maintenance – Once your software is deployed, applying updates, evaluating performance, and making changes to the initial software are key maintenance procedures.

How will Software Development Management Make You More Secure?

The process of developing and building secure software helps your development team understand the common security pitfalls to avoid. In the complex world of software development, it is easy to miss issues in your code when you are not following a detailed plan of action. By using the right tools to aid secure software development, you can cut down on costs, increase efficiency, and implement continuous testing to reduce risk. If information security is your priority, you need to ensure your software development life cycle is up to standard. To learn more about security testing and third-party penetration testing, contact KirkpatrickPrice today. Let's make sure your security practices are working for you, not against you.

More Resources

PCI Requirement 6.5 – Address Common Coding Vulnerabilities in Software-Development Processes

Compliance Is Never Enough: Secure Software Development

Think Like a Hacker: How Could Your Mobile Apps Be Compromised?

How Your Org Chart Can Reflect a Culture of Cybersecurity at Work

The Need for a Culture of Cybersecurity at Work

According to IBM Security’s 2019 Cost of a Data Breach report, “The average total cost of a data breach in the U.S. has grown from $3.54 million in 2006 to $8.19 million in 2019, a 130 percent increase over 14 years.” What does this mean for organizations looking to prevent data breaches and security incidents? It means that in order for organizations to adequately prepare to deal with today’s cyber risks, avoid costly fines and penalties for non-compliance, and give clients the peace of mind they deserve, their corporate structure should reinforce a culture of compliance – one that is strongly embedded into the organization, clearly visible in the company’s org chart, and focused on cybersecurity.

Cybersecurity is a Company-Wide Effort

Establishing a culture of cybersecurity at work is no longer just a best practice – it's absolutely necessary. But for many organizations, initiatives that emphasize both cybersecurity and compliance haven't been a major focal point for departments outside of IT. Because IT has traditionally been the sole bearer of cybersecurity and compliance initiatives, their best practices are seen as a small component of the business strategy rather than a strategic initiative in their own right. To change that, a culture of cybersecurity should be embedded into every aspect of your organization – even your org chart. While the details will depend on factors like your organization's size, industry, budget, and personnel experience, there are typically three ways to emphasize cybersecurity through your org chart: top-down, bottom-up, and network. Whichever way you structure it, there need to be clear lines of communication between personnel, both vertically and horizontally.

3 Ways an Org Chart Reinforces Cybersecurity

Top-Down Org Chart

Perhaps the most common org chart is the top-down structure; it starts with the Board of Directors and ends with entry- or low-level employees. In order to emphasize a culture of cybersecurity at work in this org chart model, the Board of Directors needs to set the tone for compliance initiatives. This means that in the company’s business strategy, cybersecurity and compliance will be strategic initiatives and not merely a responsibility that IT reports on. A basic rendering of a top-down org chart might look something like this:

Top-Down Org Chart

Bottom-Up Org Chart

Opposite to the top-down org chart model, bottom-up org charts are less common but empower lower-level employees to take part in the culture of cybersecurity at work. In these models, low-level employees often feel that they have a greater role in creating and maintaining a culture that focuses on cybersecurity and compliance, because they understand that their day-to-day tasks play a key role in the company's overall business strategy. This org chart also opens up more lines of communication between upper management and lower-level employees, as employees are more likely to identify and report issues when they know that their bosses will listen to their concerns and take corrective action when necessary. A bottom-up org chart typically looks like an inverted pyramid, like the following:

Network Org Chart

More and more businesses are relying on third parties to supply information security services for their organization, especially those companies that don't have the time, budget, or personnel resources to meet their growing cybersecurity needs. But when major components of the business are outsourced, maintaining a culture of cybersecurity and compliance becomes more difficult. By developing a network org chart, businesses can clearly see where they've outsourced components of the business, where those providers are located, and who is responsible for overseeing those vendors and their compliance efforts – all while showing where in-house departments sit, who oversees them, and what tasks they're responsible for. A network org chart might look something like this:

Regardless of the org chart model your business uses, ensuring that every employee knows who they need to be communicating with is essential, especially in regard to a culture of cybersecurity at work. If you’re looking to revise your company’s org chart, let’s chat so you can find out how KirkpatrickPrice can help!

More Cybersecurity Resources

How to Lead a Cybersecurity Initiative

Auditor Insights: Compliance from the Start

Fact or Fiction: Everything You Need to Know About Leading Compliance Initiatives (Webinar)

Vendor Due Diligence Checklist (With Downloadable PDF)

What is a Vendor Due Diligence Process?

Vetting and choosing vendors are some of the most important decisions you’ll make for your business, especially when it comes to information security. They could do everything from run your call center to store your data, monitor your systems, or destroy your records. Yes, you can outsource a process or a department to vendors – but you can never outsource risk. No matter the vendor, they pose some level of risk to your organization – especially financial risk, operational risk, reputational risk, and cyber risk – because they have access to your data, network, hardware, cloud, and more. This is why you must thoroughly vet potential vendors using a vendor due diligence checklist.

Once you’ve narrowed your vendor options to those that can support your needs, it’s time to gather the information that will help you take a risk-based approach to vendor selection – this is the vendor due diligence process. This information should help you rank the risk that potential vendors would pose to your organization, which strengthens your organization and protects you from insecure or irresponsible vendors.

Streamlining the vendor due diligence process is essential to its success so that it doesn't become arduous and intimidating. Plus, vetting your vendors isn't a one-time process; you should continually assess whether they're introducing more risk into your environment or meeting your security standards. In order to streamline this process, we've put together a vendor due diligence checklist as a guide. This checklist isn't exhaustive – questions will change based on your requirements or the vendor's company, industry, size, or region. It asks potential vendors to submit general information about their company, a financial review, reputational risk information, evidence of insurance, technical documentation regarding information security, and their policies. The more you know about potential vendors, the easier it is to assess their risk. Let's take a look!

Vetting with a Vendor Due Diligence Checklist

General Information

There are obvious, foundational documents that are absolutely necessary to obtain from potential vendors. This general information will confirm that the company is legitimate and licensed to do the work you need. This includes items like articles of incorporation, proof of location(s), any DBA, AKA, or FKA (doing-business-as, also-known-as, or formerly-known-as) names, and an overview of the company structure.

Financial Review

Assessing financials may seem irrelevant to your vendor selection process, but you do want to ensure that potential vendors are financially solvent. Would you want to partner with a company that may not be in business next year? To perform a financial review, you will need to know major assets, principal owners, loans, etc.

Reputational Risk

When you choose to work with a vendor, you’re putting part of your business in their hands. Take choosing an audit firm, for instance. Would you want to hire a firm whose managing partner for audit quality was convicted of fraud? Absolutely not – that’s why assessing reputational risk is so important, even with companies you would typically trust (like a Big Four firm or even household names). If you don’t include reputational risk in your vendor due diligence process, you may miss information that would have changed your decision, like complaints or reports from the CFPB or BBB.

Insurance

Gathering insurance information from potential vendors is similar to gathering general information – it’s a must-have and foundational to your decision-making. Gather information on general liability insurance, cyber insurance, or insurance specific to services.

Information Security Technical Review

When a vendor performs a service for you that impacts your data security or privacy programs, you must do a thorough vetting of their information security program. The more they are willing to show you during the vetting process, the better. A good starting point is collecting internal or external audit reports, penetration testing reports, and their history of data breaches. Read those reports for scope, period covered, and noted exceptions rather than stopping at the cover page: a clean audit report that excludes the system that will actually hold your data tells you very little.

Policy Review

Policies and procedures are the backbone of any organization. If a potential vendor cannot provide policies that cover change management, data retention, or privacy, they probably do not have the controls needed to protect your organization’s data network, hardware, or cloud.

Choosing Vendors

Once your potential vendors have submitted all of their answers from the vendor due diligence checklist, you may be in one of the following situations:

  • A potential vendor is not willing to answer all of your questions. Depending on the nature of the question, you may be right to be suspicious of their processes and to conclude that they do not understand your standards.
  • A potential vendor answers all of your questions but their evidence proves they pose significant risk to your company, and it is unreasonable to try and mitigate. Cross them off your list!
  • A potential vendor doesn’t quite meet your standards, but the risk they pose isn’t significant, and they are willing to improve their information security practices in exchange for your business. Now it’s up to you to determine what you require of them to change – more frequent pen testing? A SOC 1 Type II report? The inclusion of new Trust Services Criteria in their SOC 2 audit? Better policy documentation?
  • You have more questions based on a potential vendor’s initial answers. Ask them! If they want your business badly enough, they will cooperate with your due diligence process.
  • One potential vendor’s security processes stand out among the rest – your choice is easy!

If you don’t currently perform vendor due diligence, consider using our vendor due diligence checklist as a guide. If you choose a vendor without vetting and assessing what types of vendor risk they present and whether the relationship will help achieve your objectives, you can put your business in jeopardy. Have more questions about vendor relationships and how they can impact information security? Want to put KirkpatrickPrice through your vendor due diligence checklist? Let’s talk today!

More Vendor Due Diligence Resources

What to Look for in a Quality Vendor

How to Read Your Vendor’s SOC 1 or SOC 2 Report

Vendor Compliance Checklist

Common Gaps in Vendor Compliance Management

How to Build an IT Asset Management Plan

How can you best manage your data and assets in a time when information security threats are everywhere? What is asset management, and where do you start with it? Let's start with a basic definition. Asset management is properly defining and categorizing an organization's assets. A well-developed asset management plan can help you make strategic moves to increase your organizational security. Any IT asset management plan should establish processes for receiving and transferring assets, migrating virtual systems, detecting and responding to incidents, continuous monitoring, and applying patches and updates to address vulnerabilities.

How Can You Benefit from an IT Asset Management Plan?

NIST Special Publication 1800-5 on IT asset management explains the benefits of a thorough asset management plan in six parts:

  1. Proper asset management increases your organization's ability to respond to security alerts quickly, because the location, configuration, and owner of each device can be looked up immediately.
  2. Your organization can turn its focus to the most valuable assets and therefore increase cybersecurity resilience.
  3. When you undergo an audit, auditors will have detailed information about your systems because your assets are well managed.
  4. It helps to better define your budget, as you can determine which software licenses are actually used and which you pay for but do not use.
  5. Your employees can use the asset management plan to know what is installed and what alerts or errors might come up, which minimizes help desk response times.
  6. Patching can be done correctly, and the attack surface of devices reduced, when a well-developed IT asset management structure is in place.

These benefits arise from a well-developed asset management plan that follows guidelines set out in publications such as NIST's. When you take on the task of IT asset management, you might find yourself looking for guidance on how to responsibly track the status and configuration of your assets. That's why we, at KirkpatrickPrice, have developed an outline of an asset management plan to get you started.

Risk-Based Approach to an Asset Management Plan

While your customized asset management plan will be tailored to your organization's security needs, this tool can be helpful in giving you a path towards security compliance. Organizing and maintaining an asset inventory is the foundation of a thorough information security program. You can organize your asset inventory in many different ways: individually, systematically, or through portfolios. Every organization will define its assets according to its needs, but it is recommended that the selection process be based upon risk. At what risk level is each asset? By classifying and analyzing assets according to their criticality and risk, you can prioritize the work and measure the effectiveness of your security strategies.
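Two things a risk-based inventory has to do in practice are reconcile what is recorded against what is actually on the network, and rank the recorded assets so that patching and monitoring effort goes to the riskiest ones first. The following is an added example, not KirkpatrickPrice's own tooling: both the INVENTORY records and the SEEN_IPS set (addresses observed by a hypothetical discovery scan) are constructed, and the criticality weights, exposure multiplier, and 30-day patch SLA are assumptions chosen for illustration.

```python
"""Risk-based asset inventory check: reconcile the inventory with what is on
the network, then rank assets by criticality, exposure, and patch status.

Added example; not KirkpatrickPrice tooling. INVENTORY, SEEN_IPS, the weights
and the 30-day SLA are all constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Asset:
    asset_id: str
    hostname: str
    ip: str
    owner: str                    # "" means no accountable owner is recorded
    criticality: str              # "critical", "high", "medium" or "low"
    internet_facing: bool
    last_patched: Optional[date]  # None means there is no patch record at all


# Assumed weights: business criticality drives the score; Internet exposure doubles it.
CRITICALITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def patch_factor(asset: Asset, today: date, sla_days: int = 30) -> int:
    """1 = patched within the SLA, 2 = overdue, 3 = never patched or unknown."""
    if asset.last_patched is None:
        return 3
    return 1 if (today - asset.last_patched).days <= sla_days else 2


def risk_score(asset: Asset, today: date, sla_days: int = 30) -> int:
    exposure = 2 if asset.internet_facing else 1
    return CRITICALITY_WEIGHT[asset.criticality] * exposure * patch_factor(asset, today, sla_days)


def reconcile(inventory: List[Asset], seen_ips: Set[str]) -> Dict[str, List[str]]:
    """Compare the recorded inventory with the addresses actually observed."""
    known = {a.ip for a in inventory}
    return {
        # On the network but in nobody's inventory: unmanaged, unpatched by definition.
        "unmanaged": sorted(seen_ips - known),
        # Recorded but not observed: decommissioned, offline, or a stale record.
        "not_seen": sorted(a.asset_id for a in inventory if a.ip not in seen_ips),
        # Nobody is accountable for patching or incident response on these.
        "no_owner": sorted(a.asset_id for a in inventory if not a.owner),
    }


def ranked(inventory: List[Asset], today: date, sla_days: int = 30) -> List[Tuple[int, str]]:
    """(score, asset_id) pairs, highest risk first; ties broken by asset id."""
    scored = [(risk_score(a, today, sla_days), a.asset_id) for a in inventory]
    return sorted(scored, key=lambda pair: (-pair[0], pair[1]))


# Constructed inventory and a constructed set of addresses seen by a discovery scan.
INVENTORY = [
    Asset("A-001", "web-01", "203.0.113.10", "platform-team", "critical", True, date(2024, 5, 1)),
    Asset("A-002", "db-01", "10.0.0.5", "data-team", "critical", False, date(2024, 3, 1)),
    Asset("A-003", "hr-portal", "10.0.0.9", "", "high", False, None),
    Asset("A-004", "printer-3", "10.0.0.40", "facilities", "low", False, date(2024, 4, 20)),
]
SEEN_IPS = {"203.0.113.10", "10.0.0.5", "10.0.0.9", "10.0.0.77"}
TODAY = date(2024, 5, 15)


if __name__ == "__main__":
    for key, ids in reconcile(INVENTORY, SEEN_IPS).items():
        print(f"{key}: {ids}")
    for score, asset_id in ranked(INVENTORY, TODAY):
        print(f"{asset_id}: risk {score}")
```

With the sample data, the host that has never been patched and has no owner (A-003) outranks the Internet-facing but freshly patched web server, and the reconciliation surfaces one address that is on the network without any inventory record at all; that unmanaged host is the one a penetration tester is most likely to find first.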

If you’re serious about implementing information security practices, you need to be mindful of the importance of proper asset management. Don’t let undetected vulnerabilities and mismanaged risks be the problems that plague your information security plan. Instead, use asset management tools and perform regular penetration testing to protect your valuable assets. Contact KirkpatrickPrice today to learn how we can help you achieve your information security goals!

More Resources

How Can Penetration Testing Protect Your Assets?

Why Bother With An Information Security Program?

What Should You Really Be Penetration Testing?