Onsite Audits for Cloud Environments

Do you provide cloud solution services? Or, does your organization utilize the services of cloud providers? At KirkpatrickPrice, we understand that it’s important to recognize the value of cloud environments and technology, while also understanding the risk that is coupled with storing data in the cloud. Whether you provide the cloud service or use it for your business, you should know that the services are secure – and that includes auditing both the virtual and physical environments used to provide cloud services. In this webinar, KirkpatrickPrice Lead Practitioner, Mike Wise, discusses why onsite visits are the smart choice for cloud environments.

Why Onsite Audits are Necessary for Cloud Environments

The assumption that everything is based in the cloud is simply not true. Not only is it inaccurate, it is harmful to an organization to believe an onsite analysis of its security controls is a waste of time. While your data may be stored in the cloud, your physical security processes, onsite technologies, and personnel who process the data are not in the cloud. Think about it: how many processes related to your cloud environment aren’t actually in the cloud? For example:

  • You can’t manage the cloud from the cloud. Who is responsible for managing it? Where does that oversight take place? How is it secured?
  • Development and DevOps activity don’t take place in the cloud. How do you ensure that the changes you’re making to your cloud environment are secure? Who is in charge of overseeing changes and implementation?
  • Human resources, onboarding, training, team meetings, stand-ups – they don’t take place in the cloud. How are you training your personnel about cloud security?
  • Governance and compliance don’t take place in the cloud. How could this impact the security of your cloud environment?

Overcoming the misconception that everything is in the cloud is necessary if you want to make sure that the cloud environment your organization uses is secure. To learn more about why onsite audits are necessary for cloud environments, about shifting the risk when migrating to the cloud, and about how different cloud models impact your security efforts, download the full webinar now or contact us today to speak to one of our cloud experts.

Executive Insight into the Importance of Penetration Testing

You’ve seen hacking portrayed in Hollywood films, but have you seen how hackers can be an ally in your fight for security? Ethical hacking plays a key role in identifying what malicious outsiders are planning against your organization’s sensitive assets. If you’ve been wondering about the trends in penetration testing and how other organizations utilize these tests to creatively improve security, download this full webinar to hear from KirkpatrickPrice’s President, Joseph Kirkpatrick, as he discusses creative approaches to penetration testing, how executives use penetration testing to evaluate security effectiveness, and how to overcome fears and misconceptions about penetration testing.

Getting the Most Out of Your Penetration Test

When organizations invest in penetration testing, they’re likely looking for a quality, thorough third party who is able to uncover vulnerabilities that their teams can’t or wouldn’t find and provide remediation strategies and guidance to improve security. In order to do so, though, penetration testers must go beyond routine approaches to ethical hacking, like walkthroughs and merely presenting reports to committees, and instead employ creative methods, like the advanced social engineering methodologies used by KirkpatrickPrice penetration testers.

For example, when KirkpatrickPrice penetration testers begin an engagement, they’ll be sure to do their due diligence when it comes to reconnaissance. Our pen testers will simulate real-life hacks by:

  • Using online research via the Dark Web
  • Entering a physical location using methods like tailgating or copying badges
  • Using pre-text calling
  • Using spear-phishing

When such creative means are used to test an organization’s security, executives gain a more holistic insight into the security of their organization, and they’ll be better prepared and empowered to make decisions about improving the organization’s security hygiene.

Do you want to make sure your organization is getting the most out of your penetration testing results? Are you ready to learn how executives can use the findings of a penetration test to better improve organizational security hygiene? Download the full webinar now or contact us today to speak to an Information Security Specialist.

Think Like a Hacker: Common Vulnerabilities Found in Web Applications

According to the 2019 Verizon DBIR, web applications are a top vector in data breaches. But is your organization doing anything to mitigate this threat? Are you educated on what vulnerabilities web apps like yours are facing? In the first installment of our “Think Like a Hacker” webinar series, one of our expert penetration testers, Stuart Rorer, dives into the most common vulnerabilities found in web applications during penetration tests. If you’re interested in learning about common ways your web applications may be compromised by a malicious hacker, remediation tactics for mitigating threats facing your web apps, and how to continue to stay abreast of cyber threats with KirkpatrickPrice’s pen testing services, watch the full webinar now.

Web Pages vs. Web Applications

When it comes to ensuring the security of a web app, there is one critical thing to keep in mind: web apps are not the same as web pages. Web pages are static, whereas web applications are dynamic and respond to user interaction. What does this mean? It means that web pages are simple: you view the page, and there is usually very little that can be attacked, aside from the underlying infrastructure. When there is added dynamic functionality, such as adding a search option, there is greater risk for a malicious attack because there’s a level of interaction with the underlying system. So, what common vulnerabilities are found when there’s added dynamic functionality? We’ll give you five.

5 Common Vulnerabilities Found in Web Applications

When looking at the vulnerabilities found in web applications, it’s important to realize that all web applications are different: there are different frameworks, components, libraries, and services. Considering this, when undergoing a web application penetration test, there could be a number of vulnerabilities found, but the five we most commonly see at KirkpatrickPrice are:

  1. Misconfiguration
  2. Vulnerable third-party libraries and components
  3. Authorization issues
  4. Redirection issues
  5. Injections

Your organization’s web apps are only as strong as your latest penetration test. Have you found all of the vulnerabilities in your web applications? Could there be more you’re unaware of? Watch the full webinar now to learn about five common vulnerabilities or contact us today to speak to one of our Information Security Specialists about our web application penetration testing services.

What Does GDPR Mean for Marketing?

GDPR and Marketing: Why it Matters

Has your organization considered the GDPR implications for marketing? Because of the misconception that GDPR is solely for lawyers and information security teams, many organizations don’t realize how their marketing activities impact their GDPR compliance efforts. GDPR is more than a data privacy law. Instead, GDPR is a mandate that affects how organizations market, collect, use, and store consumers’ personal data, so GDPR compliance and awareness are just as important for marketing departments as they are for IT departments.

However, because it’s been more than a year since the GDPR enforcement deadline, some might be wondering: why should we still care about GDPR implications for marketing? If organizations started their GDPR compliance efforts more than a year ago, wouldn’t they have already considered how GDPR impacts marketing? While this line of thinking is common, here’s what organizations need to realize: whether or not your core services relate to marketing, you must understand the GDPR implications for marketing at your organization. Why? Because in the year since GDPR became enforceable, most data subject complaints have related to marketing. This means that if marketing is necessary to your organization and you market to data subjects, you must know the GDPR implications for your organization.

In this webinar, our Director of Regulatory Compliance, Mark Hinely, will discuss how to identify if GDPR applies to your marketing activities, the benefits of following privacy best practices, and what exactly those privacy best practices are that your marketing team should be following. By the end of the webinar, you’ll learn about these four key takeaways:

  1. Marketers need to identify a legal basis for their marketing activities.
  2. Marketers must review their privacy policies and ensure that they articulate what third parties are used during marketing activities, what personal information is used for marketing activities, and the legal basis for marketing activities.
  3. Marketers need to understand data subject rights, especially data subjects’ absolute right to object to direct marketing.
  4. Marketers must monitor member state publications to stay up to date on updates and enforcement actions.

Ready to watch the full webinar? Want to learn more about how your organization’s marketing activities can be GDPR-compliant? Contact us today.

Best Practices for Data Privacy

From GDPR, CCPA, PIPEDA, and so many other new data privacy laws going into effect, knowing which laws you need to comply with and how you should go about complying with them may seem like a daunting task. In this webinar, our Director of Regulatory Compliance, Mark Hinely, will discuss how organizations can perform their due diligence to ensure that they’re protecting their consumers’ privacy and will cover industry-accepted best practices that you can follow to lay the groundwork for future data privacy frameworks.

What are Best Practices for Data Privacy?

If your organization is questioning what best practices for data privacy you should follow, Mark Hinely provides four that can help you get started:

  1. Create an internal privacy framework
  2. Do more with less data
  3. Automate compliance efforts
  4. Get specific about your internal and external privacy posture

How Can You Establish an Effective Internal Privacy Framework?

An effective internal privacy framework is the foundation of your organization’s data privacy compliance efforts because it lays out which of the many privacy requirements apply to your organization and how you’ll comply with them. Typically, when an organization creates an effective internal privacy framework, it will take the following into consideration:

  • Notices and disclosures
  • Access (Internal and External)
  • Breach notification
  • Consent
  • Risk
  • Designated responsibilities
  • Data retention
  • Vendor management

Like the internal security programs established by organizations, however, there are always sector- and organization-specific considerations that must be taken into account when creating an effective internal privacy framework. For industries such as healthcare, marketing, or education, there might need to be additional considerations regarding access to data or data retention. Organizations with specific profiles, such as a debt collection agency, also need to consider the types of data and processing they’ll use. Once these considerations have been made and the internal privacy framework has been designed, organizations need to document and implement it.

Overall, when you establish an effective internal privacy framework, you set your organization up for success when you’re faced with achieving multiple privacy considerations. If you want to learn more about industry-accepted best practices for data privacy and how they could benefit your business, watch the full webinar now. For more information on how KirkpatrickPrice can help you with your data privacy compliance efforts, contact us today.