Ask the Expert: Penetration Testing

Penetration Testing for HIPAA Compliance

Penetration testing is a critical line of defense when protecting your organization’s sensitive assets – especially Electronic Protected Health Information (ePHI). Penetration testing is the process of performing authorized security testing of an environment to identify and exploit weaknesses associated with the targeted systems, networks, and applications before those weaknesses can be exploited by a real attacker. When performed in support of HIPAA compliance, the goal is to identify issues that could result in unauthorized access to ePHI.

In this webinar, KirkpatrickPrice’s Lead Penetration Tester answers your questions about penetration testing, including:

  • What is the difference between penetration testing and vulnerability scanning?
  • Should penetration testing include a human element or can it be done using tools alone?
  • Do I have to hire a third party to perform penetration testing?
  • How often should I have penetration testing done when preparing for a HIPAA assessment?
  • Should I retest after remediation? Should that be included by the firm I work with?
  • How do I know which level of penetration testing is right for me? What are the options?
  • How do you choose targets in large IP address spaces?
  • What is the difference between web application penetration testing and network penetration testing?
  • Does penetration testing include API testing?
  • How do you balance applying automated tools to the target vs. manual testing of the target, like someone at a laptop?
  • As the IT landscape continuously grows, how do you ensure that you get the correct skills on a penetration test, since no one knows everything?
  • How does KirkpatrickPrice price penetration testing engagements?

More Penetration Testing for HIPAA Compliance Resources

  • HHS.gov HIPAA Security Rule for Professionals
  • 164.308(a)(8) Standard: Evaluation
  • NIST SP800-66 (HIPAA Implementation Guidance)
  • National Institute of Standards and Technology (NIST) SP800-115
  • Open Source Security Testing Methodology Manual (OSSTMM)
  • Open Web Application Security Project (OWASP)
  • Penetration Testing Execution Standard (PTES)
  • Penetration Testing Framework

Internal vs. Third-Party Audits: Why You Need to be Leveraging Both

Internal Audits vs. External Audits

Is an internal audit enough? Should you utilize both internal and external audits? This is an ongoing conversation in our arena. But at KirkpatrickPrice, we know that there is power in having both perspectives, especially when it comes to conquering your compliance goals. If you want to prove to your stakeholders that you’re willing to do everything you can to take control of the cyber risks your organization is faced with, listen as KirkpatrickPrice’s Founder and President, Joseph Kirkpatrick, discusses the real differences between internal and external audits and how the difference could impact your organization’s compliance efforts.

According to the Institute of Internal Auditors, “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” While internal audits are useful in that they are closely aligned with your organization’s objectives and are conducted by experts in your unique business rules and applications who are also familiar with your organization’s personalities, relationships, and histories, they shouldn’t be solely relied upon. In fact, internal audits are often weakened because internal audit staff develop tunnel vision; it can be difficult to keep up with current trends and issues; limited staff and resources can hold back the adoption of new techniques; and, lastly, their voice can lose influence over time.

On the other hand, external audits can strengthen your internal audit processes, as they offer independence and objectivity, subject matter experts, enhanced credibility with partners and stakeholders, and a wide array of resources to address your unique challenges.

Investing in external audits can be challenging depending on your size, personnel, experience, time, and financial resources, but at the end of the day, they can enhance your internal audit program and give you the third-party assurance you need to validate the accuracy of your internal audit findings.

Watch the full webinar on-demand now to learn more about the differences between internal audits and external audits, find out tools internal auditors should be equipped with, and more.

Top Mistakes C-Level Execs Make When It Comes to Security and Compliance

How Can C-Levels Overcome Compliance Challenges?

The growth and maturity of the security function will only rise as far as its leader’s capacity. Cyber and compliance threats are advancing, threatening our organizations’ financial and human resources. Because of this, business leaders must learn to recognize and overcome the mistakes they make when it comes to information security and compliance, and develop the leaders who report to them to do the same. What are some of the common mistakes C-level executives make when overseeing security and compliance? In this webinar, Joseph Kirkpatrick will teach executives how to conquer challenges like implementing a culture of security throughout your organization, overcoming the language barrier of cybersecurity and technology, correcting common misconceptions around security and privacy, and developing the talent of your personnel.

The First Mistakes Executives Need to Overcome

When first establishing your business culture, what did you want it to focus on? Integrity? A team-oriented atmosphere? Maybe even fun? While these are all notable components of a business culture, if security is of any interest to you at all, you’ll also include it in the culture you establish. Why? Because whatever you base your culture on – whether it’s teamwork or security – is something you’ll train on regularly and discuss often, and your personnel will be more likely to actively participate in it. How can you do this? By creating a cybersecurity culture management plan. This plan should define your organization’s security objectives, establish education and training requirements, and place personal responsibility on employees to ensure security. After all, everyone – regardless of their position in the company – plays a role in security.

Culture Training is a Necessity

If you aren’t conducting some type of culture training, you should be. As millennials become a bigger portion of the workforce, businesses are experiencing increasing security incidents. While in the past it was assumed that the older generations – those with less technology experience – were more likely to fall victim to social engineering attempts, millennials are the ones that pose the greatest threat to your business, as they’re more likely to share and connect with strangers online. Because of this, you must adjust your training. Ask yourself: Are you providing the necessary and the right training to the newest members of your workforce? Do your millennial-aged personnel know not to share sensitive information online? What happens if they do?

Is your security culture non-existent? Need more information on culture training? It’s never too late to address the culture of security at your organization. Learn more about conquering this challenge and how to overcome four other mistakes by watching the full webinar now.

Fact or Fiction: Everything You Need to Know about Leading Compliance Initiatives

Why is Compliance a Top 3 Initiative?

It’s no secret that the cyber threat landscape is evolving at an alarming rate. Now more than ever, businesses must implement compliance initiatives to avoid the growing threats of a cyberattack in the new decade. As a leader of your organization, it’s your responsibility to see this through. In this webinar, you’ll learn from KirkpatrickPrice President, Joseph Kirkpatrick, about everything you need to know about leading compliance initiatives.

According to a 2019 survey conducted by The Conference Board, “U.S. CEOs rank cybersecurity as their #1 concern.” Now, why is that? Take a look at just a few statistics that IBM’s 2019 Cost of a Data Breach report included:

  • The global average total cost of a data breach is $3.92 million
  • The global average size of a data breach is 25,575 records
  • The global average time to identify and contain a breach is 279 days
  • Inadvertent data breaches from human error and system glitches are still the root cause for nearly half (49%) of the data breaches studied in the report
  • If a third party caused the data breach, the cost increased by more than $370,000

As security incidents and data breaches are on the rise, C-suite executives must carry more of the responsibility to ensure that their organizations are prepared for the advancing threats of malicious individuals and groups.

6 Steps for Leading a Successful Compliance Initiative

While this list isn’t exhaustive and should be tailored to meet your business and industry needs, the following six steps can guide executives toward leading a successful compliance initiative, help prepare organizations against cyber threats, and ensure compliance.

  1. Connect the goal to your business’ purpose
  2. Accept responsibility
  3. Define priorities
  4. Choose the team
  5. Determine S.M.A.R.T. goals
  6. Enforce accountability

Want to dive deeper into these insights? Watch the full webinar on-demand now!

Think Like a Hacker: How Could Your Mobile Apps Be Compromised?

The Pros and Cons of Mobile Applications

When you provide mobile apps to customers, they’re expecting them to be secure. They’ve entrusted you with their sensitive data by using your product, and it’s up to you to protect that data. Businesses today must do everything possible to mitigate the advancing threats facing mobile apps, both internally and externally. How sure are you that your organization is doing this? In this webinar, KirkpatrickPrice expert penetration tester, Stuart Rorer, dives into the most common vulnerabilities found in mobile apps and discusses how penetration testing can help keep them secure.

Like all technology, mobile applications have some wonderful benefits, but they also have security concerns that need to be addressed. The trick is to learn how to better secure the technology to thwart attacks before they occur. So, while mobile technology has made nearly everything in our lives more accessible and efficient, the cons of mobile technology should not be forgotten. For example, on the physical side of mobile technology, there are numerous risks: BYOD policies are challenging for IT teams because the devices are difficult to secure and keep track of, devices can be stolen, and attackers can compromise devices remotely via Bluetooth. At the application level, mobile applications are vulnerable to common security issues like insecure communications, poor information storage, web attacks, exposed code, and tampering.

7 Proactive Steps for Protecting Your Mobile Apps

From malware attacks and backdoor threats to problems with surveillance, mobile apps will continue to be one of the most targeted attack vectors in 2020. We believe that following these seven steps will help you thwart these security issues and protect your mobile apps.

  1. Stay abreast of the latest security news.
  2. Invest in secure coding and practices for development teams.
  3. Invest in routine – not just annual – penetration testing on mobile applications.
  4. Use code obfuscators to better secure code from decompilation.
  5. Stay on top of the OWASP Top Ten and use their resources to better understand security issues.
  6. Do not trust the device to protect your files.
  7. Always use secure communications to transmit information.

How sure are you that you have found all of the vulnerabilities in your mobile apps? Could there be more you’re unaware of? Watch the full webinar now to learn about common vulnerabilities in mobile apps or let’s talk about how our mobile application penetration testing services can benefit you.