Web Application Security

Web Application Security

Protecting Web Apps Protects the Company and Customers

Web application security refers to the measures and practices taken to protect web applications from unauthorized access, data breaches, and other malicious activities. It involves implementing relevant techniques, technologies, and best practices to ensure the confidentiality, integrity, and availability of web applications and their supporting systems.

The following factors underpin the importance of Web Application Security.

  • Data Protection: Web applications often handle sensitive user information such as personal details, financial data, and login credentials. Without proper security measures, this data becomes vulnerable to theft, manipulation, or destruction.
  • Compliance Requirements: Many industries must meet specific compliance standards and regulations, such as the General Data Protection Regulation (GDPR) or the Payment Card Industry Data Security Standard (PCI DSS). Non-compliance can result in severe legal consequences and financial penalties.
  • Protection against Attacks: Web applications are prime targets for various cyber attacks, including XSS, SQL injection, and DDoS attacks. These attacks can lead to unauthorized access, data loss, service disruption, and reputational damage.
  • Business Continuity: A successful cyber attack or breach can significantly impact the availability and functionality of a web application. Downtime and loss of functionality can result in financial losses, disrupted operations, and dissatisfied customers.
  • Competitive Advantage: Being able to demonstrate one’s security posture has become a crucial competitive differentiator. Organizations that prioritize web application security and demonstrate their commitment to protecting user data gain a competitive edge. By offering a secure and reliable application, businesses can attract more users, retain existing customers, and differentiate themselves from competitors.

Common Threats to Web Applications

Here are some common web app threats (much more can be viewed at the various OWASP Projects: Top Ten Web Application Security Risks, API Security Top Ten, and the draft OWASP Top 10 for Large Language Model Applications)

ThreatDescription
Cross-Site Scripting (XSS) attacksExploiting vulnerabilities to inject malicious scripts into trusted websites, allowing unauthorized code execution in browsers.
SQL injection attacksManipulating user input to inject malicious SQL queries into a web application’s database, potentially gaining unauthorized access or executing arbitrary commands.
Cross-Site Request Forgery (CSRF) attacksForcing authenticated users to unknowingly perform unwanted actions on a web application by exploiting their existing session credentials.
Session hijacking and session fixationUnauthorized individuals gaining control over a user’s session by intercepting or manipulating session identifiers, allowing them to impersonate the user and potentially access sensitive information or perform malicious actions.
Brute-force attacksRepeatedly attempting various combinations of usernames and passwords to gain unauthorized access, exploiting weak or easily guessable credentials.
Distributed Denial of Service (DDoS) attacksOverwhelming a web application’s resources or infrastructure by flooding it with a massive volume of requests from multiple sources, leading to service disruption or complete unavailability for legitimate users.

Best Practices for Web Application Security

It’s never good to stick only with what could go wrong. Here are actions to take to secure web applications:

Best PracticeDescription
Input validation and data sanitizationEnsuring that all user input is properly validated and sanitized to prevent malicious input that could lead to security vulnerabilities.
Implementing secure authentication and authorization mechanismsImplementing robust authentication and authorization mechanisms to verify the identity of users and control access to resources.
Using encryption and secure communication protocols (HTTPS)Employing encryption and secure communication protocols, such as HTTPS, to protect data transmission between the client and the server.
Regularly updating and patching software componentsKeeping all software components, including frameworks, libraries, and dependencies, up to date with the latest security patches and updates.
Employing strong password policies and multifactor authenticationEnforcing strong password policies, including complexity requirements, and implementing additional authentication factors for enhanced security.
Conducting security testing, vulnerability scanning, and code reviewsPerforming regular security testing, vulnerability scanning, and code reviews to identify and address any potential security weaknesses or flaws.
Implementing a Web Application Firewall (WAF)Deploying a Web Application Firewall (WAF) to monitor and filter incoming and outgoing web traffic, protecting against common web attacks.

Emerging Trends and Technologies in Web Application Security

New technologies always bring new risks and threats, but they also bring benefits. Some new trends that do just that are:

A. Machine Learning and AI-based security solutions: Machine Learning (ML) and Artificial Intelligence (AI) are being leveraged to develop advanced security solutions that can detect and mitigate sophisticated attacks.

B. Behavior-based anomaly detection: Behavior-based anomaly detection techniques focus on monitoring and analyzing the behavior of users, systems, and applications.

C. Containerization and microservices security: Containerization and microservices architectures provide increased flexibility and scalability for web applications. From a security perspective, they offer improved isolation, making it harder for an attacker to compromise the entire system if one container or microservice is breached.

D. Serverless architecture and security implications: Serverless architecture (where applications run on third-party infrastructure without the need for managing servers) can positively impact web application security. The cloud provider handles infrastructure security, including updates and patching. This allows developers to focus more on application-level security.

Security Awareness and Training

Security Awareness and Training extends well beyond having every employee watch a 15-minute video once a year. Those developing the applications need to be aware of these items to properly create a secure web app ecosystem:

  • Growing Threat Landscape: By staying aware of the latest security threats and trends, organizations can proactively adapt their security measures to mitigate new risks and vulnerabilities.
  • Rapid Technological Advancements: New features, APIs, and architectural approaches introduce both opportunities and risks. Ongoing security awareness ensures that developers and security teams stay updated on best practices and techniques to secure the latest technologies, preventing security gaps in newly implemented features.
  • Compliance and Regulatory Requirements: Compliance standards and regulations related to web application security are subject to updates and revisions. Ongoing security awareness ensures that organizations stay informed about any changes in compliance requirements, enabling them to adapt their security practices and maintain compliance with industry regulations.
  • Continuous Improvement and Adaptation: The security landscape is a dynamic environment, requiring a proactive and iterative approach. Ongoing security training promotes a culture of continuous improvement, encouraging organizations to regularly evaluate and enhance their security practices, perform security testing and audits, and adopt emerging security technologies and methodologies.
  • User Trust and Reputation: Web application security directly impacts user trust and an organization’s reputation. Users expect their data to be protected, and any security incidents or breaches can significantly damage trust in the application and the organization behind it.

Earning Trust

Having a third-party test your web applications, whether upon major releases or on a regular schedule, is important to gaining and maintaining customer trust in the security of your applications. Contact us today to find out how Cybersecurity Crusaders can algin with you and your business in your journey to trust and security.

Network Security: Searching for the Gaps

Network Security: Searching for the Gaps

Business Uptime

Customers rely on businesses to store and share sensitive information such as customer data, financial records, and proprietary information. A data breach can disrupt business operations, causing significant financial losses. Many industries are subject to regulations that require certain levels of network security. Failure to comply with these regulations can result in fines, legal liability, and reputational damage.

There’s no doubt that network security is vital to business functions.

Understanding Network Threats

Network threats involve more than someone just tapping a network cable or cutting some cords. Other threats faced by businesses include:

  • Phishing
    • This is first in line because Phishing is the most common crime. Phishing attacks (part of social engineering) involve the use of fraudulent emails, phone calls, or text messages to trick employees into revealing sensitive information such as login credentials, financial data, or personal information.
  • Malware
    • Designed to disrupt, damage, or gain unauthorized access to computer systems, malware includes viruses, worms, Trojan horses, and ransomware.
  • Insider Threats
    • Insider threats involve malicious (e.g., stolen intellectual property) or accidental actions (e.g., file deletion) by employees, contractors, or other insiders that can result in the loss or theft of sensitive data.
  • Advanced Persistent Threats (APTs)
    • APTs are long-term, targeted attacks that are designed to gain unauthorized access to a network or system and remain undetected for extended periods.
  • Distributed Denial of Service (DDoS) attacks
    • DDoS attacks involve flooding a network or server with traffic to overwhelm it and prevent legitimate users from accessing the system.
  • Zero-day Exploits
    • Zero-day exploits are vulnerabilities in software or hardware that are unknown to the vendor or manufacturer, making them difficult to defend against.
  • Physical Security Breaches
    • Even though so much has been moved to the cloud, physical security breaches are still a major attack vector. They involve unauthorized persons accessing a company’s physical facilities, such as server rooms or data centers, and steals or damages sensitive data or equipment.

Businesses should implement security measures that can protect against these and other security threats to ensure the confidentiality, integrity, and availability (CIA triad) of their sensitive data and systems.

Identifying Security Gaps

Before implementing security controls, the assets have to be properly identified and categorized. Not only that, but a gap analysis has to be performed to determine any security gaps.

Businesses can identify security gaps before they are exploited by reviewing the following. While each of these is also a best practice, considering new and reviewing current implementation will also reveal any gaps in how they’re supposed to be implemented, how they actually are implemented, and what needs to be changed in the processes, policies, and procedures.

  • Regular Security Assessments
    • Regular security assessments can help businesses identify potential security vulnerabilities before they are exploited. These assessments can include penetration testing, vulnerability scanning, and risk assessments.
  • Network Monitoring
    • Network monitoring can help businesses detect and respond to potential security threats in real-time. This can include monitoring network traffic, system logs, and user behavior.
  • Security Patching and Updating
    • Applying security patches and updates to software and hardware can help businesses address known vulnerabilities and prevent them from being exploited by threat actors.
  • Access Control Reviews
    • Review the current controls will reveal items such as orphaned accounts and those who have Domain Administrator access. Access controls such as strong passwords, two-factor authentication, and role-based access can help businesses restrict access to sensitive data and systems and prevent unauthorized access.
  • Employee Training and Awareness
    • Employee training and awareness programs help educate employees on the importance of security and how to identify and report potential threats.
  • Third-Party Risk Management
  • Businesses should also assess the security of their third-party vendors and partners (sometimes fourth- and fifth-parties) and ensure that they have the appropriate security measures in place to protect data.

Best Practices for Securing Business Networks

Some best practices for securing business networks include:

  • Strong Passwords
    • Encourage employees to use strong passwords and implement password policies that require the use of complex and unique passwords. When possible, technically enforce these policies (e.g., Group Policy).
  • Apply Software and Hardware Updates
    • Regularly updating software and hardware can help businesses address known vulnerabilities and prevent them from being exploited by threat actors.
  • Network Segmentation
    • Network segmentation can help businesses limit the impact of a security breach by isolating critical systems and data from the rest of the network.
  • Encryption
    • Encryption can help businesses protect sensitive data in transit and at rest. This can include using SSL/TLS encryption for web traffic and implementing disk encryption for laptops and other mobile devices.
  • Monitor Network Traffic
    • Network traffic monitoring (this includes logging, monitoring, and alerting) can help businesses detect and respond to security threats in real-time. This can include implementing intrusion detection and prevention systems (IDS/IPS) and firewalls.
  • Conduct Regular Security Audits
    • Regular security audits can help businesses identify potential security vulnerabilities and address them before they are exploited.

Another important aspect of security included policies and procedures. There’s plenty of guidance for writing these, but they’re important for 2 main reasons: they provide 1) an objective reference for how businesses run their security, and 2) a reference for future leaders to be able to understand and implement appropriate security in the organization.

Contact a Trusted Advisor

Are you concerned about the security of your business network? Our company offers a range of security solutions designed to help businesses proactively identify and address potential security threats before they are exploited by threat actors. When you need help assessing and testing your network security controls, our team of security experts is here to help. Contact us today to schedule a consultation and take the next step towards securing your organization’s network.

Penetration Testing Frameworks

Penetration Testing Frameworks

Penetration tests are a vital component of a vulnerability management program. Vulnerability management can be confused with vulnerability scans, which, while necessary to an entire risk program, are not the same as penetration tests.

Why penetration testing? According to Verizon’s 2022 Data Breach Investigations Report (DBIR), 80% of data breaches for the current report are due to External actors. This isn’t much of a change from Verizon’s 2008 report, when it was 73%. Pentesters are necessary to an organization’s security to provide this kind of external attack tactic, but with the confidence that the protectors and defenders, not criminals, are doing the testing.

Penetration testing involves numerous tasks involving different stages. Frameworks provide penetration testers a structure to follow, keeping the details and activities from becoming chaos. It’s like the quote “Time is what keeps one thing after another from becoming everything at once.” Frameworks keep one task after another from turning into every task at one time. The pentester may have a terrific capacity for memorization, but there are so many things to do and remember that one missed detail can ruin the test.

Frameworks also provide a ready reference to customers. When a pentester says, “I use X framework,” or “My methodology is based on Y framework,” then the customer can easily check online to verify details of what’s being performed. A transparent reference provides a higher level of trust and confidence between the vendor and client.

We’ll cover some of the most widely known frameworks and end with the importance of customized ones.

We’ll start with 2 historical frameworks. While outdated they are still in the wild because they have great information.

Historical Pentesting Frameworks

  • The Information Systems Security Assessment Framework (ISSAF) is no longer maintained, and therefore outdated (if you go to oissg.org or search on whois.com/whois, you’ll see the domain is for sale). But the 845-page PDF, dated May 2006 (hard to find, but free) is a wealth of information, being a compendium of terms, processes, concepts, and tools.
  • Th Penetration Testing Framework is a site with a ton of technical information, even for non-pentesters. You’ll find it at http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html. Your browser may give a warning to Proceed with Caution. This is an HTTP, not HTTPS, site, but is worth a visit.

Penetration Testing Frameworks

Image by Gerd Altmann from Pixabay
  • The Open Source Security Testing Methodology Manual (OSSTMM) created by ISECOM (Institute for Security and Open Methodologies). The OSSTMM doesn’t focus so much on tools so much as on testing controls to meet regulatory requirements. You’ll find it here: https://www.isecom.org/research.html
  • The Open Web Application Security Project (OWASP) provides the OWASP Testing Guide (OTG) (https://owasp.org/www-project-web-security-testing-guide/stable/)  and focuses on web application security testing throughout the software development life cycle (SDLC). Because of the focus on web apps, it doesn’t delve into networks or non-web servers, but for those testing web applications it’s an invaluable framework.
  • The National Institute of Standards and Technology (NIST) created a cybersecurity framework (https://www.nist.gov/cyberframework) to help organizations of all sizes and industries improve security by providing guidance on implementing activities appropriate to a company’s individual risks.
    • The Penetration Testing Execution Standard (PTES) provides a high-level view of pentesting tasks and stages. The presentation of steps and guidelines, without giving specific steps, gives great flexibility in creating one’s own methodology. You’ll find it here: http://www.pentest-standard.org/index.php/Main_Page
  • Honorable Mention:
    • The MITRE ATT&CK Framework is sort of a reverse pentesting framework because it points out the criminal attacker’s method. Knowing this can help organizations better defend themselves from cyber attacks. https://attack.mitre.org/

Framework Customization

Image by Gerd Altmann from Pixabay

With these, and many more, pentesting methodologies, what do you choose? Which is right? Each of these has pros and cons depending on what one tests. For example, if one wants to test the wi-fi security of its wireless endpoints, OWASP would not be a good fit. And it’s likely that implementing the NIST framework would be overwhelming and cost-prohibitive to a small-medium business (SMB) that simply wants a few servers, a handful of workstations, and the firewall tested once a year.

To better accommodate individual corporate needs, and providing better focus, experienced pentesters will develop their own framework or methodology to best suit the needs of their customers and market.

Cybersecurity Crusaders has developed our own methodology based on the PTES framework. This personalized methodology is DAER.

Because DAER is based on PTES, it has a solid foundation in an industry-wide accepted methodology, and through experience has been adapted to better fit customer needs. You can think of it like buying a house. The house is new and good but remains just a structure with potential until the buyer proceeds to make the house a home by changing what needs to changed to fit the buyer’s needs. Pentest frameworks are much that way – they all provide a great starting point, but the pentester is the one who has to “live” in the framework, and needs to adapt, combine, and mesh other aspects to fit properly.

DAER consists of 4 stages:

  1. Discover
  2. Analyze
  3. Exploit
  4. Report

DISCOVER

During the Discover phase, we identify target systems, network ranges, ports and services, and vulnerabilities in running services and configurations by using a series of reconnaissance exercises. The objective of this stage is to identify your organization’s critical assets.

ANALYZE

During the Analyze stage, findings from the Exploit stage are analyzed from a business perspective to effectively translate the vulnerabilities into business risks.

EXPLOIT

During the Exploit phase, techniques used by criminal hackers are simulated in a controlled manner to verify the identified vulnerabilities and assess the extent of their effects.

REPORT

To ensure the success of the entire exercise, comprehensive reports are presented and submitted to the management during the final Report stage. Additionally, a compliance report, a risk assessment report along with a strategic risk treatment plan shall also be developed specifically for your organization.

The DAER methodology provides a common, understandable, and repeatable framework for both the customer and the pentester assigned to their project, assuring that findings and reports are delivered in a consistent and coherent manner to all parties involved.

Cybersecurity Crusaders’ pentesters have years of professional experience in uncovering areas of weakness and with the goal of simulating real-world style attacks. We will assess your IT infrastructure by performing security assessments of your controls and components, including human, physical, wireless and data networks.

The findings are compiled into a management-focused report and presenting recommendations that align with your business goals.

Contact us for a free consultation to see how Cybersecurity Crusaders can help you improve your corporate security.

Penetration Testing and MSPs

Penetration Testing and MSPs

(source: pablo.buffer.com)

Managed Service Providers

MSPs provide invaluable services to companies with minimal or no IT staff. When prospects sign on as customers, they’re expecting the experts to be ready at a moment’s notice to fix any issues based on their contract. One request that arises is the infrequent, perhaps semi-annual, request for pentesting. Perhaps the client looking to assure their customers of an advantage in the marketplace. Maybe the client is going to acquire another business and needs to verify that business’s security. Or they have a pending sale that will more than offset the cost of a pentest. Possibly, they’re looking at getting SOC 2, or some other certification, or even entering the regulatory landscape for something like HIPAA or PCI DSS.

Another inherent demand is the foundational premise that an MSP implicitly – if not explicitly in contract – makes the MSP itself responsible for securing the client’s networks and computer. Clients may focus on adding technology while reducing administration, but they may not understand that each technology opens up more attack vectors. With the increased demand for ensuring a client’s security, above and beyond providing managed services, what can an MSP provide that would create a competitive advantage against other MSPs?

Improving Client Security

For MSPs, the focus is on IT services, and adding on internal security staff will be expensive, perhaps more than is worth any benefit. Moving from being an MSP to being an MSSP may prove too much of a resource burden.

One popular and necessary information security service is a vulnerability assessment. Vuln tests and assessments are essential for an org’s security posture and could be provided by an MSP, but the assessment is not necessarily a reflection of a company’s true security stance because it’s missing manual intervention and probing of systems. Additionally, a client can potentially perform vuln testing at will, using less expensive tools, less than what an MSP can provide. Internal pentesting by a company is beneficial, but it’s not considered vendor neutral. Internal penetration testing is good for bolstering confidence in your security, but only if it’s an addition to third-party testing.

Turning One-Off Purchasers into Customers

(source: pablo.buffer.com)

MSPs may have many break/fix clients who only interact with them when IT problems strike. What if more of those break/fix clients could not only see the benefit of managed services, but also be shown the advantage of better securing their infrastructure? What if the MSP could prove to customers that they have improved security because of the managed services?

Third-party penetration testing could turn break/fix clients into customers. Break/fix vendors send a professional IT technician to a customer’s location to analyze and determine system issues, then provide on-prem remedies. Businesses are charged for those services rendered, and the services don’t carry contracts or subscriptions with ongoing fees built in. If those one-off clients could be provided a fuller service by an MSP, it can prove to be a competitive advantage for both the MSP and the irregular customer.

The third-party penetration testing model helps keep tests consistent because a client’s internal pentesters might tailor the methodology around what they think should be tested based on the knowledge of any recent updates or changes (not counting the possibility of a conflict of interest). Third-party testers will have a more objective view of testing, not making assumptions as to what should be tested. Third-party testing also avoids conflicts of interest. They are paid to be disinterested and impartial, so working with a provider without them being on your payroll leads to increased trust.

As an MSP, adding third-party pentesting to your repertoire can help customers create a better total security program. While you may implore your customers to implement X, they may decide against it (whether due to cost, lack of time, no interest, etc.). An independent penetration test might well bring up not only verified reasons for implementing X but could also uncover other vulnerabilities that can be solved by you as the MSP. This data will be beneficial both to the customer in their security program and to you, the MSP, as a provider of new and necessary services.

Offering pentesting services can assist an MSP if a current client needs to move from on-prem to a hosted platform. After such a major move, clients will want to ensure that their security posture has remained as effective as before, if not improved. They may also want a third-party baseline scan before moving to the cloud.

Third-party pentesting provides added insight into a customer’s network security because it performs exploitation and post-exploitation to demonstrate the impact of attacks such as numerous attempts at privilege escalation and lateral movement. Even if a pentest does not uncover blatant vulnerabilities (e.g., XSS, SQLi), this objectivity opens up other areas where the customer may be vulnerable. As an example: what if a pentester can uncover a wiki or support site that contains a login that isn’t validated, which can then lead to creating an account that allows that account to pull organizational data, however minimal (e.g., ticket number and details, names, and email addresses)? A third-party penetration testing firm can provide a wealth of actionable knowledge for both the client and the MSP.

Leveraging Teamwork

Hiring third-party testers relieves the resource burden on an MSP. Professional pentesters as on-prem staff can be expensive – not only is initial certification pricey, but ongoing training is expensive. Outsourcing this can be for the same reasons that your customers rely on you – reduction of expenses. While you may be able to afford some staff with certain certifications, your clients – for reasons such as regulations or internal policies – may require certain certifications that you don’t have. Your personnel may have OSCP or CEH, but what if DoD clients require Pentest+, or other clients require GPEN? Hiring third-party pentesters can greatly increase offerings by selecting testers who are both expert and certified according to the needs of your clientele.

It may be too expensive to move to being an MSSP, so adding penetration testing services might be the right move.

Cybersecurity Crusaders’ penetration testers have years of professional experience in uncovering areas of weakness and with the goal of simulating real-world style attacks. The findings are compiled into a management-focused report and presenting recommendations that align with your business goals.

The D.A.E.R. penetration testing methodology provides a common, understandable, and repeatable framework for both the customer and the pentester assigned to their project, assuring that findings and reports are delivered in a consistent and coherent manner to all parties involved.

Contact us for a free consultation.

Pentesting as Part of Reasonable Care for Strengthening Law Firm Security

Pentesting as Part of Reasonable Care for Strengthening Law Firm Security

The Need for Data Security Protection

In March 2021, Formal Opinion 498 was release by the Standing Committee on Ethics and Professional Responsibility of the American Bar Association. These rules guide lawyers, when conducting virtual legal practices, as follows:

In compliance with the duty of confidentiality, lawyers must make reasonable efforts to prevent inadvertent or unauthorized disclosures of information relating to the representation and take reasonable precautions when transmitting such information.

To make a blanket statement for the world re: most of 2020-2021: if something could be done virtually, it was done virtually.

While the pandemic response drove technology to new heights, it also drove cybercrime to new heights. Not far into the whole situation, worldwide, an exponential number of homes were both a new workplace and a new vector of attack.

In an article from Bloomberg (https://news.bloomberglaw.com/tech-and-telecom-law/kaseya-hack-pushes-companies-to-deepen-attorney-it-relationship), the reporter states the issue, the tension, and the solution:

An attack on file-sharing company Accellion Inc. affected several law firms earlier this year, and clients are asking more and more questions about the security postures of the law firms they work with…Clients are getting better at managing their own risk, and with that I’m seeing a sharper and sharper look as well as greater scrutiny of providers, including law firms…Don’t just check the box…Have the lawyers and info security teams sit together and really collaborate.” (emphasis mine)

With law firms under increased security guidance and more intense scrutiny, they need to up their game in the protections they provide for the data of both their clientele and their firm.

The Importance of Trust

Trust is important. Even more so when it comes to all the confidential data that law firms must handle.

As an example: After a deponent has accepted the transcript of a deposition, that transcript is stored for permanent record. How important is it to the deponent, even to all parties involved, to keep that document secure? It may be available for distribution, but can it be changed? Part of the process is ensuring that it remains immutable. What could happen if someone was able to get in and change the deposition?

In 2016, over 2.6 terabytes of data (containing 11.5 million files) were extricated from Mossack Fonseca, a law firm headquartered in Panama. The case of the “Panama Papers” was one of the largest breaches of all time and implicated numerous world leaders who participated in forming shell companies for offshore wealth management. (for more recent coverage, research the recent news about “Pandora Papers)”

Two of the primary causes of the breach were:

1) unencrypted emails, and

2) outdated Drupal server.

Additionally, the servers and workstations were not properly segmented.

While the first issue might be more about user training (not encrypting sensitive emails when sending them), the other issue (and other related problems) is technical and just might have been discovered by having a third-party test both the external services and internal setup. The missing controls could have been discovered by internal personnel, but internal staff are prone to underestimate of tone down the severity of issues.

Also consider the case of “Shore et al v. Johnson & Bell, Ltd” (also from 2016). (https://law.justia.com/cases/federal/district-courts/illinois/ilndce/1:2016cv04363/325450/56/)

This was the first class-action suit regarding law firm data security, claiming that the firm Johnson & Bell was guilty of legal malpractice because it allowed information security vulnerabilities which put client information at risk.

The suit did not end in class-action, but it was a wake-up call to law firms to protect both their data and their reputations.

Confidentiality and Integrity

You’re likely familiar with the CIA triad – Confidentiality, Integrity, and Availability. For the jurisprudence realm, Confidentiality and Integrity are of utmost importance. While there are many security components involved in ensuring that information can only be seen and changed by those with the authority to see and change it, an important factor is penetration testing.

Whether you need a penetration test for compliance, for proving to customers that you take cybersecurity seriously, or you simply want to prove to yourself, your partners, and your staff that you have a strong security posture, Cybersecurity Crusaders will help.

The D.A.E.R. penetration testing methodology provides a common, understandable, and repeatable framework for customers and the pentester assigned to their project, assuring that findings and reports are delivered in a consistent and coherent manner to all parties involved.

Contact us for a free consultation.

Improving Cybersecurity for Financial and Healthcare Organizations

Improving Cybersecurity for Financial and Healthcare Organizations

Image courtesy of pixabay.com

Recent Events

In mid-August 2021, a major financial services giant reported a data leakage on its site and mobile app that allowed customers to view the data of other customers. For financial firms like this one, two of the highest costs are fixing the cause of the breach and regaining customer trust.

Also in mid-August 2021, a US health system suffered a security incident that resulted in service cancellations and emergency room diversions. For healthcare companies like the one in this example, one of the greatest costs is getting things back up and running (both in downtime and lost revenue), and one of the largest threats is patient damage or even loss of life.

Before proceeding, no blame is intended – crimes happen, and will continue to happen, even with the best security. What is intended is for industries to take note of the seriousness of cybersecurity and invest in it to the greatest extent possible.

Healthcare industries have been shown to be increasingly targeted (you can read Sophos’ study on ransomware in the healthcare industry here: https://secure2.sophos.com/en-us/content/state-of-ransomware.aspx).

Financial firms continue to be major targets due to the literal treasure chests they hold. (see this recent NY Time article about what leading banking execs consider the primary threat to financial institutions: https://www.nytimes.com/2021/07/03/business/dealbook/hacking-wall-street.html)

Regulations and Requirements

Almost everyone in these industries is familiar with the following acronyms: FDIC, GLBA, PCI-DSS, SOX, HIPAA, HITRUST. Add to this the ever-expanding list of individual state regulations for privacy (e.g., CPA (Colorado Privacy Act), CPRA (California Privacy Rights Act), and there’s a clutter of acronyms that remains difficult to keep track of.

For heavily regulated industries (such as financial and healthcare), regulations exist for a purpose. Customers are trusting these companies to securely store their money and their private information, and even provide life-sustaining services.

A major aspect of regulations and compliance is regularly performing an external third-party pentest. Having said this, there’s nothing yet to indicate that the companies mentioned above did not have penetration tests performed. But, the public, security practitioners, and, more importantly, the customers who were affected, wonder what went wrong. Were regulations and security practices followed? Were any findings from penetration testing and vulnerability scanning remediated, or at least in process of being remediated?

When it comes to regulatory actions, not every regulation requires pentesting, but there are 2 things to keep in mind:

  1. Pentesting can cover numerous requirements for many regulations, even if not noted specifically (PCI-DSS requires it in Requirement 11.3, but HIPAA doesn’t)
    1. E.g. HIPAA’s Evaluation Standard § 164.308, specifically (§ 164.308(a)(4))27, requires evaluating access control security measures. Pentesting covers this, the requirement for a security risk analysis, and potentially other areas.
    2. For more information on HIPAA requirements, see here: https://www.law.cornell.edu/cfr/text/45/164.308
    3. Consult with your HIPAA Security Officer for specific guidance for your healthcare org.
  2. While there’s no single PDF for “Cybersecurity Best Practices,” third-party pentesting is toward the top of the list for activities that assure prospects and customers that a company is truly investing in security best practices.

Every company wants to earn the trust of their customers, so creating a useful product or service that remains updated to serve their clientele is at the top of the list for gaining and keeping loyal customers. This workload in and of itself is daunting.

Part of the entire product & services strategy is assuring customers that the company’s offerings keep data private and secure. A significant factor in this is that federal and state governments also want to ensure that company’s do right by their customers. A couple prominent examples are HIPAA and GLBA. The regulatory requirements  for privacy and security by HIPAA and GLBA are not light. For regulated organizations who are also in the SaaS business, additional requirements such as SOC 2 or ISO 27001 compliance add an additional resource burden.

Regulations and compliance requirements are actually key components in a company’s reputation (they can be GREAT for marketing!), and are worth pursuing, gaining, and maintaining. As the old saying goes, “The devil is in the details.” It’s one thing to pay for any, much less all, of these; it’s another thing to attain them; it’s yet another thing to maintain them. Maintaining regulatory and compliance requirements is where the true ongoing cost comes into play – there are numerous activities that have to be recorded, saved, logged, noted, referenced, and updated each day/week/month/quarter/year.

Questions and Where to Go for Answers

The term “Trusted Advisor” is a vital term to know. Every company needs at least one for cybersecurity. It doesn’t matter who it is – what’s important is having someone who can more objectively assist with the ever-changing world of securing an organization, and is able to do it when a company needs the advice.

Numerous document repositories are either online or connected to something online. This provides great convenience for customers – and great convenience for criminals. As a business owner or leader, how certain are you of the online security of the data that you hold for your customers?

According to a recent Sophos article, one of the top 3 things victims wish they had done was make sure remote RDP was disabled. Do you know what ports are open? How can you find out? While you could have internal staff test for this vulnerability, or any number of vulnerabilities, an important aspect of securing an organization is having objective, disinterested, and external experts search for vulnerabilities and give expert advice on fixing them.

Here are some key questions to evaluate your cybersecurity posture:

  1. What are all your internet-facing resources?
  2. Do those resources contain sensitive data?
  3. Are those resources updated and secured?
  4. Are those same resources free of malware?

Cybersecurity Crusaders performs vulnerability assessments and penetration testing that not only fills regulatory gaps, but also works with you to further ensure your company’s security. The D.A.E.R. pentesting methodology provides a common, understandable, and repeatable framework for customers and the pentester assigned to their project, assuring that findings and reports are delivered in a consistent and coherent manner.

Curious as to what sets Cybersecurity Crusaders apart from other vendors? Are you concerned your defense won’t stand up to malicious cyberattacks? We can help you find out. Contact us for a free consultation.