In October 2016, Uber, the global ride-hailing company, suffered a massive breach in which attackers stole personal data belonging to approximately 57 million riders and drivers. Uber concealed the breach for a year, paid the attackers to delete the data, and gave regulators no notice before finally disclosing the incident. As a result, Uber has undertaken a large investigation into the hack.
Although Uber is under heavy scrutiny, there are several lessons executives, vendors, and business associates can learn from this breach. Any organization, regardless of size or type, can be attacked, so it is important to recognize current risks in order to mitigate and prevent them.
Three significant takeaways from the Uber breach that every organization should follow as best practices:
- Restrict access with proper authorization and access controls
- Improve third-party vendor management
- Design and follow an incident response program
Restrict Access With Proper Authorization and Access Controls
Technically, the attackers first gained access to a private GitHub repository used by Uber software engineers. There they found login credentials for the company’s Amazon Web Services (AWS) account, where personal data, including names, email addresses, phone numbers, and driver’s license numbers, was stored.
To prevent unauthorized access, businesses should limit access through proper authentication and access controls, granting each user only the access their role requires.
For GitHub users, restricting repository access to teams defined by roles and responsibilities adds a layer of control and gives greater visibility into activity and committed changes. For further protection, businesses should educate employees never to store or share passwords, and should require multi-factor authentication, preferably a hardware token supporting Universal 2nd Factor (U2F), on every account that can reach source code.
Improve Third-Party Vendor Management
When using third-party services, due diligence is essential. Uber’s developers made two mistakes with one such third party, GitHub: accidental misuse of GitHub’s functionality, and poor review of the information sent to the service.
As the investigation is still pending, it is difficult to pinpoint how the hackers accessed Uber’s GitHub account. It is possible, however, that the company did not adequately use .gitignore files, a feature that keeps listed files out of a git repository, so credentials, passwords, keys, and other sensitive data ended up in committed code where the attackers could read them. Note that .gitignore only stops untracked files from being added; it does nothing for files that are already tracked, or for secrets pasted directly into tracked source files.
Organizations using cloud service providers and hosted repositories should therefore review every file and all source code before uploading. The attackers obtained Uber’s AWS credentials from source code that Uber had pushed to GitHub. To help prevent this type of attack, never hard-code credentials in source code; load them from an environment variable or a secrets manager instead, and scan files for credentials before every upload even when using .gitignore. Once a secret has been committed, treat it as compromised and rotate it: deleting it in a later commit does not remove it from the repository’s history.
Additionally, an organization that maintains multiple copies of a repository should keep one of them private and protected; that copy becomes the single source of truth the organization can trust.
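The pre-upload credential check described above, as an added example for this article (it is not Uber’s, GitHub’s, or A-LIGN’s tooling). It scans text for AWS access key IDs and secret access keys using AWS’s published key formats, filters low-entropy placeholders so that obvious dummies are not flagged, and exits non-zero when run as a git pre-commit hook. The sample file contents are constructed for this example and use the placeholder keys from AWS documentation, not live credentials.

```python
"""Pre-upload credential scan (added example; not Uber's, GitHub's, or A-LIGN's code).
Constructed sample input below uses AWS's documentation placeholder keys."""
import math
import re
import sys
from collections import Counter

# Long-term access key IDs start with AKIA, temporary ones with ASIA; 20 characters total.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-style characters. Requiring an assignment context
# keeps arbitrary 40-character strings (hashes, IDs) from being flagged.
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret[_-]?key)\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})\b"
)
MIN_SECRET_ENTROPY = 3.5  # bits/char; real keys sit near 4.5, placeholders far lower


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a constant string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, path: str = "<stdin>") -> list:
    """Return one finding dict per credential-looking token, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_access_key_id", "value": m.group(0)})
        for m in AWS_SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= MIN_SECRET_ENTROPY:
                findings.append({"path": path, "line": lineno,
                                 "kind": "aws_secret_access_key", "value": candidate})
    return findings


def scan_files(paths) -> list:
    """Scan each file; binary or unreadable files are skipped rather than crashing the hook."""
    findings = []
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8") as fh:
                findings.extend(scan_text(fh.read(), path))
        except (OSError, UnicodeDecodeError):
            continue
    return findings


# Constructed sample config; both key values are AWS's documentation placeholders.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
secret_key = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
region = us-east-1
"""

if __name__ == "__main__":
    # As a pre-commit hook:  git diff --cached --name-only | xargs python scan.py
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_CONFIG, "sample.ini")
    for h in hits:
        print(f"{h['path']}:{h['line']}: {h['kind']} {h['value'][:4]}...")
    sys.exit(1 if hits else 0)
```

Run against the constructed sample, the scanner reports the access key ID on line 2 and the secret on line 3, and ignores the all-`a` placeholder on line 4 because its entropy is zero. Wiring it into a pre-commit hook blocks the commit before anything reaches the hosted repository, which is the point at which Uber’s credentials were exposed.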
Design and Follow an Incident Response Program
Good business practice always includes an incident response program: a set of policies, procedures, and processes to address, mitigate, and respond to an incident appropriately. Depending on the organization, some elements of the program may be legally mandatory.
For Uber, the apparent disregard of, or lack of, an appropriate incident response process had major legal and regulatory consequences. Under state and federal requirements, Uber was obligated to notify affected users and government agencies when sensitive information such as driver’s license data was breached. Its failure to disclose the hack resulted in customer lawsuits alleging negligence in protecting their data.
To prevent an incident, or to manage one properly when it occurs, organizations should design and follow an incident response plan suited to their needs and requirements.
A successful Incident Response Program should help an organization to:
- Prepare: Train employees and have tools, contacts, and procedures ready before an incident occurs
- Identify: Recognize an event and determine whether it is an incident
- Contain: Limit damage and isolate affected systems to prevent further spread
- Eradicate: Investigate and remove the root cause
- Recover: Restore systems to normal operation and confirm the threat is gone
- Improve: Complete incident documentation and apply the lessons learned
Security threats and data breaches can hit any organization. Recognize the lessons of the Uber attack to keep your organization from becoming the next victim.
If you would like to learn more about these best practices and how A-LIGN can assist your organization in preventing an attack, please contact us at [email protected] or 1-888-702-5446.
Today, many businesses are presented with the opportunity for growth and development. With these new opportunities come risks and challenges, many of which they have never seen before.
The digital landscape is as vast as it is complex, and businesses are seeking proactive guidance to address their information security risks and meet their compliance requirements. Among the available solutions for these emerging challenges are specific audits and security assessments.
Although audits can seem daunting, they have benefits beyond satisfying customer requests and improving information security: conducting annual audits and assessments can also lead to increased revenue.
Some of the advantages of having an audit conducted include:
- Winning and retaining clients
- Improving operations
- Facilitating strategic initiatives
Winning and Retaining Clients
In many industries, an assessment of an organization’s information security is required before business can be conducted. This requirement is key to winning new business and retaining existing clients, because audits demonstrate an organization’s due diligence in adhering to security requirements and safeguarding client data.
One of the largest benefits is the revenue tied to audits. By maintaining, assessing, and validating controls, a business can attract prospective clients and give current clients the assurance they need about its processes.
“We are fast growing and we keep expanding our scope adding additional audit frameworks, locations around the globe, and new services. Our clients depend on the accuracy and details that are provided in these audits,” stated Virtustream, an A-LIGN client since 2011.
By complying with and maintaining current customer requirements, businesses can readily meet future requests from prospective customers, which streamlines the sales cycle. Audits can even help a business enter new markets: by adhering to robust requirements, a business can address the particular needs of clients in other sectors. This competitive advantage diversifies the client base and supports future sales.
Improving Operations
The foundation of a good business often rests on management’s commitment to good governance. Undergoing an audit promotes a sound infrastructure and system through the implementation of proper internal policies, procedures, and controls.
myMatrixx, a client since 2011, described how A-LIGN became an invaluable partner providing solutions that “helped [them] establish and maintain [their] compliance and governance initiatives.”
By building a reliable foundation, businesses can cut costs and make business operations more efficient, allowing executives to focus on improving products and services with opportunities for scalable expansion.
During an audit or assessment, an independent third party examines business process controls to validate that they operate as claimed. The reports generated after the audit identify areas for improvement and suggest remediation, allowing businesses to make their operations more efficient.
Facilitating the Future
Audits are snapshots of a business’s current processes, so when planning strategic initiatives, audit reports provide insight that helps executives focus on what matters most.
“A-LIGN looked beyond the foyer, as to whether these things could be regularly done or performed. That’s important because you’re not just auditing the client for the current period, hopefully, you’re setting the client up for continued success” said Advanticom, Inc., a client since 2016.
An audit report can help identify areas of weakness that may need to be addressed prior to future development and expansion. Thus, a business can become proactive, rather than reactive when planning for growth.
The A-LIGN Difference
A-LIGN customizes our compliance solutions on a case by case basis to streamline the audit process allowing our clients to have the peace of mind of improved security and reduced risk, along with the ease of working with a single provider.
A-LIGN’s goal is to exceed expectations on every level and help our clients overcome any security or compliance hurdle they may face. We use a company-wide approach to ensure our team of professionals perform at the highest possible standard, delivering the best quality in support.
“Part of our mission at A-LIGN is that we believe every client deserves the highest quality audit execution and deliverables. Therefore, we are universally committed and invested in our clients and their success for the future. By maximizing the long-term value of our audits, we can help our clients build a lasting infrastructure scalable for any lifecycle growth.” said Scott Price, CEO of A-LIGN.
When organizations improve their operations and facilitate strategic initiatives, executives can expand and develop their business thus diversifying and increasing their revenue streams.
If you would like to learn more about A-LIGN and how we can assist your organization in meeting your security, compliance, and privacy needs, please contact us at [email protected] or 1-888-702-5446.
On Thursday, October 26th, A-LIGN held an Ask Me Anything (AMA) Q&A forum on Reddit to conclude National Cyber Security Awareness Month by providing further insight into the data breach landscape. Members of our penetration testing team answered questions about penetration testing, hacking, and information security. Below are the top five questions asked during the forum and the answers provided by Managing Consultant Kelly Matt and Senior Consultants Van Bettis and Josh Valentine.
1. Are there any common problems that you find when conducting a penetration test? What tools are used to access a system?
The most common technical problems we find are SSL, TLS, and encryption-level vulnerabilities. Default credentials are definitely used to access a system, even something as simple as a WordPress default or a legacy system that was never changed. This is very common on printers and other Polycom systems. We find that most organizations also lack a robust vulnerability management program.
2. Does it matter which type of 2-factor authentication you use (SMS, authenticator apps, physical devices)? Are some of them more secure from various attacks?
Absolutely! Text messaging is very susceptible to attacks. Many government entities and compliance regimes are no longer allowing multi-factor authentication (MFA) to be text-based. As long as you stay away from text-based MFA, you are in a much better state. If your options are either not doing anything or using text, I would still recommend using text. We recommend using MFA everywhere you can. Google Authenticator is open source and can be used anywhere. It can be tedious, but it’s worthwhile.
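What an authenticator app actually computes, as an added example for this article (it is not code from A-LIGN or from Google Authenticator): an RFC 6238 TOTP generator and the matching server-side check. The key is the RFC 6238 Appendix B test key, so the codes can be compared against the RFC’s published vectors. The verifier accepts one time step of clock skew on either side, compares in constant time, and records the last accepted counter so that a code captured in transit cannot be replayed within the window.

```python
"""RFC 6238 TOTP generation and verification (added example, not the page's or any
product's code). RFC6238_KEY is the test key from RFC 6238 Appendix B."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

RFC6238_KEY = b"12345678901234567890"  # RFC 6238 Appendix B test key, not a real secret


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(key, counter) -> dynamic truncation -> `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP over the number of `step`-second intervals since the Unix epoch."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Returns (accepted, counter). The caller persists `counter`
    after acceptance and passes it back as `last_counter`, so a code that was already
    used (or an older interval) is refused even though it is still inside the window.
    Each candidate is compared in constant time."""
    if not (code.isdigit() and len(code) == digits):
        return False, last_counter
    now = unix_time // step
    for d in range(-window, window + 1):
        c = now + d
        if c > last_counter and hmac.compare_digest(hotp(key, c, digits), code):
            return True, c
    return False, last_counter


def provisioning_uri(key: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI an authenticator app imports from an enrolment QR code."""
    secret = base64.b32encode(key).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    print("code for T=59:", totp(RFC6238_KEY, 59))          # matches RFC 6238 vector 94287082
    print("current code:", totp(RFC6238_KEY))
```

The only secret is the shared key: an SMS code, by contrast, travels over the carrier network, which is why an attacker who can redirect the victim’s number (a SIM swap) receives it. A hardware U2F key goes one step further than TOTP by also binding the response to the site’s origin, which defeats phishing pages that relay codes in real time.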
3. Have there been any hacks that you have been particularly proud of?
Using cross-site scripting as an initial attack vector, along with vulnerability stacking to compromise the database’s users. Once an affected user logged into the system, their credentials were immediately sent to an offsite location controlled by us. Vulnerability stacking is when you use multiple vulnerabilities to elevate an attack vector.
Vulnerabilities that were used in the attack: Cross-site scripting (XSS) and cross tenant access (accessing unauthorized tenant accounts from another tenant).
4. How does it feel to work in a field where you must “predict” what others may do? How hard is it to find solutions to the vulnerabilities that we see around?
Being an information security professional can feel overwhelming at times. The space is constantly evolving and changing and it would seem that Moore’s Law may, in fact, apply here too.
I have found that proactive processes that help identify and manage risks are of critical importance. The threat landscape is constantly evolving and a system that was perfectly safe this morning can have a Zero-day by the afternoon.
If you build a strong security foundation with measurable repeatable processes it is not that hard to defend against many of the most common attacks and vulnerabilities we see. Most of this starts with good IT hygiene and a strong culture of security.
5. When you hear of something like the Equifax breach what do you think? What could they have done differently?
Equifax had a vulnerability management program that missed a critical vulnerability allowing remote code execution. So yes, they had a program in place, however, it needed to be reviewed to ensure it was comprehensive in doing what they thought it was doing. They became security-complacent, and the breach was indicative of that. A third-party penetration test could have caught this vulnerability, no questions asked.
Have any questions regarding penetration testing and how to secure your organization from a data breach? Contact A-LIGN’s experienced penetration testers at [email protected] or 888-702-5446 for more information.
Following the 2017 AICPA Engage Conference in Las Vegas, one topic has been at the center of discussion: blockchain. Previously associated mainly with cryptocurrencies such as Bitcoin, blockchain has now attracted investments in the billions. According to Google Trends, search interest in ‘blockchain’ reached its highest level this past month since the term first registered in 2012, illustrating its popularity and emergence into commercial use. With cybercrime still rising, many industry leaders believe blockchain could underpin new security tactics through decentralized, cryptographically linked ledgers. However, many still do not understand blockchain or how it works.
What is Blockchain?
Blockchain is an alternative technology for managing, exchanging, and storing data. Because it is a decentralized, distributed ledger, its transaction history is transparent and tamper-evident: every block carries a cryptographic hash of the block before it, so altering a past record changes every later hash and is detectable by every participant. A product of research and breakthroughs in cryptography and distributed systems, the technology allows organizations to move assets more quickly and with stronger integrity guarantees.
Proponents argue that blockchain strengthens security and reporting through:
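The tamper-evidence property described above, reduced to its mechanism. This is an added example for the article, not the code of any blockchain product: a minimal hash-chained ledger with no networking, consensus, or proof-of-work. It shows only why a changed record is detectable, and why “fixing” one block’s hash after tampering just moves the failure to the next block, so an attacker would have to rewrite the entire chain (and, on a distributed ledger, do so on every participant’s copy).

```python
"""Minimal hash-chained ledger (added example; not any blockchain product's code)."""
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64


@dataclass
class Block:
    index: int
    timestamp: int
    data: str
    prev_hash: str
    digest: str


def compute_hash(index: int, timestamp: int, data: str, prev_hash: str) -> str:
    """SHA-256 over a canonical serialisation so field order cannot change the digest."""
    payload = json.dumps({"index": index, "timestamp": timestamp,
                          "data": data, "prev_hash": prev_hash},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class Ledger:
    def __init__(self):
        self.blocks = []
        self.append("genesis", timestamp=0)

    def append(self, data: str, timestamp: int) -> Block:
        prev_hash = self.blocks[-1].digest if self.blocks else GENESIS_PREV
        index = len(self.blocks)
        block = Block(index, timestamp, data, prev_hash,
                      compute_hash(index, timestamp, data, prev_hash))
        self.blocks.append(block)
        return block

    def first_invalid(self) -> int:
        """Index of the first block whose contents or link to its predecessor fail to
        verify, or -1 if the whole chain is intact."""
        for i, b in enumerate(self.blocks):
            expected_prev = self.blocks[i - 1].digest if i else GENESIS_PREV
            if b.prev_hash != expected_prev:
                return i
            if compute_hash(b.index, b.timestamp, b.data, b.prev_hash) != b.digest:
                return i
        return -1


if __name__ == "__main__":
    ledger = Ledger()
    ledger.append("pay 10 to bob", timestamp=1)
    ledger.append("pay 5 to carol", timestamp=2)
    print("intact:", ledger.first_invalid())            # -1
    ledger.blocks[1].data = "pay 1000 to bob"            # tamper with a past record
    print("after tamper:", ledger.first_invalid())      # 1
```

Note what this does and does not guarantee: the chain detects modification of committed history, but it says nothing about whether the data was correct when it was appended, and anyone holding a valid signing key can append perfectly valid entries.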
- Identity protection
- Data integrity
- Infrastructure defense
The New Method for Security
While blockchain currently exists mainly in financial contexts, many industries, including healthcare, manufacturing, and even government, can reap its security benefits. There are different types of blockchain, including public, consortium, and private. Blockchain gives organizations more control over, and greater visibility into, their ledger, transactions, and data. This appeals to organizations that want to cut costs by removing third-party intermediaries that verify transactions. By replacing trust in an intermediary with cryptographic verification, blockchain can reduce certain fraud and cybercrime risks.
As stated by IBM, major benefits of blockchain are:
- Irreversible nature
- Low per-transaction cost
- Broad availability and global reach
The Future is Now
The shift toward this cryptographic approach continues, and commercial blockchain products are quickly entering beta. Organizations such as Microsoft and Dell are investing in blockchain research, including its use for audit trails. As this trend develops, organizations will learn more about blockchain’s exact capabilities and limitations.
Although a blockchain is resilient and may seem impossible to penetrate, it is still an emerging technology, and unknown security risks and challenges remain. In practice, the ledger’s integrity guarantee covers only the chain itself: private keys, wallets, smart contracts, and the endpoints that submit transactions are attacked like any other software, and a stolen signing key lets an attacker append perfectly valid transactions.
To learn more about blockchain or the security solutions A-LIGN offers, contact us at [email protected] or at 888-702-5446.
As technology advances, organizations adopt new tools to improve their operations. The abundance of new and emerging tools changes how organizations conduct business through seamless communication and data transmission.
The significant threat accompanying this movement is cyber security risk. Because of the value of data in a tech-driven world, organizations must recognize the associated risks and become well versed in navigating the cyber security landscape to ensure data protection.
Do you take the necessary precautions to ensure your information is stored and secured safely online? As the internet plays a larger role in our daily activities, it is important to remember that the type and amount of information we share can be used against us. With that in mind, we compiled the top information security tips for your organization.
Securing Your Information Online
Before doing anything sensitive on a site, make sure the connection is secure. Check that the site uses HTTPS, that is, TLS (the successor to SSL, Secure Sockets Layer), to protect your data in transit; you can usually tell from the address bar. Google Chrome shows a lock icon to the left of the web address when the certificate is valid and the connection is encrypted. Look for the lock, but understand what it means: it tells you the traffic is encrypted to the domain shown, not that the domain is the legitimate one, since phishing sites can obtain certificates too. Read the domain name as well.
Review Privacy Policies
Before posting on sites and sharing your information, review the privacy policies that are in place. This allows you to better understand how the information that you provide can be used by the site.
Beware of Social Engineering and Phishing
Typically, a few details indicate that an email or website may not come from a legitimate source: poor spelling and grammar, an unexpected sender, and unfamiliar URLs. Unusual requests, such as an unanticipated account verification, also suggest a phishing scam. Verify the source before you click: hover over a link to see where it actually leads, and reach the site by typing its address rather than following the link.
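The tells listed above, turned into a triage check that can be run over an incoming message. This is an added example for the article, not A-LIGN’s tooling; the two sample messages are constructed, and the small brand-to-domain table is an illustrative assumption (a real deployment would load the organization’s own list and a proper public-suffix list). It scores a message on sender-versus-display-name mismatch, a reply-to address on a different domain, link text that points somewhere other than it claims, punycode and digit-for-letter lookalike hosts, and urgency language.

```python
"""Heuristic phishing triage (added example; not A-LIGN's code). KNOWN_BRANDS and the
two sample messages are constructed for this example."""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed table of impersonated brands and the domain each legitimately uses.
KNOWN_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}
URGENCY_PHRASES = ("verify your account", "suspended", "within 24 hours",
                   "confirm your password", "immediately")
# Digit-for-letter substitutions commonly used in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); real code would consult the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_brand(host: str):
    """(brand, legit_domain) if host imitates a known brand after undoing digit swaps
    and is not that brand's real domain; otherwise None."""
    normalised = host.lower().translate(HOMOGLYPHS)
    for brand, legit in KNOWN_BRANDS.items():
        if brand in normalised and registrable_domain(host) != legit:
            return brand, legit
    return None


def analyze_message(msg: dict) -> dict:
    """msg keys: from, reply_to (optional), links (list of (text, href)), body."""
    indicators = []
    display_name, from_addr = parseaddr(msg.get("from", ""))
    from_domain = domain_of(from_addr)

    # Display name invokes a brand but the sending domain is not that brand's.
    for brand, legit in KNOWN_BRANDS.items():
        if brand in display_name.lower() and registrable_domain(from_domain) != legit:
            indicators.append(f"display name claims {brand} but sender domain is {from_domain}")
    hit = lookalike_brand(from_domain)
    if hit:
        indicators.append(f"sender domain {from_domain} imitates {hit[1]}")

    # Replies go somewhere other than the apparent sender.
    reply_domain = domain_of(parseaddr(msg.get("reply_to", ""))[1])
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"reply-to domain {reply_domain} differs from sender domain")

    # Link text names one host, the href goes to another; punycode or lookalike hosts.
    for text, href in msg.get("links", []):
        href_host = urlsplit(href).hostname or ""
        text_host = (urlsplit(text).hostname or "") if "://" in text else ""
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            indicators.append(f"link text shows {text_host} but points to {href_host}")
        if "xn--" in href_host:
            indicators.append(f"punycode host {href_host}")
        hit = lookalike_brand(href_host)
        if hit:
            indicators.append(f"link host {href_host} imitates {hit[1]}")

    # Pressure to act now.
    body = msg.get("body", "").lower()
    found = [p for p in URGENCY_PHRASES if p in body]
    if found:
        indicators.append("urgency language: " + ", ".join(found))

    return {"score": len(indicators), "indicators": indicators}


# Constructed sample messages (reserved .example names; not real senders or hosts).
PHISHING = {
    "from": "PayPal Support <security@paypa1-login.example>",
    "reply_to": "recover@mailbox.example",
    "links": [("https://www.paypal.com/signin", "http://xn--pypal-4ve.example/login")],
    "body": "Your account has been suspended. Verify your account within 24 hours.",
}
BENIGN = {
    "from": "Alice Example <alice@example.com>",
    "links": [("https://example.com/report.pdf", "https://example.com/report.pdf")],
    "body": "Here is the quarterly report we discussed.",
}

if __name__ == "__main__":
    for name, m in (("phishing", PHISHING), ("benign", BENIGN)):
        r = analyze_message(m)
        print(name, r["score"], *r["indicators"], sep="\n  ")
```

None of these signals is proof on its own, and a well-crafted message can avoid all of them, which is why the advice above is to verify through a channel you already trust rather than through anything the message supplies.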
The Less You Post, the Better
This might be an obvious one, but people tend to share sensitive information without realizing it. A hacker can use details like your birthday, address, employer, and even pictures of your family to answer your security questions, guess your passwords, or impersonate you. The more information an attacker has on you, the easier it is to steal your identity.
Disable Automatic WiFi and Bluetooth Connection
When you are in public, your phone and computer can automatically connect to an unsecured WiFi network or mobile hotspot, and may connect to other devices over Bluetooth. Disable auto-connect on your phone and laptop to safeguard your personal information and keep attackers at bay.
Implement Stronger Password and Authentication
The National Institute of Standards and Technology (NIST) published new password guidance this year in SP 800-63B. It requires passwords of at least 8 characters and requires systems to accept passwords of at least 64 characters, so that users can choose long phrases that are easier to remember; it drops forced composition rules and periodic expiration; and it requires new passwords to be checked against lists of known-breached passwords. Additionally, enable two-factor authentication, which adds a second proof of identity beyond your password and strengthens your security.
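A password acceptance check that applies the SP 800-63B rules summarized above, as an added example for the article (it is not NIST’s or A-LIGN’s code). The breached-password set is a constructed stand-in for the large public lists a real verifier would query. Note what the check does not do: it imposes no upper/lower/digit/symbol composition rules and no expiry, and it normalizes Unicode so the same passphrase typed on different keyboards compares equal.

```python
"""NIST SP 800-63B style password check (added example; not NIST's or A-LIGN's code).
BREACHED is a constructed stand-in for a real breached-password corpus."""
import unicodedata

MIN_LEN, MAX_LEN = 8, 128          # NIST: at least 8; the verifier must accept at least 64
BREACHED = {"password", "password1", "123456789", "qwertyuiop", "letmein123", "iloveyou"}


def normalise(password: str) -> str:
    """NFKC normalisation, as SP 800-63B recommends, so that e.g. full-width letters
    compare equal to their ASCII forms and the breached-list lookup is not bypassed."""
    return unicodedata.normalize("NFKC", password)


def is_sequential(s: str) -> bool:
    """True for runs like 'abcdefgh' or '87654321' (every step is +1 or -1)."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) > 1 and steps in ({1}, {-1})


def check_password(password: str, username: str = "", breached=BREACHED) -> list:
    """Return the reasons to reject the password; an empty list means it is accepted.
    No composition rules and no expiry are applied, per SP 800-63B."""
    pw = normalise(password)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if pw.lower() in breached:
        reasons.append("appears in breached-password list")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    if len(set(pw)) == 1:
        reasons.append("single repeated character")
    if is_sequential(pw):
        reasons.append("sequential characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password1", "12345678", "short"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

Accepting spaces and long inputs is deliberate: a four-word passphrase passes, while “Password1” fails despite satisfying every traditional composition rule. Hash accepted passwords with a slow, salted algorithm (bcrypt, scrypt, or Argon2) before storing them; the length cap exists only to bound the cost of that hashing.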
Enhance Your Network Security
Secure your WiFi network with a strong passphrase and WPA2 with AES (CCMP) encryption; do not use WEP or WPA with TKIP, both of which are broken.
Making Sense of the Information Security Tips
With these seven information security tips in mind, you can protect your personal information and identity and reduce the chance of a data breach. For more on cybersecurity and data protection, see our Cyber Defense Guide: Part 1.
For more information regarding information security, contact us at [email protected] or call 1-888-702-5446 to have an experienced cyber risk professional answer your questions.