Make sure you are using the right cybersecurity test for the right purpose.
Many companies (and sometimes their cybersecurity consultants) refer to a vulnerability assessment and a penetration test as the same thing, and while they both serve to protect a networked environment, they are not. Unfortunately, the interchangeable use of these two terms blurs the lines between these two very distinct activities and can result in missed opportunities to find, repair and defend an organization against cyberattacks.
A simple way to understand the differences is that a vulnerability scan, which can be automated, searches for network issues like missing patches and outdated protocols, certificates, and services. A penetration test is a proactive attempt to actively exploit a weakness once found.
Though both a vulnerability assessment and a penetration test are individually important elements of a well-rounded cybersecurity program, they are designed with different goals.
What is a Vulnerability Assessment?
A vulnerability assessment is a scan intentionally designed to identify configurations on your systems that could possibly be exploited by an attacker. A good vulnerability assessment scan will identify all system vulnerabilities, assign a level of risk or score to each and prescribe a fix.
Many companies look to third parties to perform this assessment, and their report of findings should provide a clear understanding of what vulnerabilities exist and what needs to be fixed first. This type of assessment needs to be executed regularly to maintain network security, with attention paid when network changes like new equipment installation occurs or when new network functionality or services are added.
What is a Penetration Test?
A penetration test is a fundamental part of most required cybersecurity regulatory or compliance program requirements, like PCI compliance.
A penetration test is more complex than a vulnerability assessment, with multiple steps involved. It’s designed to identify system or network vulnerabilities that can be exploited by a hacker; and attempts to exploit those vulnerabilities and illustrate the level of risk involved by simulating a hypothetical attacker’s attempts to gain unauthorized access to critical systems or networks.
Penetration testing is a form of “ethical testing” that gives qualified and trusted cybersecurity consultants a green light to break into their client’s computers or devices to test their network’s defenses. If successful, the client gets the opportunity to shore up their network’s defenses, and even an unsuccessful attempt at a break-in holds a positive outcome, as it is an indication – although not an absolute certainty – that the organization’s defenses are secure.
Freed Maxick Cybersecurity Services
Today, companies need both vulnerability assessments and penetration testing to protect their company’s assets (and reputation), their employees, and the data they hold about their clients. In either case, having the knowledge to decide which is truly needed for your organization now and in the future, and most importantly, which service you are receiving from a vendor, is vital information for you and your company.
We can help.
Freed Maxick’s dedicated team of cybersecurity risk experts performs vulnerability assessments, penetration tests and designs comprehensive cybersecurity risk management programs. We work closely with your team through each step in our proven process to reduce any concerns or impacts and provide our industry recognized consultation.View full article
Employee Benefit Plan data is an attractive target for cybercriminals
Today’s businesses learn more about cybersecurity every day, but it’s still a challenge to stay ahead of those who could hack their systems for fun or profit. With stories of cyber breaches reported in almost every news cycle, executives have come to appreciate the importance of protecting customer data from outside attacks. But customers aren’t the only people who share private data with businesses.
Employees submit sensitive personal information to their employers and the benefit plan managers that employers choose. The data shared can range from the same type of financial information that businesses get from customers to much more sensitive health and personal information than most companies would ever request from clients or customers. Cybersecurity efforts generally offer some benefit to every type of information a business needs to guard, but employee benefit plan (EBP) data deserves some extra attention.
EBP data is a prime target for cyber-attacks because:
- It’s almost entirely electronic,
- It’s typically maintained on multiple systems (e.g. the employer’s, the third party administrator’s, the payroll provider’s), and
- Updates are transmitted regularly among the parties.
Protecting Sensitive Employee Benefit Plan Data From a Cybersecurity Attack
Hackers can approach from a variety of directions. They can phish in the employer’s environment, attack firewalls at a plan administrator, or intercept transmissions of data passing between the parties. It’s not hard to figure out when your paydays are, or when you transmit W-2s to your employees.
With so many potential vulnerabilities, what steps can employers take to protect sensitive employee benefit plan data? Here are five strategies your organization can deploy:
- Internal Cybersecurity Strategy – Prepare a Cybersecurity Risk Management Plan
The first step every employer needs to take to protect EBP data is to account for it in a . Everybody lives in fear of hearing that their customers’ credit card info has been stolen and posted to the web, so they focus efforts on protecting customer transactions. Employers need to treat EBP data with the same sense of urgency and make sure that internal cybersecurity plans address specific needs in this area.
- Point out that phishing scams can target benefit information just as easily as they target customer databases.
- Coordinate with benefit providers to train employees on how they initiate contacts. If your 401(k) provider says, “We never initiate a contact via e-mail,” your people need to be suspicious if they get an unexpected e-mail from them.
- Cybersecurity penetration tests need to include EBP systems.
- External Cybersecurity Strategy – Have an Expert Prepare a System and Organization Control Report (SOC Report)
EBP service providers typically place a high premium on cybersecurity. They understand how attractive their systems are to hackers and how much their reputation depends on protecting client data. But how can you evaluate the effectiveness of a provider’s data security precautions?
These external service providers can hire CPAs to prepare “System and Organization Control” (SOC) reports that communicate relevant information about the effectiveness of their cybersecurity risk management programs. Employers who outsource employee benefit functions can review these reports to learn more about how a provider protects the sensitive information it receives.
- Transmissions - Evaluate the Security of Your Communication Channels
Don’t overlook the fact that employee benefit plan data needs to get from your protected environment to your provider’s protected environment without being hijacked along the way. Be sure to evaluate the security of your communication channels and consider options for encryption and securing shared servers.
In the event two providers share data directly (such as a payroll service transmitting data to a 401(k) provider), take time to verify that their handoffs meet your requirements.
- Mitigation of Cybersecurity Damages – Basic Alerts
As much as businesses plan to manage cybersecurity risks, no system is invincible. For this reason, your EBP cybersecurity plan must provide for the mitigation of damages in the event of a breach. You should have some basic alerts drafted to notify affected individuals as quickly as possible, and you should consider providing benefits like credit monitoring so that employees can protect themselves before their data is used fraudulently.
- Connect with Freed Maxick Cybersecurity Experts
In a competitive employment market, businesses need to take every step possible to make themselves attractive to potential employees and to avoid the kind of damage that an EBP breach can cause to a reputation.
If you’re wondering whether your cybersecurity risk management plan adequately covers your EBP needs, Freed Maxick can help. We have the experience to evaluate all facets of your EBP security and to help you remediate any issues that may exist.
For more information, please contact us here or call 716.847.2651.View full article
Authored by: Mohan Areti and Danny Walker
As more organizations harness the power of big data and data analytics, the collection and storage of data puts organizations at great risk of cyber-attacks. Any collection of sensitive data and PII (Personally Identifiable Information) by you or your company could make you prime targets for cybersecurity attacks. Attackers are looking to steal sensitive information (SSNs, Bank Account Numbers, or Credit Card Details) or any other non-public information.
One of the most common and effective attacks, being deployed against organizations of all sizes across all industries is phishing. Phishing is an attempt to access non-public or sensitive information through a disguised communication that appears to be from a known or reputable source (e.g. your organization’s IT department, commonly used services such as Amazon, Netflix, or FedEx.). Sophisticated attacks will even mimic your business associates or coworkers, often times requesting you to do a simple task such as review a document or check your password security. Phishing attacks generally ask the user to click on a link or attachment, at which point malware (or other software) is installed on the computer, giving the attackers a pathway to access non-public data or obtain browser information.
Types of Phishing Attacks
There are several types of phishing attacks that are currently being used to gain unauthorized access to non-public data and/or systems. Being aware of these different types can help you and your organization best protect assets and identify an attack before it harms your company:
- Deceptive phishing: Impostors mimic a legitimate internal contacts (IT departments or coworkers) or other legitimate companies (Amazon, Visa, FedEx) to make the user open a file or attachment without thinking twice about it.
- Malware-Based phishing: Distributing malwares as attachments using phishing emails. Usually malicious programs baked into pdf and word documents. You won’t know this Malware exists when you open the document.
- Key loggers and screen loggers: Records all user activity by tracking keystrokes and screenshots of the user.
- Session hijacking: Exploits compromised internet browser security, allowing the attacker able to steal cookies and active session information.
- DNS-Based phishing: By hijacking the DNS (Domain Name System), web requests are redirected to phishing websites, which seems to be identical to the actual website.
- Spear phishing: Phishing attacks designed to target specific groups of users (products, employees of company, or users groups).
- Whaling: Phishing attacks specifically targeting senior executives and board members to attain special access or sensitive information.
Phishing Prevention: How Can Your Company or Organization Avoid Becoming a Victim?
Employees are the biggest cybersecurity risk to your organization, and frankly, all of the investments made by your IT department cannot stop an attack initiated when an employee clicks on the wrong link.
Ways to avoid becoming a victim of a phishing attack include:
- Educate your team: conduct security training for all employees as vigilant employees are the best weapon against a phishing attack.
- Deploy Social engineering services: social engineering is a “fake” phishing campaign conducted by a third party that mirrors what a real phishing campaign would look like without compromising your data or system security. You can target certain employees or groups and customize how sophisticated you want the phishing campaign to be.
- Think twice, before you click: Train employees that when they get an email from suspicious sources with web links and downloadable attachments, they should to scan those web links before they click.
- Update your browser, antivirus and firewall: Periodically make updates and maintain latest version of all software and browsers being used.
- Implement security controls: your IT department should install and maintain the most current email filtering software and email encryption.
- Report phishing activity: employees need to be trained to report possible phishing emails to the IT department. We also recommend reporting phishing activities to an outside party, such as the Anti-Phishing Working Group (firstname.lastname@example.org), which consists of a group of ISPs, security vendors, financial institutions, public and private organizations and law enforcement agencies. They use these reported emails to analyze the attacks and to design preventive controls.
There is Little to No Doubt that Your Company Will be Phished
You and your organization will be attacked. There is no way to avoid it. However, there are ways to avoid becoming the victim of a successful attack to be successful. Educating yourself and your employees is the best way to stop a phishing attack in its tracks. Social Engineering services, vulnerability and penetration testing, and overall IT risk assessments can help prepare your organization to successfully handle an attack.
If your company is concerned about phishing prevention or cybersecurity, call Dave Hansen (585) 360-1481 or Danny Walker (716) 362-6274.View full article
A New Form of Assurance for the Ever Increasing Cyber Threats
Cybersecurity breaches across the country and around the world have heightened the awareness and attention of business executives, financial investors, boards of directors and the general public. With the number of breaches on the rise many experts are saying it’s a matter of when, not if, a breach will occur at any organization.
Although no one form of control can guarantee 100 percent security, a well-defined and implemented cybersecurity risk management framework will substantially reduce the likelihood of a breach.
With the implementation of the System and Organization Control (SOC) Report for Cybersecurity, the AICPA recognized the need to help organizations report on the effectiveness of their internal controls designed to prevent, detect, and respond to cybersecurity threats. Their objective is to provide a mechanism for providing corporate directors, senior management, and other constituents of organizations information on an organization’s cybersecurity program through the use of a common reporting framework of criteria designed specifically for evaluating cybersecurity risk.
The new SOC for Cybersecurity is designed to be a reporting mechanism for any organization, not just service organizations (i.e. organization that provide services to other organizations), which is how all other SOC reporting options are currently designed by the AICPA (SOC 1, 2, and 3 examinations). This reporting option was constructed with the mindset to provide a consistent reporting mechanism for any company looking for assurance over its cybersecurity controls.
Differences Between the SOC for Cybersecurity and the AICPA’s SOC 2 Examination Option - A Supplement, Not a Replacement
This new SOC report supplements the AIPCA’s SOC 2 reports on an organization’s controls designed to meet the Trust Services Framework, which currently does not include criteria for an organization to report on its controls specifically designed for cybersecurity risk.
With the increased scrutiny and evaluation of third and fourth-party service provider risk as part of comprehensive vendor management programs mandated by various regulators, the SOC 2 was considered inadequate in many ways with respect to addressing cybersecurity controls. The new SOC for Cybersecurity will help organizations bridge that gap.
Other noteworthy differences between the SOC for Cybersecurity and SOC 2 reports:
- The SOC for Cybersecurity is not restricted to service organizations and can be a reporting mechanism for any company’s cybersecurity framework. The SOC 2 is designed to report on controls over a service organization’s security, availability, processing integrity, confidentiality
- SOC 2 reports can be issued under two types, one of which includes an evaluation of the design and operation of controls over a period of time, thus providing greater assurance to users of the report that the controls are in place and operating within a service organization’s control environment. The SOC for Cybersecurity report does not include information on control design and operating effectiveness over a period of time, potentially providing less assurance that the controls for the entity’s cybersecurity program are indeed in place and operational on a continuing basis.
- Many organizations use third-party service providers to operate various aspects of their business, commonly resulting in reliance on those subservice providers to have controls of their own. SOC 2 reports enable a service organization to identify the controls they expect their third-party providers to have implemented and allows them to carve-out those control responsibilities from their control environment. However, the SOC for Cybersecurity does not offer an option to delegate any related control responsibilities to third-parties. Instead organizations are responsible for having all controls required to meet the cybersecurity framework requirements outlined by the AICPA.
What SOC Report Should You Consider?
Regardless if you are a user of reports or a service provider with the objective of providing your customers with some degree of assurance, chances are no single SOC report will meet all the needs of your organization.
There are several considerations that may make one report more applicable than another, however increasing demands for greater clarity and reassurance may mean more than one report is required.
The broader needs of most user entities will largely be covered by a SOC 2 examination, including the relevant scope of services and trust service principles that relate to its commitments and requirements to customers. That said, the increased attention and focus on cybersecurity may still require completion of a separate SOC for Cybersecurity.
As seen within the new regulation over cybersecurity issued by New York State’s Department of Financial Regulators, regulators are putting increased pressure on their constituents and adding requirements for vendor management programs to be more comprehensive, specifically to include due diligence measures that cover cybersecurity.
And to provide the necessary assurance being sought by an organization’s leadership and investors, the SOC for Cybersecurity provides an opportunity to answer the questions being asked by so many.
If in doubt, or to learn more about SOC reporting options for your company, contact our dedicated team of professionals that focus and provide SOC services on a national basis. Click here or call Dave Hansen, Principal, at 585.360.1481 to connect.View full article
If you are a third-party provider of cyber services to a “covered entity” in New York State, the Department of Financial Services just made your life harder.
The New York cybersecurity legislation that went into effect on March 1, 2017 (23 NYCRR Part 500) imposes new cyber security requirements on financial institutions, insurance agencies, and other covered entities which pass down and through to you.
Here are a few highlights of the legislation that could have an impact on your policies, processes and cyber security practices:
- Each Covered Entity will do an assessment of you based on the services you provide and your access to information systems and/or nonpublic information belonging to them.
- Based on the assessment, each Covered Entity you work with will define the minimum cybersecurity practices required for you to implement and operate to do business with them.
- The regulation outlines specific sections of the regulation (e.g. encryption, multi-factor authentication) you must implement if you have access to any information deemed non-public, or access systems that store such information.
- There will likely be uncertainties and a lack of consistency in the way each Covered Entity deals with you as the regulation leaves the definition of acceptable minimum cybersecurity practices by third party providers up to each Covered Entity. However, since their evaluation of you will be reviewed and assessed by the DFS, we anticipate the requirements will vastly mirror what they are required to comply with as part of the regulation.
- It’s likely that if a Covered Entity you work with as cybersecurity policies and practices in place that address the following areas, so too will you:
(b) data governance and classification;
(c) asset inventory and device management;
(d) access controls and identity management;
(e) business continuity and disaster recovery planning and resources;
(f) systems operations and availability concerns;
(g) systems and network security;
(h) systems and network monitoring;
(i) systems and application development and quality assurance;
(j) physical security and environmental controls;
(k) customer data privacy;
(l) vendor and Third Party Service Provider management;
(m) risk assessment; and
(n) incident response.
- From time to time, each Covered Entity you do business with will need to conduct a due diligence assessment of your cybersecurity policies and practices to see if they are compliant with their policies and practices, and the new regulation. We believe that a standard SOC 1 or 2 report will lack the specific attributes required to provide adequate assurance that your cybersecurity program is sufficient.
- You will be required to implement Multi-Factor Authentication or Risk-Based Authentication to protect against unauthorized access to Nonpublic Information or Information Systems.
- With certain exceptions, you will be required to implement encryption to protect Nonpublic Information in transit and at rest, which could be cumbersome and expensive.
- You will be required to provide notice of any cybersecurity event directly impacting your Information Systems or your Nonpublic Information affecting Covered Entities you do business with. This requirement may seem straight forward, but there is uncertainty as to what constitutes a cybersecurity event that warrants notification, and how quickly notification must be provided.
- All contracts with you have with third party providers will need to include “representations and warranties addressing the Third Party Service Provider’s cybersecurity policies and procedures.”
Will Your Customers Require You to Do a Cybersecurity Audit?
The possibility exists that a Covered Entity you’re doing with will require you to conduct and report on a comprehensive audit. However, this may be VERY difficult and problematic for both you and the Covered Entities you do business with.
We believe, however, that the best option for compliance purposes (and our recommendation) is that that you have a specific examination performed by an independent CPA firm to attest to your cybersecurity practices in place.
In fact, the AICPA recently released a Cybersecurity Risk Management Reporting Framework and a System and Organization Controls (SOC) reporting option specifically designed to provide a robust, consistent mechanism for reporting on the cybersecurity programs of companies as a means of providing assurance to users of the company.
Where to start?
We suggest that the first step in the process of getting into compliance with the 2017 New York State Cybersecurity Regulations and the requirements of the Covered Entities you do business with be a comprehensive assessment of your current cybersecurity program and controls against these regulations and other leading frameworks to validate its design and operation.
Our thorough assessment includes investigations of your policies, processes and practices governing your relationship with all relevant Covered Entities, as well as an assessment of their programs to provide assurances of you compliance with their requirements.
To schedule an initial consultation, click here or call Dave Hansen, Principal, at 585.360.1481. Or you can download our full New York Cybersecurity Regulation whitepaper here.
If you are a “Covered Entity” regulated by the New York State Department of Financial Services you must be compliant with the newly issued cybersecurity legislation that went into effect on March 1, 2017 (23 NYCRR Part 500), and you are also responsible for compliance by your third-party providers.
Third Party Cybersecurity Compliance Requirements in New York
Relative to how you employ and manage third party providers, here are a few highlights of the legislation that could have an impact on your policies, processes and cyber security practices:
- For the third party providers you work with, you will need to define the minimum cybersecurity practices required for them to do business with you.
- For the third party providers you work with, you will need to inform them of the sections of the regulation (e.g. encryption, multi-factor authentication) they must implement.
- You must do an assessment of each third-party provider’s cybersecurity program, policies and practices based on their access to your information systems and/or nonpublic information.
- You will be responsible for defining and communicating your acceptable minimum cybersecurity practices with each third-party provider you do business with.
- The cybersecurity policies and practices you have in place will likely need to be mirrored by each third-party provider you do business with.
- From time to time, you will need to conduct a due diligence assessment of your third-party providers’ cyber security policies and practices to see if they are compliance with your policies and practices, and the new regulation.
- Your third-party providers will be required to implement Multi-Factor Authentication or Risk-Based Authentication to protect against unauthorized access to your Nonpublic Information or Information Systems.
- With certain exceptions, your third-party providers will be required to implement encryption to protect Nonpublic Information in transit and at rest.
- Your third-party providers will be required to provide notice of any cybersecurity event directly impacting your Information Systems or your Nonpublic Information.
Do Covered Entities Need to Require a Comprehensive a Cybersecurity Audit from Their Third-Party Providers?
Having all your third-party providers conduct an audit of their cyber security program may be VERY difficult and problematic for both you and them.
One alternative for compliance purposes for compliance purposes (and our recommendation) is that that you have a specific examination performed by an independent CPA firm to attest the cybersecurity practices they have in place.
Comply with New York's 2017 Cybersecurity Regulations: Start Here.
The process of getting into compliance with the New York State Cybersecurity Regulations and their “pass through” to your third-party providers should start with a comprehensive assessment of your current cybersecurity program and controls against the new regulations and other leading frameworks to validate its design and operation.
The experts in Freed Maxick’ s Risk and Technology Advisory and Assurance Practice can help you to this end, as well as assisting in development and implementation of a remediation plan.
Our thorough assessment includes investigations of your policies, processes and practices governing your relationship with all relevant third party providers, as well as an assessment of their programs to provide assurances of their compliance with your requirements.
You can download our full New York Cybersecurity Regulation whitepaper here. To schedule an initial consultation, click here or call Dave Hansen, Principal at 585.360.1481View full article
Online business is the new "Main Street" of America. According to the U.S. Chamber of Commerce, 74% of small businesses have a website online; many of these solely conduct business through their website. With an uptick of devices that increases social media presence (i.e. the smart phone, tablets, apps); businesses are able to conduct more of their daily activities online than ever before. This drive to do business or maintain a website online does not just apply to corporations, but to entrepreneurs looking to start or grow their business online.
While companies large and small are increasing their online business, larger companies have the capability to improve their defenses and resilience against cyber threats, leaving the small companies ripe for the picking for cyber criminals. Theft of digital information has become the most commonly reported fraud. Whether a business is utilizing, or thinking of utilizing cloud computing or just using email and maintaining a website, cyber-security should be part of the plan. It is a business’s responsibility for creating a culture of security that will enhance business and consumer confidence.
In order for businesses to stay a step ahead of cyber criminals these steps should be taken to increase security:
Train your employees in security principles- establishing basic practices and policies for online use, such as creating strong passwords, appropriate internet use, and rules on how to handle and protect customer information and vital data.
Protect computers, networks from cyber attacks- “cleaning” computers is one of the most vital things you can do to help prevent cyber attacks. For example having security software, web browser, and operating systems are the best defense against malware, viruses or other online threats.
Provide a firewall for your computer- a firewall is a set of related programs that prevents outsiders from accessing data on private network information. This includes ensuring that if an employee is working from home that their home system has firewall protection. One of the most common mistakes is downloading firewall programs but not “enabling” them; essentially “turning them on”.
Secure Wi-Fi networks- make sure that any Wi-Fi networks you have for your business is secure, encrypted and hidden. You can hide information by setting up your wireless access point or router so that it doesn’t broadcast a network name, and password protect access to the router.
Limit employee access to data- do not provide any one employee to all data systems. Employees should only be given access to the specific data systems that they need to perform their jobs, and should not be able to install any software without permission.
PCI Compliance is also a big part of being secure online. PCI DSS is the Security Standards Council that was put into place to ensure that businesses storing, transmitting, and processing payment card data, are not putting their customers or their business at risk of data theft or fraud. The PCI DSS has four levels of compliance, with number one set as the highest level. The level that your business requires depends on:
The volume of transactions you process, and
How you process them.
Cyber-security is a team sport. Taking actions that will better protect both vital data and your business operations will have positive consequences for the security of all businesses, communities and the country. Computers and networks are interconnected through cyberspace; that means that both public and private sectors share responsibility.
Freed Maxick CPAs
Freed Maxick’s tax team and enterprise risk management team want to make sure that your online business is secure. Our firm is registered with the Payment Card Industry Security Standards Council, LLP (PCI SSC) and has Qualified Security Assessor’s certified by the Council to validate an entity’s adherence to the PCI DSS. Contact us and connect with our experts.