Manoharan Mudaliar

Cyber Security Consultant

A Penetration Testing Guide for Compliance

Business today is more heavily regulated than ever. Organizations across all industries have to comply with a growing set of regulations and standards for information security, and following them is also a condition of smooth operations.

Consumers hand businesses large amounts of sensitive personal and financial data. The stakes around that data are higher than ever, given how sensitive it is and the harm consumers suffer when it lands in the wrong hands.

Many regulations concerning consumer data require businesses to carry out penetration testing: an authorized, ethical hacking exercise that identifies vulnerabilities in the security of your networks, applications and systems so that they can be addressed. Some regulations and laws ask for penetration testing explicitly, while others imply it through a requirement to regularly assess and mitigate the cyber risk facing the organization.

In this blog we look at some of the common standards and regulations that bear on pen testing and provide the guidance you need.

GDPR

GDPR, the General Data Protection Regulation, is often called the godfather of data regulations. It governs organizations operating in European markets, and any organization processing the personal data of EU residents. It has been in force since May 2018 and places the responsibility for securing consumer data squarely on businesses.

The United Kingdom enshrined the GDPR's requirements in its own Data Protection Act 2018, which was drafted in advance so that the same rules would continue to apply once the UK left the European Union.

The GDPR covers all facets of data protection and especially highlights the need for organizations to improve the security and governance of consumer data. Organizations handling personal data must have appropriate technical and organizational measures in place to ensure that data is secure at all times and governed properly.

Article 32(1)(d) of the GDPR specifically requires organizations to implement “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”.

The Information Commissioner’s Office (ICO) is the authority responsible for enforcing data protection in the United Kingdom. The ICO's online security guidance states that organizations should regularly run vulnerability scanning and penetration testing to meet this Article 32 obligation; the GDPR itself names neither activity, so it is the ICO's interpretation of the regulation that you are following. Any risks identified during testing should be recorded and remediated. Given the GDPR's focus on personal data, organizations should first map where personal data is stored and processed, and scope testing around those systems.

I advise conducting GDPR penetration testing at least annually against both your internal and external data infrastructure. Include web application testing in the scope if the business runs payroll, CRM, email or other systems holding sensitive personal data online.

ISO 27001

ISO 27001 is an internationally recognized information security standard within the ISO/IEC 27000 series. It specifies the requirements for an Information Security Management System (ISMS) and, in its Annex A, a catalogue of reference controls.

To become certified, an organization must build a risk-based set of security controls, derived from identifying and assessing the security risks present across its systems and networks.

ISO 27001 gives organizations the liberty to select controls based on their own risk assessment. The Annex A controls are therefore not individually mandatory; they are a reference list from which you justify inclusions and exclusions in your Statement of Applicability.

Annex A control A.12.6.1 (management of technical vulnerabilities) states that information about technical vulnerabilities of the information systems in use shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk. Penetration testing is one of the most direct ways to obtain that information and to evidence the control to an auditor.

Penetration testing can help at multiple stages of an ISMS project: during the initial risk assessment, to validate controls before a certification audit, and as part of ongoing review. Look for a flexible penetration testing provider who can tailor the assessment to your ISMS scope and your specific requirements. Risks identified during the test should be fed into your risk treatment plan and tracked as part of continual improvement; no finding should be left unowned.

PCI DSS

Of all the data consumers provide on a payment or ecommerce platform, cardholder data is perhaps the most sensitive, and it must not land in the wrong hands. The Payment Card Industry Data Security Standard (PCI DSS) sets out the requirements businesses must follow. Every entity that stores, processes or transmits cardholder data, whether online or in person, falls under PCI DSS and must validate compliance through the route appropriate to its transaction volume: a self-assessment questionnaire or an on-site assessment by a Qualified Security Assessor.

Requirement 11 of PCI DSS 3.2 is clear about what it demands. Requirement 11.3 calls for a penetration testing methodology based on industry-accepted approaches (it cites NIST SP 800-115 as an example), covering the entire perimeter of the cardholder data environment and its critical systems, with both network-layer and application-layer tests. Organizations in scope must perform external and internal penetration tests at least annually and after any significant change to the infrastructure or applications, remediate the exploitable vulnerabilities found, and retest to verify the fixes. Where network segmentation is used to reduce PCI scope, the segmentation controls themselves must be tested at least annually, and at least every six months for service providers.

A PCI-driven test should look for the issues the standard calls out: weak access controls, coding vulnerabilities in payment applications, flaws in encryption and key handling, and unsafe configurations.

NIS Directive and Regulations

The NIS Directive (the EU Network and Information Systems Directive, 2016/1148) is in force in the UK through the Network and Information Systems Regulations 2018, which transpose it into UK law. Its purpose is to improve the security and resilience of the network and information systems that underpin essential services.

The NIS Regulations apply to operators of essential services (OES) in sectors such as transport, healthcare, energy, water and digital infrastructure, and separately to relevant digital service providers (RDSPs): online marketplaces, cloud computing services and online search engines. RDSPs are regulated under a lighter-touch regime than OES, but both must manage the risks to their systems.

The NIS Regulations do not directly mandate penetration testing, but they require appropriate and proportionate measures to manage the risks posed to network and information systems. In the UK, compliance is assessed against the NCSC's Cyber Assessment Framework (CAF), whose Objective A (managing security risk) and Objective B (protecting against cyber attack) expect organizations to have assurance that their security measures are effective, which in practice means assessment, verification, inspection, testing and auditing.

While NIS does not go deep into testing requirements, its expectations parallel those of the GDPR, and an OES or RDSP that processes personal data will usually be covered by both. A testing programme built to meet Article 32 of the GDPR, widened to cover the operational systems that deliver the essential service rather than only those holding personal data, is a sound basis for NIS as well.

NHS DSP Toolkit

The Data Security and Protection (DSP) Toolkit is an online self-assessment tool for organizations in the UK's health and social care sector. It lets them measure their security and data handling against the National Data Guardian's (NDG) ten data security standards, which apply to all organizations that have access to NHS patient data and systems.

NDG Data Security Standard 9 requires a strategy for protecting IT systems from cyber threats, based on a proven cyber security framework. In the DSP Toolkit this standard is evidenced in part by penetration tests covering your critical network infrastructure and web services.

NHS Digital's guidance recommends scoping tests carefully to prevent adverse effects on the systems or assets being assessed, which matters especially for clinical systems. Sub clause 9.4.3 also recommends using a penetration testing provider who can help plan and run the tests.

Choosing a Pen Testing Supplier

Reading through and complying with the numerous requirements of security legislation can be daunting. It is equally important, though, to understand the benefits of testing your core network processes and gateways. Beyond its own considerable benefits, regular penetration testing, at least annually, lets you satisfy several of these regulations at once.

Any organization performing penetration testing for compliance and security should look for a flexible provider who understands the regulation and can tailor the testing methodology to your industry and services. Your provider should understand your requirements and the current penetration testing standards that can be used to meet them.

Finally, it is crucial not to treat penetration testing as a tick-box exercise performed purely for compliance. Penetration testing is critical to your organization's reputation and to the security of its data, and it should be performed regularly to keep up with the ever-changing threat landscape.

A cyber security consultant can help you perform penetration testing and remain compliant. I’m a certified information security manager with extensive experience in helping organizations from various industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.

 

The Advantages of Cloud Computing for Businesses


The rise of cloud computing has made the limitations of conventional IT infrastructures far more apparent. As a result, businesses with inefficient IT environments are struggling to adapt and respond to marketplace trends and changes as they occur.

Luckily, cloud adoption can address most of these issues. According to a RightScale survey that was conducted in 2018, 96% of respondents used at least one private or public cloud system. 71% used a hybrid private-public cloud system, 21% used a public cloud system, whereas 4% used a private cloud system.

If you’re on the fence about making the switch to the cloud, this piece will walk you through the many advantages that cloud adoption provides to businesses. Take a look:


Cloud Security in 2020: Understanding Misconfiguration Risk


The COVID-19 pandemic has led to a seismic shift in how we work, forcing many organizations across the globe to adopt a work-from-home model.

However, the transition to remote work has left a majority of IT professionals concerned about security breaches. According to a recent report by Fugue, 96% of cloud engineering and IT teams are working from home, and 84% are concerned about the security vulnerabilities that come with managing cloud infrastructures remotely.

One of the major findings of the report is that cloud misconfigurations are a leading cause of data breaches in the cloud. Between 2018 and 2019, cloud misconfigurations cost companies an estimated $5 trillion.

In this piece, we’ll discuss cloud misconfiguration risks in detail.


A Look at Pen Testing in the Age of Cloud Computing


According to a recent report by Fugue, cloud misconfigurations are the leading cause of data breaches in the cloud. Between 2018 and 2019, cloud misconfigurations cost companies an estimated $5 trillion worldwide.

With this in mind, cybersecurity measures for cloud computing must account for the kinds of misconfiguration that result from user error. Penetration testing, or pen testing for short, needs to be able to find and exploit these misconfigurations so that they can be corrected.

In this piece, I provide recommendations for ways to approach pen testing in a cloud infrastructure.


Microsoft Office 365 security best practice and recommendation

U.S. Govt Issues O365 Security Practice and Recommendation

Summary

Most businesses are shifting to Microsoft Office 365 and other cloud services to support collaboration between departments and meet telework requirements. Because these cloud services are being deployed so quickly, organizations may be neglecting the security of these third-party platforms.

Details

There are many security best practices and recommendations available. I strongly recommend tuning them to your own deployment and design architecture; one size never fits all. COVID-19 has become the new normal for every organization, and most work is now carried out from home (WFH).

Microsoft O365 provides cloud-based email, chat and a range of other cloud applications. While the abrupt shift to working from home may necessitate the rapid deployment of cloud collaboration services such as O365, a hasty deployment can lead to oversights in security configuration and undermine a sound O365-specific security strategy.

The following are a few best practices for an O365 deployment.

Best Practices for O365 Deployment

Enable Multi-Factor Authentication for Administrator Accounts

The account that creates an O365 tenant is assigned the Global Administrator role in Azure Active Directory (AD). Global Administrators hold the highest privileges in the tenant and can modify every setting: add and modify users, assign roles, reset passwords, and manage licenses and domain names. In an on-premises Active Directory environment, this is the equivalent of a domain administrator.

Global Administrator accounts are created before any other account so that tenant configuration and user migration can begin. Multi-factor authentication is not enforced on these accounts by default. Azure AD Security Defaults, which require MFA registration for all users and enforce MFA for administrators, are switched on only for tenants created after October 2019; older tenants must enable them, or configure an equivalent Conditional Access policy, themselves. Because the accounts are cloud-based, their sign-in page is reachable from anywhere on the internet, so without a second factor they are exposed to password guessing and credential theft, and an attacker who takes one over, for example during the user migration, controls the whole tenant.

Assign Administrator Roles Using Role-Based Access Control (RBAC):

Given the privileges that come with the Global Administrator role, those accounts should only be used when the role is genuinely required. For day-to-day work, use the scoped administrator roles that Azure AD provides, such as Application Administrator, Application Developer, Authentication Administrator and Exchange Administrator, to avoid, or at least minimize, assigning the highest privileges.

Applying least privilege limits the damage if any one administrator account is compromised. Administrators should be assigned only the permissions their role and tasks require, and Global Administrator membership should be reviewed regularly.
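The two recommendations above (MFA on administrator accounts, and least privilege for the Global Administrator role) are straightforward to check mechanically once you have an export of role assignments and MFA registration state. The script below is an added example, not code from the original post or from Microsoft; it runs over a constructed account list of the kind that Get-MsolRoleMember / Get-MsolUser or the Microsoft Graph API would return, and the thresholds of two to four Global Administrators follow Microsoft Secure Score's guidance (more than one, fewer than five). The account names and the `mfa_registered` field are assumptions for illustration.

```python
"""Audit Office 365 administrator accounts for MFA coverage and least privilege.

Added example, not from the original post or from Microsoft. It runs over a
constructed export of directory role assignments and MFA registration state
(the kind of data Get-MsolRoleMember / Get-MsolUser or the Graph API return);
the accounts below are made up.
"""

GLOBAL_ADMIN = "Global Administrator"
# Microsoft Secure Score recommends more than one and fewer than five Global
# Administrators: enough for redundancy, few enough to limit the blast radius.
MIN_GLOBAL_ADMINS, MAX_GLOBAL_ADMINS = 2, 4

# Constructed sample export (not real tenant data).
SAMPLE_ACCOUNTS = [
    {"upn": "admin@example.com", "roles": [GLOBAL_ADMIN], "mfa_registered": True},
    {"upn": "svc-migration@example.com", "roles": [GLOBAL_ADMIN], "mfa_registered": False},
    {"upn": "helpdesk@example.com", "roles": [GLOBAL_ADMIN, "Password Administrator"], "mfa_registered": True},
    {"upn": "dev@example.com", "roles": ["Application Developer"], "mfa_registered": False},
    {"upn": "alice@example.com", "roles": [], "mfa_registered": False},
]


def audit_admin_accounts(accounts):
    """Return findings as dicts: severity, account (None = tenant-wide), issue, roles."""
    findings = []
    for acct in accounts:
        roles = acct["roles"]
        if not roles:
            continue  # ordinary user: out of scope for this administrator check
        is_global = GLOBAL_ADMIN in roles
        if not acct["mfa_registered"]:
            findings.append({
                "severity": "high" if is_global else "medium",
                "account": acct["upn"],
                "issue": "privileged account without MFA",
                "roles": roles,
            })
        if is_global and len(roles) > 1:
            # Global Administrator already includes every scoped role, so an
            # additional scoped role hints that the account's real job is
            # narrower and Global Administrator could be removed.
            findings.append({
                "severity": "low",
                "account": acct["upn"],
                "issue": "holds Global Administrator alongside a scoped role; "
                         "review whether the scoped role alone suffices",
                "roles": roles,
            })

    global_admin_count = sum(1 for a in accounts if GLOBAL_ADMIN in a["roles"])
    if global_admin_count < MIN_GLOBAL_ADMINS:
        findings.append({
            "severity": "medium", "account": None, "roles": [],
            "issue": f"only {global_admin_count} Global Administrator(s): "
                     "a single admin risks tenant lockout",
        })
    elif global_admin_count > MAX_GLOBAL_ADMINS:
        findings.append({
            "severity": "medium", "account": None, "roles": [],
            "issue": f"{global_admin_count} Global Administrators exceeds the "
                     f"recommended maximum of {MAX_GLOBAL_ADMINS}",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_admin_accounts(SAMPLE_ACCOUNTS):
        print(finding["severity"].upper(), finding["account"] or "<tenant>", "-", finding["issue"])
```

Run against a real export, the "high" findings are the accounts to fix first: a Global Administrator without MFA is a single password away from full tenant compromise.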

Enable the Unified Audit Log (UAL):

The Unified Audit Log is a logging feature in Microsoft Office 365 that collects events from Exchange Online, Azure Active Directory (AD), SharePoint, OneDrive, Power BI and other O365 services. It allows administrators to spot malicious activity or actions that breach organizational policy. The UAL is searched from the Security and Compliance Center; confirm that it is actually enabled for your tenant rather than assuming it is, because without it there is no record to investigate after an incident.

Although most users don't hold administrative privileges in an Office 365 environment, they can still access information that would damage the business if it reached unauthorized hands. Attackers routinely take over standard user accounts through phishing emails and then move on to other parts of the organization's cloud environment through the applications and data the compromised account can reach. The UAL is what lets you reconstruct that activity.

Disable Legacy Protocol Authentication When Appropriate

Azure Active Directory (AD) is the identity service that Office 365 uses to authenticate users to its email service, Exchange Online. Exchange Online still supports a number of legacy protocols, including:

  • Post Office Protocol (POP3)
  • Simple Mail Transfer Protocol (SMTP)
  • Internet Message Access Protocol (IMAP)

These protocols use basic authentication and do not support modern multi-factor authentication, because they were designed for older email clients. Tenant administrators can disable legacy authentication at any time, but if older email clients are still needed for business reasons, the protocols are usually left enabled for everyone. That leaves those email accounts with a username and password as the only authentication factor and makes them prime targets for password spraying from the internet.

One way to handle this is to inventory the user accounts that genuinely still require a legacy protocol and authorize only those accounts to use it. Conditional Access policies in Azure AD (or an Exchange Online authentication policy) can limit legacy authentication to that short list while blocking it for everyone else. Taking these measures significantly reduces the organization's exposure.

Enable Alerts for Suspicious Activity

Enabling alerts alongside the Unified Audit Log (UAL) in a Microsoft Office 365 environment greatly improves an organization's ability to pinpoint malicious activity in its cloud. Alerts surface in the Security and Compliance Center whenever an abnormal event is identified. At a minimum, organizations should enable alerts for suspicious logins, such as sign-ins from unfamiliar IP addresses or locations, and for user accounts sending unusually high volumes of email, a common sign of a compromised mailbox.

Incorporate Microsoft Secure Score

Microsoft also offers a built-in feature called the Microsoft Secure Score, which measures an organization’s security condition relative to the Office 365 services it uses and offers recommendations for improvements and upgrades.

Though the recommendations offered by this tool do not provide information on all aspects of security configuration, it’s still beneficial for organizations because Office 365 keeps upgrading and adding to its offerings. Microsoft Secure Score provides a centralized dashboard to organizations for timely tracking of activities and enhancing compliance and security within the Office 365 environment.

Combine Audit Logs With Current Security Information and Event Management (SIEM) Tool:

Organizations should integrate their existing log management and monitoring solutions with the O365 Unified Audit Log (UAL). Forwarding the UAL to the SIEM lets analysts correlate anomalous on-premises activity with potentially malicious activity in the Office 365 environment, and vice versa, in a single place.
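Three of the points above (inventorying which accounts still sign in over legacy protocols, alerting on logins from unfamiliar IP addresses and on accounts sending unusual volumes of mail, and shipping the result to a SIEM) come down to the same operation: reading UAL records and emitting normalized alerts. The script below is an added example, not code from the original post or from Microsoft. It assumes the UAL was exported as one AuditData JSON object per line, the shape that Search-UnifiedAuditLog returns in its AuditData column, and uses the real UAL field names (Operation, Workload, ResultStatus, UserId, ClientIP, ExtendedProperties); the sample records, the trusted networks and the send threshold are constructed for the demonstration. `BAV2ROPC` is the user agent Azure AD records for basic-authentication sign-ins from legacy POP/IMAP/SMTP clients, which is what makes the legacy-auth inventory possible from the log alone.

```python
"""Triage an exported Office 365 Unified Audit Log (UAL) into SIEM-ready alerts:
legacy-protocol sign-ins, successful logins from unfamiliar IPs, and accounts
sending mail above a threshold.

Added example, not from the original post or from Microsoft. Input is assumed
to be one AuditData JSON object per line (Search-UnifiedAuditLog output). The
sample records, trusted networks and thresholds below are constructed.
"""
import ipaddress
import json
from collections import Counter, defaultdict

# Azure AD records this user agent for basic-authentication (ROPC) sign-ins
# from legacy POP/IMAP/SMTP clients, so it marks legacy-protocol logins.
LEGACY_AUTH_USER_AGENT = "BAV2ROPC"

# Constructed sample export (simplified AuditData records, not real tenant data).
SAMPLE_UAL = """\
{"CreationTime":"2020-05-04T08:01:12","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","ResultStatus":"Success","UserId":"alice@example.com","ClientIP":"203.0.113.10","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}]}
{"CreationTime":"2020-05-04T08:05:40","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","ResultStatus":"Success","UserId":"bob@example.com","ClientIP":"198.51.100.7","ExtendedProperties":[{"Name":"UserAgent","Value":"BAV2ROPC"},{"Name":"RequestType","Value":"OAuth2:Token"}]}
{"CreationTime":"2020-05-04T08:06:02","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","ResultStatus":"Success","UserId":"carol@example.com","ClientIP":"192.0.2.55","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}]}
{"CreationTime":"2020-05-04T08:09:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","ResultStatus":"Failed","UserId":"dave@example.com","ClientIP":"192.0.2.56","ExtendedProperties":[{"Name":"UserAgent","Value":"BAV2ROPC"}]}
{"CreationTime":"2020-05-04T08:10:00","Operation":"Send","Workload":"Exchange","ResultStatus":"Succeeded","UserId":"carol@example.com","ClientIP":"192.0.2.55"}
{"CreationTime":"2020-05-04T08:10:30","Operation":"Send","Workload":"Exchange","ResultStatus":"Succeeded","UserId":"carol@example.com","ClientIP":"192.0.2.55"}
{"CreationTime":"2020-05-04T08:11:00","Operation":"Send","Workload":"Exchange","ResultStatus":"Succeeded","UserId":"carol@example.com","ClientIP":"192.0.2.55"}
{"CreationTime":"2020-05-04T08:11:30","Operation":"Send","Workload":"Exchange","ResultStatus":"Succeeded","UserId":"carol@example.com","ClientIP":"192.0.2.55"}
{"CreationTime":"2020-05-04T08:12:00","Operation":"Send","Workload":"Exchange","ResultStatus":"Succeeded","UserId":"bob@example.com","ClientIP":"198.51.100.7"}
"""


def parse_ual(text):
    """Parse a newline-delimited export of AuditData JSON objects."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def extended_properties(record):
    """Flatten the ExtendedProperties name/value list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("ExtendedProperties", [])}


def is_successful_login(record):
    return record.get("Operation") == "UserLoggedIn" and record.get("ResultStatus") == "Success"


def is_legacy_auth(record):
    return extended_properties(record).get("UserAgent") == LEGACY_AUTH_USER_AGENT


def legacy_auth_inventory(records):
    """Accounts that still authenticate over legacy protocols, with their source IPs.
    This is the list a Conditional Access exception should be scoped to."""
    inventory = defaultdict(set)
    for r in records:
        if is_successful_login(r) and is_legacy_auth(r):
            inventory[r["UserId"]].add(r["ClientIP"])
    return dict(inventory)


def unfamiliar_login_alerts(records, trusted_networks):
    """Successful sign-ins from outside the trusted CIDR ranges."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    alerts = []
    for r in records:
        if not is_successful_login(r):
            continue  # failed attempts are noise here; password spraying is a separate rule
        ip = ipaddress.ip_address(r["ClientIP"])
        if not any(ip in net for net in nets):
            alerts.append({"rule": "login_from_unfamiliar_ip", "user": r["UserId"],
                           "detail": r["ClientIP"], "time": r["CreationTime"]})
    return alerts


def mass_mail_alerts(records, threshold):
    """Accounts whose Exchange 'Send' events reach the threshold in the export window."""
    sent = Counter(r["UserId"] for r in records
                   if r.get("Workload") == "Exchange" and r.get("Operation") == "Send")
    return [{"rule": "sent_mail_over_threshold", "user": user,
             "detail": f"{count} messages sent (threshold {threshold})"}
            for user, count in sorted(sent.items()) if count >= threshold]


def triage(text, trusted_networks, send_threshold=100):
    """Produce one flat, sorted list of alert dicts ready to forward to a SIEM."""
    records = parse_ual(text)
    alerts = unfamiliar_login_alerts(records, trusted_networks) + mass_mail_alerts(records, send_threshold)
    for user, ips in legacy_auth_inventory(records).items():
        alerts.append({"rule": "legacy_auth_in_use", "user": user, "detail": ", ".join(sorted(ips))})
    alerts.sort(key=lambda a: (a["rule"], a["user"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_UAL, ["203.0.113.0/24", "198.51.100.0/24"], send_threshold=3):
        print(json.dumps(alert))
```

In the constructed data the account carol@example.com signs in from an address outside the trusted ranges and then sends a burst of mail, which is the classic pattern of a phished mailbox; the two alerts fire independently, and correlating them is exactly the job the SIEM integration is for. The send threshold of 3 is only for the demonstration; in production it should come from the organization's own baseline.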

It’s highly recommended that organizations practice the following measures:

  • Enable multi-factor authentication (MFA). This is one of the most effective mitigations against credential theft for administrators and users in the O365 environment.
  • Secure Azure AD Global Administrator accounts and follow the rule of least privilege.
  • Enable the Unified Audit Log (UAL) in the Security and Compliance Center.
  • Enable alerts so that malicious logins and emails can be acted on proactively.
  • Integrate the UAL with the organization's SIEM solution.
  • Disable legacy email protocols if they are not required, or limit their use to specific users.

Key benefits of cloud computing

The Evolution of Information Technology

Before we dive deeper into the world of cloud computing, let’s first examine the evolution of information technology.

Information technology went through a series of changes on its way to cloud computing. To understand where we stand today, we need to know where we stood in the past. This brief history will help you appreciate what makes cloud computing different from, and better than, traditional Information Technology (IT).

The age of business computing began in the 1970s, when businesses focused on large, centralized infrastructure, including:

  • Mainframes
  • Big point-to-point networks
  • Centralized databases
  • Big batch jobs

Over the following decade, terminals gave way to personal computers, and the hierarchical systems of the mainframe era were decentralized into a broader collection of storage and compute servers distributed throughout a company. Batch jobs were still the norm, but several programs became influential during this period and gained better, more user-friendly graphical interfaces along the way. Infrastructure was generally tied to particular applications, and critical applications generally required costly infrastructure.

This era also saw the rise of databases, which became central to business growth because they held the critical data that applications manipulated when executing business processes. That data was typically structured, hierarchical and tightly coupled to the corresponding processes.

The journey to cloud computing requires substantial investment across the company and attention to every part of the business: finance, compliance, legal obligations, internal policies, technology, executive and corporate sponsorship, risk mitigation and strategy. Given how many business components are involved, moving everything to the cloud takes a generous amount of work and time.

Now that you understand the background, let’s explore the basics and general characteristics of cloud computing.

What’s Cloud Computing?

Cloud computing, as NIST defines it, is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Understanding the essential characteristics of cloud computing matters both for picking the right cloud service for your business and for using a cloud service to its full potential. Unless a solution aligns with the essential characteristics listed later in this post, it isn't really cloud computing.

In practice, a user gains access to a range of computing resources, including communication networks, cloud services and storage. The provider is responsible for the infrastructure and for the systems that develop and deploy the cloud software, and the customer pays for what it consumes under one of three service models:

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)

In simpler terms, cloud computing is the on-demand delivery of computing services, from integrated applications to data storage and processing power. It extends to the distribution of resources, software and information over the network. Data is stored on physical and virtual servers that the service provider operates; Amazon, for example, operates its cloud platform, Amazon Web Services (AWS). Businesses access the data stored in the cloud over the internet and use it for their day-to-day decisions.

Cloud computing delivers countless benefits in the IT landscape. It can cut an organization's IT expenses considerably, especially for maintenance of systems and software, because a cloud customer uses the resources available in the provider's pool instead of buying costly IT systems.

Additionally, the operating costs of the IT department drop for the following reasons:

  • The cost of purchasing new systems and software upgrades falls.
  • A smaller team of IT specialists is needed to run the systems, reducing payroll expenses.
  • Faster systems remove delays in the fulfilment of other business processes.
  • Fewer IT staff and fewer on-premises machines mean lower energy consumption and bills.
  • IT and cloud strategy have to be aligned for these savings to materialize.

Governance Risk Compliance (GRC) Framework and Cloud Computing

Cloud Computing Governance

Cloud computing governance is an extension of IT governance that focuses on accountability, balancing benefits against risks, and allocating resources so that decisions about cloud services are profitable ones. It establishes internal policies that direct control of, and investment in, cloud services. A governance framework that covers cloud computing can significantly improve an organization's overall governance, and it can be integrated with the organization's existing governance standards, allowing for growth and flexibility.

Cloud Computing Risk and Compliance

Cloud computing has a significant bearing on risk mitigation and on compliance with internal policies and the law. Every business faces different risks, but many of them are financial, and as mentioned before, cloud computing can significantly reduce IT expenses, especially operating costs. Managing cloud risk rests on a set of guiding principles; understanding them gives businesses a direction for moving further into the cloud. Four of the main principles are:

  1. Vision
  2. Visibility
  3. Sustainability
  4. Accountability

When businesses abide by these principles, it becomes easier for the managers to devise strategies that can alleviate potential risks associated with cloud computing.

Characteristics of Cloud Computing

The five essential cloud computing characteristics are:

  1. On-Demand Self-Service
  2. Broad Network Access
  3. Resource Pooling
  4. Measured Service
  5. Rapid Elasticity

Let’s have a closer look at each of the characteristics:

On-Demand Self-Service

On-demand self-service means that resources are delivered wherever and whenever they are required, with no human interaction with the provider. From a security perspective this is also where cloud computing has caused organizations difficulty: because no approval from finance, purchasing or any other department is needed, anyone with a corporate credit card can provision a service, bypassing internal policies and creating unmanaged (shadow IT) deployments that security never assessed.

Self-service also means that, once provisioned, a cloud user can manage, configure and access the services without intervention from the cloud service provider.

Access to a Broad Network

The cloud is continually operating and available, offering users broad and flexible access to essential data and resources. You can reach whatever information you need, whenever you need it, from any remote location, provided you hold the right credentials; in principle all you need is a stable internet connection and valid credentials. Today's digital landscape depends heavily on smartphones and other smart devices, and organizations are shifting their infrastructure accordingly; cloud services are built for those devices. However, a lack of standardization, device incompatibility and failure to implement security controls on those devices can make accessing some cloud services a challenge, and broad network access also means that the only thing standing between an attacker and your data is the strength of the authentication in front of it.

Resource Pooling

Resource pooling is another benefit that cloud computing offers. There was a period when we had to ask finance and procurement to buy more computing capacity to keep up with IT operations, and those systems typically ran at 80 to 90 percent of capacity for only a few hours, perhaps once a week, and sat under-used the rest of the time. Cloud computing pools resources on a far larger scale and shares them across all users and customers; the pooled resources are then allocated and scaled to each customer's requirements. Cloud service providers maintain an enormous pool of resources drawn from thousands of servers, network devices and applications, which lets them accommodate a large number of customers and serve each according to its needs.

Measured Service

Cloud computing offers a benefit that conventional IT systems struggle to match: users can monitor, measure and report their resource usage, which brings transparency between the client and the provider. Businesses pay only for the services they consume and can request a breakdown of usage or a detailed invoice for any service. Proactive companies can also monitor resource usage per business unit or department and attribute costs accordingly, letting IT and finance quantify exact usage and cost by department or business function, something that is difficult to achieve in a conventional IT environment.

Rapid Elasticity

This refers to cloud computing's ability to quickly provide users with additional storage, compute power, data and other resources as their needs change and grow. Users may not even notice it happening, because resources are added to their environment transparently.

Also, since cloud computing runs on a pay-as-you-go model, users pay only for the resources they consume. They can monitor the cost of additional resource usage and cap it if the return is negative. This is especially valuable for businesses whose demand spikes in certain seasons, occasions or festivals. A clothing retailer, for instance, can take advantage of rapid elasticity during the Christmas sale season, when sales rise sharply; with traditional IT it would have to spend a large sum in capital expenditure to cope with the peak demand.

Conclusion

In a nutshell, cloud computing has been a revolution in technology. It has helped businesses transform how they manage their data and ensure good governance and profitability, and the advantages for cost reduction, business growth, and smoother and faster operations are substantial. Many organizations are understandably concerned about cybersecurity when their data sits on a shared platform. Cloud providers offer advanced security tooling, but, as the misconfiguration findings earlier on this page show, that tooling only reduces the risk of a breach when the customer configures and monitors it correctly; it does not eliminate the risk.