If you’ve ever asked multiple vendors for bids on a penetration test, you know side-by-side comparisons quickly break down. How can three bids for the same service span a $10,000 price range?
Clearly, qualitative differences lurk in the fine print. But how do you sort it out? Start by trusting your gut when it tells you that the low price probably has a catch. And then think about why you’re investing in a pen test in the first place. A mediocre penetration test may check a compliance box for you. But it also can leave you with a false sense of security.
“You might do phishing and a vulnerability scan and check the list for the year. But there’s so much more that goes into it,” says Pratum Senior Penetration Tester Jason Moulder. “If you’re not doing a comprehensive approach and incorporating all the elements of how an attack plays out, you don’t see the big picture.”
To make sure you’re getting a pen test that’s worth your investment, ask the following questions.
Make sure you understand the difference between a vulnerability scan (vuln scan) and a pen test. Pratum includes a vuln scan as part of its pen testing to identify misconfigurations, missing patches, etc. But a surprisingly low pen test price quote might indicate that a company plans to run only a software scan of your system rather than sending a human pen tester to test your defenses as a hacker would. Ask vendors exactly how many human hours they’re budgeting for manual testing activities such as confirming vulnerabilities, exploiting them and attempting to pivot into a breach of the larger system.
Automated scans can find only the weaknesses they’re told to look for. Plus, vuln scans can produce false positives by flagging incorrect headers or by flagging subcomponents that don’t actually compromise the overall system.
A human pen tester can vet the scan’s results for actual threats, plus explore vulnerabilities that the scan doesn’t know to look for. Real hackers use unpredictable methods that a vuln scan can’t simulate. “Just last year,” Jason says, “a few kids figured out how to bypass certain logins just by mashing keys on the keyboard. Those are the kinds of things you just won’t get outside of the human aspect.”
If a penetration testing vendor’s proposal talks mostly about the proprietary technology they use, ask for more details. That could mean that they plan to rely heavily on automated scans rather than deploying human experts to truly test your system.
Industry certifications indicate testers have a solid grounding in fundamentals such as attack life cycles. Look for titles such as Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), GIAC Penetration Tester (GPEN), GIAC Certified Intrusion Analyst (GCIA) and GIAC Web Application Penetration Tester (GWAPT).
But acronyms after a person’s name don’t guarantee real-world experience. Ask for resumes of the testers who will work on your project. (Many companies keep their pen testers anonymous. But you can still ask for the resume of “Tester A.”) Some companies win your business by talking about their overall experience and then assign your project to an entry-level employee who wasn’t involved in any of the impressive projects you based your decision upon.
An experienced pen tester approaches every engagement with a high level of curiosity and creativity because that’s what a hacker will do. For example, a high-level pen tester working on a university job might research which of the school’s departments have recently received grants and target those departments for attacks. If they’re getting grants, they probably have valuable intellectual property to steal.
Make every decision with the idea that you’re building a system to stop hackers who do whatever it takes to break in. You need a savvy pen tester with the same mindset.
Remember how heist movies always feature teams of specialists who each step in to disable the security system, crack the safe, drive the escape car, etc.? In the same way, the best pen testing vendors assign multiple experts to your job. For a comprehensive test, you want a team that takes its best shot at your system with pros versed in software development, Internet of Things (IoT) devices, hardware and more.
Pen testing is both art and science. While the tester’s creativity plays a key role, they should anchor their approach in industry-recognized methodologies. Ask vendors about what drives their approach. For example, Pratum derives its penetration methodologies from NIST SP800-115, the Open Web Application Security Project (OWASP), Open Source Security Testing Methodology Manual (OSSTMM), Penetration Testing Framework, and other industry best practices.
A good vendor asks about your objectives. “We need to understand your perceived value of the test,” Pratum’s Jason Moulder says. “That helps us adjust the scope to either a more granular type of test or a broader test that incorporates all the elements required to address the scenario they have in mind.”
For example, telling a vendor you want to “do a pen test on our web app” could mean a lot of different things. Should the test be limited to the app itself? Should testers go after the infrastructure behind the app? If the tester can compromise the network via the app, should they keep going to see how much data they can access? Clear answers during scoping will produce the specific results you’re looking for.
Early on, you’ll make the key decision of deciding how much information to give the tester in advance. In a black box test, you tell them almost nothing about your environment. In gray box and white box tests, you give them different levels of information so that their work zeroes in on specific components.
Without a social engineering element, your pen test provides a very limited assessment of your security posture. Well-orchestrated, well-funded zero-day attacks grab a lot of headlines. But in the vast majority of cases, hackers rely on compromising end users in order to gain access to a system. So phishing tests, for example, should be part of a comprehensive pen test—and you should drill down on the vendor’s proposal there, too. “Generic phishing tests only provide about 60% of the potential value,” Jason says. “If you don’t test what can actually happen after someone clicks a fraudulent link, they don’t know actually know the impact it can have.”
Ultimately, the pen test is only as valuable as the report it produces. This document tells you what the testers did, what they found and what they recommend for closing the gaps. Don’t pay for a glorified template full of boilerplate graphics that tell you little about your specific security posture. Ask for a sample report and review it carefully to determine whether it provides the kind of solid information you could act on.
A mediocre report, for example, may describe a weakness in your system. But a detailed report may show you that hackers would have to get through 10 other layers to exploit a weakness. With that information, you can decide whether the vulnerability is an acceptable risk for your organization.
Also, ask how the vendor plans to walk you through the report. You’re paying enough that you should expect analysis of the results, not just a PDF sent by e-mail. The consultant’s personal review often helps connect the data points into an overall picture. “Sometimes a thing by itself is no risk,” Jason says. “But if it’s chained with other things, it becomes a big risk.”
The quote should include a retest of vulnerabilities at a set time (typically 90 days after the initial test). This gives your team time to address gaps and to get third-party validation that they were successfully remediated.
Pen testing is invasive, and there’s a chance that the tester’s actions could cause performance interruptions in your system. Confirm that the vendor you’re considering has insurance to cover business interruptions, restoration costs, etc. (The fact that pen testers can seriously disrupt your operations should be another strong incentive to confirm that you’re hiring a true pro for this work.)
Clearly, many factors go into an effective pen test. That makes sense for a service that represents a significant investment in protecting your organization’s future. For help determining what your next pen test should entail, contact Pratum today.
If it seems like your team spends more time every week answering client questions about your information security policies, you’re not alone. Vendor management has become an increasing point of emphasis for companies of all sizes. That means you’re probably allocating more and more resources to filling out forms explaining how you handle data. This trend will only grow, so it’s time to review a few best practices that can streamline your responses so that you can efficiently address your clients’ vendor management concerns and get back to your day job.
Driven by both legal concerns and worries about data breaches putting them out of business, companies are holding their vendors accountable with SIG questionnaires, SOC 2® certificates, proprietary security questionnaires and more. Companies recognize that their vendors’ risks are their risks, so they’re pushing stringent vendor management requirements all the way down their supply chain. When that initiative comes from a Fortune 500 company or government entity, the ripple effect means that even small companies now face the kind of security reviews that were once common only in larger firms.
Managing all the responses has become a major workflow issue. With every client putting their own slant on a set of core questions, you could easily tie up hours of employee time chasing down answers to the latest question about your security posture.
Vendor management was already a growing point of emphasis before two recent major breaches convinced even late-adopters that their supply chain needed a closer look. The headline-grabbing breaches of SolarWinds in December 2020 and Microsoft Exchange Server in March 2021 proved that even if your vendor is a global tech titan that dwarfs your company, you’re putting your operations into potentially uncertain hands. The Exchange breach alone resulted in compromises of an estimated 60,000 networks in early 2021.
The CMMC standard currently rolling out in every Department of Defense contract will require an estimated 300,000 companies to earn a third-party certification. Some major healthcare companies are now working only with vendors who earn a HITRUST CSF certification.
Many companies establish these requirements to avoid issuing data breach notifications, no matter what happens. These notifications can carry high costs both in raw dollars for the notification and potential fines and in damage to the company’s reputation. As a result, we’re seeing some companies require HIPAA compliance from their vendors, even if those vendors don’t typically handle PHI (Protected Health Information) for the larger company. The companies higher in the supply chain want to ensure that if they inadvertently share data with a partner, the partner has controls in place to prevent the need for a costly breach notification.
Many contracts now mandate security controls related to vendor management. “Right to audit” clauses are also gaining momentum, which means that a company can audit a vendor’s process if they suspect data is not protected. A failed information security audit could put the vendor in breach of contract.
In Pratum’s experience, only about 10% of these “right to audit” clauses are ever exercised. But large companies sometimes use the right to audit as a negotiating tactic. When a contract is up for renewal, the client company may call for an audit, reveal security gaps and seek pricing concessions if the vendor wants to retain the contract.
And keep in mind that if 10% of your, say, 80 clients exercised a right to audit in a given year, you would face eight audits. Some companies are successfully pushing back by getting a third-party certification such as those mentioned below and renegotiating contracts to include the right to audit only if a data breach actually occurs.
Pratum offers several recommendations to help you streamline this process:
Companies that can efficiently report on their security position often separate themselves from competitors. We’ve seen many clients get their big break when a major new customer calls with a rush job. The vendor that can submit their security reports at the same time as their bid typically wins the job, opening a new relationship with a potentially key client.
If you can produce a validated third-party certification (such as SOC 2®, HITRUST CFS or ISO 27001), you’ll instantly stand out from competitors who can present no more than their own statements about how they’re doing things.
Keep in mind that most companies aren’t looking to drop the contractual hammer on their vendors and cancel contracts. Most companies would prefer to keep working with proven vendors. So simply getting your information security house in order can probably secure your relationship and keep clients from considering other vendors.
For more insights on the current landscape in vendor management, watch Pratum’s recent Cybersecurity in 60 webinar.
If you could use help reducing the workload of responding to clients’ security requests, contact us today.
If it seems like you’re devoting more hours every month to reassuring partners that they can trust you, you’re not alone. In modern supply chains, companies regularly entrust their data to other organizations. HITRUST CSF is one of many compliance frameworks that aim to make everyone feel better about that data sharing. HITRUST CSF and other frameworks create objective industry standards for measuring another organization’s information security maturity. HITRUST CSF originated in the healthcare industry, but it’s a powerful framework that’s gaining traction in more fields, so it’s worth understanding how it may work for you.
The framework began in healthcare in 2007, when the HITRUST Alliance released its CSF (Common Security Framework). Like other frameworks and compliance protocols (such as SOC 2, PCI, HIPAA, GDPR and many others), HITRUST CSF provides objective criteria for measuring how an organization secures data. It also carries the added weight of third-party validation at its higher levels. That reassures your partners that you’re not just saying you have the right controls and policies in place; a third-party assessor has confirmed it. With a third-party certification like HITRUST CSF in hand, you can streamline many vendor security checks down to sending them a copy of your certificate rather than answering a long list of questions. A popular phrase describes this advantage as “assess once; report many.”
Because of HITRUST CSF’s healthcare roots, it naturally draws comparisons to HIPAA. One key difference is that HIPAA is a federal law, while HITRUST CSF is an industry-created standard. Also note that HIPAA is a self-attestation, meaning a company’s partners have no validation that an organization is actually doing what they say. HIPAA also contains a lot of subjectivity, leaving organizations to ask each partner exactly what they mean when they say “we comply with HIPAA.” Because HITRUST CSF is a detailed, objective standard focused on risk management, you know what it means when you see that certification. If you earn HITRUST CSF certification, you will definitely have covered your HIPAA requirements.
When organizations have a choice about which framework to use to satisfy client requests, they frequently compare HITRUST CSF to SOC 2. For most organizations, Pratum recommends starting with SOC 2 unless your partners are specifically requiring HITRUST. SOC 2 certification requires less time and expense, and SOC 2 allows more flexibility in defining your own control activities.
HITRUST CSF is gradually gaining traction outside the healthcare industry, and when version 10 arrives in the spring of 2021, it will include some new language targeted at making it applicable to more industries.
CSF contains 19 domains and 135 controls and offers three Implementation Phases that all build on each other. (In other words, if you reach Phase 3, you’ve covered everything in Phase 1 and 2.) The three phases of HITRUST are:
HITRUST CSF Readiness Assessment – Using the MyCSF online portal, you’ll walk through the framework yourself and receive a CSF Self-Assessment Report. Many companies hire an Authorized CSF Assessor to help with this process, which typically takes about six months.
HITRUST CSF Validated Assessment – This phase requires you to hire a third-party Authorized External Assessor organization, whose work normally includes an onsite visit. The assessor submits their report to HITRUST within the MyCSF tool and HITRUST then issues a Validated Report. This process normally takes another six months.
HITRUST CSF Certification – At this phase, HITRUST actually reviews and certifies the organization’s entries and the assessor’s validation. This process can take 3-4 months.
The most common driver for choosing any information security framework is that your customers demand it. In the healthcare space, some major companies such as Humana, CVS Caremark, United Healthcare Group and others refuse to work with any vendors until they complete a HITRUST CSF certification. In those cases, using HITRUST CSF is an easy decision, even if it’s not an easy process.
But many companies that have a choice in the matter are embracing HITRUST CSF, too. One of this framework’s advantages is the fact that if you’re working with partners across industries, you can use HITRUST for many of them. That can save you from trying to figure out the Venn diagram of multiple industry-specific frameworks. It also saves time and money because a single HITRUST certification may save you from complying with several other standards at the same time.
You should know at the outset that earning HITRUST CSF certification is a big undertaking. It requires about a year of work and a significant investment—$100,000 and up for most organizations. So the decision to pursue it obviously requires analysis of the business opportunities it will create for you (or preserve, if key clients are demanding you get it).
The process looks like this:
1. Scoping – You’ll start by using the framework’s system and organizational factors to scope your engagement. You’ll buy a license to HITRUST’s MyCSF online portal and fill out a detailed scoping questionnaire that leverages factors such as how much data you handle, how many active users you have, etc., to produce a list of the controls that will apply to you.
2. HITRUST CSF Readiness Assessment – Using MyCSF, you’ll do a thorough self-attested assessment of your current controls and policies. At this stage, you’ll be gathering documents, researching how you handle data and uploading documents and information to MyCSF. HITRUST reviews your submission to confirm that all the correct information is present and then issues a HITRUST CSF Readiness Assessment Report.
3. HITRUST CSF Validated Assessment – Now you’re ready to engage an Authorized External Assessor organization for a third-party validated assessment to affirm that the work you’ve done during the readiness assessment phase is still accurate and legitimate.
4. HITRUST Review – Through MyCSF, the External Assessor will submit their report to HITRUST for quality assurance review and the issuance of a HITRUST CSF Validated Assessment Report, which is valid for two years. To ensure you’re staying on track, your External Assessor will do a HITRUST CSF Interim Assessment after one year by testing some sample control requirements from across the 19 CSF domains.
HITRUST allows you to write corrective action plans (CAPs) for any areas where you fall short in your assessment. Typically, you’ll be expected to provide evidence in a year at the Interim Assessment that you’re taking meaningful action on your corrective action plan(s). And keep in mind that if you earn your certification with dozens of corrective action plans listed, your partners may decide that you have a long way to go and debate whether they can trust you with their data.
Pratum’s consultants specialize in a wide range of compliance frameworks and have assisted multiple clients with their HITRUST CSF journeys. Our consultants can assist IT teams with readiness assessments, identifying gaps and CAPs to implement new controls. HITRUST CSF puts a premium on seeing specific language in your policies, and our consultants can help ensure that you write them correctly.
Pratum also supports organizations during the validation stage. We’ll help interpret questions from the assessors and serve as your liaison to ensure that you can answer questions accurately and make your case when you feel an assessor may be viewing something incorrectly.
We’re eager to answer your questions as you consider whether HITRUST CSF is a smart investment for your organization. Please contact us today.