Do You Need a Web Application Penetration Test?

Learn how web application pen tests are conducted

web application pen test, web application penetration test, pen test, pen testing
George Mateaki
Security Analyst
QSA, CISSP
If your business uses web applications to store, process or transmit sensitive data, they could be vulnerable to hackers. Many hackers will compromise companies through web applications and their underlying software/libraries. It’s important for your business to find and remediate any vulnerabilities your web applications may have. This is where web application penetration testing comes in.

What is a web application pen test? 

An application web penetration test is an assessment of the security of the code and use of software/libraries on which the application runs. Pen testers are security analysts that will look for vulnerabilities in a web app such as:

  • Injection vulnerabilities
  • Broken authentication
  • Broken authorization
  • Improper error handling 

What’s the difference between an application pen test and a network penetration test?


Despite what you may think, there is a significant difference between these two types of penetration tests. Network penetration tests focus on the design, implementation, and maintenance of a network. It also looks at the services hosted on it. A web application pen test focuses more on apps and security surrounding them, such as coding flaws and insecure use of software.

SEE ALSO: Different Types of Penetration Tests for Your Business Needs


Why get an application pen test?

Your developers aren’t perfect, and the applications you use likely have security vulnerabilities. A developer’s job is to build an application that performs a function. Vulnerabilities can often be introduced into the application through poor coding practices lack of authentication, etc.

web application penetration test, penetration testEven if you are up to date on software patches and security, cybercriminals are constantly evolving their methods. Penetration testing can ensure your web applications aren’t vulnerable to attacks, and they help you avoid compromise.

You should also remember that penetration tests are often required by mandates like PCI DSS and HIPAA.

Which applications should be tested?

Should you test every web application that your business uses? Probably not. What you do need to test is any application written by or specifically for your organization that transmits sensitive data.

Performing an application penetration test

There are four stages to manual penetration testing

  1. Walkthrough
  2. Identify Issues
  3. Exploit issues
  4. Documentation

Walkthrough
This is an overall view of the application’s functionality. At this point the pen tester is familiarizing themselves with the application.

Identify issues
This is where the pen tester looks for vulnerabilities. Some questions they may ask themselves are:

    web application pen test, penetration test, pen test
  • What does the request do? 
  • What shouldn’t the request do?
  • How are errors handled? 
  • Is user input sanitized or validated?

Through these questions, the pen tester can find potential security vulnerabilities in the web application and its underlying software.
Exploit Issues
This is where the pen tester tries to see how serious the issues are. They determine the actual impact the issue may make on the web application’s security. Essentially, they try to hack the web application through the issues they’ve identified.

Documentation
This is the final step, and it’s where the pen tester sends a report of the findings. This is the only deliverable and it’s important it’s done right. Otherwise post-test action on the findings would be difficult.

Pen testers should document for each issue:

  • What it is
  • Where it is
  • What is the impact
  • How to remediate it

Evaluating pen test providers

There are many service providers that offer penetration tests, but not all are created equal. When choosing your provider, you’ll want to keep a few things in mind. Here are some questions you should ask them before you sign on the dotted line:

  • Do the penetration testers have experience relevant to your environment? 
  • Are they certified? 
  • Do they have client referrals? 
  • What experience do they have with your security standard? 
  • How long have they been pen testing? Look for a seasoned vet. 

Remember, a penetration test can help you find potential security problems, and help you prevent your business from getting compromised. They are worth the cost.

Need a penetration test? Talk to us!

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.




What's in Our 2018 SecurityMetrics HIPAA Guide?

A Look into the 2018 SecurityMetrics Guide to HIPAA Compliance 


We are thrilled to announce the release of our brand-new HIPAA Guide! No matter the size of your organization, you can use this guide to understand and handle the more challenging requirements of HIPAA. In fact, it's already coming in handy for many of our partners. See what some of them have to say:

"The HIPAA Guide book is one of the best references. It's well-organized and easy for our medical office staff and providers to understand." -Hedy Haun, Sr. Process Analyst, SHARP Medical Group

"Words cannot express what the HIPAA Guide represents to me and all of Curis. It's like an encyclopedia for us." -George Arnau, Curis Practice Solutions

Download the 2018 HIPAA Guide here


A better way to read and utilize our HIPAA guide


Just like many of our partners report back to us, our HIPAA Guide is best utilized as "desk-side reference." In order to increase the guide's usefulness to you we've added a new section called "How to Read This Guide." It includes a color-coded system, with reading suggestions based on your familiarity with HIPAA: beginning, intermediate, and advanced. This section discusses the skill levels likely required for policy and procedure implementation.

We understand there are many job descriptions that require HIPAA understanding, so whether you're a brand-new employee or a seasoned systems administrator--our guide is meant for you.

We also include a "Terms and Definitions" glossary at the end of the 135-page guide. This is meant to help familiarize you with data security and tech terms you may not already know.

Ultimately, we want to help you keep your patients' and customers' data safe and secure. By helping you address the most complicated aspects of data security and HIPAA, we aim to equip you with practical knowledge you can use in meetings and trainings, while drafting policies and procedures, and when making decisions about security at your practice.

Survey Data and HIPAA industry trends


This year, we conducted four surveys and received responses from over 300 healthcare professionals. These professionals are responsible for HIPAA compliance at their organizations, and work primarily at companies with less than 500 employees. And while larger organizations tend to have better HIPAA compliance, it's important that those larger organizations still take note of compliance trends at organizations of all sizes, since they will likely share data and interact with them (for instance, when a large hospital sends patient records to a smaller specialty clinic).

We asked respondents about security habits at their organizations. Training and encryption continue to challenge HIPAA teams, while many organizations fare well in the area of risk analysis. Here are just a few of our survey results:

  • 6% of organizations do not conduct a formal risk analysis
  • 16% of organizations report they send emails with unencrypted patient data
  • 34% of organizations train employees on the HIPAA Breach Notification Rule


Top Tips for Better Data Security 


As lead SecurityMetrics HIPAA auditor Brand Barney says, "Our guide was specifically created to help covered entities and business associates address the most problematic issues within HIPAA compliance.”

So, the guide focuses on commonly challenging aspects of the HIPAA Privacy, Breach Notification, and Security Rules, including:


Incident response plans
PHI encryption
Business associate agreements
Mobile device security
HIPAA-compliant emails
Remote access
Vulnerability scanning
Penetration testing

A proactive, offense-minded approach


Even with steep penalties in place, HIPAA compliance--particularly when it comes to security--is often not as complete as is thought or hoped for. In fact, according to the Identity Theft Resource Center, 24.7% of data breaches in 2017 were healthcare-related. Education is the first line of defense, so becoming familiar with the guide is one of the best ways you can proactively protect your organization from a potentially devastating data breach.


PCI DSS Requirement 12: Leverage Policy to Improve Security


Learn how to get compliant with PCI DSS Requirement 12. 


PCI compliance, pci dss, pci requirement 12, pci dss 3.2
Michael Simpson
(QSA, CISSP, CCNP)
If your organization has ever had a Payment Card Industry Data Security Standard (PCI DSS) assessment, you’ve probably noticed the big emphasis on having documented security policies and procedures. During an assessment, QSAs will typically verify that specific requirements are defined in company policies and procedures. Then, they’ll follow predefined testing procedures to verify that those controls are implemented in accordance with the PCI Data Security Standard and with written company policies.

pci dss, pci requirement 12, pci compliance, pci dss 3.2, security policyThere’s a good reason for this emphasis on written policies and procedures. If you have well-defined security policies and procedures—and you train your employees to follow them—you’re more likely to maintain a PCI-compliant, secure environment.

Requirement 12 of the PCI DSS calls for businesses to "maintain a policy that addresses information security for all personnel." Documentation also helps protect your business from potential liability should an attacker breach your organization’s data. Thoroughly documenting security policies and procedures helps forensic investigators see what security measures your company has in place.

Where do I start with documenting my data security policies and procedures?

If you’re starting from scratch, the thought of drafting all the required PCI DSS policies and procedures probably seems daunting. To give you a place to start, here’s a list of some policy/procedure items that need to be documented:


  • Firewall configuration/hardening standard
  • Server and workstation hardening standards
  • Data retention and disposal policies
  • Software development life cycle
  • User provisioning/de-provisioning procedures
  • Password policies
  • Physical security policies and procedures
  • Log monitoring and escalation procedures
  • Employee manuals 

  • Appropriate use policies
  • Staff training procedures
  • Third-party vendor management 

  • Disaster recovery and incident response plans 



One approach to starting your policy and procedure documentation is to look through the PCI DSS and take note of all requirements that would need to be addressed in the security policy. Think about the day-to-day duties of staff. Which ones would be made safer and more PCI-compliant with the help of a written procedure. We recommend that you reach out to your QSA and ask for a list of required policy elements to guide you in this process.

To save time, consider purchasing ‘PCI policies and procedures’ templates. Or, look for publicly available examples of written security policies. Using policy templates can greatly reduce the time it takes to generate policy documentation, but be sure you customize the templates to fit your unique environment. Otherwise, if you are following a ‘compliance as a checklist’ mentality, written policy and procedure documentation will do nothing to foster a security-minded workforce or to reduce your risk of becoming part of next year’s breach statistics.

pci dss, pci requirement 12, pci compliance, pci dss 3.2, security policyLeverage your risk assessment process

PCI DSS Requirement 12.2 says you should perform an annual risk assessment that identifies critical assets, threats, and vulnerabilities. An annual risk assessment will help you identify, prioritize, and manage information security risks. While performing your risk assessment, look to see if any of the risks identified during the risk assessment process can be reduced by a change in your security policy or by drafting new procedure documentation and training staff on following the new procedures.

Your security policies and procedures should be living documents. As your business environment or the threat landscape changes, you should revise policies to address these changes. Companies should review their policies at least annually to ensure they still meet the needs of the business.

Train employees

To help protect sensitive data, make sure employees are aware of company policies and procedures, and that they receive regular security awareness training. While we might be inclined to believe employees should inherently understand foundational data security principles and accompanying policies and procedures, that is simply not the case. Here are some tips to help your staff become a security asset instead of a liability:


  • Set monthly training meetings: focus each month on a different aspect of a data security, such as passwords, social engineering, email phishing, etc. 

  • Remind frequently: could be an email, newsletter, during standup meetings, and/or a PCI DSS security webinar with education and tips.
  • Train employees on new policies ASAP: address security and PCI policies with newly hired employees soon after they’re hired.
  • Make training materials easily available: Intranet/internal sites are a great way to keep training and policy materials accessible.
  • Create incentives: reward your employees for being proactive.

  • Regularly test employees: foster an environment where employees aren’t afraid to report suspicious behavior. 



Vendor management

As you draft security policies, realize that the policies’ effects need to be felt beyond the doors of your business. No company runs in isolation. Your company’s information security policy needs to specifically address how it will manage third-party relationships—especially when those third parties can affect the security of your cardholder data. Vendor management policies should proscribe a “vendor vetting process” that will ensure you meet due diligence prior to engagement with a service provider. Your information security policy should also define a process for vendors to follow, to ensure all service providers continue to handle your company’s data in a secure and PCI-compliant manner.

Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for 15 years. He has a Bachelor of Science in Computer Science and a Masters in Business Administration.


Holiday Security Tips

holiday security, data security, data breach

How to protect your business from data breach and theft. 

data breach, security tips
Michael Simpson
(QSA, CISSP, CCNP)

Most wonderful time of year for criminals?

Winter holidays are synonymous with shopping. Black Friday, Cyber Monday, last minute Christmas gifts, and the like mean more transactions and more credit card spending. In fact, the Winter holiday months account for %19.7 of annual retail spending in the United States.

While the busyness and bedlam of the holidays can provide cover for cybercriminal activity, there are a few things your business can do to protect against data breaches this holiday season.

Bad security habits plus chaos equals crimes of opportunity. Because cybercriminals continually scan for the “lowest hanging fruit” in terms of exploitable security weaknesses, you can prevent a majority of successful breaches simply by practicing good data security habits:

holiday security, data security, data breach Follow the most current NIST password recommendations.


The organization recently overhauled its guidelines for password creation. They now advocate using easy-to-recall-but-lengthy “pass phrases,” in place of the traditional minimum-length, randomly generated passwords. Long passwords/pass phrases (at least 10 characters) made of common, memorable words are mathematically harder to crack than short passwords with added symbols and numbers. More tips for creating strong pass phrases.

Update software and systems. 


Many successful exploits are against unpatched systems or computers. After a vulnerability is known, and a corresponding patch is released, it’s critical that you update your systems. Typically, a critical patch should be updated on your systems within 30 days, but we recommend as soon as possible. Hackers will quickly craft exploits to match the vulnerability, because they know that most businesses won’t install patches in a timely manner—and for those that do, the patch may not reach all computers and devices. It’s good practice to have a member of your IT team assigned to stay on top of updates.

Review security procedures with staff. 


Phishing campaigns spike during the holidays because the transaction volumes create an environment of increased susceptibility to being deceived into opening an email and clicking on a link. Employees will likely receive emails (and increasingly, SMS texts) with fake coupons, malicious attachments, even spoofed shipping notifications and party invites. The aim of these schemes is to collect sensitive personal or corporate information or serve malicious malware. Make sure to review email and website security policies, guidelines, and procedures with employees, in addition to your regular security training.

Check for card data with discovery tools. 


Storing unencrypted cardholder data on a server poses a risk for the company. Once a hacker gets access to a system, stored unencrypted payment data makes it it’s easier for them to export and sell your customers’ credit card numbers and sensitive information. If you must store cardholder data, it is best practice to encrypt it while it is stored or transmitted. You should use a trusted card data discovery tool to find out if you are inadvertently storing plain text cardholder data anywhere on your systems or devices. 

If your company takes orders over the phone or mail, you should be sure that if cardholder data is written down, it is properly destroyed in a timely manner.

data security, holiday security Test website and network with vulnerability scanning. 


Companies don’t want to be inconvenienced in the middle of the busy holiday season with an emergency maintenance window in order to fix misconfigured firewalls, remove malware hazards or remote access vulnerabilities. A company should be proactive rather than waiting for a data breach to clue them in. Regular vulnerability scanning is an essential procedure that checks for vulnerabilities and security holes that could enable backdoors, buffer overflows, denial of service, and other types of malicious attacks which ultimately could cause downtime and prevent potential orders from taking place.

Avoid problems—prepare now


Transaction volumes during the holidays add complexity to the task of protecting corporate, customer, and personal data. Even so, industry-wide education and implementation of best practice security measures will go a long way toward minimizing the effectiveness of attacks and preventing data breaches. Sound security principles and proactive best practice implementation, policy and procedures will serve as the foundation for your business’s cybersecurity this holiday season. Avoid snags, upsets, delays—or a devastating breach—by getting into good security habits now.

Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for 15 years. He has a Bachelor of Science in Computer Science and a Masters in Business Administration.




5 Security Best Practices for Protecting Your HIPAA-Compliant Data

hipaa, hipaa security, data security

What do these situations have in common?

  • April 2017: Augusta University Medical Center reported that it had become a victim of phishing for the second time within a twelve-month period. 
  • From December 2016 through early 2017, a trio of cybercrime rings took over 26,000 open MongoDB servers and demanded ransom
  • July 2017: A successful intrusion of Medical Oncology Hematology Consultants was detected, a breach which compromised 19,203 patient records
  • June 2017: Ransomware brought down Pacific Alliance Medical Center. Two months later, the firm said the attack impacted 266,123 patients.

Adnan Raja
These are all examples of HIPAA violations that took place in 2017. And each is a nightmare scenario healthcare organizations should hope to avoid. Forget the threat to credibility—including the much-dreaded Wall of Shame—the sheer expense of such a breach is overwhelming. The average drop in revenue at a healthcare firm after a data breach is $3.7 million.

Since these data breaches are more common and costly than many would like to think, this post will go over some HIPAA fundamentals and review security best practices for protecting HIPAA-compliant data. Here are a few tips and best practices your organization can integrate into your environment to help secure protected health information (PHI) that is under your watch:

1. Encrypt everything.

Encryption is critical. A study published in Perspectives in Health Information Management in 2014 examined all HIPAA breaches on file with the HHS Department. At the time of the report (which used all events through September 22, 2013), 27 million records had been compromised via successful attacks of 674 covered entities and 153 business associates. These breaches included intrusions related to hacking, improper disposal, loss, theft, and unauthorized access. They occurred in various digital environments—devices and back end systems—as well as physical documents.

The study provided data about types of breaches, and it reveals how rampant data theft is. Here are the top five types of breach in descending order of volume, with the number of individuals, covered entities, and business associates affected in each case—numbers that in the last few years have grown even more:

  1. Theft: 12,785,150 people (via 344 CEs and 52 BAs)
  2. Loss: 7,359,407 people (via 74 CEs and 23 BAs)
  3. Hacking or IT event: 1,901,111 people (via 59 CEs and 20 BAs) 
  4. Unauthorized access: 1,334,118 people (via 136 CEs and 44 BAs) 
  5. Improper disposal: 649,294 people (via 32 CEs and 5 BAs)

A major concern with “data breach by theft” isn’t the theft itself. In each of those cases, unencrypted information was left on the devices. Encrypting information means that even if bad actors steal digital information, encryption makes that information unusable. When encrypted correctly, ePHI may not fall under the Breach Notification rule, even when the system storing it is physically stolen.

2. Assess your risk.

hipaa, hipaa security, data securityConduct a complete risk assessment of all the elements of your ecosystem that store, process, or transfer electronic PHI (ePHI). Make sure to evaluate the ways in which your information could be exposed. If your environment includes a data center, you should ask these questions:

  • Are natural disasters common in the location of the data center? 
  • Is there a responsible party associated with all hardware components? 
  • Have you assessed the security mechanisms that are now in place and any risks that are present? 
  • Have you taken into account all ways in which ePHI is accessed or manipulated within your system? (Consider the creation, receipt, maintenance, and transfer of ePHI).

3. Training is fundamental.

You must properly train your staff, especially since the cybersecurity threat landscape is evolving, and comes with an increasingly sophisticated toolset for accessing your data. Phishing campaigns were created to elicit simple yet devastating mistakes from employees. If a staff member clicks on a link or submits data—like a username or a social security number—they essentially hand over the keys to your organization’s data environment. It’s scary but true that something as simple as a fake email could create a point of entry for attackers to exploit.

Keep in mind that no matter how extensive your training program is, people make mistakes. Back up your training program with technical security controls that prevent employees from installing malware or visiting spoofed websites.

4. Be vigilant and ready to act.

Although not fun to think about, it's critical to be prepared for the possibility of a breach. You need a planned response that is easy to execute, but thoroughly designed. The Office for Civil Rights’ checklist lists the steps of a proper response after a breach of HIPAA-protected material:

  1. Carry out your response and mitigation steps. 
  2. Stop the attack and contain the threat to privacy and security. 
  3. Report the incident to law enforcement. 
  4. Submit the relevant cyber threat indicators to federal and information sharing and analysis organizations (ISAOs).
  5. Notify the Office for Civil Rights quickly, within 60 days following the detection of a breach that compromised at least 500 people.

5. Read business associate agreements and find partnerships you trust. 

Due diligence will help you avoid making decisions that might leave you vulnerable. Whether your organization is a covered entity or business associate, you need to be certain that any vendor relationships related to PHI or ePHI are designed to protect the data as defined within HIPAA. Whenever you look at a new potential agreement, it’s important to check that the outside entity regularly scans its system for security risks. You also want to know that their staff has been properly trained, and that they have designated security and privacy officers.

While a business associate agreement is necessary from a legal standpoint, it won't protect you at a technological level. To make sure the systems themselves are properly secured and controlled, look to see if the provider has been validated for HIPAA compliance by a qualified, third-party assessor.
Do you need to secure your HIPAA data systems? It may help to put things into perspective to look at the experience of a single organization. See how Complete HealthCare Solutions followed the above best practices to secure their PHI and ePHI.

Author Bio: Adnan Raja has been the Vice President of Marketing at atlantic.net for 14 years. During Raja’s tenure, the Orlando-based, privately held hosting company has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally. In collaboration with a skilled and dedicated team, Raja has successfully led a full spectrum of marketing campaigns, as well as handling PR work with major news outlets and the formation of key strategic alliances.