For this week’s “In the News”, perform research on one of the following:
- new testing requirements (e.g. SSAE18 SOC1 or SOC2)
- new testing requirements put into place due to regulations
- how security assessments and testing integrate with other domains, such as cloud network architecture or the software development lifecycle
Recently, Microsoft released Azure Attestation to all Azure cloud users. Azure Attestation is a platform within the cloud service that verifies how trustworthy a platform is, as well as the integrity of the parts that make up the platform. The Platform as a Service can also be used to help protect customer data that is currently in use, which is becoming more and more important as organizations opt in to Azure and similar platforms. Attestation includes many benefits, including a built-in business continuity and disaster recovery plan implementation, and the creation and configuration of policies to make token generation safer and more secure. Having a cloud service implement a form of security assessment is incredibly crucial, as some organizations do not have the built-in infrastructure to perform the assessments themselves, especially in the remote work environment we are currently in.
https://www.infoq.com/news/2021/03/microsoft-azure-attestation-ga/
Hi Krish, I feel like Microsoft’s release of Azure Attestation was a great business move on their end. They can close the gaps many customers face by offering off-the-shelf BCP and DRP, collect insights/data from customers, and also continuously develop their platform based on these recommendations. I’m interested to see how their competitors will match up as well.
Great point, Mei. This could help some businesses that may otherwise put off developing thorough BCPs and DRPs.
I have to agree that Attestation is a good move given the overly alert landscape we have right now. There have been such amazingly public breaches in the last 2 years that having a one-stop-shop solution is enticing! I wonder what the controls are around the data storage that the service offers vs. the attestation piece? Could there be a conflict of interest?
Krish,
Your link was very helpful. I was able to follow the link and download some documents regarding MS Azure Attestation.
New Top 20 Secure-Coding List Positions PLCs as Plant ‘Bodyguards’
A new open-source guide has been unveiled by a group of cybersecurity experts, aimed at reimagining the Programmable Logic Controller (PLC) as the last line of cyber defense in an industrial process. The guide includes 20 recommendations for configuring PLCs for resilience to security incidents.
They hope to help PLC vendors and their industrial clients incorporate secure programming techniques when configuring PLCs for use in their industrial environments. This measure in turn will help mitigate some cybersecurity attacks, hence preventing industrial disasters caused by a security incident.
The PLC Top 20 List, as it is known, is similar to application security coding best practices such as Microsoft’s Secure Development Lifecycle or OWASP’s Secure Coding Practices, but customized to specific PLC capabilities. The secure coding practices are therefore grouped by security objectives, encompassing integrity, hardening the attack surface, resilience, and monitoring certain PLC values for indicators of security issues.
https://www.darkreading.com/vulnerabilities—threats/new-top-20-secure-coding-list-positions-plcs-as-plant-bodyguards/d/d-id/1341289?&web_view=true
Hi Humbert,
This post is great, and I encourage other members to go download a presentation on the link, especially if you work as a consultant or at a mid-sized company.
The presentation is titled “Thriving as a Small or Midsize Business with a Strong Cybersecurity Strategy”.
https://www.lawfareblog.com/regulatory-alchemy-turning-cybersecurity-guidelines-rules
Something I did not know: the TSA not only oversees airports, but also oversees pipelines in the US. The TSA previously had security “guidelines” in place, but they did not seem to be followed, which has resulted in the cyber attack on the Colonial Pipeline and created a national gas shortage on the east coast of the United States.
“In early May, the Colonial Pipeline carrying fuel to the East Coast shut itself down after being hit by ransomware. The resulting lines at some gas stations gave new urgency to decades-old warnings about the vulnerability of critical infrastructure to cyberattack. The TSA, which oversees not only airport security but also pipelines, responded with its directive effective May 28 and promised more.”
So since these guidelines were not being followed, they were made mandatory across everything the TSA manages. Most of the reporting on the emergency directive has focused on its requirement that operators of major pipelines must report cybersecurity incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. These guidelines date back all the way to 2002, with their current version put in place in 2018. They last revised the guidelines in April 2021. “The guidelines say that pipeline operators should have a risk-based security plan, which should include risk assessments, personnel training and security testing, among other elements. Section 7 of the guidelines focuses specifically on security measures for cyber assets. It is based on the voluntary Framework for Improving Critical Infrastructure Cybersecurity issued by the National Institute of Standards and Technology (NIST).”
With this in mind, last week the TSA made it a requirement for pipeline operators to immediately review Section 7 of the pipeline security guidelines, assess whether their current practices and activities to address cyber risks align with the guidelines, identify any gaps, identify remediation measures that will be taken to fill those gaps, spell out a timeline for implementing those measures, and report to the TSA and CISA within 30 days.
2017 – Deloitte – New Regulatory Requirements in Patch Management
Not brand new, but this regulation requires the financial sector and investment firms to implement:
1) A security monitoring process rapidly notifying institutions of new vulnerabilities.
2) A patch management procedure for swiftly addressing significant vulnerabilities.
According to Deloitte, “the internal audit function will cover these controls as part of their on-going audit plan, particularly reporting any failure in implementing a known patch and document the reasons for the failure in an audit point.”
https://www2.deloitte.com/content/dam/Deloitte/lu/Documents/risk/lu_regnewsalert-cssf-circular-it-outsourcing_29052017.pdf
Patch management procedures are so important. Far too many organizations fall victim to attacks that could have been prevented by implementing available patches!
So true, Amy! If an organization is not following best practices when patching, just imagine what else is wrong. It is a recipe for disaster!
Patch management is an overwhelming endeavor depending on your technology landscape. Automation of patch management helps, but your security professionals have to be up to date on changes, and that should not be limited to the technological changes. Not all patches are made equal, and one has to weigh the business advantage of applying a patch. Even with in-house developed software you have to weigh the pros and cons. Patches include “enhancements” as well as bug fixes. You need to determine whether those enhancements are white noise, or impact your business for the good and the bad. Patches don’t only fix bugs. So you have to be sure you understand whether you can even apply a patch without applying all that is included (not usually the case). Either way, I wouldn’t go so far as to say that patch management is an “afterthought,” but more that it is something people just can’t really wrap their heads around and find value in because they simply are overwhelmed.
Since 2020, there has been a dramatic shift in cybersecurity testing for quality assurance and software tests. From a BitSight study, “82% of stakeholders accepted that users perceive security as growing essential in making decisions for their enterprises. The damage connected with cybercrime is projected to hit $6 trillion annually by 2021”. Due to our current cybersecurity climate, organizations must remain compliant with regulatory standards for software development testing.
They can do so by using different methods of code testing, having segregation between production and development, documenting change management processes, defining policies and procedures, and investing in automated code testing tools. Some new trends are highlighting Testing Centers for Quality, using API and service test automation, and emphasizing the focus on quality assurance based on user experience, DevOps, and agile best practices.
https://dzone.com/articles/top-15-software-testing-trends-to-watch-out-in-202
I posted this in the wrong place at first. SMH
Hi Mei,
82% is a great number because years ago, it was an afterthought. Stakeholders, more and more, understand that IT Security needs to be fully intertwined with business goals to succeed and thwart breaches. Also, users from the bottom to the top of the organizational chart need to be security aware. Security awareness is key in preventing one of the easiest avenues of attack: human incompetence!
This is a very insightful post regarding our profession.
“The damage connected with cybercrime is projected to hit $6 trillion annually by 2021. Due to our current cybersecurity climate, organizations must remain compliant with regulatory standards for software development testing.”
The best thing about this article, as mentioned, is that “82% of stakeholders accepted that users perceive security as growing essential in making decisions for their enterprises.” This means we are trending in the right direction in bringing stakeholders to take security seriously.
Public companies are required to follow the rules stated in the Sarbanes-Oxley Act (SOX). This includes rules on internal controls, reporting on those controls, record storage requirements, and more. The AICPA created a generally accepted auditing standard, SSAE 16, followed by the updated version, SSAE 18, for financial reporting which is helpful in complying with parts of SOX. SSAE 16 and SSAE 18 include System and Organization Controls reports (SOC) which are to be completed by a Certified Public Accountant. The SOC reports are verifiable and show the controls that a vendor has in place as well as the effectiveness of those controls.
https://www.infosecurity-magazine.com/opinions/soc-audit-reports/
https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc1report.html
Organizations have many reasons for taking a proactive and repetitive approach to addressing information security concerns. According to ISACA, the rationale behind performing the assessments is cost justification, productivity, breaking barriers, self-analysis, or just communication. Numerous conditions can impact the schedule. Depending on the size and complexity of an organization’s IT organization, it may become clear that what is needed is not so much a thorough and itemized assessment of precise values and risk but a more general prioritization. The major factor is the risk appetite of the company. Moreover, assessments are mainly dependent on the specific organization. Also, if one is unsure of what kind of assessment the organization requires, a simplified assessment can help determine that. The basic objective of the security assessment is to understand the existing system and environment and identify risk from the information/data collected.
Reference
N.A. (2010). Performing a Security Risk Assessment. ISACA. Retrieved from https://www.isaca.org/resources/isaca-journal/past-issues/2010/performing-a-security-risk-assessment
Proactive protections have really come to the forefront given the nearly daily reports of data breaches in allegedly secure systems. As breaches continue to occur, regulations and laws continue to respond. Having proactive testing procedures is critical in this threat-filled environment. Security Magazine put out an article on penetration testing and how this could be used in the modern regulatory and legal landscape. It highlights the “northern star” of security regulations, GDPR, and how even there there isn’t proper mention of “penetration testing or to any other specific security controls or processes. The statutory language of GDPR is purposely left generally vague to give broad discretion to competent courts and national DPAs (Data Protection Authorities) to determine what reasonable, adequate or risk-based cybersecurity should mean in practice.”
A call to action was made when the EDPB (European Data Protection Board) provided guidelines: “Regular penetration testing is expressly mentioned in several examples on how hypothetical data breaches could and should have been prevented by the data controller.” It also highlights that pen testing is proactive at finding vulnerabilities so they can be fixed before going live. The ICO (Information Commissioner’s Office) has also created a comprehensive guide specifically mentioning pen testing to ensure that “existing security measures are effective.”
The article goes into further detail for US compliance with pen testing provisions:
– US DoD’s CMMC (Cybersecurity Maturity Model Certification): imposes periodic penetration testing on Level 4 and 5 DoD contractors, and the CA.4.227 practice requires periodic Red Teaming against organizational assets in order to validate defensive capabilities.
– The New York Department of Financial Services (NYDFS) issued its own cybersecurity regulations, which specifically oblige the covered entities to perform penetration testing at least annually.
– PCI DSS imposes annual penetration testing of the CDE scope by Requirement 11.3.
– Laws in Nevada, Washington, Ohio and Utah.
– The FTC (Federal Trade Commission) ordered Zoom to implement regular penetration testing in its consent order against the company.
– U.S. HHS’s Office for Civil Rights (OCR), the principal HIPAA enforcer, published a detailed framework for security and privacy assessment for the Centers for Medicare & Medicaid Services (CMS) with a section dedicated to penetration testing.
– SEC’s OCIE (Office of Compliance Inspections and Examinations) released a risk alert notice in November 2020 with a section, imposed by the Act, stating that safeguards for clients’ privacy should include a properly established and documented penetration testing program.
– Post the SolarWinds attack, companies are asking vendors for ISO 27001 or SOC 2 annual audit reports, AND summaries of penetration testing reports and remediation steps taken.
Overall this was incredibly informative! It highlights that pen testing is no longer just a formal process but a “legal duty” that is a valuable contribution to the competitiveness of the business in the global market.
References:
https://www.securitymagazine.com/articles/95477-penetration-testing-in-the-modern-regulatory-and-legal-landscape
https://www.immuniweb.com/compliance/pci-dss-compliance-cybersecurity/
https://www.immuniweb.com/compliance/nist-compliance-fisma-dfars-cmmc/
SOC 1 (SSAE 16/SSAE 18) – New Standards for SOC 1 Reports
Statement on Standards for Attestation Engagements (SSAE) 16 came about for a number of fundamental reasons, one of the most important being that SSAE 16 closely mirrors and aligns itself with ISAE 3402, the globally accepted standard for reporting on controls at service organizations. The regulatory landscape has changed dramatically in recent years, forcing many service organizations to undergo an examination of their control environment. SAS 70, the U.S. standard for reporting on controls at service organizations, was well positioned to accommodate the needs of businesses for compliance reporting purposes, ultimately allowing it to play a dominant role, both regionally and internationally. However, its limitations forced changes, resulting in the issuance of SSAE 16, which effectively supersedes SAS 70 for reports dated on or after June 15, 2011. Following the issuance of SSAE 16, SSAE 18 is now the standard used for issuing SOC 1 reports dated on or after May 1, 2017.
https://socreports.com/white-papers/soc-1/why-a-new-standard