Automate SOC 2 Report Reviews

System and Organization Control (SOC) report reviews are a common part of the third-party due diligence function.  These reports can be lengthy, they contain elements that you really need to understand and agree to, different reviewers may produce different results, and one must understand how to properly review them.  It is not sufficient to simply search for any exceptions noted in the report.  Your team members have better things to do than read through SOC 2 reports all day.  So, how can you automate SOC 2 report reviews?  Velocity automates this for you!

Details

Velocity automates all the items necessary to properly review a SOC 2 report including, but not limited to, exceptions, management responses, trust criteria, ensuring the vendor and product match the expected solution, and more.  The platform also extracts the “Complementary User Entity Controls” or CUECs and creates an “Acceptance” column so customers can formally agree to each control that they are responsible for.  Velocity creates an executive report that customers can read instead of having to read a lengthy SOC 2 report.  Customers can include details in the report such as listing the type of data that the vendor has access to.

Benefits

  1. Speed – Velocity will give you time back in your day by automating the SOC 2 report review process.
  2. Consistency – A company may have multiple employees that analyze a SOC 2 report differently.  Velocity’s automation gives consistent results every time.
  3. Accuracy – An employee may miss something when reviewing a SOC 2 report.  Missed details can be costly for a company as this is the process used to identify risks within a third party.  Velocity is not only fast and consistent, but also accurate with the reviews.  Velocity knows how to properly review a SOC report as it was built by practitioners.
  4. Documenting Third-Party Due Diligence – Collecting a SOC 2 report is not enough.  Companies need to document that they reviewed the SOC 2 report and Velocity provides a simple way to do that.

Full Assessment

Even after leveraging the automation within Velocity to review the vendor SOC 2 report, customers can still launch a full assessment on the vendor.  For example, let’s say a customer receives a vendor SOC 2 report and uploads it into Velocity.  The executive report that Velocity generates may contain concerning information about the vendor’s security posture.  The customer can then choose to launch a full Velocity assessment on the vendor to fully address the concerns and determine when the vendor will resolve the issues.

Conclusion

There is limited time in the day and Velocity is your go-to platform for automating SOC 2 reviews.  Velocity has the benefits of speed, consistency, accuracy, and provides a way for customers to document their third-party review process.

SOC It to Me: How to Properly Review a SOC Report

System and Organization Control (SOC) reports have quickly become a standard request for SaaS application providers in order for customers to perform a security due diligence review.  So, are all SOC reports the same?  No!  Should you read the SOC report?  Absolutely!  How should you properly review a SOC report?  Read on 🙂

Background

SOC audits are only performed by a Certified Public Accountant (CPA) firm in accordance with the American Institute of Certified Public Accountants (AICPA) guidelines.  The point of the examination is to measure the effectiveness of an organization’s controls and safeguards by an independent third party.

SOC Report Types

There are several types of SOC Reports as seen in the table below.  The most often requested is the SOC 2 Type II as it covers a range of trust criteria and is an examination of controls over a period of time.

Type | Time Period | Details
---- | ----------- | -------
SOC 1 Type I | Point in time examination | Examines internal controls for financial reporting.
SOC 1 Type II | Examination over a period of time | Examines internal controls for financial reporting.
SOC 2 Type I | Point in time examination | Examines internal controls for compliance. Covers some or all of the following trust criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
SOC 2 Type II | Examination over a period of time | Examines internal controls for compliance. Covers some or all of the following trust criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
SOC 3 | | Public facing report that is much less detailed and is used for marketing or public distribution.  Less detailed version of a SOC 2 Type II.

Reviewing the SOC 2 Report

While all SOC reports generally have the same format, they vary in thoroughness depending on the auditing firm.  Additionally, these examinations are not pass/fail and should be reviewed to fully understand the controls in place within an organization.  The examinations cover controls that are in place for the trust criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) that the customer chooses to be examined on.  The auditor chooses a list of controls within audit categories to include for the examination.  SOC reports can be over 100 pages long and the following are some areas that a reviewer should focus on.

Company and Scope

It may sound obvious, but a reviewer must ensure that the SOC 2 Type II report actually covers the vendor and the specific solution being evaluated.  There are many times where Software as a Service (SaaS) companies give customers a SOC report for a cloud hosting provider (ex. AWS or Azure) because that’s where the solution is hosted.  Unfortunately, the hosting provider’s SOC report does not cover the SaaS solution itself.  Instead, the SaaS solution should have its own SOC report.

SOC Report Type

As explained above, there are different types of SOC reports.  The SOC 2 Type II is the strongest and is the one most frequently requested.

Trust Criteria

Companies select which trust criteria they want the examination to cover.  The options are the following: Security, Availability, Processing Integrity, Confidentiality, and Privacy.  Most examinations include at least the Security trust criteria.  It is important that the reviewer knows which trust criteria are included and whether the auditor states that those trust criteria are met.

Audit Period

SOC 2 Type II reports are examinations of controls over a specific audit period.  A reviewer should ensure that the audit period is recent.

Complementary User Entity Controls (CUECs)

SOC reports have a section titled “Complementary User Entity Controls” or CUECs.  These are controls that the company states that the customer is responsible for.  It is incredibly important that the customer understands what responsibilities the solution provider is putting back on them.

Audit Exceptions & Manager’s Response

While the audit is not pass/fail, the auditor does state whether certain controls were not present.  These are usually listed as “exceptions” in a large table of controls that were reviewed during the examination.  If there are any exceptions, the company can provide their explanation in a “Manager’s Response” section at the end of the report.  For example, if an audit discovers that an employee’s access was not terminated immediately after dismissal, the company can respond by saying they now have procedures in place to immediately disable access upon any termination.

Audit Detail

Every audit firm is different, and some may perform more comprehensive audits than others.  While it can be tough to determine the strength of an audit, a reviewer should read the entire report to understand the level of scrutiny that was performed.  For example, a reviewer could see if the auditor reviewed penetration testing reports and see any details that the auditor provided around that control.  A company can obtain a SOC report without having great security in place.  The auditors should have the expert knowledge to conduct the examination per the specified trust criteria, but unfortunately this is not always the case.

How Can I Automate the Review of a SOC Report?

We get it, you’re busy and often do not have time to thoroughly review a SOC report.  While security professionals are often the individuals responsible for reviewing these reports, this process is not what they were trained for, nor should they have to prioritize these reviews over more pressing cybersecurity tasks.  Thankfully there is a solution for this.  Stern Security’s Velocity product has automated this entire SOC review process.  Instead of spending an hour reviewing the 100+ page report, Velocity analyzes it for you, outputs a summary, and highlights any areas of concern.  This is why Velocity is often called “A CISO’s Best Friend”.  Velocity helps security professionals utilize their time much more efficiently.  Sign up for Velocity and start automating these SOC report reviews today.

Conclusion

All SOC reports are different, and each should be thoroughly reviewed to understand coverage, compliance, and areas of concern.  Companies can obtain a SOC report without having great security in place.  Velocity can automate the SOC report review process in order to make teams more efficient and effective.

Red Team vs Blue Team vs Purple Team Cybersecurity Roles

A well-run cybersecurity team operates like a beautiful orchestra, each individual knowing their part and contributing to the same goal.  A cybersecurity team may consist of team members wearing numerous hats, ranging from management to defensive and offensive security.  The offensive team members will attack their own organization to find vulnerabilities so the other teams can resolve the issues.  The defenders will deploy security software and hardware to shield the organization from attack.  Cybersecurity professionals have given color codes to roles within the security orchestra including “Red Team”, “Blue Team”, and “Purple Team”.  So what is the difference between a Red Team, a Blue Team, and a Purple Team in cybersecurity?  At a high level, the Red Team focuses on offensive security (attacking), the Blue Team works on defending the organization, and the Purple Team is a collaborative effort between the Red Team and Blue Team.

Red Team Details

The Red Team performs the offensive security functions within the organization.  In other words, the Red Team mimics the Tactics, Techniques, and Procedures (TTPs) of real attackers to discover vulnerabilities, exploit them, and gain access to data.  The Red Team is made up of penetration testers (ethical hackers).  The Red Team will provide the organization with reports of the discovered vulnerabilities.  Members of the Red Team often have cybersecurity certifications geared towards penetration testing.  Some of the common certifications for Red Teamers include:

  • OSCP (Offensive Security Certified Professional)
  • GPEN (SANS GIAC Penetration Tester)
  • PenTest+ (from CompTIA)
  • GXPN (GIAC Exploit Researcher and Advanced Penetration Tester)
  • Offensive Security Wireless Professional (OSWP)
  • Burp Suite Certified Practitioner (BSCP)

Blue Team Details

The Blue Team performs the defensive security measures within the organization.  They utilize tools and strategies such as SIEMs (Security Information and Event Management systems), IPS/IDS (Intrusion Prevention System / Intrusion Detection System), Firewalls, NAC (Network Access Control), Endpoint Protection, File Permission Restrictions, DLP (Data Loss Prevention), Email Protection, Security Awareness Training, and more.  Blue Team members have a wide area of knowledge in order to defend the organization from attack.

Some common certifications on the Blue Team side include, but are not limited to:

  • CompTIA Security+
  • GIAC Certified Incident Handler Certification (GCIH)
  • GIAC Security Essentials (GSEC)
  • Certified Cloud Security Professional (CCSP)
  • Certified SOC Analyst (CSA)
  • Certified Threat Intelligence Analyst (CTIA)
  • Certified Cyber Forensics Professional (CCFP)
  • CompTIA Cybersecurity Analyst (CySA+)
  • Systems Security Certified Practitioner (SSCP)
  • Certified Information Systems Security Professional (CISSP)
  • Various product-specific certifications

Purple Team Details

The Purple Team is generally a collaborative effort between the Blue Team and the Red Team.  The Red Team may walk through various stages of an attack using a framework such as MITRE ATT&CK.  At the same time, the Blue Team will see which attacks are discovered or blocked and make changes as appropriate.  This collaborative effort between teams helps streamline improvements to the security posture.  Another positive outcome of the teams working together is that, instead of feeling bad when an attack succeeds or fails, both teams learn from each other and understand that they are working towards the same goal.

How Can Stern Security Help?

Stern Security has extensive experience working with organizations on Purple Team engagements.  The company emulates known threat actors using their Tactics, Techniques, and Procedures (TTPs) to work through the various stages of an attack as charted within the MITRE ATT&CK Framework.  Stern Security works with an organization’s Blue Team to see which attacks are discovered, which are blocked, and which bypass defenses.  Our team also helps Blue Teams design defenses to block similar attacks in the future.  To top it off, Stern Security gives the Blue Team kudos for all mitigated attacks.  Expert penetration testing is one of our organization’s most popular service offerings.  Stern Security’s Velocity application can be used to perform internal risk assessments, identify gaps, and view actionable recommendations to improve security.

Conclusion

Within a cybersecurity team, Blue Teams are defensive, Red Teams are offensive, and Purple Teams are a collaborative effort between the Blue and Red Teams.  Individuals within these groups may have different skillsets and certifications, but they are all working towards reducing risk within the organization.

Top Tips to Stay Safe Online

Background

Technology has dramatically changed almost all aspects of human life, giving us amazing communication ability, a healthcare revolution, financial opportunities, and safe energy, all growing at exponential rates. These benefits become risks if the technology is not made secure. At Stern Security, our mission is to secure the planet, business by business, industry by industry. Everyone can play a part and make a difference. You can start today by educating your loved ones about securing their data and identities. Businesses have a critical role to play and can join us in this battle to safeguard the planet. Review the top 10 online safety tips below to protect yourself and your family.

Top 10 Online Safety Tips

  1. Enable Two-Factor Authentication – Passwords alone cannot protect your online accounts.  Criminals can easily guess or steal passwords to get into your email, social media, or banking sites.  Two-factor authentication (2FA), sometimes called “multi-factor authentication (MFA)”, is an extra layer of security that uses a second item to confirm your identity.  This second item may be your phone, fingerprint, or a device plugged into your computer.  For example, in addition to your password, a website may send a code to your phone that you need to type in.  A criminal would now need to steal your password and gain access to your phone in order to get into your account.  Here is a large list of online services with their instructions on how to enable two-factor authentication: https://2fa.directory/
  2. Freeze Your Credit – If your personal information is stolen, a criminal may try to open credit cards or obtain a loan in your name.  By freezing your credit, access to your credit report will be restricted, which will limit the ability for new loans or credit cards to be opened.  Your credit can be unfrozen any time you need to have your credit pulled.  Freezing your credit is free, and to do this you will need to contact each of the three credit bureaus: Equifax, Experian, and TransUnion.  There are many third-party services that will offer to do this for you, but do not use these third-party services.  This government website will direct you to each of the three credit bureaus to help set up credit freezes and fraud alerts: https://www.identitytheft.gov/#/CreditBureauContacts
  3. Keep Devices Updated – Your phones, tablets, laptops, and desktops all need to get updated regularly to receive the latest protection.  Set your devices and apps to update automatically to receive the latest security patches.
  4. Backup Important Files – It is crucial to back up your important files on your devices.  In the case your device is stolen, damaged, or infected with ransomware, you will need a way to get your important files back.  There are many services that can help you back up your information such as iCloud on Mac devices, OneDrive on Windows, Google Drive on Android, Dropbox, etc.  You can even back up to a USB drive and store it somewhere safe.  It is a good idea to have at least one backup that is not always connected to your computer so if your computer gets infected with malware (ex. ransomware), it cannot affect your backup.
  5. Limit Posting Personal Info – Anything that you post online can be used by criminals to get access to your accounts, physical property, or even get access to you.  If your banking account is protected by secret questions such as “What was the name of your first pet?”, criminals may read your social media posts to find that information.  If you post online that you’re going on vacation, criminals know that no one is at your house.  It is important to also speak to kids about speaking to strangers online or posting information that could endanger their safety.  You can also make some of your online accounts private if you don’t need many people to see the information.
  6. Use a Password Manager – Passwords can be difficult to remember, especially if you need to make complex passwords and if you have many accounts.  People tend to use the same or similar password across all of their accounts to make things easy.  Unfortunately, criminals know this, and if they get into one of your accounts, they can get into all of your accounts if they have the same password or use a similar pattern.  Password managers should be used to create long random passwords for all of your accounts.  All you need to do is remember one password – the master password to your password manager.  Your master password/passphrase should be long, like a phrase or sentence that is personal to you, so it is not easy to guess.  A couple of examples of password managers include Apple’s iCloud Keychain and 1Password.  Remember to enable 2-factor authentication on your password manager!
  7. Email Cautions – Criminals know they can reach you via email so this is how many attacks start.  They will try to send you phishing emails to entice you to click on a link and enter your password.  They may try to send malicious attachments or links to infect your device.  Even if you recognize the sender, if you’re suspicious about any email, delete it.  If you know the sender, you can always call them to see if they really sent the message.  When in doubt, throw it out.
  8. Public Wi-Fi Cautions – Wireless internet access in public places like airports and coffee shops is convenient, but can be unsafe.  These connections may be unencrypted, or criminals may be using them to attack your device.  If possible, try using your mobile phone’s cellular connection as a hotspot instead.  If you must use public Wi-Fi (wireless), use it with a VPN.
  9. Encrypt Your Devices – Devices get lost or stolen.  When your laptop goes missing, others can access your files if the device is not encrypted… even if you have a password on your computer.  Encrypting your computer is free and easy.  Macs have FileVault and PCs have BitLocker, which are both included with your computer (PCs may need a pro version of their operating system).  Your mobile phones should have their own built-in solutions to encrypt the device.
  10. Antivirus / Antimalware – Both Macs and PCs get infected by malware, so it is crucial that you install endpoint protection on these devices.

If you take care of these 10 items, you will be in very good shape to protect yourself and your information.  Spread the word by helping your family and friends to do the same.  Secure The Planet!

Updated on August 30th, 2023: Added additional information on password managers.

Facebook (Meta) Healthcare and Tax Payer Breaches

Over the past year, news outlets have been buzzing about Facebook, now called “Meta”, collecting vast amounts of data from healthcare organizations and tax return companies.  Some of these companies are announcing breaches as a result of this data collection.

Why are Companies Sending Sensitive Data to Facebook?

Let’s be clear – companies are not trying to send their sensitive information to Facebook.  Companies are NOT going to Facebook.com and uploading their customer information.  Instead, Facebook is collecting this information via web tracker software that it offers to companies for free to monitor website visitor behavior.  Companies invest a lot of resources in their websites to ensure their customers get the best value and can easily navigate their offerings.  In order to see how customers interact with their websites, companies install web trackers to monitor button clicks, visitor statistics, navigation errors, and more.  Most websites have a method of logging user behavior using trackers that are generally hidden from the website visitor.  A couple of the many website trackers include Facebook’s Meta Pixel and Google Analytics.  Companies use them to track basic website visitor information, and often they do not realize that Facebook may be collecting sensitive information.

What is Meta Pixel?

Meta Pixel is Facebook’s web tracker software.  Facebook’s Meta Pixel is popular, easy to use, and it’s free.  Any company can download the code, install it on their website, and instantly see information about website visitors.  Companies can log into a dashboard showing daily website visitor statistics.

Is a Vulnerability in the Meta Pixel Software Causing the “Breach”?

There is no known vulnerability in the Meta Pixel software that is causing the breaches.  Instead, companies are announcing breaches because Facebook is not supposed to receive sensitive information.  Since Meta Pixel is collecting more information than intended, and Facebook was not authorized to have access to this information, companies are listing it as a breach or a privacy violation.

What Companies are Affected?

The Markup news outlet wrote an investigative report about a number of hospitals that had the Meta Pixel code on their websites and their password-protected patient portals (Feathers, Fondrie-Teitler, Waller, & Mattu, 2022).  Some of the affected hospitals immediately removed the Meta Pixel software when they realized that it could collect more information than intended.  The Markup released another report showing how tax filing websites were sending sensitive taxpayer information to Facebook via the same Meta Pixel software (Fondrie-Teitler, Waller, & Lecher, 2022).  While the healthcare and financial industries are in the news for these issues, the website tracker breaches surely affect many industries, as the Facebook Meta Pixel code is installed on millions of websites.

How is Meta using the Data?

It is unclear how Meta is using the collected data.  Facebook itself may not know what it does with this data according to a Vice report based on a leaked internal Facebook memo (Franceschi-Bicchierai, 2022).  In the leaked memo, a Facebook engineer stated “We do not have an adequate level of control and explainability [sic] over how our systems use data”.

Number of Individuals Affected

According to the 2023 Velocity Healthcare Breach Report, in the healthcare industry alone, over 6,000,000 medical records were affected in 2022.  The affected tax filing companies have millions of customers.  The number of affected individuals is most likely much higher and continues to grow as more companies announce that they had the Meta Pixel software on their websites.

What Can Companies do to Prevent this in the Future?

Companies should thoroughly investigate all web trackers to determine how data is utilized before placing the code in production environments.  Many companies have methods to perform security evaluations on new third parties as they go through the procurement process, but this scrutiny is not usually applied to free software such as Meta Pixel or Google Analytics.  Companies should ensure that any code changes go through a Software Development Lifecycle (SDLC) that includes a security analysis.
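To make the "investigate all web trackers before production" step concrete, here is an added example (not Stern Security's, Velocity's, or Meta's code) that inventories the third-party scripts in a page's HTML, flags the well-known Meta Pixel and Google Analytics script hosts, and marks pages that both load a tracker and collect user input through a form.  The sample HTML, the first-party hostname, and the pixel and GA ids are constructed placeholders.

```javascript
// Added review helper, not Stern Security's or Meta's code: inventory the
// third-party scripts in a page's HTML and flag known web trackers before
// the page reaches production. Sample HTML and ids below are constructed.

// Well-known script hosts for the trackers named in the article.
const KNOWN_TRACKERS = {
  "connect.facebook.net": "Meta Pixel",
  "www.googletagmanager.com": "Google Tag Manager / GA4",
  "www.google-analytics.com": "Google Analytics",
};

// Matches src="..." on <script> tags. Good enough for a review script,
// not a full HTML parser.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

// The standard Meta Pixel snippet is inline and calls fbq('init', '<id>'),
// so the pixel does not always show up as an external <script src>.
const FBQ_INIT_RE = /fbq\(\s*['"]init['"]\s*,\s*['"]([^'"]+)['"]/g;

function findThirdPartyScripts(html, firstPartyHost) {
  const found = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    let url;
    try {
      url = new URL(m[1], `https://${firstPartyHost}/`);
    } catch {
      continue; // malformed src attribute; nothing to resolve
    }
    if (url.hostname === firstPartyHost) continue; // first-party asset
    found.push({ host: url.hostname, tracker: KNOWN_TRACKERS[url.hostname] || null });
  }
  return found;
}

function findPixelInits(html) {
  return [...html.matchAll(FBQ_INIT_RE)].map((m) => m[1]);
}

// A page that both loads a tracker and collects user input is where the
// over-collection described in the article can happen, so flag it for review.
function reviewPage(html, firstPartyHost) {
  const scripts = findThirdPartyScripts(html, firstPartyHost);
  const pixelIds = findPixelInits(html);
  const trackers = scripts.filter((s) => s.tracker).map((s) => s.tracker);
  if (pixelIds.length > 0 && !trackers.includes("Meta Pixel")) {
    trackers.push("Meta Pixel");
  }
  const hasForm = /<form\b/i.test(html);
  return {
    thirdPartyHosts: [...new Set(scripts.map((s) => s.host))],
    trackers,
    pixelIds,
    hasForm,
    needsReview: trackers.length > 0 && hasForm,
  };
}

// Constructed sample: a patient-portal style page carrying a GA tag, the
// inline Meta Pixel loader, a first-party script, and an intake form.
const SAMPLE_HTML = `
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  !function(f,b,e,v,n,t,s){/* pixel loader omitted */}(window,document,'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', 'PIXEL_ID_PLACEHOLDER');
  fbq('track', 'PageView');
</script>
<script src="/static/app.js"></script>
</head><body>
<form action="/appointments" method="post"><input name="condition"></form>
</body></html>`;

console.log(JSON.stringify(reviewPage(SAMPLE_HTML, "portal.example.org"), null, 2));
```

Running it against a real page export lists every non-first-party script host, so anything not on the approved vendor list can be sent through the same third-party review as a paid product.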

How can Stern Security Help?

Our cybersecurity services team has extensive experience analyzing web trackers and the data that they send outside a customer environment.  Additionally, Stern Security’s Velocity application can be used to get your third-party risk management program in order and evaluate vendor solutions for cybersecurity and privacy problems.

Works Cited

Feathers, T., Fondrie-Teitler, S., Waller, A., & Mattu, S. (2022, July 19). Facebook Is Receiving Sensitive Medical Information from Hospital Websites. Retrieved from The Markup: https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites

Fondrie-Teitler, S., Waller, A., & Lecher, C. (2022, November 28). Tax Filing Websites Have Been Sending Users’ Financial Information to Facebook. Retrieved from The Markup: https://themarkup.org/pixel-hunt/2022/11/22/tax-filing-websites-have-been-sending-users-financial-information-to-facebook

Franceschi-Bicchierai, L. (2022, April 26). Facebook Doesn’t Know What It Does With Your Data, Or Where It Goes: Leaked Document. Retrieved from Vice: https://www.vice.com/en/article/akvmke/facebook-doesnt-know-what-it-does-with-your-data-or-where-it-goes