Automate SOC 2 Report Reviews


System and Organization Control (SOC) report reviews are a common part of the third-party due diligence function.  These reports can be lengthy, contain elements that you really need to understand and agree to, different reviewers may produce different results, and one must understand how to properly review them.  It is not sufficient to only search for exceptions noted in the report.  Your team members have better things to do than read through SOC 2 reports all day.  So, how can you automate SOC 2 report reviews?  Velocity automates this for you!

Details

Velocity automates all the items necessary to properly review a SOC 2 report including, but not limited to, exceptions, management responses, trust criteria, ensuring the vendor and product match the expected solution, and more.  The platform also extracts the “Complementary User Entity Controls” or CUECs and creates an “Acceptance” column so customers can formally agree to each control that they are responsible for.  Velocity creates an executive report that customers can read instead of having to read a lengthy SOC 2 report.  Customers can include details in the report such as listing the type of data that the vendor has access to.

Benefits

  1. Speed – Velocity will give you time back in your day by automating the SOC 2 report review process.
  2. Consistency – A company may have multiple employees that analyze a SOC 2 report differently.  Velocity’s automation gives consistent results every time.
  3. Accuracy – An employee may miss something when reviewing a SOC 2 report.  Missed details can be costly for a company as this is the process used to identify risks within a third-party.  Velocity is not only fast and consistent, but also accurate with the reviews.  Velocity knows how to properly review a SOC report as it was built by practitioners.
  4. Documenting Third-Party Due Diligence – Collecting a SOC 2 report is not enough.  Companies need to document that they reviewed the SOC 2 report and Velocity provides a simple way to do that.

Full Assessment

Even after leveraging the automation within Velocity to review the vendor SOC 2 report, customers can still launch a full assessment on the vendor.  For example, let’s say a customer receives a vendor SOC 2 report and uploads it into Velocity.  The executive report that Velocity generates may contain concerning information about the vendor’s security posture.  The customer can then choose to launch a full Velocity assessment on the vendor to fully address the concerns and determine when the vendor will resolve the issues.

Conclusion

There is limited time in the day and Velocity is your go-to platform for automating SOC 2 reviews.  Velocity has the benefits of speed, consistency, accuracy, and provides a way for customers to document their third-party review process.

SOC It to Me: How to Properly Review a SOC Report


System and Organization Control (SOC) reports have quickly become a standard request for SaaS application providers in order for customers to perform a security due diligence review.  So, are all SOC reports the same?  No!  Should you read the SOC report?  Absolutely!  How should you properly review a SOC report?  Read on 🙂

Background

SOC audits are only performed by a Certified Public Accountant (CPA) firm in accordance with the American Institute of Certified Public Accountants (AICPA) guidelines.  The point of the examination is to measure the effectiveness of an organization’s controls and safeguards by an independent third party.

SOC Report Types

There are several types of SOC Reports as seen in the table below.  The most often requested is the SOC 2 Type II as it covers a range of trust criteria and is an examination of controls over a period of time.

Type | Time Period | Details
--- | --- | ---
SOC 1 Type I | Point-in-time examination | Examines internal controls for financial reporting.
SOC 1 Type II | Examination over a period of time | Examines internal controls for financial reporting.
SOC 2 Type I | Point-in-time examination | Examines internal controls for compliance. Covers some or all of the following trust criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
SOC 2 Type II | Examination over a period of time | Examines internal controls for compliance. Covers some or all of the following trust criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
SOC 3 | | Public-facing report that is much less detailed and is used for marketing or public distribution.  Less detailed version of a SOC 2 Type II.

Reviewing the SOC 2 Report

While all SOC reports generally have the same format, they vary in thoroughness depending on the auditing firm.  Additionally, these examinations are not pass/fail and should be reviewed to fully understand the controls in place within an organization.  The examinations cover controls that are in place for the trust criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) that the audited organization chooses to be examined on.  The auditor chooses a list of controls within audit categories to include in the examination.  SOC reports can be over 100 pages long; the following are some areas that a reviewer should focus on.

Company and Scope

It may sound obvious, but a reviewer must ensure that the SOC 2 Type II report is for the solution’s company and solution.  There are many times where Software as a Service (SaaS) companies give customers a SOC report for a cloud hosting provider (ex. AWS or Azure) because that’s where the solution is hosted.  Unfortunately, the hosting provider SOC reports do not cover these SaaS solutions.  Instead, the SaaS solutions should have their own SOC reports.

SOC Report Type

As explained above, there are different types of SOC reports.  The SOC 2 Type II is the strongest and is frequently requested. 

Trust Criteria

Companies select which trust criteria they want the examination to cover.  The options are the following: Security, Availability, Processing Integrity, Confidentiality, and Privacy.  Most examinations include at least the Security trust criteria.  It is important that the reviewer knows which trust criteria are included and whether the auditor states that each trust criterion is met.

Audit Period

SOC 2 Type II reports are examinations of controls over a specific audit period.  A reviewer should ensure that the audit period is recent.

Complementary User Entity Controls (CUECs)

SOC reports have a section titled “Complementary User Entity Controls” or CUECs.  These are controls that the company states that the customer is responsible for.  It is incredibly important that the customer understands what responsibilities the solution provider is putting back on them.

Audit Exceptions & Manager’s Response

While the audit is not pass/fail, the auditor does state whether certain controls were not present.  These are usually listed as “exceptions” in a large table of controls that were reviewed during the examination.  If there are any exceptions, the company can provide their explanation in a “Manager’s Response” section at the end of the report.  For example, if an audit discovers that an employee’s access was not terminated immediately after dismissal, the company can respond by saying they now have procedures in place to immediately disable access upon any termination.

Audit Detail

Every audit firm is different, and some may perform more comprehensive audits than others.  While it can be tough to determine the strength of an audit, a reviewer should read the entire report to understand the level of scrutiny that was performed.  For example, a reviewer could see if the auditor reviewed penetration testing reports and see any details that the auditor provided around that control.  A company can obtain a SOC report without having great security in place.  The auditors should have the expert knowledge to conduct the examination per the specified trust criteria, but unfortunately this is not always the case.
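The review areas above (company and scope, report type, trust criteria, audit period, CUECs, and exceptions with their management responses) can be encoded as a checklist that produces the same result no matter who runs it. The following is an added example written for this page, not Velocity’s code. It assumes the report fields have already been pulled out of the PDF by a step not shown here; the field names, the control ID "CC6.2-03", and the sample vendor are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

TRUST_CRITERIA = {"Security", "Availability", "Processing Integrity",
                  "Confidentiality", "Privacy"}


@dataclass
class SocReport:
    """Fields a reviewer extracts from the report (names are assumptions)."""
    service_org: str            # company named on the report
    system: str                 # solution described in the scope section
    report_type: str            # e.g. "SOC 2 Type II"
    criteria: set               # trust criteria the auditor examined
    period_end: date            # last day of the audit period
    exceptions: list            # control IDs with noted exceptions
    management_responses: dict  # control ID -> response text
    cuecs: list                 # Complementary User Entity Controls


@dataclass
class Finding:
    severity: str   # "fail" blocks acceptance, "warn" needs a human decision
    area: str
    detail: str


def review_soc2(report, expected_vendor, expected_solution, today, max_age_days=365):
    """Run the checklist; returns findings plus a CUEC acceptance sheet."""
    findings = []
    # Company and scope: the report must be for the vendor and the product
    # being bought, not for the cloud host the product happens to run on.
    if expected_vendor.lower() not in report.service_org.lower():
        findings.append(Finding("fail", "scope",
            f"report is for {report.service_org!r}, expected {expected_vendor!r}"))
    if expected_solution.lower() not in report.system.lower():
        findings.append(Finding("fail", "scope",
            f"system in scope is {report.system!r}, expected {expected_solution!r}"))
    # Report type: Type II covers a period; anything else deserves a closer look.
    if report.report_type != "SOC 2 Type II":
        findings.append(Finding("warn", "type",
            f"{report.report_type} received; SOC 2 Type II is the strongest"))
    # Trust criteria: know exactly what was examined; Security is the usual minimum.
    unknown = report.criteria - TRUST_CRITERIA
    if unknown:
        findings.append(Finding("warn", "criteria", f"unrecognised criteria {sorted(unknown)}"))
    if "Security" not in report.criteria:
        findings.append(Finding("fail", "criteria", "Security trust criteria not examined"))
    # Audit period: the examination should be recent.
    age = (today - report.period_end).days
    if age > max_age_days:
        findings.append(Finding("fail", "period", f"audit period ended {age} days ago"))
    # Exceptions: each needs a management response a human can weigh.
    for ctl in report.exceptions:
        resp = report.management_responses.get(ctl)
        findings.append(Finding("warn" if resp else "fail", "exception",
                                f"{ctl}: {resp or 'no management response'}"))
    # CUECs: every control pushed back on the customer needs an explicit decision.
    acceptance = {c: None for c in report.cuecs}
    return findings, acceptance


def accepted(findings, acceptance):
    """The report is accepted when nothing failed and every CUEC was decided."""
    return (not any(f.severity == "fail" for f in findings)
            and all(v is not None for v in acceptance.values()))


def sample_report():
    """Constructed sample input, not taken from any real report."""
    return SocReport(
        service_org="Acme SaaS, Inc.", system="Acme Analytics Platform",
        report_type="SOC 2 Type II", criteria={"Security", "Availability"},
        period_end=date(2023, 9, 30), exceptions=["CC6.2-03"],
        management_responses={"CC6.2-03": "Offboarding checklist now disables access the same day."},
        cuecs=["Customer enables MFA for all users", "Customer reviews user access quarterly"],
    )


if __name__ == "__main__":
    findings, sheet = review_soc2(sample_report(), "Acme SaaS", "Acme Analytics", date(2024, 3, 1))
    for f in findings:
        print(f.severity, f.area, f.detail)
    for cuec in sheet:
        sheet[cuec] = True   # the reviewer formally accepts each control
    print("accepted:", accepted(findings, sheet))
```

The acceptance sheet is what turns “we collected the report” into “we reviewed and agreed to it”: the function refuses to accept while any CUEC is still undecided, and a hosting-provider report handed over in place of the vendor’s own fails the scope check outright.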

How Can I Automate the Review of a SOC Report?

We get it, you’re busy and often do not have time to thoroughly review a SOC report.  While security professionals are often the individuals responsible for reviewing these reports, this process is not what they were trained for, nor should they have to prioritize these reviews over more pressing cybersecurity tasks.  Thankfully there is a solution for this.  Stern Security’s Velocity product has automated this entire SOC review process.  Instead of spending an hour reviewing the 100+ page report, Velocity analyzes it for you, outputs a summary, and highlights any areas of concern.  This is why Velocity is often called “A CISO’s Best Friend”.  Velocity helps security professionals utilize their time much more efficiently.  Sign up for Velocity and start automating these SOC report reviews today.

Conclusion

All SOC reports are different, and each should be thoroughly reviewed to understand coverage, compliance, and areas of concern.  Companies can obtain a SOC report without having great security in place.  Velocity can automate the SOC report review process in order to make teams more efficient and effective.

Red Team vs Blue Team vs Purple Team Cybersecurity Roles


A well-run cybersecurity team operates like a beautiful orchestra, each individual knowing their part and contributing to the same goal.  A cybersecurity team may consist of team members wearing numerous hats ranging from management, to defensive, and offensive security.  The offensive team members will attack their own organization to find vulnerabilities so the other teams can resolve the issues.  The defenders will deploy security software and hardware to shield the organization from attack.  Cybersecurity professionals have given color codes to roles within the security orchestra including “Red Team”, “Blue Team”, and “Purple Team”. So what is the difference between a Red Team, a Blue Team, and a Purple Team in cybersecurity?  At a high level, the Red Team focuses on offensive security (attacking), the Blue Team works on defending the organization, and the Purple Team is a collaborative effort between the Red Team and Blue Team.

Red Team Details

The Red Team performs the offensive security functions within the organization.  In other words, the Red Team mimics the Tactics, Techniques, and Procedures (TTPs) of real attackers to discover vulnerabilities, exploit them, and gain access to data.  The Red Team is comprised of penetration testers (ethical hackers).  The Red Team will provide the organization with reports of the discovered vulnerabilities.  Members of the Red Team often have cybersecurity certifications geared towards penetration testing.  Some of the common certifications for Red Teamers include:

  • OSCP (Offensive Security Certified Professional)
  • GPEN (SANS GIAC Penetration Tester)
  • PenTest+ (from CompTIA)
  • GXPN (GIAC Exploit Researcher and Advanced Penetration Tester)
  • Offensive Security Wireless Professional (OSWP)
  • Burp Suite Certified Practitioner (BSCP)

Blue Team Details

The Blue Team performs the defensive security measures within the organization.  They utilize tools and strategies such as SIEMs (Security Information and Event Management systems), IPS/IDS (Intrusion Prevention System / Intrusion Detection System), firewalls, NAC (Network Access Control), endpoint protection, file permission restrictions, DLP (Data Loss Prevention), email protection, security awareness training, and more.  Blue Team members have a wide range of knowledge in order to defend the organization from attack.

Some common certifications on the Blue Team side include, but are not limited to:

  • CompTIA Security+
  • GIAC Certified Incident Handler Certification (GCIH)
  • GIAC Security Essentials (GSEC)
  • Certified Cloud Security Professional (CCSP)
  • Certified SOC Analyst (CSA)
  • Certified Threat Intelligence Analyst (CTIA)
  • Certified Cyber Forensics Professional (CCFP)
  • CompTIA Cybersecurity Analyst (CySA+)
  • Systems Security Certified Practitioner (SSCP)
  • Certified Information Systems Security Professional (CISSP)
  • Various product-specific certifications

Purple Team Details

The Purple Team is generally a collaborative effort between the Blue Team and the Red Team.  The Red Team may walk through various stages of an attack using a framework such as MITRE ATT&CK.  At the same time, the Blue Team will see which attacks are discovered or blocked and make changes as appropriate.  This collaborative effort between teams helps streamline improvements to the security posture.  Another positive outcome from the teams working together is that instead of feeling bad when an attack succeeds or fails, both teams are learning from each other and understand that they are working towards the same goal.

How Can Stern Security Help?

Stern Security has extensive experience working with organizations on Purple Team engagements.  The company emulates known threat actors using their Tactics, Techniques, and Procedures (TTPs) to work through the various stages of an attack as charted within the MITRE ATT&CK Framework.  Stern Security works with an organization’s Blue Team to see which attacks are discovered, which are blocked, and which bypass defenses.  Our team also helps Blue Teams design defenses to block similar attacks in the future.  To top it off, Stern Security gives the Blue Team kudos for all mitigated attacks.  Expert penetration testing is one of our most popular service offerings.  Stern Security’s Velocity application can be used to perform internal risk assessments, identify gaps, and view actionable recommendations to improve security.

Conclusion

Within a cybersecurity team, Blue Teams are defensive, Red Teams are offensive, and Purple Teams are a collaborative effort between the Blue and Red Teams.  Individuals within these groups may have different skillsets and certifications, but they are all working towards reducing risk within the organization.

Top Tips to Stay Safe Online


Background

Technology has dramatically changed almost all aspects of human life, giving us amazing communication ability, a healthcare revolution, financial opportunities, and safe energy, all growing at exponential rates. These benefits become risks if the technology is not made secure. At Stern Security, our mission is to secure the planet, business by business, industry by industry. Everyone can play a part and make a difference. You can start today by educating your loved ones about securing their data and identities. Businesses have a critical role to play and can join us in this battle to safeguard the planet. Review the top 10 online safety tips below to protect yourself and your family.

Top 10 Online Safety Tips

  1. Enable Two-Factor Authentication – Passwords alone cannot protect your online accounts.  Criminals can easily guess or steal passwords to get into your email, social media, or banking sites.  Two-factor authentication (2FA), sometimes called “multi-factor authentication (MFA)”, is an extra layer of security that uses a second item to confirm your identity.  This second item may be your phone, fingerprint, or a device plugged into your computer.  For example, in addition to your password, a website may send a code to your phone that you need to type in.  A criminal would now need to steal your password and gain access to your phone in order to get into your account.  Here is a large list of online services with their instructions on how to enable two-factor authentication: https://2fa.directory/
  2. Freeze Your Credit – If your personal information is stolen, a criminal may try to open credit cards or obtain a loan in your name.  By freezing your credit, access to your credit report will be restricted, which will limit the ability for new loans or credit cards to be opened.  Your credit can be unfrozen any time you need to get your credit pulled.  Freezing your credit is free; to do this you will need to contact each of the three credit bureaus: Equifax, Experian, and TransUnion.  There are many third-party services that will offer to do this for you, but do not use these third-party services.  This government website will direct you to each of the three credit bureaus to help set up credit freezes and fraud alerts: https://www.identitytheft.gov/#/CreditBureauContacts
  3. Keep Devices Updated – Your phones, tablets, laptops, and desktops all need to get updated regularly to receive the latest protection.  Set your devices and apps to update automatically to receive the latest security patches. 
  4. Backup Important Files – It is crucial to back up your important files on your devices.  In the case your device is stolen, damaged, or infected with ransomware, you will need a way to get your important files back.  There are many services that can help you back up your information such as iCloud on Mac devices, OneDrive on Windows, Google Drive on Android, Dropbox, etc.  You can even back up to a USB drive and store it somewhere safe.  It is a good idea to have at least one backup that is not always connected to your computer so if your computer gets infected with malware (ex. ransomware), it cannot affect your backup.
  5. Limit Posting Personal Info – Anything that you post online can be used by criminals to get access to your accounts, physical property, or even get access to you.  If your banking account is protected by secret questions such as “What was the name of your first pet?”, criminals may read your social media posts to find that information.  If you post online that you’re going on vacation, criminals know that no one is at your house.  It is important to also speak to kids about speaking to strangers online or posting information that could endanger their safety.  You can also make some of your online accounts private if you don’t need many people to see the information.
  6. Use a Password Manager – Passwords can be difficult to remember especially if you need to make complex passwords and if you have many accounts.  People tend to use the same or similar password across all of their accounts to make things easy.  Unfortunately, criminals know this and if they get into one of your accounts, they can get into all of your accounts if they have the same password or use a similar pattern.  Password Managers should be used to create long random passwords for all of your accounts.  All you need to do is remember one password – the master password to your password manager.  Your master password/passphrase should be long, like a phrase or sentence that is personal to you, so it is not easy to guess.  A couple examples of password managers include Apple’s iCloud Keychain and 1Password. Remember to enable 2-factor authentication on your password manager!
  7. Email Cautions – Criminals know they can reach you via email so this is how many attacks start.  They will try to send you phishing emails to entice you to click on a link and enter your password.  They may try to send malicious attachments or links to infect your device.  Even if you recognize the sender, if you’re suspicious about any email, delete it.  If you know the sender, you can always call them to see if they really sent the message.  When in doubt, throw it out.
  8. Public Wi-Fi Cautions – Wireless internet access in public places like airports and coffee shops is convenient, but can be unsafe. These connections may be unencrypted or criminals may be using them to attack your device.  If possible, try using your mobile phone’s cellular connection as a hotspot instead.  If you must use public Wi-Fi (wireless), use with a VPN.
  9. Encrypt Your Devices – Devices get lost or stolen.  When your laptop goes missing, others can access your files if the device is not encrypted… even if you have a password on your computer.  Encrypting your computer is free and easy.  Macs have FileVault and PCs have BitLocker, which are both included with your computer (PCs may need a pro version of their operating system).  Your mobile phones should have their own built-in solutions to encrypt the device.
  10. Antivirus / Antimalware – Both Macs and PCs get infected by malware, so it is crucial that you install endpoint protection on these devices.

If you take care of these 10 items, you will be in very good shape to protect yourself and your information.  Spread the word by helping your family and friends to do the same.  Secure The Planet!

Updated on August 30th, 2023: Added additional information on password managers.

What is Two-Factor Authentication


At Stern Security, we have declared February 2nd as Two-Factor Authentication Day!  The date is 2/2 so naturally it’s the best day for this holiday.  This is a day to spread awareness about 2-factor authentication which is one of the most important ways to protect your online accounts at home and at work.  Using a password alone is not enough – you need two-factor authentication.

Forms of Two-Factor Authentication

Have you ever logged into a banking site on your computer by typing in your username and password and the site sends a text/SMS message to your phone to confirm your identity?  That is two-factor authentication!  It is using two different forms of authentication to confirm your identity.

There are three forms or “factors” of authentication:

  1. Something you know: Password, Passphrase, PIN, Secret Questions, etc…
  2. Something you have: Badge, Hard Token (ex. Yubikey), Phone, etc…
  3. Something you are: A physical trait such as a fingerprint, retinal scan, FaceID, etc…

Two-factor authentication uses two different factors to authenticate an individual.  In our banking example, using the password was the first factor (something you KNOW), and the second factor was the text message to the phone (something you HAVE).  This is much more secure than just the password alone because that can be stolen or guessed.

Are there other names for Two-Factor Authentication?

Two-Factor Authentication goes by many names and abbreviations.  Some of the other names include: Multi-Factor Authentication (MFA), 2-Factor Authentication (2FA), and Two-Step Verification.  Yes, there are some slight differences between Two-Step Verification and Two-Factor Authentication, but we’ll cover that in a separate article.

Why Do We Need Two-Factor Authentication?

A password alone will not protect your account.  Your password could be guessed or intercepted.  Additionally, companies get hacked frequently and some of your passwords are probably publicly available.  Sites like Have I Been Pwned track compromised accounts in over 600 sites and allow you to look up if your account was in one of those known breaches.  If a site is hacked, it may not matter if your password was strong if the site was not storing the password properly.  However, many people do not choose passwords wisely and tend to pick passwords that are easy to remember like Password123!, P@ssw0rd, or Winter2022.  In our penetration testing engagements, we often get into accounts because of these weak passwords.  If you are only relying on a password to protect your account, you are putting your account at great risk.

What is NOT Two-Factor Authentication?

Sites that ask for a password and follow up with secret questions (ex. What is your dog’s name) are not using 2-factor authentication.  Both password and secret questions are “Something you Know” so this is using one factor twice.
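To make the factor rule concrete (the three factors listed above, and why password plus secret questions is one factor used twice), here is an added example written for this page; it is not Stern Security’s code. It models the banking exchange described earlier: the server checks the password (something you KNOW) and only then issues a one-time code to the enrolled phone (something you HAVE). The `LoginService` class, its method names, and the user and phone number are constructed for illustration; no real SMS is sent, the code is placed in an `outbox` list instead.

```python
import hashlib
import hmac
import os
import secrets
import time

# Which factor each method proves. Two methods from the same factor are
# one factor used twice, not two-factor authentication.
FACTOR_OF = {
    "password": "know", "passphrase": "know", "pin": "know", "secret_question": "know",
    "sms_code": "have", "hardware_token": "have", "badge": "have",
    "fingerprint": "are", "face_id": "are", "retina": "are",
}


def factors_used(methods):
    return {FACTOR_OF[m] for m in methods}


def is_two_factor(methods):
    """True only when at least two distinct factors are involved."""
    return len(factors_used(methods)) >= 2


class LoginService:
    """Toy server side of the banking example (constructed for this page)."""
    CODE_TTL = 300        # seconds a delivered code stays valid
    MAX_ATTEMPTS = 5      # wrong guesses before the pending code is discarded

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}   # name -> (salt, pbkdf2 hash, phone)
        self.pending = {}  # name -> [code, expires_at, attempts_left]
        self.outbox = []   # (phone, code) pairs that would have been texted

    def register(self, name, password, phone):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self.users[name] = (salt, digest, phone)

    def start_login(self, name, password):
        """Factor 1, something you KNOW. On success, send factor 2 to the phone."""
        if name not in self.users:
            return False
        salt, digest, phone = self.users[name]
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        if not hmac.compare_digest(attempt, digest):
            return False
        code = f"{secrets.randbelow(10**6):06d}"   # six-digit one-time code
        self.pending[name] = [code, self.clock() + self.CODE_TTL, self.MAX_ATTEMPTS]
        self.outbox.append((phone, code))
        return True

    def finish_login(self, name, code):
        """Factor 2, something you HAVE: only the phone received this code."""
        entry = self.pending.get(name)
        if entry is None:
            return False
        expected, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            del self.pending[name]
            return False
        if hmac.compare_digest(expected, code):
            del self.pending[name]   # single use: a replayed code must fail
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:            # stop online guessing of the six digits
            del self.pending[name]
        return False


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple", "+1 555 0100")  # constructed
    print("password ok:", svc.start_login("alice", "correct horse battery staple"))
    phone, code = svc.outbox[-1]
    print("code delivered to", phone, "->", svc.finish_login("alice", code))
    print("password + secret question is 2FA?", is_two_factor(["password", "secret_question"]))
```

Two details are worth noticing: a stolen password alone only gets an attacker as far as `start_login`, which just triggers a code to the legitimate user’s phone, and the code is single use with a short lifetime and a guess limit, so it cannot be replayed or brute-forced online.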

Where Should I Enable Two-Factor Authentication?

You should enable two-factor authentication on any account that supports it.  This includes email (ex. Gmail, Outlook, Yahoo, Apple), social media accounts (ex. Twitter, LinkedIn, Facebook, Instagram), password managers (ex. 1Password, LastPass), gaming sites (ex. Epic, Blizzard) and banking sites.  Most modern applications should support some form of two-factor authentication.  To get an idea of many sites that support two-factor authentication, please look at the 2FA Directory.

Conclusion

Today, 2/2 is 2-factor authentication day so please ensure that you have 2-factor authentication enabled on all of your online accounts!  Spread the word to your family, friends, and co-workers.  As always, if you want to ensure your organization has all of the necessary security controls in place, including 2-factor authentication, you can use our Velocity application today.  Happy 2FA Day!

Authenticated vs Unauthenticated Vulnerability Scanning


Introduction

Not all vulnerability scans are created equal. The configuration of a vulnerability scan makes an enormous impact on your results. Authenticated vulnerability scans will provide much greater insight into an organization’s security posture than unauthenticated scans. However, there is a place for unauthenticated vulnerability scans. This article discusses the differences between authenticated and unauthenticated vulnerability scans and when you should use each.

What are Vulnerability Scans?

Vulnerability scans are an automated process for searching devices for vulnerabilities. Vulnerability scanners are the applications or devices that perform the scans.

What are Authenticated Scans?

Authenticated scans are sometimes called “credentialed scans”. “Credentials” refers to a valid account for a system. So credentialed scans, or authenticated scans, are vulnerability scans that utilize valid accounts (username + password) to log into target systems.

Why Perform Authenticated Scans?

Imagine trying to determine if a house has a pest problem by only looking at the outside of the house. Sure, you may be able to see evidence of a pest problem, but you’ll definitely know there is a problem if you go inside. Unauthenticated scans are similar to the outside view only. Authenticated scans are similar to having the keys to the house and looking inside for problems. With an authenticated vulnerability scan, the vulnerability scanner logs into the device and performs detailed checks on the system patch level, permissions, installed applications, and more.

Scanning from Inside or Outside the Network

Scanning from the internet gives you a view of your publicly accessible devices.  It’s a good idea to scan from the outside to see what is available.  These external scans are often performed as unauthenticated scans to see how others see your devices from the internet.  However, it is still a good idea to scan these same devices from the inside as authenticated scans to get a more comprehensive view of the vulnerabilities on the system.  Additionally, internal resources should be scanned from the internal network as authenticated scans.

SNMP vs SSH Vulnerability Scans

When performing authenticated vulnerability scans on network devices or Linux systems, you often have the choice of utilizing SNMP (Simple Network Management Protocol) or SSH (Secure Shell).  Usually, SSH credentialed scans give you more comprehensive results, but it really comes down to the permissions that are given to the credentials that you are utilizing.

Should I Choose Authenticated or Unauthenticated Vulnerability Scans?

Authenticated vulnerability scans give you a more comprehensive view of the vulnerabilities within your environment.  If you have a choice, perform authenticated vulnerability scans.  If you are performing external scans, it is common to perform these as unauthenticated scans, but you should still scan these same devices from the inside of the network as authenticated scans.

What Account Should be Used for Authenticated Scanning?

You should use a dedicated account with escalated privileges.  This account should be limited to the vulnerability scanning process and should not have the ability to use VPN, RDP, or other tasks not associated with vulnerability scanning.  This dedicated account should have a long random password with at least 20 characters.   In penetration tests, our team has compromised vulnerability scanner accounts that had weak passwords and were not limited to the scanning process on the network.

How Often Should Vulnerability Scans be Performed?

The Center for Internet Security (CIS) Controls version 8 guide states that automated internal vulnerability scans should be performed on assets at least quarterly.  This guide also recommends that external scans be performed at least monthly.

Should I Also Scan Internal Vendor Devices?

All of your internal assets should be scanned unless they are known to have problems with scanning.  As part of your Third-Party Risk Management (TPRM) process, your organization should work with vendors to determine if their assets on your network can be scanned.  These vendor devices should be scanned before placing them in production and then on a regular basis thereafter.

Are there any Devices that Shouldn’t be Scanned?

Some devices that are known to crash with vulnerability scans include VoIP systems, printers, some medical devices, and certain SCADA (Supervisory Control and Data Acquisition) systems.  Always scan in a non-production environment if you’re not sure about the stability of the system, and consult with the vendor as necessary.  Systems that cannot be scanned should be segmented on the network.
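The cadence, vendor-device, and fragile-device rules from the last three sections can be turned into a small scan planner that tells you what is overdue, what must not be scanned yet, and where the compensating control (segmentation) is missing. This is an added example for this page, not code from any scanner product; the asset model, the `vendor_cleared` flag, and the inventory entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Cadence from the article: internal at least quarterly, external at least monthly.
CADENCE_DAYS = {"internal": 91, "external": 31}
# Device classes the article lists as known to crash under scanning.
FRAGILE_KINDS = {"voip", "printer", "medical", "scada"}


@dataclass
class Asset:
    name: str
    exposure: str                   # "internal" or "external"
    kind: str                       # "server", "voip", "printer", "medical", "scada", ...
    last_scan: Optional[date] = None
    last_scan_authenticated: bool = False
    segmented: bool = False         # isolated on the network from general traffic
    vendor_owned: bool = False      # third-party device living on your network
    vendor_cleared: bool = False    # vendor confirmed (via TPRM) it tolerates scanning


def plan_scans(assets, today):
    """Return (due, excluded, issues).

    due:      asset names whose last scan is older than the cadence allows
    excluded: (name, reason) pairs that must be left alone until cleared
    issues:   policy gaps, e.g. an unscannable device that is not segmented,
              or an asset that has only ever been scanned unauthenticated
    """
    due, excluded, issues = [], [], []
    for a in assets:
        if a.kind in FRAGILE_KINDS and not a.vendor_cleared:
            excluded.append((a.name, f"{a.kind} devices can crash under scans; confirm with vendor"))
            if not a.segmented:
                issues.append(f"{a.name}: cannot be scanned and is not segmented")
            continue
        if a.vendor_owned and not a.vendor_cleared:
            excluded.append((a.name, "vendor device: clear scanning through TPRM first"))
            continue
        limit = CADENCE_DAYS[a.exposure]
        if a.last_scan is None or (today - a.last_scan).days > limit:
            due.append(a.name)
        # An outside unauthenticated view is fine for external hosts, but the
        # same device still needs an authenticated scan from inside the network.
        if a.last_scan is not None and not a.last_scan_authenticated:
            issues.append(f"{a.name}: last scan was unauthenticated; scan from inside with credentials")
    return due, excluded, issues


def sample_inventory():
    """Constructed inventory, not a real network."""
    return [
        Asset("web01", "external", "server", date(2024, 4, 15)),
        Asset("db01", "internal", "server", date(2024, 4, 1), last_scan_authenticated=True),
        Asset("pbx", "internal", "voip"),
        Asset("hvac-plc", "internal", "scada", segmented=True),
        Asset("badge-srv", "internal", "server", vendor_owned=True),
    ]


if __name__ == "__main__":
    due, excluded, issues = plan_scans(sample_inventory(), date(2024, 6, 1))
    print("due now:", due)
    for name, why in excluded:
        print("excluded:", name, "-", why)
    for line in issues:
        print("issue:", line)
```

Run against the sample inventory on 2024-06-01, the planner flags `web01` as overdue (47 days since an external scan that should be monthly) and as lacking an authenticated inside scan, leaves `db01` alone (61 days, within the quarterly window), excludes the VoIP and SCADA devices and the vendor server, and raises the unsegmented VoIP system as a gap while the segmented SCADA device is not.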

Conclusion

You will most likely perform both authenticated and unauthenticated scanning in your vulnerability management program. Each scan type has different uses, but authenticated scanning provides a more comprehensive analysis of a system.