Penetration Testing Helps with Compliance for SOC 2, PCI, and HIPAA
Penetration testing – sometimes called white-hat hacking – is how companies manage risk, increase business continuity, and protect clients from data breaches. In highly regulated industries such as healthcare, banking, and outsourced service provision, it also helps companies stay compliant.
What is penetration testing?
Penetration testing, sometimes called pen testing, is a simulated cyber attack whose objective is to identify vulnerabilities that black-hat hackers could exploit. Pen testing generally involves five stages:
- Planning and reconnaissance – The pen tester agrees the scope and goals for the test and gathers intelligence on the target (domains, IP ranges, technologies, personnel).
- Scanning – The tester enumerates live hosts, open ports, and running services, and observes how the target responds to probes and intrusion attempts.
- Gaining access – The hack begins! The tester uses techniques such as cross-site scripting, SQL injection, or planting backdoors to see where he or she can break into the system.
- Maintaining access – How long can the white-hat hacker (the good guy) stay inside the system? Is it long enough to burrow deeper toward the data that black-hat hackers would be trying to steal?
- Analysis and reporting – The tester compiles a detailed report on the results: which vulnerabilities were exploited, what data was reached, and how long the activity went undetected.
Pen testing also tests incident response capabilities. Is your organization prepared to respond to an incident? It is best to practice incident response procedures before a real incident occurs.
What is the purpose of conducting a pen test?
Pen tests let companies know if their data is easy for a hacker to steal. It answers the question: Is my customer’s data safe?
Why does that matter? What makes cybersecurity so important? Security breaches are expensive. According to Business Insider, US companies lose an average of $7 million in a single data breach. Hacking victims pay high fees to IT specialists who can restore the data. They also have to shell out money for legal services and regulatory fines, and pay public relations firms to reestablish their good name.
None of that considers customer loss. Research cited by Business Insider says that 76% of customers would leave a company with a record of multiple data breaches.
What are the different types of pen testing?
In keeping with the hacker world’s love for color-coded labels, pen testing includes Black Box, Gray Box, and White Box assessments, named for how much the tester is told about the target:
- A Black Box penetration test is typically the least expensive option. The testing analyst receives no background information. The black box most closely resembles a real hacker’s experience, but a cyber criminal may have unlimited time while a black-box tester operates within time constraints.
- A Gray Box penetration test is typically priced between a black and white box test, but varies depending on the scope of the engagement. With the Gray Box penetration test, the analyst receives some information (such as user credentials, network diagrams, or documentation) to help with their research. In many cases, a gray box test can produce as much data as a white box test. Gray box testing is authenticated testing at a user level, and it should be used for almost all web applications that require user access.
- A White Box penetration test is often the most expensive, but also the most accurate and comprehensive of the three. In this assessment, the tester is given extensive information about the environment before testing, and typically has administrator or root-level access.
Regulated Industries that Need Penetration Testing
Due to the highly regulated nature of some industries – such as service providers, healthcare, and banking – penetration testing is essential to ensuring compliance. Below are some of the common regulations that require, or are commonly satisfied by, penetration testing:
SOC 2 Trust Service Principles Source: https://www.ssae-16.com/soc-2/
Penetration testing is typically expected as evidence for the initial SOC 2 Type II audit, then every 180 days after. SOC 2 itself does not prescribe a test frequency; this is the cadence commonly agreed with auditors.
SOC stands for Service Organization Control (now System and Organization Controls), and SOC 2 is the AICPA reporting framework that service organizations such as SaaS, hosting, and managed service providers use to demonstrate their controls over customer data. To obtain a SOC 2 report, companies must undergo an audit. This audit covers five control categories, known as the Trust Service Principles: security, availability, processing integrity, confidentiality, and privacy. Security is always in scope; the other four are included as relevant to the service provided. Cybersecurity experts recommend penetration testing once a quarter or twice a year as part of SOC 2 compliance audits.
There are two types of SOC 2 audits – Type I and Type II. A SOC 2 Type I audit is more of a documentation review, whereas a SOC 2 Type II audit is a review of operations – control implementation effectiveness.
Penetration testing is primarily used to test control effectiveness in SOC 2 Type II audits.
Below is a high-level comparison of SOC 2 Type I and SOC 2 Type II:
- SOC 2 Type I – an audit of management’s description of a service organization’s system and the suitability of the design (documentation) of controls. A SOC 2 Type I audit looks at “a point in time” of the systems in scope, how management of the organization describes the systems, and what controls are in place around the systems. An auditor will issue an opinion (attestation) based on management’s description of the controls and a review of the documentation (artifacts provided) around these controls.
- SOC 2 Type II – an audit of management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls. A SOC 2 Type II audit looks at how the controls are described and used over a review period, typically a minimum of six months. The intent is to determine if controls are functioning as described by management. An auditor will test the controls and provide an opinion (attestation) based on the description by management versus the operating effectiveness (test results) of the controls.
Penetration Testing provides the technical evaluation of security controls for HIPAA compliance
HIPAA requires a periodic technical evaluation; performing a penetration test at least annually is the common interpretation.
Medical information is highly valuable – perhaps more profitable to hackers than credit card data. It often includes social security numbers, birth dates, insurance numbers, diagnosis codes, and billing information. Hackers can use this data to commit identity fraud and to obtain prescriptions fraudulently. It is vital that medical institutions perform regular pen testing to assure themselves, their clients, and their regulatory agencies that data is safe from prying eyes.
HIPAA (Health Insurance Portability and Accountability Act of 1996) is the US federal law that governs the privacy, security, and electronic exchange of medical information. As part of remaining compliant with HIPAA, covered entities must perform regular technical evaluations of their data security. What better way to test a system than to think like the person hacking it? That’s what a pen tester does.
Specifically, the HIPAA Security Rule’s Evaluation standard, 45 CFR § 164.308(a)(8), applies to penetration testing. A covered entity or business associate is required to perform a periodic technical and nontechnical evaluation. A technical evaluation is typically satisfied by performing a vulnerability assessment or a penetration test. Essentially, the technical evaluation provides validation that the controls defined in the documentation are actually implemented effectively and working as described. The nontechnical evaluation assesses the plan on paper, whereas the technical evaluation assesses the implementation of the plan. HIPAA does not mandate who performs it, but an independent third party should perform the technical evaluation.
Additionally, NIST has issued guidance for HIPAA (NIST SP 800-66) that states, “Conduct penetration testing (where trusted insiders attempt to compromise system security for the sole purpose of testing the effectiveness of security controls), if reasonable and appropriate.”
Penetration Testing assesses the controls used to protect the CDE for PCI DSS
Penetration testing required at least annually and after significant changes; segmentation testing required every six months for service providers. The test may be performed by a qualified internal resource with organizational independence or by an external third party; the tester does not have to be an ASV or QSA.
PCI DSS stands for Payment Card Industry Data Security Standard. It’s the rulebook that governs how cardholder data is stored, processed, and transmitted. PCI DSS requires both a vulnerability scan and a pen test. The vulnerability assessment and penetration test must include the perimeter of the Cardholder Data Environment (CDE) and any systems which, if compromised, could impact the security of the CDE. Pen tests must be performed at least once annually, and segmentation tests every six months for service providers.
Specifically, PCI DSS 3.2 distinguishes between a vulnerability scan (Requirement 11.2) and a penetration test (Requirement 11.3), both of which are required for PCI DSS compliance. PCI DSS Requirement 11.3.4.1 requires service providers to perform penetration testing on CDE segmentation controls at least every six months. The PCI Security Standards Council’s testing procedure states that assessors should:
Examine the results from the most recent penetration test to verify that:
- Penetration testing is performed to verify segmentation controls at least every six months and after any changes to segmentation controls/methods.
- The penetration testing covers all segmentation controls/methods in use.
- The penetration testing verifies that segmentation controls/methods are operating and effective, and isolate all out-of-scope systems from systems in the CDE.
- Verify that the test was performed by a qualified internal resource or qualified external third party and, if applicable, that organizational independence of the tester exists (not required to be a QSA or ASV).
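The segmentation verification described above, and the "scanning" stage of the five-step process earlier on this page, both come down to one question: from a host that is supposed to be out of scope, can a TCP handshake be completed to anything inside the CDE? The following is an added example, not code from the original article or any PCI SSC tool. It probes a list of CDE targets and reports every one that is reachable; run from an out-of-scope network, each reachable service is a segmentation finding. The target labels, hosts and ports are hypothetical; to keep the example runnable offline, the demo opens a local listener to stand in for a reachable CDE service and uses a closed local port to stand in for a blocked one.

```python
"""Segmentation connectivity probe (added example, not from the article).

Assumptions: the script is executed from a host in an out-of-scope network
segment, and the targets list names CDE hosts/ports that should NOT be
reachable from there. Any completed TCP handshake is a finding.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    host: str
    port: int
    label: str  # hypothetical description, e.g. "cde-db" (not a real asset)


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a full TCP handshake completes, False on refusal or timeout.

    A filtered port (firewall drops SYN) shows up as a timeout, a closed port as
    ECONNREFUSED; both are reported as unreachable, which is the desired state
    for a CDE service probed from an out-of-scope segment.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers socket.timeout and ConnectionRefusedError
        return False


def check_segmentation(targets, timeout: float = 2.0) -> dict:
    """Probe every target; return {label: reachable}."""
    return {t.label: probe_tcp(t.host, t.port, timeout) for t in targets}


def segmentation_failures(results: dict) -> list:
    """Labels that were reachable. From an out-of-scope source, each is a finding."""
    return sorted(label for label, reachable in results.items() if reachable)


# --- constructed stand-ins so the example runs offline ---------------------

def start_local_listener():
    """Simulate a CDE service that is wrongly reachable: listen on loopback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_local_port() -> int:
    """Simulate a correctly isolated CDE service: a loopback port nothing listens on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Run the probe against the two simulated targets; return (results, failures)."""
    srv, open_port = start_local_listener()
    try:
        targets = [
            Target("127.0.0.1", open_port, "cde-app (simulated, reachable)"),
            Target("127.0.0.1", closed_local_port(), "cde-db (simulated, blocked)"),
        ]
        results = check_segmentation(targets, timeout=1.0)
        return results, segmentation_failures(results)
    finally:
        srv.close()


if __name__ == "__main__":
    results, failures = demo()
    for label, reachable in results.items():
        print(f"{'REACHABLE' if reachable else 'blocked  '}  {label}")
    print("segmentation findings:", failures or "none")
```

For a real engagement the targets list is replaced with the in-scope CDE hosts and ports, and the script is run once from each out-of-scope segment (corporate LAN, guest Wi-Fi, DMZ, and so on); the assessor keeps the output alongside the firewall change log as evidence for the six-month PCI DSS 11.3.4.1 review. A TCP-connect probe only shows whether a segmentation boundary lets a connection through; it does not replace the manual attempts to pivot across that boundary that the penetration test itself must include.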
What are the benefits of pen testing?
Pen testing improves security by revealing existing vulnerabilities in your system. It shows which vulnerabilities a hacker can actually exploit and which pose little practical risk, so remediation effort goes where it matters. Pen testing also gives you a glimpse into how effective your security strategy is. It answers the question: could we prevent or contain a data breach with minimal damage or time lost? Perhaps most importantly, pen testing keeps your company in good standing with vendors, clients, and regulatory agencies.
What do I need to consider when choosing a penetration testing vendor?
Make sure the team you choose is certified and experienced. The members should hold credentials such as the EC-Council Certified Security Analyst (ECSA), Licensed Penetration Tester (LPT), Offensive Security Certified Professional (OSCP), or Certified Ethical Hacker (CEH). Ask if they perform both manual and automated testing and if they will show you the documented process they follow. (The answer to both should be yes!) A quality team will protect your data during and after the test.
Staying compliant in a highly regulated environment means keeping up with the latest cyber security strategies. Calling in a third-party white-hat hacker or incorporating penetration testing into a managed services contract is a great way to ensure your data stays protected. Although many regulations only specify a penetration test annually or every six months, we recommend a quarterly program that includes validation (re-test) testing to confirm that reported findings were actually fixed.
Contact us for a free consultation on penetration testing.