Blog | United States | WebCheck Security

Larger companies regularly engage firms like Webcheck Security, at $20k-$60k or more per engagement, to perform cyber control gap or maturity assessments, usually against frameworks such as CIS 20, ISO 27001 or NIST, or against a limited scope surrounding PCI, HIPAA or other privacy standards.


That's wonderful - but what about smaller companies? Verizon's annual data breach report has indicated for years that more than 43% of the businesses being attacked are in the SMB category. You hear about the large breaches, but not the small ones (which are just as devastating to the SMBs affected).


Small businesses tend to say, "But we have no servers or infrastructure internally (or very little), and we're not a target." That lasts until they have a security incident that rattles the owners. Suddenly they get it: cyber security cannot be an afterthought.


So what is it that Webcheck Security would do for a small business with limited infrastructure? What is the value of paying for an annual assessment and "renting" an information security officer for a few hours every month? Does it cost $20k?


Answering the last question first - no, a small business won't pay $20k for an effective assessment. What then is the actual value of shelling out a few thousand dollars to have a cyber maturity assessment performed?


First, it is important to remember that the in-depth analysis performed in a maturity assessment has less to do with the amount of infrastructure than with systems of operation, procedures and policies. As our experts work through the assessment, they will analyze, and ask questions about, areas such as:

  • Disaster Recovery Policy

  • Incident Response

  • Business Continuity (intertwined with the former but distinct in purpose)

  • Password management and procedures

  • Storage of PII/PHI/PCI and other critical data and/or intellectual property/proprietary operational data

  • Cyber insurance

  • Security Awareness Training policies

  • Email defense mechanisms

  • Endpoint schema

  • Data Exfiltration possibilities

  • Corporate SaaS access, configuration, including Multi-Factor Authentication

  • Acceptable Use Policies

  • VPN and remote usage

  • Shadow IT

  • Vulnerability scanning - internally and externally

These are just some of the things that would be reviewed for gaps and effectiveness. In many cases a small company may be doing some things right but there will be many recommendations for “moving the needle” and in other cases there will be significant exploitable policy/procedure gaps which our practitioners will identify and document in a prioritized manner.

Part of the trick with cyber security is recognizing that it is not just an IT problem to be solved with IT controls, but a combination of policy, procedure and best-practice controls, applied in a way that makes sense for your business.


For example, for most small businesses the practitioner won't be recommending expensive SIEM software and monitoring on a limited budget and infrastructure. Instead, many of the recommendations will be a dozen small things that, done properly, can make a monumental difference in the business's overall cyber hygiene.

Then, post-assessment, the small business can choose to move forward with a monthly information security "rental", which provides advice on proceeding in the right order and the right way, in addition to hands-on policy writing assistance. Having a prioritized roadmap to improve cyber hygiene - which is really about mitigating risk - is a critical exercise for a small business.


In summary, cyber maturity assessments for small and medium businesses are a critical component of risk mitigation. They won't cost an arm and a leg, and the return on the modest budget spent to obtain a prioritized roadmap can be critical to successful business continuity in the face of ever-increasing cyber threats.


Webcheck Security, updated Apr 21

Our Free Guide to Validating PCI


You may have heard that PCI compliance is important, but have been putting it off due to confusion. Now you're noticing monthly charges of 25-60 dollars on your provider statement. After hours of phone calls, you find out you're being charged a non-compliance fee, and in fact they've been charging you for months. They may also have told you that if you are hacked while non-compliant, the fines can be hefty. There is a simple way to fix that, and we are here to help.


There are literally thousands of businesses in America - merchants and service providers alike - who have no idea how to succeed in validating PCI, so you aren't alone. Penetration testing and IP vulnerability scanning are often part of that compliance. You may need guidance in understanding which Self-Assessment Questionnaire (SAQ) to pick, how to approach the requirements, and where to go for the services. That's why Webcheck Security exists.


Navigating the world of PCI compliance can seem daunting, but thanks to our helpful guide we hope it will be much easier to understand. It gives you a brief summary of PCI and how you can begin.

Download this guide HERE for free.

Please contact us as we would love to help you on your journey.


Introduction


The world today is far different than it was one month ago. For example, here in the United States we were at all-time stock market highs, and unemployment was at its lowest point, right around 3.5%. We had the longest economic boom period on record, lasting about 11 years. But with the advent of the Coronavirus, that all came to a sudden halt, and now the reverse is happening, to the other extreme.


Apart from the tragic toll it is taking on human lives, it has also made a tremendous impact on the world of Cybersecurity. For example:


  • The number of Phishing attacks has greatly increased. Victims are not simply being sent to spoofed banking or other financial institution websites; they are now being lured to spoofed Centers for Disease Control (CDC) and World Health Organization (WHO) websites.

  • Since just about every worker is now working remotely, all meetings, calls, etc. are taking place via Zoom. Given this rise in demand, these platforms are now becoming a target for the Cyberattacker.

  • Many domains are now being registered in order to launch spoofed and illegitimate websites.

  • The remote worker is also becoming a prime target for the Cyberattacker. The primary reason is that many businesses were in a rush to get their workers set up remotely, and as a result many of the laptops and other wireless devices do not have the proper security mechanisms installed on them.

To demonstrate this, here are some illustrations of how the Coronavirus impacted the Cybersecurity of Italy, one of the first countries to be hit hard by it:

[Figure: the sudden spike in Phishing activity within the last month (SOURCE: 1).]

[Figure: the sheer increase in fake login attempts into various types of websites and other critical resources (SOURCE: 1).]

[Figure: the increased number of Cyberattacks taking place on the computers and wireless devices of remote workers (SOURCE: 1).]


But whatever form the threat variant takes, the bottom line is that most of these Cyberattacks are Phishing based, redirecting victims to malicious websites and other types of web-based applications. This drives home the point that websites need to be made much more secure.


One of the best ways to protect your business's website (and even your business) in these trying times is to make use of what is known as Penetration Testing.


What Is Penetration Testing?


In more technical terms, Penetration Testing (aka Pen Testing) can be defined as follows:


“[It] is a simulated cyber-attack where professional, ethical hackers break into corporate networks to find weaknesses... [in] your network, application, device, and/or physical security through the eyes of both a malicious actor and an experienced cybersecurity expert to discover weaknesses and identify areas where your security posture needs improvement.


This testing doesn’t stop at simply discovering ways in which a criminal might gain unauthorized access to sensitive data or even take over your systems for malicious purposes. It also simulates a real-world attack to determine how any defenses will fare and the possible magnitude of a breach.” (SOURCES:  2 and 3).


One of the keywords to take serious note of here is "ethical". Yes, Pen Testers have a mindset like that of the Cyberattacker (or may even have been one in a previous life before deciding to turn to the good side), but what they engage in is for the good of the client. In other words, they will never step beyond the boundaries or limits of what the customer wants. If a Tester feels they need to, they must first ask the customer for permission and notify them in writing of what more they are planning to do.


Pen Testing is actually a lot more complex than the definition depicts. For example, various exercises can be conducted to find weaknesses in just about any aspect of your IT and Network Infrastructure, ranging all the way from hardware to software applications.


Why You Need Penetration Testing in the Software Development Life Cycle (SDLC) of Your Web Application


One of the primary ways a Cyberattacker can break into your company is through backdoors left in the source code of your web-based applications. Or the code itself may be weak in terms of security in different areas, because it has never been tested for that.


It is important to keep in mind that software developers are very often under serious time constraints to deliver the app on time and under budget, so security testing is very often forgotten about. This is where Pen Testing comes into play, and thus it is very important to partner with a well-established and reputable firm such as Webcheck Security.


Keep in mind that you should not wait until the very end of development (especially just before the application is expected to be released into production) to Pen Test it. Rather, it should be done at different stages throughout the Software Development Life Cycle, or SDLC for short.


Here is why this is so important:


1. To stay one step ahead of the automated hacking tools:

Given that just about everything is accessible on the Internet these days, there is a plethora of hacking tools available online, so that even the most amateur of hackers could potentially break into your software application. Pen Testing at different phases, and continuing to do so even after the application has been released, will go a long way toward assuring that it is not vulnerable to these tools.


2. Vulnerabilities can be fixed on time:

Let's face it, just about every product or service in the marketplace has some sort of security vulnerability or weakness in it, whether known or not. But by testing the source code ahead of time, you will be able to address issues as they come up and fix them before moving on to the next step of the SDLC. This not only helps ensure a much smoother transition to the production environment, it also helps deliver the project on time to the customer. For example, if you wait until the very last minute to Pen Test the source code and a lot of vulnerabilities are found that need to be fixed, this will definitely push the delivery date back by quite a bit, incurring extra expenses not only for the software development team but for the customer as well.


3. The detection of security vulnerabilities that may have already existed:

In the previous examples, we examined the importance of Pen Testing at the different stages of the SDLC. What happens if you depend on a third party to develop the source code you need, and they claim that they have tested it for security and that all is "up to snuff"? Do you take their word for it and deploy the application? This is a situation you never want to be in. If you are in this scenario, it is your responsibility to make sure that the source code is tested thoroughly for any security gaps and weaknesses that may already exist, and that they are remediated before the application is launched. It is also quite important that you keep Pen Testing this source code (as well as your other software applications) on a regular basis, so that any future vulnerabilities can be detected and patched quickly. By doing this, you are not only enforcing a proactive mindset in your IT Security Team, you are also instilling a high level of confidence in your customers that you take protecting their Personally Identifiable Information (PII) very seriously.


4. To help prepare for the worst-case scenario:

Just suppose that after all of this Pen Testing, the software application in question is actually hit by a Cyberattacker (as previously mentioned, there is no guarantee on anything). Well, all is not lost. By having done so many of these exercises, your IT Security Team will be able to respond to that threat and mitigate it much more quickly than if they had never practiced. The result is much-reduced downtime, and you will be able to bring your mission-critical business processes back up in a much shorter timeframe.


5. It will allow you to stay ahead in terms of compliance:

Given the ever-changing dynamics of the Cyber Threat Landscape, pretty much all businesses are coming under the close eye of government auditors to make sure that any customer data they gather and retain complies with regulations such as HIPAA, GDPR, ISO 27001, the PCI Data Security Standard, etc. If an organization fails in any regard, stiff fines and penalties can be imposed. Conducting regular Pen Testing on the source code as it moves through the various SDLC phases, and afterwards, shows the auditors that you take these regulations seriously and that protecting customer information is of paramount importance.


Finally, as the diagram below illustrates, Pen Testing should be conducted after each and every phase of the SDLC, and one final exercise should be done just before the application goes into production:

[Figure: Pen Testing at each phase of the SDLC, with a final test before production (SOURCE: 4).]



How Webcheck Security Can Be Your Partner


Remember, conducting a Penetration Testing exercise is very serious; it is not something to take lightly at all. Whether you are developing the source code in house or for another organization, you need to partner with somebody who has done this for a very long time and has deep experience. Remember, one of the biggest risks of not conducting a thorough Pen Testing exercise is a lawsuit.


If a forensic analysis later discovers that there were security gaps and vulnerabilities in the source code of the application in question, you could very well be sued, and because of that, even face financial ruin.


You can avoid all of this by partnering with us at Webcheck Security. Contact us today for more information!


Sources

  1. https://threatpost.com/cynet-the-coronavirus-is-already-taking-effect-on-cyber-security-this-is-how-cisos-should-prepare/153758/

  2. https://www.csoonline.com/article/2943524/penetration-testing-tools-the-pros-use.html

  3. https://www.redteamsecure.com/penetration-test-need/

  4. https://www.stickman.com.au/why-penetration-testing-must-be-part-software-development-lifecycle/
