Protect your DICOM from Cyber Attacks

Learn about the types of cyber attacks that can disrupt your DICOM and the ways you can prevent and protect your radiology and imaging services from being impacted

How to protect your DICOM from cyber attacks

DICOM stands for Digital Imaging and Communications in Medicine. It is a standard protocol for managing, storing, and transferring medical images and related data in a digital format. It ensures that medical images and information can be exchanged between different imaging systems and healthcare providers, regardless of the manufacturer or the location of the devices. 

DICOM is widely used in the field of radiology and medical imaging. It covers various medical imaging modalities, including X-ray, MRI, CT scans, ultrasound, and nuclear medicine. It ensures that the images and data generated by these modalities are standardized and can be viewed and interpreted by radiologists and other medical professionals.

DICOM files use layered approaches to store data that can not only contain images but also patient information, examination details, the imaging equipment used to capture the image, and the image itself, including its size, orientation, and other relevant metadata. This information is stored in a standardized format that can be interpreted by different software applications and devices, regardless of their manufacturer or origin. This makes it easier for radiologists to interpret and analyze images, as they can access all the necessary information in one place.
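To make the element layout just described concrete, here is a small parser and writer added for this page (example code, not from databrackets or from any DICOM toolkit). It serializes a few constructed, fictitious patient elements as a minimal DICOM Part 10 file in explicit VR little endian, parses the file back while rejecting truncated or over-long length fields, and re-writes it with the identifying elements masked so that a copy can leave the department without the patient identity. The tag numbers and the transfer syntax UID are the standard's own; the element dictionary, sample values and the `deidentify` policy are assumptions made for the example, and sequences, implicit VR and pixel data are out of scope.

```python
import struct

PREAMBLE = b"\x00" * 128                   # 128-byte preamble, then the "DICM" magic
MAGIC = b"DICM"
EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"     # transfer syntax UID: explicit VR little endian
LONG_VRS = {"OB", "OW", "OF", "SQ", "UT", "UN"}   # VRs that carry a 4-byte length field

# Minimal element dictionary: (group, element) -> (keyword, VR). Real DICOM has thousands.
DICT = {
    (0x0002, 0x0000): ("FileMetaInformationGroupLength", "UL"),
    (0x0002, 0x0010): ("TransferSyntaxUID", "UI"),
    (0x0010, 0x0010): ("PatientName", "PN"),
    (0x0010, 0x0020): ("PatientID", "LO"),
    (0x0010, 0x0030): ("PatientBirthDate", "DA"),
    (0x0028, 0x0010): ("Rows", "US"),
    (0x0028, 0x0011): ("Columns", "US"),
}
KEYWORD_TO_TAG = {kw: tag for tag, (kw, _vr) in DICT.items()}


def encode_value(vr, value):
    """Binary VRs are little-endian integers; string VRs are ASCII padded to even length."""
    if vr == "UL":
        return struct.pack("<I", value)
    if vr == "US":
        return struct.pack("<H", value)
    raw = value.encode("ascii")
    if len(raw) % 2:
        raw += b"\x00" if vr == "UI" else b" "   # UIDs pad with NUL, text VRs with space
    return raw


def decode_value(vr, raw):
    if vr == "UL":
        return struct.unpack("<I", raw)[0]
    if vr == "US":
        return struct.unpack("<H", raw)[0]
    return raw.decode("ascii", "replace").rstrip(" \x00")


def encode_element(tag, vr, value):
    """Explicit VR: tag (2+2 bytes LE), 2-char VR, then a 2- or 4-byte length and the value."""
    raw = encode_value(vr, value)
    head = struct.pack("<HH", *tag) + vr.encode("ascii")
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(raw)) + raw
    return head + struct.pack("<H", len(raw)) + raw


def build_file(elements):
    """Serialize {keyword: value} as a minimal Part 10 file: preamble, magic, meta group, dataset."""
    ts = encode_element((0x0002, 0x0010), "UI", EXPLICIT_VR_LE)
    meta = encode_element((0x0002, 0x0000), "UL", len(ts)) + ts
    body = b"".join(
        encode_element(KEYWORD_TO_TAG[kw], DICT[KEYWORD_TO_TAG[kw]][1], value)
        for kw, value in elements.items()
    )
    return PREAMBLE + MAGIC + meta + body


def parse_file(data):
    """Walk the element stream and return {keyword: value}; reject truncated input."""
    if data[128:132] != MAGIC:
        raise ValueError("not a DICOM Part 10 file")
    pos, dataset = 132, {}
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated element header")
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6].decode("ascii", "replace")
        if vr in LONG_VRS:
            if pos + 12 > len(data):
                raise ValueError("truncated element header")
            length = struct.unpack_from("<I", data, pos + 8)[0]
            pos += 12
        else:
            length = struct.unpack_from("<H", data, pos + 6)[0]
            pos += 8
        if pos + length > len(data):
            raise ValueError("element length runs past end of file")   # untrusted length field
        raw, pos = data[pos:pos + length], pos + length
        keyword = DICT.get((group, elem), (f"({group:04X},{elem:04X})", vr))[0]
        dataset[keyword] = decode_value(vr, raw)
    return dataset


def deidentify(data, replacement="ANON"):
    """Re-encode the file with identifying elements masked; image geometry is kept intact."""
    dataset = parse_file(data)
    dataset = {k: v for k, v in dataset.items()
               if k not in ("FileMetaInformationGroupLength", "TransferSyntaxUID")}
    for keyword in ("PatientName", "PatientID"):
        if keyword in dataset:
            dataset[keyword] = replacement
    if "PatientBirthDate" in dataset:
        dataset["PatientBirthDate"] = dataset["PatientBirthDate"][:4] + "0101"  # keep year only
    return build_file(dataset)


# Constructed sample study; the patient is fictitious.
SAMPLE = build_file({"PatientName": "DOE^JANE", "PatientID": "MRN-0001",
                     "PatientBirthDate": "19800415", "Rows": 512, "Columns": 512})

if __name__ == "__main__":
    print(parse_file(SAMPLE))
    print(parse_file(deidentify(SAMPLE)))
```

The two length checks in `parse_file` are the part worth copying: a viewer or archive that trusts the length field of an incoming file reads past the buffer on a malformed object, which is exactly the kind of defect the "vet third-party DICOM software" advice later on this page is about.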

Imaging professionals and radiologists use DICOM in several ways. For example, they may use it to:

  • Store and retrieve medical images and related information from a central archive or picture archiving and communication system (PACS)
  • Share medical images and related information with other healthcare providers or facilities
  • Analyze and manipulate medical images using specialized software applications
  • View and interpret medical images on specialized imaging workstations or other devices

DICOM is a critical component of healthcare systems today. It has become an essential tool for medical professionals to enhance the accuracy of diagnosis, plan effective treatments, and improve patient outcomes. It is essential to understand the potential data breaches and cyber attacks that can negatively impact your DICOM and/or the DICOM images used in your healthcare setup. 

Potential Cyber Attacks on DICOM

Like any other digital system, DICOM is vulnerable to a range of data breaches and cyber attacks, some of which are described below:

  1. Unauthorized access: Unauthorized access can occur due to weak or stolen passwords, unsecured remote access, or unpatched vulnerabilities in the system. Attackers can use this access to steal or modify patient data, install malware or ransomware, or use the system as a launching pad for further attacks.
  2. Data interception: DICOM data can be intercepted in transit by unauthorized personnel, which can expose sensitive medical images and patient information. This can happen through methods such as eavesdropping on network traffic or exploiting vulnerabilities in the encryption protocols used to protect the data. An example of data interception is a MITM (man-in-the-middle) attack.
  3. Man-in-the-middle (MITM) attack: In this attack, an attacker intercepts communication between two parties and alters or manipulates the data. In the case of DICOM, an attacker can intercept the image data being sent between imaging professionals or radiologists and modify it before forwarding it to the intended recipient. This could lead to misdiagnosis or incorrect treatment.
  4. Malware and ransomware attacks: Malware and ransomware attacks can infect a DICOM system and cause damage to the software and data. Malware can compromise the system’s security by gaining access to sensitive data, while ransomware can hold the system hostage until a ransom is paid.
  5. Social engineering attacks / Phishing attacks: Social engineering attacks can involve phishing emails or phone calls to trick users/employees into giving up their login credentials or other sensitive information. This can lead to unauthorized access to the DICOM system and the potential exposure of sensitive medical data.
  6. SQL injection attacks: SQL injection attacks exploit vulnerabilities in the software code of the DICOM system to gain unauthorized access to the data stored within. Attackers can use these vulnerabilities to steal data, modify records, or cause other damage to the system.
  7. Distributed Denial of Service (DDoS) attacks: DDoS attacks can overwhelm the DICOM system with a flood of requests, causing it to crash or become inaccessible to legitimate users. This can result in significant disruption of healthcare services and patient care.
  8. Insider Threats: Insider threats can arise when authorized personnel misuse their privileges to access and misuse patient data, such as selling or leaking confidential information to unauthorized third parties.
  9. Password attacks: Password attacks are a common type of cyber attack where an attacker tries to guess or brute-force passwords to gain access to a system. If a DICOM system is protected by weak or easily guessable passwords, an attacker can gain unauthorized access to PHI and other sensitive information.
  10. Data theft: Once an attacker has access to your DICOM, they can steal sensitive patient information such as names, addresses, medical records, and billing information. The attacker can then use this information for financial gain or identity theft.
  11. Physical Security Breaches: Physical security breaches, such as theft or unauthorized access to DICOM storage devices or physical records, can compromise patient data confidentiality.

Medical and imaging professionals must be aware of these potential data breaches and cyber-attacks and take appropriate measures to prevent them.

How to prevent a data breach in DICOM 

To prevent data breaches in DICOM, we recommend you take the following steps:

  1. Ensure Secure Access Control: Limit the access of DICOM systems to authorized personnel only, implement role-based access control, and enforce strong password policies to prevent unauthorized access.
  2. Use Encryption: Encrypting DICOM data both in transit and at rest will help ensure that any intercepted data cannot be read without the correct decryption key.
  3. Ensure Secure Configuration: Ensure that all DICOM systems are configured securely, including the DICOM Servers and that default passwords are changed to strong ones.
  4. Regularly update software and hardware: Regularly update all software and hardware to ensure that vulnerabilities are addressed and security patches are applied. Outdated software and hardware are more vulnerable to attacks.
  5. Conduct User Training / Staff Training: Conduct regular security awareness training for staff, including education on phishing attacks and how to identify and report potential security threats.
  6. Create an Incident Response Plan: Establish an incident response plan in case of a data breach or security incident. The plan should include steps for containment, investigation, and reporting.
  7. Limit Data Retention: DICOM data should be retained for only as long as necessary. Limiting the amount of data stored in the system reduces the risk of a breach and minimizes the impact of a breach if it occurs.
  8. Ensure Regular Monitoring: Regularly monitor DICOM system activity and audit logs to detect any unusual activity and investigate any suspicious activity promptly.
  9. Conduct regular security audits: Conduct regular security audits to ensure that the system is compliant with industry standards and regulations and that any vulnerabilities are identified and addressed.
  10. Continuous monitoring of security controls: Continuous monitoring can help identify vulnerabilities and potential security threats. This will help you stay ahead of potential security risks and zero day attacks.
  11. Use firewalls and intrusion detection systems: Firewalls can be used to restrict unauthorized access to DICOM systems. Intrusion detection systems can be used to monitor and detect any suspicious activity within the system.
  12. Limit / Disallow access on personal devices: DICOM images and data can be stored on local devices, such as laptops or USB drives, which can be lost or stolen. Radiologists may also use mobile devices to access DICOM files and other patient information, but these devices can be vulnerable to attacks if they are not properly secured. Create a security policy that disallows or limits access to DICOM images on personal devices.
  13. Vet Third-party DICOM software: Radiologists often use third-party DICOM software to view and analyze medical images. If this software is not vetted properly, it can contain vulnerabilities that can be exploited by attackers.
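The "Password attacks" item above and the "Ensure Regular Monitoring" step meet in one concrete detection: counting failed logins per source in the audit log and alerting on a burst, and again if the same source then succeeds. The following Python is an added example written for this page, not databrackets code and not tied to any particular PACS product. The log lines are constructed, and their layout (`auth: result=... user=... src=... ae=...`) is an assumption; a real archive or DICOM gateway has its own format, so `LINE_RE` is the part to adapt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines. The format is an assumption made for this example;
# a real PACS or DICOM gateway writes its own log layout, so adapt LINE_RE to it.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z pacs-archive auth: result=FAIL user=rad01 src=10.20.30.40 ae=WS-READ-1
2024-03-01T09:00:05Z pacs-archive auth: result=FAIL user=rad01 src=10.20.30.40 ae=WS-READ-1
2024-03-01T09:00:09Z pacs-archive auth: result=FAIL user=rad01 src=10.20.30.40 ae=WS-READ-1
2024-03-01T09:00:13Z pacs-archive auth: result=FAIL user=rad01 src=10.20.30.40 ae=WS-READ-1
2024-03-01T09:00:17Z pacs-archive auth: result=FAIL user=rad01 src=10.20.30.40 ae=WS-READ-1
2024-03-01T09:00:21Z pacs-archive auth: result=FAIL user=rad01 src=10.20.30.40 ae=WS-READ-1
2024-03-01T09:00:30Z pacs-archive auth: result=OK user=rad01 src=10.20.30.40 ae=WS-READ-1
2024-03-01T09:01:00Z pacs-archive auth: result=FAIL user=rad02 src=10.20.30.41 ae=WS-READ-2
2024-03-01T09:01:05Z pacs-archive auth: result=OK user=rad02 src=10.20.30.41 ae=WS-READ-2
this line is not an auth event and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: result=(?P<result>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) ae=(?P<ae>\S+)$"
)


def parse_line(line):
    """Return the event fields as a dict, or None for lines that are not auth events."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window detector: alert when one source produces `threshold` failed
    logins inside `window`, and again if that source then succeeds (a possibly
    guessed password). Returns a list of (alert_type, source, timestamp) tuples."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        src = ev["src"]
        if ev["result"] == "FAIL":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:    # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, ev["ts"]))
        elif ev["result"] == "OK" and src in flagged:
            alerts.append(("success-after-burst", src, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The second alert type is the one that matters operationally: a burst of failures followed by a success from the same source is the signal to reset the account and check what that session retrieved, not merely to block the address.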

How databrackets can help you secure your DICOM and Radiology / Imaging Infrastructure

With over a decade of industry experience and technical excellence, a dedicated team at databrackets can protect your organization from threats and adapt to your unique requirements. We have supported Radiologists, Imaging professionals, and organizations working in the healthcare industry with a wide variety of customized services.

We offer consulting and hybrid services to help you undergo a thorough Security Risk Assessment and ensure your systems meet the security benchmarks in your industry. Our certified experts have also developed specialized Do-It-Yourself Assessments for organizations with a well-developed in-house IT team. Connect with an Expert, and explore how our services can help your organization. 


What are the new controls added to ISO 27001 in 2022?

Explore the new controls added to ISO 27001 in 2022 and recommendations to implement them

New Controls added to ISO 27001 in 2022

ISO 27001 is a globally respected information security standard. It is officially referred to as ‘ISO/IEC 27001’ and is part of the ISO/IEC 27000 family of standards for information security management. It is designed, updated and regulated by the International Organization for Standardization.

While ISO 27001 Certification is popular for the enhanced level of security it ensures in an organization’s Information Security Management System (ISMS), it is also preferred by Senior Management because of the contracts they can apply for with an ISO 27001 Certificate. Organizations around the world prefer to work with B2B partners and vendors who comply with ISO 27001 controls. They tend to include this certification or a proof of compliance in their RFQs / RFPs.

The latest ISO 27001 update in 2022 introduced several changes starting with the name. The current edition of this standard is now referred to as ‘ISO/IEC 27001:2022’. Organizations certified against the 2013 revision (the previous edition) have till Oct 21, 2025 to transition to the new update. 

While the Structure of ISO 27001 has not changed, major changes have been introduced in Annex A, starting with the introduction of 11 new controls. Other changes include splitting one control, renaming 23 controls and merging 53 controls. Let’s explore the controls added to ISO 27001 in the 2022 update. 

Threat Intelligence: Threat intelligence is the process of gathering, analyzing, and sharing information about potential and actual cybersecurity threats. It involves collecting data from various sources, including vulnerability databases, vendor-supplied patches, external threat feeds, social media, and other open-source intelligence (OSINT) tools, and using it to identify and mitigate potential risks to your organization’s network, systems, and data. You can use threat intelligence for various functions, including identifying and blocking malware, tracking and analyzing the activities of cybercriminals, detecting and responding to security incidents, and improving your security posture. Effective threat intelligence helps organizations better understand the nature and scope of potential threats and improve their ability to respond to them.

Information Security for use of Cloud Services: Information security is crucial when using cloud services because these services involve storing and processing sensitive data on third-party servers that are not under your direct control. The security of your data and systems depends on the security measures put in place by your cloud service provider. Cloud service providers typically offer a range of security features, including encryption, access control, firewalls, intrusion detection and prevention, and regular security audits. The shared security responsibilities of the cloud model require customers to evaluate the efficacy of the security features offered and to ensure their own policies and procedures are in sync with the level of security they have promised their clients.

In addition to relying on the security measures provided by your cloud service provider, you can take several steps to further enhance the security of your data and systems in the cloud. These may include implementing multi-factor authentication, using strong passwords and regularly changing them, limiting access to sensitive data, monitoring user activity, and periodically reviewing and updating your security policies and procedures.

ICT Readiness for business continuity: ICT (Information and Communication Technology) readiness refers to the preparedness of an organization’s technological infrastructure and systems to respond to unexpected events or disruptions, such as natural disasters, cyber-attacks, or power outages. On the other hand, business continuity refers to an organization’s ability to continue its essential functions and operations during such events, minimizing the impact of the disruption on its operations, customers, and stakeholders. ICT readiness is crucial for business continuity because it enables organizations to maintain communication, data, and information flows even in challenging circumstances. Some ways in which ICT readiness can support business continuity are:

  • Data backup and recovery
  • Remote Access
  • Redundancy and failover systems
  • Cybersecurity

Physical Security Monitoring: Physical security monitoring is a critical component of an organization’s information security management system (ISMS) in compliance with ISO 27001. It is the process of monitoring, evaluating, and controlling physical access to an organization’s premises, data centers, and other critical areas that house sensitive information. Physical security monitoring aims to prevent unauthorized access, theft, damage, or destruction of an organization’s assets, including its people, facilities, and equipment. Some of the key components of physical security monitoring for ISO 27001 include:

  • Access control
  • Security surveillance
  • Monitoring and Physical barriers such as fences, walls, gates, or locks 
  • Alarm systems such as fire alarms, intrusion detection systems, or panic 
  • Incident response procedures 
  • Training and Awareness 

Configuration Management: Configuration Management is critical for ensuring the security of an organization’s information assets, including hardware, software, and data. In ISO 27001, Configuration Management is part of the Information Security Management System (ISMS) defined in clause 7.5.1. Its purpose is to ensure that information systems and assets are identified, controlled, and maintained throughout their life cycle. This includes identifying and documenting the configuration of information systems, maintaining the integrity of information assets, and ensuring that changes to information systems are properly authorized and controlled. 

The configuration management process typically involves the following steps:

  • Identification of all hardware and software components 
  • Establishing a baseline configuration for each component
  • Implementing controls to ensure that all changes made to the system components are authorized, documented, and tracked. 
  • Monitoring the system components and configurations to ensure they comply with the established baseline configuration. 
  • Reporting on the configuration management process and its effectiveness to ensure that the organization’s information system remains secure and in compliance with applicable laws, regulations, and standards.
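The "baseline" and "monitoring" steps above come down to recording a fingerprint of each managed component and comparing the live state against it. The following Python is an added example written for this page, not databrackets code and not from any configuration management product: it hashes every file under a directory, stores that as the baseline, and reports paths that were added, removed or changed. The configuration files, their contents and the drift introduced in `demo()` are all constructed for the illustration.

```python
import hashlib
import json
import os
import tempfile


def fingerprint_tree(root):
    """Return {relative_path: sha256} for every regular file under root."""
    fingerprints = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            fingerprints[rel] = digest
    return fingerprints


def save_baseline(fingerprints, path):
    """Persist the approved state; in practice keep this file outside the monitored tree."""
    with open(path, "w") as fh:
        json.dump(fingerprints, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def diff_against_baseline(baseline, current):
    """Classify drift as added, removed or changed paths (sorted for stable reports)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Build a constructed config tree, record its baseline, then introduce three kinds of drift."""
    with tempfile.TemporaryDirectory() as root:
        write(os.path.join(root, "etc", "pacs.conf"), "tls=required\nport=11112\n")
        write(os.path.join(root, "etc", "users.conf"), "rad01:role=reader\n")
        baseline_path = os.path.join(root, "baseline.json")   # kept outside "etc"
        save_baseline(fingerprint_tree(os.path.join(root, "etc")), baseline_path)

        # Unauthorized drift: a setting weakened, a file added, a file removed.
        write(os.path.join(root, "etc", "pacs.conf"), "tls=optional\nport=11112\n")
        write(os.path.join(root, "etc", "debug.conf"), "verbose=1\n")
        os.remove(os.path.join(root, "etc", "users.conf"))

        return diff_against_baseline(load_baseline(baseline_path),
                                     fingerprint_tree(os.path.join(root, "etc")))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A non-empty report is only useful if every entry can be matched to an approved change record; anything that cannot is the finding, and that reconciliation is the "authorized, documented, and tracked" control in the list above.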

Information Deletion: Information deletion is an essential component of information security. It involves securely and permanently removing information from all storage devices, including hard drives, USB drives, memory cards, and other digital storage media. 

ISO 27001 provides guidelines on how organizations can ensure that information is deleted securely. These guidelines include the following:

  • Define deletion procedures, including identifying the types of information that need to be deleted, the methods of deletion, and the roles and responsibilities of individuals involved in the deletion process.
  • Use secure deletion methods that render the information unrecoverable. This can include overwriting the information with random data, physically destroying the storage device, or using specialized software to erase the data securely.
  • Ensure secure disposal of storage devices through physical destruction or secure disposal methods that prevent the information from being recovered.
  • Maintain records of all deletion activities, including the type of information deleted, the date and time of deletion, the method used, and the individuals involved in the deletion process.

Data masking: Data masking is a security technique used to protect sensitive data by replacing it with a fake value while keeping its original format and structure intact. The purpose of data masking is to prevent unauthorized access to sensitive information, such as personally identifiable information (PII) or confidential business data.

To implement data masking for ISO 27001, organizations can use a variety of techniques, such as:

  • Substitution involves replacing sensitive data with a fictitious value, such as a random string of characters or a fake name. 
  • Shuffling involves reordering the values of a dataset while maintaining its overall structure. 
  • Encryption involves transforming sensitive data into an unreadable format, which can only be accessed with a decryption key.
  • Redaction involves removing sensitive information from a document or file. For example, blacking out a customer’s social security number on a printed document.
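Three of the four techniques listed above (substitution, shuffling and redaction) are shown below on a constructed personnel table. This is an added example written for this page, not databrackets code: the records, the masking key and the field names are invented. The substitution is format-preserving and keyed with an HMAC, so a masked value keeps the layout a downstream validator expects and the same input always maps to the same output across tables; that is a one-way mapping, not the encryption technique in the list, which would let the holder of the key recover the original.

```python
import hashlib
import hmac
import random
import re

# Constructed sample records; the people and numbers are fictitious.
RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "email": "jane.doe@example.com", "salary": 72000},
    {"name": "John Roe", "ssn": "987-65-4321", "email": "john.roe@example.com", "salary": 65000},
    {"name": "Ann Poe",  "ssn": "555-12-3456", "email": "ann.poe@example.com",  "salary": 91000},
]
MASK_KEY = b"constructed-example-key"   # keep the real key outside the masked data set


def substitute(value, key=MASK_KEY):
    """Format-preserving substitution: every letter or digit is replaced by another of the
    same class, chosen from an HMAC of the value. Punctuation and length are unchanged,
    and equal inputs map to equal outputs, which keeps joins between masked tables intact."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    out = []
    for i, ch in enumerate(value):
        shift = digest[i % len(digest)]
        if ch.isdigit():
            out.append(str((int(ch) + shift) % 10))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        else:
            out.append(ch)            # separators keep the original layout
    return "".join(out)


def substitute_email(email, key=MASK_KEY):
    """Mask only the local part so the structure (a deliverable-looking address) survives."""
    local, _, domain = email.partition("@")
    return substitute(local, key) + "@" + domain


def shuffle_column(records, field, seed=0):
    """Reassign one column's values among the rows. The column's statistics survive, but
    every true value is still present, so shuffling alone does not hide the values."""
    values = [r[field] for r in records]
    random.Random(seed).shuffle(values)
    return [dict(r, **{field: v}) for r, v in zip(records, values)]


SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def redact_ssn(ssn):
    """Redaction: drop the identifying digits, keep the last four for matching."""
    m = SSN_RE.match(ssn)
    if not m:
        raise ValueError("not an SSN-shaped value")
    return f"***-**-{m.group(3)}"


def mask_records(records):
    """Apply the techniques and return a masked copy; the originals are untouched."""
    masked = shuffle_column(records, "salary", seed=42)
    for r in masked:
        r["name"] = substitute(r["name"])
        r["email"] = substitute_email(r["email"])
        r["ssn"] = redact_ssn(r["ssn"])
    return masked


if __name__ == "__main__":
    for row in mask_records(RECORDS):
        print(row)
```

The docstring on `shuffle_column` states the caveat that decides which technique to use: shuffling is fine for a test data set that must keep realistic distributions, but a column of real identifiers is still a column of real identifiers after it has been shuffled.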

Data Leakage Prevention: Data leakage prevention (DLP) is a critical component of information security management in ISO 27001. It refers to the process of identifying, monitoring, and controlling sensitive data that may be at risk of being disclosed or exposed to unauthorized parties.

To prevent data leakage, an organization can implement various technical and procedural controls such as:

  • Network segmentation: Network segmentation is a technique that divides a network into smaller subnetworks, which helps to control the flow of data between different segments. By segmenting the network, an organization can create a boundary that can be monitored and controlled to prevent unauthorized data transfer.
  • Access control: Access control is a mechanism that ensures that only authorized personnel can access sensitive data. This can be done by using strong authentication mechanisms, such as two-factor authentication, and by implementing strict access control policies.
  • Data encryption: Data encryption is the process of transforming data into an unreadable format, which can only be decrypted with a secret key. By encrypting sensitive data, an organization can prevent unauthorized access to the data in case of data leakage.
  • Data loss prevention software: Data loss prevention (DLP) software is designed to monitor and control the flow of sensitive data within an organization. DLP software can detect and prevent unauthorized data transfer, block access to unauthorized devices, and provide alerts for suspicious activities.
  • Employee training: Employees are often the weakest link in an organization’s security chain. Providing employees with regular training on data security policies, procedures, and best practices can help prevent data leakage.

Monitoring Activities: Monitoring activities are essential to maintaining the effectiveness of the ISMS and ensuring that information security risks are identified and addressed promptly. Here are some of the monitoring activities that organizations should consider while implementing controls to comply with ISO 27001:

  1. Security Incident Monitoring to identify potential threats or vulnerabilities and to take steps to prevent them from occurring in the future.
  2. Access Control Monitoring to ensure that policies are working as intended to detect and prevent any unauthorized access attempts or other security breaches
  3. Monitoring Compliance with the organization’s policies and procedures, as well as with legal and regulatory requirements 
  4. Vulnerability Scanning to identify and address vulnerabilities before they can be exploited
  5. Monitoring System Logs for unusual activity that could indicate a security breach
  6. Risk Assessment to ensure that the organization’s information security remains effective in the face of evolving threats

Web Filtering: Web filtering is a mechanism used to control or restrict access to websites and online content based on predefined policies and prevent a security risk to an organization’s information systems. It is one of the controls that can be implemented to protect an organization’s information assets from unauthorized access, use, disruption, disclosure, modification, or destruction.

ISO 27001 requires that organizations establish policies and procedures for web filtering to protect their information assets from security threats such as malware, phishing, and other cyber attacks. These policies should be designed to meet the organization’s specific security needs and regularly reviewed and updated to reflect changes in the threat landscape.

Web filtering can be implemented using a variety of techniques, such as content filtering, URL filtering, and IP filtering. Content filtering involves examining the content of web pages and filtering out unwanted or harmful content based on predefined criteria such as keywords, categories, and file types. URL filtering involves blocking or allowing access to specific websites based on their URL address or domain name. IP filtering involves blocking or allowing access based on the IP address of the user’s computer or the website they are trying to access.

Web filtering policies should be implemented to strike a balance between security and user productivity. The policies should be reasonable, effective, and practical while allowing users to access the resources they need to do their jobs. ISO 27001 also requires organizations to provide awareness training to employees on the risks associated with browsing the web and the importance of following web filtering policies.
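The three techniques named above (content, URL and IP filtering) and the allow-list that keeps users productive can be expressed as one small policy evaluator. The following Python is an added example written for this page, not databrackets code and not the configuration syntax of any web proxy. The policy, the domain names (reserved `.example` names) and the blocked network (a documentation range) are constructed; `resolved_ip` is an assumption of the example, standing in for the address a resolver returned for the host, which the caller supplies so the IP rule also covers names that point into a blocked network.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy. Domains use reserved example names; 203.0.113.0/24 is a documentation range.
POLICY = {
    "allowed_domains": {"intranet.example"},          # always allowed, evaluated first
    "blocked_domains": {"phish-demo.example", "malware-demo.example"},
    "blocked_networks": [ipaddress.ip_network("203.0.113.0/24")],
    "blocked_extensions": {".exe", ".scr", ".vbs"},   # content filtering by file type
    "blocked_keywords": {"crypto-giveaway"},          # content filtering by keyword
}


def domain_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def evaluate(url, resolved_ip=None, policy=POLICY):
    """Return (decision, reason). IP literals in the host are checked directly; for names,
    the caller passes the resolved address so a blocked network cannot be reached by name."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ("block", "no host in URL")
    if domain_matches(host, policy["allowed_domains"]):
        return ("allow", "allow-listed domain")
    if domain_matches(host, policy["blocked_domains"]):
        return ("block", f"domain {host} is blocked")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = ipaddress.ip_address(resolved_ip) if resolved_ip else None
    if ip is not None:
        for net in policy["blocked_networks"]:
            if ip in net:
                return ("block", f"address {ip} is in blocked network {net}")
    path = parts.path.lower()
    for ext in policy["blocked_extensions"]:
        if path.endswith(ext):
            return ("block", f"file type {ext} is blocked")
    lowered = url.lower()
    for kw in policy["blocked_keywords"]:
        if kw in lowered:
            return ("block", f"keyword {kw!r} matched")
    return ("allow", "no rule matched")


if __name__ == "__main__":
    for url, ip in [("https://docs.intranet.example/handbook.pdf", None),
                    ("https://login.phish-demo.example/", None),
                    ("http://203.0.113.7/update", None),
                    ("https://news.example.org/story", "203.0.113.9"),
                    ("https://cdn.example.org/setup.exe", None),
                    ("https://news.example.org/story", "198.51.100.9")]:
        print(url, "->", evaluate(url, resolved_ip=ip))
```

The `reason` string is what should land in the proxy log: a filtering decision that cannot be explained to the user who hit it is the one that generates exception requests, and the periodic review the standard asks for is easier when every block is attributed to a rule.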

Secure Coding: Secure coding is a software development practice that aims to minimize the risk of vulnerabilities and weaknesses that could be exploited by attackers. It refers to the practice of writing software code that is resilient against security vulnerabilities. 

When it comes to secure coding, ISO 27001 emphasizes the importance of incorporating security measures into the software development lifecycle (SDLC) from the outset. This means ensuring that security considerations are integrated into every phase of the SDLC, including requirements gathering, design, coding, testing, and maintenance. 

To comply with the ISO 27001 standard, organizations must implement secure coding practices that include:

  • Secure design principles: Software design must include security considerations from the outset, including secure architecture, security protocols, and security controls.
  • Threat modeling: The software must be analyzed for potential vulnerabilities and threats, and appropriate security controls must be implemented to mitigate those threats.
  • Code review: All code must be thoroughly reviewed to identify and address potential vulnerabilities and weaknesses.
  • Testing: The software must undergo rigorous testing to identify and address potential security issues before it is released.
  • Secure coding standards: Developers must adhere to established secure coding standards such as the OWASP Top 10 to ensure that the code is developed in a secure and consistent manner. 
  • Training: All developers must be trained in secure coding practices to ensure they know the latest threats and best practices.

databrackets and ISO 27001:2022 

databrackets has a team of certified ISO Lead Auditors. We are accredited to certify organizations who clear the final assessment for their ISO/IEC 27001 Certificate. However, our entire range of services for ISO 27001 includes:

  1. ISO 27001 Implementation / ISO 27001 Compliance
  2. ISO 27001 Certification
  3. Do-It-Yourself ISO 27001 assessment toolkit

All our ISO services involve the use of our secure, user-friendly online assessment platform called ‘dbACE’. On this platform we identify gap areas, prioritize solutions, and help organizations demonstrate compliance with ISO 27001 standards. We offer a ‘Readiness Assessment’ service to organizations and a separate ‘Certification’ option to organizations who are already poised to undergo the final assessment. In keeping with ISO standards, we do not offer both services to the same organization. 

To help organizations who have a strong IT team and who only need a checklist to get ready for the final assessment, we have a DIY (Do It Yourself) assessment toolkit with all the clauses and controls stipulated by ISO 27001:2022. Customers need to upload their data along with evidence and mark the clause/controls’ ‘implementation’ status for Stage 1 and Stage 2 Assessments.

Our auditors conduct an impartial assessment based on the evidence provided and record their findings on our platform. This helps them communicate the results and seek corrective measures wherever necessary – all in one location. The dbACE interface makes the turnaround quicker and saves time, effort and, thereby, costs. The documentation for the audit from start-to-finish takes place on this platform. This includes the final report that reflects the status of the customer’s adherence to ISO 27001 standards and guidelines.

Top 5 CMMC Implementation Gaps

Explore the CMMC compliance process with an RPO and avoid the top 5 implementation gaps

CMMC is a security framework that is mandatory for contractors who want to work with the Department of Defense (DoD). It is based on the US National Institute of Standards and Technology (NIST) family of standards, specifically on NIST SP 800-171. It was first introduced as a 5-tiered framework in 2020. The next version of the framework, CMMC 2.0, is currently being finalized with a 3-tiered structure and several updates.

Rulemaking for CMMC 2.0 is scheduled to be completed by the end of 2023 and it is expected to be part of DoD contracts. Organizations are encouraged to complete the implementation process before the end of 2023, to ensure they can complete the certification process in time to bid for contracts, as this requirement is phased in during FY 2024.

databrackets and Tego believe that DIB companies / Organizations seeking certification (OSCs) should be made aware of the CMMC implementation gaps, so they are able to avoid them. databrackets is en route to becoming a CMMC Third Party Assessment Organization (C3PAO) that will conduct CMMC audits and issue the CMMC certificate. This blog is part of our collaborative effort with Tego, a Registered Practitioner Organization (RPO) committed to supporting organizations in complying with CMMC 2.0 benchmarks and meeting technological and process requirements. We have also jointly presented a webinar ‘Prepare for CMMC 2.0’ to help DIB companies plan their CMMC journey.

CMMC Compliance with an RPO

A Registered Practitioner Organization (RPO) offers consulting services to help you get ready for your CMMC Certification by a C3PAO. To avoid the implementation gaps that you may encounter, let us begin by discussing the CMMC compliance journey, when you work with an RPO.

1. Pre-assessment and Gap Analysis of your existing controls against CMMC requirements
2. Creating a Plan of Action & Milestones (POA&M) to identify the steps and technology you need to address the gaps
3. Cost-benefit analysis of a CMMC Certification
4. Implementation of new controls identified in the POA&M
5. An RPO can help with steps 1 through 4.
6. C3PAO Assessment and Certification

When you engage the right RPO, and undergo a thorough pre-assessment and gap analysis, you can identify and prioritize your gaps at the outset. This saves time and helps you create plans of action and milestones (POA&Ms) that will ensure you meet CMMC benchmarks. We recommend using the CMMC framework as a risk management tool and a best practice framework as well. Once you correctly identify the gaps and fix them, your RPO should be monitoring your progress and adjusting their assessment of your security posture. Once they confirm that you are ready, you can proceed with the assessment by a C3PAO and get certified.

NIST SP 800-171 Self-Assessment

Sometimes, companies begin their CMMC journey by conducting a self-assessment using NIST SP 800-171. Typically, the scoring is inaccurate and almost always over-favors the controls in their environment. Additionally, the self-assessment may have been done by somebody who is no longer there, or by one person who did not engage the multidisciplinary inputs required for understanding the control environment. An RPO can assess your environment more accurately because CMMC 2.0 includes additional security requirements that go beyond the scope of NIST 800-171. It is important to note that identifying what you’ve done so far to evaluate yourself is a huge step forward when you undergo a pre-assessment. This not only shows maturity but also helps you when you engage an RPO.

Cost of CMMC Implementation

The cost to implement CMMC 2.0 controls depends on the size and complexity of your organization. In general, the cost depends on the scope and the controls you need to implement. The cost of the report by the RPO depends on the scope and assets while the cost of the additional controls you need to implement will depend on your environment. The best way to manage the cost is to engage an RPO and analyze your specific environment to get an idea of what the cost will be. You need to make sure there’s a business case for it, particularly if you plan to comply with CMMC 2.0 Level 2. There needs to be a reckoning with your business model. During your pre-assessment, you need to identify if it’s worth continuing business in the DIB because it is going to be a substantial investment.

Engaging with a C3PAO

As you move through that POA&M process, if they have been written correctly, you will be able to estimate when you will meet your milestones and be ready to engage a C3PAO. You don’t have to have them completed before you engage the C3PAO. In fact, as you’re moving through the plans of action with still some open, it’s recommended that you try to engage the C3PAO without losing time. When the rulemaking is finished and CMMC certification becomes a requirement, there’s going to be a rush on getting appointments with a C3PAO. Working with a good RPO can help you manage your compliance process and get confident about meeting your milestones.

Time required to comply with CMMC

While the journey to becoming CMMC compliant seems extensive, the total time required depends on the organization and whether you are aiming for CMMC Level 1 or Level 2. The total time required also depends on the size of your organization, how complex your systems are, and how much Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) you have in your environment. Some organizations only need to comply with Level 1 because they just have FCI. Others have CUI in very managed locations. Your RPO should be validating these elements, and once you’re able to identify where your CUI is, you can estimate the time it would take your organization to comply with CMMC standards. Level 1 compliance may take 2-4 months and Level 2 may take longer since it has many more controls.

Top 5 Implementation Gaps for CMMC

Understanding these nuances of the process will help you understand the top five implementation gaps for CMMC:

  1. CMMC 2.0 Standards: Understanding the actual operational requirements to meet the CMMC standards.
  2. System Security Plan: Establishing a suitable System Security Plan to meet CMMC compliance requirements.
  3. Risk Management Plan: Developing a comprehensive data security and risk management plan.
  4. Implementation: Securing the IT infrastructure and implementing the necessary security controls.
  5. Training: Educating and training users on proper security practices and procedures.

Few organizations invest time and resources to understand their operations, track where CUI is and try to manage it. The key is in understanding how protected information moves through your environment. There are a lot of ways to do it. Tego interviews various stakeholders from the organization. A roundtable discussion of who’s using CUI is always the best place to start. This includes the person who did the NIST 800-171 scoring, HR, the Heads of the lines of business, etc. RPOs also employ various tools that help you identify and then mark the CUI in your environment over time. This is critical since protected information enters and exits your environment and you need to identify where it is in your CRM, in your unstructured data etc. Most of those tools also offer additional security that can complement control requirements in CMMC.

The next critical point is establishing a suitable System Security Plan. Some organizations use NIST 800-171 to complete a self-assessment, but they don’t really embrace the framework through which they want to manage their risk. The SSP is a comprehensive plan that outlines an organization’s approach to securing its systems and protecting its sensitive information. It is a key component of the CMMC assessment process and is required for all CMMC certification levels.

The SSP must be prepared and maintained by the organization seeking CMMC certification, and it must address all aspects of the organization’s security posture, including physical security, access controls, incident response, network security, and system configuration. The SSP must also include detailed information on the organization’s cybersecurity policies, procedures, and practices, as well as any third-party service providers used by the organization. The SSP addresses completeness and eliminates big gaps. For example, if you have a network administrator do the NIST 800-171 score without complete awareness of where CUI is, which is the number one gap, you end up with organizations that lack actual alignment with NIST 800-171. We have seen a lot of things on paper where the organization hasn’t really embraced the comprehensive data security and risk management plan. Within those controls are actions that you need to take and things you need to do. Organizations who want to be CMMC compliant need to run a secure organization based on that framework.

Organizations also tend to have compliance gaps because of budgeting. Complying with NIST 800-171 and CMMC is an opportunity for organizations to refresh their security infrastructure. We have seen some neglect in this area with regard to investment in tools. Organizations need to take the time to invest in this critical update. We have had tough conversations about the cost because it can become very expensive. Planning to work with the DoD forces organizations into making an investment in their security infrastructure, to become CMMC compliant.

Lastly, educating and training security users or training users in security practice is important. Users are always the number one risk in any organization, in any context. We have seen this being neglected or lacking in organizations. Training needs to go beyond just doing phishing campaigns and an annual security awareness training.

We would also like to mention that some organizations will endeavor to manage CMMC compliance over time. While it is still recommended to maintain a relationship with your RPO in an advisory context, some organizations may want to manage day-to-day compliance with internal staff. In that case, it is recommended they get some staff members CCP Certified. Organizations can get that training through our partners. In addition to that, there are some things that may not require a CCP on the operations side, where you want individuals such as a network admin to be schooled on the specific requirements you need for network security, and we can also offer those trainings pursuant to the requirements in CMMC.

Without having CMMC compliance, you will ultimately be precluded from participating in contracts as a subcontractor or prime in the DIB. So, you’re going to have to invest your time and resources in the requirements if there’s a business case for it and embrace the fact that there’s going to be money spent. Aside from the risk of losing DoD contracts, this is a best practice framework. Alignment to it and following CMMC certification standards reduces risk in your environment too. So, there are more benefits to comply with it, apart from the revenue that could come from a DoD contract.

Engaging with an RPO for your certification efforts is recommended because the RPO has invested the time and energy to understand the specifics of CMMC and its requirements. Doing that pre-assessment gap analysis is the way to prioritize what you need to do both for certification and for risk reduction. As an RPO, Tego offers technical mitigations, which they are suited for because they are an IT professional services organization, capable of helping with a security infrastructure refresh. They’re also available to help implement controls such as network segmentation, hardware upgrades, and server OS upgrades. They extend their support with all of these under the management of the CMMC Registered Practitioners (RPs) that are on staff at Tego.

Co-Author : Greg Manson

Greg is the Vice President of Security, Audit and Compliance at Tego. He is an ISACA Certified Information Systems Auditor (CISA) and a Certified Data Privacy Solutions Engineer (CDPSE). He is a Registered Practitioner (RP) and Tego is a Registered Provider Organization (RPO). He assists many customers in the Defense Industrial Base in navigating the strict requirements of the Defense Acquisition Regulations Supplement (DFARS).

Security Tech Investments for Top 10 trends in 2023

Explore security tech investments to prevent cyberattacks from paralyzing your operations and impacting your revenue in 2023

Security Tech for top trends in 2023

How do you prevent cyberattacks from impacting your business operations? This is the big question organizations have been asking in the wake of growing cyberattacks across industries. A growing number of data breaches have led to loss of customer data, disruptions in services, significant financial losses in addition to penalties and fines by regulatory bodies, loss of brand reputation, along with a host of other damaging outcomes. As cybersecurity and compliance experts, we decided to take a preventative approach and help businesses learn about the ways they can avoid a cyberattack from paralyzing their operations and damaging their revenue.

The risk of cyberattacks has not only been growing over the last decade, it has also been well documented as a global risk, not limited by geographical boundaries, the size of the business, or the net worth of the individuals it impacts. The Global Risks Report 2020 by the World Economic Forum placed cyberattacks on critical infrastructure as the 5th top global risk in 2020. On page 63 of the report, they also mention “Cybercrime-as-a-service is also a growing business model, as the increasing sophistication of tools on the Darknet makes malicious services more affordable and easily accessible for anyone.” While we continue to explore the role of AI in contributing to security threats and security tech, we are confident that organizations will triumph by using a variety of tools that can help them safeguard critical infrastructure, customer data, sensitive information, and business operations.

Consultants at databrackets have worked with a wide variety of organizations for over a decade and helped them test their systems to meet compliance requirements and security benchmarks. With our experience across security frameworks like ISO 27001, SOC 2, HIPAA, NIST SP 800-53, NIST Cybersecurity Framework, NIST SP 800-171, GDPR, CMMC, 21 CFR Part 11 etc., we have created a list of investments in security tech to help you prepare for the Top 10 trends in 2023.

1) Creating a strong foundation for Cybersecurity

Data breaches are often linked to a weak foundation. As long as your system architecture, applications, and access management are based on a strong foundation, the possibility of a data breach is minimized. Based on our experience, we strongly recommend that you consider some of the foundational technologies listed below if you haven’t already implemented them.

Creating a strong foundation for cybersecurity

Security Tech: Multi Factor Authentication (MFA)
What is it? MFA helps you to verify the identity of the person accessing your data. It is an authentication system where a user is given access only after providing 2 or more pieces of evidence. An example of MFA is a Password / PIN along with a Code / OTP sent to your mobile number or an authenticator code generated in an app. Only a person who has both – a Password / PIN and a Code / OTP – can log in to your system and access data. This creates 2 barriers to reach data, ensuring that even if one is breached, the system protects the data from an unauthorized user. It is important to use password aging policies and regularly change the security questions in addition to MFA. Administrator accounts and personnel with access to a large amount of data and sensitive data / PII must have MFA.
Popular Brands: Microsoft Authenticator, Google Authenticator

Security Tech: Virtual Private Network (VPN)
What is it? A Virtual Private Network (VPN) is used to create an encrypted connection between a device (computer, smartphone, tablet) and the internet. It encrypts your data and communication, keeps your identity hidden and allows you to send encrypted data through a private tunnel, even when you use a public network. This helps to prevent an attack called a ‘Man in the middle (MITM) attack’. A VPN is recommended for data being sent from remote locations to the cloud or an on-prem site.
Popular Brands: Cisco AnyConnect VPN

Security Tech: Security Operations Center (SOC) & Security Incident and Event Management (SIEM)
What is it? A Security Operations Center (SOC) and Security Incident and Event Management (SIEM) are strategies used to enhance cybersecurity by actively preventing a breach by monitoring network connections. A SIEM allows you to collect and analyze log data from all your digital assets in one place. This helps you to recreate cyber incidents from the past and understand new ones, to analyze the details of suspicious activity and strengthen your level of security. A SOC helps you to prevent, detect, scrutinize, and respond to ongoing cyber-attacks. A SIEM can help you detect a breach in a few hours as opposed to the usual time of several days, sometimes exceeding 100 days. SIEM services can be expensive because they are billed based on the log data generated.
Popular Brands: Microsoft Azure Sentinel, Sumo Logic

Security Tech: Endpoint Detection and Response (EDR) & Extended Detection and Response (XDR)
What is it? An endpoint detection and response system (EDR) is a set of tools used on your devices as a final barrier. It automatically detects threats that have breached your internal security and sends you an alert. Extended detection and response (XDR) consolidates data from a variety of tools and extends the visibility, and your ability to analyze and respond, across devices / endpoints, networks, workloads and users. These security technologies not only help you to detect an ongoing cyber threat but also to stop it before it affects your IT environment. They shorten the reaction time.
Popular Brands: SentinelOne, CrowdStrike

Security Tech: Encryption
What is it? Encryption software is used to conceal information from unauthorized personnel by translating it into a code. It uses digital keys and mathematical algorithms to encode data into ciphertext. Data can be decrypted only by authorized personnel who have the key. Encryption helps you maintain data privacy, confidentiality, integrity, and the authenticity of the source from where the data originated.
Popular Brands: AES 256, AES 128, TLS 1.3

Security Tech: Data Loss Prevention (DLP)
What is it? DLP consists of a set of tools and processes to prevent the misuse, loss, and unauthorized access of information. There are 3 types of DLP software: Endpoint, Cloud, and Network. They begin by classifying the data to identify what is confidential and critical to the business. Then they identify violations of company policies for compliance benchmarks like HIPAA, GDPR, etc. They enforce remediation of vulnerabilities by sending alerts and ensuring encryption is implemented to avoid misuse of data. DLP protects data at rest and in motion in the cloud, network, and endpoint.
Popular Brands: Proofpoint, Symantec, Microsoft

Security Tech: Firewall
What is it? A firewall is a network security device. It inspects the traffic to and from a network and authorizes or restricts it based on a set of security rules. There are different types of firewalls – packet-filtering firewalls, web application firewalls, next-gen firewalls, NAT firewalls and proxy firewalls.
Popular Brands: Palo Alto, Cisco, Checkpoint

Security Tech: Cloud Storage
What is it? Cloud storage implies using ‘the cloud’ (multiple servers in a variety of secure locations) to store digital data instead of storing it on a device. This practice enables organizations to protect sensitive information more securely and ensure that it cannot be accessed, modified or deleted by unauthorized personnel.
Popular Brands: AWS, OneDrive, Google Drive

These tools create a strong security foundation and minimize the potential for a data breach by increasing the barriers for entry.
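As an added example, not code from the original page or from any of the brands listed above, the second factor described in the MFA entry (an authenticator code generated in an app) implemented in Python using the standard TOTP algorithm (RFC 6238, HMAC-SHA1, 30-second steps), combined with a password check so that both barriers must pass. The user record, password and salt are constructed for the demonstration; the Base32 secret is the published RFC 6238 test-vector key. The verifier tolerates one step of clock drift and refuses a code that has already been accepted, which is the check a practitioner most often forgets.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo values: the Base32 secret is the RFC 6238 test-vector key
# ("12345678901234567890" in ASCII); the password and salt are made up.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_SALT = b"constructed-demo-salt"
PBKDF2_ROUNDS = 100_000


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32, submitted, at_time, step=30, digits=6, window=1):
    """Return the time-step counter the submitted code matches, or None.

    A +/- `window` step tolerance absorbs clock drift between the
    authenticator app and the server. The comparison is constant-time.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    counter = int(at_time) // step
    for c in range(max(0, counter - window), counter + window + 1):
        expected = hotp(secret_b32, c, digits).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            return c
    return None


def password_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 for the knowledge factor (first barrier)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store. `last_counter` records the most recent accepted
# TOTP step so that a captured code cannot be replayed inside its window.
USERS = {
    "alice": {
        "salt": DEMO_SALT,
        "pw_hash": password_hash("correct horse battery", DEMO_SALT),
        "totp_secret": DEMO_SECRET_B32,
        "last_counter": -1,
    }
}


def verify_login(username: str, password: str, code: str, at_time: int) -> bool:
    """Both barriers must pass: knowledge (password) and possession (TOTP)."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(password_hash(password, user["salt"]), user["pw_hash"])
    counter = verify_totp(user["totp_secret"], code, at_time)
    # Evaluate both factors before deciding so the response does not reveal
    # which one failed.
    if not pw_ok or counter is None:
        return False
    if counter <= user["last_counter"]:
        return False  # code already used in this or an earlier step: replay rejected
    user["last_counter"] = counter
    return True


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    print("current code for alice:", code)
    print("login ok:", verify_login("alice", "correct horse battery", code, now))
    print("replay ok:", verify_login("alice", "correct horse battery", code, now))
```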

2) Stronger cybersecurity regulations

With the increased complexity of cyberattacks, regulatory authorities are aware of compliant organizations whose security has been breached. This points to the need to enhance security benchmarks and we foresee tightening of regulations and compliance benchmarks. To keep up with this trend, we recommend implementing and strengthening your GRC Program with high visibility for stakeholders and management. This will help management to know the level of security they will be committing to customers when they sign contracts, and what they need to implement and comply with. An integrated governance, risk and compliance program will also take into account the law of the land across countries and states. While there may be overlaps between security regulations, identifying the key regulatory requirements, being able to conduct a comprehensive assessment, identifying the gaps, and having a remediation program will be critical.

3) Continuous Compliance & Security Monitoring

With the growing trend of cyberattacks infiltrating an organization’s systems from multiple sources, there is a need to constantly monitor all security controls and ensure they are functioning at optimal capacity. Attacks today are often disguised as legitimate emails, links, messages and data which can be very destructive once they enter your systems. Without tools to check the contents of every byte and security controls to monitor every aspect of your IT architecture, 24/7, it may be difficult to protect sensitive information and stay compliant with security benchmarks. This is even more vital for organizations with data in the cloud. You may lose revenue not just due to a cyberattack but also from fines, penalties, loss of brand reputation and termination of contracts. It is critical to prove that your systems were compliant with all the security controls promised to customers at the time of the attack. This is where continuous compliance platforms come in since they are automated and mapped to the controls of security frameworks.

Continuous compliance and security monitoring software is offered by a variety of GRC platforms. They map the controls of security and privacy frameworks like ISO 27001, SOC 2, HIPAA, GDPR, NIST etc. and link them to the various tools in your system. They monitor deviations and send alerts about breaches and about possible loopholes that need to be patched. While organizations can use automated cloud monitoring tools offered by AWS Security Hub, Microsoft Sentinel etc., there is a need to expand your scope and review your risk management plan. An integrated GRC platform that is built to showcase your compliance with security and privacy frameworks goes beyond cloud monitoring tools and helps you review your risk management plan on a regular basis and maintain updated reports about how your controls are performing vis-à-vis what is expected. These reports become your evidence documents and help you with audits and customer requests.

4) Managing hybrid & remote work environments

Insider threat is one of the greatest risks to security as seasoned hackers come up with newer ways of targeting employees, vendors and consultants who work closely with sensitive data. This threat gets magnified in hybrid and remote work environments, which have become the new normal after the Covid-19 pandemic. Organizations can invest in information, training, and security tech to ensure a high level of security in this new normal. Some key investments are:

1. Review the BYOD Policy and Technology: While several organizations pivoted during the pandemic by using BYOD policies to support employees working from home, this measure is fraught with security risks. One way to make it more secure is to enable the IT team to use a secure enclave on the business network that separates business data and customer data from non-critical resources. Additions to the BYOD policy also need to cover MFA, increased security awareness training, encryption of devices, the use of firewall(s) managed by the organization, EDR and XDR, mandatory use of a VPN, and Cloud Storage. Organizations can also add SIEM, SOC and DLP to ensure that every device that accesses sensitive information has a benchmarked level of security.

2. Increase the frequency of Security Awareness Training: People have been found to be the weakest link in cybersecurity. Technology cannot alter its behavior since it functions as per its programming. However, people, specifically employees, vendors, suppliers, and anyone who has access to sensitive information, can behave differently depending on how well they are trained. This puts the onus on companies to train their staff more frequently and to evaluate them frequently to make sure they understand the intent of the training. Companies also need to identify the areas where training isn’t adequate and then retrain staff to ensure they are sufficiently equipped to handle any kind of incident. You also need to update the security awareness training at regular intervals to include new threats that are gaining momentum and prepare your team to prevent a security incident.

3. Create a strong foundation for cyber security on personal devices: Using security tech for off-site work ensures that sensitive information is accessed and used with the same level of cyber hygiene as if the staff were on-site. We recommend the following tools to effectively manage remote and hybrid work.

  1. Multi Factor Authentication (MFA)
  2. Cloud Storage
  3. Firewall
  4. Virtual Private Network (VPN)
  5. Encryption of personal devices
  6. Endpoint detection and response (EDR) and Extended Detection and Response (XDR)

These tools help to create a level playing field and allow work to be done from any location. Encryption helps the IT team to erase the data and take control of the data if the device is lost.

5) Business Continuity Planning (BCP)

In 2022, extreme weather led to 18 disasters in the US including floods, droughts, storms, and wildfires. This cost the economy $165bn in damages. Of these, Hurricane Ian in Florida cost $112.9bn in damages. Apart from the severe economic loss, several thousand businesses were disrupted. The disruption in business operations has been growing since the start of the Covid-19 pandemic in March 2020, with the continuation of natural disasters in 2020 and 2021 along with the growing number of ransomware attacks. This has reached unprecedented limits since it is no longer restricted to the geographical boundaries of some countries.

To cope with this new normal, organizations need to build resiliency in their infrastructure and invest in business continuity planning. The plan needs to include all 3 pillars – People, Process and Technology – perfectly aligned to respond during disruptions. They need to build in redundancy with support resources as well, to manage any shortfall. They also need to go beyond having a plan and invest in a series of backups that can be accessed securely when the disruption occurs. They need to test the plan, run simulations, and make sure it works. The transition from regular business operations to the backup systems needs to be seamless.

6) Cyber Insurance

Cyber Insurance, as an industry, has been growing exponentially. According to a report by Verizon, ransomware attacks have grown by 13% in 2022, which is more than in the last 5 years combined. Organizations have begun to accept that these targeted attacks are no longer aimed at specific industries or large organizations. SMBs are just as likely to be targeted as large enterprises. A data breach leads to a loss of revenue, loss of trust from customers and a negative impact on your brand reputation along with fines and penalties by regulatory authorities. Cyber Insurance has been a panacea to protect the organization’s bottom line from some of these.

We recommend organizations learn about the eligibility criteria to get cyber insurance and manage their infrastructure and controls to meet these guidelines. Having a strong foundation for Cyber Security with MFA, Access Management, Identity and Authentication controls, Encryption, Cloud Storage, VPN and Firewalls is the starting point. Organizations should also undergo a comprehensive Security Risk Assessment with a detailed Vulnerability Assessment and Penetration Testing. This helps to find the loopholes in your systems, so you can patch them before they are compromised. A positive report from such an analysis is usually one of the key documents that underwriters require for cyber insurance.

7) Vendor Security and Third-party Risk Management

Vendors, suppliers and third parties present a significant risk to an organization’s IT infrastructure. They have access to organizational data that needs to be regulated. One way to ensure that they meet high security benchmarks, is to ensure they have an ISO 27001 or SOC 2 Certification and to ensure their involvement is limited to secondary functions not the core business. Outsourcing can be efficient when it is managed, and security guidelines are made mandatory.

As part of a strong vendor management program, we recommend creating a list of all vendors and categorizing them based on their involvement in the business and access to data. Vendors who are categorized as high risk and medium risk should be monitored more closely, regularly audited and they should also be required to publish their security guidelines.

8) Implementing SOC & SIEM

A Security Operations Center (SOC) and Security Incident and Event Management (SIEM) are tools that help an organization create a strong foundation for cyber security and actively prevent a breach by monitoring network connections. A SIEM platform allows you to collect and analyze log data from all your digital assets in one place. This helps you to recreate cyber incidents from the past and understand new ones to analyze the details of suspicious activity and strengthen your level of security. A SOC helps you to prevent, detect, scrutinize, and respond to ongoing cyber-attacks.

They help you analyze logs in real time and identify a breach before it occurs. They offer the option of an automated response to deviations based on established security parameters. This goes beyond automated alerts and allows you to respond in time. SIEM can help you detect a breach in a few hours as opposed to the usual time of several days, sometimes exceeding 100 days.

SOC and SIEM are not only becoming must-haves for cyber security, key tools in your arsenal against a hacking attempt, but also an integral part of regulatory compliance. Security frameworks have begun including them to ensure that cyber hygiene keeps up with the dynamic and complex nature of cyber-attacks today.

9) Hiring a CISO

A Chief Information Security Officer is primarily responsible for managing the data security, privacy, regulatory and compliance requirements in accordance with the state, federal and international laws, as applicable. Large enterprises usually have in-house intelligence to ensure their investment in security tech is based on best practices, and their CISO is the strategic head for those decisions. SMBs can benefit from this strategic guidance and manage their investment in security tech effectively by hiring a CISO on a part-time basis. While cloud providers have several security features built into their services, the entire landscape of business operations is vast and has many loopholes that need to be protected. Hiring a CISO is a move that not only assures customers, but also helps companies stay up to date on their security investments.

10) Getting a Security or Privacy Certification

Security and Privacy certifications are highly valued by customers, partners and potential investors. Organizations have begun asking for certifications like ISO 27001, SOC 2, NIST Cybersecurity Framework etc. in their RFPs and RFQs. It is becoming the norm since these benchmarks confirm the level of cyber hygiene their systems and data will be exposed to. These certifications also help you answer vendor questionnaires that run into hundreds of pages, since the final report has a detailed analysis performed by independent and authorized personnel. Reviewing the final report is easier for your customer than going through every response in a vendor management questionnaire. We recommend getting a Security or Privacy certification not just for the competitive edge they give you, but also for the guidance about the security tech you need and the planning involved in streamlining your processes and building resiliency in your business operations. While the initial cost of meeting these benchmarks is high, in the long run, they support revenue generation and result in a high return on investment.

Can databrackets help you with security tech investments?

Experts at databrackets have extensive experience in helping organizations align their processes with security frameworks like ISO 27001, SOC 2, HIPAA, NIST SP 800-53, NIST Cybersecurity Framework, NIST SP 800-171, GDPR, CMMC, 21 CFR Part 11 etc. We are constantly expanding our library of assessments and services to serve organizations across industries. If you would like to connect with an expert to better understand how we can customize our services to meet your specific requirements, do not hesitate to schedule a consultation.

Related Links:

SOC 2 Type 2 Audit for SaaS Companies

Explore the SOC 2 Type 2 audit process, readiness tips, cost of SOC 2 certification and frequency of SOC 2 certification for SaaS Companies

SOC 2 Type 2 Audit for SaaS Companies

Getting a SOC 2 Type II Report can be a game-changer for a SaaS Company. It can transform how you respond to RFQs and how you assure potential leads that your systems are secure. Most SaaS companies view the cost of a SOC 2 Certification / Examination as an investment in their future revenue. They plan meticulously to succeed in their SOC 2 audit and stay certified.

A SOC 2 audit is conducted by an authorized CPA firm or SOC 2 auditor that you select. During your SOC 2 audit, they assess the design and performance of your internal controls at a point in time or over a defined number of months. During the audit period they take a sample to test the end-to-end performance of these controls and report their findings. The results of the audit and the effectiveness of the controls are outlined in the SOC 2 audit report. This helps clients and business partners understand which Trust Services Criteria your systems adhere to. By staying SOC 2 certified, you can continue to assure stakeholders of the value of working with your company.

Preparing for your SOC 2 audit

SaaS companies begin preparing for their SOC 2 audit by implementing the internal controls that are important to their clients. They gather evidence and documentation and look for a SOC 2 auditor who understands their industry and customer requirements. One way to verify the authenticity of the CPA Firm / SOC 2 auditor is by checking the AICPA’s Public File Search.

As you prepare for your SOC 2 Type II audit, or during the audit itself, you may face challenges with your SOC 2 auditor that can be avoided. One such confusion is with regard to the Trust Services Criteria.

Are you expected to follow all the Trust Services Criteria?

AICPA has outlined 5 Trust Services Criteria as part of the SOC 2 framework – Security, Availability, Confidentiality, Privacy and Processing Integrity. However, any organization that wants to get SOC 2 certified is allowed to select the criteria they want and implement the respective internal controls. During the SOC 2 audit, your auditor is only expected to review the criteria that you have selected. They cannot ask you to comply with more criteria than the one(s) you have selected.

Typically, a SaaS company may choose to implement the following Trust Services Criteria:

  1. Security: This focuses on protecting information and all systems from unauthorized access.
  2. Availability: This focuses on the resiliency of the infrastructure, information and software.
  3. Confidentiality: This refers to the company’s ability to restrict access and ensure that data is disclosed only to authorized personnel or organizations.

They may also choose to implement certain controls under the remaining 2 criteria if their clients require it.

  1. Privacy: This addresses the organization’s ability to protect Personally Identifiable Information (PII) and ensure that it cannot be used to identify any individual. Privacy as a TSC is primarily essential for Direct to Consumer engagement.
  2. Processing integrity: This verifies whether the systems achieve their purpose – the delivery of complete and accurate data, within the correct timeframe and level of access.

What happens in a SOC 2 audit of a SaaS company?

A SOC 2 audit only begins when all the controls are in place and all aspects of information security are performing as designed. To check their level of preparedness, SaaS companies may opt for a SOC 2 Readiness Assessment. This can be a failsafe option since all the controls are tested and evidence is systematically organized and checked by a consultant. You get an opportunity to plug the gaps, complete your evidence collection and begin writing the ‘Management’s Assertion’. This section is submitted by the company to the SOC 2 auditor and included in your SOC 2 Report. During this time, you can also vet potential SOC 2 auditors and finalize the scope of your engagement.

Once you select your auditor, discuss your engagement and finalize your scope, the audit period begins on the date decided by the SOC 2 auditor. The first SOC 2 examination period is usually 3-6 months. The company cannot modify any process during the audit period. The start date of a SOC 2 audit is in the future, and it is shared with the CPA firm. Performance evaluated outside of the SOC 2 audit period cannot influence or be part of the SOC 2 report.

The audit period begins with the auditors collecting evidence for all the controls and for some controls with populations, selecting a random sample from a population of data, based on AICPA Guidelines and scientific sampling principles. During the SOC 2 audit, auditors observe security controls in action as they relate to the random sample. The company is expected to showcase evidence and confirm that all the controls have been designed and implemented per intent. If controls are implemented correctly and the company is SOC 2 ready, customer data is protected, and no violation is observed. The absence of activity during the audit is a sign of success since it implies that all aspects of data protection are in place. The testing of the controls starts immediately after the audit period ends. The sample’s test results are included in the SOC 2 report.

How is a SOC 2 Type II audit different for a SaaS Company?

Physical security controls may not be applicable for a SOC 2 certification / examination of a SaaS company because the tech infrastructure is hosted with a Cloud Service Provider. Since SaaS companies outsource it to a third party, that party is responsible for it. As a result, an on-site audit may also be optional for a SaaS company.

Your SOC 2 audit might also include reviewing the SOC 2 reports of your vendors and partners. Your SOC 2 auditor might verify and validate CUECs of your vendors as well.

How regularly are you required to perform a SOC 2 audit?

A SOC 2 report is valid for 12 months. SOC 2 audits are conducted every 12-18 months to help you stay certified. You reserve the right to change your SOC 2 auditor after every engagement and to modify the Trust Services Criteria during each SOC 2 audit. In our experience as SOC 2 Readiness Assessment consultants, we have observed that SaaS companies usually add controls and criteria while continuing to implement previous controls. They also tend to improve the way they structure and gather evidence to reduce the amount of time and effort during each SOC 2 audit.

What is the cost of a SOC 2 Certification / Examination?

The cost of a SOC 2 certification can be divided into 2 sections:

Cost of SOC 2 Readiness Assessment: Consultants who specialize in preparing firms for SOC 2 can help you design / implement new controls, draft and implement policies and procedures, provide customized staff training, review your evidence documents and help you draft the ‘Management’s Assertion’. They can also help you streamline the Complementary User Entity Controls (CUECs) that your customers will need to have in place to use your services properly. Some examples of CUECs are password complexity, time-out parameters and MFA. These have to be set up by the customer, not necessarily the SaaS company. The client and the SaaS company share the responsibility to ensure security. The SaaS company is responsible for defining CUECs clearly and your customer is responsible for implementing them.

Working with a SOC 2 readiness partner who has previous experience in your industry can also help you streamline the Trust Services Criteria that will be important to your clients. This will help you plug any gaps and not only help you prepare for your SOC 2 audit but also for the RFQs where you will include your SOC 2 Report. A typical SOC 2 engagement for readiness could cost anywhere from USD 10,000 – 50,000.

Cost of SOC 2 Certification / Examination: A SOC 2 examination by a CPA firm could cost anywhere from USD 15,000 – 30,000 depending on the trust services criteria you select. However, the price should not be the predominant factor that influences your decision. A SOC 2 auditor who understands your industry will be able to clearly mention the Complementary User Entity Controls (CUECs) in the SOC 2 Report. These controls are intended for your customer – the actual consumer of the SOC 2 report. They inform your customer about the controls they need to implement in their systems to properly use your services. You also need to read the fine print that is part of the engagement contract and ensure that you are not legally obligated to work with the same SOC 2 auditor or authorized CPA firm for the next few years.

The ideal SOC 2 auditor is the one who respects your selection of the Trust Services Criteria, understands what your customers need to know and ensures that your scope is clearly mapped before the engagement begins. You can review some recommendations to help you avoid challenges you may face with a SOC 2 auditor.

How databrackets can support your SOC 2 Journey?

Experts at databrackets have extensive experience in supporting organizations that align their processes with AICPA’s Trust Services Criteria and prepare for a SOC 2 Audit. If you would like to connect with an expert to better understand SOC 2 and plan your SOC 2 journey, do not hesitate to schedule a consultation.


Challenges you may face with a SOC 2 auditor

Explore some challenges you may face with your SOC 2 auditor and discover ways to avoid them

A SOC 2 certification / examination is pursued by service organizations who want to prove to potential customers that they can manage their data effectively. Typically a SaaS provider, Managed Service Provider (MSP), network service provider or other service provider selects an authorized CPA firm, and an authorized SOC 2 auditor in it, to audit their system. Usually, the process is smooth if they go through a readiness prep assessment and then select a SOC 2 auditor who is familiar with their industry and customer requirements. However, sometimes you may find yourself in a difficult situation during your SOC 2 audit and may want to consider changing your SOC 2 auditor.

A SOC 2 examination can be time consuming, and you can exceed your budget if it is not systematically planned. Sometimes, the challenges may arise from within the company and can lead to a blame game with the auditor. We highly recommend undergoing a SOC 2 readiness assessment, getting organized and vetting your SOC 2 auditor, to avoid such an occurrence.


Challenges you may face with a SOC 2 auditor:

1) Lack of engagement overview & scope analysis

Your SOC 2 audit can be a relatively seamless experience when your evidence matches the SOC 2 controls and the Trust Services Criteria you want audited. After you agree on the scope of the audit and your customer requirements, it is up to the SOC 2 auditor to discuss all the steps involved and the evidence that you will be required to submit. If the scoping is not clearly defined at the start, the auditor can go out of scope. This can be particularly confusing for companies that are new to SOC 2 and need a proper orientation to the process. The process has to be mature, and you need to gauge the process maturity of the CPA firm before finalizing your contract to work with them.

SOC 2 audits need to be conducted annually. As a result, some CPA firms also mandate the continuity of work for 3-5 years in their contracts. The SOC 2 framework and AICPA do not mandate continuing with the same SOC 2 auditor after you complete your engagement. This is yet another area of conflict that needs to be discussed at the outset, so you are well-informed before you sign your contract to work with the authorized CPA firm.

There can be several pitfalls and unnecessary obstacles in your SOC 2 journey if your initial discussions are not thorough and if your auditor does not guide you properly. This is the root cause for most of the challenges you may face. We recommend that you review the rest of the challenges and draft a set of questions to vet the SOC 2 auditor before you finalize who will conduct your SOC 2 audit.

2) Time

The time spent with a SOC 2 auditor can seem excessive and hamper your ability to manage daily business operations. This can be challenging since the auditor might request a lot of information for the SOC 2 report, which you may not know is required. For example: documented proof of the management’s engagement on security issues. Proving this can involve going through several meeting documents. Audit time is not defined for a SOC 2 examination as it is for an ISO certification and this might result in unpleasant surprises for your team.

Additionally, some auditors share a spreadsheet and ask you to email evidence documents. This system can be chaotic since you need to see the correlation between the controls and the evidence / documents.

One solution we recommend is engaging the services of a SOC 2 readiness assessment partner, like databrackets, to help you get organized before your engagement with an auditor. At the outset we invite you to share your evidence on our platform as per the controls and corresponding Trust Services Criteria you have selected. This helps you to work systematically and share the evidence further with your chosen auditor. A SOC 2 readiness assessment not only helps you to save time and effort but also ensures that you have someone to check your evidence / documents and share feedback before the actual SOC 2 audit.

3) Lack of Industry Knowledge

The purpose of a SOC 2 examination / SOC 2 certification is to prove to your customers that your systems will effectively manage their data. However, at times, your SOC 2 auditor may not be familiar with your industry, day-to-day operations, SLAs and customer expectations. As a result, they may not be able to produce the kind of report that meets your customers’ expectations. This defeats the purpose of getting certified and could lead to frustration since the actual consumer of the SOC 2 report is your customer / stakeholder. If they do not get the impression that you are the right vendor for them after reading the report, the whole exercise will seem counterproductive.

Lack of industry knowledge also impacts a critical part of the report – Complementary User Entity Controls (CUECs). We have discussed this at length in the next section.

4) Unclear Complementary User Entity Controls (CUECs) in the SOC 2 Report

A customized SOC 2 report clearly outlines the Complementary User Entity Controls or CUECs in the description of the customer’s system. These controls are intended for your customer – the actual consumer of the SOC 2 report. They inform your customer about the controls they need to implement in their systems to properly use your services.

A SOC 2 auditor who is familiar with your industry can explain these CUECs in the SOC 2 Report. This is critical since the level of security, availability, privacy, confidentiality and processing integrity of your system can only be maintained when it is properly configured in the systems used by your customer. If your SOC 2 auditor does not understand your service requirements and which CUECs are critical in your industry, you may receive a SOC 2 report that does not satisfy your customers or meet your objectives.

5) Selective examination of Trust Services Criteria

The SOC 2 framework permits clients to focus on the Trust Services Criteria which they want audited and exclude the rest. This flexibility exists because the SOC 2 Report states at the outset which criteria and controls are being examined and then shows whether they function at optimal levels or not. By using this method, the client’s customers are informed and empowered to decide whether to work with the client or not. While this is the ideal situation, if your SOC 2 auditor is unwilling to accept your decision, even when the rules permit it, you may face a difficult situation. Your SOC 2 auditor may insist on an audit of all the Trust Services Criteria and not respect the flexibility accorded by the SOC 2 framework.

6) Hidden Costs and Additional Expenses

SOC 2 audits are done by authorized CPA firms who may have sister concerns or partners who offer other services which may be helpful to your company. Sometimes, your SOC 2 auditor may try to up-sell / cross sell these services aggressively, under the guise of good advice. This can lead to a conflict and unplanned expenses.

Before your SOC 2 audit, you may also be advised to undergo penetration testing to check the security of your systems. This can be yet another hidden cost, which you can predict with a SOC 2 readiness assessment.

Each of these challenges is severe and it is important to avoid the possibility of going through any of them. Through this blog, we hope that you have been empowered to foresee potential pitfalls, vet the SOC 2 auditor in the introductory meeting, ask for a sample report for your industry, review the terms of the contract you will sign and follow up on their references before you begin your engagement.


Anatomy of a Ransomware Attack and Lessons Learned

Anatomy of Kaseya ransomware attack and lessons learned : Zero Trust Security

The average ransomware attack caused $1.85 million in losses to the company in 2021, up 41% from 2020. This estimate factors in the amount paid, downtime, expense for IT technicians, device cost, network cost, lost opportunity, and more. Leadership turnover is another cost that few companies consider; after a ransomware attack, 32% of C-level employees leave. Also, 80% of targeted organizations are re-attacked.

What is Ransomware?

Malicious software, known as “malware,” encompasses all computer-harming software like Trojans and viruses. These attacks take advantage of weaknesses in people, systems, networks, and software to infect a victim’s computer, printer, smartphone, wearable, or other endpoints. Ransomware is a type of malware that uses encryption to lock a user out of their files, then demands payment to unlock and decode them. Instructions on the amount and how to pay are displayed, generally ranging from a few hundred to thousands of dollars in Bitcoin. The attacker often gives the target a limited amount of time to make a payment before all data is destroyed.


Kaseya’s VSA Mass Ransomware attack


Kaseya VSA is an RMM (Remote Monitoring and Management) system that keeps tabs on your network from afar. Managed service providers use it to manage their customers’ computers, servers, networks, and related infrastructure, including email, phones, firewalls, switches, and modems. Endpoints, such as client workstations and servers, have the RMM agent installed. This program allows MSPs to manage and monitor their platforms from a single location, saving time and money.

Kaseya serves 35,000 companies. These include 17,000 managed service providers, 18,000 direct or VAR (Value-Added Reseller) customers, and many end users at their supported enterprises.

The number of companies using Kaseya software and the potential levels of access have made this one of the most popular targets for ransomware attacks. Threat actors who target Kaseya VSA have a vast attack surface.

The Attack

What happened to Kaseya?

In July 2021, the REvil ransomware gang used Kaseya VSA remote monitoring and management software to lock up 50 to 60 MSPs and their clients.

Who was affected by the attack in Kaseya?

The Kaseya ransomware attack hit over 50 MSPs and between 800 and 1500 businesses.

Consider that these 37,000 customers are only 0.001 percent of Kaseya’s total. This may seem to be a small number, but when one managed service provider (MSP) is breached, it has a knock-on effect on all the other businesses it serves. The impact can spread quickly once it gains momentum, and reports have shown that it can take weeks or months for the full effects of an attack to become apparent. The initial fifty managed service providers (MSPs) could quickly balloon into the hundreds, and affected companies can easily grow into the thousands.

Does anyone know who launched the Kaseya cyberattack?

The ransomware attack on Kaseya was carried out by the REvil RaaS group, also known as Sodinokibi.

Ransomware-as-a-Service (RaaS) groups of the criminal underworld let anyone who wants to hold a company for ransom use their services. This group is responsible for around 300 ransomware campaigns every single month. The key driver is financial motivation.

The Trigger

What Was the Root Cause of the Kaseya Cyber Attack?

REvil used zero-day exploits to get into Kaseya’s VSA Software as a Service (SaaS) platform and spread malicious software to its customers and systems. Ransomware actors then exploited the weakened systems to encrypt all data.

Kaseya’s managed service provider (MSP) customers have the Kaseya VSA agent (C:\Program Files (x86)\KASEYA\<ID>\AGENTMON.EXE) installed on their computers.

This component is accountable for retrieving data from remote Kaseya servers. This agent pulls from Kaseya’s cloud servers.

Threat actors circumvent security by signing malware. The malware installers masked themselves as Kaseya traffic: because the malware was wrapped inside Kaseya’s platform, it carried the platform’s signature. Thus, the malware could bypass all protections on clients’ systems.

Huntress and others in the industry say that the ransomware attack chain included an authentication bypass, arbitrary file upload, and remote code execution.

How did hackers get the information to overcome authentication?

After exploitation, the first malicious request was made to the public-facing file /dl.asp.

This file had an authentication logic problem. The end user could connect with a valid Kaseya agent GUID but no password. Without a password, the actor might access further authentication-required services.

The attack analysis showed malicious access with a unique agent GUID. The threat actors merely knew agent GUIDs. No logs showed failed attempts.
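The authentication logic problem described above (a known agent GUID accepted without a password, and no failed attempts in the logs) is easiest to see in code. The block below is an added illustration, not Kaseya’s code or anything from the Huntress analysis: the registry class, the check-in function names, the password storage scheme and the 15-character GUID alphabet are all assumptions made for the example. It places the flawed check beside a hardened one that requires both credentials, treats every failure the same way, and writes an audit record so that an actor holding only a GUID is both rejected and visible.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Hypothetical agent check-in authentication (constructed example, not Kaseya's
# code). Names, storage schema and GUID format are assumptions.

_ALPHABET = string.ascii_uppercase + string.digits


def new_agent_guid() -> str:
    """Random 15-character identifier, unrelated to the hostname."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(15))


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored digest is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class AgentRegistry:
    """Server-side store of registered agents: GUID -> (salt, password digest)."""

    def __init__(self) -> None:
        self._agents = {}
        self._dummy_salt = secrets.token_bytes(16)  # keeps timing uniform for unknown GUIDs
        self.audit_log = []  # (outcome, guid, detail) tuples

    def register(self, guid: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._agents[guid] = (salt, _derive(password, salt))

    def authenticate_vulnerable(self, guid: str, password: Optional[str] = None) -> bool:
        # Flawed logic: knowing a valid GUID is enough. The password is only
        # verified when the caller sends one, so a missing or empty password
        # passes, and the bypass leaves no failed-attempt record behind.
        record = self._agents.get(guid)
        if record is None:
            return False
        if password:
            salt, digest = record
            return hmac.compare_digest(_derive(password, salt), digest)
        return True

    def authenticate_hardened(self, guid: str, password: Optional[str] = None) -> bool:
        # Both credentials are mandatory. Unknown GUIDs, missing passwords and
        # wrong passwords all take the same path, and every attempt is logged.
        record = self._agents.get(guid)
        salt, digest = record if record is not None else (self._dummy_salt, b"")
        supplied = _derive(password or "", salt)
        ok = record is not None and bool(password) and hmac.compare_digest(supplied, digest)
        self.audit_log.append(("auth_ok" if ok else "auth_failed", guid, "guid+password checked"))
        return ok


def demo() -> dict:
    """Constructed scenario: one registered agent and an actor who knows only its GUID."""
    registry = AgentRegistry()
    guid = new_agent_guid()
    registry.register(guid, "correct horse battery staple")
    return {
        "vulnerable_guid_only": registry.authenticate_vulnerable(guid),
        "hardened_guid_only": registry.authenticate_hardened(guid),
        "hardened_full": registry.authenticate_hardened(guid, "correct horse battery staple"),
        "hardened_wrong_password": registry.authenticate_hardened(guid, "wrong"),
        "hardened_unknown_guid": registry.authenticate_hardened("NOTREGISTERED01", "x"),
        "failures_logged": sum(1 for e in registry.audit_log if e[0] == "auth_failed") == 3,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the hardened variant is not the hashing but the control flow: the password check is unconditional, the "unknown GUID" and "bad password" outcomes are indistinguishable to the caller, and a rejected check-in always produces a log entry, which is exactly the evidence that was missing in the analysis above.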

How did threat actors get a unique Agent GUID?

The agent GUID is a random 15-character string unrelated to the hostname. The event logs showed no Agent GUID or display name brute-forcing attempts.

There may be a few alternatives.

  1. A valid Agent GUID was guessed by the threat actors.
  2. Threat actors created a “rogue” agent with a new agent GUID.
  3. Threat actors stole an agent GUID from a host running the VSA agent.
  4. Other vulnerabilities leaked Agent GUIDs.
  5. Agent GUIDs and display names were publicly available.

If the threat actor only had Agent GUIDs, it would be tougher to match them to the organization.

What are the indicators of compromise?

A collection of these technical details and Indicators of Compromise (IOCs) has been made available by Kaseya. This list includes network, endpoint, and web log indicators.

The Response – Aftermath

Didn’t Kaseya Close Everything?

Kaseya disabled the VSA SaaS platform so its customers wouldn’t be exposed to malware. Then, they enlisted the support of the FBI, CISA, and third-party suppliers like Huntress and Sophos to deal with the problem. The corporation has also assumed the duty of communicating this information to its clients. MSPs themselves have a responsibility to inform their clients about the attack. Part of this process is actively looking for the signs of compromise that Kaseya has published. After spotting the threat, Kaseya shut down their VSA SaaS platform and directed clients to shut down their on-premises servers at 1400 ET. This might explain why so few VSA customers were affected by a vulnerability that was so big and widespread.

Did Kaseya pay the ransom?

Kaseya denies paying the REvil cybercrime organization as it distributes a ransomware decryptor. Kaseya announced on July 22 that it had gotten a decryption tool from a “third party” and was working with Emsisoft to restore affected organizations’ environments. The update sparked speculation about the identity of the unnamed third party, with Allan Liska of Recorded Future’s CSIRT team speculating that it was a disgruntled REvil affiliate, the Russian government, or Kaseya themselves who had paid the ransom.

On July 13, REvil’s dark web domains stopped working, which supports the idea that the universal decryptor key was given to law enforcement. The cybercrime group initially asked Kaseya for $70 million but lowered its price to $50 million. Kaseya said, “the decryption tool has proven 100% effective at decrypting files that were entirely encrypted in the attack.”

What Are the Payment Terms for Ransomware?

The ransom demanded from each victim ranges from $50,000 to $5 million.

However, there is also a $70 million master key available as part of a bundled deal paid in Bitcoin.


Has there ever been a larger ransomware attack than this one?

The criteria for the “largest” ransomware assault include the following three elements, which are also factors to consider when negotiating a ransom:

  • Ransom demand
  • Number of systems affected
  • Total damage

WannaCry was the biggest ransomware attack in terms of how many computers were affected. It affected 230,000 machines in 150 countries, but the total ransom was only $130,000. Experts in cyber security have put the cost of the WannaCry assault anywhere from the hundreds of millions in July 2021, including a multinational software company called Kaseya. The department also said that it had seized $6.1 million in funds that may have been used to pay a ransom to Yevgeniy Polyanin, a Russian citizen who is 28 years old and is accused of using Sodinokibi/REvil ransomware attacks on multiple businesses and government agencies in Texas on or around August 16, 2019. According to the accusations, Vasinskyi and Polyanin infiltrated the internal computer networks of many victim companies and encrypted their data with Sodinokibi/REvil ransomware.

Lessons Learned

How can businesses safeguard themselves against or lessen the impact of Ransomware?

Most ransomware attacks can be avoided or minimized by

  • Implementing user education and training
  • Automating backups
  • Minimizing attack surfaces
  • Developing an incident response plan
  • Investing in an EDR tool and MDR
  • Purchasing ransomware insurance
  • Storing physical and remote backups
  • Implementing zero-trust security

It’s important to have both local and remote backups, since backups stored in the cloud can also be attacked. Attacks like Kaseya can cause less damage when there are business continuity plans and regular backup testing.

Zero-Trust should be implemented.

Zero-trust security can mitigate ransomware attacks. Unlike traditional perimeter models, zero trust treats the entire world as its boundary: nothing is trusted by default, so every interaction between a program, the device it runs on, and the user has to be verified. You can control the channels through which they are allowed to communicate and the privileges they have when doing so. In a zero-trust setting, the attacker has much less room to move around, no matter how they got into your system in the first place.
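The following block is an added illustration of the zero-trust idea in the paragraph above, not code from databrackets or from any vendor product: a default-deny policy in which every request is evaluated on its own against an explicit rule naming the user, the device it comes from, the device’s posture, the resource and the action. The users, devices, resources and rule table are constructed for the example. The helper at the end shows why this limits an intruder’s room to move: holding one user and one device identity reaches only what the rules grant that pair, regardless of where on the network the request originates.

```python
from dataclasses import dataclass

# Constructed zero-trust policy example (not from the original post). Users,
# devices, resources and the rule table are assumptions made for illustration.


@dataclass(frozen=True)
class Request:
    user: str
    device: str              # identity of the device the request comes from
    device_compliant: bool   # posture check result (patched, EDR running, disk encrypted ...)
    resource: str
    action: str


# Explicit allow-list: (user, resource, action) -> devices permitted to make that
# request. Anything not listed is denied; being "inside the network" grants nothing.
POLICY = {
    ("alice", "hr-db", "read"): {"alice-laptop"},
    ("alice", "git", "read"): {"alice-laptop"},
    ("bob", "git", "read"): {"bob-laptop"},
    ("svc-backup", "backup-server", "write"): {"backup-agent-01"},
}


def authorize(req: Request):
    """Evaluate a single request; returns (allowed, reason). Nothing is cached."""
    devices = POLICY.get((req.user, req.resource, req.action))
    if devices is None:
        return False, "no rule for this user, resource and action"
    if req.device not in devices:
        return False, "device is not permitted by the rule"
    if not req.device_compliant:
        return False, "device failed its posture check"
    return True, "allowed"


def reachable_from(user: str, device: str, compliant: bool = True):
    """Resources an actor holding this user and device identity could reach."""
    reachable = []
    for (_, resource, action) in POLICY:
        ok, _ = authorize(Request(user, device, compliant, resource, action))
        if ok:
            reachable.append((resource, action))
    return sorted(set(reachable))


if __name__ == "__main__":
    # Constructed scenario: alice's laptop is compromised. What can the intruder reach?
    print("from alice-laptop as alice:", reachable_from("alice", "alice-laptop"))
    print("same user, different device:", reachable_from("alice", "bob-laptop"))
    print("same device, failed posture:", reachable_from("alice", "alice-laptop", compliant=False))
    print("backup server from alice's laptop:",
          authorize(Request("alice", "alice-laptop", True, "backup-server", "write")))
```

Two design choices carry the security value. First, the decision has no default-allow branch and no notion of "already inside": a compromised workstation can only reach what its legitimate user was explicitly granted, so the backup server in the scenario stays out of reach. Second, device posture is part of every decision, so a device that stops meeting policy (for example, because endpoint protection was disabled) loses access immediately rather than at the next login.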

How can databrackets help you?

To secure data, apps, and networks from increasingly complex assaults, many organizations use Managed Security and Compliance Services, which include SIEM, incident handling, and Threat Intelligence.

The Managed Security and Compliance services from databrackets will check your organization’s readiness for security and find any weaknesses to protect them.

Contact us to learn more about how our services and specialists can help your company defend against security threats and attacks.

How to Select a Security Vendor

Know the factors that need to be considered before selecting a security vendor

According to the 2022 Verizon Data Breach Investigations Report, 62% of network breaches occurred through an organization’s partner. Statistics like this challenge the notion that having security vendors and sharing data is a secure way to achieve organic growth.

Organizations today are also facing the new reality of a hybrid work environment with decentralized offices, flexible remote work practices, greater health precautions in the workplace, and dynamic security threats. As you navigate the changing landscape of work during a pandemic, it becomes increasingly important to minimize costs, respond to new conditions, and plan to future-proof your organization.

Finding the right security vendor to protect your organization’s data while meeting your budget can prove challenging, given the sheer number of vendors and solutions available. A good starting point would be a checklist to evaluate vendors and ascertain if they are the right fit for your organization.

We have outlined how to select a security vendor based on the factors listed below:

1. Data Sharing Process
2. Background
3. Certifications and Credentials
4. Security posture
5. Customer References
6. Pen Testing Report
7. Policies and Procedures
8. Post engagement support

1. Data Sharing Process

To conduct a successful vendor selection process, you must begin by analyzing the protocol of the working relationship you plan to create with the vendor. You need to understand the information / data that will be shared between your organization and the vendor. Organizations often tend to narrow down a list of possible security providers to the top 3-5 and pass it along without going into these crucial details – a recipe for failure.

Review the following questions vis-à-vis the internal processes in your organization.

  1. How much access will they have? This might be in a tiered internal system, with level one access being the least critical and level four access being the most critical.
  2. Which systems will they be able to access?
  3. What information will be shared between the organization and the security vendor? Will Personally Identifiable Information (PII), health care data, intellectual property, or similar sensitive files be disclosed?

Different organizations have varying levels of risk. For some organizations this necessitates an on-site assessment, including pen testing, while for others, it can be conducted from the desk. Knowing ahead of time how much access the security vendor will have and what type of data will be shared is critical. With this information in mind, you should have an idea of how thoroughly your security vendor should handle your organization’s data.

2. Background

Assess critical aspects of a vendor’s credentials and background. Review the following questions vis-à-vis the portfolios of the vendors you are considering.

a. Are they trustworthy?

While only some security vendors are ready to share information about their clients, they should be able to issue letters of recommendation. A simple phone call or email to a previous or present client can clear up any confusion about a vendor’s credentials, abilities, and capacity. Additional research, including online reviews, discussion board comments, etc., can also go a long way toward finding the right fit for your business.

b. Do they understand your industry?

Although many security components are universal, several organizations have specific technical requirements and rules. Ensure that your security vendors are familiar with your organization’s software, technology, and any industry-specific legal requirements. It is preferable to have a vendor who has worked in a similar setup.

c. Is the company stable, financially sound, and insured?

According to a recent poll, 25% of SMBs declared bankruptcy after a data breach, and 10% went out of business. In worst-case scenarios, the vendor’s insurance could potentially cover your business loss for negligence and errors during the engagement.

d. What is their contingency plan if something goes wrong?

Since breaches have become the third certainty in life, after death and taxes, it’s critical to choose a security vendor with a reputation for adequately preparing their clients for the terrifying reality of a breach and a track record of getting them through it.

3. Certifications and Credentials

Certifications confirm that a vendor has good security hygiene. Many security vendors claim to be experts while having very few industry-standard credentials or qualifications. Before working with a vendor, look for certifications such as CompTIA, GSEC, CISSP, or CCSP. You also need to ensure that everybody who has access to your network and data has been thoroughly trained and verified.

ISO 27001, or its American counterpart, NIST, is one of the most widely used standards for describing information security management. These standards make it mandatory for all procedures to be documented and adhere to data security protocols. They govern both the technical infrastructure requirements and the manner in which a business operates. Adhering to these standards ensures that your client data is secure, communication is private, and your employees have been adequately vetted and trained.

The PCI DSS is a payment card industry standard. It is one of the highest security certifications a supplier may acquire for payment information data protection. Other security certificates are more industry-specific, although they also indicate a high level of maturity in the security program. HIPAA compliance is necessary in the United States if you deal with Protected Health Information (PHI). GDPR mandates the data privacy rules that are essential in Europe.

In addition, a recent SOC 2 examination report of a vendor validates their technology, processes, and people by a third-party auditing firm.

4. Security Posture

Revisiting the 2022 Verizon Data Breach Investigations Report – it was found that 62% of network breaches occurred through an organization’s partner. Before onboarding a security vendor, you must thoroughly examine their security posture to avoid being part of this statistic. For most organizations, this is an expensive and time-consuming process. However, you can define acceptable risk levels and create language to verify that your entire third-party network satisfies the security standards and protocols that your organization adheres to.

Establish a culture of cross-collaboration across departments. Everyone from the CEO, CIO, and CFO to the head of the legal department should be involved in assessing your organization’s risk appetite – what is acceptable and what is not. Then, define risk parameters, for example, the imposition of additional contractual controls depending on a specific vendor’s rating. Lower-rated items may require more extensive controls to satisfy your acceptable risk threshold.

5. Customer References

Require each security vendor to provide a list of three references. Then, make sure to call or email those references and respectfully ask questions, including but not limited to the following:

  • Were their personnel knowledgeable?
  • How would you rank their product or service quality?
  • Did you get the level of service you were promised?
  • What steps did they take if something went wrong?
  • Did you have to revisit any shortcomings in the security protocols?
  • Would you recommend the vendor to other businesses? Why or why not?

6. Pen Testing Report

Many security certifications necessitate a penetration test to uncover potential flaws. Security-conscious businesses frequently run them internally to prevent leaks and breaches. A formal report on the test results will contain sensitive information they would be reluctant to reveal. However, you might discuss test results during chats and negotiations with a potential security partner. It would help to inquire about the last time the security vendor conducted a test, who conducted it, and what suggestions were provided. You may not be given complete details, but the fact that a test was conducted illustrates the company’s commitment to security standards. It is permissible to enquire whether the vulnerabilities have been addressed and additional safeguards have been taken.

7. Policies And Procedures

If an organization values security, it will implement policies and procedures to meet that critical objective. A solid information security policy should address software and hardware usage and maintenance, Internet usage, email communications, access controls such as password management, and customer data processing. Organizations must inquire about the security vendors’ policies, procedures, and implementation.

Hiring And Training Procedures:

People are the weakest link in any security system, no matter how sophisticated the cyberattack is. According to a Tessian Report, 43% of US and UK employees made mistakes that weakened the level of cybersecurity.

Inquire about how the security vendor hires and trains new staff. What are the credentials and certifications of their personnel? Do they conduct background checks? How frequently do people undergo retraining? Do employees have to sign NDAs? Were there any previous data leaks? All of these inquiries are appropriate before entrusting someone with your assignment.

8. Post Engagement Support

Hackers are opportunistic; ransomware, malware, and phishing efforts have increased during the Covid-19 pandemic, and they can strike anytime. IT and security vendors should ideally have resources available to respond to a cyber incident 24 hours a day, seven days a week, and develop a communication channel with you.

The only way to defend everything you’ve worked so hard to create is to be cautious about security lapses. There are several factors to consider while choosing the ideal business partner. We encourage you to use this checklist to evaluate the list of vendors you shortlist and make a sound business decision.

databrackets as your security vendor

With over a decade of industry experience and technical excellence, a dedicated team at databrackets can protect your organization from threats and adapt to each industry’s unique requirements, including law firms, healthcare, financial services, law enforcement agencies, SaaS providers, Managed Service Providers, and other commercial organizations. Contact us to know more about how our services will help your company. We would be happy to connect with you.

Vulnerability Assessment vs. Penetration Testing

Know the difference between vulnerability assessment and penetration testing; and the importance of implementing both

Growing need for VAPT infographic-databrackets

Every business with digital assets is at risk of being hacked, no matter how big or successful it is on a global scale. Reports show one ransomware attack occurred every 11 seconds in 2021. These attacks could hurt anyone, from a multimillion-dollar company to a small business starting to make some sales online.

A vulnerability assessment report tells you where potential risk is and the steps you can take to reduce it. A vulnerability assessment focuses on your systems, network, and the places people can connect.

A Penetration Test or Pentest is an authorized simulated attack on computer systems to assess security. Penetration tests simulate various business-threatening attacks and can examine any system component with the right scope. Penetration testers use the same Tactics, Techniques, and Procedures (TTPs) as attackers to find weaknesses in a system and show how they affect business.

Comparing penetration testing and vulnerability assessments helps understand their roles in your organization’s security practices and determine your needs.


Vulnerability Assessment


What is a Vulnerability Assessment?

Vulnerability assessments identify, classify, and prioritize computer, application, and network vulnerabilities. A vulnerability assessment examines information system security flaws: it checks for vulnerabilities, assigns severity levels, and suggests solutions.

Why are Vulnerability Assessments needed?

A vulnerability assessment determines an organization’s areas that need improvement. This process helps the company understand its assets, security flaws, and risk, reducing the likelihood of a cyberattack. It also guides risk assessment for weaknesses.

Depending on your organization, you may need regular vulnerability assessments to stay compliant. Compliance regulations have evolved to address security issues and vary by region and industry. Examples include GDPR, PCI DSS, and HIPAA. These standards require regular assessments to demonstrate that sensitive customer data is being protected properly. Vulnerability Assessments are comprehensive security processes that include:

  • Checking security protocols
  • Password safety of routers and Wi-Fi networks
  • Reviewing network strength against network intrusions, DDoS, and MITM attacks
  • Network port vulnerability scanning

How often do you need to perform a Vulnerability Assessment?

How often assessments must be done is set by compliance requirements. While legal regulations may require them less frequently, in the best-case scenario, assessments should be done once a month. Businesses generally get the recommendation to scan their internal and external systems at least once every three months.

Major standards’ frequency levels:

  • Payment Card Industry Data Security Standards (PCI DSS): Every three months
  • The Health Insurance Portability and Accountability Act (HIPAA): Does not require scanning but mandates that a detailed assessment process must be set up
  • Cybersecurity Maturity Model Certification (CMMC): Once a week to once every three months, depending on what auditors need
  • National Institute of Standards and Technology (NIST): Every three to four months, depending on how the organization is run

What’s in the Vulnerability Assessment Report?

Vulnerability Assessment involves vulnerability scanning and technical judgment. A Vulnerability Assessment report includes an organization’s security policy and other security products utilized. The Vulnerability Assessment suggests risk-mitigation measures afterward.

A Vulnerability Assessment report analyzes an organization’s systems, identifies vulnerabilities, and rates their severity. Security professionals use automated and manual testing tools for these assessments.

How do Vulnerability Assessments benefit you?

Vulnerability Assessments help you:

  • Discover security flaws to help organizations stay one step ahead of attackers
  • Catalog all network devices, including the purpose and system information
  • Plan upgrades, installations, and inventory of all enterprise devices
  • Define network risk
  • Optimize security investments with a business risk/benefit curve

How do you perform a Vulnerability Assessment?

  1. Establishing the testing scope

Establish a Vulnerability Assessment methodology:

  • Locate your sensitive data
  • Find hidden data
  • Identify mission-critical servers
  • Select systems and networks
  • Check ports, processes, and configurations
  • Map the IT infrastructure, digital assets, and devices
  • Streamline the process

  2. Identifying vulnerabilities

Conduct a vulnerability scan of your IT infrastructure and list all security threats. This step needs an automated vulnerability scan and a manual penetration test to ensure correct results and reduce false positives.

  3. Analyzing the results

A scanning tool generates risk and vulnerability assessments. Most tools report a CVSS (Common Vulnerability Scoring System) score for each finding. These scores indicate the severity of each weakness. Prioritize findings by severity, urgency, potential damage, and risk.

  4. Addressing vulnerabilities

After identifying and analyzing vulnerabilities, choose a fix: options include mitigation and remediation.

Remediation resolves vulnerabilities. It can be done by installing security tools, keeping products up to date, or using other methods. All stakeholders must participate in vulnerability remediation based on identified priorities.
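As an added example (not part of the original article), the analysis and addressing steps above applied to a constructed scan export: each finding's CVSS v3.1 base score is mapped to its qualitative severity band, weighted by whether the host was marked mission-critical during scoping, and tagged for remediation or mitigation. The host names, scores, and weighting formula are assumptions made for illustration.

```python
"""Added example (not from the original article): prioritizing findings
from a constructed vulnerability-scan export.

Assumptions: findings carry a CVSS v3.1 base score, and the asset list
from the scoping step marks which hosts are mission-critical. Host names,
CVSS scores and the priority formula are constructed for illustration.
"""
from dataclasses import dataclass

# CVSS v3.1 qualitative severity bands (from the CVSS v3.1 specification).
SEVERITY_BANDS = [
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
    (0.0, "None"),
]


@dataclass
class Finding:
    host: str
    title: str
    cvss: float          # CVSS v3.1 base score, 0.0-10.0
    fix_available: bool  # a vendor patch or configuration fix exists


def severity(score: float) -> str:
    """Map a CVSS base score to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "None"


def priority(finding: Finding, critical_assets: set) -> float:
    """Constructed priority: CVSS score weighted by asset criticality.
    Hosts identified as mission-critical during scoping get a 1.5x weight."""
    weight = 1.5 if finding.host in critical_assets else 1.0
    return round(finding.cvss * weight, 1)


def plan_action(finding: Finding) -> str:
    """Remediate when a fix exists; otherwise mitigate with a compensating control."""
    return "remediate" if finding.fix_available else "mitigate"


def triage(findings, critical_assets):
    """Return findings ordered highest priority first, with rating and action."""
    rows = []
    for f in findings:
        rows.append({
            "host": f.host,
            "title": f.title,
            "severity": severity(f.cvss),
            "priority": priority(f, critical_assets),
            "action": plan_action(f),
        })
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


# Constructed sample input: three findings, one mission-critical host.
CRITICAL_ASSETS = {"db-01.example.internal"}
SAMPLE_FINDINGS = [
    Finding("web-01.example.internal", "Outdated TLS configuration", 5.3, True),
    Finding("db-01.example.internal", "Unpatched database service", 7.5, True),
    Finding("hr-laptop-07.example.internal", "Legacy protocol enabled", 8.8, False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, CRITICAL_ASSETS):
        print(row)
```

Note that the lower-scored finding on the mission-critical database host outranks the higher-scored laptop finding once asset criticality is applied, which is the point of combining scan output with the scoping inventory.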

Google Trends for Vulnerability Assessment vs. Penetration Testing


Google trends show that penetration testing’s relative interest nearly peaked last year. Organizations are grouping Vulnerability Assessment and Penetration Testing (VAPT) to improve security maturity.

Penetration Testing

What is Penetration Testing?

Penetration Testing (or Pentest) is the authorized simulation of various business-threatening attacks on computer systems to evaluate security. Penetration tests determine if a system can handle attacks from authenticated and unauthenticated users and system roles. Pen testers use the same tools, methods, and processes as attackers to find weaknesses in a system and show how they may affect business. A pentest can examine any system component with the right scope.

Why is Penetration Testing important?

  • Find vulnerabilities that traditional IT security tools miss
  • Identify weak spots in an application or network that hackers might use to get into the system
  • Establish customer and company trust
  • Protect company data and reputation; data leaks ruin reputations

Preparing for attacks from hackers or employees who leak confidential information is important. A non-destructive penetration test can identify security vulnerabilities before an attack and recommend improvements.

How often do you need to perform Penetration Testing?

Penetration testing should be performed at least once a year to improve IT and network security management and to reveal how malicious hackers may exploit newly discovered threats (0-days, 1-days) or emerging vulnerabilities. For example, PCI DSS compliance requires annual penetration testing, and also after major infrastructure or application upgrades.

IT Governance recommends an annual Level 2 penetration test for high-profile or high-value organizations. Organizations with a low-risk appetite should do Level 1 penetration tests often (usually every three months).

What’s in the Penetration Testing report?

Penetration Testing reports detail security test vulnerabilities. The report lists weaknesses, threats, and solutions. The Pen Test Report provides a complete overview of vulnerabilities with a POC (Proof of Concept) and priority remediation rating for each issue and its impact on your application/website.

A good penetration testing report includes an executive summary, vulnerabilities, business impact, and recommendations to fix them.

How do you perform Penetration Testing?

Planning and reconnaissance, scanning, system access, continued access, and analysis/report comprise the penetration testing process. Ethical hackers can look at a system, figure out its strengths and weaknesses, then choose the best tools and methods to break into it. Penetration testing begins long before a simulated attack.

Planning and Reconnaissance

The first penetration testing phase involves simulating a malicious assault to obtain as much system information as possible. Ethical hackers look at the system, its weaknesses, and how the technology stack reacts when a system is compromised. The methods include social engineering, dumpster diving, network scanning, and domain registration information retrieval. Employee names, emails, network topology, and IP addresses are searched for. The audit goals determine the type of information and investigation depth.

Scanning

Penetration testers scan systems and networks based on planning findings. The scan identifies system vulnerabilities that could be exploited for targeted attacks. All this information is crucial to the success of the next steps.

System Access

Pen testers use system vulnerabilities to enter infrastructure. They escalate privileges to show how deep they can get into target environments.

Continued Access

In this step, the Pentest identifies which data and services one can access to gain the most privileges, network knowledge, and system access. Pentesters should stay in a system long enough to mimic hostile hackers’ intentions.

Analysis and Reporting

The security team writes a comprehensive penetration testing report of their results at the last stage. Finally, they recommend safeguards to prevent future attacks. Attacks have skyrocketed in recent years and don’t appear to be slowing down, so the number of precautions needs to be adjusted accordingly.

How does Penetration Testing benefit you?

  • Reveals the system’s weaknesses
  • Reveals the system’s strengths
  • Prevents hackers from infiltrating systems
  • Verifies if your system design meets the current regulations
  • Helps ensure an experienced hacker cannot access your data
  • Shows how a hacker might attack your system. This distinguishes them from most other testing choices
  • Helps establish customer trust, showing you’re correcting problems and working hard to serve clients well
  • Helps budget your security expenditure


Vulnerability Assessment vs. Penetration Testing

| | Vulnerability Assessment | Penetration Testing |
|---|---|---|
| Definition | Identifies, analyzes, remedies, and discloses security problems. Security techniques help companies limit their “attack surface.” | Detects and exploits computer system flaws. This simulated attack finds vulnerabilities that attackers could exploit. |
| Frequency | On average, performed every quarter | At least once a year |
| Approach | Finds and categorizes system vulnerabilities. | Exploits weaknesses for insights. |
| Report | Lists all system vulnerabilities detected during a scan by severity and offers fixes. | Details vulnerabilities found during a security test, listing flaws, threats, and possible remedies. |
| Performed by | Vulnerability scanning is a largely automated process. | Penetration testing is a hybrid process that combines automated scanning with manual interaction. |
| Effort | Automated vulnerability assessment saves time and money. | A penetration test is a time-consuming and costly process. |
| Cost | Vulnerability assessments typically cost $2,000–$2,500, depending on the number of IPs, servers, or apps checked. Depending on your needs, SaaS or web application scans cost $700–$4,999. | Website penetration testing costs $349–$1,499 per scan; website penetration tests cost $2,500–$50,000. Pentesting mobile and web apps costs $1,500–$5,000. Cloud, network, and device pen testing quotes vary in cost from $400–$2,000. White-box penetration testing: $500–$2,000 per scan. Black-box penetration testing: $10,000–$50,000 per scan. Grey-box penetration testing: $500–$50,000 per scan. |
| Limitations | Rarely yields zero false positives. | Exposes the network to fraudsters, hackers, or severe data loss. |
| Best suited | A multimillion-dollar SaaS firm or a small e-commerce venture that relies on data and must routinely check for security flaws. | Firms with sophisticated applications and valuable data. |
| Outcome | The report details all potential vulnerabilities and may rank them by network threat. | The penetration tester acts like a hacker to attack vulnerabilities (in an ethical manner) without stealing, exploiting, or destroying network data. |


Why might an organization need to conduct Vulnerability Assessments and Pen Testing?

Most of the time, Vulnerability Assessments and Penetration Tests are grouped. A good security program will use vulnerability and penetration testing to improve security maturity.


Vulnerability scans are often confused with penetration tests but provide different benefits. The best vulnerability management solutions regularly find, evaluate, report, and rank weaknesses in software and network systems. The findings are presented in an easily understandable format to protect your business-critical assets.

Vulnerability scans cannot replace penetration tests. Vulnerability scans identify risks at a high level while penetration testers investigate them. Penetration tests can show if vulnerabilities can be exploited to access your environment, whereas vulnerability scans cannot. Most vulnerability scans are automated, making them a better option for daily use. Alongside penetration tests, reviewing your environment’s vulnerabilities frequently can alert you to new vulnerabilities and their severity.

How can databrackets help with VAPT?

Before an attacker can discover the network, application, cloud service, and code vulnerabilities, databrackets’ A2LA-accredited process and pen testers can quickly and cost-effectively identify security vulnerabilities.

Contact us to learn more about how our services and specialists can help your company defend against security threats and attacks.

7 Benefits of SOC 2

Explore the benefits of being SOC 2 Certified as you begin your SOC 2 journey

A SOC 2 Report helps organizations prove their commitment to customer data security and meet the eligibility criteria of a potential client’s RFQ. More and more clients have been asking for proof of SOC 2 Compliance while evaluating whether they want to work with a vendor. This is particularly relevant for technology service providers, SaaS providers, and any organization that stores and processes customer data.

Technically, SOC 2® is not a certification. It is a report on the organization’s system and management’s internal controls relating to the Trust Services Criteria. It includes the auditor’s opinion of control efficacies on protecting data, also known as a ‘SOC 2® Attestation’.

databrackets Infographics on 7 Benefits of SOC 2

As security partners who have worked with countless SaaS providers to prep their organization for a SOC 2 Audit, we at databrackets have observed the following 7 key benefits of SOC 2:

1. Meet regulatory requirements: Once you are SOC 2 Compliant, you are aligned with AICPA’s regulatory controls. A SOC 2 certificate is proof of that.

2. Supervise your organization: SOC 2 compliance mandates supervising all aspects of information security across all processes internally along with setting the benchmarks for vendors who manage customer data. In order to accomplish this, a robust process is designed, and its effectiveness is verified once an organization is SOC 2 Certified.

3. Get a leading security certification issued by an independent 3rd party: A SOC 2 Examination is conducted by an authorized and certified CPA. This gives credibility to the process and ensures it is conducted in an objective way. As a result, it is considered to be a highly valued certification.

4. Sign new deals: You can sign more deals and increase the number of clients once you prove your ability to effectively manage customer data with a SOC 2 Certificate.

5. Assure existing customers: You can prove to your existing customers that your company not only manages their customer data with the highest level of information security, but that this has also been verified by an authorized CPA firm after a rigorous SOC 2 audit.

6. Strengthen Vendor Management: You can set the benchmarks for vendors and ensure compliance with the highest level of information security.

7. Monitor internal corporate governance and risk management processes: You can design and monitor risk management processes and internal corporate governance in accordance with the SOC 2 framework.

Experts at databrackets have extensive experience in helping organizations align their processes with AICPA’s Trust Services Criteria and prepare for a SOC 2 Audit. If you would like to connect with an expert to better understand SOC 2 and plan your SOC 2 journey, do not hesitate to schedule a consultation.
