Monthly Archives: April 2020

SOC 2 and NIST 800-53

Both SOC 2 and NIST 800-53 play a large role in regulatory compliance. Both aim to protect data in the cloud and are critical in today’s environments for ensuring information security. The SOC 2 framework and the NIST 800-53 publication go hand-in-hand, and adhering to both sets of controls will provide your company with sufficient data protection.

In order to assess our information systems, we first need to take a closer look at both SOC 2 and NIST 800-53.

SOC 2

SOC 2 is a framework created by the American Institute of Certified Public Accountants (AICPA). SOC 2 is one of the most used frameworks in the technology industry and applies to all organizations and enterprises where customer data is stored and processed in the cloud. SOC 2 is unique to each individual organization and can be lined up with specific business practices. SOC 2 also aligns with requirements of today’s cloud environment.

Trust Service Criteria (TSC)

The Trust Service Criteria (TSC) serve as the control areas for managing and reporting on information and systems. The five TSC are as follows:

  1. Security: Protection of resources against unauthorized access. Examples include multifactor authentication and an intrusion detection system.
  2. Availability: The accessibility of systems, products, or services as stated in the Service Level Agreement (SLA). An example would be a failover cluster.
  3. Processing integrity: Whether or not a system achieves its purpose, assessed by checking that system processing is complete, accurate, timely and authorized.
  4. Confidentiality: The information is restricted to a specified set of persons or organizations, as stated in the agreement. Examples include encryption and network security tools.
  5. Privacy: Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the service organization’s privacy notice, and with criteria set forth in generally accepted privacy principles issued by the AICPA.

Type 1 and Type 2

A SOC 2 Type 1 Audit assesses systems at one point in time. It tests whether the system’s design is suitable to meet the relevant trust principles. A SOC 2 Type 2 Audit tests the operational effectiveness of systems over a period of time. Most companies will start with a SOC 2 Type 1 and then follow with an annual SOC 2 Type 2 audit.

Requirements

The main requirement for SOC 2 is that the organization must develop written policies and procedures that are followed by everyone. The organization must also actively monitor all systems and information, ensuring that there is no unusual activity or access. It is also crucial that the organization sets up automatic alerting for anomalies when accessing data.

NIST 800-53

NIST 800-53 is a publication providing comprehensive security controls for federal information systems, published by the National Institute of Standards and Technology (NIST). NIST 800-53 covers the steps in the Risk Management Framework. It includes 8 control families and over 900 requirements. Organizations may also adhere to the controls which apply to them and to the security level of the data they store (low, moderate, or high). These controls can be tested during a SOC 2 audit. NIST provides guidance for complying with FISMA.

FISMA

To demonstrate compliance with NIST 800-53, organizations should look to becoming compliant with the Federal Information Security Management Act (FISMA). FISMA is a requirement for federal agencies to develop, document, and implement an information security and protection program.

Some specific goals of FISMA include:

  • Implementing a risk management program
  • Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
  • Ensuring the integrity, confidentiality and availability of sensitive information

FISMA requires organizations to do the following:

  • Maintain an inventory of information systems.
  • Categorize information and information systems according to risk level.
  • Maintain a system security plan.
  • Implement security controls.
  • Conduct risk assessments.
  • Obtain certification and accreditation.
  • Conduct continuous monitoring.

Best practices for FISMA are geared towards federal agencies that protect sensitive data. Best practices and requirements include encrypting everything, keeping up to date with FISMA standards, classifying information as it is created, and maintaining documentation of FISMA compliance efforts.

Compliance with both SOC 2 and NIST 800-53 provides organizations with a number of benefits, especially increased data security. The main difference between the two is that SOC 2 is part of the System and Organization Controls (SOC) framework, while NIST 800-53 is a publication. A full mapping of SOC 2 to NIST 800-53 can be found on the AICPA website.

Security and Privacy Issues with Zoom

With the increase in employees turning to remote work during the pandemic, companies have been relying on video conferencing platforms, such as Zoom, for regular meetings and communication between employees. According to Check Point, 1,700 new Zoom-related domains have been registered since the pandemic began, and a quarter of these were registered in the past week alone. Attackers have noticed the spike in users, which raises concerns for businesses that use Zoom. There has also been an increase in privacy concerns due to the sensitivity of the information now being transferred over the platform.

In Zoom conferences, anyone with the right link can enter a teleconference and share a screen, even without a Zoom account. There have been new complaints about users being Zoom-bombed, which is when unwanted guests intrude on video meetings for malicious purposes. Recently, two online classrooms in Massachusetts were interrupted by an anonymous attacker during instruction. In one online classroom meeting, an unidentified person yelled profanity before shouting the teacher’s home address. Another classroom was disturbed by an intruder who displayed his hate tattoos to all the students and the teacher.

There have been several of these intrusions on online classrooms as well as in business conferences. Users have made several reports of conferences being interrupted by graphic images and threatening language. As a result, many schools and businesses have completely switched to other platforms, such as Microsoft Teams and Google Hangouts.

This is not the first time Zoom has had security flaws in its platform. In 2019, security researcher Jonathan Leitschuh found a vulnerability in the Mac Zoom client. When a user installed the Zoom app, Zoom silently installed a hidden web server on the device without the user’s permission. This web server allowed websites to force a visitor into any Zoom call with their video camera activated, a flaw that also impacted RingCentral. The web server remained on the device even if the Zoom app was uninstalled. At the time, 750,000 companies were using Zoom for business purposes and were put at risk by this vulnerability. Apple and Zoom have since resolved this issue for Mac users.

Another vulnerability, found by Check Point researchers, was quickly fixed by Zoom. Zoom calls had a randomly generated ID number between 9 and 11 digits long that allowed users to locate and join a specific call. Check Point researchers were able to predict which IDs belonged to valid meetings and join in on them. Zoom allows video conferences to have hundreds of participants, so it was easy for an attacker to join a call unnoticed. Zoom recently changed the ID generation to a more “cryptographically strong” method, added more digits to meeting ID numbers, and made requiring passwords the default for future meetings.

Allowing vulnerable servers to run on devices makes it easier for attackers to intrude on conferences. While removing the vulnerable web server was a big help, attackers are still able to access meetings over Zoom. Officials warn businesses and individuals about an increase in phishing emails that attackers use to enter and exploit networks. These can be especially detrimental to remote workers, as cybersecurity and information security are often weaker at home than in the office. Check Point researchers confirmed that at least 70 of the newly created Zoom domains were being used maliciously, often as phishing websites intended to steal unsuspecting users’ personal information.

Users have also expressed concerns over Zoom’s privacy flaws. Zoom allows hosts to see if participants have been on a different screen for more than 30 seconds. Additionally, for paid subscribers, a host can record the meeting and gets access to text files of any active chats that take place during the meeting. The host can then save these files to the cloud, where they can be shared and accessed by other authorized users.

Earlier this week, questions were raised about Zoom sharing customer data with Facebook, even for users who did not have a Facebook account. The Zoom app notified Facebook when the user opened the app and sent details on the user’s device, including the device’s location and phone carrier, along with a unique advertiser identifier created by the user’s device. With this information, companies could target a user with specific advertisements. This practice is not new and is fairly common among major applications: many apps use Facebook’s Software Development Kit (SDK) to implement features, which ultimately sends information to Facebook. This concern has since been addressed and fixed by Zoom. Zoom now has users log in with Facebook via the browser, rather than through the Facebook SDK.

The privacy of Zoom calls has particularly raised concerns for parents whose children are now using Zoom for education. However, Zoom has claimed that its service for schools complies with federal laws on educational and student privacy.

Many officials are worried that Zoom has not taken adequate precautions when dealing with the spike in users. The New York Attorney General warns that Zoom’s existing security practices may not scale to the volume and sensitivity of data now being transferred through the platform.

Zoom’s cloud meeting app is now one of the most popular apps being downloaded on iPhones. Here are some tips for protecting your Zoom conferences:

  • Keep conferencing private rather than public and refrain from posting the links to your conferences on social media
  • Restrict the screen-sharing feature to the host only
  • Lock meetings when they are in session so no new participants can join
  • Mute participants and disable the file transfer feature when it is not in use