Achieving SOC 2 compliance status is a year-long audit process that requires organizations to demonstrate compliance, controls, policies, and risk mitigation across several critical domains. A critical component of the SOC audit is the continued use of, and consumption of results from, pen testing and vulnerability scanning. Organizations that invest in pen testing recognize the importance of ongoing vulnerability testing against their public systems along with testing of their internal controls. These exercises are extremely important in obtaining a SOC 2 certification. Several organizations hire third-party experts to come into their environment and execute a series of attacks ranging from brute-force attacks and denial of service to account takeover, just to name a few. Many times "white-hat" hacking attempts are done without the employees' knowledge.
What Is the Purpose of a SOC Pen Test?
Reducing Risk in the Enterprise
CISOs and CIOs continue to leverage cyber insurance as a means to offset risk within their environment. These leaders recognize the need to leverage cloud service providers that have made the capital investment to become SOC 2 compliant. Many companies lack the capital and internal manpower to build their own data centers and sustain a SOC 2 compliant environment.
The purpose of a SOC 2 pen test is to identify vulnerabilities within the system so they can be fixed before the company suffers a breach. Pen testing specifically uses a series of threat vectors, including account takeover, password spraying, and social engineering, in an attempt to gain access to a client-facing system. The sole intent is to find vulnerable systems before threat actors become aware of them.
Along with these attack methods, the third-party testing group will run a series of attacks against regulated platforms that align to the SOC 2 compliance standards. These platforms could include virtual machines, Docker containers, and firewalls hosted by third-party providers, along with direct attacks against storage arrays and hyperconverged platforms. Cloud providers and application hosting companies are not required to maintain SOC 2 compliance for their services and platforms. However, companies today mandate that their IT and DevOps teams only work with SOC 2 compliant vendors, because using SOC 2 compliant services ensures they as an organization are taking all necessary steps to deliver the highest degree of protection for their data.
SOC 2 Auditing Standards
SOC compliance is broken out into two classifications: SOC 1 and SOC 2.
Under the SOC 1 framework, vendor systems need to validate their design along with ensuring their teams have enabled various security controls and principles.
Under the SOC 2 framework, vendors need to prove their effectiveness in managing and maintaining their various security controls.
SOC is based on the AICPA's Trust Services Criteria. The Trust Services Criteria for SOC 2 compliance draw on a portion of the 17 domains within the COSO framework. COSO, better known as the Committee of Sponsoring Organizations, developed the 17 elements for internal controls.
It’s made up of five primary “trust categories,” previously referred to as principles:
a.) Security
b.) Availability
c.) Processing Integrity
d.) Confidentiality
e.) Privacy
Along with these trust categories, audits will extend their review to several elements from the Common Criteria framework, including:
- The control environment (CC1 series)
- Communication and information (CC2 series)
- Risk assessment (CC3, CC7 series)
- Monitoring of controls (CC4 series)
- Control activities related to the design and implementation of controls (CC5 series)
Each of the framework categories entails several internal controls and functional capabilities. A key component when executing a pen test is to validate that these controls are active and functional, and that they are updated based on industry and vendor best practices per the Trust Services Criteria and Common Criteria.
Vulnerability Scanning
Regular vulnerability scans also help organizations prioritize remediation and the deployment of net-new adaptive controls. Vendors such as Tenable have developed scanning platforms that clients can deploy in their environment for 24 x 7 scanning. Companies that make this investment do so in order to know, before, during, and after their annual audits, where their most critical vulnerabilities reside. Along with scanning, Tenable also provides the ability to remove a vulnerable device or system from the network and remediate it prior to re-inserting the component. As part of the SOC 2 Trust Services Criteria, audits will leverage the Common Criteria CC7.1 element to validate continued vulnerability and configuration testing as a risk mitigation strategy.
When Is a Vulnerability Scan Needed?
Vulnerability scanning, like pen testing, exposes ongoing risks to an organization through continuous assessment. Vulnerability scanning helps expose systems that may be unpatched, uncorrected, or misconfigured and therefore require remediation. Conducting a pen test after a system has been remediated should be considered standard operating procedure.
Ongoing Risk Assessment with Pen Testing and Vulnerability Scanning
Continued assessments provide a prioritized list of patches and systems that require attention and when they should be addressed. An effective vulnerability assessment should:
- Start the process of identifying systems with possible vulnerability issues. (Vulnerability)
- Identify the systems with vulnerability issues and their impact on the organization. (Risk management)
- Work to find and prioritize vulnerabilities. (Risk management)
- Execute a pen test after remediation steps have been carried out. (Pen test)
- Document the workflow for continuous monitoring, remediation, and verification of the systems' compliance. (Compliance)
After the completion of a SOC 2 audit, the organization still needs to maintain the ready state of its systems. Over time, several issues could impact SOC 2 compliance readiness and status, including:
- Firewall rules, intrusion detection, and weak passwords within the multi-factor authentication services. These infrastructure systems are constantly under attack from hackers attempting to penetrate the corporate system, and they also need to be patched frequently.
- Unauthorized access, issues with internal controls, and improper deployment of adequate controls are common items pen testers look for in their vulnerability scans.
Are Organizations Required to Execute an Internal and External Pen Test?
Is an organization required to perform both an internal and an external pen testing routine in order to maintain SOC 2 compliance? That depends on the system, the data location, and the compliance mandate. In many cases, separate evaluations, configuration audits, and comprehensive evaluations should be conducted for both internal and external systems. The detailed activities for internal and external systems will vary over time. Part of SOC 2 compliance is the assurance that the provider will maintain a steady state throughout the year and not only during the auditing period. Most SOC 2 compliance audits tend to run from two weeks to eight months depending on the organization. Organizations need to maintain well over 80 to 100 different controls. If, at any time during the evaluation window, an organization fails to maintain the various Trust Services Criteria areas, the auditors could issue a failed status report. Maintaining a steady workstream of pen testing is critical before, during, and after the SOC 2 compliance auditing process.
Frequency of Pen Testing
A company unwilling to invest in frequent pen testing for both environments only sets itself up for future attacks. Principled companies that stand firm on protecting their own data along with their clients' information recognize the value of ongoing pen testing to prevent incidents such as the company being held hostage by ransomware.
Current security policies maintained by the information security department should mirror the accepted security practices governing pen testing of both areas within the corporate system.
A formal risk assessment program incorporates quarterly security reviews, the guidelines for pen testing, and a strategy to manage critical system files in case of a pivoting attack. An organization's risk is defined by the identification of the asset, the asset's current risk score, and the overall cybersecurity risk to the company. Common attacks continue to plague organizations. These common attacks, including port scans, network scanning, and exploitation of dangerous script configurations, all have a bearing on the risk score placed on the corporate asset.
A comprehensive evaluation of the pen test results, along with detailed activity for known threats including false positives, should be carried out by the risk management department.
Critical Post Pen Testing Recommendations for SOC 2
Pen testing for SOC 2 compliance will bring to light several recommendations for remediation. Common recommendations include deploying a monitoring system and reviewing the security automation process, better known as SOAR.
Post pen testing remediation could include full automation capabilities, including:
- Removing a system from production status to a secured remediation area within the network.
- Applying automated patch management to the affected systems.
- Executing a pen test to validate whether the system has any security or adaptive control issues prior to moving it back into production.
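The assessment steps listed under "Ongoing Risk Assessment" (identify, assess impact, prioritize, re-test, document) and the automated remediation workflow above (quarantine, patch, re-test, return to production) can be modelled as one small piece of tooling. The following Python is an added example, not code from the page or from any vendor it mentions: it prioritizes constructed scan findings by a risk score that combines CVSS with asset criticality and exposure, and it tracks each finding through a remediation workflow that refuses to return a system to production until a re-test has passed, producing the documented history an auditor would ask for. The hostnames, scores, the weighting in `risk_score`, and the state names are all assumptions made for the example.

```python
"""Added example: prioritize scan findings and track remediation to re-test.
The weighting, states and sample data are assumptions, not a SOC 2 requirement."""
from dataclasses import dataclass, field
from collections import Counter

# Constructed sample findings (hostnames, CVSS scores, criticality 1-5 are made up).
SAMPLE_FINDINGS = [
    {"id": "F-1", "host": "web-01", "cvss": 9.8, "criticality": 3, "internet_facing": True},
    {"id": "F-2", "host": "db-02", "cvss": 7.5, "criticality": 5, "internet_facing": False},
    {"id": "F-3", "host": "build-03", "cvss": 4.3, "criticality": 1, "internet_facing": False},
    {"id": "F-4", "host": "vpn-01", "cvss": 6.1, "criticality": 4, "internet_facing": True},
]


def risk_score(finding):
    """Combine technical severity (CVSS) with business context: how critical the
    asset is and whether it is reachable from the internet (assumed 1.5x weight)."""
    exposure = 1.5 if finding["internet_facing"] else 1.0
    return round(finding["cvss"] * finding["criticality"] * exposure, 1)


def prioritize(findings):
    """Return findings ordered by descending risk score, so the remediation
    queue starts with the items an auditor would expect to see addressed first."""
    return sorted(findings, key=lambda f: (-risk_score(f), f["id"]))


@dataclass
class RemediationTicket:
    """State machine for one finding: open -> quarantined -> patched -> verified -> closed.
    A failed re-test sends the ticket back to quarantined; only 'verified'
    tickets may be returned to production."""
    finding_id: str
    state: str = "open"
    history: list = field(default_factory=list)  # (from_state, to_state, evidence)

    def _move(self, expected, new_state, evidence):
        if self.state != expected:
            raise ValueError(
                f"{self.finding_id}: cannot move to {new_state} from {self.state}")
        self.history.append((self.state, new_state, evidence))
        self.state = new_state
        return self

    def quarantine(self, evidence):
        # Pull the system out of production into the secured remediation area.
        return self._move("open", "quarantined", evidence)

    def patch(self, evidence):
        # Automated patch or configuration change applied while quarantined.
        return self._move("quarantined", "patched", evidence)

    def retest(self, passed, evidence):
        # Pen test / re-scan after remediation; failure reopens the remediation loop.
        if self.state != "patched":
            raise ValueError(f"{self.finding_id}: re-test requires state 'patched'")
        return self._move("patched", "verified" if passed else "quarantined", evidence)

    def return_to_production(self, evidence):
        # Closing is only reachable through a passed re-test.
        return self._move("verified", "closed", evidence)


def workflow_summary(tickets):
    """Counts per state: the continuous-monitoring view the compliance step asks for."""
    return dict(Counter(t.state for t in tickets))


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f['id']:4} {f['host']:9} risk={risk_score(f)}")
    ticket = RemediationTicket("F-1")
    ticket.quarantine("moved to remediation VLAN")
    ticket.patch("vendor patch applied")
    ticket.retest(False, "re-test still reaches vulnerable service")
    ticket.patch("service configuration hardened")
    ticket.retest(True, "re-test clean")
    ticket.return_to_production("change ticket approved")
    print(workflow_summary([ticket, RemediationTicket("F-2")]))
```

The score ordering and the refusal to close a ticket that has not passed a re-test are the two behaviours worth keeping when adapting this to a real scanner export: swap `SAMPLE_FINDINGS` for parsed scan output and feed the ticket history to whatever system of record the audit evidence comes from.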
Conclusion
Please reach out to speak to our team of experienced auditors if you would like to learn more about SOC 2 compliance requirements. While pen testing is not required for SOC 2 compliance, companies that choose to invest in the testing demonstrate to their clients, employees, and shareholders a culture of caring when it comes to data protection and overall security of the organization.