
Remotely: Tips from the UnderDefense Team

A recent survey by our friends at learning platform ELVTR discovered 68% of US employees still access their work devices while on vacation – leaving the door wide open for malicious attackers to penetrate business devices. While summer holidays are over, the issue is not closed given the high number of remote workers internationally. So, let’s dive into the top risks highlighted by top cybersecurity expert and our CEO at UnderDefense, Nazar Tymoshyk, and uncover how to conquer them.

Risk #1: Surfing the Cyber Waves Unprotected 

The scene is set: your personal laptop, your favorite cafe, and the allure of free Wi-Fi. But here’s the catch – that free Wi-Fi can be a gateway for cybercriminals to sneak into your digital kingdom. Connecting to public networks and personal devices introduces significant security risks, leaving you vulnerable to data breaches, identity theft, and financial losses.

Solution: Nazar’s advice rings loud and clear: Get yourself a reputable Virtual Private Network (VPN). It’s like an invisibility cloak for your data, encrypting your internet traffic and keeping your sensitive information away from prying eyes.

Risk #2: The Stealthy Rogue Access Points

Imagine this: you’re lounging at the mall, connecting to what seems like a legit Wi-Fi network. Except, it’s a trap – a rogue access point set up by attackers. These sneaky networks mimic real ones, intercepting your internet traffic and potentially accessing your personal data. Scary, right?

Solution: Stay one step ahead of these tricksters by confirming the Wi-Fi’s legitimacy with the staff. And whenever you’re on public networks, fire up that trusty VPN for added protection.

Risk #3: The Web of Spoofed Sites

Cybercriminals have an uncanny knack for creating fake websites that look exactly like the real deal. You might think you’re logging into your bank’s website, but you’re actually giving away your credentials to a malicious actor. This trick, known as website spoofing, can lead to phishing attacks and compromised accounts.

Solution: Before you click any link, give it a hover to see the full URL. And always look for that trusty padlock icon in the address bar – it’s your digital seal of approval.

The SOS Plan for Suspicious Networks

If you suspect you’ve used insecure Wi-Fi, don’t panic. Just follow Nazar’s quick steps:

  • Change Passwords: Update passwords for your important accounts.
  • Financial Check: Keep an eye on your financial statements for any suspicious transactions.
  • Sweep Your Devices: Scan your personal devices with trusted antivirus and antimalware software.
  • Set Up Alerts: Enable account notifications for any unusual activities.
  • Call in Reinforcements: When in doubt, seek guidance from cybersecurity professionals or your IT department.

As we embrace the freedom of remote work, let’s not forget that with great freedom comes great responsibility – especially when it comes to security.

Check out the full article on staying secure on vacation here, and don’t hesitate to get in touch with us if you need support! 

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About UnderDefense
UnderDefense, a globally top-ranked firm by Gartner and Clutch, provides cyber resiliency consulting and technology-enabled services to anticipate, manage and defend against cyber threats. We empower clients to predict, prevent, detect, and respond to threats.

UnderDefense Recognized in the 2023 Gartner® Market Guide for Ukrainian Information Technology

Recently a new report was published by Gartner titled Market Guide for Ukrainian Information Technology. According to the report, “in 2022, Ukraine’s export of computer services grew from $6.9 billion to $7.35 billion”. The report further states, “the sector acquired new qualities, such as ability to work under pressure, rapid innovation cycles, and heightened responsibility for people, employees and customers.”

The Key Findings of the Report are:

  • “Ukraine hosts over 90 international research and development (R&D) centers, working on cutting-edge technologies and solutions.
  • Numerous and elaborate cyberattacks triggered significant investment and research in cyber defense for Ukrainian business and government institutions, making Ukrainian IT particularly strong in cybersecurity, the Internet of Things (IoT), AI, and cloud computing.
  • Technology companies in the IT market are leveraging Ukraine’s tax policies and incentives to position and promote product development and market outreach”.

UnderDefense is proud to be mentioned by Gartner as a Representative Vendor in this report.

“Our company achieved 1.5x growth even though 2022 was the hardest year in the modern history of Ukraine. Moreover, I believe that the Ukrainian IT industry is so resilient and mature now that it will thrive whatever happens. It’s an honor for us to help protect our country’s infrastructure and businesses.” – adds Nazar Tymoshyk, CEO of UnderDefense.

The full report is available to Gartner clients via the link.

Disclaimer:

Gartner, Market Guide for Ukrainian Information Technology, Svetlana Sicular, Rajib Gupta, et al., 10 May 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


How does it feel to discover a Zero-day Vulnerability at 21?

Mykhailo Dovhanych, 21, our Pentester has become a local celebrity. He made the digital world a bit safer by discovering a Zero-day vulnerability and getting his first CVE. We asked him a couple of questions to learn more about this exciting story:

UnderDefense: What is the official name of your position in the company?
Mykhailo: I’m a Penetration Tester, but personally, I prefer to call it Red Team Operator (laughing).

UnderDefense: When did you decide that you want to work in the CyberSec industry? Why?
Mykhailo: I’ve been into cybersecurity since 2019, when a couple of my friends decided to go to military universities. I planned to join them, but then I realized that cyberspace is the “5th field” of war, the most interesting one for me. I felt like I could definitely make a contribution there. So I made the decision to advance in Offensive Security.

UnderDefense: What software was this vulnerability found in?
Mykhailo: I found it in Pi-hole. Pi-hole is a free, open-source software for Linux that acts as a DNS sinkhole and ad blocker. It is designed to run on a Raspberry Pi, but can also be installed on other Linux-based systems. Pi-hole blocks ads by routing DNS queries for known ad-serving domains to a “black hole” effectively preventing ads from appearing on devices that use it as their DNS server.

UnderDefense: Who uses Pi-hole? How many people could be affected?
Mykhailo: These are individuals and organizations that want to block unwanted ads and trackers on their network, including homes, small businesses, and schools. Also, it is used by individuals who want more control over their privacy and security when browsing the internet. There is no exact data regarding Pi-hole installs and active users, but approximately hundreds of thousands could have been affected, possibly even more than half a million.

UnderDefense: What is the nature of the vulnerability you found? 
Mykhailo: The vulnerability is that attackers could access information about domains from these blacklists created by the administrator. These blacklists contain confidential information that should not be disclosed. Since tracking domains are constantly changing, it’s not easy to record all of them and keep the blacklists updated. So updated lists of such domains are sold on the internet and you can buy them for a few dollars. In this particular case, the client who buys and implements such a list is in danger. Attackers can obtain these lists for free by exploiting the vulnerability. When we announced it to the developer, it had a “Zero Day” status, meaning that all versions were vulnerable.

UnderDefense: Was this vulnerability fixed?
Mykhailo: With the help of search engines Shodan, ZoomEye, and special Google Dorks, it was possible to select publicly available DNS servers and get all blocked domains from them. Currently, there is an updated version of the Pi-Hole Admin Panel without this vulnerability.

You can learn more about the above-mentioned CVE here:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23513
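The sinkhole behaviour Mykhailo describes (queries for blocklisted domains are answered with a “black hole” address instead of the real one) as an added illustration in Python; this is not Pi-hole’s own code, the blocklist is constructed for the example, and the 0.0.0.0 sinkhole address and the allowlist override are assumptions:

```python
"""Minimal DNS-sinkhole decision logic, modelled on the description of
Pi-hole above. Added illustration, not Pi-hole's code; the blocklist
below is constructed for the example."""

SINKHOLE_ADDR = "0.0.0.0"  # address returned for blocked names (assumption)

# Constructed sample blocklist (not a real Pi-hole list); lists in the wild
# routinely contain comments, mixed case and trailing root dots.
SAMPLE_BLOCKLIST = [
    "# constructed sample list",
    "ads.example",
    "tracker.example.net",
    "Metrics.Example.ORG.",
]


def normalize(name: str) -> str:
    """Lower-case and strip the trailing root dot so that 'A.B.' == 'a.b'."""
    return name.strip().lower().rstrip(".")


def load_blocklist(lines) -> set:
    """Build a set of normalized domains, skipping blank lines and '#' comments."""
    out = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            out.add(normalize(line))
    return out


def matching_block_entry(qname: str, blocklist: set):
    """Return the blocklist entry covering qname, or None.

    Matching is label-wise: 'x.ads.example' is blocked by 'ads.example',
    but 'notads.example' is not. A plain string-suffix check would wrongly
    block the latter, which is the classic bug in home-grown sinkholes."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def resolve(qname: str, blocklist: set, upstream, allowlist=frozenset()) -> tuple:
    """Decide the answer for one A query.

    Returns (address, blocked). `upstream` is any callable name -> address
    standing in for the real forwarder. An exact allowlist hit (assumed
    feature, modelled on typical sinkholes) overrides the blocklist."""
    if normalize(qname) in allowlist:
        return upstream(qname), False
    if matching_block_entry(qname, blocklist) is not None:
        return SINKHOLE_ADDR, True
    return upstream(qname), False


if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_BLOCKLIST)
    fake_upstream = lambda name: "192.0.2.1"  # documentation address
    for q in ("www.tracker.example.net", "notads.example", "METRICS.example.org."):
        print(q, "->", resolve(q, bl, fake_upstream))
```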


What is SOC 2 Compliance?

Major ransomware attacks and serious data breaches still dominate the news headlines. Companies must show dedication to cybersecurity if they want to protect data and gain the trust of potential and existing consumers.

For any business wishing to offer the highest level of commitment to partners and clients, SOC 2 is a well-known audit and a reliable validator. SOC2 Certification is a good idea for companies that have their own product and want to ensure product security, confidentiality, and availability to their current or new customers and partners. Businesses that outsource some of their data operations prefer to work with secure contractors who can provide evidence of putting optimal security policies into place and thoroughly protecting sensitive data. Vendors who have earned SOC 2 Certification are the ones who have implemented policies with the necessary levels of security throughout their organization to safeguard data.

This article will clarify the SOC 2 audit process along with the functions of SOC 2 auditors.

What does SOC 2 Compliance Mean?

SOC 2 (Service Organization Controls 2) is both an audit procedure and criteria that specify how an organization should manage internal controls. SOC 2 is a set of security and privacy standards and compliance requirements designated by the American Institute of Certified Public Accountants (AICPA). It was geared toward technology-based companies that use cloud-based storage of customer data or a cybersecurity compliance framework. The primary purpose of SOC 2 is to ensure that third-party service providers store and process client data in a secure manner.

What Is The Difference Between SOC 2 Type 1 and Type 2

There are two types of SOC 2 reports: Type I and Type II.

SOC 2 Type I report

  • evaluates a company’s controls and attests an organization’s use of compliant systems and processes at a specific point in time
  • describes the controls in use by an organization and confirms that the controls are properly designed and enforced and they fulfill the required Trust Services Criteria

SOC 2 Type II report

  • includes everything that is part of a Type I report, along with the attestation that the controls are operationally effective and function as intended
  • assesses how the controls function over a period of time, generally 3-12 months.

When deciding between the two, take into account your objectives, budget, and time constraints.

You can start with the SOC 2 Type I report; however, you will probably require a Type II report at some point, because many clients are rejecting Type I reports.

Why SOC 2 Compliance Is So Important and Which Benefits it Gives to Business

Even though SOC 2 compliance is not mandatory, clients frequently demand it from the companies they do business with, particularly for cloud-based services, to guarantee the security and privacy of their data. Service providers or SaaS businesses that handle, store in the cloud, or transport consumer data are strongly urged to implement SOC 2. Being SOC 2 compliant, which is determined by an independent technical audit, guarantees that you have the protocols, infrastructure, and technologies in place to safeguard your clients’ and customers’ information from illegal access from both inside and outside the company.

SOC 2 compliance entails the following:

  • Your business is aware of what typical operations involve, and you constantly monitor any suspicious or unusual activity, document system configuration changes, and keep an eye on user access privileges
  • You have the required tools in place to identify threats, notify the appropriate parties, and take action to protect data and systems from unauthorized access or use
  • You will be provided with the required information about any security incidents so that you can assess the severity of the issue, make the necessary system or process alterations, and restore the integrity of the data and processes

Benefits of SOC 2 Certification:

  1. Reputation and Trustworthiness
    The SOC 2 Certification shows that the company has taken all necessary precautions to prevent a data breach, which fosters strong credibility and trust with clients and business associates and protects and improves the company’s reputation. SOC 2 demonstrates to your clients that you are actually trustworthy with their data.
  2. Competitive Edge
    With SOC2 Certification you have an advantage over your competitors in terms of both operational market and sales potential since businesses only want to work with secure vendors that have put in place the necessary precautions to prevent data breaches. A SOC 2 Certificate differentiates your business from other businesses that do not have it and have not invested any effort or money into SOC2 compliance.
  3. Better Quality Services
    A SOC 2 audit can help you enhance your security mechanisms and operational efficiency. Processes and controls can be optimized based on your organization’s awareness of the cyber security risks that your clients encounter. This will enhance your services in general. SOC2 Certification assures your customers of implemented security measures for preventing breaches and securing their data and ensures that the system is protected against unauthorized access (both physical and logical).
  4. A “must-have” for IT organizations and commitment to IT security
    SOC2 Audit & Certification proves your company’s unwavering dedication to general IT security as the cloud steadily overtakes on-premises storage. Customers receive reassurance that their data is secure and that internal policies, processes, and procedures have been matched to industry best practices. SOC 2 involves more than just certification or adhering to the five trust principles. It’s setting up a safe and secure system within your company, which is very important.
  5. Compliance
    Companies and corporations can show their dedication to data security and privacy by adhering to SOC 2 standards. The standards of SOC 2 are consistent with those of other frameworks, such as HIPAA and ISO 27001 certification. As a result, after you have obtained SOC2 Certification, it will be simpler for you to comply with additional regulatory criteria. It might speed up your company’s overall compliance efforts.

    Your company risk and security posture, vendor management, internal controls, governance, regulatory supervision, and much more are all covered in a SOC 2 report. Achieving compliance may also prevent your company from fines and other legal repercussions.

Who Can Perform a SOC 2 Audit?

A SOC 2 audit can only be performed by independent CPAs (Certified Public Accountants), specifically those specializing in information security.

The AICPA’s set of professional standards governs SOC 2 auditors’ work. The preparation, execution, and oversight of the audit must also adhere to a number of rules. Additionally, a peer review is required for all AICPA audits.

In order to prepare for SOC audits, CPA companies are permitted to employ non-CPA individuals with relevant information technology (IT) and security expertise; however, CPAs are still required to deliver and disclose final reports.

The service organization may put the AICPA logo on its website if the CPA’s SOC audit is successful.

A verified SOC 2 report is valid for a year from the date it was issued. A licensed CPA firm’s external auditor must also complete all future annual audits.

What are SOC 2 Trust Services Criteria (TSC)?

When it comes to data security, the SOC 2 Trust Services Criteria (TSC) is one of the most critical standards. These standards cover everything from physical security to data encryption. Once an organization decides to undergo SOC 2, one of the first steps is identifying which of the five Trust Service Principles to include in the report:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

An organization can choose to address one or more of these principles, while Security is mandatory. Not all the principles are required to be addressed, but it is preferable to include the principles that apply to the organization and the services it provides to its customers.

Security

This principle requires that information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives. Organizations can achieve this by using elements and strategies such as firewalls and two-factor authentication. These components make it harder for unauthorized people to access your data.

Availability

The availability principle requires that system operations and services are available for authorized use as specified by the customer or business partner. To meet these criteria, organizations must have a written policy that includes measures to prevent, detect, and correct interruptions to service availability. In addition, the policy should address system maintenance, capacity planning, incident response, and business continuity.

Processing integrity

This principle states that all business systems and controls must protect the confidentiality, privacy, and security of information processing. It refers to the completeness, validity, accuracy, timeliness, and authorization of system processing.  Processing integrity addresses whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or accidental manipulation. To meet this principle, organizations must have security controls to protect data from unauthorized access and ensure that companies process data consistently and accurately.

Confidentiality

This principle requires organizations to design and implement controls to safeguard the confidentiality of sensitive information. It is crucial for SOC 2 compliance as it helps to ensure that only authorized users have access to sensitive data. Confidentiality requirements may be contained in laws, regulations, contracts, or agreements that contain commitments made to customers or others. The need for information to be confidential may arise for many different reasons. For example, the information may be proprietary and intended only for entity personnel. Confidential information may include personal information and other information, such as trade secrets and intellectual property.

Companies must carefully control physical and logical access to their systems to meet these criteria. They must also implement mechanisms to prevent, detect, and respond to attempts to compromise the confidentiality of data.

Privacy

While confidentiality applies to various types of sensitive information, privacy applies only to personal information. In addition, the privacy objective addresses requirements regarding the collection, use, retention, disclosure, and disposal of personal information. To comply with the privacy principle, organizations must implement physical, technical, and administrative safeguards to protect data from unauthorized access. They must also provide customers with clear and concise detail about their privacy rights and how the company will use their data.

The process of achieving SOC 2 compliance

A SOC 2 audit is a multi-step procedure, which can initially seem complex, given that some suppliers offer compliance software while other vendors are also certified SOC 2 auditors.

Below you can find a checklist of practices that will be reviewed while evaluating a company’s management process readiness:

  • 20+ policies and procedures to describe all established processes required by SOC 2
  • Organized asset management
  • Security monitoring and incident response establishment
  • Risk assessment and mitigation
  • User access review
  • Internal audit report
  • SOC report review
  • Security Awareness Training
  • Meeting minutes
  • Internal target SLA
  • HR compliance

Basic Steps in Achieving SOC 2

  1. Selecting a SOC 2 reliable partner for preparation and advice
    This step will be very beneficial for startups, first-timers, and businesses without a compliance specialist. In order to compare a company’s present security, availability, confidentiality, processing integrity, and privacy status with the SOC 2 framework, best practices, and the specific scope needed for the report, professional counsel is required.
  2. Defining the scope
    Choosing which of the five Trust Service Principles to include in the audit is an important component of SOC 2. The TSPs that are included will determine the controls that will be monitored. The best approach is not to use a set list of controls under each criterion but one that is customized for your organization because every organization is unique. Therefore, the controls should address certain risks and factors that are relevant to a given company. The selected SOC 2 partner will assist in identifying which controls are necessary for each organization. Making decisions about the audit’s timelines is another aspect of scoping. If the organization is undergoing a SOC 2 Type II, this will also entail choosing the reporting period, which should be based on readiness and business objectives.
  3. Selecting an auditor
    A SOC 2 audit can only be carried out by a certified, independent CPA company with expertise in information security or IT audits. The company must be affiliated with the AICPA and adhere to all rules and updates made available by the AICPA. It is crucial to choose an auditor who is knowledgeable about the needs of the organization as well as the industry in which the company operates. Selecting a firm whose auditors have substantial expertise and understanding of SOC 2 audits and have dealt with businesses of similar size is a significant factor to take into account. When choosing an auditor, keep in mind that audit charges and deadlines will vary as well.
  4. Readiness evaluation
    This stage in SOC 2 preparation is crucial since it not only determines whether a company is prepared for its formal audit but also identifies any areas that still need improvement. A gap analysis will determine whether the control environment satisfies the pertinent SOC 2 criteria, and any remediation that is required will be carried out. Additionally, it is crucial to make sure that all appropriate documentation is obtained, including policies and procedures, and that all agreed-upon controls are put into practice. The selected SOC 2 partner will assess how well the organization’s controls are mapped to the pertinent criteria and points of focus.
  5. The audit
    If a company is performing SOC 2 Type II, the formal audit will take place after the observation period. The controls in place will be evaluated by the auditor, primarily to determine if they are performing as claimed and in accordance with the standards outlined in the SOC 2 handbook. The SOC 2 Type I or SOC 2 Type II report for the company will be issued by the service auditor and include information on the test findings.
  6. Report results
    The fact that SOC 2 is an attestation rather than a certification should not be overlooked. A SOC 2 report is an examination. The attestation report expresses the auditor’s judgment regarding the existence of an organization’s internal controls and their compliance with the Trust Service Principles. Because of this, SOC 2 does not result in a pass or fail; it’s the auditor’s professional opinion.
  7. Repeat annually
    It is critical to update a SOC 2 report after one year has passed in order to stay competitive and uphold the level of clients’ expectations. It is extremely likely that some clients may switch to business competitors that are totally dependable and consistent with infosec compliance if a company does not pass an annual SOC 2 examination. According to the requirements, a SOC 2 audit should be scheduled every 12 months. Companies should regularly check their pertinent controls throughout the year to make sure compliance is ongoing and goals are being fulfilled. Making sure policies and procedures are updated is part of this. It is not the best compliance practice to wait until a month before the scheduled audit to make sure everything is in order. Continuous audit management guarantees a company is SOC 2 ready before the audit.

Get Ready for Successful SOC 2 Compliance with UnderDefense

SOC 2 is the industry standard for infosec certifications, and while it is undoubtedly challenging, with the proper planning, direction, and tools, it is a process that is doable and rewarding. There are ways to make the processes simpler, function more efficiently, and demonstrate to the outside world that your company upholds the greatest standards of information security.

Because we are aware of how time-consuming achieving SOC 2 compliance may be, our platform includes SOC 2 controls, policies, tasks, and planning tools. You may quickly start crossing things off of your SOC 2 to-do list if you have a specially created security program based on your particular business processes and the SOC 2 architecture.

Talk with us about our mission to make SOC 2 readiness as painless as possible. It’s one easy thing you can do to get started now.


How to make your employees your first and best firewall against Hackers

The human factor is the number one vulnerability in any cyber defense. Conventional Security Awareness Programs focused on automation surprisingly have proved ineffective even for giant corporations. We are not even speaking about small & medium enterprises lacking funds and resources. Security Awareness is a top priority for them.

Our Nazar Tymoshyk and Hlib (Gleb) Yevtushenko are going to share lots of insight on how to neutralize a ‘patient zero’, make the human layer one of the most effective pillars of your cyber defense, and significantly reduce the risk by combining Security Awareness with MDR.

Join our first virtual event “How to make your employees your first and best firewall against Hackers” from the “Lean Security Howtos” webinar series and learn how to mitigate human risks & avoid getting hacked!

