How pentesting brings you closer to a 100% safe cyber security cloud environment
- Case Study
You might be familiar with this situation: you have a tip for your colleagues, but you struggle to explain it clearly. So, you quickly record a video to illustrate your point, right? At Dichterbij, they also value learning from each other, but these videos were usually shared via WhatsApp. Not entirely privacy-friendly and highly susceptible to data breaches. While WhatsApp provides end-to-end encryption, organizations have limited control over what happens to the information on their employees' mobile devices.
Fortunately, Dichterbij found a solution in the form of an external tool that shares videos in a centralized cloud. However, CISO of Dichterbij, Patrick Thijssen, saw a risk in this approach: "By centralizing your information in a cloud, you become a 'honeypot' for cybercriminals." Hacksclusive was tasked to test any vulnerabilities in the system.
Every action is accompanied by information, even in the healthcare sector
Dichterbij employs 4500 healthcare professionals across 67 day care locations and 940 residential locations for individuals with physical or intellectual disabilities. As the Chief Information Security Officer, Patrick Thijssen is responsible for ensuring the availability, integrity, and confidentiality of information.
"A significant amount of sensitive information is handled within Dichterbij, such as all the patient data we possess. I often joke that if someone within the organization can name a process where information is not used, they will receive a prize."
It may be tempting to think that everyone should have access to all that information within an organization. However, that is exactly what shouldn’t be done. Patrick believes it is essential to explain to employees why they may not always have access to certain information and that access is dependent on their role within the organization. Fortunately, they usually understand. As the CISO of Dichterbij, his role has a significant human aspect.
"When working with sensitive information like clients' personal data, you have a duty of care. As a healthcare organization, it is crucial to have a clear understanding of who has access to which information and who does not."
Patrick Thijssen - Chief Information Security Officer at Dichterbij
Honeypot for Cybercriminals
To foster knowledge sharing, a considerable amount of information is exchanged among colleagues, ranging from tips and tricks to onboarding protocols. However, both Patrick and the Dichterbij board recognized the risks associated with this practice. They decided to consolidate this information and store it in a centralized location. They opted for a solution provided by an external party, which stores the information in a central cloud and grants access through personal IDs.
Although this initially appears to be safer, Patrick saw a significant risk: "From a small chance of a small-scale data breach on one mobile device, there is now a greater chance of problems because anyone with malicious intent can access all the data." It's as if you collect all the watches, wallets, and car keys from your sports team in a bag and leave it in an unlocked locker room.
As an organization, blindly trusting your external software or application provider is not advisable. Since the application provider Dichterbij collaborated with couldn't answer all security-related questions about the cloud platform, Patrick decided to have the system undergo a penetration test. Through his network, he came across Martijn Baalman from Hacksclusive. He presented him with a specific question: "If we get hacked, we have a problem. So, I want to know what can go wrong so that I can prevent it."
Organizational versus Technical Risk
“To get the most out of a penetration test, it is important for an organization to have a clear understanding of what constitutes an organizational risk and what constitutes a technical risk. This means that Hacksclusive identified some vulnerabilities that are technically unsafe but pose virtually no organizational risk to Dichterbij."
Consequently, Hacksclusive and Dichterbij compiled a list of findings, categorizing action items based on high or low levels of risk. This list was ultimately shared with the application provider, who then began resolving the vulnerabilities. One advantage of working with Hacksclusive is that within the dashboard, each item can be tracked, indicating the steps taken to address it. "The provider’s developers also have access to the dashboard. They fix a problem and report back to Hacksclusive, who can then verify if it has indeed been resolved. For us, the Hacksclusive dashboard also serves as a project management tool. Additionally, this environment acts as an archive, allowing us to demonstrate how we addressed vulnerabilities at a later stage."
The ‘necessity’ of speed
When installing a new application, the goal is to be able to start using it as quickly as possible. However, speed is not relevant in a penetration test, according to Patrick. He says, 'Although Hacksclusive can operate swiftly thanks to their cloud platform, speed is not important in this context unless you have an urgent issue.'
"Thoroughness is the most important aspect. Thanks to Hacksclusive's creative approach to penetration testing, they uncovered a vulnerability that was completely outside the agreed scope. In addition, we find traceability to be very valuable. If we overlook something while addressing vulnerabilities and still get hacked, I can at least demonstrate that we looked into it. That we made an effort to prevent damage."
"For us, the Hacksclusive dashboard also serves as a project management tool. Additionally, this environment acts as an archive, allowing us to demonstrate how we addressed vulnerabilities at a later stage."
Patrick Thijssen - Chief Information Security Officer at Dichterbij
Safely share sensitive findings amongst coworkers
In the same vein that Dichterbij appreciates the many advantages of a cloud-based system for their employees. Patrick notes that this work process is also reflected in Hacksclusive's penetration testing processes." Previously, pentest reports were shared via email, but now all interim findings and reports are securely placed in a cloud environment. Team members have their own accounts in the online environment and can safely view the data.
When asked about the greatest advantages of Hacksclusive, Patrick is clear: "The cloud based platform with centralized information is an absolute unique selling proposition of Hacksclusive. Both the ethical hackers from Hacksclusive and the software developers are closely involved. The findings from Hacksclusive are submitted as tickets to the engineers, who can work through the list of findings in a clear and organized manner."
As a final tip for other healthcare organizations, Patrick suggests, "Establish ownership of information and describe what ownership means for your company. And then critically evaluate which information you share with whom and why. It is unnecessary, and rather risky, to give everyone in an organization access to all available information."
This case was written in collaboration Dichterbij.
Related stories
-
blog posts
Where do hackers come from?
At Hacksclusive,every day our hackers help organisations make their digital products and services a little more secure. Our hackers do this by, for example, assessing the configuration of a Docker container or Kubernetes cluster, examining the source code of a REST API for possible vulnerabilities or testing the security of an Android app. Hacksclusive provides the knowledge and skills of its hackers as a service. The Hacksclusive platform plays an important role in this. It ensures that our hackers can work efficiently and have as much time as possible to discover vulnerabilities. Just as importantly, it not only gives our clients insight into which hacker did what, how, and when, but it also provides an understanding of the root causes of vulnerabilities and how the security of their digital products and services can be improved.
Of course, having such a platform sounds great. But without hackers, it’s worth nothing. So, where do hackers come from?
Origin of hacking
The word hacking is derived from the Germanic word hakkon and it literally means to chop. It wasn't until the 1980s that the word took on the meaning of “breaking into a computer”. The association of the word hack with the computer originated at the Massachusetts Institute of Technology (MIT) in the 1960s. Students in the model railroad club called any new connection or improvement to the train circuit a hack. Not much later, creative applications developed by scientists and students for the university computer—beyond the device's intended purpose—were also called “hacks.” The people who created them called themselves hackers.
-
blog posts
CISO's are NPC's
On Wednesday, October 9, the Platform for Information Security (PvIB), ISACA Netherlands Chapter, and NOREA, the professional organisation for IT auditors, organised the 20th edition of the Security Congress. Together with Edo Roos Lindgreen, I was one of the speakers. With the theme ‘Expect the Unexpected,’ I addressed, among other topics, the role of the CISO.
-
blog posts
Navigating NIS2: a guide to cybersecurity compliance
As of October 2024, NIS2 is legally mandatory, and to aid in preparation, the National Cyber Security Center has launched a self-evaluation tool. Organizations completing the self-evaluation can determine if they fall under the NIS2 directive and whether they are considered "essential" or "important" according to this directive for the functioning of society and/or the economy. Failure to comply with this law can result in legal consequences and potential fines. Therefore, it is crucial to make timely preparations and ensure that your organization complies with the requirements of NIS2.