Insight

How to Use Privacy KRIs to Predict Future Risks

GDPR enforcement has kicked off, and the CCPA countdown has begun. With the threat of significant penalties for non-compliance looming, many organizations are placing a greater focus on data privacy. But is “checking the box” on compliance the only (or best) way to evaluate the effectiveness of your program? Companies working to develop privacy programs that adapt with regulatory, industry, and technology change need a way to quantify and prioritize privacy risk. Privacy key risk indicators (KRIs) are designed to do exactly this. KRIs quantify the anticipated risks associated with an area of your privacy program, so you can prioritize risk mitigation appropriately, set clear objectives for your program, and establish a privacy risk appetite. In this post, we will look at how to apply KRIs, how to use the types of KRIs, and how to design a KRI framework for your privacy program.
Insight

Assessing and Ensuring GDPR Compliance for a Fortune 500 Cruise Line

Focal Point’s GDPR and global privacy services client (“the Company”) is a recognized leader in the hospitality and travel leisure…
News Article

Focal Point Joins the Identity Defined Security Alliance

Tampa, FL – February 28, 2019 – Focal Point is pleased to announce that it has joined the Identity Defined Security Alliance (IDSA), an industry alliance helping to improve security and cyber risk management by acknowledging the central role of identity in a hybrid and mobile world.
Insight

A New Tool for Finding Malicious JavaScript and Securely Using External Libraries

September 2019 Update: This JavaScript Security extension has been published by Burp Suite! You can install it directly within Burp, via the BApp Store feature in the Burp Extender tool. Why compromise just one website when you can compromise a whole bunch of them all at once? I'm sure that's what attackers were thinking in 2018 as they compromised content delivery networks (CDNs) and used them to host malicious JavaScript. And it’s a genius strategy! Compromised companies will unwittingly feed them sensitive customer data (e.g., credit card numbers), will never have any evidence of the attack, and will never know anything has changed. Meanwhile, their customers will receive malicious JavaScript libraries that the "victim" companies require them to load for a smooth customer experience. Then the sensitive information will be fed directly from the user to the attacker. Why is this so easy? Today, more sites are relying on JavaScript to enhance the user experience, and they are doing it in a way that makes it harder to evaluate referenced JavaScript libraries: they are using JavaScript libraries to load other JavaScript libraries into the Document Object Model (DOM). It can be challenging to track these issues down during a penetration test, especially when you have limited time and you want to deliver the highest quality results possible. To assist our partners, clients, and the security community in identifying these issues, we developed a Burp Suite extension. Burp Suite is a Java-based tool used by many security teams for web-application testing. This extension helps Burp Suite users evaluate JavaScript in use in web applications for subresource integrity and content security policy protections while comparing observed resources against threat intelligence feeds. You can download the extension for free via the BApp Store.
Insight

Boosting Organizational Success by Advancing Data Quality

This guide dissects the root causes of poor data quality and provides a step-by-step approach to achieving high data quality.
News Article

Focal Point Adds New Sales Leader to Accelerate Growth

Focal Point today announced the addition of Dan DeSantis as its Senior Vice President of Sales and Business Development. Dan joins Focal Point from Cisco Systems,
Insight

8 Areas to Include in SAP Access Control Testing

Information Technology General Controls (ITGC) are the basic controls that can be applied to IT systems such as applications, operating systems, databases, and supporting IT infrastructure. The objective of ITGCs is to ensure the integrity of the data and processes the systems support. Your SAP ERP applications cross all four systems: IT Infrastructure Applications, Databases, Operating Systems, and the Application Layer. Access control tests, our central focus for this post, are targeted at the Application Layer of your SAP applications. In a recent post, we discussed the importance of security health checks in monitoring SAP access, and today we want to continue the access security conversation by examining the importance of ITGC Access Controls testing in an SAP environment.
Insight

Implementing SailPoint IdentityNow at a Global Pharmaceutical Company

Focal Point’s IAM services client is a leading global pharmaceutical company, with more than 20 years of experience and operating…
Insight

Let’s Get Cracking: A Beginner’s Guide to Password Analysis

The Focal Point Attack & Penetration team performs many internal penetration tests that culminate in a compromise of Windows Active Directory domains and access to the password hashes of all domain users. Like many teams that provide pen testing services, we have a high-powered GPU-based password-cracking rig that we use to recover high-value or time-sensitive passwords. But sometimes we’re on-site without access to our VPN, or we’re in the reporting window following a test and someone is using the rig for an active test. Whatever the reason, we still get a lot of mileage from the classic password cracker, john, even in this age of GPU-based cracking with hashcat (which we also love but is not the focus of this post).