Author name: Sushma Singh

A Complete Guide to Identity and Access Management And IAM Tools for Your Business
BUZZ Essentials


Do you know what identity and access management is and why it is crucial for your business? If not, you are missing out on a powerful way to protect your data, streamline your operations, and enhance your customer experience. According to a report by IBM, the average cost of a data breach in 2023 was $4.45 million, the highest in 17 years. Moreover, 80% of these breaches involved compromised or stolen credentials. This shows how important it is to have a robust identity and access management (IAM) system in place to prevent unauthorized access and safeguard your sensitive information.

In this blog, we will explain what IAM is, how it works, what its components are, and finally how BUZZ can help you. We will also discuss the benefits of privileged access management (PAM), a subset of IAM that deals with high-risk accounts and resources. By the end of this blog, you will have a clear understanding of how IAM can help you improve your business security and efficiency.

What Exactly is Access Management?

Access management is the process of granting or denying access to specific resources or services based on predefined policies and rules. It helps businesses control who can access what, when, where, and how. For example, access management can ensure that only authorized employees can access confidential files, or that customers can only access their own accounts and data. Access management is essential for businesses of all sizes and industries, as it helps them:

- Protect their data and assets from unauthorized access, theft, or misuse.
- Comply with regulatory and legal requirements, such as GDPR, HIPAA, PCI-DSS, etc.
- Reduce operational costs and complexity by eliminating redundant or unnecessary access rights.
- Improve user experience and satisfaction by providing seamless and secure access to the services they need.

What is Identity Management?

Identity management is the process of creating, managing, and verifying the identities of users and devices that access a system or network. It helps businesses establish the identity of each user and device and assign them unique identifiers and credentials, such as usernames, passwords, tokens, biometrics, etc. Identity management is vital for businesses of all sizes and industries, as it helps them:

- Enhance their security and trust by verifying the identity of each user and device before granting access.
- Streamline their authentication and authorization processes by using single sign-on (SSO), multi-factor authentication (MFA), role-based access control (RBAC), etc.
- Increase their productivity and efficiency by automating identity lifecycle management, such as provisioning, de-provisioning, updating, etc.
- Personalize their user experience and engagement by providing customized services and offers based on user preferences and behavior.

What is Identity and Access Management in Cyber Security?

Identity and access management (IAM) is the combination of identity management and access management. IAM is a comprehensive framework that enables businesses to manage the identities and access rights of their users and devices across multiple systems and platforms. IAM is a key component of cyber security, as it helps businesses protect their data and resources from unauthorized or malicious access.

To illustrate the importance of IAM in cyber security, consider a businessman named John.

"John does not use an IAM tool for his online store. John has a simple username and password for his admin account, which he uses to manage his inventory, orders, payments, etc. He also has several employees who have access to different parts of his store, such as customer service, marketing, accounting, etc. One day, John receives an email from a hacker who claims to have hacked his admin account and demands a ransom to release it. John is shocked and confused, as he does not know how the hacker got his credentials. He tries to log in to his store, but he finds that his password has been changed. He also notices that his inventory has been tampered with, his orders have been canceled, his payments have been diverted, and his customers have been spammed with malicious links. John realizes that he has been the victim of a data breach, and that his business is in jeopardy. He wonders how he could have prevented this from happening, and what he can do to fix it."

If John had used an IAM tool, he could have avoided this situation by:

- Using strong and unique passwords for his admin account and changing them regularly.
- Enabling MFA for his admin account and requiring it for any sensitive actions.
- Implementing RBAC for his employees and granting them the minimum access rights they need to perform their tasks.
- Monitoring and auditing the activities and logs of his users and devices to detect any suspicious or anomalous behavior.
- Using SSO to simplify and secure access to his store and the other third-party services he uses.

By using an IAM tool, John could have improved his security posture and reduced his risk of a data breach. However, since he did not have an IAM tool, he had to face the consequences of the hacker's attack. John learned a valuable lesson from the data breach and realized the importance of having an IAM tool for his business.

What are the components of Identity and Access Management?

The basic components of IAM are:

- Identification: the process of collecting and verifying the information that uniquely identifies a user or device, such as name, email, phone number, etc.
- Authentication: the process of verifying the identity of a user or device by using one or more factors, such as a password, PIN, fingerprint, face recognition, etc.
- Authorization: the process of granting or denying access to specific resources or services based on the identity, role, and permissions of a user or device.
- Account management: the process of creating, updating, deleting, and managing the accounts and credentials of users and devices.
- Directory service: the service that stores and organizes the information and attributes of users and devices, such as name, email, phone number, role, permissions, etc.
- Audit and compliance: the process of monitoring, logging, and reporting the activities and events

Database Exploitation with Time Based SQL Injection
How-To


There are different types of SQL Injection attacks, such as Error based, Time based and Boolean based. Each type of SQLi has the potential to cause a complete data breach in an organization. In this article, we are going to explore the Time Based SQL Injection attack. This type of SQL Injection uses the database's time delay functions to extract or dump the database. Let's explore this in detail. The article is divided into the sections below:

- What is Time Based SQL Injection Attack?
- SQL Delay Query Examples
- Time Based SQL Injection Payloads
- Identify if the Application is Vulnerable to Time-Based SQLi
- Dumping the database using Time Based SQL Injection
- Find MySQL Schema names using Time Based SQLi
- Find names of all tables under the schema in MySQL
- Time Based SQL Injection Prevention Techniques
- Conclusion

What is Time Based SQL Injection Attack?

We can define the Time Based SQL Injection Attack as follows: a Time Based SQL Injection attack is a type of SQL Injection attack that relies on time delays in SQL query execution to infer information about the database schema structure and the database contents. It is a type of inferential injection attack, in which the attacker has to infer (guess, enumerate) the database structure to exploit it. Unlike Error based SQL Injection attacks, here the application does not send any database information back to the attacker in any form. Instead, the attacker uses database time delay functions to dump the data. After executing a query that triggers a time delay on the database server, the attacker monitors the application's response time to note whether the delay happened on the database server or not. If the application responds slowly, by the amount of delay set by the attacker, then the attacker gets a clue that the application is vulnerable to Time based SQL Injection. Let's now first see what these SQL delay queries look like.

SQL Delay Query Examples

The table below lists the delay query syntax of different database server vendors.

Database Type   | SQL Delay Query            | Description
MySQL           | select sleep(5);           | Takes 5 seconds for execution.
MySQL           | do sleep(10);              | Takes 10 seconds for execution.
MS SQL Server   | WAITFOR DELAY '00:00:02';  | Takes 2 seconds for execution.
PostgreSQL      | select pg_sleep(4);        | Adds a sleep time of 4 seconds.

For example, if you run the query below in the MySQL server, it will take 5 seconds before the query returns the version number result.

select version(), sleep(5);

Now, let's understand how these time delay queries are used in time based SQL Injection payloads.

Time Based SQL Injection Payloads

Using the time delay queries of various database server vendors, below are some Time-based SQL Injection payloads (the first two use MySQL's sleep(); the third uses the MS SQL Server WAITFOR DELAY syntax).

,(select * from (select(sleep(10)))a)
%2c(select%20*%20from%20(select(sleep(10)))a)
';WAITFOR DELAY '0:0:30'--

This GitHub repo has a comprehensive list of time-based SQL Injection payloads.

Identify if the Application is Vulnerable to Time-Based SQLi

Now, you can use the time based payloads above to identify if the application is vulnerable or not. For this, find just one vulnerable input parameter of the application using the steps below:

1. Identify all input parameters of all APIs of the application using a tool like BurpSuite.
2. Insert the time delay SQLi payloads mentioned in the section above into each parameter, one by one, and observe the application response time.
3. Any parameter that triggers a slow application response is the vulnerable one.

Note: even if just one parameter is vulnerable, that is enough to dump the entire database using a Time based SQLi vulnerability. Here, we can surely say and report that the application is vulnerable to time-based SQLi.

Dumping the database using Time Based SQL Injection

To dump the database using a Time-based SQL injection vulnerability, you need to use conditional expressions. Let's understand how it works under the hood. For MySQL, below is the syntax for a conditional expression:

if(condition, when_true, when_false)

Now, the logic to dump the data is that we have to make a guess and then conclude whether our guess is right or wrong. We use our guess in the 'condition' part and put the query delay function in the when_true part. If you observe a delay in the application response, then the condition evaluated to True, meaning that the guess used in the condition is correct. Now, here's the interesting part. We enumerate or guess the database details piece by piece, i.e. character by character. For example, if we have to guess that the database has a table named 'products', then we guess it character by character, i.e. p, r, o, d, u, c, t, s. So, for the first letter 'p', we enumerate all characters between 'a' and 'z'. That means we need a total of 26 enumerations just to guess the first letter of a table name. Let's walk through this process with some real examples.

Find MySQL Schema names using Time Based SQLi

As mentioned before, for dumping data with time-based SQLi, you need to make guesses and try out all of them. For example, with the query below, we try to guess the name of one schema from the MySQL database. We know the schema name can be read from the MySQL table information_schema.SCHEMATA, column SCHEMA_NAME, using the query below:

select SCHEMA_NAME from information_schema.SCHEMATA s limit 1;

Now, let's use the query delay function and conditional expression to get the first letter of the schema name. Refer to the query below:

select if(substring(SCHEMA_NAME,1,1) = 'a', sleep(5), '') from information_schema.SCHEMATA s limit 1;

Here, we checked whether the first letter of the schema name is 'a' or not. If it is, the query will sleep for 5 seconds. We try all 26 letters, and for exactly one of them we will see the query execution sleep for 5 seconds. In this way, using time-based SQL Injection, the database can be dumped.

Find names of all tables under the schema in MySQL

Once you have identified the schema name, you can find table names using the query below and make guesses for every character using the sleep function.

SELECT table_name FROM information_schema.tables limit 1;

Query with sleep function:

select if(substring(TABLE_NAME,1,1) = 'a', sleep(5), '') from information_schema.TABLES s limit 1;

Time Based SQL Injection Prevention Techniques

There is no special
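As an added example (not the article's own code), the Python below shows the two defences that matter against the attack described above: a query built by string concatenation next to its parameterised form, run against an in-memory SQLite database where a stand-in sleep() records whether the engine ever executed it, and a scanner over constructed access-log lines that flags the vendor delay functions from the table above (plus MySQL's benchmark()) together with abnormally slow responses. The product table, the log format, the client addresses and the response times are all constructed for the example.

```python
"""Time-based SQLi: vulnerable string-built query beside its parameterised fix,
plus a log scanner for delay-function payloads and slow responses.
Added example using an in-memory SQLite database. SQLite has no sleep(), so a
stand-in 'sleep' function is registered that records each call instead of
blocking (a constructed substitute for MySQL's sleep())."""
import re
import sqlite3
import urllib.parse

SLEEP_CALLS = []  # every sleep() the database engine actually executed


def _fake_sleep(seconds):
    """Stand-in for MySQL sleep(): record the call instead of delaying."""
    SLEEP_CALLS.append(seconds)
    return 0  # MySQL's sleep() also returns 0


def make_db():
    """Constructed products table with the fake sleep() function attached."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, _fake_sleep)
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "lamp"), (2, "desk")])
    return conn


def lookup_vulnerable(conn, product_id):
    """String concatenation: attacker-controlled text is parsed as SQL, so a
    payload such as '1 and sleep(5)' makes the engine call sleep()."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, product_id):
    """Parameterised query: the input is bound as a value and compared with
    the id column; it is never parsed as SQL, so sleep() cannot run."""
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,))
    return [row[0] for row in rows]


# Delay functions of the vendors named in the article (MySQL sleep(),
# MS SQL Server WAITFOR DELAY, PostgreSQL pg_sleep()) plus MySQL benchmark(),
# matched case-insensitively after URL decoding.
DELAY_PATTERN = re.compile(
    r"sleep\s*\(|pg_sleep\s*\(|waitfor\s+delay|benchmark\s*\(", re.I)

# Constructed access-log lines: <client ip> "<method> <path>" <status> <ms>
SAMPLE_LOG = [
    '203.0.113.7 "GET /product?id=1" 200 85',
    '203.0.113.7 "GET /product?id=1%2c(select%20*%20from%20(select(sleep(10)))a)" 200 10092',
    '198.51.100.4 "GET /product?id=2" 200 91',
    '203.0.113.7 "GET /product?id=1%27%3BWAITFOR%20DELAY%20%270%3A0%3A30%27--" 500 30041',
]
LOG_LINE = re.compile(r'(\S+) "(\S+) (\S+)" (\d{3}) (\d+)$')


def scan_access_log(lines, slow_ms=3000):
    """Return (client, decoded path, reasons) for each request whose query
    string carries a delay function or whose response time exceeds slow_ms.
    A delay payload that also produced a slow response is the strongest
    signal that the parameter is injectable."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, path, _status, ms = m.groups()
        decoded = urllib.parse.unquote_plus(path)
        reasons = []
        if DELAY_PATTERN.search(decoded):
            reasons.append("delay-function payload")
        if int(ms) >= slow_ms:
            reasons.append("slow response (%s ms)" % ms)
        if reasons:
            findings.append((client, decoded, reasons))
    return findings


if __name__ == "__main__":
    db = make_db()
    payload = "1 and sleep(5)"
    print("safe  :", lookup_safe(db, payload), "sleep calls:", len(SLEEP_CALLS))
    print("unsafe:", lookup_vulnerable(db, payload), "sleep calls:", len(SLEEP_CALLS))
    for client, path, why in scan_access_log(SAMPLE_LOG):
        print(client, path, "; ".join(why))
```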

The Crucial Role of Identity and Access Management in Small Business
BUZZ Essentials


He was once locked up in a cupboard and robbed blind, because he had let a stranger inside his house. Another time, a psycho stalker barged inside his house, because he didn't have locks or latches to restrict that unauthorized entry! We're talking about none other than Joey Tribbiani! But more importantly, why are we talking about him when we should be discussing access management in cybersecurity and its importance for SMBs? Well, that's because the many incidents that happened in Joey's life in the iconic 90s sitcom 'F.R.I.E.N.D.S' have many uncanny similarities with cyber attacks and data theft, and they illustrate:

- How cyberattacks on SMBs happen
- The types of security lapses that give hackers/phishers unrestricted entry into a system/server
- How setting up security frameworks like identity and access management can seal vulnerabilities and security gaps to prevent cyberattacks

Dear Sirs and Madams, we kid you not! The biggest cybersecurity lesson we took from Joey's life is that giving everyone equal access and authorization rights is an open invitation to unwanted situations that could otherwise be avoided. Many SMBs make this same mistake. They give all their employees equal access and authorization rights to all files, apps, devices, and data. The result? The cybersecurity framework of the entire company is put in jeopardy. Instead, businesses should focus on implementing practices that give users the least rights (limited to their designations and departments). This is precisely the purpose of practicing the different techniques of privileged access management. Does this tickle your mind too? Care to entertain some insights on how identity and access management can save your business from phishing and MITM attacks? If yes, this post is the good news you were waiting for. We've created this article exclusively for all you SMBs. It will walk you through the meaning and purpose of all types of access management practices: Identity Verification, Role-based Access Control, SSO, MFA, and Access Reviews and Audits. Dive in!

What is Identity and Access Management in Cybersecurity?

Remember when Joey received his very first fan mail from his very own stalker? More importantly, remember how his excitement turned into a moment of panic when he realized that the psycho stalker, Erika Ford, had entered his building unchallenged? We can't stop thinking about what could have happened had Erika been a psycho killer or an impulsive thief instead of a beautiful stalker. This episode goes to show how anyone can access anything at any point in time when there are no policies to allow or deny entry. And this is the kind of mess that identity and access management aims to resolve in a workplace.

Also known as IAM, identity and access management is a framework of different policies, technologies, and tools that help a company control which user can access which app/data/info. It's like a filtering strategy. Every user or device is assigned an exclusive digital identity. Then, the different tools in the access management system start performing their duties. The end goal of implementing access management is to ensure that:

- Unauthorized people are denied access
- Authorized people do not face trouble accessing data
- Every user is able to access only the part of the database they're authorized to access based on their job role
- Once the role/responsibility of a user changes, access rights that are no longer applicable to the new role get revoked

Is Access Management Relevant for SMBs?

Let's explain the importance of privileged access management for your business with a simple example. Suppose a software developer, let's call him Drake Ramoray, joined a company. While working with the company, Drake performed exceptionally well and was promoted to senior software developer. His job role allowed him complete access to the source code, database, cloud servers, and CI/CD pipelines. Then, Drake upskilled himself further and became the Product Manager. He no longer works in the tech department. But here's the issue: he has moved departments and is now in the product team, but he still has access to apps and cloud-based servers with tech data from when he was a senior software developer with the company.

Can you imagine what would happen if, one day, Drake's system fell victim to a cyberattack? If phishers are able to barge into his system, the company will suffer substantial losses! Not only will the attackers get their hands on data about the product, but the tech data Drake had access to will be stolen too! If only this company had practiced access management, Drake wouldn't have had access to information no longer relevant to his department and designation. While there's no 100% guarantee that he wouldn't have fallen prey to phishers, what's certain is that the damage would have been a lot less severe. And this is why identity and access management is essential for SMBs. You might not realize it, but your company could be loaded with many Drakes you do not even know of! When SMBs implement the different types of access management controls, they're safeguarding their business from phishers who are always on the lookout to hack systems and extort hefty ransoms!

Access Management Techniques for SMBs

There are different access management techniques, each catering to a different problem in cybersecurity. Such variety bamboozles businesses, and companies fail to determine which ones are relevant to them. And if they choose wrong, they are most likely to lose to cyber criminals! If you've been meaning to implement access control in your company too and feel confused, look no further. We have you covered! Here are the five access management techniques that you must implement.

Identity Verification

Before authorization comes authentication, where the identity of the users is verified. It is essential to identify users to ensure they are who they claim to be. Alongside software and data protection, identity verification is also responsible for protecting the hardware, since that's where all the data is. The hardware includes storage devices, servers, and networks. If this is left unchecked, the chances of ransomware
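An access review that catches the Drake scenario described above, as an added Python example that is not from the article or from BUZZ: a constructed role-to-entitlement policy is compared against a constructed directory export, the grants that a user's current role does not justify are listed for revocation (administrative grants first), and under-provisioning and roles missing from the policy are reported separately so they are not confused with stale access.

```python
"""Role-change access review for the 'Drake' scenario: compare what each user
has actually been granted against what their current role permits and report
the entitlements that should have been revoked on role change.
Added example; roles, users and entitlements are constructed and do not
describe any real directory."""

# Constructed role-to-entitlement policy (what each role is allowed to hold).
ROLE_ENTITLEMENTS = {
    "software_developer": {"repo:read", "repo:write", "staging:deploy"},
    "senior_software_developer": {
        "repo:read", "repo:write", "staging:deploy",
        "prod-db:read", "prod-cloud:admin", "ci:admin",
    },
    "product_manager": {"repo:read", "roadmap:write", "analytics:read"},
}

# Constructed directory export: (username, current role, entitlements granted).
# Drake kept his senior-developer grants after moving to the product team.
USERS = [
    ("drake.ramoray", "product_manager",
     {"repo:read", "roadmap:write", "analytics:read",
      "prod-db:read", "prod-cloud:admin", "ci:admin"}),
    ("monica.geller", "software_developer",
     {"repo:read", "repo:write", "staging:deploy"}),
    ("chandler.bing", "product_manager", {"repo:read", "roadmap:write"}),
    ("phoebe.buffay", "intern", {"repo:read"}),  # role absent from the policy
]


def review_access(users, policy):
    """Return {username: {"excess": set, "missing": set, "unknown_role": bool}}.
    'excess' entitlements violate least privilege and must be revoked;
    'missing' ones are under-provisioning (a productivity issue, not a risk);
    an unknown role means the policy itself needs attention before anything
    about that user can be judged."""
    report = {}
    for username, role, granted in users:
        allowed = policy.get(role)
        if allowed is None:
            report[username] = {"excess": set(), "missing": set(),
                                "unknown_role": True}
            continue
        report[username] = {
            "excess": set(granted) - allowed,
            "missing": allowed - set(granted),
            "unknown_role": False,
        }
    return report


def revocation_plan(report):
    """Flatten the review into (username, entitlement) revocations, with
    administrative grants first so the highest-impact stale access is
    removed first."""
    plan = [(user, ent) for user, r in report.items() for ent in r["excess"]]
    return sorted(plan, key=lambda p: (not p[1].endswith(":admin"), p[0], p[1]))


if __name__ == "__main__":
    result = review_access(USERS, ROLE_ENTITLEMENTS)
    for user, ent in revocation_plan(result):
        print("REVOKE", user, ent)
    for user, r in result.items():
        if r["unknown_role"]:
            print("NO POLICY for the role of", user)
        if r["missing"]:
            print("UNDER-PROVISIONED", user, sorted(r["missing"]))
```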

GDPR Compliance Simplified for SMBs
Compliance Simplified


Demystifying GDPR for Small & Medium Businesses

In an era where data breaches and privacy concerns are escalating, the General Data Protection Regulation (GDPR) stands as a pivotal regulation in the realm of data protection and privacy. Originating in the European Union, GDPR has set a global benchmark for data privacy laws, significantly impacting businesses of all sizes, including small and medium-sized businesses (SMBs). For SMBs, the journey towards GDPR compliance may seem daunting due to limited resources and expertise compared to larger corporations. However, GDPR compliance is worth the effort: it builds trust with customers, enhances data security, and fosters a culture of privacy within the organization. This blog aims to demystify GDPR for SMBs, breaking down the complexities into manageable segments with practical, actionable guidance that balances simplicity with depth of information. By the end of this guide, SMBs will have a clearer understanding of GDPR requirements and how to integrate them into their business practices effectively and efficiently.

What Can You Expect

- Key GDPR Terminology Simplified for SMBs
- Decoding GDPR – A Detailed Look at Each Criterion
- Integrating GDPR Criteria into SMB Engineering Practices
- Practical Steps for SMBs to Achieve GDPR Compliance
- When and How to Begin Your GDPR Compliance Journey
- Summing Up the GDPR Journey for Small and Medium Businesses
- Frequently Asked Questions (FAQs) on GDPR for SMBs

Key GDPR Terminology Simplified for SMBs

Before diving into the specific criteria of GDPR, it's crucial for SMBs to familiarize themselves with the core terms used throughout the regulation. Understanding these terms is the first step in comprehending the requirements and implications of GDPR.

1. Data Subject: A data subject is any individual whose personal data is being collected, held, or processed. In an SMB context, this could be customers, employees, or any other individuals the business interacts with.

2. Personal Data: Personal data refers to any information that can be used to directly or indirectly identify a person. This includes names, email addresses, location data, IP addresses, and more. For SMBs, this is the data they collect from their customers or employees.

3. Data Processing: Data processing encompasses any operation performed on personal data, whether automated or manual. This includes collecting, recording, organizing, structuring, storing, adapting, retrieving, consulting, using, disclosing, disseminating, aligning, combining, restricting, erasing, or destroying data.

4. Data Controller: A data controller is an entity (individual, organization, or authority) that determines the purposes and means of processing personal data. In the case of an SMB, it is typically the business itself making decisions about how to handle customer or employee data.

5. Data Processor: A data processor is a third party that processes personal data on behalf of the data controller. This could include cloud service providers, payroll companies, or CRM systems used by SMBs.

6. Data Protection Officer (DPO): A DPO is a person with expert knowledge of data protection law and practices, who assists the data controller or processor in monitoring internal compliance with GDPR. While not all SMBs are required to appoint a DPO, it's important to understand the role, especially if the business processes large amounts of sensitive data.

7. Consent: Consent is a freely given, specific, informed, and unambiguous indication of the data subject's wishes. It involves a clear affirmative action signifying agreement to the processing of personal data. For SMBs, obtaining clear consent is crucial for many types of data processing activities.

8. Data Breach: A data breach is a security incident in which personal data is accessed, disclosed, altered, lost, or destroyed without authorization. Understanding and preparing for potential data breaches is essential for GDPR compliance.

Grasping these terms is fundamental for SMBs to navigate the GDPR landscape. It helps in understanding the regulation's requirements and how they apply to the specific contexts of their businesses. This knowledge forms the foundation for implementing GDPR-compliant practices and policies.

Decoding GDPR – A Detailed Look at Each Criterion

SMBs must understand these principles thoroughly and apply them in their data processing activities. This may involve revising data handling practices, updating privacy policies, and investing in data security measures.

1. Lawfulness, Fairness, and Transparency
- Lawfulness: Data processing must have a legal basis, such as consent, contract, legal obligation, vital interests, public task, or legitimate interests.
- Fairness: Processing should be fair to the data subject. This means considering how data processing affects the individuals and ensuring it does not have unjustified adverse effects on them.
- Transparency: Organizations must be transparent about how they use personal data. This involves clear communication with data subjects about data processing activities.

2. Purpose Limitation: Data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. This criterion ensures that data is used only for the reasons it was initially collected for.

3. Data Minimization: Organizations should only process the personal data that is necessary for achieving the purposes for which it is processed. This means limiting the data to what is absolutely necessary.

4. Accuracy: Personal data must be accurate and, where necessary, kept up to date. Inaccurate data should be corrected or deleted. This criterion emphasizes the importance of data accuracy in decision-making and personal rights.

5. Storage Limitation: Personal data should be kept in a form that permits identification of data subjects for no longer than necessary. This involves implementing data retention policies and ensuring data is not kept indefinitely without a valid reason.

6. Integrity and Confidentiality (Security): Data must be processed securely by using appropriate technical or organizational measures. This includes protecting data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

7. Accountability: The data controller is responsible for, and must be able to demonstrate, compliance with the other GDPR principles. This involves documenting data processing activities, implementing GDPR-compliant practices, and regularly reviewing these practices.

Integrating GDPR Criteria into SMB Engineering Practices

Understanding GDPR criteria is one thing, but translating them into actionable engineering practices is where many SMBs face challenges. This section aims to bridge that gap, offering practical

ISO-27001 Compliance Simplified for SMBs
Compliance Simplified


Demystifying ISO-27001 for Small and Medium-sized Businesses

In today's digital landscape, where data breaches and cyber threats are increasingly prevalent, safeguarding sensitive information has never been more crucial for Small and Medium-sized Businesses (SMBs). ISO-27001 offers a robust framework for managing and protecting data. But what exactly is ISO-27001, and why is it a game-changer for SMBs?

ISO-27001 is an internationally recognized standard for information security management. It provides a comprehensive set of guidelines and best practices for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Compliance with ISO-27001 demonstrates a commitment to data security, which can be a significant differentiator in the marketplace. However, the journey to ISO-27001 compliance can seem daunting, especially for SMBs. This is where our blog steps in. Our goal is to demystify ISO-27001 for SMBs, breaking the standard down into digestible, actionable steps. We aim to simplify the compliance process while ensuring that the depth and integrity of the standard are not compromised. Through this blog series, we will navigate each section of ISO-27001, offering practical insights and tips tailored for SMBs.

What Can You Expect

- Understanding the Core Criteria of ISO-27001: A Deep Dive for SMBs
- Annex A: Understanding the Security Controls in ISO-27001 for SMBs
- Integrating ISO-27001 into Engineering Practices for Compliance
- When to Start Your Journey Towards ISO-27001 Compliance
- Embracing ISO-27001 for a Secure Future
- FAQs: ISO-27001 Compliance for SMBs

Understanding the Core Criteria of ISO-27001: A Deep Dive for SMBs

ISO-27001 is structured around several key criteria, each playing a pivotal role in establishing a robust Information Security Management System (ISMS). For Small and Medium-sized Businesses (SMBs), understanding these criteria will help embed a culture of security and resilience at the heart of their operations. In this section, we'll explore each ISO-27001 criterion in detail, providing SMBs with the knowledge and tools to implement these standards effectively.

Context of the Organization

This criterion involves understanding the external and internal factors that can impact your ISMS. For SMBs, this means identifying the specific needs of your business, including legal, regulatory, and contractual requirements. It's about understanding your organizational context and how it shapes your approach to information security. Tailoring the ISMS to your unique business environment is crucial for effective implementation.

Leadership and Commitment

Leadership plays a critical role in the success of an ISMS. This criterion focuses on the need for top management to demonstrate leadership and commitment to the ISMS. For SMBs, this could mean allocating resources, establishing clear policies, and leading by example. A strong commitment from leadership not only drives the implementation process but also embeds a culture of security throughout the organization.

Planning

This involves identifying information security risks and opportunities, and establishing clear objectives for the ISMS. SMBs must conduct thorough risk assessments to understand their specific security vulnerabilities and develop plans to address them. This step is crucial in creating a proactive, rather than reactive, approach to information security.

Support

Ensuring adequate resources, training, and awareness is crucial for the effective functioning of an ISMS. SMBs need to ensure that their employees are well-trained and aware of their roles in maintaining information security. This also includes maintaining proper communication channels and ensuring the availability of necessary resources.

Operation

This criterion is about the actual implementation and operation of the ISMS processes. For SMBs, it involves putting the plans into action, managing information security risks, and ensuring that the ISMS is integrated into the business processes.

Performance Evaluation

Regularly evaluating the performance of the ISMS is essential. This includes monitoring, measurement, analysis, and evaluation. For SMBs, this could mean regular audits, reviews, and continuous improvement processes to ensure the ISMS remains effective and aligned with business objectives.

Improvement

The final criterion focuses on continually improving the ISMS. For SMBs, this means taking corrective actions when needed and continually updating the ISMS to cope with changes in the business environment or the threat landscape.

Each of these criteria is a building block in creating a comprehensive and effective ISMS. In the following sections, we will delve deeper into each of these criteria, offering practical guidance and insights tailored for SMBs.

Annex A: Understanding the Security Controls in ISO-27001 for SMBs

Annex A of ISO-27001 is a comprehensive framework comprising various security control sets. These controls are not mandatory but are recommended for organizations to address specific information security risks identified during their risk assessment process. For SMBs, selecting and implementing the right controls from Annex A is vital for effective risk management and compliance. Let's explore the core requirements under each category of Annex A:

A.5 Information Security Policies (2 controls)

This section deals with establishing and reviewing the policies for information security. The core requirement is to ensure that policies are aligned with business objectives, clearly articulate the organization's commitment to security, and are regularly reviewed and updated.

A.6 Organization of Information Security (7 controls)

These controls focus on the internal organization and the management of information security. They include aspects like defining roles and responsibilities, segregating duties to reduce the risk of unauthorized activity, and coordinating information security across the organization.

A.7 Human Resource Security (6 controls)

This category emphasizes security aspects related to employees and contractors. Core requirements include conducting background checks, ensuring employees understand their security responsibilities, and managing changes in employment.

A.8 Asset Management (10 controls)

These controls are about identifying information assets and defining appropriate protection responsibilities. Key requirements include classifying information to indicate the level of protection needed and handling assets securely.

A.9 Access Control (14 controls)

This section addresses the limitation and control of access to information. Core requirements include managing user access, ensuring users are aware of their responsibilities, and managing access rights, especially in the case of employee turnover.

A.10 Cryptography (2 controls)

The controls under this section deal with the use of cryptographic solutions to protect the confidentiality, authenticity, and integrity of information. The primary requirement is to use cryptography appropriately and effectively.

A.11 Physical and Environmental Security (15 controls)

What is a Path Traversal Attack?
How-To


Path Traversal is one of the most prevalent attack techniques against web applications and is also part of the OWASP Top 10 list of web-based attacks. It is very common and simple to exploit, with consequences ranging from file system access and information disclosure to Remote Code Execution.

What is a Path Traversal attack?
It is an attack technique aimed at accessing file system locations (files, directories) that lie outside the directory (the web root) the web application is served from. It can leak information about the system hosting the web application, such as sensitive files (config files, environment variables, files hidden from the web application, etc.), information such as application source code, and can even lead to Remote Code Execution.

Impact of a Path Traversal attack
A Path Traversal attack can have serious implications if exploited:
- Leak of sensitive files and information on the filesystem
- Remote code execution
- Creation of backdoors into the affected server

How does an application become susceptible to a Path Traversal attack?
Path Traversal is a consequence of improper input sanitization (at the application level) in flows that access the filesystem (such as reading files, images and scripts). Creatively constructed payloads for those parameters allow traversing to locations across the filesystem that are outside the web server root.

At its core, a Path Traversal payload is a parameter denoting a path to a location away from the root web application directory. The simplest payload is as below:

    http:///?file=../

This denotes access to one level above the base web application directory.

Different types of payloads for a Path Traversal attack

Regular payloads
    http:///?file=../           -> Nix environments
    http:///?file=/etc/passwd   -> Absolute path
    http:///?file=..\           -> Windows environments

For exploits, variations of the relative and absolute path can be picked and worked up level by level to reach different areas of the filesystem. Another technique is to fuzz directory names in a scan to see whether they exist.

Stripped payloads
    http:///?file=....//....//etc/passwd

This payload targets a non-recursive filter: after a single pass that strips "../", it is reduced to ../../etc/passwd.

Encoded payloads
    http:///?file=..%2F..%2F..%2Fetc%2Fpasswd%20

The above example has a URL-encoded parameter that translates to ../../../etc/passwd. In addition to a single level of encoding, multiple encodings can be applied for more creative exploits.

Payload starting from expected path
    http:///?file=/var/www/images/../../../etc/passwd

In this case, the web application validates the input parameter by requiring the input file to be located in the /var/www/images directory. The above payload passes that validation while still resolving to a location outside it.

Null-byte character
These payloads are used to bypass restrictions on the input file (such as a requirement that the file be a PNG):

    http:///?file=../../../etc/passwd%00.png

The null byte at the end causes the rest of the string to be discarded once validation has passed.

Basic vulnerable app, exploit and impact

    $file = $_GET['file'];
    include($file);

Accessing it through the following exploit:

    GET /dirtraversal.php?file=../../../../etc/passwd

Similar payloads that get the same result:

    /dirtraversal.php?file=/etc/passwd
    ..%2F..%2F..%2F..%2Fetc%2Fpasswd
    /etc/passwd

How do you prevent a Path Traversal attack?
Path Traversal is a fairly simple thing to solve. At its core it involves proper sanitization of user input:
- Preferably, do not pass user input to calls to the filesystem at all.
- Check user input: it should contain only allowed values, and input containing traversal characters should be stripped off. Accept only known-good input.
- Canonicalize user input and verify that it starts with the expected base directory.

A simple way to accomplish this is to compare actual paths on the filesystem and determine whether traversal is taking place. This is done by resolving the base directory to its real path and comparing it with the resolved real path of the requested file.

    $base_path = "/opt/homebrew/var/www";
    $file_path = $base_path . $file;
    $real_path = realpath($file_path);
    // realpath() returns false for a non-existent path and collapses any "../"
    // segments, so a path that escapes $base_path no longer carries its prefix.
    // The trailing separator keeps a sibling such as ".../www2" from passing the check.
    if ($real_path === false || strpos($real_path, realpath($base_path) . DIRECTORY_SEPARATOR) !== 0)
        echo "File not found!";
    else
        include($file_path);

The above code ensures that the requested file really exists under the /opt/homebrew/var/www folder, which is not the case when traversal is in place, resulting in the "File not found!" message instead of the file contents.

Conclusion
As shown, Path Traversal is a fairly common attack, being part of the OWASP Top 10 list of attacks. It is mostly caused by a lack of developer awareness and can cause a whole world of pain if exploited, with sensitive information disclosure and remote code execution being fairly common results of such attacks. It is fairly easy to solve: with checks and balances on user input, and by asking whether filesystem access driven by user input is even needed in the first place. If those measures are taken, we will be one step further in securing our web applications. At BUZZ, we have found various applications susceptible to Path Traversal attacks, which can have serious implications for an organization’s business and reputation if exploited. Check once, or contact BUZZ experts for securing your applications and systems.
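The realpath check above, carried through as an added example in Python (not the article’s PHP and not BUZZ’s code): it canonicalises the requested path against a throwaway web root and runs the article’s own payload shapes through it, including the double-encoded and stripped variants. The function names, the decode limit and the temporary web root are this example’s own assumptions.

```python
# Added example, not code from the original article: a canonicalising check for
# a ?file= parameter, exercised against the payload shapes the article lists.
# Function names (fully_decode, naive_strip, resolve_under_base, check_payloads)
# are this example's own; the web root and its one file are constructed.
import os
import tempfile
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # the article notes payloads may be URL-encoded more than once


def fully_decode(value: str) -> str:
    """Undo one or more layers of URL encoding until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_strip(value: str) -> str:
    """The weak, non-recursive filter the article's stripped payload defeats:
    one pass that deletes '../' turns '....//....//etc/passwd' into '../../etc/passwd'."""
    return value.replace("../", "")


def resolve_under_base(base_dir: str, user_value: str):
    """Return the canonical path for user_value if it lies inside base_dir, else None.

    Mirrors the article's realpath() approach: resolve both sides, then require the
    request to be a descendant of the base.  commonpath() rather than a plain string
    prefix test also rejects a sibling directory such as base_dir + '2'.
    """
    decoded = fully_decode(user_value)
    if "\x00" in decoded:
        return None  # null-byte truncation trick: reject outright
    base_real = os.path.realpath(base_dir)
    # os.path.join discards base_real when decoded is absolute, so absolute payloads
    # (/etc/passwd, /var/www/images/../../../etc/passwd) resolve outside the base.
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    try:
        if os.path.commonpath([base_real, candidate]) != base_real:
            return None
    except ValueError:  # e.g. different drives on Windows
        return None
    return candidate


# Payload shapes quoted in the article (constructed request parameter values).
PAYLOADS = [
    "images/logo.png",                       # legitimate request
    "../../../etc/passwd",                   # relative traversal
    "/etc/passwd",                           # absolute path
    "..%2F..%2F..%2Fetc%2Fpasswd%20",        # URL-encoded
    "..%252F..%252Fetc%2Fpasswd",            # double-encoded
    "/var/www/images/../../../etc/passwd",   # starts from the expected path
    "../../../etc/passwd%00.png",            # null byte before a .png suffix
    "....//....//etc/passwd",                # aimed at a non-recursive strip; here
                                             # '....' is just a directory name, so it
                                             # stays inside the base (and 404s normally)
]


def check_payloads() -> dict:
    """Evaluate every payload against a throwaway web root; True = stays inside it."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "images"))
        with open(os.path.join(base, "images", "logo.png"), "wb") as fh:
            fh.write(b"\x89PNG constructed sample")
        return {p: resolve_under_base(base, p) is not None for p in PAYLOADS}


if __name__ == "__main__":
    print("naive strip result:", naive_strip("....//....//etc/passwd"))
    for payload, contained in check_payloads().items():
        print("allowed " if contained else "rejected", payload)
```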

Demystifying Error based SQL Injection attacks
How-To


If you have detected that an application is vulnerable to SQL Injection, the next step in exploiting it is to know which type of SQL Injection it is. This will help you craft your SQL Injection payloads according to the type. In this article, we look at Error based SQL Injection, which is a type of in-band SQL Injection attack. We will also provide a live demo of an error-based SQL Injection attack using Acunetix. So, let’s get started.

The article encompasses the sections below. You can jump directly to any section if you want.
- What is error based SQL Injection?
- Definition of Error based SQL Injection
- Live example of Error based SQL Injection on Acunetix
- Error based SQL Injection payloads
- How to prevent Error based SQL Injection attacks?
  - Validate input parameters properly
  - Use Prepared Statements
- Conclusion

What is error based SQL Injection?
An Error based SQL Injection is an in-band type of SQL Injection attack in which attackers use a single channel to fire the SQL Injection payloads and also extract the results from the same channel. An example of an in-band attack is when an attacker sends a REST API request and immediately sees the desired results in the API response. In error based SQL Injection, the attacker relies on error messages returned by the database server. The error messages provide information about the structure of the schema and where exactly the error has occurred in the SQL query. Let’s look at the formal definition.

Definition of Error based SQL Injection
The Error based SQL Injection definition is as follows:

“Error based SQL Injection is a type of SQL Injection in which the attacker can see error messages thrown by the database server when SQL Injection payloads are fired.”

The error messages contain sensitive information about the database schema, the vulnerable SQL query, and the database type. The attacker uses this error information to accurately craft SQL Injection payloads for further penetration into the victim’s database system. It will become clearer when you see some live examples of error based SQL Injection in the next section.

Live example of Error based SQL Injection on Acunetix
Acunetix hosts a vulnerable web application online for testing purposes. It is freely accessible to all. The aim of the application is to demonstrate some of the severe web application vulnerabilities. You can access the Acunetix vulnerable web application here. There are many vulnerabilities in this application. However, we will only demonstrate the Error based SQL Injection. To do this, navigate as below:

Click on the Categories menu -> Click on any category displayed -> You will see posters in the category.

Now observe the URL in the address bar. It accepts a category ID as an input parameter, as highlighted below.

    http://testphp.vulnweb.com/listproducts.php?cat=1

This parameter is vulnerable to Error-based SQL Injection. To test for SQL Injection on this parameter, just append a single quote (') to the URL right after the value of the category ID. The resulting URL is as below (you can copy and paste it into the address bar):

    http://testphp.vulnweb.com/listproducts.php?cat=1'

As soon as you hit enter, instead of posters in the category you will see an error message:

    Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
    Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74

This error message is thrown by the MySQL database server. This database-side error message is the first clue to an attacker that the entered parameter value is reaching the query exactly as entered (along with any junk characters entered). We have highlighted the sensitive information in the above log. It clearly shows that the underlying database is MySQL and that the error is at line 1. You can now play around with parameter values and try injecting different variants of SQL Injection payloads from the payload list in the next section.

Error based SQL Injection payloads
Now that we know the parameter named ‘cat’ is vulnerable to Error based SQL Injection, we can embed various SQLi payloads. Let’s inject the payloads now:

    SQLi payload                                            Effect
    1 OR 1=1                                                Shows posters from all categories
    1 AND (SELECT 2839 FROM (SELECT(SLEEP(10)))DtDN)        Makes the database thread sleep for 10 seconds

For a full list of thousands of Error-based SQL Injection payloads, visit this GitHub repository.

How to prevent Error based SQL Injection?
As with any SQL Injection attack, the attacker tries to exploit the input parameters of the application and injects the SQLi payload into them. This applies to error based SQL Injection attacks as well. Below we list the two important prevention techniques.

Validate input parameters properly
As in the Acunetix application example above, the vulnerable parameter is ‘cat’. It is a numeric field representing the category ID. Hence, on the server side we need to add a validation check that the provided category ID really is an integer.

Use PreparedStatements
Do not create the SQL query using string concatenation. Use PreparedStatements so that the query parameters cannot alter the structure of the query being fired.

Conclusion
Of all types of SQL Injection attacks, error based SQL Injection is the most severe. It is severe because of the reduced turnaround time in seeing the results, and hence within a few minutes the attacker will be able to download the entire database of the victim application. BUZZ is an expert player in doing security assessments of SMBs and startups. We have found many instances of Error-based SQL Injection vulnerability in SMBs’ internet-facing systems. Remember, a single vulnerable parameter is a doorway for an attacker to download the entire database. The endpoints look safe to the naked eye, but upon security assessment the full database gets exposed. Do your application’s endpoints also look

What is SQL Injection Attack ?
How-To


In almost all cyber-attacks, hackers exploit security bugs (aka vulnerabilities) in the victim’s networks, machines, or installed software. One particularly severe vulnerability is “SQL Injection”. It is of such significance that attackers can dump entire databases of victims, which might lead to the forced closure of the organization. In this article, you will understand what an SQL Injection attack is and what causes SQL Injection attacks to happen. We will also explain a few basic prevention techniques for SQL Injection attacks. So, let’s get started.

This article is divided into the sections below. You can jump directly to any section.
- Definition of SQL Injection attack
- How does SQL Injection attack work?
- Demonstration of SQL Injection
- Prevention of SQL Injection attack
  - Prevention Technique 1: Use PreparedStatement with parameters
  - Prevention Technique 2: Validate input parameters
- Does SQL injection still work in 2023?
- Conclusion

Definition of SQL Injection attack
An SQL Injection attack is an injection type of attack in which an attacker injects malicious SQL statements (aka payloads) into the user-provided input fields of the application. These input fields are then used as is to prepare SQL statements that are executed on the database server. In other words, in an SQL Injection attack, an attacker can execute unauthorized SQL statements on the victim’s database through the application’s input fields. Using this attack, an attacker can get complete hold of the victim’s database. The database under attack has no way of knowing whether the SQL statement being executed is a normal SQL statement triggered by the application or a manipulated SQL statement executed as part of an SQL Injection attack by hackers. Let’s now understand how this attack works internally and what the main causes of the attack are.

How does an SQL Injection attack work?
We will explain how an SQL Injection attack works with an example you can relate to from everyday use: a login form. Consider the example below of a “Login Form” SQL Injection attack. The user needs to enter a username and password in order to log in. Below are the contents of the users table containing the username and password to be checked (although it is a bad table design where passwords are kept in unencrypted form, let’s keep the table super simple to understand the SQLi attack).

Once the user clicks on the “LOG IN” button, an API call to the backend server is made with a payload containing the entered username and password. We look directly at the server-side logic that validates the entered credentials against the credentials in the database table.

    import java.sql.*;   // Connection, DriverManager, Statement, ResultSet, SQLException
    // InvalidUserException is the application's own exception class (not shown in this excerpt).

    public static void main(String[] args) {
        String username = "john";
        String password = "John@123";
        //password = "John@1231' OR '1'='1"; // SQLi payload input
        try {
            int userid = validateCredentialsAndFetchUserId(username, password);
            System.out.println("User is found. User Id is :" + userid);
        } catch (InvalidUserException e) {
            System.out.println("Wrong username or password entered. No user found.");
        }
    }

    private static int validateCredentialsAndFetchUserId(String username, String password) {
        Connection con = null;
        Statement st = null;
        ResultSet resultSet = null;
        try {
            Class.forName("com.mysql.cj.jdbc.Driver");
            con = DriverManager.getConnection("jdbc:mysql://localhost:3306/mydb", "mydbuser", "Mydbpassword@123");
            st = con.createStatement();
            // Below SQL fetches the user with given username and password combination
            String sql = "select * from users where username='" + username + "' and password='" + password + "'";
            System.out.println("SQL to be fired :" + sql);
            resultSet = st.executeQuery(sql);
            if (resultSet.next()) {
                // We got the results. This means the user with the given username and password exists.
                // There can be at most 1 record with the given combination.
                // Now just return the user id of the first result.
                return resultSet.getInt("userid");
            } else {
                throw new InvalidUserException("Invalid user with username :" + username);
            }
        } catch (ClassNotFoundException | SQLException e) {
            // Driver or database failure; the JDBC checked exceptions must be handled
            // for the method to compile (the excerpt ends before this block).
            throw new RuntimeException(e);
        } finally {
            // resultSet, st and con should be closed here (omitted in the excerpt).
        }
    }

In the above code, we are building an SQL query of the form below.

    select * from users where username='john' and password='John@123'

If this query returns at least one result, the entered credentials exist in the database and the user is valid. The query is built using string concatenation, as below:

    String sql = "select * from users where username='" + username + "' and password='" + password + "'";

This code snippet is vulnerable to SQL Injection attacks. It is an example of Error based SQL Injection. Here, the user-provided input fields are passed as is to build a database query using string concatenation. An attacker can embed an actual SQL statement in any of the input fields and our code will concatenate the user’s input as is into the final SQL query executed on the database server. Let’s understand with some example input test cases. Note that we have added some debug logs (using System.out).

Demonstration of SQL Injection

The test case with valid credentials
For username="john" and password="John@123", below is the output.

    SQL to be fired:- select * from users where username='john' and password='John@123'
    User is found. User Id is: 100

The test case with “invalid” credentials
For username="john" and password="John@123456", below is the output.

    SQL to be fired:- select * from users where username='john' and password='John@123456'
    Wrong username or password entered. No user found.

This is working well. As a developer, you will be happy that the program works, as you have checked both positive and negative test cases. Now it is time for the impressive part: the hacker’s test case.

The hacker’s test case
For username="john" and password="John@1231' OR '1'='1", below is the output. Observe the quotes in the password. They are important so that a valid SQL statement is generated in the backend.

    SQL to be fired:- select * from users where username='john' and password='John@1231' OR '1'='1'
    User is found. User Id is: 100

As you can see, the hacker has entered the wrong password for the user (but injected the SQL Injection payload in the password field) and is able to fetch the user ID, i.e. bypass authentication. The SQLi payload used in the above test case is John@1231' OR '1'='1.

Prevention of SQL Injection attack
As you have
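The string-built login query and its PreparedStatement fix, together with the integer check on the cat parameter from the Error based SQL Injection article above, as one added example in Python against an in-memory SQLite table (not the article’s Java, and not BUZZ’s code). The table row, the function names and the single-quote probe helper are this example’s own assumptions.

```python
# Added example, not the article's Java code: the same login check against an
# in-memory SQLite table, first assembled by string concatenation and then with a
# parameterised query, plus the integer check the error-based article recommends
# for the cat parameter.  Table row and function names are this example's own;
# the password sits in clear text only to mirror the article's users table.
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table with the one row the article's output refers to."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userid INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (100, 'john', 'John@123')")
    return con


def login_concat(con, username: str, password: str):
    """Vulnerable: the article's query, assembled by concatenation.
    A quote in the input ends the literal, so the OR clause becomes part of the query."""
    sql = ("select * from users where username='" + username
           + "' and password='" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_prepared(con, username: str, password: str):
    """Safe: placeholders bind the inputs as values, so quotes never end the literal."""
    sql = "select userid from users where username=? and password=?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def quote_probe_errors(con, login) -> bool:
    """The single-quote probe from the error-based article: does appending a quote
    make the database raise a syntax error (the error-based clue) instead of
    simply answering 'no such user'?"""
    try:
        login(con, "john'", "irrelevant")
        return False
    except sqlite3.OperationalError:
        return True


def parse_category_id(raw: str):
    """Server-side check for a numeric parameter such as cat: ASCII digits only,
    converted to int; anything else (quotes, spaces, SQL) is refused with None."""
    if re.fullmatch(r"[0-9]{1,9}", raw) is None:
        return None
    return int(raw)


if __name__ == "__main__":
    con = make_db()
    payload = "John@1231' OR '1'='1"  # the article's hacker test case
    print("concat   :", login_concat(con, "john", "John@123"), login_concat(con, "john", payload))
    print("prepared :", login_prepared(con, "john", "John@123"), login_prepared(con, "john", payload))
    print("quote probe raises with concat:", quote_probe_errors(con, login_concat))
    print("cat=1 ->", parse_category_id("1"), "  cat=1' ->", parse_category_id("1'"))
```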

PCI-DSS Compliance Simplified for SMBs
BUZZ Essentials


Demystifying PCI-DSS for SMB SaaS Companies
For businesses, especially Small and Medium-sized Business (SMB) Software as a Service (SaaS) companies, safeguarding customer data is not just a best practice—it’s a necessity. This is where the Payment Card Industry Data Security Standard (PCI-DSS) comes into play. PCI-DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. For SMB SaaS companies, adhering to these standards is crucial. Not only does it protect the sensitive data of their customers, but it also instills trust and credibility in the market. Non-compliance can lead to severe penalties and, more importantly, a tarnished reputation. At BUZZ, we recognize the challenges SMBs face in navigating the complex world of cybersecurity. In the subsequent sections, we’ll delve deeper into the intricacies of PCI-DSS, its criteria, and how SMB SaaS companies can seamlessly integrate these standards into their operations.

What To Expect In The Following Sections
- Simplified Explanation of PCI-DSS Compliance Criteria
- Mapping PCI-DSS to Engineering Practices
- Understanding PCI Compliance Types and Choosing the Right Auditor
- Understanding PCI Compliance Levels and Their Implications
- Conclusion
- Frequently Asked Questions (FAQs) about PCI-DSS for SMB SaaS Companies

Simplified Explanation of PCI-DSS Compliance Criteria For SMBs

The 12 Core Requirements of PCI-DSS
The Payment Card Industry Data Security Standard (PCI-DSS) is structured around 12 primary requirements. These requirements, while seemingly straightforward, have various sub-requirements that provide depth and specificity to the overarching criteria. Let’s delve into each of these requirements and their associated sub-requirements.

1. Install and maintain a firewall configuration to protect cardholder data
Firewalls serve as the first line of defense, controlling traffic between networks and ensuring that only legitimate traffic is allowed. Properly configured firewalls prevent unauthorized access to cardholder data.
Key Components:
- Firewall and Router Configurations: Documented standards that specify how firewalls and routers should be set up and maintained.
- Connection Restrictions: Policies that dictate which external entities can access the cardholder data environment, ensuring only necessary connections are permitted.
Acceptable Evidence:
- Firewall configuration documentation.
- Change management logs.
Practical Scenario: A SaaS company offering online booking services must ensure that only web traffic on ports 80 and 443 can access their servers, blocking all other ports.

2. Do not use vendor-supplied defaults for system passwords and other security parameters
Manufacturers often ship systems with default settings for ease of setup. However, attackers are aware of these defaults, making systems vulnerable if unchanged.
Key Components:
- Change Defaults: All default passwords and settings should be altered before a system is brought online.
- System Hardening: Implementing security measures to reduce system vulnerabilities, including disabling unnecessary services and protocols.
Acceptable Evidence:
- System setup and configuration documentation.
- Account management records.
Practical Scenario: Before deploying a new database server, the default ‘admin’ password is changed, and unused accounts are deactivated.

3. Protect stored cardholder data
While it’s essential to limit the storage of sensitive data, any stored cardholder data must be securely protected to prevent unauthorized access.
Key Components:
- Data Retention Policy: Guidelines that dictate how long cardholder data is stored and when it should be purged.
- Data Encryption: Utilizing strong cryptographic measures to encrypt stored data, ensuring it’s unreadable without the necessary decryption key.
Acceptable Evidence:
- Data storage and retention policy.
- Encryption protocols and key management documentation.
Practical Scenario: An e-commerce platform stores only the last four digits of a credit card, with the full number being encrypted and stored securely.

4. Encrypt transmission of cardholder data across open, public networks
Data can be intercepted during transmission. Encrypting this data ensures it remains confidential and intact.
Key Components:
- Secure Transmission Protocols: Using protocols like TLS to encrypt data during transmission.
- Avoidance of Weak Encryption: Ensuring that outdated and vulnerable encryption methods are not in use.
Acceptable Evidence:
- Network transmission logs showing encrypted transmissions.
- SSL/TLS certificate records.
Practical Scenario: A cloud-based CRM ensures that all data transfers between the client and server are encrypted using TLS 1.3.

5. Protect all systems against malware and regularly update anti-virus software or programs
Malware, including viruses, worms, and trojans, can compromise system integrity and lead to data breaches.
Key Components:
- Regular Malware Scans: Scheduled scans to detect and remove any malware infections.
- Updated Anti-virus Definitions: Ensuring the anti-virus software is updated with the latest definitions to recognize new malware.
Acceptable Evidence:
- Anti-virus configuration and update logs.
- Malware scan reports.
Practical Scenario: A SaaS-based accounting software runs daily malware scans during off-peak hours and updates its anti-virus definitions weekly.

6. Develop and maintain secure systems and applications
Software vulnerabilities can be exploited by attackers. Regularly updating and patching systems and applications mitigates these risks.
Key Components:
- Vulnerability Management Process: A process to identify, rank, and address security vulnerabilities in systems and applications.
- Patch Management: Regularly updating systems and applications with the latest security patches.
Acceptable Evidence:
- Patch management logs.
- Vulnerability assessment reports.
Practical Scenario: A project management tool has a dedicated team to monitor for any vulnerabilities and ensures patches are applied within a week of release.

7. Restrict access to cardholder data by business need-to-know
Limiting access to data reduces the risk of unauthorized access or data breaches.
Key Components:
- Role-based Access Controls: Assigning access based on roles within the organization, ensuring employees only access data necessary for their job functions.
- Regular Access Reviews: Periodic reviews to ensure that access permissions are still appropriate for each user.
Acceptable Evidence:
- User access logs.
- Role and permission documentation.
Practical Scenario: In a payroll software company, only the finance team can access full cardholder data, while the support team can only view masked data.

8. Identify and authenticate access to system components
Ensuring that every individual accessing the system is uniquely identifiable helps in accountability and tracking.
Key Components:
- Unique User IDs: Every user should have a unique identifier.
- Multi-factor Authentication: Implementing additional authentication measures, such as tokens or biometrics, in addition to passwords.
Acceptable Evidence:
- User account records.
- Multi-factor authentication setup documentation.
Practical Scenario: A digital marketing platform requires users to enter a

SOC-2 Compliance Simplified For SMBs
Compliance Simplified


In today’s digital age, trust is paramount. As businesses increasingly migrate to the cloud, customers demand assurance that their data is safe, secure, and handled with the utmost care. Enter SOC-2, or Service Organization Control 2, an auditing procedure developed by the American Institute of CPAs (AICPA). This framework evaluates and reports on the controls at a service organization related to the security, availability, processing integrity, confidentiality, and privacy of a system.

So, why should SMB (Small and Medium-sized Business) SaaS (Software as a Service) companies take note?
#1. SOC-2 compliance demonstrates to clients and stakeholders that data security is a top priority, and the company has established controls to ensure the confidentiality, integrity, and availability of their data.
#2. In a competitive SaaS marketplace, having a SOC-2 certification can provide a distinct advantage, showcasing a company’s commitment to security and trustworthiness.

As we delve deeper into the intricacies of SOC-2 in this article, we’ll explore how SMB businesses can navigate this complex landscape and build trust, foster customer relationships, and ensure sustainable business growth.

SOC-2 Simplified For SMBs – What Can You Expect?
- SOC-2 Compliance Simplified for SMBs
- What Can SMBs Do to Fulfill Each SOC-2 Compliance Criteria?
- Mapping SOC-2 Compliance to SMB Engineering Practices
- When to Start Thinking About SOC-2 Compliance?
- Conclusion
- Frequently Asked Questions (FAQs)

SOC-2 Compliance Simplified for SMBs
SOC-2 compliance revolves around five trust criteria, each designed to address specific areas of operational and technological risks. Among these, the “Security” criterion is the only essential one that all organizations must meet. The other criteria—Availability, Processing Integrity, Confidentiality, and Privacy—are optional, allowing organizations to tailor their compliance efforts based on their unique operational needs and the specific demands of their clientele.

a. Security (Essential)
The Security criterion is foundational and ensures that systems are protected against unauthorized access, both physical and logical. This protection prevents data breaches, unauthorized changes, and system failures.
Security Key Components:
- Access Controls: Mechanisms like multi-factor authentication ensure that only authorized individuals can access data. For example, a banking app might require both a password and a one-time code sent to the user’s phone.
- Network Security: This involves tools like firewalls and intrusion detection systems that guard against both external attacks and internal breaches.
- Regular Security Assessments: Just as a building undergoes safety inspections, systems should have routine checks to identify vulnerabilities. This includes periodic penetration testing and vulnerability assessments to ensure robustness against emerging threats.

b. Availability (Optional)
Availability focuses on the system’s accessibility and performance as promised in service agreements. While optional, it’s crucial for businesses that promise high uptime and reliability to their users.
Availability Key Components:
- Network Performance Monitoring: Tools that ensure the system remains accessible and performs optimally, even under high demand.
- Infrastructure Maintenance: Like ensuring a car is serviced regularly, hardware and software need updates and maintenance to run smoothly.
- Disaster Recovery Plans: These are strategies, like data backups, to recover data and restore service after events such as natural disasters or cyberattacks.
- Performance Monitoring: Using tools to monitor system health, akin to a heart rate monitor during physical activity, helps address issues before they escalate.

c. Processing Integrity (Optional)
This criterion ensures that a system achieves its purpose—delivering the right data to the right place at the right time. It’s optional but vital for businesses where data processing accuracy is paramount.
Processing Integrity Key Components:
- Data Verification: Checks, like cross-referencing, ensure data is processed correctly. For instance, verifying credit card details before processing a transaction.
- Quality Assurance: Regular testing, much like test-driving a car, ensures processes work as intended and that data integrity is maintained throughout its lifecycle.
- Process Monitoring: Tools that act like surveillance cameras, watching for any deviations from expected processing, and alerting teams to anomalies.

d. Confidentiality (Optional)
Confidentiality ensures that data designated as confidential is adequately protected. While optional, it’s essential for businesses handling sensitive data like financial or health records.
Confidentiality Key Components:
- Encryption: This is like converting a readable book into a secret code that only certain people can understand. Both data at rest and in transit should be encrypted to ensure its confidentiality.
- Access Restrictions: Similar to having restricted areas in a facility, certain data is only viewable by specific roles, ensuring that only those with a legitimate need can access sensitive information.
- Data Classification: This involves categorizing data, much like a library classifies books, and applying protection measures based on sensitivity. This helps in determining which data requires the highest levels of protection.

e. Privacy (Optional)
The Privacy criterion pertains to the collection, storage, processing, and sharing of personal information. It’s optional but becomes crucial for businesses that handle vast amounts of personal data or operate in regions with strict privacy regulations, such as the GDPR. Mishandling personal data, such as email addresses collected for newsletters, can lead to hefty fines.
Privacy Key Components:
- Consent Management: This ensures data is used only with the individual’s permission, much like needing permission to enter someone’s house. It’s about being transparent with users about how their data will be used and ensuring that it’s used in ways they’ve agreed to.
- Data Minimization: This principle is about collecting only necessary data, akin to a diner ordering just what they can eat. It’s essential to ensure that only the data needed for specific processes is collected and stored.
- Retention Policies: Like not hoarding items indefinitely, data shouldn’t be kept longer than necessary and should be discarded securely. This involves having clear policies about how long data will be stored and the methods used to securely delete it when it’s no longer needed.

Why Are Some Criteria Optional?
The optional nature of certain criteria allows businesses to align their compliance efforts with their specific operational realities. Not all businesses will need to ensure high availability or process personal data, for instance. By making some criteria optional, SOC-2 provides flexibility, allowing organizations to focus on what’s most relevant to their operations and their customers’ needs.

What Can SMBs Do to Fulfill Each SOC-2 Compliance Criteria?
