Ron Kuriscak

Ron Kuriscak is Managing Director at NetSPI. He is an accomplished Chief Security Officer, Chief Information Security Officer, and security professional with over 20 years of experience in security leadership, management, collaboration, and building trust. He has led large cybersecurity teams, presented to many boards and at industry events, and held the position of CSO/CISO at a number of Fortune 500 organizations. He has a proven track record of building strong, successful teams and is recognized by security experts for developing exceptional security programs. Ron holds CISSP and CISM certifications.
More by Ron Kuriscak

Gut Check: Are You Getting the Most Value out of Your Penetration Testing Report?
Published November 14, 2023 (updated January 15, 2024)

Not all penetration testing reports are created equal, so we summarized the key sections to look for that build up to a comprehensive and actionable report. Quality vendors extend their reporting beyond a simple PDF into custom software, such as NetSPI’s Resolve™, that aids ongoing vulnerability management. Over time, the results of penetration testing engagements can be tracked, along with their severity and remediation status, giving simpler insight into an enterprise's overall security performance.  

Use this article and the penetration testing report examples below to make sure reports you receive speak to prioritized findings backed up with sound methodology. 

Need to find a quality penetration testing company? We’ve got you covered with this Penetration Testing RFP template.

The Anatomy of a Sample Penetration Testing Report

What's the ultimate goal of a penetration testing report? According to our security consultants, penetration testing reports have three purposes:  

  1. Identify network, system, and application layer vulnerabilities that exist in a client’s environment from the perspective of an unauthenticated attacker. 
  2. Provide clients with an understanding of the potential impact vulnerabilities could have by leveraging them to gain access to critical resources.  
  3. Provide clients with a prioritized remediation approach to address the identified vulnerabilities.  

Here's a quick rundown of what's included in a penetration testing report, with more detail on each section:

  • Executive Summary – Project objectives, scope and timeframe, summary of results, and a summary of recommendations. 
  • Technical Detail – A list of constraints if any are present, and the approach the penetration testers took to create the results.  
  • Vulnerability Details – Relevant vulnerability findings in order of priority based on risk to the business. Clients can access a list of all the report findings at any time, but the true value comes with NetSPI’s security consultants categorizing the findings into critical, high, medium, and low severity for focused remediation efforts. 
  • Contact Information – This is a no-brainer if you want additional support or need to pass along the report to other parties for validation.  
  • Environment and Systems in Scope – A list of all assets included in testing for this specific engagement.  
  • Penetration Testing Methodology – The steps penetration testers take during an engagement, typically covering everything from information gathering on the current network architecture to presenting the penetration testing report. 
  • Risk Management Approach Overview – Communication is key to avoiding unnecessary reactions to a penetration test. This section describes the steps the penetration testing company takes to proactively avoid emergency responses to its testing activities (for example, an incident response team treating the test as a live attack).  
  • Security Toolkit Reference – A list of primary tools used in the engagement. Check out this roundup of the must-have Burp extensions according to our penetration testers. 
  • Revision History – Finally, you’ll find a list of the people behind the engagement who helped analyze findings to create the report alongside any dates they made changes. 

The level of detail and terminology varies from report to report, but the above sections make up a comprehensive penetration testing report.
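As an added illustration (not code from the original article, and not NetSPI's Resolve platform), the following Python script shows how the severity bucketing and prioritization described for the Vulnerability Details section, and the remediation-status tracking mentioned in the introduction, can be done mechanically. Severity buckets follow the CVSS v3.1 qualitative scale; the findings, asset names and SLA windows are constructed sample values.

```python
"""Added example: bucket pentest findings by severity, order them the way a
report's Vulnerability Details section would, and track remediation status.
Findings and SLA windows below are constructed sample data, not NetSPI's."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.1 base score to the FIRST qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


# Remediation SLA in days per severity; assumed values for illustration only.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180, "none": None}
# Sort rank: critical findings first.
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}


@dataclass
class Finding:
    fid: str
    title: str
    cvss: float
    asset: str
    found_on: date
    fixed_on: Optional[date] = None

    @property
    def severity(self) -> str:
        return cvss_severity(self.cvss)

    def overdue(self, today: date) -> bool:
        """True if the finding is still open past the SLA window for its severity."""
        sla = SLA_DAYS[self.severity]
        if self.fixed_on is not None or sla is None:
            return False
        return today > self.found_on + timedelta(days=sla)


def prioritize(findings):
    """Order by severity bucket, then higher CVSS, then older findings first."""
    return sorted(findings, key=lambda f: (RANK[f.severity], -f.cvss, f.found_on))


def remediation_summary(findings, today: date):
    """Per-severity counts of open, fixed and overdue findings for trend tracking."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f.severity, {"open": 0, "fixed": 0, "overdue": 0})
        if f.fixed_on is None:
            s["open"] += 1
            if f.overdue(today):
                s["overdue"] += 1
        else:
            s["fixed"] += 1
    return summary


# Constructed sample findings (hypothetical assets, not from a real engagement).
SAMPLE = [
    Finding("F-001", "SQL injection in login form", 9.8, "app.example", date(2023, 9, 1)),
    Finding("F-002", "Missing rate limiting on password reset", 5.3, "app.example",
            date(2023, 9, 1), fixed_on=date(2023, 9, 20)),
    Finding("F-003", "Outdated TLS configuration", 7.4, "vpn.example", date(2023, 8, 1)),
    Finding("F-004", "Verbose server banner", 3.1, "web.example", date(2023, 9, 1)),
    Finding("F-005", "Kerberoastable service account", 8.8, "dc01.example", date(2023, 9, 10)),
]
# Date the report is being reviewed; assumed.
REPORT_DATE = date(2023, 10, 1)

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.severity:8} {f.cvss:4} {f.fid} {f.title} overdue={f.overdue(REPORT_DATE)}")
    print(remediation_summary(SAMPLE, REPORT_DATE))
```

The ordering key matters more than it looks: two "high" findings are not interchangeable, so the script breaks ties by CVSS score and then by age, which is what a remediation team reading the report actually needs. The overdue flag is what turns a one-off PDF into something you can track engagement over engagement.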

Penetration Testing Report Examples

Want to get your hands on a sample penetration testing report? Access examples from NetSPI for reference. Be sure to bookmark these sample reports to keep them on hand when you need to compare the quality of a report you receive — or connect with our team anytime for a gut check.

  • Web Application Pentesting Sample Report
  • External Network Pentesting Sample Report
  • AWS Cloud Pentesting Sample Report

Now What? Steps to Take after Receiving a Penetration Testing Report 

Consider a penetration test to be a baseline of what you’re doing well and where you can find areas to improve. Conduct a post-mortem after a penetration test to review the findings and discuss a remediation plan with your team. Prioritize high-severity vulnerability findings, while tackling the subsequent categories over time.  

While this report is the final deliverable following a penetration test, companies that follow a Penetration Testing as a Service (PTaaS) methodology, like NetSPI, factor these key reporting components into their pentesting platforms to track performance over time. 

This leads to the growing area of continuous pentesting, which uses Attack Surface Management (ASM) to proactively monitor changes to the attack surface, paired with External Network Penetration Testing to bring a highly targeted approach to the most relevant exposures.

Whether you received your hundredth penetration test report, or you’re just starting to review your first one, benchmarking your report against NetSPI’s sample reports will give you greater context into the quality of the report in front of you. Access NetSPI’s penetration testing report examples anytime for reference.

What You Need to Know to Start Implementing the FDA’s New Medical Device Security Requirements
Webinar, October 20, 2023 (updated December 8, 2023)

Medical device security takes center stage with the passing of the Consolidated Appropriations Act of 2023 (Omnibus). The Act outlines new requirements of medical device manufacturers to submit a detailed plan for addressing cybersecurity as part of their software development lifecycle.

But you don’t have to navigate these changes alone. NetSPI Managing Director Ron Kuriscak and Abbott Senior Director of Cybersecurity Operations Steve Currie took an in-depth look at the new requirements and pulled together a clear and actionable summary of what you need to know to stay agile while preparing for compliance.

Attendees will leave this session with a better understanding of:

  • Key Omnibus milestones and a summary of updates in Section 3305 "Ensuring Cybersecurity of Medical Devices" — and how to prepare
  • The requirements of submitting a medical device security plan to the FDA 
  • An overview of how the U.S. Department of Health and Human Services is assisting hospitals and healthcare systems with implementing the NIST Cybersecurity Framework
  • Details on enforcement and compliance, zooming in on post-market guidance, vulnerability management best practices, and breach notification guidelines

Gain support on your path to enhancing device security. Watch Ron and Steve’s talk now to get started on solid footing!

Video: https://youtu.be/zCmVFy2bCwM

Deciphering the Omnibus for Medical Device Security
Published October 17, 2023

TL;DR

The Consolidated Appropriations Act of 2023 brings a substantial change to the regulation of medical device cybersecurity. Section 3305 mandates that medical device manufacturers must submit comprehensive plans to the FDA, focusing on monitoring, identifying, and proactively addressing medical device vulnerabilities. This shift aims to enhance the safety and integrity of medical devices, emphasizing the importance of cybersecurity in healthcare. 

The Consolidated Appropriations Act of 2023 (Omnibus), which was enacted on December 29, 2022, has introduced a significant shift in the regulation of medical devices, particularly in cybersecurity. This legislation mandates that medical device manufacturers must submit comprehensive plans to the Food and Drug Administration (FDA) for monitoring, identifying, and addressing cybersecurity vulnerabilities within their products.  

Notably, the law is written to be forward-looking, giving the FDA room to adapt its requirements to evolving cyber threats. Moreover, the FDA receives specific funding, totaling $5 million, to bolster its efforts in the field of cybersecurity. This new legal framework requires a thorough understanding of its intricacies to prepare for compliance.  

We conducted a detailed analysis of the updated requirements and compiled a clear and actionable summary to help navigate the changing landscape effectively. 

Key Milestones in the Consolidated Appropriations Act of 2023 (Omnibus)

  • December 29, 2022: Consolidated Appropriations Act, 2023 (Omnibus) was signed into law 
  • March 29, 2023: Changes detailed in the Omnibus go into effect 
  • October 1, 2023: End of the FDA's transition period. Before this date, the FDA said it did not intend to issue “refuse to accept” decisions based solely on the new cybersecurity requirements; from this date on, cyber device submissions that omit the required cybersecurity information may be refused  

Summary of Updates Relevant to Medical Device Security

Section 3305 of the Consolidated Appropriations Act, titled "Ensuring Cybersecurity of Medical Devices," represents a pivotal development in the regulatory landscape. Under this section, medical device manufacturers are now required to submit comprehensive plans to the Food and Drug Administration (FDA) designed to ensure the cybersecurity of their products. These plans must encompass a range of considerations, including the monitoring, identification, and proactive addressing of vulnerabilities within medical devices.  

The requirements include aspects such as vulnerability disclosures, encouraging information sharing within the industry, and the establishment of incident response protocols. By focusing on these critical security elements, Section 3305 not only bolsters the safety and integrity of medical devices but also emphasizes the importance of collaboration and transparency in combating cyber threats within the healthcare sector. 

What to Include in the Plan for the FDA

The medical device security plan submitted to the FDA encompasses several critical components designed to enhance the cybersecurity of medical devices. Manufacturers are mandated to develop strategies for monitoring, identifying, and addressing cybersecurity vulnerabilities and potential exploits, with a focus on coordinated vulnerability disclosure and related procedures.  

Moreover, manufacturers must establish and maintain processes to ensure that the device and associated systems are sufficiently cyber-secure. This includes the provision of post-market updates and patches, addressing known unacceptable vulnerabilities on a reasonable schedule and addressing critical vulnerabilities that could pose uncontrolled risks as soon as they are discovered. 

Additionally, the requirements expand government involvement in this sector. They task the Government Accountability Office (GAO) with preparing reports and conducting reviews. Furthermore, there's a mandate to publish guidance on the content of premarket submissions to manage cybersecurity in medical devices and make public resources available to improve the cybersecurity of these devices. 

The Comptroller General of the U.S., who heads the GAO, is also directed to produce a report assessing the challenges stakeholders face in accessing federal support for addressing vulnerabilities across federal agencies. It’s important to note that failure to comply with these cyber device submission requirements is a prohibited act under Section 301 of the Federal Food, Drug, and Cosmetic (FD&C) Act, underscoring the gravity of these updates. 

Breach Notification Guidelines and Incident Reporting

Should a cyber incident occur, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) defines what must be reported. These requirements do not take effect until CISA's final rule is in place, expected in late 2024 or 2025, but they will include:  

  • Reporting covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of the entity reasonably believing a substantial incident has occurred 
  • Reporting ransomware payments within 24 hours of the payment being made  

Key Considerations when Implementing Omnibus Requirements

For individuals on the frontline of executing the updated requirements, these four considerations are helpful to keep in mind:  

  1. Network Status
    It’s often repeated that you cannot protect what you cannot see, but you also cannot investigate a mishap or accident to find the root cause of a cyber incident without a dynamic, real-time map of the machines and computers communicating in your environment. Attack Surface Management is extremely beneficial here, giving organizations continuous, real-time asset discovery and monitoring.
  2. Product Vulnerabilities
    Not all vulnerabilities carry the same weight. The degree to which vulnerabilities impact integrity and availability of systems varies. Some vulnerabilities have limited scope in that they only apply to a few types of software features or interfaces, while others may have additional compensating controls that can mitigate their severity. 
  3. Threat Actor Capabilities
    For many medical devices, the primary attack surface is factory-default credentials exposed over Secure Shell (SSH). Once an attacker has logged in, they typically fingerprint the underlying operating system to choose a payload, often enrolling the device in a botnet. 
  4. Data Rich, Information Poor
    Behavioral analysis and anomaly detection for network operations can augment threat intelligence and overall security postures. Continuous monitoring and analytics help security leaders diagnose the root cause of unexpected operational changes and deviations from baseline behavior. 

By addressing these areas, organizations will be better positioned to protect their medical device systems and data. 

Updated Definition of a Cyber Device

In the Omnibus legislation, a "cyber device" is defined by three key attributes: 

  • It includes software validated, installed, or authorized by the sponsor as a device or in a device, indicating software's integral role in device functionality.
  • It must possess the ability to connect to the internet. 
  • It encompasses any technological characteristics that have been validated, installed, or authorized by the sponsor, which could potentially be susceptible to cybersecurity threats.  

This definition extends to the Internet of Medical Things (IoMT), covering an array of healthcare innovations, from smart diagnostics to wearable devices, insulin pumps, and even pacemakers. By focusing on these criteria, the legislation aims to ensure the security and responsible use of these connected devices. 

How the U.S. Department of Health and Human Services is Assisting

In March 2023, the U.S. Department of Health and Human Services (HHS) introduced the "Health Care and Public Health Sector Cybersecurity Framework Implementation Guide." This non-binding resource aids hospitals and healthcare facilities in adopting the NIST Cybersecurity Framework by covering five concepts for boards to follow: 

  1. Approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue  
  2. Understand the legal implications of cyber risk as they apply to the company's specific circumstances  
  3. Ensure adequate access to cybersecurity expertise, and give discussions of cyber-risk management regular and adequate time on the board meeting agenda  
  4. Set the expectation that management will establish an enterprise-wide cyber-risk management framework  
  5. Include identification of which risks to either avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach, in discussions of cyber risks between the Board and organizational management 

Visit the guide for more information, Health Care and Public Health Sector Cybersecurity Framework Implementation Guide. 

At NetSPI, our goal is to equip our clients to maintain the security of their systems and avoid potential breaches. Our healthcare-specific expertise helps organizations plan for updated requirements and achieve compliance to create secure medical devices. Learn more about our healthcare security or contact us today for a consultation.

Move from Passive to Proactive with Offensive Security over Cyber Insurance
Published June 6, 2023 (updated October 3, 2023)

Cyber insurance has become the standard way organizations transfer the ever-increasing risk of ransomware, giving companies a failsafe to recoup their losses. However, industry chatter around cyber insurance premiums increased in the last year as the cost of insurance has shifted to outweigh the potential benefit of a payout after a ransomware event. Premiums and deductibles rose to meet the high cost of ransomware attacks while coverage shrank, putting more responsibility for proactive security measures on companies just to qualify for coverage in the first place.  

As organizations face double-digit increases to their insurance premiums, the current state of cyber insurance has security leaders questioning whether the investment is worth it. Instead of putting their budget toward insurance, companies may be better off spending their dollars on offensive security measures that create a stronger security posture from the start.  

4 Stats that Show the Reality of the Cyber Insurance Market 

The cost of cyber insurance is rising to meet the increased cost of data breaches. At the same time, threat actors are relentless in their pursuit of sensitive information, putting every company at risk of an attack. Interestingly, most of these attacks use common tactics such as social engineering or exploiting a known vulnerability, rather than advanced methods of gaining entry.  


Because of this, companies need to prove they’ve done their due diligence in securing their environment with baseline measures such as multi-factor authentication, infrastructure access management, user identity and role governance, and training staff to recognize phishing attempts. Insurance carriers are increasingly requiring these measures, along with offensive security testing, to qualify for cyber insurance or to reduce its cost.

The stats below help paint a picture of the reality of cyber insurance today. 

In short, these stats tell the story of the increasing cost of data breaches paired with companies paying higher prices for cyber insurance. 

How Much does Cyber Insurance Cost? 

Global composite insurance pricing rose sharply starting in Q2 2019 and continued a drastic increase through Q4 2020. Current data suggest the market may be stabilizing, as the quarter-over-quarter rate of increase is falling.  

The stabilization we’re seeing today doesn’t discount the dramatic increase in costs companies have had to accommodate over the last couple of years. Trends like these may become commonplace as the economy continues to fluctuate.  

[Chart: Global Insurance Composite Pricing Change, by quarter. Source: Marsh, Global Insurance Market Update, US Pricing Q4 2022]

Cyber insurance is a reactive security measure, meaning companies need to pair it with proactive security steps to establish a bulwark against breaches. Organizations can’t solely rely on cyber insurance as the means of their cybersecurity program. Paying insurance premiums means money spent on coverage may never come back to benefit your organization. However, investing in offensive security results in a compounded return on investment by reducing the potential for ransomware. 

Achieve Defense in Depth by Implementing Offensive Security Controls 

Offensive security testing, such as penetration testing or external attack surface management, addresses the preventative side of a multi-layer defense in depth security program. Contrary to the popular view of offensive security, it's not just about vulnerability discovery, but rather activities to help validate that the compensating controls are working as they’re intended to.  

For example, if one control is bypassed, do you have a second layer of security to slow down the attacker? When issues are prevented in the first place, they have the potential for larger savings down the line, as opposed to when vulnerabilities are fixed after they become a problem or are exploited.

The steps to implement offensive security are simpler than you might think. With 88 percent of data breaches caused by human error, training staff to recognize phishing attempts is a great starting point. Shifting budget from cyber insurance premiums to offensive security measures puts organizations in a better position to prevent attacks and manage the cost of cyber insurance coverage.  


Offensive Security is for Everyone 

At NetSPI, we’re seeing clients reinvest their cyber premium funds from reactive approaches to offensive security steps. As insurance costs continue to rise, it’s likely to become unbearable for organizations to continue paying these increasing amounts when they aren't guaranteed a return on their investment.  

This budget adds up over time, and security leaders may realize they could have added immense value to their overall security posture if they had shifted that spend to offensive security measures a couple of years ago. Cybersecurity leaders must begin shifting to offensive rather than reactive cybersecurity programs today!

Let us help you make the shift! NetSPI's offensive security consultants guide the steps toward a proactive security stance. Explore our full suite of penetration testing services.

(End of post: Move from Passive to Proactive with Offensive Security over Cyber Insurance, last modified 2023-10-03.)

Gut Check: Are You Getting the Most Value out of Your Penetration Testing Report? (published 2023-11-14)

Not all penetration testing reports are created equal, so we summarized key sections to look for that build up to a comprehensive and actionable report. Quality vendors extend their reporting beyond a simple PDF and into custom software, such as NetSPI’s Resolve™, that aids ongoing vulnerability management. Over time, the results of penetration testing engagements can be tracked, along with their severity and remediation status for simpler insight into an enterprise's overall security performance.  

Use this article and the penetration testing report examples below to make sure reports you receive speak to prioritized findings backed up with sound methodology. 

Need to find a quality penetration testing company? We’ve got you covered with this Penetration Testing RFP template.

The Anatomy of a Sample Penetration Testing Report

What's the ultimate goal of a penetration testing report? According to our security consultants, penetration testing reports have three purposes:  

  1. Identify network, system, and application layer vulnerabilities that exist in a client’s environment from the perspective of an unauthenticated attacker. 
  2. Provide clients with an understanding of the potential impact vulnerabilities could have by leveraging them to gain access to critical resources.  
  3. Provide clients with a prioritized remediation approach to address the identified vulnerabilities.  

Here's a quick rundown of what's included in a penetration testing report.

(Image: NetSPI's penetration testing report example, showing what to include in a penetration test report.)

Now let's dive into more detail on each section.

  • Executive Summary – Project objectives, scope and timeframe, summary of results, and a summary of recommendations. 
  • Technical Detail – A list of constraints if any are present, and the approach the penetration testers took to create the results.  
  • Vulnerability Details – Relevant vulnerability findings in order of priority based on risk to the business. Clients can access a list of all the report findings at any time, but the true value comes with NetSPI’s security consultants categorizing the findings into critical, high, medium, and low severity for focused remediation efforts. 
  • Contact Information – This is a no-brainer if you want additional support or need to pass along the report to other parties for validation.  
  • Environment and Systems in Scope – A list of all assets included in testing for this specific engagement.  
  • Penetration Testing Methodology – The steps penetration testers take during an engagement, typically covering everything from information gathering on the current network architecture to presenting the penetration testing report.
  • Risk Management Approach Overview – Communication is key to avoiding unnecessary actions that a penetration test could otherwise trigger. This section outlines the steps the penetration testing company takes to proactively avoid emergency reactions to testing activities.
  • Security Toolkit Reference – A list of primary tools used in the engagement. Check out this roundup of the must-have Burp extensions according to our penetration testers. 
  • Revision History – Finally, you’ll find a list of the people behind the engagement who helped analyze findings to create the report alongside any dates they made changes. 

The level of detail and terminology varies from report to report, but the above sections make up a comprehensive penetration testing report.

Penetration Testing Report Examples

Want to get your hands on a sample penetration testing report? Access examples from NetSPI for reference. Be sure to bookmark these sample reports to keep them on hand when you need to compare the quality of a report you receive — or connect with our team anytime for a gut check.

Web Application Pentesting Sample Report
External Network Pentesting
AWS Cloud Pentesting

Now What? Steps to Take after Receiving a Penetration Testing Report 

Consider a penetration test to be a baseline of what you’re doing well and where you can find areas to improve. Conduct a post-mortem after a penetration test to review the findings and discuss a remediation plan with your team. Prioritize high-severity vulnerability findings, while tackling the subsequent categories over time.  

While this report is the final deliverable following a penetration test, companies that follow a Penetration Testing as a Service (PTaaS) methodology, like NetSPI, factor these key reporting components into their pentesting platforms to track performance over time. 

This leads to the growing area of continuous pentesting, which uses Attack Surface Management (ASM) to proactively monitor changes to the attack surface, paired with External Network Penetration Testing to bring a highly targeted approach to the most relevant exposures.
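The tracking the preceding paragraphs describe (prioritizing findings by severity, then following remediation status across successive engagements) can be scripted. This is an added example, not NetSPI's code or its Resolve platform; the finding format, field names and sample data are constructed for illustration.

```python
"""Prioritize pentest findings and track remediation across engagements.
Added example: the report fields (title, asset, severity) are assumed, not a real export format."""
from collections import Counter

# Lower rank means "fix first"; this mirrors the critical/high/medium/low buckets in the report.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample data: two engagements against the same external scope, six months apart.
ENGAGEMENTS = [
    {"date": "2023-06-01", "findings": [
        {"title": "SQL injection in login form", "asset": "app.example.test", "severity": "critical"},
        {"title": "Outdated TLS configuration", "asset": "vpn.example.test", "severity": "medium"},
        {"title": "Verbose server banner", "asset": "www.example.test", "severity": "low"},
    ]},
    {"date": "2023-12-01", "findings": [
        {"title": "Outdated TLS configuration", "asset": "vpn.example.test", "severity": "medium"},
        {"title": "Missing rate limiting on password reset", "asset": "app.example.test", "severity": "high"},
    ]},
]

def finding_key(f):
    """A finding is the same finding over time if title and affected asset match."""
    return (f["title"], f["asset"])

def prioritized(findings):
    """Remediation order: critical first, then high, medium, low; ties broken by title."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"].lower()], f["title"]))

def severity_counts(findings):
    """How many findings fall into each severity bucket (the executive-summary view)."""
    return Counter(f["severity"].lower() for f in findings)

def remediation_status(previous, current):
    """Compare two engagements: findings that disappeared, persisted, or are new."""
    prev = {finding_key(f) for f in previous["findings"]}
    cur = {finding_key(f) for f in current["findings"]}
    return {
        "remediated": sorted(prev - cur),
        "persisting": sorted(prev & cur),
        "new": sorted(cur - prev),
    }

def remediation_rate(previous, current):
    """Fraction of the earlier engagement's findings no longer present in the later one."""
    total = len(previous["findings"])
    return len(remediation_status(previous, current)["remediated"]) / total if total else 0.0

if __name__ == "__main__":
    for f in prioritized(ENGAGEMENTS[1]["findings"]):
        print(f["severity"].upper(), f["title"], f["asset"])
    print(remediation_status(ENGAGEMENTS[0], ENGAGEMENTS[1]))
    print(f"remediation rate: {remediation_rate(ENGAGEMENTS[0], ENGAGEMENTS[1]):.0%}")
```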

Whether you received your hundredth penetration test report, or you’re just starting to review your first one, benchmarking your report against NetSPI’s sample reports will give you greater context into the quality of the report in front of you. Access NetSPI’s penetration testing report examples anytime for reference.

(End of post: Gut Check: Are You Getting the Most Value out of Your Penetration Testing Report?, last modified 2024-01-15.)