The following are nine common PCI DSS compliance pitfalls that many retailers fall into, with tips on how to avoid them.
1. Faulty firewall installation or configuration
Many do-it-yourself projects are easy; properly configuring a firewall is not one of them. According to WatchGuard research, a majority of small business security breaches are the result of improperly configured firewalls. A firewall that permits more than it blocks, or whose default policy is to accept whatever no rule matches, gives no real protection to the cardholder data environment behind it.
Best practice: Use security-certified technicians or trained resellers to ensure firewall configurations are correct and up to date; deny by default and permit only the traffic the business can justify; and audit firewall rule sets regularly (PCI DSS itself calls for a review at least every six months), because people and IT resources constantly change.
2. Relying on vendor supplied defaults for system passwords
It is critical to change vendor-supplied default passwords, and just as important not to replace them with something as weak as "password". According to a recently published research report, the most common passwords are: 1) password, 2) 123456, 3) 12345678, 4) qwerty, 5) abc123, 6) monkey, 7) 1234567, 8) letmein, 9) trustno1, and 10) dragon. Default credentials for most network devices and point-of-sale systems are published in vendor manuals, so an attacker who can identify the product can usually guess the password with no effort at all.
Best practice: Change every vendor default (passwords, default accounts and SNMP community strings alike) before a system is connected to the network, and enforce strong passwords that do not appear on any list of common or default values.
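A password-change hook that enforces the two points above can be small. The following is an added example, not from the original article: it rejects a proposed password if it is on the common-password list quoted above, if it is a known default for the device being configured, or if it falls below the PCI DSS minimum of seven characters with both letters and digits. The vendor default table and the device model names are constructed for the example; a real deployment would load the vendor's published defaults.

```python
"""Added example (not part of the original article): reject a proposed
password if it is a common password, a vendor default for the device, or
below the PCI DSS minimum of seven characters containing both letters and
digits. The default-credential table is a constructed sample."""

# The ten most common passwords quoted in the article.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123",
                    "monkey", "1234567", "letmein", "trustno1", "dragon"}

# Constructed sample of vendor defaults keyed by device model (illustrative only;
# load the real list from the vendor documentation for your hardware).
VENDOR_DEFAULTS = {
    "example-pos-terminal": {("admin", "admin"), ("admin", "1234")},
    "example-router": {("admin", "password")},
}

MIN_LENGTH = 7  # PCI DSS minimum; later versions of the standard raise it


def password_problems(username, password, device_model=None):
    """Return a list of reasons the password must be rejected (empty if acceptable)."""
    problems = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("password is on the common-password list")
    if device_model and (username, password) in VENDOR_DEFAULTS.get(device_model, set()):
        problems.append(f"vendor default credential for {device_model}")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must contain both letters and digits")
    if username.lower() in lowered:
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for user, pw, model in [("admin", "admin", "example-pos-terminal"),
                            ("admin", "trustno1", None),
                            ("clerk7", "Vq9!mount-Reg47", None)]:
        print(user, "->", password_problems(user, pw, model) or "ok")
```

Note that "trustno1" satisfies the length and character-class rules and is still rejected: composition rules alone do not stop the passwords attackers try first, so the deny list is the part that matters most.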
3. Failing to utilize IPS to protect stored cardholder data
There are multiple ways to help protect stored cardholder data. One technology that is often overlooked is the intrusion prevention system (IPS), which inspects network traffic for known attack patterns and blocks matches, much as anti-virus does for malware. An IPS helps keep attackers away from the systems that hold cardholder data, but it is a network control, not a substitute for the storage controls PCI DSS actually requires: stored PANs must be rendered unreadable (by strong cryptography, truncation, tokenization or hashing), and sensitive authentication data must not be retained after authorization at all.
Best practice: Make sure intrusion prevention systems (IPS) are up and running at the boundary of the cardholder data environment with current signatures, and pair them with encryption or truncation of the stored data itself.
4. Not encrypting transmission of cardholder data across open, public networks
Encryption is a key component of PCI DSS compliance. A common problem occurs in the transmission of card data, which is often done in unencrypted email: the PAN then sits in plain text on mail servers, in mailboxes and in backups, every one of which is now in scope for the assessment.
Best practice: Use strong cryptography (TLS, for example) wherever cardholder data crosses an open or public network, and never send a full PAN by email, instant messaging or chat unless it has first been rendered unreadable. PCI DSS forbids sending unprotected PANs by end-user messaging technologies, so the safest course is to keep card numbers out of messaging entirely.
5. Failing to use and regularly update anti-virus software or programs
PCI DSS requires anti-virus on every system commonly affected by malware, kept current and generating audit logs. Unlike desktop/endpoint anti-virus (AV), gateway anti-virus stops threats at the entry point of a network, before they reach a workstation or point-of-sale terminal. Using gateway AV adds a layer of defense at the primary point of attack, and because it runs on the gateway rather than on each computer, it costs the user no local performance. It does not, however, see threats that arrive on USB media or over encrypted channels the gateway cannot inspect, so it complements endpoint AV rather than replacing it.
Best practice: Keep endpoint AV installed and updated on every system in scope, and add gateway AV for defense in depth.
6. Not maintaining secure systems and applications
Many businesses do a good job of maintaining secure systems; what is often overlooked in today's social-media-driven business world is application security. A traditional port-based firewall cannot tell one web application from another: everything on TCP ports 80 and 443 looks alike, so a remote-access tool, a file-sharing service or a malicious site passes as readily as a legitimate website. Attackers use exactly these channels to get malware in and cardholder data out.
Best practice: To gain control over web applications, use the latest generation of UTMs and firewalls that include application control, and keep the systems and applications themselves patched (PCI DSS expects critical security patches to be applied within a month of release).
7. Providing access to cardholder data to those who do not need to know
About 80 percent of security violations happen from within an organization. To reduce that figure, businesses should apply the principle of least privilege, which parallels the concept of "need to know": users are granted only the minimum permissions and privileges required to do their jobs, and nothing is granted by default. When employees have access to data they do not need, bad things often result.
Best practice: Use role-based access control (RBAC), separation of duties and other forms of least privilege to make sure cardholder data is restricted to those who absolutely must have access to it, and revoke access promptly when someone changes role or leaves.
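The following is an added example, not from the original article, of what "least privilege" and "separation of duties" look like when written down as code rather than policy: a deny-by-default permission check, a detector for users who hold conflicting roles, and an access-review helper that lists everyone able to see full card numbers. The roles, permissions, users and conflict pairs are a constructed sample for a small retailer.

```python
"""Added example (not part of the original article): deny-by-default RBAC for
cardholder data with separation-of-duties enforcement. Roles, permissions,
users and conflict pairs are a constructed sample; "pan.full.view" stands for
access to unmasked primary account numbers."""

# Role -> permissions. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "cashier":         {"sale.create", "pan.masked.view"},
    "refund_request":  {"refund.request", "pan.masked.view"},
    "refund_approver": {"refund.approve", "pan.masked.view"},
    "pci_dba":         {"pan.full.view", "db.backup"},
    "auditor":         {"log.read"},
}

# Role pairs no single person may hold at the same time (separation of duties):
# the person who requests a refund must not approve it, and the person who
# administers the cardholder database must not be the one auditing its logs.
SOD_CONFLICTS = {
    frozenset({"refund_request", "refund_approver"}),
    frozenset({"pci_dba", "auditor"}),
}

# Constructed user population; "bob" has a planted SoD violation.
USER_ROLES = {
    "alice": {"cashier"},
    "bob":   {"refund_request", "refund_approver"},
    "dana":  {"pci_dba"},
}


def is_allowed(user, permission, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Allow only if some role held by the user grants exactly this permission."""
    return any(permission in role_perms.get(role, set())
               for role in user_roles.get(user, set()))


def sod_violations(user_roles=USER_ROLES, conflicts=SOD_CONFLICTS):
    """List (user, conflicting roles) for every user holding a forbidden role pair."""
    found = []
    for user, roles in user_roles.items():
        for pair in conflicts:
            if pair <= roles:
                found.append((user, tuple(sorted(pair))))
    return found


def users_with_full_pan(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Access-review helper: who can read unmasked PANs today? Keep this list short."""
    return sorted(u for u in user_roles
                  if is_allowed(u, "pan.full.view", user_roles, role_perms))


if __name__ == "__main__":
    print("alice may view full PAN:", is_allowed("alice", "pan.full.view"))
    print("SoD violations:", sod_violations())
    print("full-PAN readers:", users_with_full_pan())
```

Run the SoD check and the full-PAN report on a schedule, not just at onboarding: role assignments drift as people cover for each other, and the drift is exactly what "need to know" reviews are supposed to catch.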
8. Forgetting to track and monitor all access to network resources and cardholder data
Unfortunately, many businesses take a "fire and forget" approach to network security: once the firewall is set, they never check the reports. Many security breaches can be mitigated early simply by reviewing reports and logs on a regular basis; the bursts of failed logins, new administrator accounts and unusual database connections that precede a breach are usually recorded long before any data leaves.
Best practice: Establish a routine of reviewing logs and reports to spot trouble before it blossoms into headline security news. PCI DSS requires daily review of security events and of the logs from systems that store, process or transmit cardholder data, so centralize those logs, protect them from tampering and automate the first pass.
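As an added example, not from the original article, here is the kind of first-pass review that can run every morning before a person looks at the logs. It reads syslog-style lines and raises three of the findings a PCI DSS log review is meant to surface: a burst of failed logins from one source, a successful login from that same source shortly afterwards, and a connection to the cardholder database by an account that is not on the approved list. The log lines, hostnames, addresses and the approved-user set are constructed for the example.

```python
"""Added example (not part of the original article): a minimal scheduled log
review for events PCI DSS Requirement 10 expects to be examined: repeated
failed logins, a success right after a burst of failures, and cardholder
database access by an unapproved account. The log lines are constructed
sample input in a syslog-like format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a password-guessing run that eventually succeeds,
# a normal key-based login, and an after-hours database connection by "bob".
SAMPLE_LOG = """\
2013-05-22T02:14:01 pos-fw sshd[811]: Failed password for admin from 203.0.113.9 port 51022
2013-05-22T02:14:03 pos-fw sshd[811]: Failed password for admin from 203.0.113.9 port 51023
2013-05-22T02:14:05 pos-fw sshd[811]: Failed password for admin from 203.0.113.9 port 51024
2013-05-22T02:14:07 pos-fw sshd[811]: Failed password for admin from 203.0.113.9 port 51025
2013-05-22T02:14:09 pos-fw sshd[811]: Failed password for admin from 203.0.113.9 port 51026
2013-05-22T02:14:40 pos-fw sshd[812]: Accepted password for admin from 203.0.113.9 port 51030
2013-05-22T09:02:11 pos-fw sshd[901]: Accepted publickey for dana from 10.10.20.7 port 40010
2013-05-22T09:05:30 cde-db postgres[1200]: user=dana db=cardholder connection authorized
2013-05-22T22:41:12 cde-db postgres[1310]: user=bob db=cardholder connection authorized
"""

FAIL_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for (\S+) from (\S+)")
OK_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
DB_RE = re.compile(r"^(\S+) \S+ postgres\[\d+\]: user=(\S+) db=cardholder connection authorized")

FAIL_THRESHOLD = 5               # failures within WINDOW that count as an attack
WINDOW = timedelta(minutes=10)
APPROVED_DB_USERS = {"dana"}     # assumed: the only account allowed on the cardholder DB


def review(log_text, threshold=FAIL_THRESHOLD, window=WINDOW, approved=APPROVED_DB_USERS):
    """Return (kind, subject, detail) findings in the order they occur in the log."""
    findings = []
    failures = defaultdict(list)  # source address -> recent failed-login timestamps
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts, user, src = m.groups()
            t = datetime.fromisoformat(ts)
            # Keep only failures inside the sliding window, then test the threshold.
            failures[src] = [x for x in failures[src] if t - x <= window] + [t]
            if len(failures[src]) == threshold:
                findings.append(("brute-force", src,
                                 f"{threshold} failed logins within {window}"))
            continue
        m = OK_RE.match(line)
        if m:
            ts, user, src = m.groups()
            t = datetime.fromisoformat(ts)
            if any(t - x <= window for x in failures.get(src, [])):
                findings.append(("success-after-failures", src,
                                 f"login as {user} shortly after failed attempts"))
            continue
        m = DB_RE.match(line)
        if m:
            ts, user = m.groups()
            if user not in approved:
                findings.append(("unapproved-db-access", user,
                                 f"cardholder database connection at {ts}"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in review(SAMPLE_LOG):
        print(f"{kind:24} {subject:14} {detail}")
```

Each finding names the subject (source address or account) so the reviewer can pivot straight to the rest of that subject's activity; the thresholds and the approved-user list are the parts that need tuning to the environment.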
9. Not having an information security policy
To meet PCI DSS compliance, businesses must create an information security policy that is up to date and addresses the security requirements prescribed by PCI DSS. It should also cover operational security, acceptable system usage, security management and related policies, and assign responsibility for each.
Best practice: Get IT, HR and other business stakeholders to review information security policies at least annually, as PCI DSS requires, and whenever the environment changes.