Beyond PCI Compliance

So you want to buy stuff? How are you going to do that? Most likely, you are not going to write a check or send a wad of cash to the retailer; you are going to use your credit card. The convenience of using credit cards has all but replaced traditional payment methods like cash and checks.

But a string of data breaches has you worried that credit card transactions may not be safe. To help secure your credit card information, the Payment Card Industry (PCI) developed the Data Security Standard (DSS) in 2006 and required every merchant accepting debit and credit cards to comply.

This standard consists of 12 requirements that mandate how everything from the transaction itself, to the transmission of data to the data center, to reporting the transaction to the credit card company, has to be secured. The six main goals of DSS are:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Since then, retailers have had to follow new rules, and as every merchant knows, compliance can be costly and the consequences of non-compliance can be considerable. Fines for non-compliance can range between $10,000 and $200,000 [1]. However, the fines are minimal when you consider the possible ramifications of a data breach. The costs of disclosure, PR costs, credit monitoring for breached victims, and the loss of consumer confidence in your brand add up to significant costs for a breached organization. According to the Ponemon Institute, for firms in the United States, the average cost of a data breach in 2014 is $3.5 million [2].

PCI-DSS is aimed at helping firms secure their credit card data, and it offers a solid baseline for organizations. However, its requirements should be treated as exactly that: a baseline. In 2014 there were 783 tracked data breaches, up 23% from 2013 [3]. The vast majority of these breached firms were PCI 2.0 compliant. The new version of PCI-DSS (version 3.0) is aimed at helping firms raise the security bar. There are 96 new aspects to the standard, and while this will help, I would still consider it the minimum bar for your security policy. You need to extend your security policy beyond just PCI compliance.

It’s no longer a matter of fending off a periodic attack. In today’s environment, attacks are constant. Cybercriminals are more organized and more persistent than ever before. Unfortunately, the same cannot be said of most firms’ security implementations. One of the great ironies in the security world is the vast sums being spent on perimeter security while all but completely ignoring the most prevalent, accessible, and vulnerable asset on a firm’s network: the endpoint.

5 Steps to Secure Your Endpoints

When consulting with clients, I recommend a 5-step process to secure your endpoints:

1. Discover your assets
2. Patch and update your software and OSs
3. Install and keep up-to-date AV
4. Use application control
5. Monitor and report on your endpoint security posture
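The five steps only pay off if you can see, per endpoint, which of them are actually in place. The following is an added example (not LANDESK code and not from the original post) of a minimal posture report over a constructed endpoint inventory: it flags assets discovery found that IT did not know about (step 1), OS and third-party patch ages beyond a threshold (step 2), stale AV definitions (step 3), endpoints without application control (step 4), and orders hosts worst-first for a dashboard (step 5). The host names, dates, and the 30-day and 7-day thresholds are assumptions for illustration, not values from the article.

```python
from datetime import date
from typing import Dict, List, Optional

# Thresholds are assumptions for this example, not values from the article.
MAX_PATCH_AGE_DAYS = 30
MAX_AV_DEF_AGE_DAYS = 7
AS_OF = date(2015, 3, 1)  # constructed report date

# Constructed inventory: what network discovery (step 1) found.
# "in_cmdb" records whether the asset was already known to IT.
DISCOVERED = [
    {"host": "pos-01", "in_cmdb": True, "last_os_patch": date(2015, 2, 20),
     "last_third_party_patch": date(2015, 2, 20), "av_defs": date(2015, 2, 28),
     "app_control": True},
    {"host": "pos-02", "in_cmdb": True, "last_os_patch": date(2015, 2, 25),
     "last_third_party_patch": date(2014, 11, 3), "av_defs": date(2015, 2, 27),
     "app_control": True},
    {"host": "backoffice-07", "in_cmdb": True, "last_os_patch": date(2014, 12, 1),
     "last_third_party_patch": date(2014, 12, 1), "av_defs": date(2015, 1, 15),
     "app_control": False},
    # A device discovery saw but nobody manages: no patch or AV data at all.
    {"host": "unknown-laptop", "in_cmdb": False, "last_os_patch": None,
     "last_third_party_patch": None, "av_defs": None, "app_control": False},
]


def days_since(d: Optional[date], as_of: date = AS_OF) -> Optional[int]:
    """Age in days of a dated event, or None when the data is missing."""
    return None if d is None else (as_of - d).days


def findings_for(ep: dict, as_of: date = AS_OF) -> List[str]:
    """Return the list of posture gaps for one endpoint, tagged by step."""
    findings = []
    if not ep["in_cmdb"]:
        findings.append("unmanaged asset (step 1)")
    # Missing data is treated as stale: an unknown state is not a safe state.
    for key, label in (("last_os_patch", "OS"), ("last_third_party_patch", "third-party")):
        age = days_since(ep[key], as_of)
        if age is None or age > MAX_PATCH_AGE_DAYS:
            findings.append(f"{label} patches stale (step 2)")
    age = days_since(ep["av_defs"], as_of)
    if age is None or age > MAX_AV_DEF_AGE_DAYS:
        findings.append("AV definitions stale (step 3)")
    if not ep["app_control"]:
        findings.append("application control not enforced (step 4)")
    return findings


def posture_report(endpoints: List[dict], as_of: date = AS_OF) -> Dict[str, List[str]]:
    """Map each host to its findings (empty list means all five steps are met)."""
    return {ep["host"]: findings_for(ep, as_of) for ep in endpoints}


def prioritized(report: Dict[str, List[str]]) -> List[str]:
    """Hosts ordered by number of findings, worst first, for the step 5 dashboard."""
    return sorted(report, key=lambda h: (-len(report[h]), h))


if __name__ == "__main__":
    report = posture_report(DISCOVERED)
    for host in prioritized(report):
        print(f"{host}: {len(report[host])} finding(s)")
        for f in report[host]:
            print(f"  - {f}")
```

Treating missing data as a finding is deliberate: an endpoint with no patch or AV record is exactly the one an analyst should look at first, which is why the unmanaged laptop sorts to the top.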


The majority of breaches leverage an existing vulnerability. Making sure your systems are patched is no longer a luxury but a requirement. And it’s not just about OS patches; it’s just as critical to patch third-party software. It is estimated that 86% [4] of publicly disclosed vulnerabilities are found in third-party software.

Malware is still a significant threat to your organization. Ensuring you have an industry-leading AV solution installed and running with up-to-date definitions is important.

While anti-malware is critical, it is not a perfect solution. More and more malicious software is seeping into environments and going undiscovered. On average, malware used in breaches goes undiscovered for 243 days [5].

It is true that AV does a great job at protecting us (yes, I said great) against things we know are bad. However, the problem is that in today’s cybercrime world we no longer know all of the bad actors. Hackers are becoming increasingly savvy. While AV will remain a critical piece of your endpoint security solution, more advanced techniques are required. Leveraging advanced endpoint technologies like application control is becoming essential in the security toolbox. With application control you can whitelist files you know are safe, freeing up your security team to deal with the exceptions. It changes the paradigm we have long held in the security industry, that we can rely on definitions to protect us against malicious software. With whitelisting, you’re only allowing known-good software to run, keeping both bad and unknown software from running on your endpoints.
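The difference between the two paradigms is easiest to see side by side. The following is an added example (not LANDESK code and not from the original post) that hashes a handful of constructed sample "binaries" and runs each through a definition-style blocklist and a hash-based allowlist. The file paths, contents and both lists are constructed for illustration; a real allowlist would be built from a golden image or vendor catalog, and a real agent would hash files on disk. The point the example makes is the one in the paragraph above: a never-before-seen file sails through the blocklist but is stopped by the allowlist, and the allowlist's blocks become the exception queue the security team reviews.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample files: path -> bytes. Stand-ins for executables on disk.
SAMPLE_FILES = {
    "C:\\Program Files\\Corp\\payroll.exe": b"corp payroll build 4.2",
    "C:\\Windows\\System32\\notepad.exe": b"notepad",
    "C:\\Users\\clerk\\Downloads\\invoice_viewer.exe": b"dropper v1",
    "C:\\Users\\clerk\\AppData\\Temp\\update.exe": b"brand new unknown packer",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the file's identity in both lists."""
    return hashlib.sha256(data).hexdigest()


# Allowlist: hashes of files the security team has vetted (constructed here
# by hashing two of the samples; in practice built from a golden image).
ALLOWLIST = {
    sha256_hex(b"corp payroll build 4.2"),
    sha256_hex(b"notepad"),
}

# Blocklist: a definition-style list of hashes already known to be malicious.
# Only the previously seen dropper is in it; the new "update.exe" is not.
BLOCKLIST = {sha256_hex(b"dropper v1")}


def blocklist_decision(data: bytes) -> str:
    """Definition model: everything runs unless it matches a known-bad hash."""
    return "BLOCK" if sha256_hex(data) in BLOCKLIST else "ALLOW"


def allowlist_decision(data: bytes) -> str:
    """Application-control model: nothing runs unless it matches a known-good hash."""
    return "ALLOW" if sha256_hex(data) in ALLOWLIST else "BLOCK"


def evaluate(files: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """Return {path: (blocklist verdict, allowlist verdict)} for every file."""
    return {path: (blocklist_decision(d), allowlist_decision(d)) for path, d in files.items()}


def exceptions_for_review(files: Dict[str, bytes]) -> List[str]:
    """Paths the allowlist blocked: the queue an analyst works through, either
    vetting the file and adding its hash to the allowlist or confirming it as
    unwanted. Known-bad and never-seen files land here alike."""
    return [p for p, d in files.items() if allowlist_decision(d) == "BLOCK"]


if __name__ == "__main__":
    for path, (bl, al) in evaluate(SAMPLE_FILES).items():
        print(f"{path}\n  blocklist: {bl:<5}  allowlist: {al}")
    print("Review queue:", exceptions_for_review(SAMPLE_FILES))
```

Note that the allowlist never has to learn what the unknown packer is before stopping it; the cost is that every legitimate new version of payroll.exe must be vetted and its hash added before it will run, which is the "exceptions" workload the paragraph refers to.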

Tools will only get you so far. Maintaining visibility into your environment, in easy-to-interpret dashboards that let you drill into the data and take impactful action, is essential. With the sheer volume of threats that enter enterprise security, analysts do not have the time to monitor every single threat that faces their organization. LANDESK provides tools to quickly show you what you need to pay attention to and what risk a given threat poses to your organization.

The bottom line is that the bad guys are out there and they have strong financial incentives to get to your data. They aren’t going away. In fact, more and more breaches will occur. LANDESK Secure User Management can help you not only meet your compliance goals, but also stay out of the security breach headlines.


Catch Gerald’s webinar on going beyond PCI compliance, as well as many others, here.

[1] http://www.pcistandard.com/card-association-fines/

[2] http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis

[3] http://www.informationsecuritybuzz.com/passing-pci-audit-nothing-celebrate/

[4] http://www.securitybistro.com/?p=5763

[5] Mandiant 2013 Malware Report