Achieving PCI-Data Security Standards compliance has been the subject of major headaches for thousands of companies across the UK of late, and will continue to remain so as the stakes are so high.
Compliance failure is hugely damaging, not to mention extremely expensive, for companies of all shape and size. Not only is there the huge financial impact of a data breach but there’s also the extensive reputational damage caused, with clients, prospects and peers likely to question the on going integrity of the affected business.
Much of the media focus on data breaches. The seemingly endless PCI breaches in retail & hospitality segments, e.g. Target stores, Neiman Marcos, PF Chang; has focused on the shady groups and individuals behind attacks. But equally, the ongoing ‘Heart bleed’ bug affecting many security vendor products and NSA revelations are of major concern.
Interestingly, recent figures from PwC revealed that nearly two in five compromises/attacks come from an internal source; while the Verizon 2014 PCI Compliance Report paints a bleak picture – that only 11% of companies audited for PCI compliance actual passed all 12 Requirements first time.
With this in mind it is vital that all companies carry out IT Health Checks on a regular basis. An effective Health Check will combine Vulnerability Assessment scanning and Penetration Testing activities to ensure that networks and systems are secure; and that the security systems and processes you have put in place are functioning as designed. This helps businesses to manage their risks and provides an overview of any vulnerabilities that could be exploited by rogue employees or hackers.
This ten-step guide will help a company ensure its security systems are fit and healthy.
Keep administrator/privilege accounts to a minimum
Every account with administrator privileges is a potential avenue of attack that could result in a full compromise of a business network and applications.
The first step in an IT Health Check is to ensure the business does not have an excessive amount of privileged accounts. From a hacker’s perspective, privileged accounts are very powerful as they could hold the keys to highly valuable corporate data. As a result, privileged accounts are regularly targeted – so they need to be strictly controlled and protected.
Organisations generally require a small number of privileged accounts. However, in our experience of testing networks and systems, we have seen companies operating in excess of 200 privileged accounts and service accounts, leaving these businesses highly at risk.
Keep passwords strong
Passwords are the Achilles heel of any network. Around 80% of all domain compromises carried out by our Penetration Testing team come from either a weak password being set, or a password being reused somewhere.
Although it is possible to create policies that include password history, password age, minimum password length and password complexity; we see many companies still using simple or default passwords, e.g. 'Password1'. Hackers have extensive dictionaries of vendor/device default account and passwords, and common names. The simple fact remains that the less complex a password, the easier it is for a hacker to guess it and break into a system.
Any company that takes its security seriously should either protect privileged accounts with strong two-factor authentication (2FA), or deploy a Privileged Account Management system. If the business cannot justify these measures, then privileged accounts password policy should include : minimum length, e.g. 15 characters; include upper & lower characters, numbers and special characters, e.g. ! % & $ <; password age; and password expiry.
Hint: Using a long memorable (to you) phrase is often easier to use than a shorter password with lots of complexity.
Don’t reuse passwords
Password reuse is an all too common issue that completely undermines security efforts. It also aids in speeding up any potential compromise of a system, helping hackers gain deeper, quicker access to the network.
It is not uncommon for IT staff to use the same local password on systems, which, could be discovered by an attacker. This case is of particular concern as ‘cached passwords’ can be captured and replayed to logon to multiple servers.
It’s therefore vital to have unique local administrator passwords for all hosts and to consider Privileged Account Management system that changes the password after use to minimise the chances of hackers uncovering/re-using ‘cached passwords’.
Power of patching
A lack of consistent patching is by far the greatest weakness we spot in systems and networks. Exploiting missing patches is a favoured attack by cybercriminals, as they know that at many organisation do not have sufficient ‘time-windows’ to test and patch critical systems as soon as vulnerability notifications are published by vendors.
The most common software vulnerabilities our testing teams find in systems are related to: Microsoft, HP System Manager, CA ARCServe, BackupExec, PHP and Apache Tomcat.
To avoid these problems, businesses should: build ‘hardened’ servers, using available tools like CIS Security Benchmarks; and run regular automated Vulnerability Assessment scans. This will provide extra security assurance over the lifetime of the system.
In situations where systems cannot be patched quickly, consideration should be given to ‘virtual-patching’ solutions that can protect your infrastructure until you find the time to patch.
Mountain of Malware
Malware will not go away. There are a variety of sources that analyse malware trends – all make sobering reading. It is essential that all systems have an anti-malware solution, that is kept up to date and that all systems are scanned on a regular basis for presence of malware.
Encouragingly, over 95% of companies audited by Verizon were compliant with PCI Requirement 5 (Protect systems from malware and keep anti-virus software up to date).
Get working practices in order
Logging on to line of business servers using ‘Domain Admin’ or ‘Domain Administrator’ accounts can create no end of security problems, e.g. Penetration tests will very commonly discover cached domain administrator credentials on servers that are not ‘logged onto ‘ by an administrator very often. Instead, companies using Windows systems should consider have a user account on these servers and then use the ‘Runas,’ command to enable that standard user to temporarily elevate their rights.
Outsourcing, e.g. for installation, provisioning, maintaining/supporting IT systems software or hardware; and cloud services, can be an effective way to cut costs; but recent breaches implicating ‘LogmeIn’ and other Remote Access systems should raise concerns. Similarly, the breach at Code Spaces that led to its demise is a cautionary tale.
Train your users on what not to do. Innocent looking links in emails could be maliciously targeted at your business. So it is essential that all users are trained, and regularly reminded about, security awareness and good practice in the workplace.
Tighten up wireless
Wireless devices are a huge cause for concern when it comes to corporate security. Many businesses use devices that have weak pre-shared keys and shared hosts between guest and corporate WLANs, while some still use WEP, which simple to break.
To avoid the privacy concerns surrounding Wi-Fi, a simple solutions is to consider treating wireless devices as untrusted, i.e. not part of the internal/trusted network, and utilise Remote Access system to control wireless access to corporate systems and data.
Mobile device security
With people increasingly working remotely, even just accessing email on a Smartphone, it’s more important than ever to ensure the devices they use are secure and aren’t leaking corporate data. Many businesses operate inadequate access controls for mobile devices, even those provided by the company, e.g. what Apps are allowed, whether its operating system has been ‘jail-broken’.
Before any device can be used to access/store corporate data, it needs to be assessed, and a strong environment created, e.g. Access to device, Control of Apps, App access to data, App data encryption; and the device management systems must enable Lock & Wipe if lost.
Limit and secure hosts
It makes logical sense that the greater the number of hosts being assessed during testing, the more issues and vulnerabilities that will need to be fixed. A particular nightmare is when businesses use ‘flat’ networks, which may be suitable for home or small office use, but have no place in today’s large business/enterprise where compliance and regulatory requirements can often only be met by segmenting the network to create security zones, e.g. PCI DSS, UK Public Services network (PSN) all require clearly segmented and protect networks.
Therefore businesses need to ensure they operate well-designed networks – Deny by Default is an excellent starting point.
Secure vulnerable applications
Application vulnerabilities are all too often overlooked, which can be critical for businesses as they often enable an attack to pivot into the corporate environment.
Particularly vulnerable are internal Content Management Systems, where sometimes it appears that ‘style’ has triumphed over security considerations. Our Penetration Testing team have found that software like: Jboss, Apache Tomcat and IIS are of particular concern.
To ensure all these steps are in place companies need to work with a trusted security provider that has been accredited to the ISO 27001 Information Security Management standards. This will provide them with advice throughout and ensure IT security is implemented from the very earliest stages of the network and system design phase and that compliance is met at all times, not just before the audit.
It’s also vital for businesses to get to grips with ever-evolving data protection requirements, to ensure that they don’t fall foul of the law. Achieving a secure environment takes time and effort, so the earlier you start the better chance you have of getting the result you want, when you need it.
Sourced from Graham Peat, PCI expert at MTI