Ethical hacking may seem like a new-age notion, but the underlying idea is much older. People have not always had today's technology, but there have always been people, places and things that malicious individuals have tried to get into. To protect those assets, defenders have deliberately studied the ways an attacker could gain access, so that the weaknesses could be fixed or minimized before a real adversary found them.
A prime example goes back to 1812, when the concept of war gaming (Kriegsspiel, as it is known in Germany) was created. The game was used to train military officers on possible wartime scenarios and to develop their strategic thinking for particular situations. It exposed officers to critical situations and let them see how an enemy might react to their various decisions, which in turn better prepared them to make the right call on the battlefield.
Check out our infographic, A Brief History of Ethical Hacking. It shows 15 key events in the history of ethical hacking and how the practice has progressed into the ethical hacking we know today. While it is a fun read, it also provides valuable insight and a fresh look at how the discipline developed.
A successful PCI DSS compliance strategy can be jump-started with an up-to-date, secure point-of-sale (POS) system, but there are many other factors to consider when working towards PCI compliance. Cardholder data may enter your network through a POS, but many businesses fail to realize that the scope of their assessment also includes systems that never process a payment card transaction themselves: anything connected to, or able to affect the security of, the systems that store, process or transmit cardholder data is in scope.
Even if you have addressed PCI DSS compliance in the past, you must continually readdress it as technology changes, new threats emerge and the requirements themselves change. To make the work manageable, the areas of focus can be divided into three security categories: Operations, Point-of-Sale and Network.
Many people pigeonhole PCI as a technology-centric standard ("Hey, let's have our IT guy take care of this!"). In fact, roughly half of the standard is purely policy- and procedure-focused. Your tasks include:
Create an Information Security Policy for employees to follow
Create an Incident Response Plan to follow in case of a suspected data breach
Define access levels for the computers/internet within your network
Hold PCI compliance training on an annual basis
Use a log to track all visitors who enter the back office
Small businesses face challenges in providing adequate resources to manage network security. Because of their size, hiring a full-time IT professional is often not feasible, and the findings of a recent study suggest that this puts them at an even greater disadvantage. The Ponemon Institute's 2013 Cost of a Data Breach Study found that businesses employing a chief information security officer (CISO) or similar personnel incur lower costs if they suffer a data breach. When a business can dedicate one or more people specifically to its information technology needs, it is more likely to have the security controls in place that work in its favor in the event of a breach.
According to the study, organizations in the United States save on average $23 for each breached record if they have a CISO or similar personnel appointed. That is significant given that the study's average cost per breached record is $188. Beyond the cost of a breach, having an experienced technology expert managing your network infrastructure also reduces the likelihood of being breached in the first place.
Protecting a network is like trying to change a tire on a moving vehicle: countless changing variables affect its security status. Installing security patches or making software changes can open momentary weaknesses in the network that an attacker can take advantage of, and human error has to be accounted for as well. That is why it is so important to have an experienced IT professional implement and manage the right security solution.
Network security and hacking techniques are constantly evolving. To help you stay on top of major changes, Trustwave regularly hosts educational sessions at security events. Upcoming sessions are scheduled in Las Vegas during Black Hat USA, DEF CON 21 and BSidesLV.
These sessions include:
Security risks of consumer home network devices, such as remote-access solutions that let users unlock their front door from anywhere
How to conduct a data breach investigation
Hands-on demonstrations of real life security scenarios
How to defend against attacks on point of sale systems
For information on the speaking and training sessions, please visit Trustwave’s website at:
Having an experienced information technology professional in charge of securing your business is a security best practice. However, recent findings show that the majority of IT professionals overestimate their ability to detect a data breach. McAfee released the study "Needle in a Datastack: The Rise of Big Security Data" earlier this week. Its major finding was that many organizations are unable to identify security threats as they happen, which suggests that many IT professionals have an unrealistic sense of what it takes, and how long it takes, to determine that a breach has occurred.
The study found that security professionals believe, on average, that they can detect a breach within 10 hours of it occurring; 35 percent said they could detect one within minutes, and another 22 percent said within a day.
Compare that with research on actual breach incidents. According to the 2013 Trustwave Global Security Report, the average breach in 2012 took 210 days to detect, and only 5 percent of all breaches were identified in less than 10 days. Just 24 percent of breaches were self-detected; the majority were discovered by third parties such as the major card brands, acquiring banks, payment processors and law enforcement.
What this boils down to is that many IT professionals do not have a realistic grasp of how easily an attacker can gain access to their network and remain undetected. Many assume their technology can do more than it actually can when it comes to detecting (or preventing) a breach. IT professionals need to assess the threat to their organization's network based on the nature of the business and the type of data it stores.