
Vulnerability Management…What is that?

“Maintain a Vulnerability Management Program – what in the world is that?!?” No doubt many have said that to themselves, and even when the words are defined, the meaning is still unclear. Interestingly enough, “managing” vulnerabilities can feel a lot like herding cats.

The difficulty lies in defective software and operating systems: we have accepted the defects as normal and beyond our ability to change. However, if it were a defective car or television, we would return it, call the headquarters to complain, and phone the BBB in an effort to curb future problems. Without much uproar from buyers, the software companies have no motivation to change. So here we are with the problem: keeping a handle on these vulnerabilities is difficult not because the landscape is changing, but because more defects are being found. In most cases it is nearly the same vulnerability being exploited in a slightly different fashion or, better yet, a technique used on one application and then ported to another vendor’s product. What are we to do?

Avoid. The major payment card brands (Visa, Mastercard, Discover, JCB, and American Express) and the Security Standards Council do understand the importance of getting to the source: avoiding defects in manufacturing. A good portion of Requirement 6 (6.3, 6.4, 6.5) is about avoiding vulnerabilities through quality (I mean secure) development. It underscores initial avoidance by ensuring systems and applications are up to date before going into production, and it underscores ongoing avoidance by adhering to set policies, standards, testing, and change control to preserve the environment.

Know. Vendors are reactive when it comes to vulnerability discovery and remediation. They wait for someone to bring a problem to their attention, then prioritize what they will create a “patch” for. Given that this is the general approach, from a security standpoint it is already too late. Staying in the loop is crucial to staying as far ahead as possible in this lagging process. Enrolling in Internet weather, vendor, and industry alerts is a must. Though you may find redundancy in the notifications, what you gain is a better determination of risk. Understand that vendor rating systems are skewed and often don’t accurately portray the impact a vulnerability may have. Balancing the volume of patches to be applied against the downtime you need is a real challenge; having the right information to make the right decisions is required. (Requirements 6.1, 6.2)

Apply. Now you know, and half the battle is won. The other half: acting on what you know. Requirement 6.1 sets the standard at a one-month cycle. Keep in mind that this is your cycle, however it is defined in your policy. The goal is to stay on top of all the critical patches and ensure they are applied quickly. In reality, this standard is not stringent enough for most organizations, as many recent vulnerabilities require an immediate response, and one month is merely academic. Remember, we are discussing vulnerabilities, not patching; as such, we can’t forget about anti-malware (or application white-listing). With an estimated one million new pieces of malware each year, it would be irresponsible not to have some malware mitigation in place. Not only can anti-malware assist with the “defects”, it provides much-needed protection from users. Clicking the wrong pop-up or the wrong hyperlink, or opening the wrong attachment in an email, can produce a whole host of issues you don’t want to deal with! Do the right thing: use a widely accepted anti-malware product or a true application white-list. Make sure it is running and that the signatures/policies are up to date. Even when the mitigation software cannot stop or remediate the rogue software, it can still alert you to the activity taking place, allowing you to take action.

I gave the indication that this process is a battle that can be won. Maybe that is true, but it is the war that cannot be. With all things security related, it is about making a “best effort”. Specifically with “managing vulnerabilities,” it is the notion of containment, not control, that should come to mind. Follow good practice, stay informed, and act quickly: this is the best that can be done until the root problems are addressed.

Common Passwords to Avoid, and Best Practices for Ensuring Password Security

Unique user IDs and passwords are an important aspect of information security; they are the front line of protection for user accounts. A list recently released after a hacking incident at the photo-sharing and slideshow site RockYou.com provides insight into some of the most commonly used passwords, including:

These twenty are good examples of poor password choices. Notice that many people simply chose their first name or a common grouping of numbers. Good password policy, however, involves much more than avoiding the passwords listed above. A poorly chosen password can result in the compromise of a company’s entire network. Requirement 2 of the PCI DSS states, “Do not use vendor-supplied defaults for system passwords and other security parameters.” Our PCI experts at BHI SecureConnect® recommend that companies enforce strong password policies throughout their organization.

By following some simple guidelines, you can help to minimize the chance of a password breach:

  • Change user passwords at least every 90 days
  • Require a minimum password length of at least seven characters
  • Require both upper- and lower-case characters (e.g., a-z, A-Z)
  • Require at least one number
  • Require at least one punctuation character (i.e., !, @, #, $, %, ^, &, *)
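The five rules above translate directly into a check that can be run at password-change time. The following is an added example written for this post, not SecureConnect’s own tooling; the sample passwords and dates in it are constructed, and the 90-day rule is modelled as a separate age check since it applies to an existing password rather than to a new one.

```python
"""Password-policy check implementing the five bullet rules above (added example)."""
from datetime import date, timedelta
from typing import List, Optional

# Rule values taken from the policy bullets on this page.
MIN_LENGTH = 7
MAX_AGE_DAYS = 90
PUNCTUATION = set("!@#$%^&*")  # the exact punctuation set the policy lists


def policy_violations(password: str) -> List[str]:
    """Return the list of policy rules the password fails (empty means compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in PUNCTUATION for c in password):
        failures.append("no punctuation character from !@#$%^&*")
    return failures


def is_compliant(password: str) -> bool:
    """True only when every composition rule passes."""
    return not policy_violations(password)


def rotation_due(last_changed: date, today: Optional[date] = None) -> bool:
    """True when the password is older than the 90-day change cycle."""
    today = today or date.today()
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ["michael", "Summer2010", "S3cure!Pw"]:
        problems = policy_violations(candidate)
        print(f"{candidate!r}: {'ok' if not problems else '; '.join(problems)}")
    # Constructed dates: a password last changed 1 Jan 2010, checked on 15 Apr 2010.
    print("rotation due:", rotation_due(date(2010, 1, 1), today=date(2010, 4, 15)))
```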

Although creating a strong password is essential, maintaining its security is just as important. Never reveal passwords in messages, phone conversations, written documents, or on computer systems. Your organization should have an Information Security Policy that outlines a standard for protection of passwords.

Protecting Your PIN

Protecting your PIN is important if you want to protect the funds behind your debit or credit card. If you lose your card it can still be used online, but this takes time, time in which you can phone your bank and cancel that card. However, if the thief also has your PIN, they will be able to use the card at bank machines and in shops and do considerably more damage before the card is cancelled or the culprit is caught. It’s not just having your card stolen you need to worry about either, but people using your card details in conjunction with your PIN to withdraw money using dial-up swipe machines and cloned cards.

To protect your PIN, then, the first and most obvious step is to use your spare hand to cover the keypad when you enter it. It’s not rude, it’s common sense, and any vendor should understand. This is particularly important at ATMs, where smart criminals are known to mount small cameras to capture your digits. You should also be very careful at ATMs to ensure that they are what they appear to be, as in some instances clever covers that look like the front of the ATM underneath are fitted to clone your card or steal your details. Check for anything unusual and try pushing on the surface to ensure it’s not loose.

Destroying Your Documents

To be PCI compliant you will need to ensure the security of all your data streams that handle financial information. This means installing firewalls, testing hardware and software, monitoring data streams, etc.; all of this helps keep your connections secure and prevents your data streams from being breached, which keeps both your details and your customers’ details safe. However, this isn’t the only way to keep details safe; you also need to be just as careful with your physical documents and signatures.

The first and most obvious way to do this is to ensure that all documents containing private data, whether the company’s or the clients’, are completely destroyed once they are finished with. Just throwing such documents away isn’t enough; many a smart thief will look through dustbins outside offices to obtain this information. All offices should therefore have a shredder and instruct all members of staff to use it for important documents. Even papers containing only clients’ names should be destroyed, as these can be used in conjunction with other data found elsewhere. If a customer has entrusted you with their data, that is a great responsibility and should be treated as such.

© 2010 BHI Advanced Internet, Inc. Provider of SecureConnect®. All Rights Reserved.