Give Vendors Access to the Data They Need NOT Access to Your Network
Acumera AirGap Architecture
By: Tom Yemington, Vice President of Sales and Marketing, tom.yemington@acumera.net

By the year 2020, just five years from now, it is estimated that 25 billion devices will be connected to the Internet of Things. While each of these Things transmits valuable data and information that can help businesses reduce costs, improve operations and enhance marketing programs, they also introduce new security challenges to the C-store environment.

One important Thing found in many C-stores is an Automated Tank Gauge (ATG). It gathers and provides operational data such as inventory levels to enable better, more accurate business and operational decisions. Another important Thing that provides key operational functions is the Point of Sale (POS) system.

In order for vendors and stakeholders to access and utilize the data generated by the devices and equipment in C-stores, these Things need to be connected to the Internet. Once the devices are connected, vendors can remotely manage their devices and gather the information they need to do their jobs. However, giving vendors access to devices that are connected to a C-store's network can quickly open the door to malicious activity.

Even large, highly sophisticated retailers have proven vulnerable to breaches associated with connecting devices to the Internet of Things. One of the important things many of the highest-profile network security breaches have in common is that intruders gained access to the retailers' networks through security holes in their vendors' networks. According to KrebsOnSecurity.com, some of the largest retail breaches over the past year started with a hacked vendor. In several cases, thieves used a vendor's username and password to enter the network and remotely access the company's point-of-sale devices, opening the door to the theft of credit card numbers and other personal information from millions of customers. Even though many of the retailers were certified to be compliant with the Payment Card Industry Data Security Standard (PCI DSS), they were not immune to this type of threat. So, how can this type of vulnerability be mitigated?

Be PCI Compliant AND Be Secure

It is important to understand that PCI compliance is only part of the security equation. The PCI Data Security Standard provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. Unfortunately, because threats are continuously evolving and compliance is evaluated periodically, not continuously, compliance doesn't necessarily equate to security.

PCI Compliance

PCI compliance is evaluated on an annual basis, with different levels of requirements according to the volume of credit card transactions processed by a merchant each year. However, a vulnerability scan or PCI DSS assessment is only a snapshot in time. Security efforts are non-stop and must get stronger every day, which is why PCI DSS compliance efforts must be a continuous process of assessment and remediation to ensure the safety of cardholder data.

Network Security Best Practices

Beyond rigorously maintaining PCI compliance, Acumera recommends that C-stores follow network security best practices to protect themselves against security breaches, including:

1. AGGRESSIVELY SEGMENT YOUR NETWORK

Many merchants are already aware of the benefits of segmentation, or putting different components in different network segments. As a baseline, isolate the part of a network that contains cardholder data and put it in a separate network segment, so that even if other areas of the network are compromised, it does not impact the security of the cardholder data in the network. In light of the recent, highly publicized network breaches that exposed millions of people's credit card data, one large regional C-store operator now has a network segment for each vendor. There is even a segment named HVAC in each of their stores. Network segmentation can be achieved through a number of means, such as properly configured internal network firewalls, routers with strong access control lists, segmenting network switches, or other technologies that restrict access to a particular segment of a network.
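The following is an added illustration of the segmentation model described above (one segment per function and per vendor, with an explicit allow-list and everything else denied). It is example code written for this page, not Acumera's or any vendor's product; the segment names, addresses, ports and rules are constructed for the illustration, and the audit function simply flags any allow-list rule that would let a non-payment segment reach the cardholder segment.

```python
"""Default-deny inter-segment policy check for a segmented store network.

Added illustration written for this page (not Acumera's code). Segment
names, address ranges, ports and the rule set are constructed examples.
"""
import ipaddress
from dataclasses import dataclass

# Constructed segment plan: one segment per function, one per vendor,
# mirroring the "segment named HVAC in each store" practice above.
SEGMENTS = {
    "cardholder": ipaddress.ip_network("10.10.1.0/24"),  # POS / cardholder data
    "things":     ipaddress.ip_network("10.10.2.0/24"),  # ATG, temperature sensors
    "hvac":       ipaddress.ip_network("10.10.3.0/24"),  # HVAC vendor equipment
    "backoffice": ipaddress.ip_network("10.10.4.0/24"),
    "gateway":    ipaddress.ip_network("10.10.0.0/24"),  # managed gateway / egress
}


@dataclass(frozen=True)
class Rule:
    src: str    # source segment name
    dst: str    # destination segment name
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


# Explicit allow-list; any flow not listed here is denied.
ALLOW = [
    Rule("cardholder", "gateway", "tcp", 443),  # payment traffic to egress only
    Rule("gateway", "things", "tcp", 10001),    # gateway polls the ATG (constructed port)
    Rule("backoffice", "gateway", "tcp", 443),
]


def segment_of(ip):
    """Map an address to its segment name, or None if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, proto, dport):
    """Return True only if an explicit rule permits the inter-segment flow."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False          # unknown addresses never pass
    if src == dst:
        return True           # intra-segment traffic is outside this policy's scope
    return Rule(src, dst, proto, dport) in ALLOW


def audit(rules):
    """Flag any rule that lets a segment other than the gateway reach cardholder data."""
    findings = []
    for r in rules:
        if r.dst == "cardholder" and r.src not in ("cardholder", "gateway"):
            findings.append(
                f"{r.src} -> cardholder:{r.dport}/{r.proto} reaches cardholder data")
    return findings


if __name__ == "__main__":
    # The HVAC vendor segment cannot reach the POS segment at all.
    print(is_allowed("10.10.3.5", "10.10.1.10", "tcp", 445))   # False
    print(is_allowed("10.10.1.10", "10.10.0.1", "tcp", 443))   # True
    print(audit(ALLOW + [Rule("hvac", "cardholder", "tcp", 445)]))
```

The point of the model is that adding a vendor means adding a segment and, at most, a narrow rule towards the gateway; a rule that points a vendor segment at the cardholder segment is exactly what the audit is meant to catch before it reaches a firewall.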
Many merchants have been reluctant to segment their in-store networks because of a belief that segmentation is difficult, complex, or expensive, but there are many simple, cost-effective options available today.

2. CONDUCT EXTENSIVE PENETRATION TESTING

Internal and external penetration testing is required for all merchants, regardless of size, according to the PCI DSS. The objective of penetration testing is to identify areas of potential weakness in an environment by simulating the methods used by an attacker. Don't just do the minimum of testing penetration from the outside or inter-segment penetration: come up with new and creative ingress paths to test, such as trying to reach sensitive data from a user account that is specifically denied access to that data. Because penetration testing is a manual process, it can be expensive, especially if there are many different or non-standard store configurations to be penetration-tested. So, the new pen-test requirement is a big motivation for merchants to do something that is a good idea anyway: to standardize the configuration across multiple stores. This requirement, as well as the recent highly publicized breaches of networks that did not employ good segmentation and isolation techniques, is motivating progressive merchants not only to segment their networks, but also to eliminate as many persistent connections to vendors as possible.

Conduct penetration testing on your network before someone else does.

3. DEVELOP AND MAINTAIN CONSISTENT POLICIES AND PROCEDURES

It is important that security practices and policies be developed and maintained throughout the year, not just for the purposes of PCI compliance. Continuously maintain dataflow diagrams and network inventories to ensure that no part of an environment is overlooked and becomes a breach vector, especially as changes are made over time. Create specific access rules and user guidelines to prevent outside personnel from unintentionally becoming the source of a breach. Keep internal users informed about potential threats and trends, such as social hacks, which leverage impersonation or manipulation tactics to gain access. Implementing a disciplined system of change management that tracks modification of devices, connections and users strengthens and preserves the integrity of information security.

4. USE TWO-FACTOR AUTHENTICATION AND REQUIRE YOUR VENDORS TO USE TWO-FACTOR AUTHENTICATION

According to the Verizon 2014 Data Breach Investigations Report, "Stronger passwords would cut out a huge chunk of the problem, but larger organizations should also consider multiple factors to authenticate third-party and internal users." The use of two-factor authentication has two primary benefits. First, it blunts brute-force password guessing and dictionary attacks (looking for simple passwords that are in lists of passwords stolen in previous breaches), which are increasingly common. Second, two-factor authentication reduces the threat posed by phishing and social hacks (where a user is tricked into disclosing their credentials), because second-factor techniques depend on something you have, such as a mobile phone or authentication token, that isn't easily stolen, replicated, or transferred even if a password has been electronically stolen.

5. DE-VALUE YOUR DATA

Encrypting data reduces the value of your data to cyber-criminals. If they can't sell it, they are less likely to want to steal it. Sections 3 and 4 of the PCI DSS give clear requirements regarding using encryption to protect stored and transmitted cardholder data. Why not apply these same standards to other sensitive or proprietary data?

Use the strongest encryption methods available to encrypt data.
Have and enforce robust policy procedures for cryptographic key access and management.

6. LIMIT NETWORK ACCESS GRANTED TO VENDORS AND SERVICE PROVIDERS

It is important to keep in mind that your network security is only as strong as your weakest measure. Your company carefully selects vendors and service providers to maximize the value those partners provide. In today's environment it would be nearly impossible to develop all hardware and services in house.

QUICK REFERENCE: Network Security Best Practices
1. Aggressively segment your network
2. Conduct extensive penetration testing
3. Develop and maintain consistent policies and procedures
4. Use two-factor authentication and require your vendors to use two-factor authentication
5. De-value your data
6. Limit network access granted to vendors and service providers
Imagine running a large C-store chain with no accounting system, fuel inventory management system, or POS hardware and support. Even if you have mostly internal/proprietary systems, vendors and stakeholders are going to be most valuable when they have access to, and can get the data generated by, the devices and equipment in C-stores; these Things need to be connected to the Internet. But you can't possibly manage your vendors' security or their adherence to the best practices outlined above unless you strictly reduce their access to unnecessary parts of your network.

Isolate Your Store Network

In network security, an air gap is the idea that a secure network is safest from attack when it is physically separate and isolated from unsecure networks. Having absolutely no connection is the maximum level of protection between two or more systems. Essentially, an air gap creates a closed system for highly sensitive information or equipment, so that it is completely inaccessible to outside threats. Military and government systems and networks with sensitive data are often air-gapped. Other examples include financial and banking systems, such as stock exchanges, nuclear power plant controls, computerized medical equipment, and flight and aircraft control systems.

Minimize third-party access

One of the major benefits of creating an air gap in a network is to prevent direct network access by outside sources that may be trusted to do business with a company, but are not necessarily trustworthy when it comes to network security. Many third-party vendors aren't required to follow the same stringent security policies as retailers because, on the surface, they aren't dealing directly with sensitive information, such as credit card or social security numbers. However, if a vendor has direct access to any device that is operating on your network, your network (and the sensitive information on it) can become vulnerable to an attack made on that vendor. Ask all of your vendors about their security and compliance practices to get a better understanding of the potential risks to your network.

Avoid Persistent Connections

Another benefit of creating an isolated network is that it limits the threat surface that must be monitored for attacks and intrusion. A persistent connection to your network creates a larger, and quite likely unknowable, scope for attack. In addition, persistent connections leave the door open to potential intruders around the clock. By enabling and allowing access only when it is required, you reduce the time during which the network is vulnerable to attack.

Questions to Ask Your Vendors and Service Providers
Are your services PCI DSS compliant?
What do you do to protect your systems from malware and other security breaches?
How often do you check your systems for malicious activity?
Do you access my infrastructure over the network connections that you use for other C-store operators/competitors?
Is it necessary to have a persistent connection to my sites to provide systems support/business intelligence?
What are you doing to limit the time of support or data transfer connections?
What are you doing to validate that only authorized employees from your company are accessing my data or my systems?
Are you using strong passwords and two-factor authentication, and logging support and access events?
Do you really need access to my network at all, or do you just need data from the site?
The Acumera AirGap Architecture

The more isolated a network is, the more secure it is. On the other hand, the more isolated a network, the less useful the data and Things connected to it. In practice, a completely air-gapped solution is impractical, so Acumera developed a highly secure system for providing access to data while virtually eliminating persistent access. The Acumera AirGap Architecture provides the benefits of an isolated network while getting vendors and service providers the data and access they need to help you run your business.

[Diagram: Acumera AirGap Architecture. Labels: PDI, WEX, Telapoint, Intellifuel, POS, MG, 'Things', Stores, Internet]

Acumera AirGap Architecture: How It Works

The Acumera AirGap Architecture enables in-store devices to communicate and share data with analysts, operations professionals and third-party service providers, without giving third parties access to the store's network. Instead, valuable information from devices, such as automatic tank gauges, is collected and sent to a secure location in the cloud, where it can then be picked up, used and stored by the vendor. Unlike the traditional model, the Acumera AirGap Architecture does not create a linear, persistent connection between in-store devices and third parties, keeping the store network and sensitive customer information (such as cardholder data) isolated from potential breaches. This highly secure design reduces the scope of requirements for PCI compliance and mitigates the threat of C-stores falling victim to the types of breaches that are affecting major retail chains today. Convenience stores can give vendors access to the data they need and reap the benefits of being connected to the Internet of Things, without sacrificing network security and customer information.

The Acumera AirGap Architecture Minimizes Persistent Connections

Acumera uses the AirGap architecture for our own management systems. Acumera has no persistent access to the Acumera Merchant Gateways (MGs) at our customer sites, inverting the typical network monitoring model for enhanced security and reliability. Frequently, network monitoring tools use SNMP, ping, or some other tool to centrally check remote network device status, which creates network traffic and potential vulnerabilities. So, Acumera flips the flow of site data so that the site initiates contact. The Acumera MG frequently checks the status of connected site systems and pushes site status to secure cloud storage. The site status and enterprise reports can be displayed in a browser without any direct connection to the site. Only when Acumera's network operations group needs to check an Acumera MG or upgrade MG firmware does Acumera make a direct, limited-time connection to the Acumera MG. The access and changes are logged in a PCI-compliant fashion, and access is terminated when the support or upgrade is complete.

Acumera's Apps for Your Network services and Acumera management tools can help satisfy PCI DSS controls with respect to minimizing persistent connections:
Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity
Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use

[Sidebar: Secure Networks; AcuVigil Dashboard, Visibility and Management; Merchant Gateway, Reliable Operational Data; Apps for Your Network Services]

When it is absolutely necessary to allow vendors direct access to store networks, such as when a POS vendor needs to access a POS to provide updates or support, Acumera Apps for Your Network services and Acumera management tools have controls that require administrators to actively grant access. To reduce and minimize the vulnerability, access is automatically cut off after a specific time period and access must be re-granted.

Summary

From maintaining PCI compliance to keeping up with best practices, such as segmentation, penetration testing and security policies and procedures, there's a lot to consider when it comes to network security. It is important not to overlook the role that vendors and service providers play in your security equation. Protect your business by avoiding the use of persistent connections and isolating your network from vendor access. In the end, you will not only preserve your reputation, you will keep your customers' data out of harm's way.
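The two mechanisms described in this section, the site-initiated push of status data to a cloud location that vendors read from, and the administrator-granted, automatically expiring direct access, are modelled in the added example below. It is illustration code written for this page, not Acumera's AirGap implementation: the class names (StoreGateway, CloudDropbox, AccessGrant), the HMAC-SHA256 signing of pushed reports, the idle and absolute timeouts and the sample tank reading are all assumptions made for the example. The gateway object has no inbound interface at all; the only way data leaves the store is the gateway's own outbound push, and the only way a vendor touches the store directly is through a grant that refuses further use once its idle or absolute limit has passed.

```python
"""Site-initiated status push plus time-limited, auto-expiring vendor access grants.

Added illustration written for this page; it is not Acumera's code. Class
names, the HMAC-SHA256 report signing, the timeouts and the sample reading
are assumptions made for the example.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field


class CloudDropbox:
    """Cloud location the site pushes into and vendors read from.

    Neither side ever connects to the other; both only talk to this store.
    """
    def __init__(self):
        self.reports = []  # (site_id, payload_json, signature)

    def put(self, site_id, payload_json, signature):
        self.reports.append((site_id, payload_json, signature))

    def get(self, site_id):
        return [(p, s) for sid, p, s in self.reports if sid == site_id]


class StoreGateway:
    """In-store gateway: polls the local Things itself and pushes outbound only."""
    def __init__(self, site_id, signing_key, dropbox):
        self.site_id, self.key, self.dropbox = site_id, signing_key, dropbox

    def push_status(self, readings):
        """Sign the collected readings and push them; returns the signature."""
        payload = json.dumps({"site": self.site_id, "readings": readings}, sort_keys=True)
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        self.dropbox.put(self.site_id, payload, sig)
        return sig


def vendor_fetch(dropbox, site_id, verify_key):
    """Vendor side: read from the cloud and keep only reports with a valid signature."""
    accepted = []
    for payload, sig in dropbox.get(site_id):
        expected = hmac.new(verify_key, payload.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig):
            accepted.append(json.loads(payload))
    return accepted


@dataclass
class AccessGrant:
    """Direct store access an administrator explicitly grants; expires on its own."""
    vendor: str
    granted_at: int         # epoch seconds
    max_duration: int       # absolute cutoff, seconds after grant
    idle_timeout: int       # disconnect after this many seconds of inactivity
    log: list = field(default_factory=list)
    last_activity: int = field(init=False, default=0)

    def __post_init__(self):
        self.last_activity = self.granted_at
        self.log.append((self.granted_at, f"grant {self.vendor}"))

    def is_active(self, now):
        if now - self.granted_at > self.max_duration:
            return False
        return now - self.last_activity <= self.idle_timeout

    def use(self, now, action):
        """Record an action if the grant is still active; otherwise refuse and log it."""
        if not self.is_active(now):
            self.log.append((now, f"denied {self.vendor}: {action} (grant expired)"))
            return False
        self.last_activity = now
        self.log.append((now, f"{self.vendor}: {action}"))
        return True


if __name__ == "__main__":
    cloud = CloudDropbox()
    gw = StoreGateway("store-042", b"constructed-site-key", cloud)
    gw.push_status({"tank1_gal": 5120})          # constructed ATG reading
    print(vendor_fetch(cloud, "store-042", b"constructed-site-key"))
    grant = AccessGrant("pos-vendor", granted_at=1000, max_duration=3600, idle_timeout=600)
    print(grant.use(1100, "apply POS patch"), grant.use(2200, "late follow-up"))  # True False
    for entry in grant.log:
        print(entry)
```

Once the grant has refused a request it stays refused; a new AccessGrant has to be created by the administrator, which is the "access must be re-granted" behaviour the text describes, and the log gives the auditable record of who was let in and when.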
About Acumera

Founded in 2002, Acumera provides Trusted Connection Services to multisite merchants, specializing in the reduction of headaches caused by network management and security issues. Customers are free to focus on running their businesses because Acumera actively manages their networks and provides unparalleled visibility and remote management capability. Acumera gets customers' stores, network clients and devices securely connected and keeps them connected. In addition to network status, merchants have real-time insight into key operational measures, such as fuel inventory levels and environmental and food safety temperatures. As a result, Acumera customers say they love their network.

Further Reading
Verizon Data Breach Investigations Report
Payment Card Industry Data Security Standard (Version 3.0)

Critical Services for Convenience Stores
Broadband Qualification, Provisioning & Support
Secure Network Development & Management
Network/Device Monitoring & Alert Messaging
Apps for C-store Operations (ATG, Temperature Monitoring, etc.)
Virtual Private Network Management
PCI Tools & Support

Whitepapers Available from Acumera
Improving C-Store Operations with Network Automation
A New Era of Security in Convenience Stores
Advantages and Benefits of Running PDI/Enterprise on an Acumera Managed Network
Improving Store Support and Revenue with Proactive Support Methodology
Business Considerations for Leveraging Wi-Fi at C-Stores
Technical Considerations for Implementing Wi-Fi in C-Stores
Getting Your C-Store Connected
Improving Network Uptime

PCI-DSS Compliance Support

Our goal is to reduce the headaches our customers experience maintaining their Payment Card Industry Data Security Standard (PCI DSS) compliance. To that end, we are constantly improving our systems and services to provide the most secure networks and to support our customers' compliance audits. Acumera is a fully PCI compliant service provider, which means we have taken the steps to complete our own PCI compliance assessment and obtain an annual Report on Compliance (ROC). Acumera is fully compliant with ALL applicable requirements and controls. Uniquely, we won't promote that our compliance will ensure our customers' compliance, because it can't. There is no third-party service that completely removes merchant responsibility for PCI DSS compliance.

Tom Yemington, Vice President of Sales and Marketing, thomas.yemington@acumera.net
Nick Franco, Senior Director of Sales, (512), nick.franco@acumera.net
Dennis Jensen, Senior Director of Sales, (952), dennis.jensen@acumera.net
More informationWhite Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI
White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:
More informationFive PCI Security Deficiencies of Restaurants
Whitepaper The Most Common PCI Compliance Mistakes of Brick-and-Mortar Locations By Bradley K. Cyprus- Senior Security Architect, Vendor Safe 2011 7324 Southwest Freeway, Suite 1700, Houston, TX 77074
More informationHow To Test For Security On A Network Without Being Hacked
A Simple Guide to Successful Penetration Testing Table of Contents Penetration Testing, Simplified. Scanning is Not Testing. Test Well. Test Often. Pen Test to Avoid a Mess. Six-phase Methodology. A Few
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationCompliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.
ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework
More informationPayment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.
Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History
More informationAchieving Compliance with the PCI Data Security Standard
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationBottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.
Payment Card Industry Security Standards Over the past years, a series of new rules and regulations regarding consumer safety and identify theft have been enacted by both the government and the PCI Security
More informationPCI Compliance for Cloud Applications
What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage
More informationFive PCI Security Deficiencies of Restaurants
WHITE PAPER Five PCI Security Deficiencies of Restaurants Five PCI Security Deficiencies of Restaurants The Most Common PCI Compliance Mistakes of Brick-and-Mortar Locations By Bradley K. Cyprus - Chief
More informationHow To Secure Your Store Data With Fortinet
Securing Wireless Networks for PCI Compliance Using Fortinet s Secure WLAN Solution to Meet Regulatory Requirements Introduction In the wake of many well-documented data breaches, standards such as the
More informationWhat is Penetration Testing?
White Paper What is Penetration Testing? An Introduction for IT Managers What Is Penetration Testing? Penetration testing is the process of identifying security gaps in your IT infrastructure by mimicking
More informationPCI DSS Overview and Solutions. Anwar McEntee Anwar_McEntee@rapid7.com
PCI DSS Overview and Solutions Anwar McEntee Anwar_McEntee@rapid7.com Agenda Threat environment and risk PCI DSS overview Who we are Solutions and where we can help Market presence High Profile Hacks in
More informationTarget Security Breach
Target Security Breach Lessons Learned for Retailers and Consumers 2014 Pointe Solutions, Inc. PO Box 41, Exton, PA 19341 USA +1 610 524 1230 Background In the aftermath of the Target breach that affected
More informationBreach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security
Breach Findings for Large Merchants 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security Disclaimer The information or recommendations contained herein are
More informationMITIGATING SECURITY RISKS AT THE NETWORK S EDGE
MITIGATING SECURITY RISKS AT THE NETWORK S EDGE Best Practices for Distributed Enterprises Every year, the public relations specialists from at least one bluechip company invariably find themselves working
More informationSecurity. Tiffany Trent-Abram VP, Global Product Management. November 6 th, 2015. One Connection - A World of Opportunities
One Connection - A World of Opportunities Security Tiffany Trent-Abram VP, Global Product Management November 6 th, 2015 2015 TNS Inc. All Rights Reserved. Bringing Global Credibility and History TNS Specializes
More informationPCI DSS Reporting WHITEPAPER
WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts
More informationTop Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009
Top Five Data Security Trends Impacting Franchise Operators Payment System Risk September 29, 2009 Top Five Data Security Trends Agenda Data Security Environment Compromise Overview and Attack Methods
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationPCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00
PCI PA - DSS Point XSA Implementation Guide Atos Worldline Banksys XENTA SA Version 1.00 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page number 2 (16)
More informationVoltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review
Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review Prepared for: Coalfire Systems, Inc. March 2, 2012 Table of Contents EXECUTIVE SUMMARY... 3 DETAILED PROJECT OVERVIEW...
More informationYou Can Survive a PCI-DSS Assessment
WHITE PAPER You Can Survive a PCI-DSS Assessment A QSA Primer on Best Practices for Overcoming Challenges and Achieving Compliance The Payment Card Industry Data Security Standard or PCI-DSS ensures the
More informationTime Is Not On Our Side!
An audit sets the baseline. Restricting The next steps Authenticating help prevent, Tracking detect, and User Access? respond. It is rare for a few days to pass without news of a security breach affecting
More informationHow To Protect Your Data From Being Stolen
DATA SECURITY & PCI DSS COMPLIANCE PROTECTING CUSTOMER DATA WHAT IS PCI DSS? PAYMENT CARD INDUSTRY DATA SECURITY STANDARD A SET OF REQUIREMENTS FOR ANY ORGANIZATION OR MERCHANT THAT ACCEPTS, TRANSMITS
More informationManaging IT Security with Penetration Testing
Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to
More informationWelcome to the Protecting Your Identity. Training Module
Welcome to the Training Module 1 Introduction Does loss of control over your online identities bother you? 2 Objective By the end of this module, you will be able to: Identify the challenges in protecting
More informationPCI Compliance. Top 10 Questions & Answers
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
More information05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013
05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of
More informationPCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationClosing Wireless Loopholes for PCI Compliance and Security
Closing Wireless Loopholes for PCI Compliance and Security Personal information is under attack by hackers, and credit card information is among the most valuable. While enterprises have had years to develop
More informationPractice Good Enterprise Security Management. Presented by Laurence CHAN, MTR Corporation Limited
Practice Good Enterprise Security Management Presented by Laurence CHAN, MTR Corporation Limited About Me Manager Information Security o o o o Policy formulation and governance Incident response Incident
More informationTeradata and Protegrity High-Value Protection for High-Value Data
Teradata and Protegrity High-Value Protection for High-Value Data 03.16 EB7178 DATA SECURITY Table of Contents 2 Data-Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:
More informationI D C A N A L Y S T C O N N E C T I O N
I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM)
More informationWhite Paper: Are there Payment Threats Lurking in Your Hospital?
White Paper: Are there Payment Threats Lurking in Your Hospital? With all the recent high profile stories about data breaches, payment security is a hot topic in healthcare today. There s been a steep
More informationHow To Protect Your Credit Card Information From Being Stolen
Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)
More informationDATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH
DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH Andy Watson Grant Thornton LLP. All rights reserved. CYBERSECURITY 2 SURVEY OF CHIEF AUDIT EXECUTIVES (CAEs) GRANT THORNTON'S 2014 CAE SURVEY Data privacy and
More informationBest Practices in ICS Security for System Operators. A Wurldtech White Paper
Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security
More informationAdministrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation
The PCI DSS Lifecycle 1 The PCI DSS follows a three-year lifecycle PCI DSS 3.0 will be released in November 2013 Optional (but recommended) in 2014; Required in 2015 PCI SSC Community Meeting Update: PCI
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationFIVE PRACTICAL STEPS
WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND
More informationFrequently Asked Questions
PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationWhy Is Compliance with PCI DSS Important?
Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These
More informationProjectplace: A Secure Project Collaboration Solution
Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationCisco Security Optimization Service
Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless
More informationMiami University. Payment Card Data Security Policy
Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that
More informationSecuring Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits
A Clear View of Challenges, Solutions and Business Benefits Introduction Cloud environments are widely adopted because of the powerful, flexible infrastructure and efficient use of resources they provide
More information