SecurityMetrics Vision whitepaper

Transcription

1 SecurityMetrics Vision whitepaper 1

2 SecurityMetrics Vision: Network Threat Sensor for Small Businesses Small Businesses at Risk for Data Theft Small businesses are the primary target for card data theft, accounting for 85% of card data compromises*. Although less lucrative than individual large corporations, small businesses offer more opportunities for criminals to steal payment card data. Many small businesses overlook payment card security because it can be time consuming and expensive. The purpose of this paper is to inform merchants of threats facing small businesses and to introduce a network security solution called SecurityMetrics Vision. Varied Network Vulnerabilities Mainstream media rarely publicizes anything other than large-scale data breaches where millions of credit cards are stolen. This creates a deception that criminals do not target small businesses and decreases the urgency of merchants to implement network security. Because small businesses are at great risk for card data compromise, network security is essential. Consider the following: How many employees have access to read, write, or modify sensitive employee information or confidential business data on business computers? What controls are in place to protect sensitive customer information, employee information, or confidential business data? When and how often are employees given training to securely handle cardholder data? These questions only scratch the surface of security measures businesses should evaluate. Not effectively addressing important issues like these has led many businesses to card data compromise, fines and fees, and sometimes closure. * Visa/National Federation of Independent Business 2

3 System vulnerabilities come from many sources weak wireless security, an improperly configured firewall, or an unauthorized employee browsing confidential files. There are thousands of potential system weaknesses and ways criminals gain network access to retrieve payment card data. The following table lists some common methods criminals use to gain unauthorized access to networks. Threat Password Cracking SQL Injection Cross-site Scripting Man-in-the-Middle Attack Phishing Social Engineering Method Using password generators, criminals identify passwords from databases. Adding code to a web form to make data changes. Exploiting weak user input validation, criminals collect sensitive information such as login credentials. Intercepting communications between two parties usually between a website and the end user. Gathering sensitive information through apparently trustworthy sources via . Contacting businesses directly to gather sensitive information that allows network access. The hacking community increases in numbers daily because these attacks are simple. Instructions to perform these and numerous other attacks are easily accessible online. Successful Compromise Prevention Businesses must understand that prevention of data theft is not a single action or step, but a series of actions and steps implemented daily. Important portions of these steps include monitoring for system threats and blocking unauthorized network communication. System Monitoring The following section provides four methods businesses can use to monitor for network security threats. Each method discusses sections of requirements from the Payment Card Industry (PCI) Data Security Standard (DSS). These PCI DSS requirements help merchants monitor for network weaknesses. 3

4 1. Monitor Computer Activity Like a security guard watches security cameras to search for criminal behavior, businesses need to monitor network computer activity for malicious actions. Monitoring network computer activity, also known as event log monitoring, is part of PCI DSS Requirement 10. By storing and monitoring system event logs, businesses discover possible abuses from employees such as data tampering. Most importantly, monitoring event logs provides warning against current hacks in a network. 2. Monitor Internal Network Weakness If an internal network is unsecure, it may be just as dangerous as an unsecured external network. Think of external and internal network security like a security guard who locks all the doors and windows leading into a building then manually checks the doors and locks inside the building. Internal network security checks for thousands of weaknesses on the inside of a business network that could result in compromise. Quarterly internal vulnerability assessment scans (PCI DSS Requirement 11) are required to check for these weaknesses. 3. Monitor Wireless Security In 2007, TJX Corporation experienced one of the largest hacks in history. The cause was an unsecured wireless network. Tracking wireless access points and testing wireless security on networks also fulfills PCI DSS Requirement 11 and reduces compromise. If wireless security measures such as secure encryption settings are not in place, criminals can more easily gain network access. 4. Blocking Unauthorized Network Communication In addition to network monitoring, restricting network communication to only those with permission is essential to prevent card data theft. Just as a lock prevents uninvited people from entering a house, your computer network needs locks that only allow passage to those with permission. PCI DSS Requirement 1, Install and maintain a firewall configuration, prevents unauthorized business network communication. 4

5 Network Security Options Research shows that 53% of small businesses do not secure their business networks because of the high cost in both time and money*. Additionally, SecurityMetrics has discovered many merchants find it difficult to implement monitoring and blocking network security solutions. Many available security solutions are designed for larger organizations and make implementation cumbersome for small businesses due to their size and noise level. Solutions are found in multiple products across the security industry making management difficult and purchasing expensive. For example, some security businesses specialize in firewalls, some specialize in wireless security, and others only offer PCI approved scans. SecurityMetrics Vision Because current network security solutions that address PCI DSS requirements 1, 10, and 11 are: Addressed with multiple products Not designed for small businesses Expensive Difficult to manage Time consuming SecurityMetrics created a tool for small businesses called SecurityMetrics Vision. It is small, quiet, installs inside business networks, addresses all of the three monitoring solutions listed above, and includes an industry-leading firewall at a quarter of the price merchants now pay to get similar features. SecurityMetrics Vision provides a solid foundation to help merchants comply with PCI DSS requirements 1, 10, and 11. The following table demonstrates how SecurityMetrics Vision addresses security issues these requirements answer. * Visa/National Cyber Security Alliance 5

6 Security Issue PCI Standard SecurityMetrics Vision Provides Block unauthorized network communication Discover malicious activity on an internal network Remain up to date with internal vulnerabilities that may allow compromise Detect rogue access points and weak wireless authentication/ encryption Requirement 1: Install and maintain a firewall configuration Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Requirement 11: Regularly test security systems and processes Industry-leading firewall/router Event log repository, log monitoring, threat notification Internal vulnerability scanning Wireless detection SecurityMetrics Vision: Above Base Security Requirements In addition to providing solutions to PCI DSS monitoring and firewall requirements, SecurityMetrics Vision includes other helpful tools for merchants to manage their network security and avoid card data theft. These additional tools are found in the table below. Additional Security Features Auto populate PCI Self Assessment Questionnaire (SAQ) Immediate threat notification Password strength analyzer Secure file transfer Vulnerability reports 24/7 technical support Benefits Save time with PCI validation Keep up to date with vulnerabilities Ensure passwords are unique and secure Ensure files aren t intercepted by a third party Make remediation as simple as possible with easy to read reports and recommendations Get help resolving discovered weaknesses 24/7, free 6

7 SecurityMetrics Vision is simple to install and maintain. SecurityMetrics Vision helps small businesses to: Achieve and maintain PCI DSS compliance with PCI requirements 1, 10, and 11 Detect security weaknesses inside networks with internal vulnerability scanning Discover malicious activity with computer event log storage and analysis Block unauthorized network communication with an industry leading firewall Locate rogue wireless devices with wireless security tools Keep informed of current threats with immediate online threat notification Avoid non-compliance fees by automating key PCI requirements Reduce risk of password cracking with a password strength analyzer Keep safe against new threats with constantly updating scan technology Understand how to resolve weaknesses with free, 24/7 technical support Conclusion Small businesses are targeted by criminals because many fail to secure and monitor their business network. Industry options to secure small business networks are expensive and difficult to implement. SecurityMetrics Vision is designed for small businesses. It protects networks by monitoring for threats and blocking unauthorized business network communication. SecurityMetrics Vision simplifies network security management and helps small businesses achieve and maintain PCI DSS compliance with key requirements, at an affordable price SecurityMetrics