Give Vendors Access to the Data They Need NOT Access to Your Network




Give Vendors Access to the Data They Need NOT Access to Your Network
Acumera AirGap Architecture
By: Tom Yemington, Vice President of Sales and Marketing, tom.yemington@acumera.net

By the year 2020, just five years from now, it is estimated that 25 billion devices will be connected to the Internet of Things. While each of these "Things" transmits valuable data and information that can help businesses reduce costs, improve operations and enhance marketing programs, they also introduce new security challenges to the C-store environment.

One important Thing found in many C-stores is an Automated Tank Gauge (ATG). It gathers and provides operational data such as inventory levels to enable better, more accurate business and operational decisions. Another important Thing that provides key operational functions is the Point of Sale (POS) system.

In order for vendors and stakeholders to access and use the data generated by the devices and equipment in C-stores, these Things need to be connected to the Internet. Once the devices are connected, vendors can remotely manage their devices and gather the information they need to do their jobs. However, giving vendors access to devices that are connected to a C-store's network can quickly open the door to malicious activity.

Even large, highly sophisticated retailers have proven vulnerable to breaches associated with connecting devices to the Internet of Things. One thing many of the highest-profile network security breaches have in common is that intruders gained access to the retailers' networks through security holes in their vendors' networks. According to KrebsOnSecurity.com, some of the largest retail breaches over the past year started with a hacked vendor.

In several cases, thieves used a vendor's username and password to enter the network and remotely access the company's point-of-sale devices, opening the door to the theft of credit card numbers and other personal information from millions of customers. Even though many of the retailers were certified to be compliant with the Payment Card Industry Data Security Standard (PCI DSS), they were not immune to this type of threat. So, how can this type of vulnerability be mitigated?

Be PCI Compliant AND Be Secure

It is important to understand that PCI compliance is only part of the security equation. The PCI Data Security Standard provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. Unfortunately, because threats are continuously evolving and compliance is evaluated periodically, not

continuously, compliance doesn't necessarily equate to security.

PCI Compliance

PCI compliance is evaluated on an annual basis, with different levels of requirements according to the volume of credit card transactions processed by a merchant each year. However, a vulnerability scan or PCI DSS assessment is only a snapshot in time. Security efforts are non-stop and must get stronger every day, which is why PCI DSS compliance efforts must be a continuous process of assessment and remediation to ensure the safety of cardholder data.

Network Security Best Practices

Beyond rigorously maintaining PCI compliance, Acumera recommends C-stores follow network security best practices to protect themselves against security breaches, including:

1. AGGRESSIVELY SEGMENT YOUR NETWORK

Many merchants are already aware of the benefits of segmentation, or putting different components in different network segments. As a baseline, isolate the part of a network that contains cardholder data and put it in a separate network segment, so that even if other areas of the network are compromised, it does not impact the security of the cardholder data in the network. In light of the recent, highly publicized network breaches that exposed millions of people's credit card data, one large regional C-store operator now has a network segment for each vendor. There is even a segment named HVAC in each of their stores.

Network segmentation can be achieved through a number of means, such as properly configured internal network firewalls, routers with strong access control lists, segmenting network switches, or other technologies that restrict access to a particular segment of a network.
Many merchants have been reluctant to segment their in-store networks because of a belief that segmentation is difficult, complex, or expensive, but there are many simple, cost-effective options available today.

2. CONDUCT EXTENSIVE PENETRATION TESTING

Conduct penetration testing on your network before someone else does.

Internal and external penetration testing is required for all merchants, regardless of size, according to the PCI DSS. The objective of penetration testing is to identify areas of potential weakness in an environment by simulating the methods used by an attacker. Don't just do the minimum of testing penetration from the outside or inter-segment penetration: come up with new and creative ingress paths to test, such as trying to reach sensitive data from a user account that is specifically denied access to that data.

Because penetration testing is a manual process, it can be expensive, especially if there are many different or non-standard store configurations to be penetration-tested. So, the new pen-test requirement is a big motivation for merchants to do something that is a good idea anyway: standardize the configuration across multiple stores. This requirement, as well as the recent highly publicized breaches of networks that

did not employ good segmentation and isolation techniques, is motivating progressive merchants not only to segment their networks, but also to eliminate as many persistent connections to vendors as possible.

3. DEVELOP AND MAINTAIN CONSISTENT POLICIES AND PROCEDURES

It is important that security practices and policies be developed and maintained throughout the year, not just for the purposes of PCI compliance. Continuously maintain dataflow diagrams and network inventories to ensure no part of an environment is overlooked and left to become a breach vector, especially as changes are made over time. Create specific access rules and user guidelines to prevent outside personnel from unintentionally becoming the source of a breach. Keep internal users informed about potential threats and trends, such as social hacks, which leverage impersonation or manipulation tactics to gain access. Implementing a disciplined system of change management that tracks modification of devices, connections and users strengthens and preserves the integrity of information security.

4. USE TWO-FACTOR AUTHENTICATION AND REQUIRE YOUR VENDORS TO USE TWO-FACTOR AUTHENTICATION

According to the Verizon 2014 Data Breach Investigations Report, "Stronger passwords would cut out a huge chunk of the problem, but larger organizations should also consider multiple factors to authenticate third-party and internal users." The use of two-factor authentication has two primary benefits. First, brute-force password guessing and dictionary attacks (looking for simple passwords that are in lists of passwords stolen in previous breaches) are increasingly common, and a second factor protects an account even when its password has been guessed. Second, two-factor authentication reduces the threat posed by phishing and social hacks (where a user is tricked into disclosing their credentials), because second-factor techniques depend on something you have, such as a mobile phone or authentication token, that isn't easily stolen, replicated, or transferred even if a password has been electronically stolen.

5. DE-VALUE YOUR DATA

Encrypting data reduces the value of your data to cyber-criminals. If they can't sell it, they are less likely to want to steal it. Requirements 3 and 4 of the PCI DSS give clear requirements regarding the use of encryption to protect stored and transmitted cardholder data. Why not apply these same standards to other sensitive or proprietary data?
- Use the strongest encryption methods available to encrypt data
- Have and enforce robust policy procedures for cryptographic key access and management

6. LIMIT NETWORK ACCESS GRANTED TO VENDORS AND SERVICE PROVIDERS

It is important to keep in mind that your network security is only as strong as your weakest measure. Your company carefully selects vendors and service providers to maximize the value those partners provide. In today's environment it would be nearly impossible to develop all hardware and services in house.

QUICK REFERENCE: Network Security Best Practices
1. Aggressively segment your network
2. Conduct extensive penetration testing
3. Develop and maintain consistent policies and procedures
4. Use two-factor authentication and require your vendors to use two-factor authentication
5. De-value your data
6. Limit network access granted to vendors and service providers
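To make item 4 concrete, here is an added Python example (written for this page, not code from Acumera or from the whitepaper) of the server side of a two-factor vendor login: a salted password hash plus a TOTP second factor (RFC 6238, the "something you have" carried on a phone or hardware token). The secret is the published RFC test secret, the account name and password are constructed for the demo, and the drift window and replay check are this example's design choices. It shows why a stolen or guessed password on its own is rejected, and why a one-time code that was phished cannot be presented a second time.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"); a real
# deployment generates a random secret per account with secrets.token_bytes(20).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def match_totp(secret: bytes, code: str, unix_time: int,
               step: int = 30, window: int = 1) -> Optional[int]:
    """Return the time-step counter whose code equals `code`, tolerating
    +/- `window` steps of clock drift between token and server, else None."""
    current = int(unix_time) // step
    for counter in range(current - window, current + window + 1):
        if counter >= 0 and hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


class VendorAccount:
    """Vendor login record: salted password hash plus a TOTP secret that was
    provisioned to the technician's phone or hardware token out of band."""

    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.password_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.totp_secret = totp_secret
        self.last_counter_used = -1  # each one-time code is accepted at most once

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.password_hash)


def authenticate(account: VendorAccount, password: str,
                 code: Optional[str], unix_time: int) -> str:
    """Two-factor login decision. Returns one of: 'ok', 'bad-password',
    'second-factor-required', 'bad-code', 'replayed-code'."""
    if not account.check_password(password):
        return "bad-password"
    if not code:
        # A stolen or guessed password on its own gets no further than this.
        return "second-factor-required"
    counter = match_totp(account.totp_secret, code, unix_time)
    if counter is None:
        return "bad-code"
    if counter <= account.last_counter_used:
        # A code phished in real time is still valid for up to 30 s; refuse its reuse.
        return "replayed-code"
    account.last_counter_used = counter
    return "ok"


if __name__ == "__main__":
    acct = VendorAccount("pos-vendor-tech", "correct horse battery", RFC_TEST_SECRET)
    now = 59  # RFC 6238 test time; the matching 6-digit code is 287082
    print(authenticate(acct, "correct horse battery", None, now))      # second-factor-required
    print(authenticate(acct, "correct horse battery", "287082", now))  # ok
    print(authenticate(acct, "correct horse battery", "287082", now))  # replayed-code
```

The one-step drift window absorbs small clock skew between the token and the server; the `last_counter_used` check is what turns "something you have" into a defence against real-time phishing, since a code handed to an attacker is useless once the legitimate login has consumed it, and an attacker who uses it first leaves the real technician's login failing with `replayed-code`, which is worth alerting on.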

Imagine running a large C-store chain with no accounting system, fuel inventory management system, or POS hardware and support. Even if you have mostly internal/proprietary systems, vendors and stakeholders are going to be most valuable when they have access to, and can get the data generated by, the devices and equipment in C-stores; these Things need to be connected to the Internet. But you can't possibly manage your vendors' security or their adherence to the best practices outlined above unless you strictly reduce their access to unnecessary parts of your network.

Isolate Your Store Network

In network security, an air gap is the idea that a secure network is safest from attack when it is physically separate and isolated from unsecure networks. Having absolutely no connection is the maximum level of protection between two or more systems. Essentially, an air gap creates a closed system for highly sensitive information or equipment, so that it is completely inaccessible to outside threats. Military and government systems and networks with sensitive data are often air-gapped. Other examples include financial and banking systems, such as stock exchanges, nuclear power plant controls, computerized medical equipment, and flight and aircraft control systems.

Minimize third-party access

One of the major benefits of creating an air gap in a network is to prevent direct network access by outside sources that may be trusted to do business with a company, but are not necessarily trustworthy when it comes to network security. Many third-party vendors aren't required to follow the same stringent security policies as retailers because, on the surface, they aren't dealing directly with sensitive information, such as credit card or social security numbers. However, if a vendor has direct access to any device that is operating on your network, your network (and the sensitive information on it) can become vulnerable to an attack made on that vendor.
Ask all of your vendors about their security and compliance practices to get a better understanding of the potential risks to your network.

Avoid Persistent Connections

Another benefit of creating an isolated network is that it limits the threat surface that must be monitored for attacks and intrusion. A persistent connection to your network creates a larger and quite likely unknowable scope for attack. In addition, persistent connections leave the door open to potential intruders around the clock. By enabling and allowing access only when it is required, you reduce the time during which the network is vulnerable to attack.

Questions to Ask Your Vendors and Service Providers
- Are your services PCI DSS compliant?
- What do you do to protect your systems from malware and other security breaches?
- How often do you check your systems for malicious activity?
- Do you access my infrastructure over the network connections that you use for other C-store operators/competitors?
- Is it necessary to have a persistent connection to my sites to provide systems support/business intelligence?
- What are you doing to limit the time of support or data transfer connections?
- What are you doing to validate that only authorized employees from your company are accessing my data or my systems?
- Are you using strong passwords and two-factor authentication, and logging support and access events?
- Do you really need access to my network at all, or do you just need data from the site?
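As an added example (written here, not Acumera's product code), the following Python models what item 1 (a segment per vendor and per in-store system) looks like when combined with item 6 and the "Avoid Persistent Connections" advice above: traffic between segments is denied by default, a vendor path opens only when an administrator explicitly grants it, and the grant dies after a hard lifetime or a period of inactivity, with every decision logged. The segment names, CIDRs, vendor names and timeouts are constructed for the demo; a real deployment pushes these decisions into firewall rules or switch ACLs rather than evaluating them in Python.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed store layout (not from the whitepaper): one segment per in-store
# system and one landing segment per vendor, so a grant can name exactly one pair.
DEMO_SEGMENTS = {
    "cardholder":  "10.10.1.0/24",    # POS / cardholder data environment
    "atg":         "10.10.2.0/24",    # automated tank gauge
    "hvac":        "10.10.3.0/24",    # building controls
    "vendor_pos":  "172.16.10.0/24",  # where the POS vendor's remote session lands
    "vendor_hvac": "172.16.30.0/24",  # where the HVAC vendor's remote session lands
}


@dataclass
class AccessGrant:
    """A time-boxed permission for one vendor segment to reach one store segment."""
    vendor: str
    src_segment: str
    dst_segment: str
    granted_by: str
    granted_at: float
    max_lifetime: float  # hard cap in seconds: access ends when the job should be done
    idle_timeout: float  # seconds without traffic after which the session is dropped
    last_activity: float = field(init=False)

    def __post_init__(self) -> None:
        self.last_activity = self.granted_at

    def is_active(self, now: float) -> bool:
        return (now - self.granted_at <= self.max_lifetime
                and now - self.last_activity <= self.idle_timeout)


class StorePolicy:
    """Default-deny between segments; cross-segment vendor traffic only under an
    active grant. This models the decision logic a firewall would enforce."""

    def __init__(self, segments: Dict[str, str]):
        self.segments = {name: ipaddress.ip_network(cidr) for name, cidr in segments.items()}
        self.grants: List[AccessGrant] = []
        self.log: List[str] = []  # every grant, allow, deny and expiry is recorded

    def segment_of(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        return next((name for name, net in self.segments.items() if addr in net), None)

    def grant(self, vendor: str, src_segment: str, dst_segment: str, admin: str,
              now: float, max_lifetime: float = 3600.0, idle_timeout: float = 900.0) -> AccessGrant:
        """An administrator explicitly opens one path for a bounded time."""
        if src_segment not in self.segments or dst_segment not in self.segments:
            raise ValueError("unknown segment")
        g = AccessGrant(vendor, src_segment, dst_segment, admin, now, max_lifetime, idle_timeout)
        self.grants.append(g)
        self.log.append(f"{now:.0f} GRANT {vendor} {src_segment}->{dst_segment} by {admin} "
                        f"(max {max_lifetime:.0f}s, idle {idle_timeout:.0f}s)")
        return g

    def permit(self, src_ip: str, dst_ip: str, now: float) -> bool:
        """Decide one flow. Allowed traffic refreshes the grant's idle timer."""
        src, dst = self.segment_of(src_ip), self.segment_of(dst_ip)
        if src is None or dst is None:
            self.log.append(f"{now:.0f} DENY {src_ip}->{dst_ip} (address outside known segments)")
            return False
        if src == dst:
            return True  # intra-segment traffic is not what segmentation controls
        matching = [g for g in self.grants if g.src_segment == src and g.dst_segment == dst]
        active = [g for g in matching if g.is_active(now)]
        if active:
            active[0].last_activity = now
            self.log.append(f"{now:.0f} ALLOW {active[0].vendor} {src_ip}->{dst_ip}")
            return True
        reason = "grant expired" if matching else f"no grant {src}->{dst}"
        self.log.append(f"{now:.0f} DENY {src_ip}->{dst_ip} ({reason})")
        return False

    def sweep(self, now: float) -> List[AccessGrant]:
        """Remove grants that have timed out and return them (run this on a schedule)."""
        expired = [g for g in self.grants if not g.is_active(now)]
        self.grants = [g for g in self.grants if g.is_active(now)]
        for g in expired:
            self.log.append(f"{now:.0f} EXPIRE {g.vendor} {g.src_segment}->{g.dst_segment}")
        return expired


def build_demo_policy() -> StorePolicy:
    return StorePolicy(DEMO_SEGMENTS)


if __name__ == "__main__":
    policy = build_demo_policy()
    policy.grant("POS vendor", "vendor_pos", "cardholder", admin="store-admin", now=0)
    print(policy.permit("172.16.10.7", "10.10.1.10", now=100))   # True: active grant
    print(policy.permit("172.16.10.7", "10.10.2.5", now=100))    # False: ATG not in the grant
    print(policy.permit("172.16.10.7", "10.10.1.10", now=1100))  # False: idle for 1000 s
    print("\n".join(policy.log))
```

Two details carry the security value: a grant names one source and one destination segment, so the POS vendor's session never reaches the ATG or HVAC segments even while it is open, and a store host in another segment cannot reach the cardholder segment at all because no grant mechanism exists for it. The log gives the auditor the "who opened what, when, and when it closed" record that a standing VPN never produces.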

The Acumera AirGap Architecture

The more isolated a network is, the more secure it is. On the other hand, the more isolated a network, the less useful the data and Things connected to it. In practice, a completely air-gapped solution is impractical, so Acumera developed a highly secure system for providing access to data while virtually eliminating persistent access. The Acumera AirGap Architecture provides the benefits of an isolated network while getting vendors and service providers the data and access they need to help you run your business.

[Diagram: Acumera AirGap Architecture. Labels: PDI, WEX, Telapoint, Intellifuel, POS, MG, 'Things', Stores, Internet]

Acumera AirGap Architecture: How It Works

The Acumera AirGap Architecture enables in-store devices to communicate and share data with analysts, operations professionals and third-party service providers, without giving third parties access to the store's network. Instead, valuable information from devices, such as automatic tank gauges, is collected and sent to a secure location in the cloud, where it can then be picked up, used and stored by the vendor. Unlike the traditional model, the Acumera AirGap Architecture does not create a linear, persistent connection between in-store devices and third parties, keeping the store network and sensitive customer information (such as cardholder data) isolated from potential breaches.

This highly secure design reduces the scope of requirements for PCI compliance and mitigates the threat of C-stores falling victim to the types of breaches that are affecting major retail chains today. Convenience stores can give vendors access to the data they need and reap the benefits of being connected to the Internet of Things, without sacrificing network security and customer information.

The Acumera AirGap Architecture Minimizes Persistent Connections

Acumera uses the AirGap architecture for our own management systems. Acumera has no persistent access to the Acumera Merchant Gateways (MGs) at our customer sites, inverting the typical network monitoring model for enhanced security and reliability. Frequently, network monitoring tools use SNMP, ping, or some other tool to centrally check remote network device status, which creates network traffic and potential vulnerabilities. So, Acumera flips the flow of site data so that the site initiates contact. The Acumera MG frequently checks the status of connected site systems and pushes site status

to secure cloud storage. The site status and enterprise reports can be displayed in a browser without any direct connection to the site. Only when Acumera's network operations group needs to check an Acumera MG or upgrade MG firmware does Acumera make a direct, limited-time connection to the Acumera MG. The access and changes are logged in a PCI compliant fashion, and access is terminated when the support or upgrade is complete.

Acumera's Apps for Your Network services and Acumera management tools can help satisfy PCI DSS controls 12.3.8 and 12.3.9 with respect to minimizing persistent connections:

12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity

12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use

When it is absolutely necessary to allow vendors direct access to store networks, such as when a POS vendor needs to access a POS to provide updates or support, Acumera Apps for Your Network services and Acumera management tools have controls that require administrators to actively grant access. To reduce and minimize the vulnerability, access is automatically cut off after a specific time period and must be re-granted.

[Sidebar: Secure Networks; AcuVigil Dashboard: Visibility and Management; Merchant Gateway: Reliable Operational Data; Apps for Your Network Services]

Summary

From maintaining PCI compliance to keeping up with best practices, such as segmentation, penetration testing and security policies and procedures, there's a lot to consider when it comes to network security. It is important not to overlook the role that vendors and service providers play in your security equation. Protect your business by avoiding the use of persistent connections and isolating your network from vendor access. In the end, you will not only preserve your reputation, you will keep your customers' data out of harm's way.
About Acumera

Founded in 2002, Acumera provides Trusted Connection Services to multisite merchants, specializing in the reduction of headaches caused by network management and security issues. Customers are free to focus on running their businesses because Acumera actively manages their networks and provides unparalleled visibility and remote management capability. Acumera gets customers' stores, network clients and devices securely connected and keeps them connected. In addition to network status, merchants have real-time insight into key operational measures, such as fuel inventory levels and environmental and food safety temperatures. As a result, Acumera customers say they love their network.

Further Reading
- www.krebsonsecurity.com
- 2015 Verizon Data Breach Investigations Report
- Payment Card Industry Data Security Standard (Version 3.0)
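The inverted monitoring model described above, in which the site initiates contact and pushes its status to cloud storage instead of being polled, is sketched below as an added Python example; it is not Acumera's MG or AcuVigil code. Site identifiers, keys and status fields are constructed for the demo, and the HMAC signature, freshness window and replay check are this example's choices. What it adds to the text is the operational caveat of the push model: once nothing polls the site, an outage or a silenced gateway shows up only as missing reports, so the collector has to treat silence as an alert, and it has to verify each report's origin and freshness before anyone trusts the dashboard built from it.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple


def build_status_message(site_id: str, site_key: bytes, status: dict, sent_at: int) -> dict:
    """Site side: the gateway signs its own status report and pushes it out.
    Nothing at the site listens for inbound polls."""
    body = {"site_id": site_id, "sent_at": sent_at, "status": status}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    signature = hmac.new(site_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": signature}


class StatusCollector:
    """Cloud side: accept only reports that are authentic, fresh and not replayed,
    and flag sites that go quiet (an outage shows up as silence, not as a failed poll)."""

    def __init__(self, site_keys: Dict[str, bytes], max_skew: int = 300):
        self.site_keys = site_keys      # one shared key per site, provisioned out of band
        self.max_skew = max_skew        # tolerated gap between sent_at and arrival, seconds
        self.last_report: Dict[str, Tuple[int, dict]] = {}
        self.rejected: List[str] = []   # audit trail of discarded messages

    def ingest(self, message: dict, received_at: int) -> bool:
        payload = message.get("payload", "")
        try:
            body = json.loads(payload)
        except ValueError:
            body = None
        if not isinstance(body, dict):
            self.rejected.append("malformed payload")
            return False
        site_id = body.get("site_id")
        key = self.site_keys.get(site_id)
        if key is None:
            self.rejected.append(f"unknown site {site_id!r}")
            return False
        expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(message.get("sig", ""))):
            self.rejected.append(f"{site_id}: bad signature")
            return False
        sent_at = body.get("sent_at")
        if not isinstance(sent_at, int) or abs(received_at - sent_at) > self.max_skew:
            self.rejected.append(f"{site_id}: stale or future timestamp")
            return False
        previous = self.last_report.get(site_id)
        if previous is not None and sent_at <= previous[0]:
            self.rejected.append(f"{site_id}: replayed report")
            return False
        self.last_report[site_id] = (sent_at, body.get("status", {}))
        return True

    def latest_status(self, site_id: str) -> Optional[dict]:
        report = self.last_report.get(site_id)
        return report[1] if report else None

    def silent_sites(self, now: int, max_silence: int = 600) -> List[str]:
        """Sites with no accepted report within `max_silence` seconds (or ever)."""
        silent = []
        for site_id in self.site_keys:
            report = self.last_report.get(site_id)
            if report is None or now - report[0] > max_silence:
                silent.append(site_id)
        return sorted(silent)


if __name__ == "__main__":
    keys = {"store-0042": b"constructed-demo-key-42", "store-0043": b"constructed-demo-key-43"}
    collector = StatusCollector(keys)
    report = build_status_message("store-0042", keys["store-0042"],
                                  {"atg": "ok", "pos": "ok"}, sent_at=1000)
    print(collector.ingest(report, received_at=1005))  # True
    print(collector.ingest(report, received_at=1010))  # False: replayed report
    print(collector.silent_sites(now=1300))            # ['store-0043']
    print(collector.rejected)
```

The per-site key means a compromised vendor or a forged "all systems ok" report from elsewhere on the Internet is rejected rather than displayed; the timestamp and monotonic `sent_at` checks stop an old healthy report from being replayed to mask a later problem. `silent_sites` is the alarm the push model needs in place of a failed ping.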

Critical Services for Convenience Stores
- Broadband Qualification, Provisioning & Support
- Secure Network Development & Management
- Network/Device Monitoring & Alert Messaging
- Apps for C-store Operations (ATG, Temperature Monitoring, etc.)
- Virtual Private Network Management
- PCI Tools & Support

Whitepapers Available from Acumera
- Improving C-Store Operations with Network Automation
- A New Era of Security in Convenience Stores
- Advantages and Benefits of Running PDI/Enterprise on an Acumera Managed Network
- Improving Store Support and Revenue with Proactive Support Methodology
- Business Considerations for Leveraging Wi-Fi at C-Stores
- Technical Considerations for Implementing Wi-Fi in C-Stores
- Getting Your C-Store Connected
- Improving Network Uptime

PCI-DSS Compliance Support

Our goal is to reduce the headaches our customers experience maintaining their Payment Card Industry Data Security Standard (PCI DSS) compliance. To that end, we are constantly improving our systems and services to provide the most secure networks and to support our customers' compliance audits. Acumera is a fully PCI compliant service provider, which means we have taken the steps to complete our own PCI compliance assessment and obtain an annual Report on Compliance (ROC). Acumera is fully compliant with ALL applicable requirements and controls. Uniquely, we won't promote that our compliance will ensure our customers' compliance, because it can't. There is no third-party service that completely removes merchant responsibility for PCI DSS compliance.

Contacts
Tom Yemington, Vice President of Sales and Marketing, 512.658.2532, thomas.yemington@acumera.net
Nick Franco, Senior Director of Sales, (512) 687-7412, nick.franco@acumera.net
Dennis Jensen, Senior Director of Sales, (952) 368-0018, dennis.jensen@acumera.net