An audit sets the baseline. The next steps help prevent, detect, and respond.

It is rare for a few days to pass without news of a security breach affecting credit card information. Research for the paper that VIMRO just published about the Dark Net(1) yielded numerous sites on the Dark Market dedicated to selling stolen credit card information. Trade in stolen credit card data is booming! Time is not on our side!

Don't be surprised that recent breaches include even organizations that have passed PCI DSS audits by a PCI Qualified Security Assessor (QSA). It is a sobering reminder that, while the PCI assessment is an essential component of your cyber security risk management program, it cannot be the only component.

VIMRO is a PCI QSA.(2) This paper outlines VIMRO's observations during security assessments and provides recommendations for being both PCI-compliant and secure.

According to the Verizon 2015 Data Breach Investigations Report(3), 96% of breaches related to credit card theft fall into nine basic patterns (illustrated in Figure 1). The key takeaway is that, with proper controls in place, these common patterns should fail. Consider also that the PCI standard has 12 requirement categories and, according to the Verizon report, just over half of companies fully meet only seven of those requirements, and only about 11% of companies meet all 12 (as depicted in Figure 2). VIMRO's goal is to help you meet all 12.

1 - https://www.vimro.com/wp-content/uploads/2015/09/darknet-devil-in-the-details-vimro-150925.pdf
2 - https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php
3 - Verizon 2015 Data Breach Investigations Report: http://www.verizonenterprise.com/dbir/2015/

VIMRO, 12100 Sunrise Valley Dr., Suite 290-1, Reston, VA 20191
Can you state that you have controls in place to reduce the risks from the top challenges?

VIMRO has identified ten major challenges facing our clients on a regular basis. Read them, and ask yourself: "Can I confidently declare that my company has put in place the controls to reduce the risks that arise from the following challenges?"

1. Patches are missing for both operating systems and applications.
2. Logs and audit trails do not capture the data necessary to conduct forensics to identify and respond to a breach.
3. Developed applications are deployed to production with weaknesses in code (SQL injection, XSS, etc.).
4. Users are not trained properly and regularly to protect passwords and reduce the risk of being socially engineered.
5. Systems are deployed to (or changed in) production without being validated for secure configurations (weak configuration and change management controls).
6. Anti-malware is missing or not up to date.
7. Sensitive data is not encrypted in transit (email, FTP, etc.) or at rest (on local drives, portable media, etc.).
8. Networks are not segmented; that is, cardholder data is present in non-cardholder-data environments.
9. Data is not monitored to detect sensitive data loss (data exfiltration).
10. There is no trained staff, or insufficient trained staff, devoted to maintaining security controls and keeping up with recent PCI DSS standards.

Authored by VIMRO's Cybersecurity Leaders
Companies that can answer yes to the above question share similar traits:

1. They each have a strong information security risk management program. Refer to VIMRO's Cyber Enabling Methodology described in our Dark Net paper.(1)
2. They keep up with the latest PCI DSS requirements. If you consider the breaches that occurred in the last 12 to 18 months, you will notice a correlation between the types of breaches reported in the media and the updates to the PCI DSS standard. For example, many of the new additions in Version 3 of the PCI DSS address change management, service provider management, and secure application development practices.
3. They separate the cardholder data environment from all other environments, thus limiting the scope of where cardholder data is stored, processed, or transmitted. This practice creates a smaller attack surface, making it at once more difficult for the attacker and more manageable for the information security team.
4. They have instituted automated controls that monitor activity on data and distinguish normal behavior from what may be a compromise (such as a user logged in at 3:00 a.m. transmitting cardholder data to a server on the Internet). Some examples of automated controls are:
   a) Patching for both OS and applications
   b) Log collection and correlation systems (SIEMs and threat intelligence)
   c) Change and configuration monitoring controls
   d) Data loss / exfiltration prevention controls
   e) Anti-malware and intrusion prevention controls on both host systems and the cardholder data environment network perimeters
   f) Critical system File Integrity Monitoring (FIM) controls
5. They incorporate vulnerability assessments and penetration tests:
   a) as systems and applications are tested before production release
   b) as part of change management
   c) regularly throughout each system's and application's lifecycle
6. They implement multi-factor authentication controls. Weak or stolen credentials are among the leading causes of breaches. With multi-factor controls, shared accounts or accounts stolen via social engineering attacks pose significantly less risk, because the user must also possess something (a second factor) in order to gain access.
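The 3:00 a.m. scenario in item 4 above, together with the exfiltration monitoring in item 4d, can be expressed as a small correlation rule. The Python script below is an added illustration for this paper and is not VIMRO's code or any product's detection logic. It parses a few constructed key=value events, correlates each outbound transfer with the user's most recent login, and raises an alert when the session began inside an assumed 22:00 to 06:00 off-hours window, the destination is not an RFC 1918 address, and the payload sample contains Luhn-valid card numbers (the well-known test PANs 4111... and 5500... stand in for real data). The log format, field names, time window, address plan and severity levels are all assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, time

# Constructed sample events for this example (not real logs). The
# "timestamp key=value ..." shape is assumed; a SIEM would normalise real
# auth, proxy or netflow records into something similar.
SAMPLE_EVENTS = """\
2015-10-02T14:05:11 user=jdoe action=login src=10.1.4.22
2015-10-02T14:07:40 user=jdoe action=transfer dst=10.1.9.5 bytes=20480 sample="order 4111111111111111 ok"
2015-10-03T03:02:09 user=svc_batch action=login src=10.1.4.90
2015-10-03T03:04:51 user=svc_batch action=transfer dst=203.0.113.7 bytes=5242880 sample="4111111111111111,5500000000000004"
2015-10-03T03:10:00 user=ops action=login src=10.1.4.91
2015-10-03T03:11:00 user=ops action=transfer dst=198.51.100.9 bytes=1024 sample="backup-manifest 1234567890123456"
"""

# Assumed policy: sessions that begin between 22:00 and 06:00 are "off hours".
OFF_HOURS_START = time(22, 0)
OFF_HOURS_END = time(6, 0)

# "Internal" is assumed to mean RFC 1918 space plus loopback; anything else
# is treated as the Internet. Adjust to the organisation's real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits):
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid card-number-like strings found in text."""
    pans = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_off_hours(ts):
    t = ts.time()
    return t >= OFF_HOURS_START or t < OFF_HOURS_END


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")}
    for key, quoted, bare in KV_RE.findall(m.group("kv")):
        ev[key] = quoted if quoted else bare
    return ev


def detect(log_text):
    """Correlate each transfer with the user's last login and return alerts."""
    alerts = []
    last_login = {}                      # user -> timestamp of most recent login
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev.get("action") not in ("login", "transfer"):
            continue
        if ev["action"] == "login":
            last_login[ev["user"]] = ev["ts"]
            continue
        login_ts = last_login.get(ev["user"])
        off_hours = login_ts is not None and is_off_hours(login_ts)
        external = not is_internal(ev["dst"])
        pans = find_pans(ev.get("sample", ""))
        if external and pans:
            severity = "high" if off_hours else "medium"   # cardholder data leaving the network
        elif external and off_hours:
            severity = "low"                               # unusual timing, no PAN observed
        else:
            continue                                       # internal, or in-hours with no PAN
        alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"], "dst": ev["dst"],
                       "severity": severity, "pans": len(pans), "off_hours": off_hours})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the script produces two alerts: a high-severity one for svc_batch (off-hours session, two valid PANs sent to 203.0.113.7) and a low-severity one for ops (off-hours external transfer with no valid PAN; 1234567890123456 fails the Luhn check). The daytime transfer by jdoe stays inside 10.0.0.0/8 and is not flagged, which is why segmentation (trait 3) matters: the same rule is only meaningful if internal destinations outside the cardholder data environment are also enumerated and treated as external.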
The security methodology empowers you to consistently obtain the best ROI.

It's important both to be PCI-compliant and secure, and to identify possible gaps in your security controls. VIMRO has two primary roles in working with our clients:

1. Our first goal is to become a part of your team as we implement and maintain our Cyber Security Enabling Methodology (Addendum A). This methodology begins with identifying areas for improvement in people, processes, and technology in order to prevent, detect, and respond to breaches, and to maintain compliance. This keeps your other team members focused on their primary job duties.
2. As a PCI Qualified Security Assessor, VIMRO's second goal is to conduct your annual PCI assessment, which includes:
   a) Validating the scope of the assessment
   b) Conducting PCI Data Security Standard assessments according to the PCI Security Standards Council's requirements(4)
   c) Producing a formal Report on Compliance(5)

Contact VIMRO for a consultation to discuss any questions or concerns about your PCI compliance and cyber security initiatives.

4 - https://www.pcisecuritystandards.org/security_standards/documents.php?category=supporting&document=pci_dss_saq_navigating_dss#pci_dss_saq_navigating_dss
5 - https://www.pcisecuritystandards.org/documents/pci_dss_v3_1_roc_reporting_template.pdf
Addendum A

A Holistic Cyber Security Enabling Methodology: Align Business with Sound Cyber Security
The financial and operational benefits of holistic, customized cyber security solutions.

VIMRO's Cyber Security Enabling Methodology

In order to avoid exposing your company, its clients, and your employees (not to mention yourself!) to cybercrime, it is vital to invest in a good cyber security program. VIMRO's approach to an effective cyber security program involves a holistic security methodology. Our methodology maximizes value and effectiveness because we have combined the most efficient tactics, including frameworks, best practice guides, and work papers from reputable security organizations such as NIST, ISO (27001/27002), and MITRE. Combining vetted, complementary frameworks yields a program that is effective yet efficient: dynamic enough to anticipate new risks, yet iterative enough to become familiar.

Equally important, a holistic methodology prevents oversights within your program. For example, while a cyber security framework alone equips you with the controls you must implement and manage, it leaves you without the metrics you need to validate those controls and the overall success of your cyber security program.

A successful methodology is dynamic, adapting to ever-changing threats, and that can only happen if you treat it as an evolving process. For any methodology to work, you must adopt it in a controlled, systematic manner. Implementing a cyber security program too quickly or without adequate resources reduces its effectiveness and demotivates the team members involved.
The following is an overview of a VIMRO cyber security system:

The foundation of our security system first aligns your organization's business needs with your IT security, allowing you to focus on the critical business applications, systems, and processes that need strong security controls. For example, when you implement a new application, include a security representative in the development of the budget and project plan. This is how you ensure that time and resources are allocated for security controls throughout the project, and for support throughout the new application's lifecycle. If you overlook security requirements in the beginning stages of a project, the application and associated systems may require rework for failure to meet your company's approved security standards. And rework, delays, or budget overruns invariably reduce your new application's ROI. (See VIMRO's paper: Omitting Static Code Security Analysis Can Cost You. BIG!)

The second layer of our foundation is implementing a security framework. Many of VIMRO's clients have adopted either the NIST Cybersecurity Framework(1) or ISO 27001/ISO 27002(2). Along with the framework, organizations have adopted a cyber security Capability Maturity Model (CMM) that involves a strategy to optimize critical security controls, mechanisms, and processes (Level 5 in the CMM).
The cyber security CMM includes:

o Level 1, Initial: Processes are unpredictable, poorly controlled, and reactive
o Level 2, Managed: Processes are characterized for projects and are still often reactive
o Level 3, Defined: Processes are characterized for the organization and are proactive, taking their procedures from the organization's standards
o Level 4, Quantitatively Managed: Processes are measured and controlled
o Level 5, Optimizing: Focuses on continuous process improvement

To manage performance leading toward the optimal level (Level 5) in the security CMM, we recommend Key Performance Indicator (KPI) metrics. Many clients start with the MITRE Cyber Resiliency Metrics(3).

VIMRO policies, standards, and procedures include all of the verbiage necessary to raise your organization to the upper levels of the cyber security CMM. These are critical to success: without them, your organization will not surpass Level 2 in the security CMM. After writing your security policies, standards, and procedures, we implement technological mechanisms (IPS, DLP, SIEM, and so forth) to support your cyber security program, and train workforce members to apply the requirements of the formal documents to their daily practices.

VIMRO's risk management program includes continuous evaluation of your technological mechanisms and processes to validate them and to find areas that need improvement, so that your company always maintains optimized security controls.
The holistic approach arms your organization to prevent, detect, and respond to cybercriminal attacks.

All layers of our Cyber Security Enabling Methodology are equally critical and require your steady dedication. Systematic attention to each layer of the process yields a solid foundation today that is also dynamic enough to safeguard you going forward. VIMRO's holistic approach arms your organization to prevent, detect, and respond to cybercriminal attacks that threaten your business, clients, employees, or sensitive data.

Contact VIMRO to learn more about our approach and how we can help you build and maintain an Optimized Cybersecurity Risk Management Program.