Time Is Not On Our Side!


Restricting, Authenticating, Tracking User Access? An audit sets the baseline. The next steps help prevent, detect, and respond.

It is rare for a few days to pass without news of a security breach affecting credit card information. Research for the paper that VIMRO just published about the Dark Net(1) yielded numerous sites on the Dark Market dedicated to selling stolen credit card information. Trade in stolen credit card data is booming! Time Is Not On Our Side!

Don't be surprised that recent breaches include even organizations that have passed PCI DSS audits by a PCI Qualified Security Assessor (QSA). It is a sobering reminder that, while the PCI assessment is an essential component in your cyber security risk management program, it cannot be the only component. VIMRO is a PCI QSA(2). This paper outlines VIMRO's observations during security assessments, and provides recommendations for being both PCI-compliant and secure.

96% of breaches related to credit card theft fall into Nine Basic Patterns, as relayed in the Verizon 2015 Data Breach Investigations Report(3) (illustrated in Figure 1). The key takeaway is that with proper controls, these common patterns should fail. Consider also that the PCI standard has 12 requirement categories and, according to the Verizon report, just over half of companies can fully meet only seven of the requirements. Furthermore, only about 11% of companies meet all 12 requirements (as depicted in Figure 2). VIMRO's goal is to help you meet all 12.

1 - https://www.vimro.com/wp-content/uploads/2015/09/darknet-devil-in-the-details-vimro-150925.pdf
2 - https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php
3 - Verizon 2015 Data Breach Investigations Report: http://www.verizonenterprise.com/dbir/2015/

12100 Sunrise Valley Dr. Suite 290-1 Reston, VA 20191

Can you state that you have controls in place to reduce the risks from the top challenges?

VIMRO has identified ten major challenges facing our clients on a regular basis. Read them, and ask yourself: Can I confidently declare that my company has put in place the controls to reduce the risks that arise from the following challenges?

1. Patches are missing for both operating systems and applications.
2. Logs and audit trails do not capture the data necessary to conduct forensics to identify and respond to a breach.
3. Developed applications are implemented into production with weaknesses in code (SQL injection, XSS, etc.).
4. Users are not trained properly and regularly to protect passwords and reduce the risk of being socially engineered.
5. Systems are implemented into (or changed in) production without being validated for secure configurations (weak configuration and change management controls).
6. Anti-malware is missing or not up to date.
7. Sensitive data is not encrypted in transit (email, FTP, etc.) or at rest (on local drives, portable media, etc.).
8. Networks are not segmented; that is, cardholder data is in non-cardholder-data environments.
9. Data is not monitored to detect sensitive data loss (data exfiltration).
10. There is no trained staff, or insufficient trained staff, devoted to maintaining security controls and keeping up with recent PCI DSS standards.

Authored by VIMRO's Cybersecurity Leaders

Companies that can answer yes to the above questions share similar traits:

1. They each have a strong information security risk management program. Refer to VIMRO's Cyber Enabling Methodology described in our Dark Net paper.(1)
2. They keep up with the latest PCI DSS requirements. If you consider the breaches that occurred in the last 12 to 18 months, you will notice a correlation between the types of breaches reported in the media and the updates to the PCI DSS standards. For example, many of the new additions in Version 3 of the PCI DSS address change management, service provider management, and secure application development practices.
3. They separate the cardholder environment from all other environments, thus limiting the scope of where cardholder data is stored, processed, or transmitted. This practice creates a smaller attack surface, making it at once more difficult for the attacker and more manageable for the information security team.
4. They have instituted automated controls that monitor activity on data and distinguish normal behavior from what may be a compromise (such as the instance of a user logged in at 3:00 a.m., transmitting cardholder data to a server on the Internet). Some examples of automated controls are:
   a) Patching for both OS and applications
   b) Log collection and correlation systems (SIEMs and Threat Intelligence)
   c) Change and configuration monitoring controls
   d) Data loss / exfiltration prevention controls
   e) Anti-malware and intrusion prevention controls on both host systems and the cardholder data environment network perimeters
   f) Critical system File Integrity Monitoring (FIM) controls
5. They incorporate vulnerability assessments and penetration tests:
   a) as systems and applications are tested before production release
   b) as part of change management
   c) regularly through each system's and application's lifecycle
6. They implement multi-factor controls. Weak credentials are the main reason for breaches. With multi-factor controls, shared accounts or accounts stolen via social engineering attacks pose significantly less risk because the user must possess something in order to gain access.
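The automated control described in trait 4, a rule that distinguishes normal data movement from the "user logged in at 3:00 a.m. sending cardholder data to the Internet" pattern, can be expressed as a small correlation rule over transfer logs. The following Python script is an added illustration and is not VIMRO tooling or code from the paper; the log format, the sample log lines, the internal address ranges and the business-hours window are all constructed assumptions. It flags a transfer when a Luhn-valid primary account number (PAN) appears in the payload and the destination is outside the internal network, and raises the severity when the transfer also happens outside business hours.

```python
"""Toy SIEM-style correlation rule for cardholder-data exfiltration.

Added example, not VIMRO's code. The log format, sample lines, internal
network ranges and business-hours policy below are assumptions made for
this illustration.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Assumed policy: 08:00-18:59 UTC is normal working time.
BUSINESS_HOURS = range(8, 19)

# Assumed internal address space; anything else is treated as "the Internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log lines (timestamp, then key=value fields).
SAMPLE_LOG = [
    '2015-09-25T03:12:44Z user=jdoe src=10.20.30.41 dst=203.0.113.9 bytes=52000 '
    'payload="order 4111111111111111 exp 12/17"',
    '2015-09-25T10:30:02Z user=asmith src=10.20.30.7 dst=10.50.1.12 bytes=1200 '
    'payload="4111111111111111"',
    '2015-09-25T02:55:10Z user=svc-backup src=10.20.30.9 dst=203.0.113.20 bytes=900000 '
    'payload="nightly backup blob 1234567890123"',
    '2015-09-25T14:05:33Z user=bjones src=10.20.30.15 dst=198.51.100.77 bytes=30000 '
    'payload="5555-5555-5555-4444"',
]


def luhn_ok(digits):
    """Luhn checksum; separates real-looking PANs from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the normalised (digits-only) Luhn-valid PANs found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def is_external(ip):
    """True when the address is outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one constructed log line into a dict with a UTC datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect(lines):
    """Alert on PAN leaving the internal network; off-hours raises severity to high."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        pans = find_pans(rec.get("payload", ""))
        if not pans or not is_external(rec["dst"]):
            continue  # no cardholder data, or it stayed inside the network
        off_hours = rec["ts"].hour not in BUSINESS_HOURS
        reasons = [f"{len(pans)} PAN in payload", f"external destination {rec['dst']}"]
        if off_hours:
            reasons.append(f"off-hours activity at {rec['ts'].strftime('%H:%M')} UTC")
        alerts.append({"user": rec["user"], "dst": rec["dst"],
                       "severity": "high" if off_hours else "medium",
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["user"], "->", alert["dst"], "; ".join(alert["reasons"]))
```

Run against the constructed sample, the rule raises a high-severity alert for jdoe (PAN to an external host at 03:12) and a medium one for bjones (PAN to an external host during working hours), while the backup job is ignored because its digit run fails the Luhn check and asmith's transfer is ignored because it stays inside the internal network. In production the same three signals would come from a SIEM or DLP product rather than a regex over a flat file, but the correlation logic is the same.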

The security methodology empowers you to consistently obtain the best ROI.

It's important to be both PCI-compliant and secure, and to identify possible gaps in your security controls. VIMRO has two primary roles in working with our clients:

1. Our first goal is to become a part of your team as we implement and maintain our Cyber Security Enabling Methodology (Addendum A). This methodology begins with identifying areas for improvement for people, processes, and technology in order to prevent, detect and respond to breaches, and maintain compliance. This keeps your other team members focused on their primary job duties.
2. As a PCI Qualified Security Assessor, VIMRO's second goal is to conduct your annual PCI assessment, which includes:
   a) Validating the scope of the assessment
   b) Conducting PCI Data Security Standard assessments according to the PCI Security Standards Council's requirements(4)
   c) Producing a formal Report on Compliance(5)

Contact VIMRO for a consultation to discuss any questions or concerns about your PCI compliance and cyber security initiatives.

4 - https://www.pcisecuritystandards.org/security_standards/documents.php?category=supporting&document=pci_dss_saq_navigating_dss#pci_dss_saq_navigating_dss
5 - https://www.pcisecuritystandards.org/documents/pci_dss_v3_1_roc_reporting_template.pdf

Addendum A

A Holistic Cyber Security Enabling Methodology: Align Business with Sound Cyber Security

The financial and operational benefits of holistic customized cyber security solutions.

VIMRO's Cyber Security Enabling Methodology

In order to avoid exposing your company, its clients, your employees (not to mention yourself!) to cybercrime, it is vital to invest in a good cyber security program. VIMRO's approach to an effective cyber security program involves a holistic security methodology. Our methodology maximizes value and effectiveness because we have combined the most efficient tactics to include frameworks, best practice guides, and work papers from reputable security organizations such as NIST, ISO 27001/27002 and MITRE. Combining vetted complementary frameworks yields a program that is effective and yet efficient; a program dynamic enough to anticipate new risks, yet iterative enough to become familiar.

Equally important, a holistic methodology prevents oversights within your program. For example, while a cyber security framework alone equips you with the controls you must implement and manage, it leaves you without the metrics you need to validate those controls and the overall success of your cyber security system. A successful methodology is dynamic, adapting to ever-changing threats; and that can only happen if you treat it as an evolving process.

For any methodology to work, you must adopt it in a controlled, systematic manner. Implementing a cyber security program too quickly or without adequate resources reduces its effectiveness and demotivates the team members involved.

The following is an overview of a VIMRO cyber security system:

The foundation of our security system first aligns your organization's business needs with your IT security, allowing you to focus on the critical business applications, systems, and processes that need strong security controls. For example, when you implement a new application, include a security representative in the development of the budget and project plan. This is how you ensure that time and resources are allocated for security controls throughout the project, and for support throughout the new application's lifecycle. If you overlook security requirements in the beginning stages of a project, the application and associated systems may require rework for failure to meet your company's approved security standards. And rework, delays, or budget excesses invariably reduce your new application's ROI. (See VIMRO's paper: Omitting Static Code Security Analysis Can Cost You. BIG!)

The second layer of our foundation includes implementing a security framework. Many of VIMRO's clients have adopted either the NIST Cybersecurity Framework(1) or ISO27001/ISO27002(2). Along with the framework, organizations have adopted a cyber security Capability Maturity Model (CMM) that involves a strategy to optimize critical security controls, mechanisms, and processes (Level 5 in the CMM). The cyber security CMM includes:

o Level 1 (Initial): Processes are unpredictable, poorly controlled, and reactive
o Level 2 (Managed): Processes are characterized for projects and are still often reactive
o Level 3 (Defined): Processes are characterized for the organization and are proactive, taking their procedures from the organization's standards
o Level 4 (Quantitatively Managed): Processes are measured and controlled
o Level 5 (Optimizing): Focuses on process improvement

To manage performance leading toward the optimal level (Level 5) in the security CMM, we recommend Key Performance Indicator (KPI) metrics. Many clients start with MITRE Cyber Resiliency Metrics(3).

VIMRO policies, standards, and procedures include all of the verbiage necessary to raise your organization to the upper levels of the cyber security CMM. These are critical to success. Without these, your organization will not even surpass Level 2 in the security CMM.

After writing your security policies, standards, and procedures, we implement technological mechanisms (these include IPS, DLP, SIEM, and so forth) to support your cyber security program, and train workforce members to apply the requirements of the formal documents to their practices.

VIMRO's risk management program includes continuous evaluation of your technological mechanisms and processes to validate them and find areas that need improvement, so that your company always maintains optimized security controls.

The holistic approach arms your organization to prevent, detect, and respond to cybercriminal attacks...

All layers of our Cyber Security Enabling Methodology are equally critical and require your steady dedication. Systematic attention to each level of the process yields a solid foundation today that is also dynamic enough to safeguard you going forward. VIMRO's holistic approach arms your organization to prevent, detect, and respond to cybercriminal attacks that threaten your business, clients, employees, or sensitive data.

Contact VIMRO to learn more details about our approach and how we can help you build and maintain an Optimized Cybersecurity Risk Management Program.