Is there “Life After End-of-Lifed” systems and applications?

By Steve Levinson on July 14, 2017 (Last Updated on July 18, 2017 )


In the course of performing hundreds of risk and PCI assessments, we occasionally come across a client who is running an obsolete version of a system, application, or device. Normally, when a system has reached “end-of-life,” it is no longer supported by its vendor. On the surface, this would appear to be a security risk and also a violation of PCI DSS requirement 6.1: “Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.” Organizations must determine the ideal strategy to address the risk associated with using obsolete systems/applications. Short of replacing/upgrading the offending system, there may be more creative means to offset this risk.

There is no one-size-fits-all solution, but here are some potential arrows for your risk-based-approach quiver:

  • Are there any compensating controls that would effectively eliminate the risk associated with not patching (since the system can no longer be patched)? These may include host-based intrusion prevention, application whitelisting, real-time monitoring of processes and critical files, etc.
  • Are there any third parties who provide extended support for the end-of-life product?
  • What risks are associated with the end-of-life product? Are there any publicly known vulnerabilities? If there are no known vulnerabilities associated with an end-of-life product, it may still be “reasonably secure” ... today. But unlike supported systems/applications, which will provide you with a ‘fix’ once a vulnerability is known, unsupported systems force you to walk the tightrope without a net. What is secure today may have a vulnerability tomorrow. Consider:
    • What can be done to monitor/search for recently disclosed vulnerabilities pertaining to the end-of-life platform? You will need to be extremely diligent in keeping an ear to the ground for vulnerabilities associated with that product/system/application, and have established processes in place to stay on top of this.
    • If possible, mitigate risk by segregating unpatchable systems from other critical systems through firewalls and access control lists (ACLs) that strictly control traffic.
    • Consider implementing host-based intrusion prevention (HIPS), in-line IPS, in-line proxies, or security gateways.
    • Understand which entities can access the system or application in question and lock access down to those that require it. Also consider beefing up access controls (such as multi-factor authentication) in general.
    • Lock down what the system can do, allowing only the processes needed to run the system and its security controls.
    • Monitor, monitor, monitor – in addition to file integrity monitoring (FIM), consider implementing controls that watch all running processes and prevent unauthorized ones, or at least alert your team to them. Also make sure that the system/application is effectively covered by your centralized monitoring systems.
    • Consider performing additional testing (a penetration test, for example) to demonstrate that the overall risk associated with a particular vulnerability/obsolete platform has been mitigated.
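As an added example (not from the original post or its author) of the process monitoring and lock-down controls listed above: a baseline of the executables permitted on an unpatchable host, each with the hash of its binary and the accounts it may run under, checked against a constructed process snapshot. The paths, hashes, accounts and the `Proc` collector record are all assumptions.

```python
import hashlib
from dataclasses import dataclass

# Baseline of executables allowed to run on the unsupported host, keyed by path,
# with the SHA-256 recorded when the baseline was taken and the accounts each
# may run as. Paths and hashes are constructed placeholders, not real values.
BASELINE = {
    "/opt/legacy/bin/posd": {"sha256": "a" * 64, "users": {"posd"}},
    "/usr/sbin/sshd":       {"sha256": "b" * 64, "users": {"root"}},
    "/usr/bin/fim-agent":   {"sha256": "c" * 64, "users": {"root"}},
}

@dataclass
class Proc:
    pid: int
    user: str
    exe: str      # resolved path of the running executable
    sha256: str   # hash of that file at snapshot time (see sha256_file)

def check_processes(snapshot):
    """Return (pid, reason) alerts for every process that violates the baseline."""
    alerts = []
    for p in snapshot:
        entry = BASELINE.get(p.exe)
        if entry is None:
            alerts.append((p.pid, f"unlisted executable {p.exe}"))
        elif p.sha256 != entry["sha256"]:
            alerts.append((p.pid, f"binary changed: {p.exe}"))
        elif p.user not in entry["users"]:
            alerts.append((p.pid, f"{p.exe} running as unexpected user {p.user}"))
    return alerts

def sha256_file(path, chunk=65536):
    """Hash a file on disk; a real collector would call this per process executable."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

# Constructed snapshot standing in for what a collector built on `ps` output
# plus sha256_file() would produce on the host.
SAMPLE_SNAPSHOT = [
    Proc(101, "posd", "/opt/legacy/bin/posd", "a" * 64),
    Proc(102, "root", "/usr/sbin/sshd", "b" * 64),
    Proc(103, "root", "/usr/bin/fim-agent", "ff" * 32),  # hash drifted from baseline
    Proc(104, "www", "/home/www/updater", "d" * 64),      # not on the allow list
    Proc(105, "www", "/opt/legacy/bin/posd", "a" * 64),   # right binary, wrong account
]

if __name__ == "__main__":
    for pid, reason in check_processes(SAMPLE_SNAPSHOT):
        print(f"ALERT pid={pid}: {reason}")
```

Feeding the alerts to the centralized monitoring system is what turns this from a local script into the compensating control the assessor will look for.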

If you do find yourself in a situation where part of your critical environment has reached its end-of-life and your organization may be in violation of PCI DSS requirement 6.1, do the legwork to understand the risk associated with the end-of-life system/application as well as the evolving threat landscape. It is possible to prolong the ‘afterlife’ of these systems/applications if you take a thorough, pragmatic, risk-based approach which, in turn, may dramatically reduce risk, alleviate headaches, and help save time and money. If you are unsure whether you are running the most current versions of a system, application, or device, feel free to contact me directly.
