Despite the significant changes introduced with PCI DSS v4.0, there are many bedrock requirements that did not change. This article serves to highlight an often neglected, but extremely important facet of network security.
Recently I was attending a PCI information security conference, and I reserved a seat for a session titled “Preventing Data Breaches: Insights from Real PFI Cases”. I caught a very “Mission Impossible” vibe and was giddy with excitement to learn about the crazy new techniques cyber-criminals are using to hack into corporate networks and steal valuable data. These were to be stories from the actual PCI Forensic Investigators who did the investigations!
Are they physically breaching the data center and installing WIFI access points?
Are they social engineering administrator credentials?
Are they hiring an “Inside man”?
Oh, the Hemsworth Blackhat possibilities that played through my mind!
To say I was let down by the lack of actual Hollywood-style escapades is an understatement.
After the introductions, we were presented with a rather ordinary screen showing a rather ordinary pie chart offering a breakdown of the breach statistics. The climax of the presentation was that the vast majority of breaches share a disappointingly ordinary cause. To my momentary disappointment, cybercriminals aren’t innovating or traveling Neo-style through the Matrix to bring big business to its knees. They aren’t regularly stealing thumbs or dropping into server rooms on a tether between security beams.
It turns out that it is simply a lack of patching that let hackers into 50% of the breached corporate networks.
This is not to say that we should not continue to appreciate and remain vigilant against the concerns brought to light by the “Mission Impossible” scenarios; all the scenarios I listed above have happened, but they are far from the cause of most of the financial loss that weaknesses in cyber security incur. It does bring an important fact to light: even though criminals ARE getting more sophisticated and capable, we must never forget the importance of the basics when it comes to network security.
Absolutely, encryption, network segmentation, physical security, and IPS are all essential components of your robust defense-in-depth; but if your software AND hardware are not getting patched regularly, you are overlooking your highest-risk and easiest-to-fix vulnerability.
A bored middle schooler with access to a computer doesn’t even have to leave the school library to access open-source step-by-step procedures outlining exactly how to use these known vulnerabilities to penetrate your network. And Netflix told them this is what the cool kids are doing these days.
Currently, Akamai tracks and reports 110 million global attacks daily. That’s an astronomical number that statistically should rule out the “it won’t happen to me” mentality. Check your firewall logs; there is a high probability you have been scanned in the last 24 hours. These network scans are done to root out vulnerable systems or services on a targeted network in an attempt to discover potential attack vectors. And, as discussed, the most common ones uncovered are unpatched systems.
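As an added illustration of what that scanning looks like in a firewall log, here is a small detector written for this article (not code from the original post): it parses iptables-style syslog lines and flags any source that touches many distinct destination ports within a short window. The log lines, addresses (RFC 5737 documentation ranges) and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the timestamp, source address and destination port of an iptables-style line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log: one source probes twelve ports in twelve seconds (scan-like),
# one legitimate client repeatedly reaches a single service port.
SAMPLE_LOG = "\n".join(
    [f"Mar 10 02:14:{s:02d} fw kernel: DROP IN=eth0 SRC=203.0.113.45 "
     f"DST=198.51.100.10 PROTO=TCP SPT={40000 + s} DPT={p}"
     for s, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])]
    + [f"Mar 10 02:15:{s:02d} fw kernel: ACCEPT IN=eth0 SRC=198.51.100.77 "
       f"DST=198.51.100.10 PROTO=TCP SPT={50000 + s} DPT=443" for s in range(6)]
)

def parse(line):
    """Return (timestamp, src, dst_port) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year defaults to 1900; only deltas matter
    return ts, m["src"], int(m["dpt"])

def detect_scanners(log_text, threshold=10, window=timedelta(minutes=5)):
    """Map each source that hit >= `threshold` distinct ports inside one `window`
    to the peak number of distinct ports it reached in that window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            events[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        recent = deque()                 # (ts, port) pairs inside the sliding window
        port_counts = defaultdict(int)   # distinct-port bookkeeping for the window
        peak = 0
        for ts, port in evs:
            recent.append((ts, port))
            port_counts[port] += 1
            while ts - recent[0][0] > window:   # evict events older than the window
                _, old_port = recent.popleft()
                port_counts[old_port] -= 1
                if port_counts[old_port] == 0:
                    del port_counts[old_port]
            peak = max(peak, len(port_counts))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for src, n in detect_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {n} distinct ports within 5 minutes")
```

Point it at a real firewall export to see how often the "it won't happen to me" assumption survives a day of logs.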
While security engineers understand the importance of patching and maintaining the security of any system, it can be a challenge to relay this importance to managers, users, and administrators. After all, it isn’t their job to ensure the system is secure; that’s somebody else’s job, and it is overhead that doesn’t directly improve production. Without education for every user with system access, most users will assume that someone else is managing that part of the business and will overlook easy but necessary protocols to avoid vulnerabilities.
After all, everyone has their own job they are intently focused on. Respecting this, it might be worth considering adding system maintenance and patching as part of each user’s job description from the start.
So, understanding that everyone has their own focus in an organization, what can we do to ensure implementation of security protocols at every level? I always recommend providing regular education opportunities for users and administrators demonstrating the importance of patching. This can be done via webinars, tutorials, or the ever-popular ‘free lunch when you come to our brief security seminar’, which is my personal favorite.
Incentives for test completion of online courses can increase participation as well, and a Starbucks card for every user can be far more cost-effective than the cost to remedy a breach – not to mention the loss in customer confidence.
Unfortunately, this is not a set-it-and-forget-it kind of process. Because the vigilance of security is a daily and ever-evolving process, once users have been educated on the importance of regular patching through whatever combination of statistics, fear tactics, and Hollywood magic you choose, reminders need to be given regularly. You can employ e-mails, newsletters, and anything else creative; perhaps even some cute signs of kittens looking ecstatic to be applying patches? Don’t forget to provide easy instructions and a cheat sheet for what to do if anything goes wrong during the process.
In addition to sewing up your patching process (see what I did there?), making sure you have vulnerability scanning and penetration testing regularly performed by qualified professionals is key. Regular testing offers insight into what an outside adversary may see and, of course, routinely checks for new vulnerabilities in the inevitable ongoing race between your organization and hackers.
Remember, the winner is always the one who adapts the quickest. Having a partner organization whose entire focus is staying ahead of every new threat is a very important tool in your toolbox.
In this age of daily technological advancement, cybercriminals are also advancing their tactics and becoming more sophisticated. Security patching is your first and easiest preventative measure against a breach. There are many resources available to assist with patch management. Whether you handle your patches manually or with an automated system, it is important that you stay advised of available patches and make sure you can install them in a timely manner.
While the process of patching isn’t as exciting as the prospect of catching someone using a stolen appendage to thwart a biometric scanner, it is statistically far more likely to save your data and prevent a successful attack, and it will certainly help you to satisfy requirement 6.2.
Feel free to reach out to us as you have questions or want to commiserate, strategize, or just share your thoughts.
Also, check out our resource center at: https://info.obsglobal.com/pci-4.0-resources