Learn why you should include scans and pen tests in your info security program.
Whether you’re aware of it or not, your network likely has vulnerabilities hackers could exploit.
Defects in web servers, web browsers, email clients, POS software, operating systems, and server interfaces can allow attackers to gain access to an environment. Installing security updates and patches for systems in the cardholder or sensitive data environments can help correct many of the newly found defects and vulnerabilities before attackers have the opportunity to leverage them.
But in order to patch these vulnerabilities, you need to find them first. For that you need to implement vulnerability scanning and penetration testing.
The basics of vulnerability scanning
A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. All external IPs and domains exposed in the CDE are required to be scanned by a PCI Approved Scanning Vendor (ASV) at least quarterly.
PCI DSS requires two independent methods of PCI scanning: internal and external scanning. An external vulnerability scan is performed outside of your network, and it identifies known weaknesses in network structures. An internal vulnerability scan is performed within your network, behind the firewall and other perimeter security devices in place, to search for vulnerabilities on internal hosts that could be exploited in a pivot attack.
Typically, these vulnerability scans generate an extensive report of vulnerabilities found and provides references for further research on the vulnerability. Some even offer directions to fix the problem.
Remember, regular scanning is just the first step. Act quickly on any vulnerabilities discovered to ensure security holes are plugged and then re-scan to validate that the vulnerabilities have been successfully addressed. Often times organizations that have the best process have the best security.
The basics of penetration testing
Just like a hacker, penetration testers analyze network environments, identify potential vulnerabilities, and try to exploit those vulnerabilities (or coding errors). In simple terms, analysts attempt to break into your company’s network to find security holes.
PCI DSS Requirement 11.3 (applicable to SAQ C and SAQ D) requires internal and external penetration testing of both the network and application layers of the CDE. But penetration testing isn’t limited to the PCI DSS. Any company that would like an unbiased look at their information security posture, should consider having a penetration test performed.
The time it takes to conduct a penetration test varies based on network size, network complexity, and the number of penetration test staff members assigned. A small environment can be completed in a few days, but a large environment can take several weeks.
Typically, penetration test reports contain a long, detailed description of attacks used, testing methodologies, and suggestions for remediation.
Defining a significant change
In addition to annual penetration tests and quarterly vulnerability scans, you’ll want to perform these vulnerability assessments whenever significant infrastructure or application changes occur to determine if the changes made introduced any new vulnerabilities in the environment.
PCI DSS Requirement 11.3 requires that penetration testing be performed after any ‘significant change’ to the CDE. Due to the cost and time required to perform a penetration test, organizations often claim no significant changes have been made to their PCI environment.
How do you know when a change to the CDE is considered significant? What might be considered a major change to a smaller organization may only be a minor change in a large environment. While this should be an internal risk-based decision, here are some examples of changes that would be considered significant: OS upgrade for CDE system, replacing firewall or critical security device, adding a new payment acceptance process, moving portions or all of the environment to a cloud-hosted environment. The process your organization follows to determine if a change to the CDE is significant should be documented in internal policy and procedure documents
Penetration testing can be performed internally, if an organization has staff who are qualified to perform penetration tests and who are also independent from the systems being tested. Someone who is actively involved in the management and configuration of systems in the CDE shouldn’t also perform the penetration test, as they would not be considered independent. If a company lacks either the skills necessary to perform a test or the organizational independence, tests should be performed by a third-party penetration tester.
Difference between penetration tests and vulnerability scans
As a review, vulnerability scanning, whether internal or external, is not the same as penetration testing.
Here are two big differences:
Vulnerability scans and penetration tests work together to encourage optimal network security. Vulnerability scans are great weekly, monthly, or quarterly insight into your network security, while penetration tests are a more thorough assessment of your overall information security posture.
This content is from the Security Metrics Blog (http://bit.ly/2yNypbz). Thank you to Michael Simpson for his excellent article. We thought it needed to be repurposed and shared!
On October 31, 2016, PCI DSS 3.1 will be retired, and organizations are required use PCI 3.2 and to be compliant with PCI DSS version 3.2 by February 1, 2018. With the recent release of PCI DSS 3.2, many businesses are preparing to update their security and compliance efforts again. Other businesses still aren’t compliant with the previous version of the PCI DSS, which makes them vulnerable to attackers.
Whether you’re new to PCI or a veteran, take time to review your past PCI compliance efforts and plan future PCI DSS 3.2 efforts.
Here are five basic practices to help you become PCI compliant.
1. Document everything
Documenting your policies and actions is important since it helps employees understand what has been done, what needs to be done, and where problems still exist in your business environment. It also helps keep your security efforts organized and legitimate.
Documentation simplifies the PCI process and provides a great baseline for security training materials. By writing your policies down, you solidify plans for implementing security and for training employees. Use your plan to educate employees on your policies and procedures.
Whenever you make changes in your business’s security, have your employees document the change. It’s also good to review the documentation often (quarterly, if not monthly) to make sure no errors have been made.
If you document everything throughout your PCI DSS process, you’ll save time and be more secure.
2. Determine your scope
It’s vital for businesses to determine what is ‘in-scope,’ which means if a particular person/process/technology/component stores, processes, or transmits payment card data. If they do, or are connected to systems that do, they must be PCI DSS compliant.
Some system components that may be in scope for your environment include:
You can’t protect what you don’t know. If you don’t know where your credit card data is, it’s impossible to secure it and get compliant. Create a cardholder data flow diagram for all in-scope networks. This will help you to properly understand the scope of your business by documenting where your card data is received, stored, and transmitted.
3. Segment your network
While network segmentation is not required by PCI DSS 3.2, it’s a good idea if you’re looking for the easiest way to reduce cost, effort, and time on getting compliant.
Network segmentation is done by physically or virtually separating environment systems that store, process, or transmit card data from those that don’t. This can be done through firewalls or physical gaps.
Segmentation can be very difficult, especially for those who don’t have a technical security background. If you do segmentation, you’ll want to have a security professional double check your work. Also remember that some SAQ types require you to do penetration testing on segmentation controls every six months and after any changes.
4. Spend money and time to train all staff
Did you know that employees and corporate partners are responsible for 60% of data breaches? Your employees are your weakest security link, yet many businesses don’t spend enough time to properly train their employees in security.
Create tailored security training for individual employee roles. For example, your IT director will require different training than your front desk manager. Train your employees monthly instead of yearly. Everyone learns best through repetition, and your employees will retain the training better through constant reminders.
Remember to require policy documentation signatures annually, and consistently enforce the policy with strict sanctions. By holding your employees accountable, you can protect your business and customers more effectively.
5. Work with a security professional
Security experts and Qualified Security Assessors are resources that don’t get used enough. You should always consult a security professional with any update to the PCI DSS (e.g., PCI DSS 3.2).
QSAs go through very intense training to understand everything about PCI DSS and data security. They have the technical expertise to help you through the PCI process.
If you’re a small business, you likely won’t need a PCI DSS audit, but you should still talk to a PCI professional to make sure you’re on the right path to PCI compliance. While it does require money, it will save you in the long run.
Get compliant with PCI DSS 3.2
Getting compliant can be difficult, but if you take it one element at a time, you’ll soon be there. Start by creating and updating your PCI compliance program; don’t forget to add the new and revised requirements to your new/existing program.
Remember, you’re not only protecting your business, but also your customers, your employees, and your brand. The longer you wait, the longer your business could be vulnerable.
SEE ALSO: The Importance of the PCI DSS: Why You Should Get Compliant
Hiring and keeping good employees is a challenge that most small businesses have, a challenge that is costing business owners more than you might realize. One study done by the Center for American Progress indicates that for low paying jobs (under $30,000 per year) the cost to hire is 16% of annual wages. That means that a $10 per hour position costs the employer $3,328! When put into the perspective of real hiring costs, it’s clear why improving hiring practices is good business. We spoke to an expert to learn some basic tips that can really help you to hire staff members that are the right fit for you.
Beth Smith, President at A-list Interviews and author of the new book, “Why Can’t I Hire Good People?” understands this pain all too well. A former longtime restaurant owner herself, she uses her professional interview training and past lessons learned to help businesses hire effectively. She shared some of her hiring tips with us:
Follow these guidelines, and you’ll be on your way to making better hires. PGF Consulting Partners Inc. is prepared to guide you through the point of sale system options that will be most effective in smoothly managing employee turnover as well. We’ll help you maximize the capability of your POS system so you can focus on growing your business. We're ready to help save you money and improve your business processes so they are no longer worries for you!
Thank you to SilverEdge for the great content! They are one of our preferred POS System recommendations!
Here to help,
Paul Freitag, Owner
Mindfulness, compassion, competition and joy.
These are the four core values upon which Steve Kerr, head coach of the two-time NBA champion Golden State Warriors, has built the team that has achieved unprecedented success over the past three years.
This team, which is widely considered to be one of the greatest teams ever, is notable for playing a brand of basketball that is remarkable for its teamwork, selflessness, ruthless efficiency and flat out exuberance.
The temptation is to chalk this success up to the collective talent of the players. However, Kerr and his players believe that their team's success, and compulsively watchable style of play, is largely a factor of the degree to which they all have embraced and bought into the culture defined by Kerr's four core values: mindfulness, compassion, competition and joy.
Have you thought about how you could incorporate these values into your sales culture to improve your results? It would be quite a change from the traditional sales rep focused, "what have you done for me lately" sales cultures favored by many sales managers.
Let’s take a quick look at how Kerr’s four values apply to sales.
Mindfulness. It’s about being present for the customer. It’s about eliminating distractions and being completely focused on the customer. It’s about being mindful of your obligations to invest in the continuous learning required to increase the value you can deliver to your buyers.
Competition. Sales is all about competition. First, you have to love battling tooth and nail with competitors (and inertia) for the right to serve your customers. Also, in many ways, sales is a competition against yourself. For most people, selling is not a natural act. Therefore, every day you have to compete against your instincts, as well as the fears that cause you to shrink from doing the hard, but necessary, things like picking up the phone and calling a prospect.
Compassion. Compassion starts with empathy for your customers. This is the ability to put yourself in their shoes and examine their questions, problems and goals from their point of view. It also requires that you have empathy for your colleagues. What are they struggling with and how could they use your help? How can you help them meet their goals?
Joy. Joy is fun. Actually it’s one step above fun. Joy is what you experience when you are in total command of your process, your products and your customers. Joy is the pleasure that comes from the confidence, competence and purpose you display in how you help your buyers.
It’s up to sales managers to cultivate these values in their team. It starts with modeling these behaviors with your salespeople. Are you completely mindful and distraction free when you meet with a sales rep? Have you invested the time to really understand the individuals on your team, their goals and aspirations? And, do you give your people the freedom to express themselves, to let them decide how to utilize their skills to best serve your customers?
As Steve Kerr said, "A lot of teams have talent, and obviously we have great talent. But when that talent is committed to the greater good and to each other and they actually genuinely care about each other and enjoy each other, that takes you over the top."
We share this information because sales has a direct impact on your business's credit card processing fees and bottom line. PGF Consulting Partners is here to not only help you save money on your credit card processing fees, but also understand your industry and all aspects of the sales process.
If you have any questions or would like guidance and advice, please reach out to me!
Here to Help,
Paul Freitag, Owner
Paul Freitag guides you through the world of credit card processing fees and cyber security. He is a industry expert and professional that will make sure your compliant with new laws and ready for the 21st century!