Learn why you should include scans and pen tests in your info security program.
Whether you’re aware of it or not, your network likely has vulnerabilities hackers could exploit.
Defects in web servers, web browsers, email clients, POS software, operating systems, and server interfaces can allow attackers to gain access to an environment. Installing security updates and patches for systems in the cardholder or sensitive data environments can help correct many of the newly found defects and vulnerabilities before attackers have the opportunity to leverage them.
But in order to patch these vulnerabilities, you need to find them first. For that you need to implement vulnerability scanning and penetration testing.
The basics of vulnerability scanning
A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. All external IPs and domains exposed in the cardholder data environment (CDE) are required to be scanned by a PCI Approved Scanning Vendor (ASV) at least quarterly.
PCI DSS requires two independent methods of PCI scanning: internal and external scanning. An external vulnerability scan is performed outside of your network, and it identifies known weaknesses in network structures. An internal vulnerability scan is performed within your network, behind the firewall and other perimeter security devices in place, to search for vulnerabilities on internal hosts that could be exploited in a pivot attack.
Typically, these vulnerability scans generate an extensive report of the vulnerabilities found and provide references for further research on each vulnerability. Some even offer directions to fix the problem.
Remember, regular scanning is just the first step. Act quickly on any vulnerabilities discovered to ensure security holes are plugged, and then re-scan to validate that the vulnerabilities have been successfully addressed. Often, the organizations with the best process have the best security.
The basics of penetration testing
Just like a hacker, penetration testers analyze network environments, identify potential vulnerabilities, and try to exploit those vulnerabilities (or coding errors). In simple terms, analysts attempt to break into your company’s network to find security holes.
PCI DSS Requirement 11.3 (applicable to SAQ C and SAQ D) requires internal and external penetration testing of both the network and application layers of the CDE. But penetration testing isn’t limited to the PCI DSS. Any company that would like an unbiased look at its information security posture should consider having a penetration test performed.
The time it takes to conduct a penetration test varies based on network size, network complexity, and the number of penetration test staff members assigned. A small environment can be completed in a few days, but a large environment can take several weeks.
Typically, penetration test reports contain a long, detailed description of attacks used, testing methodologies, and suggestions for remediation.
Defining a significant change
In addition to annual penetration tests and quarterly vulnerability scans, you’ll want to perform these vulnerability assessments whenever significant infrastructure or application changes occur to determine if the changes made introduced any new vulnerabilities in the environment.
PCI DSS Requirement 11.3 requires that penetration testing be performed after any ‘significant change’ to the CDE. Due to the cost and time required to perform a penetration test, organizations often claim no significant changes have been made to their PCI environment.
How do you know when a change to the CDE is considered significant? What might be considered a major change to a smaller organization may only be a minor change in a large environment. While this should be an internal risk-based decision, here are some examples of changes that would be considered significant: an OS upgrade for a CDE system, replacing a firewall or other critical security device, adding a new payment acceptance process, or moving portions or all of the environment to a cloud-hosted environment. The process your organization follows to determine whether a change to the CDE is significant should be documented in internal policy and procedure documents.
Penetration testing can be performed internally, if an organization has staff who are qualified to perform penetration tests and who are also independent from the systems being tested. Someone who is actively involved in the management and configuration of systems in the CDE shouldn’t also perform the penetration test, as they would not be considered independent. If a company lacks either the skills necessary to perform a test or the organizational independence, tests should be performed by a third-party penetration tester.
Difference between penetration tests and vulnerability scans
As a review, vulnerability scanning, whether internal or external, is not the same as penetration testing.
Here are two big differences:
Vulnerability scans and penetration tests work together to encourage optimal network security. Vulnerability scans are great weekly, monthly, or quarterly insight into your network security, while penetration tests are a more thorough assessment of your overall information security posture.
This content is from the Security Metrics Blog (http://bit.ly/2yNypbz). Thank you to Michael Simpson for his excellent article. We thought it needed to be repurposed and shared!
On October 31, 2016, PCI DSS 3.1 will be retired, and organizations are required to use PCI DSS 3.2 and to be compliant with PCI DSS version 3.2 by February 1, 2018. With the recent release of PCI DSS 3.2, many businesses are preparing to update their security and compliance efforts again. Other businesses still aren’t compliant with the previous version of the PCI DSS, which leaves them vulnerable to attackers.
Whether you’re new to PCI or a veteran, take time to review your past PCI compliance efforts and plan future PCI DSS 3.2 efforts.
Here are five basic practices to help you become PCI compliant.
1. Document everything
Documenting your policies and actions is important since it helps employees understand what has been done, what needs to be done, and where problems still exist in your business environment. It also helps keep your security efforts organized and legitimate.
Documentation simplifies the PCI process and provides a great baseline for security training materials. By writing your policies down, you solidify plans for implementing security and for training employees. Use your plan to educate employees on your policies and procedures.
Whenever you make changes in your business’s security, have your employees document the change. It’s also good to review the documentation often (quarterly, if not monthly) to make sure no errors have been made.
If you document everything throughout your PCI DSS process, you’ll save time and be more secure.
2. Determine your scope
It’s vital for businesses to determine what is ‘in-scope,’ which means determining whether a particular person, process, technology, or component stores, processes, or transmits payment card data. If it does, or is connected to systems that do, it must be PCI DSS compliant.
Some system components that may be in scope for your environment include:
You can’t protect what you don’t know. If you don’t know where your credit card data is, it’s impossible to secure it and get compliant. Create a cardholder data flow diagram for all in-scope networks. This will help you to properly understand the scope of your business by documenting where your card data is received, stored, and transmitted.
3. Segment your network
While network segmentation is not required by PCI DSS 3.2, it’s a good idea if you’re looking for the easiest way to reduce cost, effort, and time on getting compliant.
Network segmentation is done by physically or virtually separating environment systems that store, process, or transmit card data from those that don’t. This can be done through firewalls or physical gaps.
Segmentation can be very difficult, especially for those who don’t have a technical security background. If you do segmentation, you’ll want to have a security professional double check your work. Also remember that some SAQ types require you to do penetration testing on segmentation controls every six months and after any changes.
4. Spend money and time to train all staff
Did you know that employees and corporate partners are responsible for 60% of data breaches? Your employees are your weakest security link, yet many businesses don’t spend enough time to properly train their employees in security.
Create tailored security training for individual employee roles. For example, your IT director will require different training than your front desk manager. Train your employees monthly instead of yearly. Everyone learns best through repetition, and your employees will retain the training better through constant reminders.
Remember to require policy documentation signatures annually, and consistently enforce the policy with strict sanctions. By holding your employees accountable, you can protect your business and customers more effectively.
5. Work with a security professional
Security experts and Qualified Security Assessors are resources that don’t get used enough. You should always consult a security professional with any update to the PCI DSS (e.g., PCI DSS 3.2).
QSAs go through very intense training to understand everything about PCI DSS and data security. They have the technical expertise to help you through the PCI process.
If you’re a small business, you likely won’t need a PCI DSS audit, but you should still talk to a PCI professional to make sure you’re on the right path to PCI compliance. While it does require money, it will save you in the long run.
Get compliant with PCI DSS 3.2
Getting compliant can be difficult, but if you take it one element at a time, you’ll soon be there. Start by creating and updating your PCI compliance program; don’t forget to add the new and revised requirements to your new/existing program.
Remember, you’re not only protecting your business, but also your customers, your employees, and your brand. The longer you wait, the longer your business could be vulnerable.
Paul Freitag guides you through the world of credit card processing fees and cyber security. He is an industry expert and professional who will make sure you’re compliant with new laws and ready for the 21st century!