Information security courses teach data security professionals to incorporate multiple layers of security to secure their systems. This is the right advice. A four foot fence might keep some criminals out, but an athlete would have no problem jumping the fence. The dog, locked door, and security system are examples of additional layers of security that reduce the risk of a break-in. The more layers of security, lesser the chances of a breach. Yet there is always a risk of a zero-day attack, that no one has seen before, that may find its way past multiple layers of security.
A firewall that is not configured properly is a major security leak.
In the above analogy, the four foot fence is the firewall. A firewall can also be an eight foot fence when properly managed. To be sure your firewall is properly configured, make sure it is managed by security professionals who know how to harden it. Ask for a screenshot of the firewall configuration and make sure the deny-all is in place. Deny-all ensures only those on your whitelist for authorized access are allowed through, all others are denied. But if we deny all others at the firewall, do we still need more security? Absolutely. The firewall is a key component of security, but, breaches have happened with firewalls in place. This is why it is important to secure your network multiple ways, not just one or even a few.
Strong security measures are outlined in PCI DSS 3.2 compliance requirements.
- Manage your inventory – If you don’t know what is authorized you won’t know when an unauthorized device is added to your network. Document your device serial numbers, alert on new devices added, and ensure your procedure to check devices for replacement includes serial number checks. Test your cashiers to see if they are performing periodic checks. A checkmark on a page is not as conclusive as knowing a serial number they look at daily, or reporting a broken security sticker.
- Change vendor defaults – New devices commonly come from the vendor set up to allow access with the vendor defaults. This enables the vendor to access the device to assist with setting it up. Once the device is implemented change the defaults immediately. Vendor default lists can be googled and are akin to leaving the door open. Close the door by changing the account password to a long password or removing the account all together. Test for vendor defaults by seeing if you can log in with them.
- Encrypt stored data – This is the best way to reduce risk should any kind of breach happen, including a zero-day. If the data is encrypted a criminal cannot leverage it.
- Encrypt data in transit – One of the very first case studies you learn in cybersecurity management training is the case in which cyber criminals sat in a parking lot with a long range antennae, scraping card data in flight between the portable point-of-sale systems and the rest of the network. Encryption in transit is also important.
- Anti-malware and anti-virus – It’s not enough to install the product, be sure to keep it up to date, enabled, and running scans on a regular schedule.
- Develop and maintain secure systems and applications – If you develop software, be sure to train the developers in software security best practices, hold code reviews, and test application security before putting it in production. If you don’t develop software, make sure you document software authorized for your company use, obtain payment application attestation of PCI DSS validation for point-of-sale systems, update and patch all software regularly, and test everything before putting it into production. Also maintain proper change control procedures. Being able to see what just changed, or hasn’t changed in a long time, goes a long way toward isolating where problems might be lurking.
- Establish strong password policies, and remember that longer passwords are more secure than shorter ones. Adding special characters and capital letters and numbers to a password are common requirements, none of which strengthen your password as much as making it a longer password. To help you remember your password use a passphrase made up of more than one word. For example, mymotherthecar is far more secure than mymom. Password managers are another effective way for managing passwords.
- Run scans and tests to identify vulnerabilities – Internal and external vulnerability scans, and penetration tests, fall under PCI DSS requirement 11. This should be one of the highest priority items in your cybersecurity bag of tools. These scans and tests are how you determine if you have security gaps. The age old saying, out of sight, out of mind, holds true with cybersecurity. The scanners and pen tests bring issues into sight, and until you know they are there you can’t fix them. Once you do know they are there though, fix them promptly. Every minute a vulnerability exists is another minute of risk. And the longer data leaks, the more people are impacted, and greater the losses.
Finally, since new attacks are constantly surfacing, secure with multiple layers, encrypt, scan and test. The more layers of security, the lesser the chances of a breach. But don’t be overwhelmed. Cover the bases first; you will make it less easy for the criminals. You don’t have to do it all yourself. Omega is here to guide you from the beginning to continuous compliance.