
What does it mean to be PCI compliant? Are You Secure if you passed compliance standards?

If you update your software, as you are supposed to in order to be PCI compliant, what happens when the update breaks your environment or is itself not secure?

Do you need an example? How about from our blogpost¹:

[Image: don't trust, and verify all plugins]

In our blogpost we mention a plugin that was hijacked by a criminal, who then installed his own malicious code in it.

He then pushed an "upgrade" of the plugin to WordPress, whose update mechanism told every user of the plugin to upgrade.

Unsuspecting users who upgraded were hacked automatically. Upgrading is normally good, but there has to be a reason for an upgrade and it has to be tested. Yet for "PCI compliance" you have to upgrade and keep your systems patched; see for example Requirement 6.2 in the latest v3.2 PCI standard²:

[Image: PCI DSS v3.2 Requirement 6.2]

Requirement 6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

So the requirement says nothing about fake upgrades; it only says to patch the software on the systems that need it.

This is why you have to test the upgrade first and make sure it is what it claims to be before placing it in production.
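The staging gate described above, as an added example that is not code from the original post or from any plugin vendor: the update archive is checked against a hash pinned from a trusted source (assumed to be obtained out of band, for example from the vendor's release page), and its file list is diffed against the currently installed version so that a file a hijacker slipped into the release stands out. The plugin, its archives and the pinned hash are all constructed in memory, so the script runs offline.

```python
"""Added example (not from the original post): a staging gate for a plugin
update. Checks: (1) the archive's SHA-256 equals a hash pinned from a trusted
channel, (2) the update introduces no files the installed version lacks.
All archives below are constructed sample data for a hypothetical plugin."""
import hashlib
import hmac
import io
import zipfile


def build_zip(files):
    """Build an in-memory zip from {path: bytes}. Used only to construct sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


def verify_hash(archive, expected_sha256):
    """True only if the archive's SHA-256 equals the pinned hex digest."""
    actual = hashlib.sha256(archive).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)


def diff_file_lists(installed, update):
    """Return (added, removed) paths between the installed archive and the update."""
    with zipfile.ZipFile(io.BytesIO(installed)) as old_zip:
        old = set(old_zip.namelist())
    with zipfile.ZipFile(io.BytesIO(update)) as new_zip:
        new = set(new_zip.namelist())
    return sorted(new - old), sorted(old - new)


def review_update(installed, update, expected_sha256):
    """Findings a reviewer must clear before the update goes to production.
    An empty list means the hash matched and no new or removed files appeared."""
    findings = []
    if not verify_hash(update, expected_sha256):
        findings.append("hash mismatch: archive is not the published release")
    added, removed = diff_file_lists(installed, update)
    findings += [f"new file not in installed version: {p}" for p in added]
    findings += [f"file removed by update: {p}" for p in removed]
    return findings


# Constructed sample archives (hypothetical plugin, not a real project).
INSTALLED = build_zip({
    "plugin/plugin.php": b"<?php // version 1.0\n",
    "plugin/readme.txt": b"plugin 1.0\n",
})
GENUINE_UPDATE = build_zip({
    "plugin/plugin.php": b"<?php // version 1.1, bug fix\n",
    "plugin/readme.txt": b"plugin 1.1\n",
})
# The same release with one extra file dropped in: the pattern described above.
TAMPERED_UPDATE = build_zip({
    "plugin/plugin.php": b"<?php // version 1.1, bug fix\n",
    "plugin/readme.txt": b"plugin 1.1\n",
    "plugin/includes/loader.php": b"<?php // unexpected extra file\n",
})
# Assumption: in practice this value comes from the vendor's trusted channel,
# never from the archive being checked. Here it is computed from the genuine copy.
PINNED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()

if __name__ == "__main__":
    for label, archive in (("genuine", GENUINE_UPDATE), ("tampered", TAMPERED_UPDATE)):
        problems = review_update(INSTALLED, archive, PINNED_SHA256)
        print(label, "->", "OK to stage" if not problems else problems)
```

The file-list diff is deliberately noisy: a legitimate release can add files too, and the point is that every added file gets a human look before the update reaches production rather than being trusted because the update mechanism offered it.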

 

Another problem: being compliant covers "known" vulnerabilities, which means unknown vulnerabilities can still get you hacked even if you are compliant³.

As in the post from Dec 10, 2015, new exploits keep being found that get you hacked, and then you still lose a lot of money even though you have the latest patches. Even the latest firewalls are affected: certain NGFW (Next Generation Firewall) products, as in the post mentioned, can be hacked with a specific method.

[Image: next-generation firewall flaw diagram]

 

[Image: Fixvirus system engineering]

 

So to answer the question above (are you secure if PCI compliant): not necessarily. In the end PCI compliance is a specific standard for credit card numbers. You can be compliant for the credit card numbers, or Primary Account Numbers (PAN), and still fail to secure other systems. Or you can claim to pass PCI compliance online while not actually performing all the functions.

Testing your network for security vulnerabilities should be done by a separate pair of eyes.

  1. http://oversitesentry.com/new-pci-compliance-v3-2-now-published/
  2. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf
  3. http://oversitesentry.com/nextgen-firewall-flaw-uncovered/

Contact me at 314-504-3974 Tony Zafiropoulos to discuss

 

Why do Cybersecurity? Can you take a chance on your Info Technology being attacked by nefarious actors?

There are a lot of attackers looking for a way into your computers:

[Image: "All your bases belong to us", including alias "little Japanese"]

These criminals have honed their skills. "All Your Bases belong to Us" is a video gaming term: two gamers fight each other and try to take over their opponent's bases. That is what the term meant when it was first used, but it has morphed, as many other things have on the net.

In this case I take it to mean, in broken English, how criminals in other countries will take over your computers. They are crafty and have learned their way around computer weaknesses. The hackers are getting better all the time.

So if you decide yes we _will_ improve our security situation ... now what?

How much time and resources should be spent on Cybersecurity prevention?

Is it about 10%? For simplicity let's say 10% is the minimum amount of time and resources that should be spent.

So out of 2000 work hours in a year (i.e. not counting sleep and time off), 200 hours per year should be spent on the various activities that save your personal and business data from calamity.

Now the big question is what to do with the time and resources to be spent on Cybersecurity. 200 hours is not a lot for the year, and it should not be used up all at once, as there are other things to do. So if we divide 200 by 12 it equals 16 2/3 hours per month; we can round it to 17 hours per month, which is about 4 hours per week.

The interesting item is what Anthony Christie¹ says: "Our security people spend 60% of their time optimizing documentation and 40% of their time doing the work," said Anthony Christie, chief marketing officer for Level 3 Communications (a networking company).

So let's say 2.4 hours on documentation and 1.6 on actual security work.

Documentation is important that is why 60% of time should be spent on it.

This is where Fixvirus.com can help you: we are familiar with compliance standards including HIPAA, PCI, NASD, Sarbanes-Oxley, GLBA and more.

But what should your IT department actually do? Update your systems - make sure they have the latest patches. Updating your systems is not easy peasy.

Before doing an update one has to test the patch to make sure it will not harm the rest of your software that is run in your standard environment.

PCI Compliance² is important if you take credit card payments.

HIPAA compliance is important if you handle or are near patient data.

Sarbanes-Oxley applies if you are a public company (or thinking of becoming one).

Various Financial Regulations require cybersecurity as well for any financial institution.

The consumer rights division is getting more aggressive, so needless to say there are many government entities regulating more and more cyber activities, and _when_ there are more attacks there will be more regulations, not less (when have you seen fewer regulations from the government?). The Federal Trade Commission got a ruling on data security in the Wyndham case³:

"The FTC sued the hospitality company and three subsidiaries, alleging that data security failures led to three data breaches at Wyndham hotels in less than two years. According to the complaint, those failures resulted in millions of dollars of fraudulent charges on consumers’ credit and debit cards – and the transfer of hundreds of thousands of consumers’ account information to a website registered in Russia."

You can see that as an executive overseeing an IT department one can look at the budget and spend in many directions, including technology.

Remember that technology is just one piece of the puzzle:

[Image: security versus privacy balance]

Privacy and civil liberties versus security needs to be taken into account, and your risk assessment must be done by qualified individuals. There is no such thing as 100% security, only "more secure" and "less secure".

[Image: risk analysis]

The likelihood of an attack and the impact of the attack (what would happen if criminals are successful) should set your risk and then you can gauge your "Risk appetite" to decide where to spend your budget.

As I have discussed on my blog, Oversitesentry.com⁴:

[Image: 1000 gun barrels]

Here is another way of looking at risk management:

Imagine playing Russian roulette with a 1000- or 500-barrel gun (which one depends on circumstances).

Every day we spin the barrels (one has a bullet), so we have a 1 in 500 chance (or 1 in 1000) of something bad happening. Hopefully the odds really are 1 in 500 or 1 in 1000. But imagine the worst possible outcome: your customer data is now in the hands of a criminal. Now what?

Whether you know it or not, there are risks just for using your computers and being connected to the Internet. So unless you want to disconnect there will be risks. So what will you do to reduce your risks?

Contact us to discuss

 

 

  1. http://fortune.com/2016/05/20/no-cure-for-cybersecurity-threats/
  2. https://fixvirus.com/security-and-pci-compliance/
  3. https://www.ftc.gov/news-events/blogs/business-blog/2015/08/third-circuit-rules-ftc-v-wyndham-case
  4. http://oversitesentry.com/do-you-have-a-500barrel-riskgun-or-a-1000barrel-riskgun/

What do I mean when I say "Start With Some Cybersecurity"?

At Fixvirus.com we will help you design your own Cybersecurity department, or help you with just enough Cybersecurity.

What do I mean by 'just enough Cybersecurity'?

 

I think it is safe to say that most of us do not think about the security of our phones, computers and tablets. As a whole, people want their electronic devices to work.

Is this indicative of what we want in our companies? Do we expect the IT department to keep us safe and secure? We don't want to think about this; we just want it to happen.

So what to do? Why does the IT department need oversight? Because testing their abilities in a nice way tells them they are doing a good job and tells you the IT job is being done well.

You can still get hacked, but at least the i's were dotted and the t's crossed.

The key, in our environments anyway, is what happens after the hacker is in. You don't want them to steal anything and get away with it. You have to set up methods to detect when a hacker is doing their work and shut down the exfiltration (the stealing of data to an external machine).

 

So to start we have to audit the environment and count all the computers before doing the next steps.

  1. Audit the environment: count the computers and find out what is running on them (count computers = find them all and review what is running on each).
  2. Audit the software, since knowing the hardware, or the server instances in virtual machines, is not enough. We must know the type and version of the software running, since a vulnerability alert can put PCI compliance in jeopardy. The criminal hacker is looking for your software, so you should know what is in your environment as well.
  3. Do vulnerability assessments, which means trying to uncover unpatched software in your environment (just like the criminal hacker would do, and like you are supposed to do for PCI compliance, HIPAA compliance and all other governance), as it only makes sense.
  4. What about zero-day attacks, the attacks that cannot be patched because the hackers found a problem that can be exploited? For these situations we have to have a detect-and-monitor program. Check the logs and check the network traffic, which means a SIEM (Security Information and Event Manager) and an IPS (Intrusion Prevention System).
    1. Although SIEM and IPS systems will not prevent all attacks, they will prevent a lot, and with vigilance and enough resources we can keep up with attacks on our environment.
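The four audit steps above carried through as one script; this is an added example, not code from the page or from any scanner or SIEM product. Steps 1 and 2 are an inventory of hosts and the software versions on them, step 3 compares those versions against a minimum-patched baseline, and step 4 sums outbound bytes per host from flow-log lines so an unusual volume (the exfiltration case mentioned earlier) stands out. The inventory, the baseline versions, the host names and the log lines are all constructed sample data; the baseline numbers are placeholders, not real advisories.

```python
"""Added example, not from the page: the audit steps as code.
Inventory, baseline versions and flow-log lines are constructed sample data;
the baseline is a placeholder, not a real vulnerability feed."""
import re

# Step 1 and 2: constructed inventory, one record per host.
INVENTORY = [
    {"host": "pos-01", "software": {"openssl": "1.0.2g", "apache": "2.4.18"}},
    {"host": "web-01", "software": {"openssl": "1.0.2k", "wordpress": "4.5"}},
    {"host": "db-01", "software": {"mysql": "5.6.20", "backup-agent": "3.1"}},
]

# Step 3: constructed baseline. Anything older than these is treated as unpatched.
PATCH_BASELINE = {"openssl": "1.0.2k", "apache": "2.4.20", "wordpress": "4.5.2", "mysql": "5.6.30"}

# Step 4: constructed flow-log lines (source host, destination address, bytes sent).
FLOW_LOG = """\
2016-01-31T02:10:00 src=db-01 dst=203.0.113.9 bytes=48000000
2016-01-31T02:12:00 src=web-01 dst=198.51.100.20 bytes=120000
2016-01-31T02:14:00 src=db-01 dst=203.0.113.9 bytes=51000000
2016-01-31T02:15:00 src=pos-01 dst=198.51.100.20 bytes=9000
"""

LINE = re.compile(r"src=(\S+) dst=(\S+) bytes=(\d+)")


def parse_version(version):
    """Turn '1.0.2g' into ((1, ''), (0, ''), (2, 'g')) so versions compare as tuples."""
    parts = []
    for piece in version.split("."):
        match = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        parts.append((int(match.group(1)), match.group(2)) if match else (0, piece))
    return tuple(parts)


def count_hosts(inventory):
    """Step 1: how many hosts, and how many distinct software packages, were found."""
    packages = {name for record in inventory for name in record["software"]}
    return len(inventory), len(packages)


def find_unpatched(inventory, baseline):
    """Step 3: (host, package, installed, required) for every version below the baseline."""
    findings = []
    for record in inventory:
        for package, installed in record["software"].items():
            required = baseline.get(package)
            if required is None:
                continue  # no baseline known: reported separately by unbaselined()
            if parse_version(installed) < parse_version(required):
                findings.append((record["host"], package, installed, required))
    return findings


def unbaselined(inventory, baseline):
    """Software with no patch baseline at all: it cannot be judged, so list it."""
    return sorted({(r["host"], p) for r in inventory for p in r["software"] if p not in baseline})


def outbound_bytes_per_host(log_text):
    """Step 4: sum bytes sent per source host from flow-log lines."""
    totals = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            totals[m.group(1)] = totals.get(m.group(1), 0) + int(m.group(3))
    return totals


def flag_outbound(log_text, threshold_bytes):
    """Hosts whose outbound total exceeds the threshold, largest first."""
    totals = outbound_bytes_per_host(log_text)
    over = [(host, total) for host, total in totals.items() if total > threshold_bytes]
    return sorted(over, key=lambda item: -item[1])


if __name__ == "__main__":
    print("hosts, packages:", count_hosts(INVENTORY))
    for finding in find_unpatched(INVENTORY, PATCH_BASELINE):
        print("unpatched:", finding)
    print("no baseline:", unbaselined(INVENTORY, PATCH_BASELINE))
    print("high outbound volume:", flag_outbound(FLOW_LOG, 50_000_000))
```

The version parser is deliberately simple (numeric parts compared as integers, a trailing letter as a string); real package ecosystems have their own ordering rules, and a production check should use the comparison routine of the package manager in question. The outbound threshold is a fixed number here; in a SIEM it would be a per-host baseline learned from normal traffic.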

 

[Image: risk management framework]

[Image from NIST(National Institute of Standards and Technology) 800-37 documents¹]

If risk management is to work properly in an entity it must be assessed with enough time to review all your data and your usage of computers.

So yes, the first thing one must do is find out what your Info Tech is and how it is being used. Don't just learn what is running on each computer, but rate each item by its risk factor:

You must classify data from high importance to low importance.

[Image: risk management matrix]

High-importance data can then be properly classified into cyber risk categories.

We will review each step of the path to better Cybersecurity again and again as that is what we are all about.

Contact me, Tony Zafiropoulos, at 314-504-3974 to discuss.

 

Our hashtag #testYourSecurity should be everyone's hashtag that wants more Cybersecurity.


  1. http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

There are a lot of compliance Standards to keep up on:

HIPAA¹ - Health Insurance Portability and Accountability Act

PCI DSS² - Payment Card Industry Data Security Standard

ISO 27000³ - International Organization for Standardization (HQ in Geneva, Switzerland). I discussed ISO before: http://oversitesentry.com/ngfw-tech-half-battle-in-orgs/

Among others (Sarbanes-Oxley)

 

But what if you don't even know what you have?

Have you spent the time to look at all of your digital data?

What do you use every day? Excel and Word files?

Have you had a 3rd person look at your data and review the outcome with you?

Did you set up a risk management matrix? Likelihood versus consequences.

Maybe you don't really know which database is the most important?

[Image: risk management matrix]

This is a framework diagram from the NIST document:

[Image: risk management framework]

It is important to assign a number from 1 to 5 to the importance of each of your different digital properties.

Set an importance for the impact on your business (low, medium, high).

The ensuing matrix will tell you at a glance what you need to know about business risk, what resources you should spend, and why.
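The likelihood-by-impact matrix described here, with both ratings on the 1 to 5 scale the text suggests, as an added example (not from the page or from the NIST document). It also turns the daily-odds picture from the "500- or 1000-barrel gun" passage earlier on the page into a yearly probability, which is what a budget decision actually needs. The asset names and ratings and the low/medium/high band thresholds are constructed assumptions for the illustration.

```python
"""Added example, not from the page: a 5x5 likelihood-by-impact risk matrix,
a ranking of assets by score, and the yearly probability implied by a daily
1-in-N chance. Asset ratings and band thresholds are constructed assumptions."""

# Constructed asset ratings: likelihood and impact each scored 1 (low) to 5 (high).
ASSETS = [
    {"name": "customer card database", "likelihood": 3, "impact": 5},
    {"name": "public web server", "likelihood": 5, "impact": 3},
    {"name": "HR file share", "likelihood": 3, "impact": 4},
    {"name": "office printer", "likelihood": 2, "impact": 1},
]


def risk_score(likelihood, impact):
    """Score is likelihood times impact (1 to 25). Ratings outside 1..5 are rejected."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError(f"rating {value} is outside 1..5")
    return likelihood * impact


def risk_band(score):
    """Map a score to low / medium / high. Thresholds are an assumption; set them to your risk appetite."""
    if score <= 5:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


def rank_assets(assets):
    """Highest risk first; ties broken by impact, then likelihood (bigger consequence wins)."""
    scored = []
    for asset in assets:
        score = risk_score(asset["likelihood"], asset["impact"])
        scored.append({**asset, "score": score, "band": risk_band(score)})
    return sorted(scored, key=lambda a: (-a["score"], -a["impact"], -a["likelihood"]))


def render_matrix(assets):
    """Text grid: rows are likelihood 5..1, columns impact 1..5, cells count the assets there."""
    counts = {}
    for asset in assets:
        key = (asset["likelihood"], asset["impact"])
        counts[key] = counts.get(key, 0) + 1
    lines = ["L\\I " + " ".join(f"{impact:>2}" for impact in range(1, 6))]
    for likelihood in range(5, 0, -1):
        row = " ".join(f"{counts.get((likelihood, impact), 0):>2}" for impact in range(1, 6))
        lines.append(f"{likelihood:>3} {row}")
    return "\n".join(lines)


def annual_probability(barrels, days=365):
    """Chance of at least one hit in a year when every day is an independent 1-in-`barrels` spin."""
    return 1 - (1 - 1 / barrels) ** days


if __name__ == "__main__":
    for asset in rank_assets(ASSETS):
        print(f'{asset["score"]:>2} {asset["band"]:<6} {asset["name"]}')
    print(render_matrix(ASSETS))
    for barrels in (500, 1000):
        print(f"1 in {barrels} per day -> {annual_probability(barrels):.1%} per year")
```

Two things the arithmetic shows that the prose does not: a daily 1-in-500 chance is roughly a coin flip over a year (about 52%), and 1-in-1000 is still about 31%, so "unlikely on any given day" is not "unlikely this year". The tie-break on impact is a deliberate choice: when two assets score the same, the one whose loss hurts more gets budget first.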

Contact me Tony Zafiropoulos 314-504-3974 and I will be happy to discuss this with you as I have done this with clients.

It is good to know what you have and how to protect it.

[Image: cybersecurity log analysis]

  1. http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
  2. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
  3. https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en

 

 


HIPAA compliance documents do not tell you exactly what to do in your network.

Instead they are a framework to fulfill. Here is a link to the HHS information in case you are interested:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

HHS is the U.S. Department of Health & Human Services.

But unfortunately the details of what should be done are opaque at best.

It is better to review the SANS website, as SANS is a security training organization. One of their documents has a good review of HIPAA compliance.

[Image: hospitals hacked]

An interesting side note (the criminals do not care about compliance or security, just whether they can hack your network resources); check our blogpost: http://oversitesentry.com/website-files-ransomed-not-just-personal-files/

In the following standard review (from the SANS document) wireless devices were discussed:

HIPAA Standards

While the Final HIPAA rules do not necessarily deal directly with wireless or any specific network device, the regulations cover many separate areas that deal with PHI (Personal Health Information). In summary the document deals with 3 major areas:

  1. Administrative Safeguards
  2. Physical Safeguards
  3. Technical Safeguards.

The Administrative Safeguards section (164.308) provides regulation for the management of healthcare organizations. Secondly, Physical safeguards (section 164.310) regulate how physically secure the facility should be. Finally Technical Safeguards (section 164.312) provide regulations for access control to the network, security and integrity of data/transmissions, auditing and authentication. This section is most relevant to our situation.

In order to provide the highest security to a wireless network, the relevant regulations need to be extracted from the HIPAA document and interpreted for use in the scenario presented. The following is a brief summary of the standards that relate to our wireless scenario.

  1. Access control (164.312(a)(1)) is simply what the name implies, controlling who is granted access to the organization's resources.
  2. Auditing (164.312(b)) is maintaining logs of who accessed a given resource at what time and where so that in the event of a security compromise there will be an audit trail.
  3. Integrity (164.312(c)(1)) consists of making sure that PHI is not modified in any way by an unauthorized user during transmission or storage.
  4. Person authentication (164.312(d)) is authenticating that the person the computer says they are is really the correct person. This could be argued that it should be done at the server, but I think we can take it a step further and authorize the user when they transition from the wireless to the wired network.
  5. Transmission security (164.312(e)(1)) is ensuring that the network transmissions are kept private and since the media is the air this is a high priority in wireless environments.
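Two of the technical safeguards in that summary, auditing (who accessed which resource, when and from where) and integrity (detecting any later modification of the records), can be met together with a tamper-evident audit trail. The following is an added example, not code from the SANS document or from the page: each entry carries an HMAC over its own fields and the previous entry's tag, so editing, reordering or deleting a record breaks the chain. The key, the user names and the entries are constructed for the example, and the key is assumed to be stored somewhere the log writer cannot reach (an HSM or key-management service).

```python
"""Added example, not from the page or the SANS document: a hash-chained
audit log for PHI access. Key and entries are constructed sample data."""
import hashlib
import hmac
import json

# Assumption: kept separately from the log (HSM/KMS); a constructed value here.
AUDIT_KEY = b"constructed-example-key-do-not-reuse"


def _tag(key, prev_tag, fields):
    """HMAC over the previous tag and this entry's fields (canonical JSON so order cannot vary)."""
    payload = prev_tag.encode() + json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log, key, who, resource, action, when, where):
    """Append one access record (164.312(b): who, what, when, where) and return it."""
    fields = {"who": who, "resource": resource, "action": action, "when": when, "where": where}
    prev_tag = log[-1]["tag"] if log else "genesis"
    entry = {**fields, "tag": _tag(key, prev_tag, fields)}
    log.append(entry)
    return entry


def verify_log(log, key):
    """Walk the chain; return the index of the first bad entry, or -1 if every tag checks out."""
    prev_tag = "genesis"
    for index, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "tag"}
        if not hmac.compare_digest(_tag(key, prev_tag, fields), entry["tag"]):
            return index
        prev_tag = entry["tag"]
    return -1


def build_sample_log(key):
    """Constructed sample trail: three accesses to one patient record."""
    log = []
    append_entry(log, key, "nurse.jdoe", "patient/1042", "read", "2016-01-31T08:02:11", "ward-ap-3")
    append_entry(log, key, "dr.smith", "patient/1042", "update", "2016-01-31T08:15:40", "clinic-lan")
    append_entry(log, key, "billing.svc", "patient/1042", "read", "2016-01-31T09:00:03", "server-lan")
    return log


if __name__ == "__main__":
    trail = build_sample_log(AUDIT_KEY)
    print("intact log, first bad index:", verify_log(trail, AUDIT_KEY))
    trail[1]["who"] = "someone.else"          # simulate after-the-fact editing
    print("edited log, first bad index:", verify_log(trail, AUDIT_KEY))
```

Verification with the right key is what an auditor runs; a mismatch tells you where the chain broke, which is exactly the record an investigation needs to focus on. The chain protects integrity, not availability: keep a copy of the log on a separate system so that wholesale deletion is also noticed.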

 

So in essence, to protect PHI (Personal Health Information), i.e. medical data, one has to perform basic security practices. And this has to be documented for any potential audits.

Contact us, as we help with compliance and documentation details.

Blogpost on HIPAA compliance from my blog:

http://oversitesentry.com/hipaa-enforcement-10-of-any-covered-entity-will-be-audited-says-office-for-civil-rights/ (blogpost from June 2015)

Notice the tidbit that 10% of all organizations will be audited by the Office for Civil Rights, and if they so choose they will do some serious social engineering on your org.

It is always better to be proactive. Make sure you have a good security policy in place. Set up a methodology of security, not just a compliance-checkbox policy.

 

Updated 01/31/2016

 

If you are not 100% certain?

Are you 95.5%? That is 2 sigma (σ). If you want 99.9999%, then that is 6 sigma (σ).

The attackers are coming.

Check this link:

http://oversitesentry.com/i-want-my-internet-247hackersknowthat/

The link explains what is obvious to all: we need the Internet, and the criminals know that, so they will find any mistakes that you made or are making.

[Image: FBI most wanted poster for Evgeniy Bogachev] Mr. Bogachev has a $3 million bounty on his head. Why do you think that is?

 

The criminals are working while you are sleeping, in relatively lawless environments, trying to find a way to make more money: your money.

Here is a link, if you dare, about the "Russian Carders Army":

http://carderinfo.nm.ru/cr1.swf

A video by McAfee and the FBI explaining the background of Russian attackers (criminals): http://bcove.me/vchfpcni

I don't know if you understand yet: if you have any problems in your defenses, the hackers will find them, and it is only a matter of time before your company is hacked, your company is extorted, and your equipment is used for criminal ends.

This phenomenon is not new and will not stop.

[Image: risk management matrix after a hack]

Risk management failed us, because the system that is not important may have mistakes, and once hacked it allows the more important machines to be hacked as well. So risk management failed.

We can no longer make judgements with risk and say this machine is more important and can have fewer problems than others. ALL machines are important.

 

We can help you MAKE sure that you are as close to 100% certain as possible.

 

I believe companies need to run a minimal set of vulnerability analysis, which I explain here:

http://oversitesentry.com/tonyz/pubhtml/fixvirus/svapec/

The idea is to at least cover your basic vulnerabilities with a regular scan, because the defender has to be perfect, and there are too many attacks heading our way for you not to test your defenses with outside help.

Of course you can (and should) have a layered defense strategy, like in this link:

http://oversitesentry.com/2-steps-stops-all-cyberattacks/

 

Or with Six Sigma (σ):

We need Six Sigma Security.

[Image: Six Sigma certified, from www.simplilearn.com]

And the only way to achieve it is with testing, testing, testing.

We perform the (A – Σ – Ω) Solution.

In QA that is how Six Sigma is achieved: 99.9999% error free.


Good security means doing good basic IT.

And sometimes it also means keeping up with new compliance initiatives by industry or government.

This year, on October 1, 2015, a new Payment Card Industry (PCI) rule goes into effect. On October 1st the liability for a security breach shifts to the merchant, not the bank or processor.

Here is an article that discusses certain aspects of the Point Of Sale system: http://news.investors.com/technology/032015-744412-latest-point-of-sale-endpoint-security-tackles-expensive-breaches.htm

EMV (the Europay MasterCard Visa credit card standard) will come to the US by October 1st as well. And if you will get new machines anyway, get ones which have point-to-point encryption.

[Image: card-present vulnerabilities, from visa.com]

The problems in most small merchants are basic in nature. The PCI industry has created a standard, located at https://www.pcisecuritystandards.org/, and the common problems are:

  • Insecure remote access used by attackers
  • Weak or default passwords and settings commonly used
  • Lack of network segmentation
  • Malware deployed to capture card data
  • Absence of antivirus tools to detect malware

 

If you add a firewall and an Intrusion Prevention System you will protect yourself even further.

http://oversitesentry.com/cyberwar-you-aint-seen-nothin-yet/

Then add the Polliwall; now it will be almost impossible for the standard criminals to take your systems. None of us can defend against the nation states, but if we can defend against everyone else then we have created the defensive system for 2015.

What does PCI compliance really mean?

There are similarities with ISO 27001. PCI compliance is set up as an audit of the IT department, with a specific emphasis on credit card security as well, whereas ISO 27001 is more of an audit of the processes of a company. This makes sense in a manufacturing environment, where it is important that your processes show what occurs in the manufacturing and delivery of a product. A product that has to be created can have errors introduced in the creation step, and this is where Six Sigma (the quality assurance standard) has come into place.

See our blogpost (at Oversitesentry.com) where we say Six Sigma security is needed.

But as the title mentions, the real reason for PCI compliance adherence is legal liability, as will be shown.

The latest PCI standard (DSS 3.0) is a 106-page PDF (plus 6 pages of appendix) published by pcisecuritystandards.org at the following link: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

 

The document outlines many aspects of the Payment Card Industry (PCI) expectations of security, which are security practices made up of common sense:

1. Implement a firewall, with good access control on all connections to the Internet, including the DMZ (DeMilitarized Zone). If you have a single connection and a single location it is straightforward, but if not, the standard still tries to keep the additional complexity in mind without losing security.

2. The network defense is not complete without a discussion of a personal firewall on the desktop and, later in the document, an antivirus solution. The Microsoft Global Policy should also be discussed (where all aspects of the desktop can be controlled if so desired).

3. A lot of points are made about changing default configurations and passwords in all systems; this is another good common-sense item.

4. Any protocols deemed "insecure" should be shored up as best as possible (there is a lot of latitude here, since there can be many different potential issues).

5. Using proper logs is important.

6. Encrypt where necessary: credit card numbers should be encrypted over the Internet or over wireless access points. And this has to be "verified". Again, this is due to legal concerns.

Later in the document: use an intrusion detection system so as to know what is being attacked and how you are being attacked. Keeping the logs is important not just for finding out what is going on in your network; it is important for reconstructing events in case of legal liability. Whenever the document says "Verify" it means that if you do not, a lawyer will make you pay for it in the future.
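"Verify" is the word to act on, and the common-sense items above are the kind of thing that can be verified mechanically on every device before an auditor asks. The checker below is an added example, not code from the page or from the PCI standard: it turns the article's items 1 through 6 plus the intrusion-detection point into tests over a device configuration, showing a weak configuration next to a hardened one. The INI layout, the key names, the lists of default passwords and insecure protocols, and both sample configurations are constructed assumptions for the example; the numbers in the findings refer to the article's list above, not to PCI DSS requirement numbers.

```python
"""Added example, not from the page or the PCI standard: a configuration
checker for the common-sense practices in the list above. INI layout, key
names, word lists and both sample configurations are constructed."""
import configparser

# Constructed lists (assumptions): extend them for the equipment you actually run.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "1234", ""}
INSECURE_PROTOCOLS = {"telnet", "ftp", "http", "snmpv1"}
ACCEPTED_TRANSPORT = {"tls1.2", "tls1.3"}

# Constructed sample: a box left at factory defaults.
WEAK_CONFIG = """\
[firewall]
inbound_default = allow
dmz_segmented = no
[desktop]
antivirus = no
host_firewall = no
[accounts]
admin_password = admin
[services]
enabled = telnet, ftp, https
[logging]
enabled = no
[cardholder_data]
transport_encryption = none
[ids]
enabled = no
"""

# Constructed sample: the same box after the list above has been applied.
HARDENED_CONFIG = """\
[firewall]
inbound_default = deny
dmz_segmented = yes
[desktop]
antivirus = yes
host_firewall = yes
[accounts]
admin_password = Zq7!constructed-long-passphrase
[services]
enabled = https, ssh
[logging]
enabled = yes
[cardholder_data]
transport_encryption = tls1.2
[ids]
enabled = yes
"""


def check_config(text):
    """Return one finding per failed check; an empty list means every check passed.
    The leading number is the item in the article's list, not a PCI DSS requirement."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    if cfg.get("firewall", "inbound_default", fallback="allow").strip().lower() != "deny":
        findings.append("1 firewall: inbound default policy must be deny")
    if not cfg.getboolean("firewall", "dmz_segmented", fallback=False):
        findings.append("1 firewall: DMZ is not segmented from the internal network")
    if not cfg.getboolean("desktop", "antivirus", fallback=False):
        findings.append("2 desktop: no antivirus solution")
    if not cfg.getboolean("desktop", "host_firewall", fallback=False):
        findings.append("2 desktop: no personal firewall")
    if cfg.get("accounts", "admin_password", fallback="").strip().lower() in DEFAULT_PASSWORDS:
        findings.append("3 defaults: administrative password is a default or empty")
    raw = cfg.get("services", "enabled", fallback="")
    enabled = {s.strip().lower() for s in raw.split(",") if s.strip()}
    for proto in sorted(enabled & INSECURE_PROTOCOLS):
        findings.append(f"4 protocols: insecure service enabled: {proto}")
    if not cfg.getboolean("logging", "enabled", fallback=False):
        findings.append("5 logs: logging is disabled")
    if cfg.get("cardholder_data", "transport_encryption", fallback="none").strip().lower() not in ACCEPTED_TRANSPORT:
        findings.append("6 encryption: card data transport is not TLS 1.2 or newer")
    if not cfg.getboolean("ids", "enabled", fallback=False):
        findings.append("IDS: intrusion detection is disabled")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = check_config(text)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Every check uses a `fallback` that fails closed, so a configuration that simply omits a section is reported as non-compliant rather than silently passing; that is the behaviour you want when the output is evidence for an audit.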

How do I say this with certainty?

http://www.bankinfosecurity.com/retail-breach-compromised-millions-cards-a-5688/op-1 has a sentence of note:

"The company also pointed out that as of its most recent audit, conducted in November 2012, it was in compliance with the Payment Card Industry Data Security Standard."

How about this link?

https://www.paylinedata.com/payments/schnuck-markets-files-sealed-lawsuit-two-payment-processors-data-breach/

"In St. Louis, Missouri, Schnuck Grocery store recently sued two payment processing companies. Currently the details of the lawsuit have not been released, but many can speculate that this is due to the recent breach of credit card data that impacted millions of customers at the large grocery chain."

How could Schnucks end up suing the payment processors, unless it had done its due diligence in the PCI compliance audits required by the industry? I believe this conclusion does not require knowing the outcome of the case.

So that is why we are confident in saying: PCI compliance has to do with legal liability.

What are you waiting for? The ambulance-chasing attorneys will come after you when (not if) a breach occurs.

 

Contact us, as we can help you with the future audit, and legal liabilities beckon.

In the end it is the criminals versus the legal liabilities that you must wrestle with.

[Image: Kmart logo with scales of justice] I post this doctored image of Kmart's logo, as they were hacked as well, although I am not sure of their PCI compliance.

[Image: PCI best practices]

To be PCI compliant means there is a security policy in place.

We can help with a security policy or with the documentation for PCI compliance.

There are a lot of items to check and verify.

Don't forget to check any cloud services that you may have.

Contact us with any concerns about security policies and PCI compliance issues.

News of the day: a review of CMS systems from this post: http://securityintelligence.com/cms-hacking-2014-by-the-numbers/

Also, for the tip of the day: PCI compliance, the new page created at Oversitesentry (my blog):

http://oversitesentry.com/pci-compliance/