Many organizations perform little or no regular testing on the adequacy of the security controls governing their network and Internet-facing Web site applications. Failure to periodically run internal and external network scans to identify weaknesses can prove costly when back doors are left open to hackers and malicious code. Organizations may be protected at a given moment, but new vulnerabilities appear daily, which is why networks should be consistently patched and hardened. According to the
One good example of the need for the regular testing of systems and processes is the recent data security breach at TJX Companies Inc. The TJX breach was ultimately caused by an insecure wireless network. According to a Wall Street Journal report, investigators believe that the hacker was able to use a laptop and a telescope-shaped antenna to bypass older security technology and penetrate the WLAN network. The $17.4-billion retailer's wireless network had less security than many people have on their home networks. For 18 months, TJX had no knowledge that it had been compromised, allowing malicious hackers to download at least 45.7 million credit and debit card numbers.
How to pass PCI requirement 11:
When it comes to scanning your information systems for vulnerabilities, make certain to use tools and techniques that expose vulnerabilities in devices on wired or wireless networks. There are an enormous number of security risks linked to wireless protocols, weak encryption methods and the lack of employee security awareness. Cracking methods have become much more advanced and can be carried out with open source tools freely available on the Web.
A substantial number of successful attacks are carried out against systems that do not get patched with the latest security updates. In addition to a systematic patching process, the greatest protection against network and application security threats is the consistent use of vulnerability scanners that can see all of the applications and devices on a network, identify vulnerabilities and supply remediation information. Nevertheless, scanning the corporate network for vulnerabilities will not reveal everything and may only uncover issues that have already been confronted or at least discovered. Scanning, though helpful, may not necessarily offer what a real, attack-like penetration testing program provides.
In order to be aware of its readiness, it is imperative (and required by the PCI DSS) that an organization perform an annual penetration test on its information systems, measuring how well the systems can endure an attack. This type of test actually exploits vulnerabilities to better quantify the true risk of any particular finding. According to a report found in The Retail Data Security 2005 Benchmark Study, only 51% of retailers perform network penetration testing. A frightening 14% of the survey respondents indicated that they had suffered a customer data security breach. Vulnerability scanning provides a look into known weaknesses, but does not address the elements of a successful intrusion. Your testing should include a deeper dive that will bring to light the real threats to your organization's assets.
Furthermore, when it comes to testing processes, all changes that could affect ingress and egress filter rules should go through a formal process before adjustments are made to firewalls, routers, VPNs and WLAN devices. These changes should be reviewed carefully for proper justification, and management must be made aware of any newly discovered security risks. Information systems environments will always have to change in order to help the business obtain its objectives; therefore, all changes must continually be reviewed and fully documented.
A GUIDE TO PASSING PCI'S FIVE TOUGHEST REQUIREMENTS
Requirement 3: Protecting stored data
Requirement 11: Regularly test systems and processes
Requirement 8: Assign a unique ID to users
Requirement 10: Monitor access to network resources and data
Requirement 1: Install and maintain a firewall configuration
|Craig Norris, CISSP, CISA, G7799, MCSE, Security+, CAPM, TICSA, is a Regional Engagement Manager at an IT consulting firm in Dallas. He has been involved with information technology and security for over 12 years. He can be contacted via email@example.com.|
This was first published in September 2007