SecurityMetrics Vision whitepaper

SecurityMetrics Vision:

Network Threat Sensor for Small Businesses

Small Businesses at Risk for Data Theft

Small businesses are the primary target for card data theft, accounting for 85% of card data compromises*. Although less lucrative than individual large corporations, small businesses offer more opportunities for criminals to steal payment card data.

Many small businesses overlook payment card security because it can be time consuming and expensive. The purpose of this paper is to inform merchants of threats facing small businesses and to introduce a network security solution called SecurityMetrics Vision.

Varied Network Vulnerabilities

Mainstream media rarely publicizes anything other than large-scale data breaches in which millions of credit cards are stolen. This creates the false impression that criminals do not target small businesses and reduces the urgency merchants feel to implement network security. Because small businesses are at great risk of card data compromise, network security is essential.

Consider the following:

• How many employees have access to read, write, or modify sensitive employee information or confidential business data on business computers?

• What controls are in place to protect sensitive customer information, employee information, or confidential business data?

• When and how often are employees given training to securely handle cardholder data?

These questions only scratch the surface of security measures businesses should evaluate. Not effectively addressing important issues like these has led many businesses to card data compromise, fines and fees, and sometimes closure.

System vulnerabilities come from many sources: weak wireless security, an improperly configured firewall, or an unauthorized employee browsing confidential files. There are thousands of potential system weaknesses and ways criminals gain network access to retrieve payment card data. The following table lists some common methods criminals use to gain unauthorized access to networks.

The hacking community increases in numbers daily because these attacks are simple. Instructions to perform these and numerous other attacks are easily accessible online.

Successful Compromise Prevention

Businesses must understand that prevention of data theft is not a single action or step, but a series of actions and steps implemented daily. Important portions of these steps include monitoring for system threats and blocking unauthorized network communication.

System Monitoring

The following section provides four methods businesses can use to monitor for network security threats. Each method references the relevant requirement of the Payment Card Industry (PCI) Data Security Standard (DSS). These PCI DSS requirements help merchants monitor for network weaknesses.

| Threat | Method |
| --- | --- |
| Password Cracking | Using password generators, criminals identify passwords from databases. |
| SQL Injection | Adding code to a web form to make data changes. |
| Cross-site Scripting | Exploiting weak user input validation, criminals collect sensitive information such as login credentials. |
| Man-in-the-Middle Attack | Intercepting communications between two parties, usually between a website and the end user. |
| Phishing | Gathering sensitive information through apparently trustworthy sources via email. |

1. Monitor Computer Activity

Like a security guard watches security cameras to search for criminal behavior, businesses need to monitor network computer activity for malicious actions. Monitoring network computer activity, also known as event log monitoring, is part of PCI DSS Requirement 10. By storing and monitoring system event logs, businesses discover possible abuses from employees such as data tampering. Most importantly, monitoring event logs provides warning against current hacks in a network.
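The event log monitoring described above, as an added example that is not part of the whitepaper or of SecurityMetrics Vision: it scans constructed login events for the burst of failed logins that the threat table lists as password cracking and returns a notification record per offending source. The log format, hostnames and addresses are invented for illustration.

```python
# Added example (not SecurityMetrics code): a minimal event-log monitor in the
# spirit of PCI DSS Requirement 10. It reads stored login events and flags the
# "password cracking" pattern from the threat table above: a burst of failed
# logins from one source, possibly followed by a successful login.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a syslog-like format (not real data).
SAMPLE_LOG = """\
2021-03-01T09:00:01 pos-terminal-1 login: FAILED user=admin src=10.0.0.55
2021-03-01T09:00:03 pos-terminal-1 login: FAILED user=admin src=10.0.0.55
2021-03-01T09:00:04 pos-terminal-1 login: FAILED user=root src=10.0.0.55
2021-03-01T09:00:06 pos-terminal-1 login: FAILED user=admin src=10.0.0.55
2021-03-01T09:00:09 pos-terminal-1 login: SUCCESS user=admin src=10.0.0.55
2021-03-01T09:15:00 back-office-pc login: FAILED user=clerk src=10.0.0.20
2021-03-01T09:15:30 back-office-pc login: SUCCESS user=clerk src=10.0.0.20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>FAILED|SUCCESS) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def find_password_attacks(log_text, threshold=4, window_seconds=60):
    """Return one alert per source that has >= threshold failed logins within
    window_seconds; the alert notes whether that source later logged in."""
    failures = defaultdict(list)  # src -> failure timestamps
    successes = set()             # sources with at least one successful login
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore unrelated or malformed events
        if m["result"] == "FAILED":
            failures[m["src"]].append(datetime.fromisoformat(m["ts"]))
        else:
            successes.add(m["src"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src": src, "failures": end - start + 1,
                               "then_succeeded": src in successes})
                break
    return alerts
```

Run against the sample, the monitor reports 10.0.0.55 (four failures in five seconds, then a success) and ignores the clerk's single typo on the back-office PC.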

2. Monitor Internal Network Weakness

If an internal network is insecure, it may be just as dangerous as an unsecured external network. Think of external and internal network security like a security guard who locks all the doors and windows leading into a building and then manually checks the doors and locks inside the building. Internal network security checks for thousands of weaknesses on the inside of a business's network that could result in compromise. Quarterly internal vulnerability assessment scans (PCI DSS Requirement 11) are required to check for these weaknesses.

3. Monitor Wireless Security

In 2007, TJX Corporation experienced one of the largest hacks in history. The cause was an unsecured wireless network. Tracking wireless access points and testing wireless security on networks also fulfills PCI DSS Requirement 11 and reduces the risk of compromise. If wireless security measures such as secure encryption settings are not in place, criminals can more easily gain network access.

4. Blocking Unauthorized Network Communication

In addition to network monitoring, restricting network communication to only those with permission is essential to prevent card data theft.

Network Security Options

Research shows that 53% of small businesses do not secure their business networks because of the high cost in both time and money*. Additionally, SecurityMetrics has discovered many merchants find it difficult to implement monitoring and blocking network security solutions.

Many available security solutions are designed for larger organizations, and their size and noise level make implementation cumbersome for small businesses. Solutions are spread across multiple products from different parts of the security industry, making management difficult and purchasing expensive. For example, some security businesses specialize in firewalls, some specialize in wireless security, and others only offer PCI approved scans.

SecurityMetrics Vision

Because current network security solutions that address PCI DSS requirements 1, 10, and 11 are:

• Addressed with multiple products

• Not designed for small businesses

• Expensive

• Difficult to manage

• Time consuming

SecurityMetrics created a tool for small businesses called SecurityMetrics Vision™. It is small, quiet, installs inside business networks, addresses all of the three monitoring solutions listed above, and includes an industry-leading firewall at a quarter of the price merchants now pay to get similar features.

SecurityMetrics Vision provides a solid foundation to help merchants comply with PCI DSS requirements 1, 10, and 11. The following table shows how SecurityMetrics Vision addresses the security issues these requirements cover.

SecurityMetrics Vision: Above Base Security Requirements

In addition to providing solutions to PCI DSS monitoring and firewall requirements, SecurityMetrics Vision includes other helpful tools for merchants to manage their network security and avoid card data theft. These additional tools are found in the table below.

| Security Issue | PCI Standard | SecurityMetrics Vision Provides |
| --- | --- | --- |
| Block unauthorized network communication | Requirement 1: Install and maintain a firewall configuration | Industry-leading firewall/router |
| Discover malicious activity on an internal network | Requirement 10: Track and monitor all access to network resources and cardholder data | Event log repository, log monitoring, threat notification |
| Remain up to date with internal vulnerabilities that may allow compromise | Requirement 11: Regularly test security systems and processes | Internal vulnerability scanning |
| Detect rogue access points and weak wireless authentication/encryption | Requirement 11: Regularly test security systems and processes | Wireless detection |

| Additional Security Features | Benefits |
| --- | --- |
| Auto populate PCI Self Assessment Questionnaire (SAQ) | Save time with PCI validation |
| Immediate threat notification | Keep up to date with vulnerabilities |
| Password strength analyzer | Ensure passwords are unique and secure |
| Secure file transfer | Ensure files aren't intercepted by a third party |
| Vulnerability reports | Make remediation as simple as possible with easy-to-read reports and recommendations |

SecurityMetrics Vision is simple to install and maintain. SecurityMetrics Vision helps small businesses to:

• Achieve and maintain PCI DSS compliance with PCI requirements 1, 10, and 11

• Detect security weaknesses inside networks with internal vulnerability scanning

• Discover malicious activity with computer event log storage and analysis

• Block unauthorized network communication with an industry-leading firewall

• Locate rogue wireless devices with wireless security tools

• Keep informed of current threats with immediate online threat notification

• Avoid non-compliance fees by automating key PCI requirements

• Reduce risk of password cracking with a password strength analyzer

• Keep safe against new threats with constantly updating scan technology

• Understand how to resolve weaknesses with free, 24/7 technical support

Conclusion

Small businesses are targeted by criminals because many fail to secure and monitor their business network. Industry options to secure small business networks are expensive and difficult to implement.
