Following the launch of PCI DSS 3.0 in January, I’ve been faced with questions from many businesses about changes they should implement within the next year to remain or become compliant with the updated mandate.
In a recent 30 minute webinar, I highlighted 7 simple steps to achieving compliance, which have been featured recently by Windows security expert and author Russell Smith.
It’s important to state that the steps outlined below are relevant to any security policy, and improving overall IT security should be the primary goal when conducting any compliance review.
1. Maintain an IT Policy
This is the most logical starting point but I continue to be surprised at how many IT departments don’t start with a clear IT security strategy. Too often it can come as an afterthought, once new projects or systems have been implemented.
PCI 3.0 reinforces the importance of a clear and well-maintained policy documentation including rules on strong passwords, protecting credentials and changing passwords on suspicion of compromise.
2. Maintain Secure Systems
Admin access to all systems must be controlled to ensure they remain free from internal and external security threats. I can’t stress enough how important it is to have a solution in place for managing privileged access at an individual level. I’ve spoken to so many businesses that still have generic admin accounts or shared passwords.
3. Protect Data
Deploying up to date antivirus and firewalls is a great start to stop infection getting in, but best practice is to remove admin rights and implement application whitelisting to ensure that only approved software, tasks and scripts can be run by users on the inside.
In fact, 51% of organizations believe a cyber-attacker is currently in their corporate network or has been in the past year (CyberArk 2013).
Recent data breaches experienced by the US retailer Target and in South Korea have highlighted once again the huge threat caused by malware and the insider. With admin privileges, your users effectively have the key to the back door and could walk out with your most precious data.
4. Defend Against Threats and Vulnerabilities
The rules of antivirus deployment in 3.0 have changed. As well as being fully operational, any software must be configured so that users cannot disable or uninstall it. Did you know that advanced malware, or admin users, could have access to disable antivirus policies, even with their inbuilt tampering features? It’s impossible for standard users to gain access to do this and another example of how unchecked admin rights can be so dangerous. This leads me nicely to point 5...
5. Controlling Privileges
PCI 3.0 states that user privileges must be restricted to those who require them to perform their job role. In order to remove admin rights from users, most businesses will need more granular control over privileges than UAC in Windows environments can provide. I always recommend that any approach to changing user privileges should be meticulously planned, and fully communicated internally. Without a rich end-user experience, the whole security project is at risk.
6. Monitor Privilege Use
PCI 3.0 has a specific requirement to log activity of privileged users. This is about more than just session recording. Session recording is not a proactive approach to security. It’s effectively like filming someone robbing a bank - you can trace who committed the crime, but the money has still gone. Many CISOs still overlook the importance of removing admin privileges, which prevents access in the first place. Any security layer or session recording solution can be disabled if the user has administrator access, though admittedly, some are easier to disable than others!
7. Defense in Depth
A layered approach to security is crucial. The key is to combine multiple solutions such as antivirus, firewalls, patching, application whitelisting and privilege management. Be aware of all your attack vectors and build your defense layers from the ground up. The “egg shell” approach to security, where the external perimeter is hard but the internal security is soft, just does not work.
In summary, compliance should never be an exercise of ticking the box; it should be about making your systems as secure as they can possibly be. If you follow these basic standards in IT security and maintain effective IT policies, you should achieve the relevant compliance AND protect your most valuable business assets.
For more information on this topic, download our whitepaper on achieving compliance.