Posts Tagged ‘IT security’

Then And Now: Data Security In America Since The Target Breach

Wednesday, December 16th, 2015

It’s hard to remember a time when reports of data breaches, ransomware attacks and business email compromises (BEC) weren’t part of our daily lives. In fact, not so long ago we were pretty content to believe that the controls companies had in place were enough to protect us from the invisible threat of hackers and cyber criminals. But that was just a dream – and it wasn’t long before that dream manifested into a nightmarish scenario for one of the nation’s largest retailers.


Two years ago, cyber criminals gained access to the point-of-sale systems belonging to Target. Authorities later learned that the hacker(s) gained access to about 11 GB worth of data (including highly sensitive personal and credit card information). When the dust settled, about 70 million consumers nationwide were left vulnerable to identity theft and credit card fraud. The magnitude of this breach was huge and, as a result, companies everywhere made an effort to buckle down and implement a slew of “best practices.” But what has really changed since December 2013?

What Have We Learned From Target?

The Target breach symbolizes the moment when the threat of personal data security violations became mainstream in America; and today, we don’t think about fraud in terms of if it will happen – it’s when it will happen. But instead of becoming more vigilant about data security practices, it appears as though consumers have chosen a more desensitized reaction. These days we are content with trusting the credit card companies to notify us of any suspicious activity occurring on our account rather than implementing safer payment practices in our daily lives.

Retailers and credit card companies, on the other hand, have worked hard to make it more difficult for hackers to access their customer data. Since the breach, Target has:

  • Installed EMV-compliant point-of-sale (POS) terminals in all stores to allow for transactions to be processed using a token instead of actual credit card numbers.
  • Joined two cybersecurity threat-sharing organizations in order to share and retrieve valuable information concerning data breaches and the source of those breaches.
  • Implemented more stringent firewall rules and governance procedures.
  • Begun constantly monitoring and logging system activity.
  • Applied whitelisting technology, an administrative process that allows only preapproved applications to execute in a system, on the store’s POS systems.
  • Disabled or placed limited access on vendor accounts.
  • Deployed 2-factor authentication.
  • Established password vaults and required the use of more complex passwords.
  • Thoroughly reviewed and revised its process on how to determine which employees and contractors would have access to consumer data.

With the exception of the first two points, the measures Target has taken since its 2013 data breach are considered best practices, which means that if your business doesn’t have these security measures in place, you shouldn’t wait any longer. And, with regard to EMV technology, most businesses were expected to install and activate the new technology before Oct. 1, 2015 to avoid liability for losses resulting from fraudulent transactions.

A Moving Target

As long as there are fraudsters willing to pay for stolen names, addresses, credit card numbers and expiration dates, phone numbers, email addresses, dates of birth, Social Security numbers, etc., there will be cyber criminals looking for a way to hack into your company’s system to gain access to your consumer data or intellectual property. But if you are really serious about keeping your data safe, there are additional measures you can take.

1. Reinforce Your Firewall

Firewalls should be securely configured and continuously monitored. There are many providers that perform 24-7 firewall monitoring services to protect your company from attacks or to alert you to signs of a possible breach. Moreover, providers are also coupling these services with the use of whitelists or blacklists, which trigger an immediate response if a potential threat is identified. Another great reinforcement for companies with experienced IT staff would be the implementation of SIEM (Security Information and Event Management) or IDS (Intrusion Detection System) software.

2. Take Your VIP List Seriously

Not everybody should have access to your company’s domain – especially outside groups – and you should take care to review your employee and vendor access accounts routinely. The 2013 Target breach resulted from a breach aimed at one of Target’s vendors. Once in, the hacker was able to work his way into the Target Vendor Portal and infiltrate the Target POS systems.

3. Don’t Take Your Passwords For Granted

While reviewing those access accounts, be sure to verify that these credentials, in particular, require complex passwords, limit the number of attempts allowed before the account is automatically disabled, and must be changed regularly. (Believe it or not, the most common password continues to be “123456” – proving that we are still not learning from past mistakes.)
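The account review described in steps 2 and 3 can be scripted against an export of your directory. The following is an added example, not part of the original article: the record fields, the sample accounts and the numeric thresholds are all assumptions, since the article names the controls but gives no numbers.

```python
from datetime import date

# Assumed thresholds; the article names these controls but gives no numbers.
MAX_LOCKOUT_ATTEMPTS = 10
MAX_PASSWORD_AGE_DAYS = 90
VENDOR_IDLE_DAYS = 30

# Constructed sample inventory, shaped like a directory export (hypothetical fields).
ACCOUNTS = [
    {"name": "jsmith", "type": "employee", "enabled": True, "complexity": True,
     "lockout_after": 5, "max_age_days": 90, "last_login": date(2015, 12, 10)},
    {"name": "vendor-a", "type": "vendor", "enabled": True, "complexity": False,
     "lockout_after": None, "max_age_days": None, "last_login": date(2015, 6, 1)},
    {"name": "pos-support", "type": "vendor", "enabled": True, "complexity": True,
     "lockout_after": 25, "max_age_days": 60, "last_login": date(2015, 12, 14)},
    {"name": "old-contractor", "type": "vendor", "enabled": False, "complexity": False,
     "lockout_after": None, "max_age_days": None, "last_login": date(2014, 1, 2)},
]

def audit_account(acct, today):
    """Return the list of findings for one account record."""
    if not acct["enabled"]:
        return []  # a disabled account cannot be used to log in
    findings = []
    if not acct["complexity"]:
        findings.append("complex passwords not required")
    if not acct["lockout_after"]:
        findings.append("no lockout on failed attempts")
    elif acct["lockout_after"] > MAX_LOCKOUT_ATTEMPTS:
        findings.append("lockout threshold too high")
    if not acct["max_age_days"]:
        findings.append("password never expires")
    elif acct["max_age_days"] > MAX_PASSWORD_AGE_DAYS:
        findings.append("password change interval too long")
    idle = (today - acct["last_login"]).days
    if acct["type"] == "vendor" and idle > VENDOR_IDLE_DAYS:
        findings.append(f"vendor account idle {idle} days; disable or review")
    return findings

def audit(accounts, today):
    """Map account name -> findings, omitting accounts with none."""
    report = {a["name"]: audit_account(a, today) for a in accounts}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit(ACCOUNTS, date(2015, 12, 16)).items():
        print(name, "->", "; ".join(found))
```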

By: Joe Welker, CISA (New Philadelphia office)


Don’t Turn A Blind Eye To PCI Compliance

Thursday, July 2nd, 2015

You probably don’t have a lot of spare time on your hands. Between managing your business and employees and ensuring your clients’ needs are being met, the last thing you might be concerned about is adhering to Payment Card Industry (PCI) Data Security compliance standards. But hold up. If your business (or any of your vendors) deals with client cardholder data or stores this information anywhere in your business’s IT systems, PCI standards are not something to ignore. It could be the difference between your business surviving and thriving or going down the drain.

PCI Data Security Best Practices

In November 2013, the Payment Card Industry (PCI) Data Security Standard version 3 was released. There were five requirements defined as “best practices.” And as of June 30, 2015, these requirements are mandatory and may affect your organization.

The Payment Card Industry (PCI) Data Security Standard v3.0 data sheet describes the need for compliance as: “All applications that store, process, or transmit cardholder data are in scope for an entity’s PCI DSS assessment, including applications that have been validated to PA-DSS.”

The two requirements that could most affect your organization are Requirements 12.9 and 9.9.

  • Requirement 12.9 – Additional requirements for service providers: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
  • Requirement 9.9 – Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

So what exactly do these requirements mean for you (and your vendor)? In essence, Requirement 12.9 requires third parties to provide in writing the details of their role in providing PCI compliancy, as well as any requirements of your organization. Requirement 12.9 is relevant to Requirement 9.9 as it relates to devices used to scan or input credit card information. The vendor’s compliancy requirements could require the entity to adhere to Requirement 9.9 by protecting and monitoring devices used by the entity to scan or input credit card information. And because it’s ultimately the responsibility of your organization to protect client credit card information, it is important that your business obtain the PCI requirements of any vendors you work with and adhere to the requirements of their PCI Compliancy Standards. It is always best practice to document in detail when testing for PCI or communicating with your vendor.

Remaining Three Best Practice PCI Compliance Requirements

The other three PCI compliance “best practice” requirements are listed below. These may or may not be items to be addressed by your organization depending on your current PCI classification. It’s best to review and determine if your entity needs to add to your current PCI testing procedures.

  • Requirement 6.5.10 – Broken authentication and session management. Secure authentication and session management prevents unauthorized individuals from compromising legitimate account credentials, keys, or session tokens that would otherwise enable the intruder to assume the identity of an authorized user.
  • Requirement 8.5.1 – Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
  • Requirement 11.3 – Implement a methodology for penetration testing. See P. 93 of the Payment Card Industry (PCI) Data Security Standard v3.0 data sheet for details (Requirement 6.5 is on P. 55).

The End of Outdated Secure Sockets Layer Encryption Protocol

Finally, in April 2015 the PCI Security Standards Council published a new version of the Payment Card Data Security Standard that calls for ending the use of the outdated Secure Sockets Layer (SSL) encryption protocol. The new standard requires that the use of SSL be discontinued and replaced by the use of the more secure Transport Layer Security (TLS) protocol. The deadline for this change has been set at June 2016.

Remember, although you may employ a vendor to process credit card payments, it is still your client’s data and the ultimate need to protect that data is assumed by you.

We hear of new breaches daily, so it’s in the best interest of your organization to know its responsibilities for PCI Compliancy. Don’t assume that all the responsibility is on a third-party vendor, because it is all of our responsibility to maintain security and keep the integrity of our data secure.

By Joe Welker, CISA (New Philadelphia office)

 


How Can Heartbleed Affect You and Your Business’s Online Identity?

Friday, April 11th, 2014

The Internet is a powerful tool – something that can make our lives (and businesses) easier. But it also can be our worst nightmare at times. If you keep up on the news, you may recall within the past few days hearing something about “Heartbleed.” No, this isn’t the name of a new rock-n-roll band. It’s the latest threat to your security on the Internet. News sites started reporting on this newest Internet threat earlier this week. But as more and more has become known about this Internet defect, it’s becoming clear that everyone with an online identity needs to be concerned about it.

Heartbleed is an exploit that basically allows malicious users to run a tool that will gain them access to a Web server and provide them with usernames and passwords from that server. What can this defect potentially affect? Every website on the Internet. Bank websites, social media sites, online merchant sites … the list goes on.

Within the past couple days, a Heartbleed defect was discovered that allows hackers to access chunks of a server’s memory that could contain Personally Identifiable Information (PII). Sites that integrate a Secure Sockets Layer (SSL) encryption certificate are now at risk from this new defect.

Steps For Protecting Your Online Identity

So what should you do to protect you and your business from this risk? Follow these steps:

  1. Take inventory of all of your online accounts and make a list of your accounts.
  2. Before changing your online passwords, contact the businesses behind any accounts that may have SSL certificates to ensure that the company has issued new certificates. To check the “grade” of an SSL-secured site, you can visit the Qualys SSL Labs website and input the URL of the site you’re checking. Sites are graded (A through F) on how secure they actually are.
  3. Change your passwords for each of your online accounts.
  4. Clear your Web browsers’ cache, cookies and history. Check out this ZDNet article for step-by-step instructions on how to do this.
  5. Closely monitor your bank and credit card statements to make sure there’s no unusual or suspect activity.
  6. If you receive emails or other online communication that promises a solution to your Heartbleed woes, don’t buy it. These communications are more than likely spam connected to dangerous malware or pointing you to malware. Heartbleed is a very complex online security threat, and there’s not a simple, quick fix for it.
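For step 2, the issue date on a site's certificate gives a first indication of whether it was replaced after the defect became public. The following is an added example, not part of the original post: the 7 April 2014 disclosure date is supplied here as an outside fact, and the certificate records are constructed samples in the dictionary format returned by Python's `getpeercert()`.

```python
import socket
import ssl
from calendar import timegm

# Assumption supplied for this example: Heartbleed became public on 7 April 2014 (UTC).
DISCLOSURE = timegm((2014, 4, 7, 0, 0, 0))

def reissue_status(cert):
    """Classify a certificate dict in the format returned by getpeercert()."""
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    if issued >= DISCLOSURE:
        # A newer certificate does not by itself show the server was patched.
        return "issued after disclosure"
    return "predates disclosure: ask the site whether it has reissued"

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch and validate a live site's certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates; the account names are placeholders.
SAMPLES = {
    "bank": {"notBefore": "Apr 15 00:00:00 2014 GMT",
             "notAfter": "Apr 15 23:59:59 2015 GMT"},
    "webmail": {"notBefore": "Nov 20 12:00:00 2013 GMT",
                "notAfter": "Nov 20 12:00:00 2014 GMT"},
}

def classify_accounts(certs):
    """Map each account name in the inventory to its reissue status."""
    return {name: reissue_status(cert) for name, cert in certs.items()}

if __name__ == "__main__":
    for name, status in classify_accounts(SAMPLES).items():
        print(f"{name}: {status}")
```

To check a live site instead of the samples, pass the result of `fetch_cert("example.com")` to `reissue_status`.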

Need Advice On Protecting Your Online Identity?

Following the steps outlined above will hopefully help lessen your chances of becoming a victim of identity theft and fraud. If you have questions or need additional guidance on how to protect your business, contact our IT audit professionals at Rea & Associates.

Author: Joe Welker, CISA (New Philadelphia office)

 


Do You Know Who Has Access To Your IT Network?

Thursday, March 20th, 2014

You may find that your business relies heavily on the technical support provided by third-party hardware and software providers. But have you ever considered whether your vendors have direct access to your business’s internal IT network without having to gain permission from someone within your business? If you’re not positive about how to answer, then it’s probably time to do some digging to see if that’s the case or not. It’s possible that your vendor(s) has access to your business’s sensitive data and devices.
