RCR 031: PCI-DSS (Part II)

Apr 01, 2019


Description:

Shon Gerber from ReduceCyberRisk.com reveals to you the steps and the cybersecurity training you need to grow your Information Security career while protecting your business and reducing your company’s cyber risk. Shon utilizes his expansive knowledge while providing superior training from his years of cybersecurity experience.

In this episode, Shon will talk about recent security news: Insurance Companies – Cybersecurity Ratings; Microsoft finds “NSA-Style Backdoor” in Huawei Laptops; NDSU – Nation’s First Ph.D. in Cybersecurity.

Our Cybersecurity Training for the Week is: PCI-DSS Training – Part II

As always, utilize Shon’s cybersecurity training to help fulfill your Continuing Education credits for your CISSP or other security certification.

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet?

ReduceCyberRisk.com – https://reducecyberrisk.com/

Facebook – https://www.facebook.com/CyberRiskRed…

Transcript:

Reduce Cyber Risk podcast, April 1st, 2019, episode 31. Welcome to the Reduce Cyber Risk podcast, where we provide you the training and tools you need for your cybersecurity career. Hi, my name is Shon Gerber and I’m your host of this action-packed, informative podcast. Join me each week and I provide you the information you need to grow your cybersecurity knowledge while taking practical and actionable steps to protect your business from the evil hacker horde.

All right, Shon Gerber again with the Reduce Cyber Risk podcast. We have some awesome things going into the cybersecurity news, along with part two of our PCI-DSS training that originally started in episode 30 last week. We’ve got some great things that are in the news, and I think it’s kind of interesting as it relates to helping your cybersecurity career, or helping you as a company understand some of the risks that you may have to deal with in this whole world of cybersecurity.

The first news article that I have out there right now is an article that came out through SC Magazine. The gist of it was the cyber ratings for insurance companies. Say you start a business and you are considering what you do as it relates to cybersecurity insurance. One of the trends that I’m seeing is that more and more companies are wanting this level of protection, and I’ve also seen it from a large enterprise aspect where, if you are dealing with third-party vendors (and we’ve talked about this on the podcast numerous times), you as a company may want to require them to have some level of cybersecurity insurance. As a result, that would provide a level of hedging, reducing your risk as a company in the event that they would be breached, and this does force them to follow some level of framework. Well, what’s happened is that the insurance companies are now kind of teaming together and working with a company, Marsh & McLennan. The point of it is that, with these products that are coming out, people are a little confused on what is the best product, and I’ll be honest, I am too. Most people are confused on what is the best product for them. So what they’re saying is they’re going to go through and look at all the services and product offerings that are out there, and they’re going to rank and rate them based on how they’re best going to protect you as a consumer, and then from there it will be a situation where you have to decide which one you want to go with.

Now they did bring up some interesting points around this, and what I think is a good idea: they made this point about Gartner. If you’re not familiar with Gartner, it’s hard to explain, and I’ll probably just totally goof this up, but they are a company that you can go and get information from. They do research for you, they have all this stuff available for you, and they also rank and rate products. Their product is called Gartner’s Magic Quadrant, which puts different vendors and products in various quadrants based on what they feel is the capability of that product and service. They do this from hardware to software to insurance as well. So the one point Jonathan made was that there are already programs that rank and rate different insurance companies, so why create another one? I don’t know how well the Gartner Magic Quadrant works for this. The basics on this is that it does a really good job of providing information, but I still think it’s important to have multiple streams or multiple inputs that would give you that guidance and direction, not just one to rely upon. But the cool part about that is that you, as a business owner or as a security professional who’s consulting to a business owner, may want to ask the questions around these ratings that they are going to produce for you, so that allows you to use these terms in ways that will help you understand a little bit better the whole insurance landscape. I’ve noticed that as I look at insurance language, yeah, I struggle a bit with understanding what it all means, and so I think the rankings and ratings will be helpful, in my personal opinion. So it’ll be too soon to see how this plays out. The one thing that a lot of these insurance companies are starting to require is some level of framework or regulations that will help guide you in this direction, and that was Jonathan’s whole premise as well: these frameworks are already in place, so you don’t need to reinvent the wheel as it relates to these products. So it will be interesting. That is in the article from SC Magazine. The thing that made me think just a little bit was, okay, so here’s the quote: “What if the company follows the system and still suffers a data incident which fails to meet GDPR requirements?” Okay, so the point of that is that now you have a breach. So you buy this insurance stuff, the rating comes out, these are awesome, yeah, this is the best one to do and it should take care of all this. Now all of a sudden you get breached, and you followed the framework but you still got breached, which I guess is what will happen, you’ll still get breached. But now the question is, will the insurance pay the 4% GDPR fine? And so the interesting aspect on that will be, 4% of a company, especially a global large enterprise, the interesting part will be what will happen with it, and I just really don’t know what they’ll do. I think it’s still going to be all played out over time and we just don’t know which way it’s going to go. But I think you’re going to see more of this as companies start to get into the cyber insurance space and they start requiring it, so therefore if demand increases, so will the attention to this.

Moving on to the next article: Microsoft finds an NSA-style backdoor in Huawei laptops. Now we’ve talked on Reduce Cyber Risk a couple of times about Huawei and some of the challenges that they have been seeing
throughout the world as it relates to their technology. Many will argue that their technology is riddled with backdoors, with malware and so forth, with spyware based on the Chinese government and their access into your environment. The U.S. government has stated numerous times that they will not buy Huawei software or hardware because of these backdoors that they believe are in the system. Now I will say that we have seen numerous occasions where the Chinese have imported some level of software within hardware devices, especially ones manufactured within China. So whether or not that is state-sponsored, or whether it’s just individuals that are acting on behalf of somebody, I don’t know. Bottom line is that they found something within a Huawei laptop, and it’s similar to what the NSA has done. And so the interesting part about this is going to be: you have governments that are positioning themselves with Trojan-horse type things within hardware and software that are now becoming interconnected. How’s that going to play out? In reality, coming from my military background, I consider a Pearl Harbor type of event, for example, where the US was sleeping, was not aware, and the Japanese government attacked Pearl Harbor in the United States. So is the Chinese government going to put all these Trojans and backdoors in systems and then pop them out in the event of a military action? I don’t know, but all I can say is that if I was a military person, and as a person who would deal in this space, be smart. It’ll play out and it’ll just be interesting to see where it goes.

What happened was Microsoft Defender Advanced Threat Protection is what triggered on it, and what it found is a driver within ring zero, which is basically in the kernel, that was able to give them access, and you were able to basically escalate your access through that. Now if you can get to ring zero, it’s game over, right? You already own that system. So the interesting part about that is Microsoft products are being able to detect that. That’s why, when you’re talking about protecting your company, having these pieces of software is very good. Now I will know from my background that typically the things that get discovered on systems are vulnerabilities that have been around for a while, so the really good stuff they’re probably hiding off in a little boat somewhere, and so it’ll be interesting to see where this goes and if it’ll affect anything. Now according to the article that was in SC Magazine, Huawei responded quickly and professionally. We probably won’t ever know the inside anyway. The interesting part about the NSA-style backdoor article was that on the 27th the US government basically said we are not going to use 5G systems from Huawei, and there was a bit back in a podcast a couple of weeks ago where the UK was still mulling over whether or not they’d use 5G systems within their environment. Well, the UK decided that they were going to continue moving forward with Huawei 5G systems, and this happened on March 27th of 2019. Their premise, in the article at least, was that the US government “failed to produce evidence to support their claim,” quote-unquote. Okay, so bottom line is that they didn’t think that the US provided a strong enough case for them to not stay with Huawei 5G. Another part of that was that they talked about the EU as a whole: if one member state is affected, they’re all affected. So does that just basically mean, because they’re tied in with the EU and the EU was going with 5G, that the UK really couldn’t say they didn’t want to do it? Which also rolls into this whole Brexit thing and how that’s all going to play out. So it’s just a lot of moving parts that are happening, a bit of consternation and some questioning. So we’ll see how it goes, but it’s always an ongoing drama. We will see how it
plays out in the future, but there’s something new every day, it seems like. Okay, and this one is NDSU’s nation’s first Ph.D. in cybersecurity. Now the one thing that they brought up that I thought was interesting (this article is through Dark Reading) is that they talk about the focus of training university-level educators. The focus on training university-level educators is that they are going to be teaching people that already have computer science degrees, who might be teaching at a college graduate level right now, and the point of it is that they would provide the education and training for these people, the additional ones, and I think it’s a really good option. The one thing I will say is that as the world is changing, the one thing I’ve noticed, especially at the college level, is that sometimes they don’t change real quickly as it relates to education. I’ve seen professors still teaching very old technology, mainly because, to be honest, they might be struggling a little bit in dealing with all of the change and keeping up to speed with it. I deal with this on a daily basis; it is overwhelming how much information is out there, and so how do you keep up with it? And I’m in this space living it, let alone trying to be an educator in the space, which would be very challenging. So the focus here is that the nation’s Ph.D. program is going to focus on educators specifically, so I think it’s a really good move. I think it’s going to be very helpful as far as the overall goal. Software development, databases, algorithms and AI: the artificial intelligence piece as it relates to cybersecurity is a really good piece of this, and where that goes, I think it’s the future. So having an understanding of cybersecurity, especially having a way to teach the new people around that, will be very, very valuable. It would also be interesting to see, with educators in cybersecurity, how do they roll into the high schools as well? So I think that could be a possibility for this college, to be able to provide something for high schools as a supplement: if you’re teaching comp sci and all the aspects of that, something for your instructors so that they can teach their students, having the ability for a high-school teacher to be able to teach the concepts of cybersecurity as a way to lead into your curriculum. I think it’s a really good program. Very sharp; I was just kind of reading through their bios and I’m like, oh yeah, my third-grade education just won’t go very far with them. But the bottom line is that Dr. Kendall Nygard and Dr. Jeremy Straub are the key people within that group, but I looked at their founding members and they’re very, very large as far as what their capabilities are, so they have a lot of background from all over the globe, and I said that was very cool. The dissertations are on cybersecurity, cyber education technology and cyber education research. So there again that spin is mostly on the cyber education piece of it, which I think is really truly needed, rather than having these really big people with super powerful brains thinking this stuff up, which is good, but understanding that they’re not trying to get at it at the graduate level, because in most cases the graduate-level people are way smarter than me and so then it gets confusing. So this is a great way to bridge that for North Dakota State University. Especially, it was really cold all the time, and it’s like really cold, so cold: Grand Forks, which is 60 miles north of Fargo, where I had to take the battery out of my car in the winter because it got to 280 below, and then on top of that, pulling the battery out, I didn’t get to it fast enough and the battery case cracked and then bled all this all over my clothes. That was a bad day. So it’s cold up there, so that’s good to study cybersecurity in Fargo, North Dakota, because guess what, you can’t get out. So that’s the
interesting part. As we move on to our training, one thing I want to put out there about PCI-DSS, one plug I want to put out there, is ReduceCyberRisk.com. Go check it out. At ReduceCyberRisk.com I’ve got gobs of free stuff for you. There’s also some free training that you can have, and if you are working on your certification, potentially even the CISSP, the Certified Information Systems Security Professional, there are also Domain 1 videos. Of the eight domains, I’ve got the Domain 1 videos out there that are free for you guys to check out and look at, download, do what you need to do with them. Along with that there’s also some other great content that we have for cybersecurity for businesses and key things you need to consider as you’re looking at that from a cybersecurity point of view. Awesome, great stuff at ReduceCyberRisk.com. Check it out.

Now for the training. This is Shon Gerber with Reduce Cyber Risk, and now PCI DSS. All right, this is part of the CISSP supplement, part of the stuff that I put out there for Reduce Cyber Risk, helping you and your security company at your businesses be more secure, along with helping security professionals understand security and assist with the CISSP. So we talked about in the previous part the PCI DSS aspects, what the key components were around that, what it was, how we get there, how we secure a network, how we build our network, how we secure our network, all of those aspects that go into protecting it. And then as we went through the different pieces, how you’d assess, how you remediate, and how you’d go and comply with these different pieces of the PCI security standards. One of the aspects that came around this was to include security controls in building a secure network. Well, the key aspect around that is: what are some points that you need to put in place for your company?

The first one is where I kind of get into this. We’re going to roll through some of these security controls, about 12 of them, that if you put these in place, this is kind of the crux of what you’re going to need to do within your company, from a business standpoint and from a security professional standpoint, to ensure that you are meeting the PCI security standards. In these security controls there’s a litany of things you need to do besides just going, hey, I’ve got a firewall, I’m good. I know there’s more to it than just that, but at the end of the day this is where you begin this process. So the first one I want to get into is firewall protections, to include wireless. Now you need to understand that if you have PCI DSS payment cards that you’re accepting, the PCI DSS security standards require you to have firewalls that are protecting, to include wireless, so that you would have a segregation of your network: basically you have an untrusted network segregated from your PCI environment, from your credit card information, so as to basically not have the blending of data. I saw one situation where I went out for dinner one time, went to a merchant to have dinner, and I was eating my food and I looked in the back. They had a door that went all the way to the back and you could see through the kitchen to an individual, and there was a computer, and on this computer was a person that was sitting there playing solitaire. I said, so what? I mean, all those things are just fraught with danger. Now, can you do that? Well, yeah, there are other ways to work around segregating those environments so that they’re protected, but bottom line is that’s just a really bad way of doing business. If you can’t segregate this information, you now run the risk that you have all these 18-year-olds, and I don’t know 18-year-olds, that really don’t know much, because they’re just getting started, right? They know a lot about their world, but when it comes to
security, most of them don’t have a clue. And so what’s happening is you get these 18-year-olds that are utilizing this information and they’re exposing your company, if you’re a business owner, to risk, and so therefore you need to put things in place to mitigate that risk. Now again, if you decide it’s not a big deal, you’re not too worried about it, you just make money as fast as you can, great, but there’s a good chance you could bring yourself into some issues down the road, where one, you end up having a breach, you don’t know what to do with it, and how do you handle that? So again, no direct public access to the cardholder environment, following that one tenet that I said, where they had internet access. Personal firewalls on computers: the next one coming down is, do you have protections that are on those computers that are tied to the credit card information, that are segregating this data from everybody else? In the old days they had a personal firewall on the system; in many cases Windows 10 has it already built into it, that’s all automatic, but you need to have some level of segregation for those systems, and that’s what they’re wanting. They’re wanting each individual device to be separated from another device, and to not allow an attacker, or someone who gets on the network, to then just go pivot and move sideways within your environment; there are restrictions that are holding them back. So that’s the purpose of that. Bottom line is that you need to look at what are some of the aspects around the firewalls and the individual protections. It could be hardware firewalls, it could be software firewalls, but do you have your network segregated, and do you not have wireless connected to it from a payment card standpoint?

The next one is no default passwords. Now default passwords are commonly searched for, and what we run into is most vendors, and I’ve seen this in multiple places, right, vendors will come, and when they’re setting up a product to ship it out the door they will set up a default password. In the past you’d have routers that would go out to the world, wireless routers, and they would have the default password, which would typically be admin/admin or something like that, and the goal is to allow the individual the ability to go in and configure these systems in a timely and easy manner, right? You would go in with admin/admin, make your changes, and then the goal is that you would change the username and password to something different. People are looking for the easiest way, because they’re always so time-strapped. I mean, I don’t really blame a person; most of the time what is happening is it’s like, okay, admin/admin, I’ll get back to that, okay, I’ll get back to that, and they never get back to it. So the thing is, you need to look for no default password. If you get a product that comes in, hopefully the vendor has created a way that it would not allow a default password. It’s maybe a situation where the username is admin and the password is a randomly generated number that is not one and the same. We used to go online, when we were looking at how to break into wireless routers, we would search online for what the default passwords were for a certain router or a certain switch, and you’d find those online everywhere, and then the default for the router was admin/monkey or something like that, and then you would use those. That’s why the default passwords are so important, that you don’t keep those. So if you’re a security professional and you’re bringing in equipment, or you’re a business owner and you’re bringing in equipment, and you’re looking at what do I do, what you need to make sure is that whatever password is there, you change it; do not leave a default. Even if they say it’s a randomly generated password, I highly recommend you change it to something that you know, and if you can change the username to something different, I would recommend that as well. The other thing to consider is storing all of these in some sort of password vault. I would recommend that, and not just necessarily an Excel spreadsheet. Sometimes they don’t want those offered within any device that you have, and it basically allows for quick access into the network. Well, now we talked about that a bit, but bottom line: don’t use default passwords.

Security control number 2 is protecting stored cardholder data. This is something that’s very valuable that you must go do, and I should say, not all of these you need to consider, but if you are keeping stored data, this is imperative that you do this, because one, it opens you up for liability if you don’t, and two, it’s just good business sense to do it. The first one is to encrypt using industry algorithms. So don’t go out and find the newest algorithm that Billy Bob Thornton, but anyway, Billy Bob comes in and says, I have created this new super-duper algorithm on how to encrypt using chicken level 4-6-7-2 and quantum mechanics, and yeah, it’s awesome. If you use that you set yourself up for failure. Don’t do that. Just utilize known algorithms. Why? They’ve been beat on and beat on over and over to the point where they’ve found there are vulnerabilities with those algorithms; they’ve been known and they’ve been fixed. If you go to pick something else out there, that may be the best thing in the world and it might be the newest thing that’s coming out, but it’s probably going to have issues. Stick with what is known, and most of this stuff is already built into the application that you may have purchased for your company. But just know that, don’t go with something that’s got, like, a 56-bit key, that’s a bad idea. You need to understand the most current is around AES-256, something along those lines is most current, so stick with those; do not go with something that is fly-by-night. Storing primary account numbers: they must not be stored, and you need to understand your environment, how they’re being stored. Do not just go and grab the data off this machine, or the network, all right, I’m good,
and you’re assuming that the vendor that you’re buying it from is going to take care of you. I did see recently how other companies, you know, you see people using iPads, and instead of a register, a full-up register, they have these iPads that are collecting this credit card data. I mean, I’ll be honest, they’re a little wonky, and they work, they work just fine, but they do seem wonky. Now there’s companies out there that are providing these that are built more solid, more secure, and they just look better, the same concepts and technology, but they are providing this for you. What it comes down to is if you get this as a vendor, as a merchant, and you say, okay, well, I’m going to put this in my business, don’t just assume that it’s correct. Ask the right questions. They do this for a living; however, one thing I have learned is that the more times I ask questions about this, the better off I am, so I always ask questions as it relates to protecting you. You just have to do it. It’s your business, and if something goes bad and the credit card company comes out and says, you know what, you can no longer have this credit card data, well, that’s bad, right? But if it takes you out of business, they lost business, but you lose your business. Do not just make assumptions based on what the vendor is saying, yeah, this is good, we’re good to go. Ask the right questions, know the information yourself, just to be properly prepared, especially if it’s your lifestyle and your livelihood. It’s a wise idea to do.

Okay, so next we deal with encrypted transmissions. Now this is typical; anything that is transmitted. That was one of the controls: protect stored card data, anything that’s encrypted. The other one is encrypted transmissions. This is examples where data is sent, so if you’re having data that is shipped away from you and sent someplace else, you need to make sure that it is encrypted when it’s sent there. This is processors, third parties, backup servers, you name it. So if the data is being sent from yours, you’re collecting it at your location, at your hardware store, and as you collect it at your hardware store and you’re shipping it to somewhere in Kansas, right, you need to make sure that that data transmission is encrypted. Yes, this data is encrypted while it’s being transmitted; if it doesn’t state that, you need to ask the vendor specifically and say, is this data encrypted? If you’re a security professional you need to understand how it is being protected and why it is being encrypted. That is an important aspect, and if you are having to file a report with the businesses, or with the credit card companies, they’re going to ask you specifically, is the data transmission encrypted? And you have to be able to say yes it is, and you have to know why it is. So those are pieces that are in place that you must consider. Now the one thing that I’ve got on there is processors and third parties. So sometimes you’ll have, say, you may have a processor, backups. Well, if you’re backing up to the cloud, and let’s just say it’s using Google Drive or something like that, that transmission is encrypted. However, if you have one that’s local within your environment and you’re just backing up to a server that sits in your network, are you actually encrypting that transmission across the wire? So I have a box that I’m working on, and you know what, my backup server, this wouldn’t be good, you’d want it in a different location in the same building: you know what, that’s the computer over there in the corner, that’s my backup server. The data going from that computer, is that encrypted? It had better be. So those are pieces around the security controls you need to be aware of, and again this is just a small subset. I highly recommend you get in, I don’t recommend, you need to, especially if you are a security professional doing this: you need to understand what the network architecture is, what the minimum requirements are. But bottom line is you need to encrypt your transmissions that are being sent from that device.

Other security controls: antivirus software. This may be required to be installed on all systems connected to the network. So if you decide that you don’t want to run AV, then that system should not be connected to the same network that you’re running your credit card information from. Any system that has any sort of credit card information running on it needs to have antivirus installed. There’s many vendors out there that provide this; there’s also, if you’re dealing with Windows 10, it’s already built into it. There’s a lot of products that can do this for you that can make your job very seamless. If you decide to go on and work on old stuff, well, now you’re incurring more vulnerabilities, but you’ll have to ensure that there’s antivirus running on those systems. We talked about how, in some cases, it’s been antiquated, the old way of doing business; however, all that being said, it’s still better than nothing, and I will highly recommend you run new, updated Windows 10 operating systems that will keep all that for you and have it all built inside, so you don’t have to worry about it. Also, the nice thing I like about running Windows 10 is BitLocker within your computer, so that helps reduce your risk as well. So those are points you need to be concerned about as far as the antivirus pieces. The other thing that comes into this: any vendor that provides you software for point-of-sale type information, they need to have some sort of antivirus scanning as well. Now that needs to be in place; you need to find that in their documentation; you need to ask them that question. I’m going, okay, with you providing this software, how do I know that it’s not having issues, where is the antivirus, does it need to be there? And I’ll see some directions to Windows, and these new registers that are utilizing Apple iPads, and Apple does a really good job of segregating and keeping data
secure. So in some cases that may not be necessary, because of the situation where they’ve partitioned a lot of that risk off, so that there’s really not much of a way that some sort of malware can get into that environment. However, one of the questions you want to ask yourself though is, how do they update? And it will be one of the things we have in our next bullet: how do they update those systems? Are patches pushed to that device? If I have this point-of-sale device, how do I know it’s going to be updated for any vulnerabilities that could be with the application that they created? How do I make sure that someone doesn’t install apps on there that are not approved? Those are pieces that should be happening. So back to the first bullet about antivirus: you need to make sure, with the point of sale around this, what are they doing, and ask those questions. Do not, I repeat, this is your livelihood, do not assume that they are just going to take care of it. That’s a bad assumption, because they end up losing you as a customer, but you’ll end up losing your livelihood. Not a good place to be.

Updating and patching systems, security control: you should look at auto-update. It can be useful, but beware, auto-updates can cause issues within your environment. You can patch the system and update the system, but realistically that may be something you may or may not want to do right away. You may not want to have it just do it automatically for you, because sometimes those updates will break things, and if they do break things then you have to ask yourself, what then? Maybe it takes you down, so you have to understand how you want to handle that. Now if it’s a point-of-sale system and they’re pushing updates, that’s one question you want to ask the vendor: are they going to automatically do that? Because the one thing you don’t want to have happen is at 2 in the afternoon they push an update that breaks your point of sale and now you can’t take orders. How does that vendor handle that? It would be very valuable to ask, just to understand when they push these updates. This is the last thing I want to deal with, but if you’re a small business owner, you are the IT person, so guess what, sucks to be you, you’d better figure it out. You don’t want to be going and getting mad at your point of sale or your cash register when it is not working because somebody pushed out a patch to you and caused issues for you. Update to current operating systems: we talked about this before. Don’t use Windows XP, don’t use old stuff, and now even Windows 7 is going end of life, so don’t use them. Update your stuff to Windows 10, just do it, right? Pay the money; it’s not a lot, and it will keep you more secure and put you in a much better place, and at the end of it it will keep your headaches a lot less. All these older systems trying to communicate with each other, unless you’re a geeky guy and you like to do that kind of thing, great, but in most cases, if you’re running a business, you don’t want to mess with that stuff. Also, they include any and all applications and devices, so this comes into patching as well: firewalls, your internet browser, your applications, that’s Word, Excel, all of those, are they being updated? And it’s imperative that you consider that as a point, because everything from the device itself to the applications all have updates, and in many cases those are the ones that are most often forgotten and left out, which ends up causing more risk for you and your company.

You also need to restrict cardholder data to only need-to-know. This is role-based access control. Now what this comes into is that if you get the eighteen-year-old who’s working in your environment, that person can only get access to this; they’re only dealing with that, right? So that’s role-based access control. They have administrator and user accounts. These administrators, in a case, say you have one person who wants to get access to your payment card area, that is the administrator account, and then you have the user account. Well, you don’t want your 18-year-old or your new hire to be accessing as administrator unless you have controls in place. If you’re the business owner, you’d probably want you, or someone that you trust, to be the administrator of that account. Now that’s what you really want to break this into, and you don’t want everybody to have administrative rights. That just kind of goes without saying, but you need to consider that you put that in place so that you can limit the access that these people have. It is also required by PCI DSS: Bill is a user, and then Bill leaves and a new guy comes in; you have to make a change to your list to ensure that Fred is now annotated on that list as a user. The purpose behind that is to have accountability: in the event something happens, you now have somebody that you can go back to and say, yeah, Bill is the one that did that, or Fred is the one that did that, and we know that because he was working at this time, there were logs in place, and because of that we know that that’s the person who did it. You have to have some level of accountability. So that’s what they want you to do when restricting cardholder data to only need-to-know.

Passwords to individuals with computer access: it needs to be unique IDs and passwords for individuals who have access to the computer system. That gives accountability; it needs to be unique and complex. You need to make sure that they are tied specifically to the individual and not to some random rogue account. Again, this comes back to maintaining and ensuring that people are doing what they’re supposed to be doing, and you have the audit trail to go back and show, if something bad did happen, who did it, why did they do it, where were they at, when did they do it; all of those pieces have to come into play. No sticky notes; don’t put passwords next to your systems on a sticky note. Utilize, again, an online storage like LastPass or 1Password; there’s other ones out there as
well that can store these passwords for you but in the case of that as well don’t let everybody have access to this password Vault or database because now you’re just setting yourself up for more problems professional pay attention to that this is not a joke you got to keep these things separate and secure you do it right the first time you and get people in a habit of using it the right way you will make your life so much easier long-term versus having that try to break bad habits that have been ingrained over time of having a sticky note underneath the keyboard and people just using that something consider again last security control there’s a sign ID and passwords dealing with security controls around restricting physical access so when you’re dealing with the workplace one thing to consider is that when you’re done with card holder data you need to ensure that you have restricted access of the data itself so you need to keep the location secure so if you have a credit card system that is sitting out there and it’s open you need to make sure that it’s behind a locked in an office it could be in a situation where it’s in a locked closet it’s running and it’s well-lit so to make sure that if anybody does have access to it that you’re watching what they’re doing and in avoiding anybody from potentially having access to the the system itself but be stored in open areas I can kind of talked about before where you had a lot of people that are coming and going and pushing employees I’ve seen it where that these things have sitting in a break room and these computers in the middle of the corner and then someone goes what’s what does that our payment data on that’s a bad idea right if there’s a lot of people have access to that computer or availability for you need to have that taken care of and and watch and monitor at 8 or so again don’t if it’s a NASA segregated system completely independent with medications on that box completely I mean if you really want to avoid it 
you may have a PDF viewer on there you may have some word on there but at the end of the day you really don’t want to have much for applications that are sitting on that actual system itself but again keeping it away from people keeping away from the from individuals that have access to it and limiting its access to very small subset of people monitor it and watch it along you monitoring there also need to be some level login monitoring enabled on these systems so in the event that someone potentially gets in their brakes in you are from a hacker standpoint or any sort of data loss you have some ability to go back and track that from an audit perspective you must have that in place since I’ve seen it where in audits that individual say yeah we have logging and monitoring we have the ability to it to determine if someone is working on it or not well it would end up happening is as they say you only have one day of laws that isn’t useful to help you any need to be enabled but you never look at them well what’s the point right so you have that just can’t be a checkbox and I’ve got logs were monitoring them yes but nobody’s looking at them know well then how would you know if he is suspicious activity or not you wouldn’t so it’s him it’s really important that you focus on keeping this data and having some way of generating report out of it the nice thing is is that if you if you have this you can come with up with just start off simple and straightforward it be a whole lot easier that you can work through it but keep it simple don’t get overly complex and it’ll work out for you but you’re logging and monitoring and some level of auditing operation test so modlily schedule look for issues externally to your website so if you have a website and you do e-commerce off of that website and you fall with him one of those quality of the security assessment right so if you’re looking at different assessment questionnaires essays look at that are the SATs I should say based on 
those that SAQ you may have to have an external scan done of your website at least can be done score delay by a scanning vendor which can do that for you and you pay for them to do that there’s multiple companies out there that provide the service but they have to be certified by the security Council on how they’re going to handle that and they have to basically me to Criterion Hollywood Scandal what kind of report they provide and so forth what does vulnerability scans may need to be required depending upon your business and what your capabilities are not penetration tests are focused on finding websites dive into the weaknesses and we’ll try to exploit that weakness in previous life working was as I come out of the red team we would do penetration test of military facilities and Military asset and we are looking specifically for the deep-dive capability and what what can I export it wasn’t trying to go broad-brush it was trying to find one exploit that I could then peel back back and then drive deeper to what can I find out of it the very targeted approach on how you gonna handle exploit you you’re looking at a specific event a specific area specific server I’m not trying to find a large group and then try to just scan them in and see what I can find typically though it ends up happening as you may start with the scan to find a specific vulnerable system and then you would a penetration test within Drive deeper into that actual system there are requirements based on the SAQ that you may have to do and so based on that SAQ you may have to have penetration test done every so often I know service providers have to do this they have to have it done at the Expo frequency if it’s twice a year once a year typically penetration test event they’re kind of pricey so I would be willing to bet that as long as you’re doing your the rest of the scans the penetration tester probably an annual the type of event where you would do one a year on targeted system so you probably 
have most likely these vendors are having to have a and annual quarterly scans that are done by a scanning vendor but then have to do a penetration test that’s done on a yearly basis documentation of risk assessments we talked about before it’s not just keeping some pieces of paper hanging out there you must keep the documentation on your security practices in place what are you doing for that this includes policies procedures and evidence as well the purpose of it is is that in the event that something happens you have to have the ability that you are taking this stuff seriously and that you’re following what you say that they require you to do this is policies procedures evidence all of that that that provides that capability to or the understanding that you are paying attention to what the the companies are the car holders the card issuers are requiring you to do as part of the PCI DSS standards you need to have examples of documentation employee manuals I have you just played to your or informed your employees that they have to do this that the other than required to the you are a user or you’re an administrator these are the rules for administrator these are the processes that administrator must do this is how often that you must have this done so on and so forth now their policies in place at all employees know about that are aware of them other third-party agreements in place that you have talked about and do you have documentation in place with you or your vendors especially as you deal with a security scans do they have that in place do you have your third payment third-party payment processors do you have that in place where you talk to to them about their security standards and understanding that a lot of people do you have an incident response plan ready to go what does that mean while it is a response plan is do they have something in the event that there’s a Aristo you have a break you have a hack and you can afford maybe if there’s been a hack do you 
have a process in place to deal with that hat do you know who the other right people to contact you have a lawyers that you have that you can communicate with is if you’re not the owner of the company do you have the owner’s phone number on speed-dial do you have public affairs all of those aspects how would you handle that all those aspects are detailed out in an incident-response plan and so therefore it’s imperative that you had that kind of predefined and done already and then you also recommended you work through that with your employees or it at a minimum with the officers of your company to ensure that everybody is connected with an incident in the event that something bad would happen finally you have a risk assessment that you can do that you do and this would identify any critical assets threats that you may be experiencing some that must be accomplished as well these these can be very simple they can be very straightforward and they don’t have any complex depending upon the size of your company or organization but they they help you. Kind of structure your brain around what are the actual risk to my company what is critical to me and how do I best protect myself against any sort of threat that might be out there and pose against my individual business and especially the relates to the Predator the credit card industry in the PCI DSS standards I hear some the references that we brought up from this it’s a PCI security standards and a whole bunch of great stuff out there on those security metrics and also these clients links for each of the credit card companies is included all right that’s all I have for the PCI DSS hope you enjoyed this training a lot of great stuff for you on reduce cyber risk of check me out there you going to check me out online at Twitter and also on LinkedIn hope you enjoyed this training and this is a more great stuff will be coming from reduce cyber-risk have a great day
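The accountability and logging points in the training above (unique IDs tied to individuals, administrator versus user roles, and logs that are actually retained and reviewed rather than treated as a checkbox) are the kind of thing a small shop can check with a few lines of code. The following is an added example written for this page, not code from the podcast or from any point-of-sale vendor. The log line format, the account and role names, the admin-only action list, the sample log lines and the 90-day retention target are all assumptions constructed for the example; a real POS product will log differently, so the parser would need adapting.

```python
"""Audit-trail review over constructed point-of-sale access logs.

Added example: the log format, account names, action names and the retention
threshold are assumptions for illustration, not from any real POS product.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines. Assumed format per line:
#   <ISO timestamp> <user> <role> <action> <resource>
SAMPLE_LOG = """\
2019-03-25T09:02:11 bill cashier VIEW_CARDHOLDER_DATA pos01
2019-03-25T09:15:40 fred cashier VIEW_CARDHOLDER_DATA pos01
2019-03-26T14:03:05 admin admin EXPORT_CARDHOLDER_DATA pos01
2019-03-27T10:31:22 bill cashier EXPORT_CARDHOLDER_DATA pos01
2019-03-28T16:45:09 fred cashier VIEW_CARDHOLDER_DATA pos01
2019-03-28T17:00:00 owner admin INSTALL_APP pos01
"""

# Shared or generic accounts: if one of these shows up, there is no single
# individual to go back to, which defeats the unique-ID requirement.
GENERIC_ACCOUNTS = {"admin", "administrator", "pos", "root", "manager"}

# Actions that only the administrator role should ever perform (assumed list).
ADMIN_ONLY_ACTIONS = {"EXPORT_CARDHOLDER_DATA", "INSTALL_APP", "CHANGE_CONFIG"}

# Assumed minimum number of days of history the business wants to look back over.
MIN_RETENTION_DAYS = 90


def parse_log(text):
    """Parse 'ts user role action resource' lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, role, action, resource = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user, "role": role, "action": action, "resource": resource,
        })
    return events


def find_generic_account_use(events):
    """Events performed with a shared/generic account (no individual accountable)."""
    return [e for e in events if e["user"] in GENERIC_ACCOUNTS]


def find_role_violations(events):
    """Events where a non-admin role performed an admin-only action."""
    return [e for e in events
            if e["action"] in ADMIN_ONLY_ACTIONS and e["role"] != "admin"]


def retention_days(events):
    """Days the log actually covers, counting the first and last day."""
    if not events:
        return 0
    first = min(e["ts"] for e in events).date()
    last = max(e["ts"] for e in events).date()
    return (last - first).days + 1


def audit_trail(events):
    """Per-user list of (when, what, where), in time order."""
    trail = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        trail[e["user"]].append((e["ts"].isoformat(), e["action"], e["resource"]))
    return dict(trail)


def run_review(text):
    """Summarise the checks a reviewer would actually look at each week."""
    events = parse_log(text)
    days = retention_days(events)
    return {
        "generic_account_events": len(find_generic_account_use(events)),
        "role_violations": [(e["user"], e["action"]) for e in find_role_violations(events)],
        "retention_days": days,
        "retention_ok": days >= MIN_RETENTION_DAYS,
        "trail": audit_trail(events),
    }


if __name__ == "__main__":
    for key, value in run_review(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed sample, the review flags one use of the shared "admin" account, one cashier (bill) exporting cardholder data, and only four days of log coverage against the assumed 90-day target, which is exactly the "we have logging, but only one day of it and nobody looks" situation the training warns about. The per-user trail is what lets you answer who, what, where and when after an incident.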