Where does your average information security professional spend the majority of their time? If you guessed monitoring or compliance activities, you're unfortunately wrong.
Self-created security vulnerabilities are actually the biggest time commitment for today's security professionals, according to recent CSO research. While 73% believe their organizations are likely to fall victim to attack in the next year, almost a third feel like they are "completely underwater."
You've probably heard the credo that security programs should be proactive, not reactive. When it comes to threats, vulnerability assessments are a key tool for being prepared. In this blog, you'll learn how to improve your security assessments so you can swim instead of feeling like you're sinking.
What are Information Security Threat Vulnerability Assessments?
Threat and risk assessment are at the core of an information security program. Security pros are called upon to constantly assess threats and vulnerabilities, and to implement safeguards against loss. SANS writes that risk assessment involves six key steps:
- Data collection
- Analysis of policies and procedures
- Threat analysis
- Vulnerability analysis
- Correlation and assessment of risk acceptability
Vulnerability assessments, by SANS' definition, are a component of risk management. They are the act of deciding which steps will best improve your safeguards, using data-driven insight into your network.
Where Does Threat Assessment Fit into PCI Compliance?
PCI requirement #5 is dedicated specifically to vulnerability management across the entire "infrastructure", including:
- Security procedures
- System design
- Internal controls
This section has two specific activities, detailed below:
- 5.1 Deploy anti-virus software on all systems affected by malicious software (particularly personal computers and servers).
- 5.2 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.
In addition, PCI requirement #11 addresses the regular testing of security systems and processes. The five requirements are as follows:
- 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.
- 11.4 Use network intrusion detection systems and/or intrusion prevention systems to monitor all traffic...[and] alert personnel to suspected compromises.
- 11.5 Deploy file integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files or content files. Configure the software to perform critical file comparisons at least weekly.
For more insight into how to meet the requirements of PCI 5 and the other 11 requirements, we recommend The 2016 PCI Compliance Checklist.
Risk analysis was formally required by HIPAA [§ 164.308(a)(1)(ii)(A)] and is still mentioned in the NIST guidelines for FISMA. While specific compliance requirements may vary, vulnerability analysis is a security best practice for any organization.
For companies achieving or maintaining PCI compliance, following the specific requirements may not mitigate risks to an acceptable level. Join us as we analyze what's missing from compliance requirements and actions you might choose to take.
What's Missing from Your PCI-Compliant Threat Vulnerability Assessments
1. Antivirus May Not Yield Sufficient Control
While antivirus is an important component of complying with PCI and maintaining protection over vulnerable network elements, it's crucial for security pros to understand the role and limitations of this technology.
TrendMicro research has found that due to the dramatic increase in customized malware and social engineering tactics, many attacks are able to bypass the detection methods used by antivirus software.
The solution is never simple. However, a combination of education, policy, and layered technological safeguards is wise. With the help of sophisticated tools for detecting harmful changes in real time, security pros can compensate for the gaps in antivirus programs.
2. Quarterly Scans are Not Very Frequent
Data retrieval by cyber criminals can begin and end in a matter of minutes. Small changes to your network can move your organization out of compliance at a similar speed. Quarterly vulnerability scans could reveal that you have been wide open to attack for months, or worse, that you were targeted long ago.
While risk acceptance criteria may vary, you may opt to implement a more frequent schedule of vulnerability scanning to avoid leaving risks undetected for months on end.
3. Organizations Rarely Know if a Significant Change has Occurred in Their Network
The 2016 Verizon Data Breach Investigations Report revealed a hard truth about the state of security. Laurence Dine, Verizon's managing principal for investigative response, puts it succinctly: "people don't know their environments 100 percent. They forget about the old machines in the corner that are not on any patch schedule."
This lack of environmental knowledge can be attributed to a number of factors. Budgetary and staffing constraints are common for security teams. Perhaps more importantly, networks are simply a lot more complex than they were a decade ago.
Unless your organization is aware of every significant change that occurs in your network, following the PCI requirements to the letter could leave you vulnerable for months before the next assessment. For most organizations, using tools that record the time and nature of major changes in real time will mitigate the most risk.
4. Alert Fatigue is Real--and Risky!
The term "alert fatigue" was coined in the healthcare industry, to describe the phenomenon of healthcare workers becoming desensitized to alarms and alerts. After extended periods of exposure to alerts, clinical workers began to override even "critical alerts," which can have a real impact on patient safety.
For information security workers, similar phenomena can occur. Target's security team dismissed technical data indicating early warning signs of a data breach. While that instance cannot definitively be connected to alert fatigue, it serves as a warning example for security professionals.
The solution is to be conscious of how you respond to alerts, and of the risk that your security software could desensitize you to warning signs by constantly flooding the admin portal with unimportant notifications. By opting for a monitoring solution with built-in intelligence to distinguish between critical and unimportant warnings, you can avoid desensitization.
5. File Integrity Monitoring Requirements May Not Be Enough
File integrity monitoring software is one of the few technological safeguards specifically mentioned in the PCI-DSS guidelines. Based on the language of their requirements, organizations need to implement a tool that can:
- Monitor and track changes
- Identify which changes introduce risk
- Pinpoint which changes result in non-compliance
- Distinguish between high- and low-risk changes
- Work with other security point solutions
However, exceeding these baseline requirements can vastly improve the quality and scope of your vulnerability assessments. You can significantly mitigate risks by selecting a solution that enables:
- Automated monitoring of system settings against PCI requirements
- Continual monitoring as opposed to once-weekly scans
- Intelligent reporting on compliant and non-compliant system settings
- The ability to achieve full remediation of noncompliance from the administrative portal
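As an added illustration of the file integrity monitoring described above (example code written for this post, not CimTrak's or any product's), the Python below baselines SHA-256 digests of a directory tree, compares a later snapshot against that baseline, and tags each added, modified or deleted file as high- or low-risk. The critical-file rule and the sample files in demo() are constructed assumptions for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical rule for "critical" files, constructed for this example; it stands in
# for the critical system, configuration and content files that PCI 11.5 names.
CRITICAL_DIRS = {"etc"}
CRITICAL_SUFFIXES = (".conf", ".cfg")

def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    # Snapshot every regular file under root as {posix relative path: digest}.
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def classify(rel_path: str) -> str:
    """'high' if the file sits in a critical directory or is a config file, else 'low'."""
    in_critical_dir = bool(CRITICAL_DIRS & set(Path(rel_path).parts[:-1]))
    return "high" if in_critical_dir or rel_path.endswith(CRITICAL_SUFFIXES) else "low"

def compare(baseline: dict, current: dict) -> list:
    """Return (path, change_kind, risk) for every file that differs from the baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue  # unchanged: nothing to report
        kind = "deleted" if new is None else "added" if old is None else "modified"
        findings.append((path, kind, classify(path)))
    return findings

def demo() -> list:
    """Constructed scenario: baseline a tree, tamper with it, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "readme.txt").write_text("hello\n")
        baseline = build_baseline(root)
        (root / "etc" / "app.conf").write_text("debug=true\n")  # config tampered
        (root / "readme.txt").unlink()                           # benign file removed
        (root / "new.log").write_text("x\n")                     # new low-risk file
        return compare(baseline, build_baseline(root))
```

Running demo() on the constructed tree reports the tampered config as a high-risk modification and the other two changes as low-risk; a continual monitor would simply run compare() on each change event rather than once a week.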
Why Exceeding PCI Requirements May Actually Be the Easiest Path
When it comes to PCI compliance requirements, exceeding the specifications for vulnerability management and assessment can enable organizations to remain ahead of threats. By reducing manual work and enabling real-time, automated intelligence, IT pros can gain better oversight of their network and identify real vulnerabilities.
CimTrak makes it easy for organizations to remain compliant with PCI requirements and exceed the basic recommendations for security's sake. To learn more, download our PCI compliance checklist today.
August 18, 2016