June 5, 2012

Defense in Depth

Back in March we published an article called Quick and Dirty IT Security, in which we introduced you to four easy steps you can take to drastically reduce your chances of being breached. As that has been one of our most-read articles to date, we’ve decided to follow it up today with a few more things you should know about securing your systems.
Many of our customers use TrueTokenization® and 4Go® to completely eliminate sensitive cardholder data (CHD) from their system and are left with no card data environment to protect. This is great. It means you’re not at risk of a card breach because there’s no CHD to steal (as we like to say, They can’t steal what you don’t have®). But, it doesn’t mean you shouldn’t still protect your system to safeguard your business data and your customers’ personal information that may also be stored in your system.

“Defense in Depth” is what the InfoSec/IT security crowd is calling the current approach of layered IT security. What do we mean by layered security? We literally mean that you should have layers of security. Running antivirus software and having strong passwords are both good practices but alone they’re simply not enough. You need to stack security methods on top of each other to create the best fortress possible for your environment.

Here are a few things that should be included in your security layers:

Network Segmentation:
If your company has to maintain CHD or any other sensitive information, the computers with access to this data should be segmented from the rest of your network. This means the computers with access to CHD should be separate from your network – preferably running on their own, access-controlled network with no remote-access or wireless-access capabilities. Machines on your “sensitive” network should not be used to surf the Web, nor should they be used for checking your e-mail.

A quick side note on e-mail: please be aware that hackers are getting much better at phishing e-mails. They are no longer sending plain-text messages with terrible grammar. In many current “spear-phishing” attempts, research is done through social media sites or news releases to specifically find out information on you and your business. These e-mails look exactly like something you would see from a colleague or your bank. The only difference you’ll see is that the links don’t go where they should (always hover over the link and see where it is going to take you before clicking).

Anti-Virus/Malware Detection:
For most tech-savvy people, having antivirus software running at all times has become a matter of habit. Too many of us have seen the effects of viruses and the havoc they can unleash on businesses or individuals. If you’re already running anti-virus and malware detection, great; if not, please start now.

Also, remember that (contrary to the rumors) Apple Macintosh computers are not immune to malware. In the past month we have seen major media coverage of the Flashback Trojan, which is affecting Macs at an alarming rate. You should also consider adding malware and virus monitoring software on your smart phones if they are connected to your corporate e-mail server or are ever used to review sensitive data – especially if you use any sort of password manager to store passwords on these devices and/or use them to remotely connect to your network.

Insider Threat Mitigation:
You already have access to our Fraud Sentry® solution to monitor for and block payment card fraud by your employees, but your vigilance shouldn’t stop there. Employees with access to your sensitive data need to be monitored. For larger organizations, consider adding an InfoSec team specifically to handle security. They can monitor the logs and activities of your IT staff. Smaller organizations often don’t have this luxury, but if you ever suspect something may be happening with an IT contractor or a member of your staff, it is a worthwhile investment to have a specialist come in and review your logs to look for suspicious activity. As we said back in June, “the fewer people who have access to a system, the less likely the system is to be compromised,” so be sure to limit admin privileges to only those with legitimate reasons for that access.

Change the Default Passwords:
You’ve heard this from us before but it can’t be reiterated too many times. Failure to change your default passwords is like buying a heavy-duty lock for your safe and then leaving the key in it. Some of the largest breaches in our industry have reportedly come from organizations failing to change the default login information on their routers or firewalls. It takes 30 seconds in most cases and it makes an enormous difference in terms of bang-for-your-buck security.

Most breaches are crimes of convenience. Hackers write programs that run repeated scripts and send messages to thousands of computers. Those with virus protection, strong passwords, and properly secured networks don’t respond to these malicious scripts, so the crooks move on. If you leave a door open, they’ll find it – and then they’ll find a way to get inside and wreak havoc. If you take the time to shut all the doors and windows (take the easy steps) the vast majority of hackers will pass you right by.

We do our best to keep you safe and secure. You can rest assured that we employ all of these methods (and many, many more) to protect the CHD in our data centers. Unfortunately, we can’t do it all for you. But, these simple steps should go a long way in keeping you off the hackers’ radar and out of harm’s way. Be vigilant!