Perimeter Scan Vs. External Vulnerability Scan

See how Perimeter Scan simplifies the vulnerability scanning process for larger organizations. 

When it comes to finding security weaknesses in your business, vulnerability scanning is a great place to start. It's explicitly required by the PCI DSS (quarterly internal and external scans under Requirement 11.2) and is the usual way to satisfy HIPAA's risk analysis and technical evaluation requirements. Vulnerability scans assess computers, systems, and networks for security weaknesses. These scans are usually automated and give a first look at which weaknesses could be exploited in your organization.

External vulnerability scanning can take a lot of time, especially if your organization is large, or deals with a lot of IP addresses. For these kinds of companies, regular vulnerability scanning can get bogged down, take forever, and add to your management costs. This is why we created Perimeter Scan.

A question we often get is what’s the difference between SecurityMetrics External Vulnerability Scan and SecurityMetrics Perimeter Scan? We created this post to put those questions to rest.

What is Perimeter Scan?

Perimeter Scan is very similar to SecurityMetrics' External Vulnerability Scan. Both scans can be used to meet compliance with financial (PCI DSS) and healthcare (HIPAA) mandates. The biggest difference between the two is that Perimeter Scan is aimed specifically at larger organizations with more complex network configurations and IP ranges, which need a simpler form of scan management.

Adding/Removing IP Addresses

With the Vulnerability Scan, adding or removing IP addresses goes through our support team, because the Vulnerability Scan is billed per IP address.
With Perimeter Scan, customers can add or remove IP addresses inside Perimeter Scan’s portal, instantly.
This feature is particularly helpful for organizations that have dynamic IP addresses that change a lot. It’s also helpful for growing businesses that are adding many IP addresses quickly.

Adding/Removing Target Groups

With Vulnerability Scan, users have to manage large numbers of IPs and groups of IPs with their own methods. If you wanted to scan all of your IP addresses, you had to turn on the scans for each address manually. This can take a long time for a business with a long list of IP addresses.

With Perimeter Scan, you can add groups of IP addresses, labels and descriptions to the groups, and initiate or stop scans at the group level. Our scan management tool scans as many targets as you have included in your group. All you do is click the “scan now” button and the scans activate. No need to do it manually on an individual level.

Payment Methods

Using our traditional service, you pay for the Vulnerability Scan per IP address. This works great for smaller businesses that only have a few addresses to scan, but can quickly get expensive and cumbersome for larger companies.

You pay for Perimeter Scan through credits. This gives you the ability to scan what you want on whatever schedule you want. You can choose which groups to spend more credits on and scan more frequently, and leave others to scan less often. For example, you may want to scan the networks that handle card data every day more often than those that only touch it occasionally. Using credits lets you customize your scanning schedule without paying for each individual IP address.

Perimeter Scan is a great way for large organizations to get the most out of external vulnerability scanning. It simplifies the process, by relieving the management work. With Perimeter Scan, vulnerability scanning is now easier, faster, and less of a headache.

Interested in Perimeter Scan? Get a quote from our experts!

SecurityMetrics Guide to PCI DSS
PA-DSS 3.2: the What, the Why, and the When

See what changes your payment application vendor should make.  

By: David Page
If you're a vendor that develops payment applications for sale, distribution, or licensing to third parties, you're expected to follow the PA-DSS (applications built and used only in-house fall under the merchant's own PCI DSS assessment instead). The PCI Security Standards Council has released version 3.2 of the Payment Application Data Security Standard (PA-DSS).

Application vendors are encouraged to review and incorporate these changes into their payment applications and implementation guides as soon as possible. Version 3.2 is effective June 1, 2016, and PA-DSS version 3.1 retires on August 31, 2016.

Most of the changes in PA-DSS 3.2 mirror the changes in PCI DSS 3.2.

What is the PA-DSS?

The Payment Application Data Security Standard is similar to the PCI DSS, but it's addressed to payment application vendors. Put simply, it's the data security standard for vendors that build and sell payment applications, such as the software that runs on POS terminals.

PA-DSS version 3.2 includes a set of changes that all payment application vendors will be required to make.
Here is a list of the biggest changes to PA-DSS 3.2.

Multi-factor authentication is required

Similar to the PCI DSS, PA-DSS 3.2 now requires multi-factor authentication for all non-console access to the payment application, whether that access originates inside or outside the network. In practice, if your application is reached remotely, from inside or outside your business's network, that access must be protected by multi-factor authentication. (PCI DSS 3.2 makes the parallel change in Requirement 8.3, covering non-console administrative access to the cardholder data environment and all remote access.) The wording has also changed from "two-factor" to "multi-factor" authentication, making clear that two factors is the minimum, not the definition.

Changes to the Implementation Guide

Some changes have been made to requirements for the Implementation Guide. The guide must now include instructions that any debugging logs containing PAN must be protected while they exist and securely deleted when no longer needed.

Testing procedures have also been updated to include the identification of all roles and default accounts in the payment application.

One final change to the guide is a new requirement has been added to include instructions to securely install patches and updates.

Other changes

A couple of additional changes include:
  • Training for developers must be up to date and occur at least annually
  • A legitimate business need is required for full PAN display
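Both the debugging-log requirement above and the rule that full PAN is displayed only with a legitimate business need come down to the same engineering task: find primary account numbers in text you did not intend to contain them, and reduce them to the first six and last four digits. The following is an added example, not code from the PA-DSS, SecurityMetrics, or any payment application; the log line is constructed, and the test card numbers are the publicly documented Visa test PAN and a one-digit variation of it. It pairs a digit-run regex with a Luhn check so that order numbers and timestamps of card-like length are left alone.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _digits_only(raw: str) -> str:
    return re.sub(r"[ -]", "", raw)


def find_pans(line: str) -> list:
    """Return the Luhn-valid PANs (digits only) found in one log line."""
    found = []
    for m in _PAN_CANDIDATE.finditer(line):
        digits = _digits_only(m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scrub_line(line: str) -> tuple:
    """Replace every Luhn-valid PAN in line with its masked form.

    Returns (scrubbed_line, number_of_pans_masked). Digit runs that fail
    Luhn (order numbers, reference IDs) are left untouched.
    """
    count = 0

    def _repl(m):
        nonlocal count
        digits = _digits_only(m.group(0))
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)

    return _PAN_CANDIDATE.sub(_repl, line), count


# Constructed debug log line: one real-format test PAN, one 16-digit order
# number that fails Luhn, and one near-miss reference that also fails Luhn.
LOG_LINE = ("DEBUG 2016-06-01 auth req card=4111 1111 1111 1111 amt=12.50 "
            "order=1234567890123456 ref=4111111111111112")

if __name__ == "__main__":
    scrubbed, n = scrub_line(LOG_LINE)
    print(f"masked {n} PAN(s): {scrubbed}")
```

Run the scrubber over debug output before it is written, not after: once a PAN has hit disk, the Implementation Guide's "protect and securely delete" clause applies to that file. The Luhn check removes most false positives but not all; a 16-digit order number has a one-in-ten chance of passing, so treat the scrubber as a safety net rather than a reason to log card data in the first place.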
Whether you're a payment application vendor or you work with one, make sure you or your third-party vendors are up to date with the PA-DSS.

If you don’t, you could be held liable should a data breach hit you or one of the businesses you work with.

Need a PA-DSS audit? Talk to us!

David Page is a Qualified Security Assessor and has been working at SecurityMetrics for 2 and a half years. He has over 18 years experience in network and system engineering, design, and security.


5 Tips to HIPAA Compliant Mobile Devices

Learn how to make your organization’s mobile devices secure and compliant.  

Read the white paper 5 Tips for HIPAA Compliant Mobile Devices.

The rise of mobile devices in healthcare organizations generally means more convenience in the workplace. Mobile devices can help doctors work more quickly, process information faster, and simplify paperwork.
Unfortunately, mobile devices can present problems in data security for healthcare organizations.
If not secured properly, data can easily be stolen from mobile devices. Without proper security protocols, you could lose sensitive data from your employees’ phones and tablets.

Does that mean you should not use mobile devices? Not necessarily. You just need to take the right security precautions when introducing mobile devices into your organization.

Mobile devices risks to healthcare

What's so risky about using mobile devices in healthcare? They are often deployed without the controls a managed workstation gets by default, such as a host firewall, enforced disk encryption, or endpoint anti-malware software, and they leave the building with the user.

Some other reasons mobile devices can be a risk include:
  • Mobile devices are easily misplaced 
  • Mobile devices are often easier to steal than regular desktop computers
  • Passcodes often aren't set to protect access
  • Many organizations don’t encrypt emails they send or receive on mobile devices
  • Data could be accidentally disclosed when a mobile device is shared with friends and family 
  • Employees could use unsecured Wi-Fi networks
  • Mobile devices could contract mobile malware
SEE ALSO: 5 Ways Your Mobile Device Can Get Malware

Fortunately, these risks can be addressed; it just takes a few procedures and policies.  Here are some tips to securing your mobile devices.

Follow basic mobile security practices 

Just like your computer has basic security practices, your mobile devices should have these same practices. Here are some practices to consider:
  • Enable passcode protection
  • Use role-based access
  • Never connect to unsecured Wi-Fi
  • Don’t jailbreak devices
  • Encrypt data
  • Use mobile vulnerability scanning
  • Establish and train employees on mobile device policies
Followed consistently, these practices keep mobile devices from being infected by malware and head off breaches, but only if your employees are actually trained on the policies and procedures behind them.

Implement mobile encryption 

HIPAA's Security Rule lists encryption of electronic protected health information (ePHI) as an addressable implementation specification: you must encrypt ePHI at rest and in transit, or document why an equivalent alternative control is reasonable and appropriate for your organization. For most healthcare entities that means encrypting, and mobile devices are no exception. A lost or stolen device whose ePHI was encrypted generally does not trigger breach notification; an unencrypted one does.

If you back up a mobile device to a computer or a cloud service, make sure the backups are encrypted as well.

Keep in mind that on most mobile devices the encryption key is protected by the device passcode: the data is only as safe as the passcode that unlocks it, so a weak or missing passcode undermines the encryption entirely.

SEE ALSO: Medical Data Encryption: Keeping Your PHI Secure

Enable lengthier passcodes

A four-digit passcode is one of only 10,000 combinations and can be guessed quickly with the right tools. Choosing a passcode of at least 8 characters and having the device lock out after a set number of failed attempts makes breaking into the phone considerably harder.

The ideal passcode has eight characters or more, contains alphanumeric and special characters, and doesn’t contain dictionary words (e.g., Ilovefootball1 is no good).
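A policy is only useful if it is enforced, so here is the passcode rule above turned into a check that an MDM enrollment script or a helpdesk tool could call. This is an added example, not SecurityMetrics' code or a real MDM product's API; the word list is a constructed stand-in for a proper dictionary, and it rejects the article's own example, Ilovefootball1, for the reasons the text gives.

```python
import string

# Constructed mini word list standing in for a real dictionary file (assumption).
COMMON_WORDS = {"love", "football", "password", "welcome", "admin", "summer", "health"}

MIN_LENGTH = 8


def passcode_problems(passcode: str) -> list:
    """Return the policy violations for a passcode; an empty list means it passes.

    Policy (from the text): at least 8 characters, letters plus digits plus
    special characters, and no dictionary words.
    """
    problems = []
    if len(passcode) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in passcode):
        problems.append("no letters")
    if not any(c.isdigit() for c in passcode):
        problems.append("no digits")
    if not any(c in string.punctuation for c in passcode):
        problems.append("no special characters")
    lowered = passcode.lower()
    hits = sorted(w for w in COMMON_WORDS if w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


def lockout_bound(max_attempts: int, lock_minutes: int, hours: float) -> int:
    """Upper bound on online guesses an attacker gets in `hours` when the
    device locks for `lock_minutes` after every `max_attempts` failures."""
    windows = int(hours * 60 // lock_minutes) + 1
    return windows * max_attempts


if __name__ == "__main__":
    for candidate in ("1234", "Ilovefootball1", "Tr4in#Yard!"):
        issues = passcode_problems(candidate)
        print(f"{candidate!r}: {'OK' if not issues else '; '.join(issues)}")
    # With 10 attempts then a 15-minute lock, an attacker gets at most this
    # many guesses in a 24-hour window, far short of even a 4-digit keyspace.
    print("guesses in 24h:", lockout_bound(10, 15, 24))
```

The lockout bound is the reason the text pairs length with lockout: a 4-digit PIN has 10,000 possibilities, but with a 15-minute lock after every 10 failures an online guesser gets under a thousand tries a day. Offline attacks against an extracted device image are not limited by the lockout, which is where the 8-plus-character mixed passcode earns its keep.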

SEE ALSO: Healthcare's Password Security is Embarrassing

Do regular software and application updates 

Older operating systems and app versions tend to carry known, publicly documented vulnerabilities that attackers can exploit. Just like computers, mobile devices need to be patched promptly to close them.

It’s important to update each app installed on devices. It only takes one faulty app to introduce malware to your device, putting your data at risk.

Fortunately, updating mobile device software is fairly simple and doesn’t take much time.

Train employees frequently on policies

Even the best security policies aren’t that helpful if your employees aren’t following them. It’s important to train your employees in your mobile security policies. Some things to help employees remember are:
  • Avoid suspicious emails: phishing email scams are big gateways to malware and data breaches. Make sure your employees can recognize phishing email scams. 
  • Be careful with internet usage: going onto non-secure websites and using non-secure Wi-Fi could download malware into your mobile devices. 
  • Be careful with texting and calls: phishing also arrives by SMS ("smishing") and by voice ("vishing"). Train your employees to recognize phishing texts and calls. 
Need help in training your workforce? Talk with us! 

It’s up to you to make sure your mobile devices aren’t responsible for a data breach. By following basic security practices and policies, you can make your devices HIPAA compliant and keep your data safe.

Want to know more about securing your organization’s mobile devices? Read our white paper 5 Tips for HIPAA Compliant Mobile Devices.

SecurityMetrics HIPAA learning center
How to Manage a Data Breach: 5 Steps to Keep Your Business Safe

Learn how you can minimize data breach damage.  

Check out the infographic 5 Steps to Manage a Data Breach.

No one wants to deal with a data breach, but unfortunately with the rise of malware and hackers, a data breach is more likely to hit your business than you may think.
In any case, it’s smart to be prepared for data breaches, which includes having a plan.
If you suspect a data breach in your business, your goal is clear: stop information from being stolen and repair the damage so it won’t happen again.

Here are some steps to take to stop information from being stolen, prevent further damage and restore operations as quickly as possible.

SEE ALSO: What To Do When You Get Hacked, Step-By-Step

1. Start your incident response plan

You should already have one in place, which lays out what your company, employees, and third parties should do in the event of a data breach.

Make sure your employees know about the plan and are trained on what to do. Often, the ones that do the most damage in a data breach are employees who panicked and made mistakes. Having an incident response plan will help reduce confusion and panic in a data breach.

2. Preserve evidence

In a breach, your first impulse may be to delete everything. Don't do it! You'll need to make sure any evidence of the breach is preserved, since it's what lets investigators determine what happened and who was responsible. That also means not wiping, reimaging, or powering off affected systems before a forensic investigator has captured them; disk images, memory contents, and logs are otherwise lost.

Make sure to document everything that’s happening, since it will make things easier for upcoming forensic investigations.

3. Contain the breach 

While you shouldn’t delete your infected systems, you do need to contain them. You need to isolate the affected areas so the rest of your business isn’t affected. Some things you can do are:
  • Disconnect from the internet
  • Disable remote access capability
  • Preserve firewall settings
  • Restrict internet traffic 
  • Change access control credentials

4. Handle public communications

Get advice from your legal counsel to figure out the best way to notify the public and your customers of the breach. It’s also important to know the legislated mandatory time frames; you don’t want to get a fine on top of everything just because you didn’t tell the public on time.

It’s best the public finds out about the data breach from you. If you delay telling them, it will seem like you have something to hide. Decide when to let your customers know, and remember that sooner is better than later. Don’t let employees announce the breach.

5. Investigate and restore systems

You'll need to find out how you were breached in order to prevent it from happening again. An independent forensic investigation (for card data, one performed by a PCI Forensic Investigator, or PFI) provides that insight. Your acquiring bank will often require one, and the investigators help not only in discovering the source of the breach but also in understanding how to prevent a repeat. Be prepared: this can take time.

Once you've found and closed the source of the breach, you'll be able to bring all affected systems back online. Make sure they are secure against future attacks by reaching full compliance with the PCI DSS.

Need a forensic investigation? Talk to us!

Additional tips

Some other things to think about in preparing for a data breach are:
  • Train and test employees: your employees should be aware of the policies regarding data breaches. It may be a good idea to test them and have them practice containing a data breach. 
  • Get breach protection: breach protection can help reimburse you for the general costs associated with a breach (regulatory fees, card replacements, hardware, etc.)  
  • Delegate responsibilities: you should have a team that carries out your incident response plan. Putting it all on one person won’t be helpful. 
Dealing with a data breach can be a difficult experience, but if you take the right steps, you can minimize the damage done to your business. Being prepared can save you in the long run.

Want to know more on handling a data breach? Check out our infographic 5 Steps to Manage a Data Breach.

Security Patches in Your Business: Complying with PCI Requirement 6.1


Learn why it’s important to update your software and install security patches. 

By: George Mateaki
When it comes to security, even the best and most secure software can have vulnerabilities, eventually. Hackers have a lot of time to try and find holes in security. Thankfully, when a vulnerability is discovered, researchers and developers of the affected software and/or code do their best to come up with security patches and updates to combat that vulnerability.

Unfortunately, many businesses don’t often update their software and applications when it’s needed. Why? Some reasons include:
  • It takes time
  • They aren’t aware of the update
  • They don’t see it as necessary
  • The equipment doesn’t support the update
But with the rise in data breaches, it’s important to your business’s security that you update your
software and applications regularly.

SEE ALSO: How Long are Businesses Vulnerable Before a Security Breach?

What are security patches?

Even the best software can eventually have a vulnerability show up.
This is where patching comes in. Security patches are pieces of software or code that help rectify a vulnerability the software/code may have.

For example, the Windows DLL hijacking (insecure library loading) flaw publicized in 2010 let an attacker plant a malicious DLL in the same folder as an innocuous document: when the user opened the document, Windows searched that folder for a library the application loaded by name and executed the attacker's code instead. I used this as part of my penetration testing to check if users would open files on an unknown USB drive found in the parking lot. Microsoft eventually addressed the flaw, which affected all versions of Windows, through patches to the affected applications and an update that let administrators restrict the DLL search path.

Patches are distributed in two ways: as source code or as an executable. Source patches are common for open-source software but require recompiling the program, while patches for proprietary software are usually shipped as executables or installer packages. Most systems and applications have a built-in utility that checks for and applies updates.

Some companies regularly release security patches and updates for their software. Microsoft releases these patches every 2nd Tuesday of the month, coining the term, “Patch Tuesday.”

Why should I update software?

PCI DSS requires merchants to install critical security patches within one month of release to maintain compliance. (This was Requirement 6.1 in PCI DSS v2.0; in v3.x the one-month deadline is Requirement 6.2, and 6.1 covers identifying newly discovered vulnerabilities and assigning them a risk ranking, which is what decides whether a patch counts as critical.)
Compare your business to the human body. If your body has an open cut or scrape and isn’t covered up or disinfected, bacteria could get in. If they do get in your body, they can wreak havoc on your system. It’s the same with your business. Having a vulnerability in your software may not do much damage itself, but it could lead to something far worse.

Just like you should clean and cover your cuts, you’re responsible for patching your business’s security where needed.

Technology is constantly changing. And alongside it, data thieves are coming up with new techniques to find and exploit vulnerabilities in software. No matter how secure your software may be, over time, a vulnerability will arise that can be a cybercriminal’s gateway into your business.

SEE ALSO: A Hacking Scenario: How Hackers Choose Their Victims

Patch management tips

It can be difficult to keep track of what software needs updating and what patches have been released. Here are some basic steps you can use to perform patch management.
  1. Get the notification from vendors and third-party organizations on new updates and patches.
  2. Do a risk analysis to see if this update applies to your business.
  3. Come up with a plan to install the security patch.
  4. Test the security patch before you implement it. Make sure the patched software is working properly.
  5. Install the security patch in your business environment
  6. Make sure the patch is properly installed and the systems still perform properly. Sometimes patches can cause other systems to stop working, especially if they’re installed incorrectly.
  7. Update all your documents to include any changes made or patches installed.
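Steps 1 through 7 above only work if someone can answer, at any moment, "which critical patches are past their 30-day window?" The following is an added example of that tracking, not SecurityMetrics' tooling or any vendor's product: a small patch inventory with release and install dates, classified against the one-month deadline for critical patches. The hosts, patch IDs (VEND-2016-00x) and dates are constructed; the severity field is whatever your step-2 risk analysis assigned.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# PCI DSS: critical security patches are installed within one month of release.
CRITICAL_WINDOW = timedelta(days=30)


@dataclass
class Patch:
    host: str
    patch_id: str               # constructed vendor bulletin IDs, not real ones
    severity: str               # from the risk analysis: critical/high/medium/low
    released: date              # vendor release date (step 1)
    installed: Optional[date]   # None until deployed (step 5) and verified (step 6)


def deadline(p: Patch) -> Optional[date]:
    """Critical patches carry a hard deadline; others follow your own schedule."""
    return p.released + CRITICAL_WINDOW if p.severity == "critical" else None


def patch_status(p: Patch, today: date) -> str:
    """Classify one patch: installed, installed-late, due, overdue or pending."""
    due = deadline(p)
    if due is None:
        return "installed" if p.installed else "pending"
    if p.installed:
        return "installed" if p.installed <= due else "installed-late"
    return "overdue" if today > due else "due"


def compliance_report(patches: List[Patch], today: date) -> Dict[str, List[str]]:
    """Group host:patch pairs by status. 'overdue' and 'installed-late'
    are the entries an assessor will write up."""
    report: Dict[str, List[str]] = {}
    for p in patches:
        report.setdefault(patch_status(p, today), []).append(f"{p.host}:{p.patch_id}")
    return report


# Constructed inventory snapshot.
TODAY = date(2016, 7, 15)
INVENTORY = [
    Patch("pos-01", "VEND-2016-002", "critical", date(2016, 6, 14), date(2016, 6, 30)),
    Patch("pos-02", "VEND-2016-002", "critical", date(2016, 6, 14), None),
    Patch("db-01",  "VEND-2016-003", "medium",   date(2016, 6, 14), None),
    Patch("web-01", "VEND-2016-001", "critical", date(2016, 5, 10), date(2016, 6, 20)),
]

if __name__ == "__main__":
    for status, items in sorted(compliance_report(INVENTORY, TODAY).items()):
        print(f"{status:15} {', '.join(items)}")
```

In the snapshot, pos-02 is the urgent one: its critical patch was released June 14 and nothing was installed by July 15. web-01 did get patched, but 41 days after release, which is still a finding at assessment time, so record the reason (step 4 testing, vendor regression, whatever it was) in the documentation from step 7. Feed the inventory from your vendors' notification lists and your step-6 verification rather than by hand, or the report will drift from reality within a month.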
Some additional tips to updating software include:
  • Get on your vendor’s patch/upgrade list: You can’t update anything if you don’t know about it. Most software vendors have a patch/upgrade email list. Ask them to put you on it to stay current on patches.
  • Establish a schedule: For some software, it may be easier to update it on a regular basis. Make a schedule that outlines when and how you’ll install updates.
  • Update as soon as testing allows: the longer you wait to update, the longer your business is vulnerable. The one-month deadline for critical patches is a ceiling, not a target.
  • Do vulnerability scanning to find security holes: by scanning your software regularly, you can find vulnerabilities that need to be patched.

Need an Approved Scanning Vendor? Talk to us!

No matter how you do it, you should be vigilant about updating the software associated with your system. Make sure your business doesn’t suffer a breach simply because your software wasn’t up to date.

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.
