Most Popular Data Security Articles

The most crucial and consumed PCI DSS and business security posts.

Because of its complexity, technicality, and ever-changing nature, there’s never a shortage of questions about data security, PCI DSS compliance, and network security. That’s why we started this blog: to answer the most commonly asked questions about data security, and to offer educational assistance on how to get your business secure and compliant.

The following is a compilation of the most crucial and consumed data security content on the SecurityMetrics blog.

10. 5 Commonly Overlooked Security Errors

Starting in tenth place, this great article explains common mistakes security auditors, also known as Qualified Security Assessors, find when they go onsite to audit a company’s security practices. There may even be a few security practices in this post that you might be overlooking.
  • Learn how not understanding your scope can seriously affect your security.
  • Why companies make the mistake of thinking policies are just annoying paperwork.
  • Don’t assume log monitoring is just for forensic investigators.

9. 7 Ways to Recognize a Phishing Email

Phishers are getting so good these days that even security professionals have a hard time discerning between real and fake emails. This article provides a great list (and examples!) of the most effective ways to recognize and avoid phishing emails in your personal and business email security strategy.
  • Learn the subtle hints of phishing emails.
  • Understand that just because a link says it will send you to a URL, doesn’t mean it will.
  • Why domain emails are important when discerning a phishing email.

8. Infographic: 61% of Businesses Don’t Protect Customer Cards

Since 2011, SecurityMetrics has examined data from thousands of scans conducted on business networks. The scans searched for unencrypted payment card data using a credit card data discovery tool called PANscan. This post examines the 2014 scan results.
  • Understand the most common places credit card data hides.
  • Learn how easily payment card data leaks.
  • Why EMV won’t stop this trend, even after the October 1, 2015 deadline.

7. Visa PCI Enforcement Rules in 2015

Each card brand has different initiatives to help merchants understand the importance of securing customer card data. Visa’s PCI Validation Enforcement Plan places a risk-based focus on noncompliant merchants and third parties that may introduce increased risk into the already-fragile payment system.
  • Learn the penalties for noncompliance after January 1, 2015.
  • What Visa actually meant by noncompliance assessments and risk reduction measures.
  • What the new enforcement plan actually means for noncompliant merchants.

6. Which PCI DSS SAQ Is Right For Me?

The way you process customer credit cards might change which Self-Assessment Questionnaire you are required to fill out to maintain PCI DSS compliance. Now that the PCI standard has recently changed (versions 3.0 and 3.1), merchants are having a hard time identifying which SAQ is right for their particular business.
  • Determine which SAQ is appropriate for you.
  • See an entire list of PCI SAQs updated to reflect the most recent PCI 3.0 changes.
  • Learn why accurately filling out an SAQ is a PCI requirement.

5. PCI FAQ

When small to medium merchants call in to SecurityMetrics to get help with their data security, these are the questions we hear and answer most often.
  • Learn the difference between compliance and validation.
  • Answer the question: who is required to be PCI compliant?
  • Understand why PCI DSS is not a federal law.

4. Shellshock: Be Wary But Don’t Panic

A handful of big vulnerabilities were publicly exposed in 2014, but one of the biggest was Shellshock. Many people were panicking without fully understanding the situation. We wrote this post to expose the truth about the bug, and what you can do to secure your systems.
  • Why bugs like Shellshock exist.
  • Who is affected by Shellshock?
  • How do you fix this vulnerability?



3. PCI 3.1: Stop Using SSL and Outdated TLS Immediately

Just months after merchants felt comfortable with PCI 3.0’s changes, now there’s something new to understand. According to the PCI Council’s newest version of the PCI DSS (PCI DSS 3.1), SSL has been removed as an example of strong cryptography. This blog post explains exactly what PCI 3.1’s newest changes mean, and what you should know to accurately comply.
  • How will PCI 3.1 affect you?
  • How to tell if you’re using SSL or outdated TLS protocols.
  • Advice for complying with this new version of PCI DSS.

2. Crucial Security Advisory: Patch Windows Immediately Against WinShock

Pretty much every Microsoft Windows system was affected by the WinShock vulnerability publicly released in November 2014. There are over 1 billion Windows PCs in the world today, so this vulnerability came as a shock. This post explains the who, what, when, where, and why.
  • Exactly which systems are affected?
  • How does the vulnerability work?
  • What you can do to protect against this vulnerability in your Windows systems.

1. The Ultimate Guide to PCI DSS 3.0

Each of our PCI 3.0 blog posts were in the top 10, so we just combined them into our #1 most read blog post: our ultimate guide to PCI DSS 3.0. PCI DSS 3.0 brought about some big changes (and confusion) for merchants. This compilation post includes each of SecurityMetrics’ best PCI DSS 3.0 blog posts.
  • An ebook explaining the ecommerce merchant’s guide to PCI DSS 3.0.
  • Webinars explaining key PCI 3.0 requirements.
  • FAQ about PCI DSS 3.0.

Infographic: Cybercriminals Love When You Use Remote Access

To attack, all hackers need are your credentials.

By: Gary Glover, CISSP, QSA, Director of Security Assessments
Check out the infographic below for a quick overview of the remote access security problem. 

Remote computer access is one of the best ways to reach work files from home, from an airplane, from a customer service center, from an outside IT consultant’s office, or from abroad. Remote access allows a user to access a corporation’s network, and all the files, information, and sensitive data on that main corporate network, computer, or local area network.

It allows a user on one computer to see and interact with the remote system and sometimes even see the actual desktop interface of another computer without being physically present. Sometimes remote access is implemented using an organization’s virtual private network (VPN).

Common remote access applications include:

  • Windows Remote Desktop
  • Apple Remote Desktop
  • pcAnywhere (Symantec)
  • Laplink Gold
  • GoToMyPc
  • LogMeIn
  • TeamViewer
  • join.me
  • UltraVNC
  • TightVNC
Remote access is a fantastic and very convenient technology, especially in our digital age. But there’s a problem.
Remote access technology has been turned against us by cybercriminals.
The technology we use to provide authorized access to sensitive data held by corporations has become one of the most exploited IT resources of all time.

Hackers can easily hack remote access

The remote access applications listed above usually listen on a well-known set of ports: 3389 (Windows Remote Desktop), 5900 (VNC), 5631 and 5632 (pcAnywhere), and 80 or 443 for the web-based services. To find a target, all a hacker has to do is scan for those specific ports and see which ones answer. An open 3389 or 5900 is a strong sign that remote access is exposed on that network (80 and 443 are shared with ordinary web traffic, so on their own they say less).

All remote access applications are vulnerable to attack in their default configuration, mostly because that configuration puts a login prompt on the Internet with nothing but a username and password in front of it. If hackers already know which ports you are using to connect with remote access, all that’s left to attack are your individual credentials. All too often, these credentials are weak and easily guessable. Even worse, some system default passwords were never changed at install time.

I’m sure you’ve seen news stories about hackers stealing usernames and passwords to create massive libraries of billions of username/password combinations. (Did you hear about the Russian hackers who have over a billion Internet passwords?)

All it takes is a free brute force tool to automatically try each combination for them on your remote access connection. There are lists published on the Internet that contain common default passwords for many types of applications, network hardware, and operating systems.

Once the hacker has successfully found the correct password/username combination, he opens the remote access application, logs in, and uses your computer as a starting point to move throughout the entire organization.
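The attack just described leaves a recognizable trace in authentication logs: many failures from one source address in a short time, often against several usernames, and then a success. The following detector is an added example and not code from the original post; it assumes a constructed log format (`timestamp src=… user=… result=OK|FAIL service=…`) invented for the example, since real RDP or VNC logs look different and need their own parser. It raises an alert when a source fails `threshold` times inside a sliding window, and again if that same source then logs in successfully while still inside the burst, which is the signature of a guessed password.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed log format for this example (constructed, not any product's real format):
#   2015-06-01T09:15:00Z src=203.0.113.7 user=admin result=FAIL service=rdp
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL) service=(?P<service>\S+)$"
)

# Constructed sample: one legitimate typo, one password-guessing burst that ends in a
# successful login, one slow guesser that stays under the per-minute threshold, and
# one line in a foreign format (addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2015-06-01T09:12:00Z src=198.51.100.22 user=jsmith result=FAIL service=rdp
2015-06-01T09:12:04Z src=198.51.100.22 user=jsmith result=OK service=rdp
2015-06-01T09:15:00Z src=203.0.113.7 user=admin result=FAIL service=rdp
2015-06-01T09:15:02Z src=203.0.113.7 user=administrator result=FAIL service=rdp
2015-06-01T09:15:04Z src=203.0.113.7 user=Administrator result=FAIL service=rdp
2015-06-01T09:15:06Z src=203.0.113.7 user=root result=FAIL service=rdp
2015-06-01T09:15:08Z src=203.0.113.7 user=guest result=FAIL service=rdp
2015-06-01T09:15:10Z src=203.0.113.7 user=jsmith result=FAIL service=rdp
2015-06-01T09:15:12Z src=203.0.113.7 user=jsmith result=OK service=rdp
2015-06-01T10:00:00Z src=192.0.2.50 user=admin result=FAIL service=vnc
2015-06-01T10:01:30Z src=192.0.2.50 user=admin result=FAIL service=vnc
2015-06-01T10:03:00Z src=192.0.2.50 user=admin result=FAIL service=vnc
2015-06-01T10:04:30Z src=192.0.2.50 user=admin result=FAIL service=vnc
2015-06-01T10:06:00Z src=192.0.2.50 user=admin result=FAIL service=vnc
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"],
            "ok": m["result"] == "OK", "service": m["service"]}


def detect_password_guessing(lines, threshold=5, window=60):
    """Flag sources with >= threshold failed logins inside a sliding window of `window`
    seconds, and any successful login from a source that is still inside such a burst."""
    failures = defaultdict(deque)      # src -> timestamps of failures inside the window
    users_tried = defaultdict(set)     # src -> distinct usernames attempted
    already_flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        # Slide the window: forget failures older than `window` seconds.
        while recent and (ev["ts"] - recent[0]).total_seconds() > window:
            recent.popleft()
        if ev["ok"]:
            if len(recent) >= threshold:
                alerts.append({"type": "success_after_burst", "src": ev["src"],
                               "user": ev["user"], "service": ev["service"],
                               "failures": len(recent), "at": ev["ts"].isoformat()})
            continue
        recent.append(ev["ts"])
        users_tried[ev["src"]].add(ev["user"])
        if len(recent) >= threshold and ev["src"] not in already_flagged:
            already_flagged.add(ev["src"])
            alerts.append({"type": "burst", "src": ev["src"], "service": ev["service"],
                           "failures": len(recent),
                           "distinct_users": len(users_tried[ev["src"]]),
                           "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the fast guesser at 203.0.113.7 trips the burst alert on its fifth failure and a second alert when it finally logs in as jsmith; the slow guesser at 192.0.2.50 never has more than one failure inside any 60-second window, which is exactly why a threshold alone is not enough and a successful login from a source with a failure history deserves a look on its own.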

How to secure remote computer access

As you can see, the remote access problem starts with weak identity validation and authentication.

There are multiple ways to secure remote computer access applications, but the best way (by far) is implementing two-factor authentication. This means two different forms of authentication are necessary to access an application, to make sure you (and only you) get access.


Two-factor authentication must combine two different kinds of factor from the following list (two of the same kind, such as a password plus a PIN you memorized, is still single-factor):

  • Something only the user knows (e.g., a password) (your username doesn’t count)
  • Something only the user has (e.g., a cell phone or RSA token)
  • Something the user is (e.g. a fingerprint)

Here are a few great examples of two-factor authentication in practice:

  • You enter your username and password to a third party remote access service and call in to the onsite location IT department to have them also login and grant you one time access (often requires them to give you a PIN verbally to receive access). They verify your identity, and you are authorized for access.
  • You enter a password and then the remote access application sends your cell phone a unique PIN that expires in 60 seconds. You enter the PIN into the remote access application and gain access.
  • You enter your username and password, and the system prompts you for a unique dynamic number found on an electronic device in your possession (key fob, Google Authenticator on a smartphone, etc.)
  • You enter your username and password, and the system prompts you for a biometric value (like a fingerprint), and you touch the fingerprint reader
Check out the infographic below for more ways to secure remote access.

How Working From Home Makes You More Hackable

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.
Cyber Breach Insurance: How Much Does it Cost?


Simple financial protection from data compromise.

By: Brand Barney, Security Analyst at SecurityMetrics
There are three types of businesses.
  1. Those that have been hacked
  2. Those that don’t know they’ve been hacked
  3. Those about to be hacked
Many organizations don’t think a data breach can happen to them. They believe data thieves are only interested in giant corporations with hundreds of thousands of customers. However, according to Raytheon, 97% of networks will experience a security compromise over any given six-month period.

Regardless of how they’re breached, I guarantee a business doesn’t walk away from their breach without financial suffering and/or brand degradation. A breach impacts your day-to-day operations, it often hits when you least expect it, and it’s extremely inconvenient.

We have to face a hard truth: no business is immune to compromise, no matter how small or large. That’s where cyber breach insurance, paired with excellent security practices, can help.

SEE ALSO: 10 Tips to Keep Security In the Budget

What does a data breach cost?

I can’t discuss cyber insurance without laying out just how much a breach could cost. Obviously, the financial examples presented below will change based on your size, how many customer cards were stolen, how hackers got into your organization, if you were willfully aware of your vulnerabilities, etc.

If breached, you may only be liable for a few of these fines … or you could be expected to pay even more than I’ve listed. It all depends on the size of your breach.
  • Merchant processor compromise fine: $5,000 – $50,000
  • Card brand compromise fees: $5,000 – $500,000
  • Forensic investigation: $12,000 – $100,000
  • Onsite QSA assessments following the breach: $20,000 – $100,000
  • Free credit monitoring for affected individuals: $10 – $30 per card
  • Card re-issuance penalties: $3 – $10 per card
  • Security updates: $15,000+
  • Lawyer fees: $5,000+
  • Breach notification costs: $1,000+
  • Technology repairs: $2,000+
  • An increase in monthly card processing fees: +
  • Federal/municipal fines: +
  • Legal fines: +
Estimates by SecurityMetrics QSAs

SEE ALSO: 7 Hearty Tips to Avoid Costly Data Breaches

Now that you understand just how important cyber insurance is to the financial stability of your organization, what should you expect to pay for it?

How much is cyber breach insurance?

Depending on how much financial assistance you would like to receive after a breach, your size, your annual revenue, and your industry, cyber insurance premiums can cost from $650 to $120,000 annually.

But you might not need cyber insurance.

When you might not need cyber insurance

Cyber insurance can be awfully expensive, especially for small to medium businesses. Is there any way you can get around it and still be protected in a data breach?
You might not need cyber insurance if you are already covered by a guarantee from your Payment Card Industry Data Security Standard (PCI DSS) compliance vendor. Let me explain.

Most PCI vendors have a limited guarantee on their PCI compliance services. If their services don’t help protect you from data breach, you may be reimbursed up to $100,000 per Merchant Identification Number (MID). This breach protection is like a lifeboat that will keep you and your crew afloat after your ship starts to sink.
If you are paying a PCI vendor for data security and PCI compliance services and they don’t have a guarantee … do you really trust their products to keep you safe from data breach? Are they really looking out for your best interests?

Looking for a PCI vendor with an award-winning PCI service guarantee? Check this PCI product out.

What can you spend service guarantee finances on?

Most companies offering this protection won’t limit what you can be reimbursed for, as long as it pertains to your breach. Here’s an example list:
  • Forensic investigations
  • Payment Card Industry Data Security Standard (PCI DSS) fines
  • Payment card brand fines
  • Health Insurance Portability and Accountability Act (HIPAA) fines
  • Customer payment card replacement fees
  • Customer notification costs
  • Regulatory fines/penalties
  • Upgraded device for future security
  • Gramm-Leach-Bliley Act (GLBA) fines
  • Post-event consultation

Which is better? Cyber insurance or breach protection?

For extremely large organizations handling large quantities of sensitive data, it makes sense to pay the premium for cyber insurance. But, remember, you might already be protected. For small, medium, and large businesses already fulfilling their PCI DSS requirements, it makes financial sense to make sure your vendor offers a PCI service guarantee.

Remember, your security matters.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

Networked Medical Devices: a Data Breach Time Bomb


Are your medjacked medical devices preventing true HIPAA compliance?

By: Tod Ferran, Security Analyst at SecurityMetrics
According to Gartner, 26 billion objects will be connected to the Internet by 2020. Hundreds of thousands, if not millions of those will be networked medical devices. Recent studies show that hackers can easily compromise a healthcare organization through one of these devices. In fact, it’s been a method used by hackers for years.

It’s called medjacking, or medical device hijacking.

A networked medical device is any medical device that can connect to a network or the Internet. They are generally separated into four groups:
  1. Consumer health monitoring (e.g., FitBit)
  2. Wearable (e.g., portable insulin pumps)
  3. Embedded (e.g., pacemakers)
  4. Stationary (e.g., chemotherapy dispensing stations)

Stationary medical devices are targeted

Although it’s scary to think about internally embedded medical devices hacked and altered, the large majority of hackers aren’t terrorists, they’re thieves. They want to make money by stealing mass amounts of patient data, and that’s why stationary medical devices are the group most at risk from cybercriminals.

Hackers are acutely aware that medical data (insurance information, social security numbers, etc.) is worth 20-50 times more than credit card data. If a hacker can somehow gain complete access to a networked medical device, they are only steps away from accessing valuable patient health data.

The HHS reported that 78% of physician practices have electronic medical records (EMR/EHR) systems, which are interconnected with the rest of the ecosystem. EMR systems are a hacker’s Holy Grail.

Here’s what I mean by stationary medical devices:
  • Medical x-ray scanner
  • Chemotherapy dispensing stations
  • Homecare cardio-monitoring
  • MRI machine
  • Bedside infusion pump
  • Anesthesia apparatuses
  • Medical ventilators
  • LASIK surgical machines
  • CT scanners
  • Picture archiving and communication system
  • Blood gas analyzer
  • Dialysis machines
  • Etc.
These devices are typically connected via hospital and healthcare facility Ethernet or Wi-Fi, but can also be connected to a business associate on a private network. The fact that they are connected to the network and potentially the Internet (or have the ability to connect to the Internet) means they are exposed to a giant ecosystem of hacker-influenced risks.

According to the FDA, “Medical devices…can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.” Not only do these vulnerabilities exist, but will increasingly worsen as more and more devices become interconnected.


How do hackers hack medical devices?

A medjacking attack is designed to rapidly penetrate medical devices, establish command and control and then use these as pivot points to hijack and exfiltrate data from across the healthcare institution.

Once an attacker gets into the network and bypasses existing security, he can infect a medical device and establish a backdoor within the device for later access.

Why does this problem exist? Medical devices have vulnerabilities. These vulnerabilities all boil down to a lack of security priority.

Medical device manufacturers own the security process, but don’t place priority on security

Joshua Corman, CTO at Sonatype, says that some medical device manufacturers, especially those with low budgets for cybersecurity, turn to open source code and libraries for security solutions. The problem is, they’re using “very old, known-vulnerable, highly exploitable code in their products.”
According to the FDA, manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks to cybersecurity…but most don’t take that responsibility seriously.

Trapx Security found that most medical devices are managed solely by the manufacturer’s external technicians, and healthcare IT teams don’t have access to the system at all. That means healthcare providers are totally dependent on manufacturers to maintain security within the device. That’s why they are viewed as medical black boxes by healthcare IT and security teams.

According to The Healthcare Internet of Things: Rewards and Risks, some device manufacturers favor hard-coded passwords built into the system that can’t be changed. These passwords are listed in the device’s user manual, and can easily be found by hackers!

The medical device manufacturer isn’t the one who will have serious brand degradation if they get hacked – the hospital will. Have you heard of Fazio Mechanical Services? Probably not, and they were the vendor for Target that led to Target’s big credit card breach that we’ve all read about.


Cyber defense tools don’t work with medical devices

Trapx Security also found that users can’t install further security on network connected medical device systems because most security tools do not run within medical devices. Not to mention, any software applied by the entity might be considered tampering with the device, and have a negative impact on FDA approval. It’s worth noting that the FDA has been very vocal about the manufacturer installing proper security tools.

The government isn’t cracking down on manufacturers or security

According to an article by Infosecurity-Magazine, a security researcher found and reported several vulnerabilities found in drug pumps to the Department of Homeland Security and eventually the FDA. He said, “over 400 days later, we have yet to see a single fix for the issues.”

If the government doesn’t crack down on medical device manufacturers, who will?

Medical devices are constantly in use

Many network-connected medical devices are used 24-7 by patients on life support. It’s difficult to arrange time to patch and fix devices when they’re in constant use. In addition to the reasons I’ve listed above, security problem resolution is delayed due to access to equipment, device scheduling, and access to manufacturer resources.

Keeping medical devices HIPAA compliant

If you have networked medical devices, you should probably prepare for the worst. You likely have HIPAA violations on your hands, stemming from your devices, which are potentially exfiltrating patient data right now.

According to PwC, the number of healthcare-related data breaches soared 60% from 2013 to 2014, almost double the increase seen in other industries. In March 2015, the Identity Theft Resource Center showed healthcare breach incidents as 33% of all incidents.
If your medical devices aren’t safe, that means your organization isn’t HIPAA compliant either.

Preventing medjacking

In their report, TrapX Security concludes that, “The data stored within healthcare networks remains a primary target for attackers on a global basis. For all of these reasons we expect targeted attacks on hospitals to increase throughout 2015 and 2016. Our scientists believe that a large majority of hospitals are currently infected with malware that has remained undetected for months and in many cases years.”

They give some great recommendations on how to start to secure your networked medical devices from cybercriminals looking to jump into your system.

These are their seven most salient recommendations:
  • Remediate existing devices immediately. They are probably infected.
  • Strategize a way to quickly integrate and deploy software/hardware fixes provided by the medical device manufacturer.
  • Seek the advice of competent HIPAA consultants and bring them onsite to review your HIPAA compliance program. (Need a HIPAA audit quote?)
  • Only evaluate medical device vendors that value cybersecurity, allow you to modify your own passwords, offer frequent updates, and are willing to conduct quarterly reviews with you.
  • Manage access to your medical devices, especially through USB ports. Consider the use of one-way, new memory sticks to prevent medical devices from infecting similar devices.
  • Isolate medical devices inside a secure network zone and protect them with an internal firewall that allows access only to specific services and IP addresses.
  • Don’t forget medical device end-of-life. If devices are no longer receiving updates from their manufacturers, or are just too old to deal with malware, get rid of them, remembering of course to securely wipe or destroy patient data on the device.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.

Sending Credit Card Info Over Email

Are emailed credit card numbers in scope for PCI compliance?

By: Gary Glover, Director of Security Assessments
The specific way credit card data is transmitted might just change your scope for PCI DSS compliance. (Learn more about reducing PCI scope.) A common and recurring question I get is, if you receive primary account numbers (PAN) via email, is your email server in scope of PCI?

Yes, your email server is in scope for PCI security requirements.

PCI DSS Requirement 4.2 says unprotected PANs must never be sent by end-user messaging technologies (email, instant messaging, SMS, chat). Here’s why: email leaves trails of credit card numbers in inboxes, trash folders, web browser caches, backups, etc. As with any end-user technology, it’s extremely difficult to secure.

According to the PCI DSS, e-mail, instant messaging, SMS, and chat can be easily intercepted by packet-sniffing during delivery across internal and public networks. (Learn more about packet-sniffers and other hacking techniques.) Even if your email server is configured to encrypt the connection when you read your mail, that protects only the hop between you and your server: the message sits in clear text on every server and mailbox it passes through, and you have no guarantee that the receiving end uses the same level of protection. Do not use these messaging tools to send PAN unless the entire message is encrypted end to end with strong cryptography (PGP, GPG, etc.). Even then, it’s probably just easier to find another way to transfer sensitive credit card data.

Similar requirements for sending and receiving protected health information over email are essential for HIPAA compliance.


If you don’t want your email server to be in scope of your PCI compliance, there are a few actions you must take.

If accepting or sending emailed credit cards is a normal business process:

  1. Understand your process must be changed. There is no way for you to be compliant if your normal process requires sending clear text credit cards via unencrypted email.
  2. Either decide to encrypt your email, or initiate training for employees to forbid the sending or receiving of customer card data.
  3. Ensure your written policies state unprotected PAN is never to be sent via email or other end-user technologies.

If one or two credit cards come through email by accident:

  1. Inform the customer (or sales person, etc.) to stop. Educate them about the dangers of using email to send credit card information. Make sure you don’t respond by including the original email.
  2. Talk to your IT department about the best way to delete this message securely (it’s difficult to get rid of emails on Exchange servers because they journal messages in case they need to be restored someday).
  3. Be sure there is training for employees to know how to handle this situation.
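Both procedures above, forbidding card numbers in email as a matter of process and handling the one that slips through, depend on noticing that a message contains a PAN in the first place. The block below is an added example, not code from SecurityMetrics or from this post, of the check a mail filter or a help-desk tool would run: it finds 13 to 19 digit runs (with the spaces or dashes people type), keeps only those that pass the Luhn check every card number satisfies, and produces a masked form that shows at most the first six and last four digits, which is the maximum PCI DSS Requirement 3.3 allows on a display, so the reply to the customer never quotes the number back. The sample message is constructed for the example and uses published card-brand test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not a slice of a longer digit run (order numbers, tracking numbers).
_CANDIDATE = re.compile(
    r"(?<![0-9])(?<![0-9][ -])"        # nothing card-like immediately before
    r"(?:[0-9][ -]?){12,18}[0-9]"      # 13-19 digits with optional separators
    r"(?![0-9])(?![ -][0-9])"          # nothing card-like immediately after
)

# Constructed sample message (not a real email): a Visa test number, a mistyped copy
# of it, a phone number, a long order reference, and an AmEx test number.
SAMPLE_EMAIL = """\
Hi, please charge my card 4111 1111 1111 1111, exp 09/27.
I first sent 4111 1111 1111 1112 by mistake, ignore that one.
Call me at 801-555-0100 if there is a problem.
Reference order 2024-0001-1111-2222-3333.
Backup card: 3782-822463-10005
"""


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: every card PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(match_text: str) -> str:
    """Strip the separators a human typed so the check sees only digits."""
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list:
    """Every Luhn-valid 13-19 digit number in text, separators removed."""
    return [d for d in (_digits(m.group(0)) for m in _CANDIDATE.finditer(text))
            if luhn_ok(d)]


def mask_pan(digits: str) -> str:
    """Mask for display: at most the first six and last four digits stay visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Return text with every Luhn-valid PAN replaced by its masked form, e.g. for a
    reply that must not quote the original number back to the sender."""
    def _replace(m):
        d = _digits(m.group(0))
        return mask_pan(d) if luhn_ok(d) else m.group(0)
    return _CANDIDATE.sub(_replace, text)


if __name__ == "__main__":
    print("PANs found:", [mask_pan(p) for p in find_pans(SAMPLE_EMAIL)])
    print(redact_pans(SAMPLE_EMAIL))
```

The Luhn filter is what keeps the phone number and the mistyped card out of the results, and the look-around assertions stop a 20-digit order reference from being reported as a 16-digit card; the residual false positives are non-card identifiers that happen to be Luhn-valid, so a hit should trigger the handling steps above rather than an automatic deletion. Note that redacting the message body does nothing about the copies Exchange keeps; that part still needs the IT conversation in step 2.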

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.