Monday, September 26, 2011

Network Security for Small Businesses


Small businesses are a primary target for data breaches. Most lack the time, money, expertise, or patience to secure their networks. The black hat community knows this, and an unprotected small business is an easy source of valuable data.

Mainstream media covers small-scale breaches far less often than large corporate breaches such as those at Sony or Citigroup, but they happen constantly, and the resulting fines are more than many small businesses can absorb; some go under every year as a result.

Until recently, most network security products available to small businesses had been designed for large corporations with big budgets, data centers, and full-time IT staff.

In May 2011, SecurityMetrics released SecurityMetrics Vision, a product that provides internal network security for small businesses. This Network Threat Sensor installs inside the business network and looks for threats through internal vulnerability scanning, wireless network detection, event log management, and an industry-leading firewall.

Once a threat is identified, an alert is delivered to the business' secure account on the SecurityMetrics website and by email so the threat can be eliminated. For businesses that need help with remediation, SecurityMetrics 24/7 technical support is available.

A small business that bought all of these capabilities separately would spend thousands of dollars. SecurityMetrics Vision is built and priced for small businesses. Click here for more information.

Thursday, September 22, 2011

Portfolio Compliance: A Custom Approach

A successful PCI program doesn't come in a can. Every portfolio is unique and has different needs, and a PCI compliance program can be as successful as you want it to be. SecurityMetrics provides solutions to match your definition of a successful program.


When you use SecurityMetrics as your PCI vendor you are able to customize your program, produce successful program results, and keep your merchants happy. Tell us your goals, and we'll do everything we can to make them happen. Whether it be a hands-on, full-service, or online approach, SecurityMetrics will create a custom PCI solution for your portfolio needs.

PCI compliance can easily frustrate merchants. Over the years, we've developed methods that greatly simplify the compliance process. You never have to worry about how your merchants are treated. SecurityMetrics has helped over 1 million merchants with PCI compliance and prides itself on its ability to interact positively with merchants.

Monday, September 19, 2011

Is Your Printer an Informant?


At recent security conferences, network printers have been shown to be potential doorways into an otherwise secure network. How can this be? They just receive print jobs from inside your network and produce hard copies... right? Today's multifunction printers have many channels for receiving and sending data, and they may be storing sensitive information about your network without anyone noticing. Here are some things you should know about your potential "informant."

I need to secure a printer?!
Printer security is often neglected or ignored: "It's just a printer. Why do I need to secure it?" Yet printers are routinely plugged into the corporate network, integrated with business systems, and given credentials for network resources. Factory-default passwords, including those protecting administrative functions, are never replaced. Because they are considered hardware, printers are skipped in the regular update and patch management schedule. An insecure setup on these devices can lead to serious exposure of sensitive data.

Dangerous printer capabilities
Each of the following features, if not secured, can result in sensitive data or stored passwords being harvested.
  • Document scanning to a file. The printer exposes scanned files over File Transfer Protocol (FTP) or copies them to a network file server. The credentials the printer uses to reach that file server are stored on the printer.
  • Document scanning to email. The printer stores credentials for the local mail server, and may also store user email addresses.
  • Email notification. The printer may keep an address book of internal email addresses for notifications (fax received, print job finished, etc.). An attacker who can read it learns more about internal addresses than he should.
  • A remote administration portal, usually an embedded web server, reachable from the network the printer sits on or even from the Internet. Administrators often leave the default password for this page unchanged.

How are printers being attacked?
One of the simplest and most common attacks on these devices is to log in to the administrative portal with the password set by the manufacturer. Even when the defaults have been changed, a simple attack against the portal may bypass the device's authentication layer entirely. (Attacks of this sort are known against some HP and Toshiba devices, using a well-placed extra character in the administrative portal's URL.) Once inside the portal, it can be very easy to glean network access information.

IT personnel often use a directory service administrator account when configuring the printer to access shared resources. That login may be visible in the printer's administrative interface, or readable directly from the printer's password settings page as hidden form fields kept right in the page's HTML source. Failing to protect this password lets an attacker collect it from the printer and then "become" an administrator of the network or of other sensitive systems.

Some printer attacks let an attacker enumerate every email address in the address book, and perhaps even the file share credentials the printer uses to deposit scanned files on specific file servers. With that data the attacker can gain authenticated access to many systems in the environment, and from there direct his attacks at the systems where financial or other sensitive company information is stored or processed.

Other attacks trick the printer into talking to the attacker instead of its configured Lightweight Directory Access Protocol (LDAP) or Simple Mail Transfer Protocol (SMTP) server, for example by pointing the server address in the printer's configuration at a host the attacker controls and then triggering an authentication attempt. The printer obligingly hands over internal IP addresses, port information, and the usernames and passwords it has stored.
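Two of the exposures above, stored credentials echoed back as hidden form fields in page source and an administrative portal that still accepts a factory-default password, can be checked with a short script. The following is an added example written for this page, not code from the original post or from Praeda; the field-name hints, the default-credential list, the sample settings page, and the simulated printer are all constructed assumptions for offline demonstration, and a real audit would point `http_status` at the device's admin URL instead.

```python
"""
Added example (not from the original post): audit a printer's embedded web
server for stored service credentials echoed back as hidden form fields,
and for an administrative portal that still accepts a factory default.
Runs offline against constructed sample data; swap in a real URL to use it.
"""
import base64
import urllib.error
import urllib.request
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional, Tuple

# Substrings that mark a form field as holding a secret.  Hypothetical list
# chosen for this example; extend it for the printer models you audit.
SECRET_FIELD_HINTS = ("pass", "pwd", "secret")

# Default pairs to try against the admin portal.  Hypothetical list; use the
# manufacturer's documented defaults for the devices you actually audit.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", ""), ("admin", "password"), ("root", "root")]


class HiddenFieldParser(HTMLParser):
    """Collects every <input> of type hidden or password, with its name and value."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() in ("hidden", "password"):
            self.fields.append((a.get("name", ""), a.get("value", "")))


def find_exposed_credentials(html: str) -> List[Tuple[str, str]]:
    """Return (field, value) pairs whose name suggests a secret and whose value is
    non-empty: a stored password the device serves to anyone who can view source."""
    parser = HiddenFieldParser()
    parser.feed(html)
    return [(name, value) for name, value in parser.fields
            if value and any(h in name.lower() for h in SECRET_FIELD_HINTS)]


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def http_status(url: str, headers: Dict[str, str]) -> int:
    """Live fetch: HTTP status for a request to the admin portal (401/403 when auth is rejected)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_default_credentials(url: str,
                              fetch: Callable[[str, Dict[str, str]], int] = http_status,
                              candidates=DEFAULT_CREDENTIALS) -> Optional[Tuple[str, str]]:
    """Try each default pair with HTTP Basic auth; return the first pair the
    portal accepts (HTTP 200), or None if every pair is rejected."""
    for user, password in candidates:
        if fetch(url, basic_auth_header(user, password)) == 200:
            return (user, password)
    return None


# ---- constructed sample data standing in for a real device -----------------

# A scan-to-folder settings page as careless firmware might render it,
# echoing the stored SMB and LDAP passwords back into the form.
SAMPLE_SETTINGS_PAGE = r"""
<form action="/settings/scan" method="post">
  <input type="hidden" name="csrf_token" value="9f2a6c">
  <input type="text" name="smb_user" value="CORP\svc_printer">
  <input type="hidden" name="smb_password" value="Winter2011!">
  <input type="text" name="share_path" value="\\fileserver\scans">
  <input type="password" name="ldap_bind_password" value="ldapS3cret">
</form>
"""


def simulated_printer(url: str, headers: Dict[str, str]) -> int:
    """Stand-in for a portal still on admin/admin; answers 200 only for that pair."""
    accepted = basic_auth_header("admin", "admin")["Authorization"]
    return 200 if headers.get("Authorization") == accepted else 401


if __name__ == "__main__":
    for field, value in find_exposed_credentials(SAMPLE_SETTINGS_PAGE):
        print(f"secret exposed in page source: {field} = {value!r}")
    hit = check_default_credentials("http://192.0.2.10/admin", fetch=simulated_printer)
    print("default credentials accepted:", hit)
```

Run against a real device only with authorization, and treat any non-empty result from either function as a finding: a password visible in page source is readable by anyone who can reach the portal, whether or not they can log in.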

What can I do?
  • Change the default passwords on every printer, including the administrative portal. 
  • Develop an update management process that keeps printer software and firmware up to date, just as you do for servers and workstations. 
  • Never grant the printer network resources with an administrator-level account; use a dedicated service account with only the access it needs. 
  • Keep the administrative portal off the Internet and restrict it to the management network where possible. 
  • Tools like Praeda are used by security professionals to audit printers for exactly these exposures (note that the same tools are available to attackers). You can follow Praeda's progress at www.foofus.net 

Multifunction and network enabled printers may contain very sensitive information about your internal network and may be a “weak link” in your overall security strategy. Do not neglect them.

--The SecurityMetrics Audit Team

Friday, September 16, 2011

IRS TIN Validation- Explained



What is IRS TIN validation? Where did it come from? What does this government mandate mean for you and your business? Phyllis Richards, VP of Merchant Services Product Management for SunTrust Merchant Services explains IRS TIN validation.

For more details on IRS TIN Matching, visit:
http://blog.securitymetrics.com/2011/07/not-validating-irs-tin-records-may-mean.html

Thursday, July 14, 2011

Maintain Safe Harbor: Check Your Compliance Status

A business that is protected from the fines and penalties it would normally incur after a card data breach is said to be in Safe Harbor. To attain Safe Harbor status, a business must validate and maintain full PCI compliance at all times.


Visa defines Safe Harbor as the following:

“Safe Harbor provides members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise.”


Criminals discover new weaknesses in networks and software applications daily. Last October, the PCI standard moved from PCI DSS 1.2 to PCI DSS 2.0 to clarify, expand, and evolve certain requirements in an effort to protect against emerging criminal trends.


Many PCI compliant businesses do not realize that validation is not a one-time event: it must be repeated quarterly or yearly, depending on how payment cards are processed. Staying current with the PCI standard must be part of a business' culture if it is to keep preventing theft and fraud. See whether your business maintains Safe Harbor by checking your PCI compliance status in your SecurityMetrics account. Visit www.securitymetrics.com/login.adp to sign in.

Wednesday, July 13, 2011

Not Validating IRS TIN Records May Mean 28% Revenue Withholding

When you receive a letter from your merchant processor asking you to validate your Tax Identification Number (TIN) and legal business name, it's important that you do it. If you don't, the law requires 28% of your card transaction proceeds to be withheld, beginning January 1, 2012.

TIN Matching is a new IRS program that ensures merchant tax and business information match IRS records. It originated in the Housing and Economic Recovery Act of 2008, which includes a section requiring acquiring banks to report to the IRS the gross amount paid to merchants in settlement of payment card transactions.

The law also requires the merchant acquiring entity to collect and annually verify the Tax Identification Number (TIN) and the legal business name associated with each number held by their merchants.

SecurityMetrics has established many programs with acquiring banks to streamline the TIN validation process for their merchants. You may be contacted in the future by your merchant processor asking you to validate TIN information at the SecurityMetrics website. The process will take less than 5 minutes to complete, and if you have any questions, SecurityMetrics representatives are available 24/7 at 801.705.5665.

Want more information? Check out our TIN Matching Service website.

Friday, July 8, 2011

Successful Merchant Portfolios Do Exist

An Interview with Sean Fuery, Director, Business Development


Why do merchants say they’re compliant, even when they’re not?

Most vendors in the merchant security industry offer a technology that gives a merchant the opportunity to go online, register, find out how they're handling card data, fill out the proper PCI Self-Assessment Questionnaire (SAQ) and if necessary, schedule a scan. What that technology doesn't take into account is the fact that most merchants just don't understand the surrounding complexities of PCI. They don't understand how their card handling practices impact which SAQ they fill out, or whether or not their business must be scanned. In most cases, regardless of the security vendor they're using, a merchant will begin filling out the SAQ and get to a point where they don't understand what they're reading. They can't give an informed answer because they don't have the technological expertise.


How does SecurityMetrics remedy merchant PCI confusion?

Our phone representatives take those merchants by the hand and explain what the SAQ questions mean in layman’s terms and how those questions apply to their business. We make sure they understand what their business’ handling practices should be based on the SAQ criteria.


When is a portfolio on the right track?

It’s not enough to get a merchant enrolled in a PCI program. Our ultimate goal is to validate their PCI compliance. The current industry average for PCI penetration within any given portfolio is between 10 and 20 percent. Quite honestly, we consider anything under 50 percent a catastrophic failure. We want a merchant to successfully become PCI compliant because a merchant that fills out an SAQ and passes a scan is going to be less of a target to a hacker. Hackers go after easy targets. Our merchants aren’t easy targets.


What is the secret to merchant portfolio success?

90% compliance. We have partners who have achieved this goal. We honor and support the PCI council in the SAQ questions they have offered; we just make it easier for merchants to understand. The PCI council has set the bar high to ensure merchants are safe. We feel it is our job to help merchants over the bar.