Here are some mistakes your business might be making with firewalls. 

Read the white paper, How to Implement and Maintain PCI Compliant Firewalls.

When’s the last time you thought about your firewall? If it’s been a while, you may have a problem.

While PCI 3.2 has minimal changes to firewalls themselves, it’s important that businesses are compliant and up to date with the PCI DSS’s requirements for firewalls.

Unfortunately, many businesses’ firewalls aren’t PCI compliant.
Here are 5 things businesses are doing wrong in getting their firewalls PCI compliant.

1. Lack of proper configuration

Many businesses think firewalls are plug-and-play technology and don’t think about them once they’re installed. However, most firewalls need to be configured to your unique business environment.

If you don’t think this is important, think again. In the breached merchants SecurityMetrics has investigated, over 76% of organizations didn’t have their firewalls correctly configured. It was through this weakness that attackers were able to gain access to and steal sensitive data.

You need to establish and maintain firewall rules that define what traffic is allowed into and out of your network. If you don’t, the firewall may provide no real protection at all.

SEE ALSO: Configuring and Maintaining Your Firewall with SecurityMetrics Managed Firewall

2. Not using network segmentation 

You can use firewalls to separate your card environment from the rest of your network. This helps reduce your PCI scope and simplifies your security efforts.

It’s true that segmenting your network is technically not required by PCI, but it really does help your business secure your network better and more easily. If you want to get PCI compliant more efficiently, segmentation is a good method.

Segmenting your network can be extremely technical, so you may want to get a third party to help you set it up properly.

SEE ALSO: How Does Network Segmentation Affect PCI Scope?

3. Lack of log management

Firewall logs will do your business no good unless you have someone (or monitoring software) actually keeping track of those logs and noting when something seems off.

Think of log management as a guard on a watch tower. The security does you no good unless you have someone who can see a potential problem and tell you, “Hey, something is going on!”

It’s best to get file monitoring software. It will keep track of your firewall logs and notify you if something suspicious happens, like someone trying to log into your network over 300 times at 2 in the morning. You’ll still need someone who keeps track of these notifications so that the software isn’t just pinging in an empty room.

Remember, you can’t stop a breach if you don’t know if it’s happening.
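As an added illustration (not code from the post or from SecurityMetrics), here is the kind of check a log-monitoring tool performs for the scenario above: it parses firewall log lines in an assumed format, counts failed logins per source within a sliding time window, and raises an alert when a source crosses the threshold, noting whether it happened during off-hours. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (not any vendor's): "<ISO timestamp> <source IP> <ACTION> <detail>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<action>[A-Z_]+)")

def parse(line):
    """Return (timestamp, source, action) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["action"]

def find_login_storms(lines, threshold=300, window=timedelta(minutes=10),
                      quiet_hours=range(0, 6)):
    """Alert on sources with more than `threshold` failed logins inside `window`.
    Each alert records the count and whether it fell in the quiet hours."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed and parsed[2] == "LOGIN_FAIL":
            events[parsed[1]].append(parsed[0])
    alerts = []
    for src, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts.append({"src": src, "count": count, "first": times[start],
                               "last": t, "off_hours": t.hour in quiet_hours})
                break  # one notification per source is enough
    return alerts

def constructed_log():
    """Constructed sample: a 2 a.m. storm from one address plus normal daytime noise."""
    base = datetime(2024, 3, 10, 2, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.7 LOGIN_FAIL user=admin"
             for i in range(320)]
    lines += [f"{(base + timedelta(hours=8, minutes=i)).isoformat()} 198.51.100.4 LOGIN_FAIL user=bob"
              for i in range(3)]
    lines.append("2024-03-10T10:05:00 198.51.100.4 LOGIN_OK user=bob")
    return lines

if __name__ == "__main__":
    for alert in find_login_storms(constructed_log()):
        print(alert)
```

The alert still needs a human to act on it, which is the point the post makes.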

4. No documentation

PCI requirement 1 says you should document all firewall policies and procedures. This is a requirement that many businesses overlook.

Firewall documentation will help your team understand what’s been done, what needs to be done, and where the problems are in your environment. It basically helps keep your security efforts more organized, and makes things easier for future updates and changes.

Some things to consider documenting include:
  • Description of groups, roles, and responsibilities: make sure those involved are aware of their responsibilities.
  • Business justification for allowed services, protocols and ports: if you need any ports open for your business, you’ll need to document why you need them.
  • Network and cardholder data flow diagrams: you can’t protect your data if you don’t know where it goes. Having these diagrams helps you see where your data is received, stored, and transmitted and where to implement your firewalls.

5. No reviewing and testing

In a recent survey we did of over 350 individuals responsible for compliance decisions, 32% of respondents didn’t know how often the firewall rules were reviewed in their businesses. No matter the size of your environment, things change over time. Firewall rules will need to be rewritten or tweaked.

The PCI DSS requires organizations to review firewall and router rule sets at least every six months. This helps you ensure there are no security weaknesses and gives you the chance to update your firewall strategy as needed.

SEE ALSO: New 3.2 Requirements for Penetration Testing and Segmentation: What You Don’t Know

You also need to test the effectiveness of your firewall rules, such as scanning for rogue wireless access points. Two good ways to test your network are through vulnerability scans and penetration tests.
  • Vulnerability scans are a great weekly, monthly, or quarterly insight into your network. They scan for possible vulnerabilities in your network.
  • Penetration tests are a more thorough way to deeply examine network security. In these tests, white hat hackers will try to find possible ways into your network.

SEE ALSO: Pentesting vs Vulnerability Scanning: What’s the Difference?
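Points 1, 4 and 5 above (proper configuration, documented business justification, and a rule review at least every six months) can be turned into a mechanical check. This is an added example, not code from the post or a SecurityMetrics tool; the rule set and its field names are constructed for illustration and do not follow any vendor’s export format.

```python
from datetime import date, timedelta

# Constructed rule set (illustrative; "cde" is the cardholder data environment segment)
RULES = [
    {"id": 10, "action": "allow", "src": "corp-lan", "dst": "cde", "port": "443",
     "justification": "POS terminals post transactions to the payment gateway",
     "last_reviewed": "2024-01-15"},
    {"id": 20, "action": "allow", "src": "any", "dst": "cde", "port": "any",
     "justification": "", "last_reviewed": "2022-11-01"},
    {"id": 30, "action": "allow", "src": "guest-wifi", "dst": "corp-lan", "port": "80",
     "justification": "Guest captive portal", "last_reviewed": "2024-02-01"},
    {"id": 99, "action": "deny", "src": "any", "dst": "any", "port": "any",
     "justification": "Default deny", "last_reviewed": "2024-02-01"},
]

REVIEW_INTERVAL = timedelta(days=182)  # PCI DSS: review rule sets at least every six months

def review_rules(rules, today, cde_zone="cde", trusted_zones=("corp-lan",)):
    """Return (rule id, finding) pairs for rules that fail the checks the post describes."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if r["src"] == "any" and r["port"] == "any":
            findings.append((r["id"], "any/any allow: the rule performs no real filtering"))
        if not r["justification"].strip():
            findings.append((r["id"], "no business justification documented (Requirement 1)"))
        if r["dst"] == cde_zone and r["src"] not in trusted_zones:
            findings.append((r["id"], f"zone '{r['src']}' reaches the cardholder data environment"))
    for r in rules:
        if today - date.fromisoformat(r["last_reviewed"]) > REVIEW_INTERVAL:
            findings.append((r["id"], "not reviewed within the last six months"))
    last = rules[-1]
    if not (last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any"):
        findings.append((None, "rule set does not end with an explicit default deny"))
    return findings

if __name__ == "__main__":
    for rule_id, finding in review_rules(RULES, date(2024, 3, 10)):
        print(rule_id, finding)
```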

Ask a QSA!

Firewalls can be rather technical, and if you’re not sure what you need to do, you’ll want to talk to an expert. Qualified Security Assessors (QSAs) can help you figure out what types of firewalls you need, what your scope includes, and how you should handle log management.

Whatever your environment needs, make sure you’re properly setting up and maintaining your firewalls.

Your firewall is only as effective as you make it.

Need help with firewalls? Check out our managed firewall service!
