Learn how your business is making itself vulnerable.   

By: Chase Palmer, Senior Program Manager, CISSP
Did you know that over 400 million records were compromised in the USA in 2015 alone? What’s worse is that all the breached businesses SecurityMetrics has investigated had preventable vulnerabilities.
If merchants are consistent in one thing, they’re consistent in losing data.
The big problem is many businesses don’t even know they’re vulnerable until it’s too late. Here are the top 5 practices that make businesses vulnerable.

SEE ALSO: Top Ten PCI Requirement Failures: Where is Your Business Struggling?

5. Storing unencrypted data

Did you know that according to our latest PANscan study, 67% of merchants store unencrypted card data, and 5% store magnetic stripe data? This is data that’s just waiting around to be stolen.

Why should you encrypt your card data? Because encryption makes the data useless to hackers should it get stolen: encrypted card data can’t be used even if it is taken.

SEE ALSO: PCI DSS Requirement 3: What You Need to be Compliant

Some other things you can do to protect your card data include:
  • Limit access to data: the fewer employees that have access to your card data, the less likely it is to be leaked or exposed
  • Use P2PE validation: point-to-point encryption ensures your data is encrypted from the point of swipe until it’s received by the processor, so unencrypted data is never in your system
  • Consider tokenization: if you can, avoid storing card data at all by using technology like tokenization. Getting a third party to handle and store your card data can eliminate many potential security problems
  • Use network segmentation: keeping the part of your network that deals with card data separate from other networks makes securing that data easier

4. Not reviewing firewall logs

It’s likely your business has a firewall, but do you have someone reviewing the firewall logs?

Think of reviewing logs as having a watchman on a tower. He’s pretty useless if he isn’t looking for threats and letting everyone know when there’s danger. Having your firewall is useless if you aren’t paying attention to it when it notifies you something is off.

I recommend you install log monitoring software to aid in the log review process. Log monitoring software can look through the log entries on your firewall much faster than a person can and will notify you if something fishy happens (e.g. someone tries to log onto your network 300 times at 2 am). Remember though, you still need someone to review any alerts that are flagged by the system.
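
As an added example (not code from the post or from SecurityMetrics), the kind of check log monitoring software performs: a sliding-window count of failed logins per source IP over a constructed log format, raising one alert per source once a threshold is crossed and flagging alerts that fall outside business hours. The log format, the threshold of 10 failures in 5 minutes and the 06:00-22:00 business-hours window are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (timestamp, source IP, user, result); real devices differ.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "user": m["user"], "result": m["result"]}

def find_login_bursts(lines, threshold=10, window=timedelta(minutes=5)):
    """Alert once per source that logs `threshold` failed logins inside `window`.

    A sliding window per source IP keeps slow, scattered failures quiet while a
    burst (the post's "300 attempts at 2 am") is reported as soon as it crosses
    the threshold. Alerts are marked off_hours when outside 06:00-22:00 (assumed).
    """
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "failures": len(q),
                           "first": q[0].isoformat(), "last": ev["ts"].isoformat(),
                           "off_hours": not 6 <= ev["ts"].hour < 22})
    return alerts

def constructed_sample_log():
    """Constructed sample: a burst of 12 failures from one IP at 02:00, then normal traffic."""
    base = datetime(2016, 3, 2, 2, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} src=203.0.113.7 user=admin result=FAIL"
             for i in range(12)]
    lines.append("2016-03-02T09:15:00 src=198.51.100.4 user=jsmith result=FAIL")
    lines.append("2016-03-02T09:15:20 src=198.51.100.4 user=jsmith result=OK")
    return lines

if __name__ == "__main__":
    for alert in find_login_bursts(constructed_sample_log()):
        print(alert)
```

The alert is only the start of the process: as the paragraph above says, a person still has to look at it.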

I would also recommend installing file integrity monitoring software on all your critical systems, which will alert you when changes to important files have been made.

3. Not configuring firewalls

SecurityMetrics forensic investigators found that over 65% of breached merchants didn’t have a properly configured firewall in place. A lack of configuration often weakens and even negates the effects of a firewall.

Many businesses think they can just plug in their firewall and be done with it, but there’s more to it. Very rarely, if ever, does a firewall come out of the box pre-configured for your system. Most firewalls are programmed by default either to let no traffic in at all or to let all traffic in. You will need to spend some time determining what kind of traffic is allowed on your network and what rules need to be configured on your firewall.

Less reliable firewalls come with factory defaults that allow most or all traffic in and out. This creates a lot of work for the user, who must figure out what needs to be closed, and it often leaves vulnerabilities in the firewall that can be exploited. A good firewall is set, by default, to block most traffic; the user then opens it up to allow specific types of traffic in and out. This is a much more controlled way of setting up a firewall, as it minimizes the chance of leaving vulnerable paths into your network.

It’s also important to review firewall rules on a regular basis. Leaving old rules in place when systems or users have been removed can not only cause conflicts with other rules but can also leave gaping holes in the security of the network.
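
As an added example (not the post’s own material), a small rule review that automates the checks described above: it confirms the default policy is deny, flags a leftover allow-everything rule, reports rules that reference hosts no longer in the asset inventory, and finds rules that can never match because an earlier, broader rule with the opposite action shadows them. The vendor-neutral rule format, first-match-wins evaluation, the sample rules and the inventory are all constructed for this example.

```python
# Constructed, vendor-neutral rule set: first match wins, evaluated top to bottom.
# ASSETS is a constructed inventory of the hosts still in service.
ASSETS = {"10.0.1.5", "10.0.2.20"}
RULES = [
    {"action": "allow", "src": "any", "dst": "10.0.1.5", "port": "443"},        # web server
    {"action": "allow", "src": "10.0.2.20", "dst": "10.0.9.9", "port": "3389"}, # 10.0.9.9 was retired
    {"action": "allow", "src": "any", "dst": "any", "port": "any"},             # "make it work" leftover
    {"action": "deny", "src": "any", "dst": "10.0.1.5", "port": "22"},          # never reached
]
FIELDS = ("src", "dst", "port")

def covers(a, b):
    """True when match value `a` includes `b`; 'any' matches everything."""
    return a == "any" or a == b

def review_rules(rules, default_policy, assets):
    """Return human-readable findings for a rule set; an empty list is a clean review."""
    findings = []
    if default_policy != "deny":
        findings.append("default policy is not deny: traffic no rule mentions is allowed")
    for j, r in enumerate(rules):
        label = f"rule {j} ({r['action']} {r['src']} -> {r['dst']}:{r['port']})"
        if r["action"] == "allow" and all(r[f] == "any" for f in FIELDS):
            findings.append(f"{label}: permits all traffic and negates the default deny")
        for side in ("src", "dst"):
            if r[side] != "any" and r[side] not in assets:
                findings.append(f"{label}: {side} host is not in the asset inventory (stale rule?)")
        for i in range(j):   # an earlier, broader rule with the opposite action shadows this one
            e = rules[i]
            if e["action"] != r["action"] and all(covers(e[f], r[f]) for f in FIELDS):
                findings.append(f"{label}: never matches, shadowed by rule {i} ({e['action']})")
                break
    return findings

if __name__ == "__main__":
    for finding in review_rules(RULES, "deny", ASSETS):
        print(finding)
```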

SEE ALSO: PCI Compliant Firewalls: 5 Things You’re Doing Wrong

2. Lack of password management / lack of software updates

A lot of businesses don’t have adequate password management policies in place, if they have them at all. In most cases employees use predictable usernames and simple passwords for the sake of convenience, and about half of employees are using passwords that are at least 5 years old. Unfortunately, this makes it really easy for hackers to gain access to your data through your employees.

Make sure you and your employees are using unique passwords. It’s also important to avoid dictionary words and keyboard-pattern passwords (e.g. 123qwe).

Here are 10 of the most common passwords:
  • 123456
  • password
  • qwerty
  • football
  • baseball
  • welcome
  • abc123
  • 111111
  • 1qaz2wsx
  • dragon
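
As an added example (not from the post), a password policy check that rejects the ten passwords listed above, dictionary words even when digits or symbols are tacked on, and keyboard patterns such as 123qwe or 1qaz2wsx. The 12-character minimum and the tiny stand-in dictionary are assumptions of this example; a real deployment would load a full word list and a breached-password corpus.

```python
import re

# The ten most common passwords listed in the post.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "football", "baseball",
                    "welcome", "abc123", "111111", "1qaz2wsx", "dragon"}
# Keyboard rows and columns, used to spot walk-the-keyboard patterns such as 123qwe or 1qaz2wsx.
KEYBOARD_SEQUENCES = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                      "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
# Constructed stand-in for a real word list; a deployment would load a full dictionary here.
DICTIONARY = {"password", "welcome", "dragon", "football", "summer", "company"}

def has_keyboard_run(pw, min_len=3):
    """True if pw contains min_len or more adjacent keys from a row or column, in either direction."""
    for seq in KEYBOARD_SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + min_len] in pw for i in range(len(s) - min_len + 1)):
                return True
    return False

def check_password(pw, min_length=12):
    """Return the policy violations for pw; an empty list means it is acceptable.

    The 12-character minimum is an assumption of this example, not a figure from the post.
    """
    problems = []
    low = pw.lower()
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if low in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    # Strip digits and symbols so "Welcome2016!" is still recognised as the word "welcome".
    if re.sub(r"[^a-z]", "", low) in DICTIONARY:
        problems.append("dictionary word (possibly with digits or symbols added)")
    if has_keyboard_run(low):
        problems.append("keyboard pattern")
    if len(set(low)) < 4:
        problems.append("too few distinct characters")
    return problems

if __name__ == "__main__":
    for candidate in ("123qwe", "1qaz2wsx", "Welcome2016!", "correct-horse-battery-staple"):
        print(candidate, "->", check_password(candidate) or "OK")
```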
Additionally, many businesses don’t regularly update their software. By skipping updates, they leave their networks open to vulnerabilities that those updates would have patched.

SEE ALSO: PCI Requirement 6: Updating Your Systems

Establish a schedule for updating your software and technology regularly. If a big patch comes out, make sure to update the affected technology within 30 days of the patch’s release.

Occasionally software will no longer be supported by its developer, meaning that vulnerabilities won’t ever be fixed. This is called software sunset. Any software that’s no longer supported by its developers should be replaced as soon as possible.

SEE ALSO: Security Patches in Your Business: Complying with PCI Requirement 6.1

1. Unsecured remote access

Of all the breaches SecurityMetrics investigated last year, 29% resulted from unsecured remote access. Remote access is still the #1 pathway hackers use to get at data.

While remote access can be useful to your business and convenient, it can also open up a pathway for a hacker if it’s not properly secured.

If you use remote access, you’ll need to secure it properly. Some tips to secure your remote access include:
  • Restrict access: if you need to use remote access, only give it to employees that require it. Don’t let every employee have access to it
  • Use a VPN: a virtual private network (VPN) adds an additional layer of security to your remote access and makes it much harder for hackers to get into your network
  • Use multi-factor authentication: this combines two or more of something you know, something you have, and something you are. This extra security layer helps prevent hackers from getting into your remote access by guessing a username and password with brute-force attacks

SEE ALSO: Configuring Your Remote Desktop Connection: What You’re Doing Wrong

Protecting your data

Remember that while there are many ways your business can be vulnerable to attacks, there are many ways to prevent these attacks. Examine your business and make sure these vulnerabilities aren’t present.

Need help in securing your data? Talk with one of our consultants!

Chase Palmer is the Senior Program Manager and has been working at SecurityMetrics for seven years. He manages the company’s largest corporate partners in running mass Level 4 PCI DSS programs worldwide. Chase has a Bachelor’s degree in Business Management from Western Governors University. He currently lives in Provo, Utah, and he loves everything about motorcycles.