Attackers' Tools Work Day and Night: Who Can Sleep?
A security manager I was speaking with recently described some applicants for a Network Administrator position he was looking to fill. Most of them were well-qualified with backgrounds in IT and network management and had a long stream of credentials following their names.
All excellent candidates, but he didn't hire any of them.
I asked what the problem was, and he responded wryly that "they all required sleep."
The dilemma was this: In order to ensure 24/7/365 security coverage for the company network, the security manager would need to hire two applicants, yet there was only one person budgeted. He simply couldn't address that level of responsibility with just one hire, no matter how experienced and qualified.
And he was right—effectively defending a company network from intruders is a round-the-clock endeavor, because data thieves are continuously bombarding Internet-facing systems with automated tools and programs designed to exploit security holes. The PCI Data Security Standard (DSS) has a full requirement (out of the twelve) dedicated to the design, deployment and management of network firewalls. This is because firewalls are the first line of defense against network attacks and are a highly effective, preventative measure—but only if they are designed, deployed and managed correctly. An incorrectly configured firewall is universally loved by attackers, who will take advantage of it as long as you'll let them.
Requirement 1 of the PCI DSS focuses on ensuring that firewalls are placed at all perimeters of your network as well as between Demilitarized Zones (DMZs)—where external-facing applications and systems are placed so any individual may access them—and your internal network. The PCI requirement also states that firewalls need to be placed in front of databases storing cardholder data. Essentially, you are creating barriers between non-sensitive and sensitive environments and systems.
In order to permit authorized users through those barriers, you need to define who those users are and how they are permitted to gain access. For example, when a customer swipes their credit card at the POS in one of your stores and the cardholder data is transmitted to your back-of-house server in preparation for transmittal to your processor and acquiring bank, that back-of-house server is considered part of your internal network. Once the cardholder data is transmitted from your back-of-house server to the processor, the data is considered to have entered the external network. Only authorized traffic should be able to be transmitted out to the processor for this purpose, and only authorized return traffic from the processor authorizing the transaction should be permitted back in. If you permit other traffic through the firewall, it needs to be over secured ports and transmissions as well, or else that traffic can penetrate your internal network and breach your card data environment.
Network access is established through firewall rule sets, which are official rules programmed into the firewall(s) dictating who can gain access and how. The PCI DSS has several requirements surrounding the definition and management of firewall rule sets, including what kind of traffic can be permitted to and from the card data environments (only that required for business reasons), whether insecure ports and services are permitted (never, unless specifically stated and security controls defined and deployed) and how often they are to be reviewed (at least every six months).
According to the PCI DSS, firewalls are individual systems, each of which must be assessed for PCI compliance unless it can be validated that they are identical through a sampling process. Therefore, multiply all the PCI requirements by how many firewalls you have, and you can see how much work is involved to just meet the PCI requirements, not to mention all the other day-to-day activities that accompany firewall management.
This is where a Managed Security Services Provider (MSSP) can help. If you simply don't have the time, personnel or skill sets to manage your firewall(s), you may want to outsource the task to an MSSP that specializes in delivering the technical expertise and security know-how required to secure your business and meet PCI compliance requirements. A single MSSP agreement can be a simple, cost-effective solution for implementing enterprise-grade security, no matter the size of your business. And you don't have to hire a team to do it. The security manager I spoke with opted to outsource the management of his network firewalls to an MSSP, so he could get himself some sleep.
Click here to learn how ControlScan's managed security services, including our ProTect Managed Network Firewall and ProTect Web Application Firewall, can help your business simply and affordably address security and PCI compliance. Or, if you'd like to just ask questions about your business's security in general, give ControlScan a call at 1-800-825-3301 x 3. We'd be happy to help.