SlideShare a Scribd company logo
WINDOW OF
COMPROMISE
White Paper
Limit damage caused to your
cardholder data environment
© 2015 SecurityMetrics
Window of Compromise - 1
CYBER ATTACK PROCESS
The cyber attack process is simple. First, the business has
a vulnerability, a flaw or weakness that can be exploited.
Second, the attacker exploits the vulnerability and accesses
the system. Third, the attacker sets up a way to capture
cardholder data. Finally, the attacker exfiltrates the data for
illegal use.
Decreasing the window of compromise time decreases the
amount of cardholder data captured and exfiltrated, hope-
fully avoiding compromise all together.
In recent years data breaches have been highly publicized,
especially with so many big brands involved. However, data
breaches were by no means limited to the well-publicized large
industries. In fact, the Ponemon Institute reported that 43% of
all US companies experienced a data breach of some sort in
the past year. Based on 2014 data collected by SecurityMet-
rics Forensic Investigators, the average breached merchant
was vulnerable for 618 days. That’s a lot of time for attackers
to find vulnerabilities and exploit them to their benefit.
Nearly every business in America is going to experience
cyber attacks from a variety of sources. Many merchants
are vulnerable (meaning there is a system, environment,
software, or website weakness that can be exploited by at-
tackers) from the day their environment was set up. In other
cases, a merchant becomes vulnerable because they fail to
apply a security patch or update, or they make modifications
to their systems without also properly updating related
security protocols.
On average, it took 470 days from a time the merchant had
a vulnerability in their environment, to the time an attacker
was able to compromise the system (the beginning of the
window of compromise). Attackers were then able to capture
cardholder data for an average of 176 days. That is plenty of
time for an attacker to damage your brand.
WINDOW OF COMPROMISE
LIMIT DAMAGE CAUSED TO YOUR CARDHOLDER DATA ENVIRONMENT
When we refer to the window of compromise, it starts
from the date an intruder accesses a business network
and ends when the breach is contained by some act of
security remediation on part of the merchant.
Window of Compromise - 2
HACKER TRENDS:
CARD DATA AGGREGATION
The seemingly high number of days that card data
was compromised in 2014 (average 176 days) may be
attributed to an aggregation method often employed by
card data thieves.
The aggregation method prevents card brands from
flagging Common Points of Purchase (CPP, a method
used by card brands and banks to identify potential mali-
cious account activity) too early, which would expose the
data breach much sooner, thus bringing a quicker end to
the card data loss and greatly limiting the use of stolen
credit card accounts.
Attackers have been known to aggregate card data
from scraping or other tools without using or sell-
ing the data for four to six months (after six months,
some payment card data begins expiring).
Window of Compromise - 3
DECREASE YOUR
WINDOW OF COMPROMISE
When an environment isn’t actively monitored, breaches
are more likely to go undetected for longer periods of
time. As such, an ounce of protection really is worth more
than a pound of cure. The sooner a breach is detected, the
less damage an attacker can do to a business. The goal of
each business should be to create and practice the neces-
sary procedures to protect against and warn of abnormal
behavior in an environment.
LOGGING/AUDIT TRAILS
AND SUSPICIOUS ACTIVITY
From a forensic point of view, logs and audit trails are
crucial to proving how, or if an organization was compro-
mised. Keeping track of critical actions (e.g., access to files,
login attempts, etc.) can help identify key elements of an
attack. Logs can track actions to an individual user and can
help determine suspicious activity. Assigning unique user
identification also helps create an atmosphere of account-
ability and can help deter internal system abuse.
Once suspicious activity has been defined within an envi-
ronment, intrusion detection systems (IDS) and intrusion
prevention systems (IPS) can be configured to give notifi-
cation of suspicious activity that might indicate an attack.
Change detection programs, like file integrity monitoring
(FIM) are especially useful for ecommerce environments
because they track the original state of a file and report
any changes, such as when an attacker hides malware
within an otherwise legitimate file or application.
WINDOW OF COMPROMISE DATA
0
200
400
600
800
1000
Averagenumberofdays
Vulnerable Cardholder data
was captured
Data was exfiltrated
2013
2014
Window of Compromise - 4
Sadly, in a few instances, SecurityMetrics Forensic Inves-
tigators have discovered that the investigated merchant
previously knew of the vulnerabilities that led to a breach.
However, the merchant did not give sufficient priority to
enhancing their IT security by spending the necessary
time and money to correct it as soon as the weakness
was identified. In the end, the merchant paid for the cost
of a mandated forensic investigation, fines from their
bank, fees from credit card issuers and card brands, as
well as paying to bring their IT security up to par. Their
failure to correct the weak link in their system when they
first learned of it cost them vastly more than if they had
made a proactive correction.
SECURITY TESTING
The two major types of vulnerability testing that should
be performed to reduce the window of compromise are
penetration testing and vulnerability scans.
In the case of custom, in-house applications, code testing
and independent internal penetration testing can expose
many of the weaknesses commonly found in application
code (especially the home-grown varieties) and is the
best first line of defense in identifying vulnerabilities
before the application is put into use. Having code and
function tested by objective third parties helps find vul-
nerabilities that otherwise might have been missed.
Vulnerability scans are automated, affordable, high-level
tests that identify certain weaknesses in network struc-
tures. Robust vulnerability scans can identify more than
50,000 unique external weaknesses. In addition to locating
and reporting vulnerabilities, typical vulnerability scans
also encourage a recurring and reliable process for repair-
ing discovered problems. After a scan completes, the need
to repair located vulnerabilities goes without saying.
DocumentsDocuments
Window of Compromise - 5
SECURITY POLICY AND
EMPLOYEE TRAINING
One pitfall, of even the most protected environment,
involves the introduction of malicious content by human
error. Activities as simple as employee email access or
unauthorized Internet browsing can allow paths to and
from untrusted networks.
Merchants often inadvertently introduce malware into
their systems through email attachments, downloads, or
USB drives by simply opening them; unaware of the threat
they just allowed into their system. Creating, instructing
on, and enforcing a sound security policy is the best way
to secure an environment from employee error that could
negate the effectiveness of security measures that might
already be in place.
RISK-ASSESSMENT AND MANAGEMENT:
VULNERABILITY VS. EXPLOITABILITY
Creating a vulnerability management plan is central to
decreasing the window of compromise. This process
will help identify, classify, remediate, and lessen future
instances of vulnerabilities.
However, just because a system is vulnerable does not
mean it is exploitable, or even likely to be exploited. Some
vulnerabilities may require such a large number of pre-
conditions that the chance of a successful attack occur-
ring is virtually none. Identifying (per the guidelines of PCI
DSS Requirement 6) the differing levels of exploitability
should help an organization prioritize the actions they will
take in enhancing their IT security based on each vulnera-
bility’s perceived threat and risk level.
“No matter the advances in security technology and re-
gardless of increased government cyber security initia-
tives and regulations, attackers are not going to abandon
their pursuit for unprotected payment card data.”
–David Ellis, SecurityMetrics Director of Forensic Investigations
Window of Compromise - 6
TAKEAWAYS
EARLY DETECTION AND
CONTINUAL PROTECTION
Carefully tracking and managing an environment will help
with early detection of a breach and has the potential to
decrease the window of compromise and thereby mitigate
damage caused to your environment. To decrease your
window of compromise, make sure to:
•	 Perform security testing on environments to identify
vulnerabilities.
•	 Develop well-crafted IT security policies to ensure
all employees are aware of their responsibilities with
respect to the security policy.
•	 Practice a process to address security vulnerabilities
by order of importance.
•	 Take the time to maintain detailed logs that can be
tracked back to individual users to help identify suspi-
cious activity.
•	 Once you’ve collected logs, regularly review them
and configure IDS/IPS and FIM to help keep watch
over your environment.
Remember, if you are actively meeting the Payment
Card Industry Data Security Standard requirements
you will already be implementing these important
security measures.
Window of Compromise - 7
ABOUT SECURITYMETRICS
SecurityMetrics has tested over one million payment systems for
data security and compliance mandates. Its solutions combine
innovative technology that streamlines validation with the personal
support you need to fully understand compliance requirements.
You focus on the business stuff—we’ve got compliance covered.
For questions about your PCI DSS compliance situation, please
contact SecurityMetrics:
CONSULTING@SECURITYMETRICS.COM OR 801.705.5656

More Related Content

What's hot

Proactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider ThreatProactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider Threat
Andrew Case
 
SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response Plan
Thomas Christopher Ty
 
SME Cyber Insurance
SME Cyber Insurance SME Cyber Insurance
SME Cyber Insurance
Netpluz Asia Pte Ltd
 
VAPT Infomagnum
VAPT InfomagnumVAPT Infomagnum
VAPT Infomagnum
ARUN REDDY M
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
IBM Security
 
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012   what happens in vegas goes on youtube using social networks...Rothke rsa 2012   what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Ben Rothke
 
Data Security in Healthcare
Data Security in HealthcareData Security in Healthcare
Data Security in Healthcare
Quick Heal Technologies Ltd.
 
Network Security of Data Protection
Network Security of Data ProtectionNetwork Security of Data Protection
Network Security of Data Protection
UthsoNandy
 
Why Insider Threat is a C-Level Priority
Why Insider Threat is a C-Level PriorityWhy Insider Threat is a C-Level Priority
Why Insider Threat is a C-Level Priority
David Mai, MBA
 
Getting ahead of compromise
Getting ahead of compromiseGetting ahead of compromise
Getting ahead of compromise
CMR WORLD TECH
 
You will be breached
You will be breachedYou will be breached
You will be breached
Mike Saunders
 
Unintentional Insider Threat featuring Dr. Eric Cole
Unintentional Insider Threat featuring Dr. Eric ColeUnintentional Insider Threat featuring Dr. Eric Cole
Unintentional Insider Threat featuring Dr. Eric Cole
David Mai, MBA
 
Cybersecurity a short business guide
Cybersecurity   a short business guideCybersecurity   a short business guide
Cybersecurity a short business guide
larry1401
 
APT & What we can do TODAY
APT & What we can do TODAYAPT & What we can do TODAY
APT & What we can do TODAY
James Ryan, CSyP, EA, PMP
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-bad
banerjeea
 
Information security
Information securityInformation security
Information security
Onkar Sule
 
Making Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software DevelopmentMaking Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software Development
ConSanFrancisco123
 
Aon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation StrategiesAon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation Strategies
CSNP
 
Netpluz Managed SOC - MSS Service
Netpluz Managed SOC - MSS Service Netpluz Managed SOC - MSS Service
Netpluz Managed SOC - MSS Service
Netpluz Asia Pte Ltd
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident response
Brian Honan
 

What's hot (20)

Proactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider ThreatProactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider Threat
 
SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response Plan
 
SME Cyber Insurance
SME Cyber Insurance SME Cyber Insurance
SME Cyber Insurance
 
VAPT Infomagnum
VAPT InfomagnumVAPT Infomagnum
VAPT Infomagnum
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
 
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012   what happens in vegas goes on youtube using social networks...Rothke rsa 2012   what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
 
Data Security in Healthcare
Data Security in HealthcareData Security in Healthcare
Data Security in Healthcare
 
Network Security of Data Protection
Network Security of Data ProtectionNetwork Security of Data Protection
Network Security of Data Protection
 
Why Insider Threat is a C-Level Priority
Why Insider Threat is a C-Level PriorityWhy Insider Threat is a C-Level Priority
Why Insider Threat is a C-Level Priority
 
Getting ahead of compromise
Getting ahead of compromiseGetting ahead of compromise
Getting ahead of compromise
 
You will be breached
You will be breachedYou will be breached
You will be breached
 
Unintentional Insider Threat featuring Dr. Eric Cole
Unintentional Insider Threat featuring Dr. Eric ColeUnintentional Insider Threat featuring Dr. Eric Cole
Unintentional Insider Threat featuring Dr. Eric Cole
 
Cybersecurity a short business guide
Cybersecurity   a short business guideCybersecurity   a short business guide
Cybersecurity a short business guide
 
APT & What we can do TODAY
APT & What we can do TODAYAPT & What we can do TODAY
APT & What we can do TODAY
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-bad
 
Information security
Information securityInformation security
Information security
 
Making Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software DevelopmentMaking Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software Development
 
Aon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation StrategiesAon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation Strategies
 
Netpluz Managed SOC - MSS Service
Netpluz Managed SOC - MSS Service Netpluz Managed SOC - MSS Service
Netpluz Managed SOC - MSS Service
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident response
 

Viewers also liked

Conflict and Compromise in History
Conflict and Compromise in HistoryConflict and Compromise in History
Conflict and Compromise in History
jonathankettel
 
How to write effectively about encountering conflict
How to write effectively about encountering conflictHow to write effectively about encountering conflict
How to write effectively about encountering conflict
jpinnuck
 
Phenomenology: What is it and where does it fit? - Dave Aldridge
Phenomenology: What is it and where does it fit? - Dave AldridgePhenomenology: What is it and where does it fit? - Dave Aldridge
Phenomenology: What is it and where does it fit? - Dave Aldridge
The Higher Education Academy
 
Compromise Of 1850
Compromise Of 1850Compromise Of 1850
Compromise Of 1850
eben_cooke
 
Conflict management
Conflict managementConflict management
Conflict management
Frank Calberg
 
Phenomenology
PhenomenologyPhenomenology
Phenomenology
Dr. Cupid Lucid
 

Viewers also liked (6)

Conflict and Compromise in History
Conflict and Compromise in HistoryConflict and Compromise in History
Conflict and Compromise in History
 
How to write effectively about encountering conflict
How to write effectively about encountering conflictHow to write effectively about encountering conflict
How to write effectively about encountering conflict
 
Phenomenology: What is it and where does it fit? - Dave Aldridge
Phenomenology: What is it and where does it fit? - Dave AldridgePhenomenology: What is it and where does it fit? - Dave Aldridge
Phenomenology: What is it and where does it fit? - Dave Aldridge
 
Compromise Of 1850
Compromise Of 1850Compromise Of 1850
Compromise Of 1850
 
Conflict management
Conflict managementConflict management
Conflict management
 
Phenomenology
PhenomenologyPhenomenology
Phenomenology
 

Similar to Window of Compromise

What's behind a cyber attack
What's behind a cyber attackWhat's behind a cyber attack
What's behind a cyber attack
Andreanne Clarke
 
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
CyberPro Magazine
 
The challenges of Retail Security
The challenges of Retail SecurityThe challenges of Retail Security
The challenges of Retail Security
IBM Software India
 
IBM X-Force.PDF
IBM X-Force.PDFIBM X-Force.PDF
IBM X-Force.PDF
Ban Selvakumar
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-Force
Patrick Bouillaud
 
cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015
Paul Ferrillo
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141
sraina2
 
SMS Security Unleashed: Your Toolkit for Bulletproof Fraud Detection!
SMS Security Unleashed: Your Toolkit for Bulletproof Fraud Detection!SMS Security Unleashed: Your Toolkit for Bulletproof Fraud Detection!
SMS Security Unleashed: Your Toolkit for Bulletproof Fraud Detection!
SecurityGen1
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
GFI Software
 
IT Executive Guide to Security Intelligence
IT Executive Guide to Security IntelligenceIT Executive Guide to Security Intelligence
IT Executive Guide to Security Intelligence
thinkASG
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
DMIMarketing
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and risk
EY
 
Take back your security infrastructure
Take back your security infrastructureTake back your security infrastructure
Take back your security infrastructure
Anton Chuvakin
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
Mohan Jadhav
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management
DMIMarketing
 
Enhanced method for intrusion detection over kdd cup 99 dataset
Enhanced method for intrusion detection over kdd cup 99 datasetEnhanced method for intrusion detection over kdd cup 99 dataset
Enhanced method for intrusion detection over kdd cup 99 dataset
ijctet
 
Denis Hackett M.Sc. - IDC Presentation Sept 2014 Croke Park Sept25 - Denis Ha...
Denis Hackett M.Sc. - IDC Presentation Sept 2014 Croke Park Sept25 - Denis Ha...Denis Hackett M.Sc. - IDC Presentation Sept 2014 Croke Park Sept25 - Denis Ha...
Denis Hackett M.Sc. - IDC Presentation Sept 2014 Croke Park Sept25 - Denis Ha...
Education & Training Boards
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting Reputations
Cognizant
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants
- Mark - Fullbright
 

Similar to Window of Compromise (20)

What's behind a cyber attack
What's behind a cyber attackWhat's behind a cyber attack
What's behind a cyber attack
 
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
 
The challenges of Retail Security
The challenges of Retail SecurityThe challenges of Retail Security
The challenges of Retail Security
 
IBM X-Force.PDF
IBM X-Force.PDFIBM X-Force.PDF
IBM X-Force.PDF
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-Force
 
cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141
 
SMS Security Unleashed: Your Toolkit for Bulletproof Fraud Detection!
SMS Security Unleashed: Your Toolkit for Bulletproof Fraud Detection!SMS Security Unleashed: Your Toolkit for Bulletproof Fraud Detection!
SMS Security Unleashed: Your Toolkit for Bulletproof Fraud Detection!
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
IT Executive Guide to Security Intelligence
IT Executive Guide to Security IntelligenceIT Executive Guide to Security Intelligence
IT Executive Guide to Security Intelligence
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and risk
 
Take back your security infrastructure
Take back your security infrastructureTake back your security infrastructure
Take back your security infrastructure
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management
 
Enhanced method for intrusion detection over kdd cup 99 dataset
Enhanced method for intrusion detection over kdd cup 99 datasetEnhanced method for intrusion detection over kdd cup 99 dataset
Enhanced method for intrusion detection over kdd cup 99 dataset
 
Denis Hackett M.Sc. - IDC Presentation Sept 2014 Croke Park Sept25 - Denis Ha...
Denis Hackett M.Sc. - IDC Presentation Sept 2014 Croke Park Sept25 - Denis Ha...Denis Hackett M.Sc. - IDC Presentation Sept 2014 Croke Park Sept25 - Denis Ha...
Denis Hackett M.Sc. - IDC Presentation Sept 2014 Croke Park Sept25 - Denis Ha...
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting Reputations
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants
 

More from SecurityMetrics

Hipaa Reality Check
Hipaa Reality CheckHipaa Reality Check
Hipaa Reality Check
SecurityMetrics
 
Understanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementUnderstanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping Supplement
SecurityMetrics
 
How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach
SecurityMetrics
 
How to Secure Your Medical Devices
How to Secure Your Medical DevicesHow to Secure Your Medical Devices
How to Secure Your Medical Devices
SecurityMetrics
 
How to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditHow to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS Audit
SecurityMetrics
 
Medical Data Encryption 101
Medical Data Encryption 101Medical Data Encryption 101
Medical Data Encryption 101
SecurityMetrics
 
Securing Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecuring Your Remote Access Desktop Connection
Securing Your Remote Access Desktop Connection
SecurityMetrics
 
HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored? HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored?
SecurityMetrics
 
The 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk AnalysisThe 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk Analysis
SecurityMetrics
 
5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit
SecurityMetrics
 
Don't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your EmpolyeesDon't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your Empolyees
SecurityMetrics
 
What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards? What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards?
SecurityMetrics
 
5 Steps to Manage a Data Breach
5 Steps to Manage a Data Breach5 Steps to Manage a Data Breach
5 Steps to Manage a Data Breach
SecurityMetrics
 
Auditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing FranchiseeAuditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing Franchisee
SecurityMetrics
 
Auditing Archives: The Case of the Evil Java Script
Auditing Archives: The Case of the Evil Java ScriptAuditing Archives: The Case of the Evil Java Script
Auditing Archives: The Case of the Evil Java Script
SecurityMetrics
 
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk ClerkAuditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
SecurityMetrics
 
The Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless InvestigationThe Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless Investigation
SecurityMetrics
 
The Case of the Mistaken Malware
The Case of the Mistaken MalwareThe Case of the Mistaken Malware
The Case of the Mistaken Malware
SecurityMetrics
 
The Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit CardsThe Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit Cards
SecurityMetrics
 
What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?
SecurityMetrics
 

More from SecurityMetrics (20)

Hipaa Reality Check
Hipaa Reality CheckHipaa Reality Check
Hipaa Reality Check
 
Understanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementUnderstanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping Supplement
 
How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach
 
How to Secure Your Medical Devices
How to Secure Your Medical DevicesHow to Secure Your Medical Devices
How to Secure Your Medical Devices
 
How to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditHow to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS Audit
 
Medical Data Encryption 101
Medical Data Encryption 101Medical Data Encryption 101
Medical Data Encryption 101
 
Securing Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecuring Your Remote Access Desktop Connection
Securing Your Remote Access Desktop Connection
 
HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored? HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored?
 
The 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk AnalysisThe 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk Analysis
 
5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit
 
Don't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your EmpolyeesDon't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your Empolyees
 
What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards? What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards?
 
5 Steps to Manage a Data Breach
5 Steps to Manage a Data Breach5 Steps to Manage a Data Breach
5 Steps to Manage a Data Breach
 
Auditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing FranchiseeAuditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing Franchisee
 
Auditing Archives: The Case of the Evil Java Script
Auditing Archives: The Case of the Evil Java ScriptAuditing Archives: The Case of the Evil Java Script
Auditing Archives: The Case of the Evil Java Script
 
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk ClerkAuditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
 
The Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless InvestigationThe Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless Investigation
 
The Case of the Mistaken Malware
The Case of the Mistaken MalwareThe Case of the Mistaken Malware
The Case of the Mistaken Malware
 
The Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit CardsThe Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit Cards
 
What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?
 

Recently uploaded

Travel Tech Pitch Deck | ByeByeCity,com - Short Breaks Discovery & Booking Pl...
Travel Tech Pitch Deck | ByeByeCity,com - Short Breaks Discovery & Booking Pl...Travel Tech Pitch Deck | ByeByeCity,com - Short Breaks Discovery & Booking Pl...
Travel Tech Pitch Deck | ByeByeCity,com - Short Breaks Discovery & Booking Pl...
Rajesh Math
 
Cryptocurrency KYC Policies: Comparing Binance KYC Bypass with Rivals
Cryptocurrency KYC Policies: Comparing Binance KYC Bypass with RivalsCryptocurrency KYC Policies: Comparing Binance KYC Bypass with Rivals
Cryptocurrency KYC Policies: Comparing Binance KYC Bypass with Rivals
Any kyc Account
 
Entrepreneurial mindset: An Introduction to Entrepreneurship
Entrepreneurial mindset: An Introduction to EntrepreneurshipEntrepreneurial mindset: An Introduction to Entrepreneurship
Entrepreneurial mindset: An Introduction to Entrepreneurship
Sanjay Joshi
 
WAM Corporate Presentation July 2024.pdf
WAM Corporate Presentation July 2024.pdfWAM Corporate Presentation July 2024.pdf
WAM Corporate Presentation July 2024.pdf
Western Alaska Minerals Corp.
 
Innovation Hub_ Spotlight on Toms River's Role as a Beacon for Entrepreneuria...
Innovation Hub_ Spotlight on Toms River's Role as a Beacon for Entrepreneuria...Innovation Hub_ Spotlight on Toms River's Role as a Beacon for Entrepreneuria...
Innovation Hub_ Spotlight on Toms River's Role as a Beacon for Entrepreneuria...
Philip M Caputo
 
Girls Call Kharghar 9910780858 Provide Best And Top Girl Service And No1 in City
Girls Call Kharghar 9910780858 Provide Best And Top Girl Service And No1 in CityGirls Call Kharghar 9910780858 Provide Best And Top Girl Service And No1 in City
Girls Call Kharghar 9910780858 Provide Best And Top Girl Service And No1 in City
maigasapphire
 
Pricing sophistication - auto insurance telematics
Pricing sophistication - auto insurance telematicsPricing sophistication - auto insurance telematics
Pricing sophistication - auto insurance telematics
Matteo Carbone
 
Discover who your target audience is and reach them
Discover who your target audience is and reach themDiscover who your target audience is and reach them
Discover who your target audience is and reach them
Quibble
 
The-Three-Pillars-of-Doctoral-Research-What-Why-and-How (1).pptx
The-Three-Pillars-of-Doctoral-Research-What-Why-and-How (1).pptxThe-Three-Pillars-of-Doctoral-Research-What-Why-and-How (1).pptx
The-Three-Pillars-of-Doctoral-Research-What-Why-and-How (1).pptx
Jindal Global University, Sonipat Haryana 131001
 
AI at Work​ The demystification of AI and real-world stories on how to apply ...
AI at Work​ The demystification of AI and real-world stories on how to apply ...AI at Work​ The demystification of AI and real-world stories on how to apply ...
AI at Work​ The demystification of AI and real-world stories on how to apply ...
Auxis Consulting & Outsourcing
 
NewBase 05 July 2024 Energy News issue - 1736 by Khaled Al Awadi_compresse...
NewBase   05 July 2024  Energy News issue - 1736 by Khaled Al Awadi_compresse...NewBase   05 July 2024  Energy News issue - 1736 by Khaled Al Awadi_compresse...
NewBase 05 July 2024 Energy News issue - 1736 by Khaled Al Awadi_compresse...
Khaled Al Awadi
 
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
Aggregage
 
1234567891011121314151617181920212223242
12345678910111213141516171819202122232421234567891011121314151617181920212223242
1234567891011121314151617181920212223242
fauzanal343
 
Christmas Decorations_ A Guide to Small Christmas Trees, Candle Centerpieces,...
Christmas Decorations_ A Guide to Small Christmas Trees, Candle Centerpieces,...Christmas Decorations_ A Guide to Small Christmas Trees, Candle Centerpieces,...
Christmas Decorations_ A Guide to Small Christmas Trees, Candle Centerpieces,...
Lynch Creek Farm
 
High Profile Girls Call Bhubaneswar 🎈🔥000XX00000 🔥💋🎈 Provide Best And Top Gir...
High Profile Girls Call Bhubaneswar 🎈🔥000XX00000 🔥💋🎈 Provide Best And Top Gir...High Profile Girls Call Bhubaneswar 🎈🔥000XX00000 🔥💋🎈 Provide Best And Top Gir...
High Profile Girls Call Bhubaneswar 🎈🔥000XX00000 🔥💋🎈 Provide Best And Top Gir...
dimplekumaridk322
 
A STUDY OF MUTUAL FUND OF BANK OF INDIA .pdf
A STUDY OF MUTUAL FUND  OF BANK OF INDIA .pdfA STUDY OF MUTUAL FUND  OF BANK OF INDIA .pdf
A STUDY OF MUTUAL FUND OF BANK OF INDIA .pdf
rsonics22
 
KineMaster Diamond APK v7.3.11.32200 (4K HD, No Watermark)
KineMaster Diamond APK v7.3.11.32200 (4K HD, No Watermark)KineMaster Diamond APK v7.3.11.32200 (4K HD, No Watermark)
KineMaster Diamond APK v7.3.11.32200 (4K HD, No Watermark)
APKs Pure
 
TALENT ACQUISITION AND MANAGEMENT LECTURE 5
TALENT ACQUISITION AND MANAGEMENT LECTURE 5TALENT ACQUISITION AND MANAGEMENT LECTURE 5
TALENT ACQUISITION AND MANAGEMENT LECTURE 5
projectseasy
 
Growth Buyouts - The Dawn of the GBO (Slow Ventures)
Growth Buyouts - The  Dawn of the GBO (Slow Ventures)Growth Buyouts - The  Dawn of the GBO (Slow Ventures)
Growth Buyouts - The Dawn of the GBO (Slow Ventures)
Razin Mustafiz
 
United Kingdom's Real Estate Mogul: Newman George Leech's Impact on the Swiss...
United Kingdom's Real Estate Mogul: Newman George Leech's Impact on the Swiss...United Kingdom's Real Estate Mogul: Newman George Leech's Impact on the Swiss...
United Kingdom's Real Estate Mogul: Newman George Leech's Impact on the Swiss...
Newman George Leech
 

Recently uploaded (20)

Travel Tech Pitch Deck | ByeByeCity,com - Short Breaks Discovery & Booking Pl...
Travel Tech Pitch Deck | ByeByeCity,com - Short Breaks Discovery & Booking Pl...Travel Tech Pitch Deck | ByeByeCity,com - Short Breaks Discovery & Booking Pl...
Travel Tech Pitch Deck | ByeByeCity,com - Short Breaks Discovery & Booking Pl...
 
Cryptocurrency KYC Policies: Comparing Binance KYC Bypass with Rivals
Cryptocurrency KYC Policies: Comparing Binance KYC Bypass with RivalsCryptocurrency KYC Policies: Comparing Binance KYC Bypass with Rivals
Cryptocurrency KYC Policies: Comparing Binance KYC Bypass with Rivals
 
Entrepreneurial mindset: An Introduction to Entrepreneurship
Entrepreneurial mindset: An Introduction to EntrepreneurshipEntrepreneurial mindset: An Introduction to Entrepreneurship
Entrepreneurial mindset: An Introduction to Entrepreneurship
 
WAM Corporate Presentation July 2024.pdf
WAM Corporate Presentation July 2024.pdfWAM Corporate Presentation July 2024.pdf
WAM Corporate Presentation July 2024.pdf
 
Innovation Hub_ Spotlight on Toms River's Role as a Beacon for Entrepreneuria...
Innovation Hub_ Spotlight on Toms River's Role as a Beacon for Entrepreneuria...Innovation Hub_ Spotlight on Toms River's Role as a Beacon for Entrepreneuria...
Innovation Hub_ Spotlight on Toms River's Role as a Beacon for Entrepreneuria...
 
Girls Call Kharghar 9910780858 Provide Best And Top Girl Service And No1 in City
Girls Call Kharghar 9910780858 Provide Best And Top Girl Service And No1 in CityGirls Call Kharghar 9910780858 Provide Best And Top Girl Service And No1 in City
Girls Call Kharghar 9910780858 Provide Best And Top Girl Service And No1 in City
 
Pricing sophistication - auto insurance telematics
Pricing sophistication - auto insurance telematicsPricing sophistication - auto insurance telematics
Pricing sophistication - auto insurance telematics
 
Discover who your target audience is and reach them
Discover who your target audience is and reach themDiscover who your target audience is and reach them
Discover who your target audience is and reach them
 
The-Three-Pillars-of-Doctoral-Research-What-Why-and-How (1).pptx
The-Three-Pillars-of-Doctoral-Research-What-Why-and-How (1).pptxThe-Three-Pillars-of-Doctoral-Research-What-Why-and-How (1).pptx
The-Three-Pillars-of-Doctoral-Research-What-Why-and-How (1).pptx
 
AI at Work​ The demystification of AI and real-world stories on how to apply ...
AI at Work​ The demystification of AI and real-world stories on how to apply ...AI at Work​ The demystification of AI and real-world stories on how to apply ...
AI at Work​ The demystification of AI and real-world stories on how to apply ...
 
NewBase 05 July 2024 Energy News issue - 1736 by Khaled Al Awadi_compresse...
NewBase   05 July 2024  Energy News issue - 1736 by Khaled Al Awadi_compresse...NewBase   05 July 2024  Energy News issue - 1736 by Khaled Al Awadi_compresse...
NewBase 05 July 2024 Energy News issue - 1736 by Khaled Al Awadi_compresse...
 
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
 
1234567891011121314151617181920212223242
12345678910111213141516171819202122232421234567891011121314151617181920212223242
1234567891011121314151617181920212223242
 
Christmas Decorations_ A Guide to Small Christmas Trees, Candle Centerpieces,...
Christmas Decorations_ A Guide to Small Christmas Trees, Candle Centerpieces,...Christmas Decorations_ A Guide to Small Christmas Trees, Candle Centerpieces,...
Christmas Decorations_ A Guide to Small Christmas Trees, Candle Centerpieces,...
 
High Profile Girls Call Bhubaneswar 🎈🔥000XX00000 🔥💋🎈 Provide Best And Top Gir...
High Profile Girls Call Bhubaneswar 🎈🔥000XX00000 🔥💋🎈 Provide Best And Top Gir...High Profile Girls Call Bhubaneswar 🎈🔥000XX00000 🔥💋🎈 Provide Best And Top Gir...
High Profile Girls Call Bhubaneswar 🎈🔥000XX00000 🔥💋🎈 Provide Best And Top Gir...
 
A STUDY OF MUTUAL FUND OF BANK OF INDIA .pdf
A STUDY OF MUTUAL FUND  OF BANK OF INDIA .pdfA STUDY OF MUTUAL FUND  OF BANK OF INDIA .pdf
A STUDY OF MUTUAL FUND OF BANK OF INDIA .pdf
 
KineMaster Diamond APK v7.3.11.32200 (4K HD, No Watermark)
KineMaster Diamond APK v7.3.11.32200 (4K HD, No Watermark)KineMaster Diamond APK v7.3.11.32200 (4K HD, No Watermark)
KineMaster Diamond APK v7.3.11.32200 (4K HD, No Watermark)
 
TALENT ACQUISITION AND MANAGEMENT LECTURE 5
TALENT ACQUISITION AND MANAGEMENT LECTURE 5TALENT ACQUISITION AND MANAGEMENT LECTURE 5
TALENT ACQUISITION AND MANAGEMENT LECTURE 5
 
Growth Buyouts - The Dawn of the GBO (Slow Ventures)
Growth Buyouts - The  Dawn of the GBO (Slow Ventures)Growth Buyouts - The  Dawn of the GBO (Slow Ventures)
Growth Buyouts - The Dawn of the GBO (Slow Ventures)
 
United Kingdom's Real Estate Mogul: Newman George Leech's Impact on the Swiss...
United Kingdom's Real Estate Mogul: Newman George Leech's Impact on the Swiss...United Kingdom's Real Estate Mogul: Newman George Leech's Impact on the Swiss...
United Kingdom's Real Estate Mogul: Newman George Leech's Impact on the Swiss...
 

Window of Compromise

  • 1. WINDOW OF COMPROMISE White Paper Limit damage caused to your cardholder data environment © 2015 SecurityMetrics
  • 2. Window of Compromise - 1 CYBER ATTACK PROCESS The cyber attack process is simple. First, the business has a vulnerability, a flaw or weakness that can be exploited. Second, the attacker exploits the vulnerability and accesses the system. Third, the attacker sets up a way to capture cardholder data. Finally, the attacker exfiltrates the data for illegal use. Decreasing the window of compromise time decreases the amount of cardholder data captured and exfiltrated, hope- fully avoiding compromise all together. In recent years data breaches have been highly publicized, especially with so many big brands involved. However, data breaches were by no means limited to the well-publicized large industries. In fact, the Ponemon Institute reported that 43% of all US companies experienced a data breach of some sort in the past year. Based on 2014 data collected by SecurityMet- rics Forensic Investigators, the average breached merchant was vulnerable for 618 days. That’s a lot of time for attackers to find vulnerabilities and exploit them to their benefit. Nearly every business in America is going to experience cyber attacks from a variety of sources. Many merchants are vulnerable (meaning there is a system, environment, software, or website weakness that can be exploited by at- tackers) from the day their environment was set up. In other cases, a merchant becomes vulnerable because they fail to apply a security patch or update, or they make modifications to their systems without also properly updating related security protocols. On average, it took 470 days from a time the merchant had a vulnerability in their environment, to the time an attacker was able to compromise the system (the beginning of the window of compromise). Attackers were then able to capture cardholder data for an average of 176 days. That is plenty of time for an attacker to damage your brand. WINDOW OF COMPROMISE LIMIT DAMAGE CAUSED TO YOUR CARDHOLDER DATA ENVIRONMENT When we refer to the window of compromise, it starts from the date an intruder accesses a business network and ends when the breach is contained by some act of security remediation on part of the merchant.
  • 3. Window of Compromise - 2 HACKER TRENDS: CARD DATA AGGREGATION The seemingly high number of days that card data was compromised in 2014 (average 176 days) may be attributed to an aggregation method often employed by card data thieves. The aggregation method prevents card brands from flagging Common Points of Purchase (CPP, a method used by card brands and banks to identify potential mali- cious account activity) too early, which would expose the data breach much sooner, thus bringing a quicker end to the card data loss and greatly limiting the use of stolen credit card accounts. Attackers have been known to aggregate card data from scraping or other tools without using or sell- ing the data for four to six months (after six months, some payment card data begins expiring).
  • 4. Window of Compromise - 3 DECREASE YOUR WINDOW OF COMPROMISE When an environment isn’t actively monitored, breaches are more likely to go undetected for longer periods of time. As such, an ounce of protection really is worth more than a pound of cure. The sooner a breach is detected, the less damage an attacker can do to a business. The goal of each business should be to create and practice the neces- sary procedures to protect against and warn of abnormal behavior in an environment. LOGGING/AUDIT TRAILS AND SUSPICIOUS ACTIVITY From a forensic point of view, logs and audit trails are crucial to proving how, or if an organization was compro- mised. Keeping track of critical actions (e.g., access to files, login attempts, etc.) can help identify key elements of an attack. Logs can track actions to an individual user and can help determine suspicious activity. Assigning unique user identification also helps create an atmosphere of account- ability and can help deter internal system abuse. Once suspicious activity has been defined within an envi- ronment, intrusion detection systems (IDS) and intrusion prevention systems (IPS) can be configured to give notifi- cation of suspicious activity that might indicate an attack. Change detection programs, like file integrity monitoring (FIM) are especially useful for ecommerce environments because they track the original state of a file and report any changes, such as when an attacker hides malware within an otherwise legitimate file or application. WINDOW OF COMPROMISE DATA 0 200 400 600 800 1000 Averagenumberofdays Vulnerable Cardholder data was captured Data was exfiltrated 2013 2014
  • 5. Window of Compromise - 4 Sadly, in a few instances, SecurityMetrics Forensic Inves- tigators have discovered that the investigated merchant previously knew of the vulnerabilities that led to a breach. However, the merchant did not give sufficient priority to enhancing their IT security by spending the necessary time and money to correct it as soon as the weakness was identified. In the end, the merchant paid for the cost of a mandated forensic investigation, fines from their bank, fees from credit card issuers and card brands, as well as paying to bring their IT security up to par. Their failure to correct the weak link in their system when they first learned of it cost them vastly more than if they had made a proactive correction. SECURITY TESTING The two major types of vulnerability testing that should be performed to reduce the window of compromise are penetration testing and vulnerability scans. In the case of custom, in-house applications, code testing and independent internal penetration testing can expose many of the weaknesses commonly found in application code (especially the home-grown varieties) and is the best first line of defense in identifying vulnerabilities before the application is put into use. Having code and function tested by objective third parties helps find vul- nerabilities that otherwise might have been missed. Vulnerability scans are automated, affordable, high-level tests that identify certain weaknesses in network struc- tures. Robust vulnerability scans can identify more than 50,000 unique external weaknesses. In addition to locating and reporting vulnerabilities, typical vulnerability scans also encourage a recurring and reliable process for repair- ing discovered problems. After a scan completes, the need to repair located vulnerabilities goes without saying. DocumentsDocuments
  • 6. Window of Compromise - 5 SECURITY POLICY AND EMPLOYEE TRAINING One pitfall, of even the most protected environment, involves the introduction of malicious content by human error. Activities as simple as employee email access or unauthorized Internet browsing can allow paths to and from untrusted networks. Merchants often inadvertently introduce malware into their systems through email attachments, downloads, or USB drives by simply opening them; unaware of the threat they just allowed into their system. Creating, instructing on, and enforcing a sound security policy is the best way to secure an environment from employee error that could negate the effectiveness of security measures that might already be in place. RISK-ASSESSMENT AND MANAGEMENT: VULNERABILITY VS. EXPLOITABILITY Creating a vulnerability management plan is central to decreasing the window of compromise. This process will help identify, classify, remediate, and lessen future instances of vulnerabilities. However, just because a system is vulnerable does not mean it is exploitable, or even likely to be exploited. Some vulnerabilities may require such a large number of pre- conditions that the chance of a successful attack occur- ring is virtually none. Identifying (per the guidelines of PCI DSS Requirement 6) the differing levels of exploitability should help an organization prioritize the actions they will take in enhancing their IT security based on each vulnera- bility’s perceived threat and risk level. “No matter the advances in security technology and re- gardless of increased government cyber security initia- tives and regulations, attackers are not going to abandon their pursuit for unprotected payment card data.” –David Ellis, SecurityMetrics Director of Forensic Investigations
  • 7. Window of Compromise - 6 TAKEAWAYS EARLY DETECTION AND CONTINUAL PROTECTION Carefully tracking and managing an environment will help with early detection of a breach and has the potential to decrease the window of compromise and thereby mitigate damage caused to your environment. To decrease your window of compromise, make sure to: • Perform security testing on environments to identify vulnerabilities. • Develop well-crafted IT security policies to ensure all employees are aware of their responsibilities with respect to the security policy. • Practice a process to address security vulnerabilities by order of importance. • Take the time to maintain detailed logs that can be tracked back to individual users to help identify suspi- cious activity. • Once you’ve collected logs, regularly review them and configure IDS/IPS and FIM to help keep watch over your environment. Remember, if you are actively meeting the Payment Card Industry Data Security Standard requirements you will already be implementing these important security measures.
  • 8. Window of Compromise - 7 ABOUT SECURITYMETRICS SecurityMetrics has tested over one million payment systems for data security and compliance mandates. Its solutions combine innovative technology that streamlines validation with the personal support you need to fully understand compliance requirements. You focus on the business stuff—we’ve got compliance covered. For questions about your PCI DSS compliance situation, please contact SecurityMetrics: CONSULTING@SECURITYMETRICS.COM OR 801.705.5656