As we ring in the New Year, I think it’s important to take a moment to reflect upon and analyze some of the changes in the latest version of the Payment Card Industry Data Security Standard, commonly referred to as PCI DSS. Version 3.0 is now effective, and although Version 2.0 remains valid until December 31, 2014, organizations that need to remain compliant with the standard should take notice of the changes now, because adopting them early reduces their risk exposure.
The changes outlined below require organizations that handle sensitive cardholder data to strengthen how they govern access to that data. As before, PCI DSS wants to know how access to sensitive data is granted and changed; PCI DSS 3.0 additionally requires logging of changes to identification and authentication mechanisms, and of all changes made to accounts with elevated rights, such as Local Administrators on servers and desktops. In addition, PCI DSS 3.0 makes explicit that the purpose of log review is to identify anomalies or suspicious activity by individuals accessing sensitive data.
PCI DSS Requirement Change
10.2.5 – Enhanced requirement to include changes to identification and authentication mechanisms (including creation of new accounts, elevation of privileges), and all changes, additions and deletions to accounts with root or administrative access.
10.6 – Clarified the intent of log reviews is to identify anomalies or suspicious activity, and provided more guidance about scope of daily log reviews. Also allowed more flexibility for review of security events and critical system logs daily and other logs events periodically, as defined by the entity’s risk management strategy.
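Requirement 10.2.5 says which events must be logged, and 10.6 says the review must look for anomalies rather than just confirm that logs exist. The following is an added example, not code from this post or from any STEALTHbits product, of what a daily 10.2.5 review looks like when it is written down as logic. It assumes a JSON-lines export of Windows Security events; the event IDs (4720 account created, 4726 account deleted, 4732/4733 member added to/removed from a local group, 4724 password reset, 4738 account changed) are the real Windows IDs, while the hosts, users, timestamps, the privileged-group list and the 15-minute "created then elevated" window are constructed assumptions. The review is stateful: it tracks who currently holds administrative group membership so that a password reset on such an account is flagged even though the reset event itself does not mention a group.

```python
import json
from datetime import datetime, timedelta

# Local/domain groups whose membership grants root or administrative access (assumed).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
# Accounts treated as privileged before any membership event has been seen
# (hypothetical built-in local administrator on the sample host).
SEED_PRIVILEGED = {r"POS-SRV01\Administrator"}
# A new account elevated this soon after creation gets a higher severity (assumed window).
QUICK_ELEVATION = timedelta(minutes=15)

# Constructed sample events (JSON lines, as a SIEM export might look). The
# event IDs are the real Windows Security log IDs; hosts and users are made up.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2014-01-06T08:01:12", "event_id": 4720, "subject": r"CORP\jsmith",
     "target": r"CORP\svc_backup", "computer": "POS-SRV01"},
    {"ts": "2014-01-06T08:01:30", "event_id": 4732, "subject": r"CORP\jsmith",
     "member": r"CORP\svc_backup", "group": "Administrators", "computer": "POS-SRV01"},
    {"ts": "2014-01-06T09:15:02", "event_id": 4732, "subject": r"CORP\hr_admin",
     "member": r"CORP\mjohnson", "group": "Remote Desktop Users", "computer": "FIN-FS01"},
    {"ts": "2014-01-06T10:20:45", "event_id": 4724, "subject": r"CORP\helpdesk",
     "target": r"POS-SRV01\Administrator", "computer": "POS-SRV01"},
    {"ts": "2014-01-06T11:00:00", "event_id": 4733, "subject": r"CORP\jsmith",
     "member": r"CORP\svc_backup", "group": "Administrators", "computer": "POS-SRV01"},
    {"ts": "2014-01-06T11:05:00", "event_id": 4724, "subject": r"CORP\helpdesk",
     "target": r"CORP\svc_backup", "computer": "POS-SRV01"},
])


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def review_admin_changes(text):
    """Return the events a 10.2.5-style review should surface.

    Tracks which accounts currently hold privileged group membership so that
    password resets or attribute changes on those accounts are flagged too.
    """
    privileged = set(SEED_PRIVILEGED)
    created_at = {}   # account -> creation time, for the quick-elevation check
    findings = []

    def flag(ev, severity, detail):
        findings.append({"ts": ev["ts"].isoformat(), "event_id": ev["event_id"],
                         "severity": severity, "subject": ev["subject"],
                         "detail": detail})

    for ev in parse_events(text):
        eid = ev["event_id"]
        if eid == 4720:  # user account created: always reportable under 10.2.5
            created_at[ev["target"]] = ev["ts"]
            flag(ev, "medium", f"account {ev['target']} created on {ev['computer']}")
        elif eid == 4726:  # user account deleted
            sev = "high" if ev["target"] in privileged else "medium"
            privileged.discard(ev["target"])
            flag(ev, sev, f"account {ev['target']} deleted on {ev['computer']}")
        elif eid == 4732 and ev["group"] in PRIVILEGED_GROUPS:  # elevation
            member = ev["member"]
            privileged.add(member)
            created = created_at.get(member)
            if created is not None and ev["ts"] - created <= QUICK_ELEVATION:
                secs = int((ev["ts"] - created).total_seconds())
                flag(ev, "high", f"{member} created and added to {ev['group']} within {secs}s")
            else:
                flag(ev, "high", f"{member} added to {ev['group']} on {ev['computer']}")
        elif eid == 4733 and ev["group"] in PRIVILEGED_GROUPS:  # admin rights removed
            privileged.discard(ev["member"])
            flag(ev, "medium", f"{ev['member']} removed from {ev['group']} on {ev['computer']}")
        elif eid in (4724, 4738) and ev["target"] in privileged:
            what = "password reset" if eid == 4724 else "attribute change"
            flag(ev, "high", f"{what} on privileged account {ev['target']}")
    return findings


if __name__ == "__main__":
    for f in review_admin_changes(SAMPLE_EVENTS):
        print(f"{f['ts']} [{f['severity']:<6}] {f['event_id']} {f['subject']}: {f['detail']}")
```

On the sample data the review yields four findings: the service account creation, its elevation to Administrators 18 seconds later (the combination is the interesting part, not either event alone), the password reset on the built-in Administrator, and the later removal from the group. The reset on svc_backup after it has left the Administrators group is deliberately not flagged, and the addition to Remote Desktop Users is ignored because that group is not in the privileged list; whether it should be is a decision the entity's risk management strategy has to make.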
Why it’s important
One of the largest and fastest growing threats to organizations is the rogue Local Administrator: a person whose elevated access rights let them reach, copy or alter data the organization never intended them to touch.
The systems administrator role made international headlines in 2013 because of the Edward Snowden/NSA case. Snowden was an NSA contractor who was able to access extremely sensitive information because of his elevated access rights. Recall that when Snowden was asked how he was able to access the sensitive NSA data, he said, “Anybody in the positions of access with the technical capabilities that I had could, you know, suck out secrets.”
Improper security controls for governing access to sensitive data leave organizations open to these types of security breaches. And the damage caused to brand, reputation, revenue, and in the NSA’s case, national security, can be severe.
Both anomalies in activity patterns and suspicious activity by users in an organization can be the first signs of an Insider Threat Attack.
When Joe Smith from Product Development is accessing the company’s customer sales sheets, and Mary Johnson from Marketing, who has never accessed the Finance file share, is viewing and copying numerous documents to her own desktop, red flags and sirens should be going off, not only in IT, but also in the business.
Not knowing that these scenarios are taking place, or finding out too late, exposes your organization to major risks such as Insider Threat Attacks, which a CSO Online report identifies as the leading cause of security breaches over the last 12 months (CSO Online).
How STEALTHbits can help
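The Mary Johnson scenario reduces to two signals that can be computed from file-activity audit records: a user touching a share that is absent from her own history, and a burst of distinct files inside a short window. The following is an added example, not code from this post or from StealthAUDIT, of that detection logic run over constructed records. It assumes pipe-delimited lines of the form timestamp|user|share|file|operation; the users, shares, file names, the 30-minute window and the ten-file bulk threshold are all made-up assumptions. The baseline is simply the set of shares each user touched in an earlier period, which is what "has never accessed the Finance file share" means operationally.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-activity audit records: timestamp|user|share|file|operation.
# Baseline window: what each user normally touches (made-up users and shares).
BASELINE_LOG = "\n".join([
    r"2013-12-02T09:12:00|CORP\mjohnson|\\MKT-FS01\Marketing|campaign_q1.pptx|READ",
    r"2013-12-03T10:40:00|CORP\mjohnson|\\MKT-FS01\Marketing|brand_guide.pdf|READ",
    r"2013-12-04T15:05:00|CORP\mjohnson|\\MKT-FS01\Marketing|campaign_q1.pptx|WRITE",
    r"2013-12-02T08:30:00|CORP\jsmith|\\ENG-FS01\ProductDev|roadmap.docx|READ",
    r"2013-12-05T16:10:00|CORP\jsmith|\\ENG-FS01\ProductDev|specs_v2.docx|WRITE",
    r"2013-12-03T11:00:00|CORP\afinance|\\FIN-FS01\Finance|budget_00.xlsx|READ",
])

# Review window: Mary (mjohnson) copies twelve distinct Finance files in
# eleven minutes; Joe (jsmith) opens two customer sales sheets; Mary also
# does her usual Marketing work, which must not be flagged.
REVIEW_LOG = "\n".join(
    [rf"2014-01-06T14:{2 + i:02d}:00|CORP\mjohnson|\\FIN-FS01\Finance|budget_{i:02d}.xlsx|COPY"
     for i in range(12)]
    + [r"2014-01-06T09:05:00|CORP\mjohnson|\\MKT-FS01\Marketing|campaign_q2.pptx|READ",
       r"2014-01-06T13:10:00|CORP\jsmith|\\SALES-FS01\CustomerSheets|eastern_region.xlsx|READ",
       r"2014-01-06T13:12:00|CORP\jsmith|\\SALES-FS01\CustomerSheets|western_region.xlsx|READ"]
)


def parse_log(text):
    """Parse the pipe-delimited records into dicts, oldest first."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, share, path, op = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "share": share, "path": path, "op": op})
    return sorted(rows, key=lambda r: r["ts"])


def build_baseline(rows):
    """Map each user to the set of shares they touched in the baseline window."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["user"]].add(r["share"])
    return seen


def find_anomalies(baseline_text, review_text, bulk_threshold=10,
                   window=timedelta(minutes=30)):
    """Flag first-time share access; escalate to high when at least
    `bulk_threshold` distinct files are touched inside `window`."""
    baseline = build_baseline(parse_log(baseline_text))
    new_access = defaultdict(list)
    for r in parse_log(review_text):
        # A user with no baseline at all has every share flagged, by design.
        if r["share"] not in baseline.get(r["user"], set()):
            new_access[(r["user"], r["share"])].append(r)

    findings = []
    for (user, share), evs in new_access.items():
        # Peak number of distinct files touched in any window starting at an event.
        peak = max(len({e["path"] for e in evs[i:] if e["ts"] - start["ts"] <= window})
                   for i, start in enumerate(evs))
        findings.append({
            "user": user, "share": share,
            "first_seen": evs[0]["ts"].isoformat(),
            "distinct_files": len({e["path"] for e in evs}),
            "peak_in_window": peak,
            "severity": "high" if peak >= bulk_threshold else "medium",
        })
    return sorted(findings, key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for f in find_anomalies(BASELINE_LOG, REVIEW_LOG):
        print(f"[{f['severity']:<6}] {f['user']} first touched {f['share']} at "
              f"{f['first_seen']}: {f['distinct_files']} files, "
              f"peak {f['peak_in_window']} in 30 min")
```

Run as-is it reports Joe's two-file visit to the sales sheets as medium and Mary's twelve-file sweep of Finance as high, while her Marketing activity produces nothing. The sliding window matters: a user who legitimately gains a new share and reads one file a day for a month has many distinct files overall but a low peak, and stays at medium.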
The StealthAUDIT Management Platform for Data Access Governance features Local Administrator Auditing & Reporting, which enables organizations to:
- Ensure only the necessary accounts have administrative rights
- Identify ways users can gain administrative access to systems
- Track changes made to administrative access and identify which users are taking advantage of this access
- Review administrative access
- Revoke unnecessary privileges
Watch our Video – Local Administrator Auditing & Reporting
Read our White Paper – Reducing the Security Threat Surface (Best Practices for Controlling Administrative Access)
Request a Free Assessment to find out Who Has Local Admin Access
The StealthAUDIT Management Platform for Data Access Governance features Sensitive Data Discovery and Anomalous Activity Reporting & Auditing so organizations can identify deviations from a user’s normal behavior using file-level activity forensics.
Contact us to see these capabilities first-hand.
I waited to publish this blog post to let more of the Target Corporation data breach unfold. For about a two-week period from late November to mid-December, Target Point of Sale (POS) devices and store credit card information were hacked by cyber criminals. Approximately 40 million payment card numbers were exposed, making it the second-largest data breach in U.S. retail history, behind only the 2007 data breach experienced by TJX Companies Inc. (NBC) What has kept the Target breach front-and-center in the media, and in the general public’s mind, is the fact that cardholder PINs were stolen as well. And although the PINs were encrypted, we learned that doesn’t mean too much in the world of cyber-attacks.
Data breaches have costly effects on any organization. It doesn’t matter whether the attack was perpetrated by an organizational insider or an external individual; the consequences, both monetary and non-monetary (brand reputation, customer loyalty, etc.), are severe. Estimates put the cost of the Target breach well over $600 million. (Reuters)
- CSO Online – http://www.csoonline.com/article/741148/report-indicates-insider-threats-leading-cause-of-data-breaches-in-last-12-months
- NBC – http://www.nbcnews.com/business/target-confirms-encrypted-pins-were-stolen-recent-data-breach-2D11811618
- Reuters – http://www.reuters.com/article/2013/12/20/target-breach-expenses-idUSL2N0JZ03I20131220