Why do you think it is important to talk about PCI and ransomware together?
(Starts at 1:47)
PCI compliance is a standard that companies accepting credit card payments for goods and services are required to adhere to. However, as often as not, companies will deploy and adhere to PCI practices for that specific aspect of their operations, but no further. As explained in the webinar, however, PCI – properly understood – can be used as the basis for improving and tightening security across the different networks within an organization, as a means of reducing the likelihood of becoming the victim of a ransomware attack (or, if you nonetheless do become a victim, at least limiting its severity).
Talking about PCI in the context of a discussion on combating ransomware actually makes a great deal of sense. While PCI is specifically a set of standards and regulations regarding payment security, a broader interpretation is that it can double as a collection of best practices and security controls. The fact that it is a widely known standard makes it easy to adapt – at least in part – to other, non-payment-related security practices as well.
How can businesses that are implementing PCI use this framework to protect themselves against ransomware?
(starts at 3:13)
Using a framework like PCI or HIPAA is a good guideline or starting point when it comes to improving an organization's security across the board. For those that already have a mature security model, it is a good way to look at the checklist and ask some pertinent questions, such as: Are we following everything on the PCI checklist? Should we be doing this across the organization, or just in the part or parts that are required to adhere to PCI guidelines? Should we be using PCI controls (e.g. advanced endpoint security, web filtering, email filtering) for the entire organization, or just for those parts that are required to be PCI compliant?
What would you say are the most obvious and useful aspects of PCI that can be transposed to the everyday corporate environment?
(Starts at 5:38)
Doing so need not be nearly as daunting as it might appear on the surface. Currently, the PCI DSS consists of approximately 360 requirements (PCI 4.0, which is slated to appear in early 2022, may contain more). Applying all of these to an entire business is likely not necessary, however; apply just the ones that make sense in the context of the rest of the business's activities.
A good example for illustrating this point is PCI DSS requirement #5 (the requirement to protect all systems against malware and regularly update anti-virus software or programs). Endpoint security can and should be a priority in all aspects of one's business, not just those that are required to be PCI compliant. Does your endpoint protection plan have advanced ransomware protection features built in? If the product you are using is more than 3-5 years old, then it probably needs an update, because it may not detect the latest forms of ransomware. If you are already doing this for your regular PCI environment, then why not for the rest of the business? Likewise, if you already deploy web and email filtering on the PCI side, in most cases it does not require much extra effort to leverage those controls across your entire network.
Some of the more obvious and useful aspects of PCI that can be transposed to the everyday corporate environment include enhanced training that stresses the human factor involved in PCI practices, as well as in those modelled on PCI. It is important that employee training is mirrored across the organization; otherwise, combating ransomware will remain a hit-and-miss proposition.
Training needs to be continuous and kept up to date without becoming repetitive and boring. Keep in mind as well that some departments will, either by necessity or by common practice, be more vulnerable than others when it comes to employee-enabled security breaches. For example, HR departments would find it hard to do their jobs if they were not able to open files containing resumes and other related attachments.
When deciding on what kind of training to implement, you may want to look at current trends in phishing as a means of determining what the common campaigns are, as these are the sorts of things that can be used to test and train staff. For example, within the past year there have been a lot of Covid-related phishing scams. One way is to model training on typical campaigns that phishers use; however, don't overdo it. Once a year may be too little and once a month may be too much; it depends on the organization.
When it comes to security, there are multiple layers. If attackers get through the first couple of layers, it can cause inconveniences and disruptions of varying degrees. However, if they get through more than that, the level of damage increases. In addition to good endpoint security and phishing protections, policies and procedures that look for anomalies in your system activity are an effective way to detect suspicious behaviour. For example, ransomware will typically attempt to encrypt ALL of your sensitive files in a very short period of time. This is not normal activity, as your staff do not typically do this sort of thing as part of their day-to-day work. Endpoint security blocks people from innocently opening what may be suspicious files until a more senior administrator has had a chance to examine them and determine that they are ok.
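To make the anomaly described above concrete, here is an added example (written for this page, not code from the webinar or any product) of a simple detector that flags a user whose file writes in a sliding window hit many files across several directories; the event format, thresholds and sample events are constructed assumptions.

```python
# Added example: detect the "many files rewritten in a very short time" pattern.
# Event format (timestamp, user, path), thresholds and sample data are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed sliding window length
MAX_WRITES = 20                  # assumed threshold: writes per user inside the window
MIN_DIRS = 3                     # assumed threshold: distinct directories touched

def build_sample_events():
    """Constructed sample data: one normal user and one burst mimicking mass encryption."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    events = []
    # alice: a handful of edits spread over an hour (normal day-to-day activity)
    for i in range(6):
        events.append((base + timedelta(minutes=10 * i), "alice", f"/share/hr/resume{i}.docx"))
    # bob: 40 files in three directories rewritten within 30 seconds (ransomware-like)
    dirs = ["/share/finance", "/share/hr", "/share/legal"]
    for i in range(40):
        ts = base + timedelta(minutes=30, milliseconds=750 * i)
        events.append((ts, "bob", f"{dirs[i % 3]}/doc{i}.xlsx.locked"))
    return sorted(events)

def detect_mass_writes(events, window=WINDOW, max_writes=MAX_WRITES, min_dirs=MIN_DIRS):
    """Return one alert per user whose writes in any sliding window exceed both thresholds."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, directory) inside the window
    alerts = {}
    for ts, user, path in events:
        q = recent[user]
        q.append((ts, path.rsplit("/", 1)[0]))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        dirs_touched = {d for _, d in q}
        if len(q) >= max_writes and len(dirs_touched) >= min_dirs and user not in alerts:
            alerts[user] = {"first_seen": q[0][0], "writes": len(q), "dirs": sorted(dirs_touched)}
    return alerts

if __name__ == "__main__":
    for user, info in detect_mass_writes(build_sample_events()).items():
        print(f"ALERT {user}: {info['writes']} writes across {len(info['dirs'])} dirs since {info['first_seen']}")
```

The normal user never trips the rule, while the burst is flagged at its 20th write, which is the point at which an endpoint agent or SIEM rule could isolate the host.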
One of the business sectors that has seen a significant uptick in ransomware cases recently is the healthcare sector. Notwithstanding the fact that these organizations typically pay close attention to PCI, there are other factors unique to healthcare providers that make them especially vulnerable to cyber-attacks.
Healthcare: We have seen a significant uptick in ransomware cases in the healthcare sector, and typically these are organizations that pay close attention to PCI. What is unique about healthcare providers that makes them so vulnerable?
(Starts at 16:49)
One of the challenges that healthcare providers face is that many of them have very flat or unsegmented networks, i.e. all devices are connected with few boundaries or controls. Some of this is deliberate, because when it comes to patient care, efficiency and speed in accessing data is important (and often life-saving), as is the ability to remotely monitor medical devices such as pacemakers, glucose meters, CPAP machines and so on. However, when multiple people need to be able to access this information, it also makes these devices vulnerable to attack.
When it comes to their specific PCI environments, healthcare providers tend to do a better job, and this is where they focus their controls; however, such controls are often not duplicated elsewhere. Typically, healthcare control devices are old and cannot be adapted to modern controls, and this renders them exceptionally vulnerable. The larger the organization, the more devices are constantly being added to the network, and healthcare organizations cannot always control for security at the device level. Those healthcare organizations that have been ransomware victims recently were likely missing patches, their endpoint security was not up to date, there were excessive permissions and access between servers, and there was not a great deal of visibility regarding what was happening in their networks.
For organizations that have taken the approach of managing PCI by shifting risk to a third party, what would you recommend as a good starting point?
(Starts at 29:09)
If you have outsourced your network security – payment or otherwise – to a third party, it is still crucial that regular risk reviews are conducted. More and more organizations are starting to take security more seriously, and that includes scrutinizing vendors more closely. Whether you outsource your security or do it in-house, cyber insurance companies will ask you for details of your security policy and what is currently being done to prevent security breaches.
When using PCI as a framework, that does not mean using PCI literally. For example, where it references "cardholder data" you can simply replace that with "sensitive data" (or some similar phrase) and figure out what that means for your environment. Looking at the requirements in that light and applying them to whatever blocks of sensitive data you do not want compromised by ransomware is an effective way of adapting PCI standards to those areas not subject to PCI compliance requirements. If you are looking for a simple catchphrase that sums up this approach, then "PCI for PII" (Personally Identifiable Information) embodies the relevant principle very effectively.
One thing that is certain is that ransomware is here to stay for the foreseeable future. Ransomware is really not all that different from the old-school viruses and malware that have been around for many years; the big difference is in the payload. In the past, malware was just looking for specific pieces of data (like passwords). What today's ransomware seeks to do, however, is encrypt ALL of your sensitive files within a very short period of time. Nonetheless, there are steps that can be taken right away if you are a new business and/or are just becoming more focused on cyber-security.
For organizations that are just getting started with PCI, where is a good place to start for next steps?
(Starts at 33:47)
If not already doing so, start with gap assessments: have an independent third party do a security assessment that focuses on both the technology currently being used and the policies that are in place, and that provides recommendations for both. Think big picture; for example, if you already deploy PCI in some areas, then see how those controls can be applied elsewhere.
PCI gives you an edge because it really does focus on sensitive data. Though PCI is focused on credit-card data, the basic principles can be applied to data of all kinds. If you are doing PCI already in those areas of your organization that require it, then it is easier to apply it elsewhere.
As part of the process, ensure that you partner any outside security team with your internal team. It is VERY important to do an independent assessment even if you have an experienced internal security team, as the more input there is, the better and more thorough the results will be. Moreover, even really large companies often have very small internal security departments that find it hard to keep track of everything happening across the various networks, and they could benefit from outside assistance.
Make no mistake: in today's environment EVERYONE is susceptible to being responsible for a security breach, from an entry-level employee all the way up to the CEO. Protecting against ransomware requires a partnership among all stakeholders within an organization, not just IT/IT security. As already mentioned, security is no longer exclusively an IT issue, and everyone needs to be aware of what the dangers are and how they can do their part to combat malfeasance. PCI provides a framework for doing so, and its key precepts are easy to explain, understand and adapt, even for people without a tech or IT background.