Leveraging Penetration Testing to Meet PCI DSS Compliance Standards
Learn how pentesting for PCI DSS allows you to meet compliance standards, identify vulnerabilities, and protect against data breaches.
TL;DR:
Building a secure organization requires deliberate planning and strategy. It is not enough to focus on systems alone: a good company security strategy rests on three cornerstones, namely technology, processes, and people. In this article, we discuss how to develop an effective organizational security strategy that promotes a good security culture.
An effective security strategy must align closely with the organization's business goals and incorporate relevant drivers specific to the company. The security program should establish clear objectives and policies that support the overall aims of the business. These objectives should be realistic, measurable, and communicated effectively to all stakeholders. A well-defined security policy serves as the foundation for the strategy, outlining rules, procedures, and guidelines for employees and stakeholders to follow. The implementation plan should break down the program into manageable phases with clear timelines, milestones, and resource requirements. This approach demonstrates that security leaders have carefully considered the steps needed to execute the program successfully while remaining flexible and aligned with broader organizational goals.
The single biggest weakness in any organization’s security strategy is the “human element” of security. Systems and technology are generally very secure once they are configured correctly, because technology doesn’t make its own decisions. This means that it is typically much easier to create secure systems than it is to create secure employees. Social engineering is the use of psychological manipulation to get people to perform actions that can be used against an organization. It’s estimated that between 70% and 90% of all data breaches involve social engineering. To create a truly secure environment, therefore, you must have security at all levels of your business, not just within the security team or the IT staff. Employees outside the security function represent one of your biggest threat vectors as a business, and that cannot be overlooked. We like to describe this as an “all in” mentality: every area of your business needs to be trained and conditioned to be secure. Otherwise, hackers will simply attack your weakest area to gain access to your company. As the old saying goes, “you are only as strong as your weakest link”.
In this section, we will discuss some of the basic organizational strategies you can use as your first steps to implementing security and building a security roadmap. This will include simple solutions that will drastically reduce the likelihood of your company falling victim to a cyber attack.
Threat modelling is the practice of identifying the risks and threats associated with the different areas of your business. You must understand the most likely threats to your organization so that you can plan and implement security controls that help mitigate those risks. Threat modelling should be routine for the entire network, and it should also be done whenever new technology, such as a new web application, is developed as part of the Software Development Lifecycle (SDLC).
Having a secure password is one of the first lines of defence for your organization. With modern password-cracking software, weak passwords can be cracked in a matter of minutes, making them an easy entry point for hackers. The best way to prevent this is to create a mandatory password policy that dictates the kind of passwords your users must create. Industry standards vary, but generally a strong password should be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character. This should be the minimum standard for password complexity on your user accounts, and we recommend increasing the length to at least 10 characters for special accounts such as administrator accounts. You can use free tools like the secure password checker to see how strong your password is and roughly how long it would take a hacker to crack it.
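An added example, not the article's own tooling: a small validator that enforces exactly the policy described above (8 characters, 10 for administrator accounts, one uppercase, one lowercase, one digit, one special character) and a rough keyspace-based estimate of brute-force time. The guess rate and the 33-character special set are assumptions.

```python
# Added example: password policy check plus a rough brute-force estimate.
# Rules follow the article; GUESSES_PER_SECOND is an assumed offline cracking rate.

MIN_LENGTH = 8
ADMIN_MIN_LENGTH = 10
GUESSES_PER_SECOND = 1e10  # assumption: fast GPU rig against an unsalted fast hash


def check_password(password: str, is_admin: bool = False) -> list[str]:
    """Return the list of policy rules the password violates (empty means compliant)."""
    min_len = ADMIN_MIN_LENGTH if is_admin else MIN_LENGTH
    failures = []
    if len(password) < min_len:
        failures.append(f"fewer than {min_len} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    # A special character is anything that is neither alphanumeric nor whitespace.
    if not any(not c.isalnum() and not c.isspace() for c in password):
        failures.append("no special character")
    return failures


def brute_force_seconds(password: str) -> float:
    """Worst-case exhaustive search time for a password of this length drawn from the
    character classes it actually uses (26 lower, 26 upper, 10 digits, 33 specials).
    Real crackers try dictionary words and patterns first, so treat this as an upper bound."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33
    return charset ** len(password) / GUESSES_PER_SECOND


if __name__ == "__main__":
    for pw, admin in (("summer2024", False), ("Summer2024!", False), ("Summer24!", True)):
        print(f"{pw!r} admin={admin}: violations={check_password(pw, admin)}, "
              f"brute force ~{brute_force_seconds(pw) / 86400:.1f} days")
```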
Software updates are one of the simplest ways to reduce vulnerabilities in your organization. Whenever security vulnerabilities are found in software, the vendor typically releases patches to fix them; you must have a process for detecting and applying these patches to keep your systems as secure as possible. If you would like further guidance on how to implement patch management properly, the National Institute of Standards and Technology (NIST) has written a guide to patch management for businesses to follow.
There are three forms of authentication: 1) what you know, 2) what you have, and 3) what you are (biometrics). Two-factor authentication (2FA) is the use of at least two of these forms to make it more difficult for someone to compromise your account. This usually means adding either option 2 or option 3 alongside your traditional username and password. The second factor is most commonly a software token generated by an app such as Microsoft Authenticator, but it can also be a hardware device, biometrics, or another method.
Information sharing refers to taking care to limit how sensitive information is shared within your company or with third parties. When dealing with sensitive information it’s important to implement the principle of least privilege that mandates that you only share information with people who need that information to do their job. This is important from both a security and compliance perspective. To do this effectively you need to have a consistent means of classifying data to understand its level of sensitivity.
You must provide education for your employees on how to securely perform their job functions. At a minimum, each employee should be made aware of three key things. First, they should understand what a phishing email is and how to detect one. Second, they should understand the danger of downloading file attachments, enabling macros, and navigating to suspicious websites on company machines. Third, employees need to be taught how to handle sensitive company information. Depending on the employee’s job, customer information may be subject to certain regulations, and access to that information should be limited within the business.
To get the most out of your phishing simulations you need good metrics. You need to be able to measure how many emails were sent, who they were sent to, how many were opened, how many were reported, and how many attachments were downloaded. This will give you a good understanding of the security awareness of your organization's employees.
When it comes to building a phishing simulation you have two choices. First, you can outsource it to a company that performs this type of work and let them manage the campaign. Second, you can use specialized software that allows you to create and manage these campaigns yourself. Once you have decided on a method, use your first simulation to establish a baseline: the percentage of users who fell victim to the campaign. With that number in hand, implement a security awareness training program and then retest your employees to verify that the training was effective. If the training resulted in lower rates of emails being opened and attachments downloaded, it was a success; if not, you need to re-evaluate the training you are offering your employees.
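An added example, not the article's or any vendor's code, showing how the metrics from the two paragraphs above (sent, opened, reported, attachment downloaded) turn into a baseline and a retest, and how the stated success criterion is applied. The event log is constructed sample data.

```python
from collections import defaultdict

# Added example: phishing simulation metrics. EVENTS is constructed sample data of
# (campaign, user, event) rows; event is "sent", "opened", "attachment" or "reported".
EVENTS = [
    ("baseline", "alice", "sent"), ("baseline", "alice", "opened"), ("baseline", "alice", "attachment"),
    ("baseline", "bob", "sent"), ("baseline", "bob", "opened"), ("baseline", "bob", "opened"),
    ("baseline", "carol", "sent"), ("baseline", "carol", "opened"), ("baseline", "carol", "attachment"),
    ("baseline", "dave", "sent"), ("baseline", "dave", "reported"),
    ("baseline", "erin", "sent"),
    ("retest", "alice", "sent"), ("retest", "alice", "opened"),
    ("retest", "bob", "sent"), ("retest", "bob", "reported"),
    ("retest", "carol", "sent"), ("retest", "carol", "reported"),
    ("retest", "dave", "sent"), ("retest", "dave", "reported"),
    ("retest", "erin", "sent"),
]


def campaign_metrics(events, campaign):
    """Per-user rates for one campaign. Each user counts once per event type, so a user
    who opens the same mail twice (bob above) does not inflate the open rate."""
    users = defaultdict(set)
    for camp, user, event in events:
        if camp == campaign:
            users[event].add(user)
    sent = len(users["sent"])
    if sent == 0:
        raise ValueError(f"no emails sent in campaign {campaign!r}")

    def rate(event):
        # Only count users who were actually targeted in this campaign.
        return len(users[event] & users["sent"]) / sent

    return {"sent": sent, "open_rate": rate("opened"),
            "attachment_rate": rate("attachment"), "report_rate": rate("reported")}


def training_effective(events, baseline="baseline", retest="retest"):
    """The article's success criterion: lower open and attachment-download rates after training."""
    before, after = campaign_metrics(events, baseline), campaign_metrics(events, retest)
    return (after["open_rate"] < before["open_rate"]
            and after["attachment_rate"] < before["attachment_rate"])


if __name__ == "__main__":
    for name in ("baseline", "retest"):
        print(name, campaign_metrics(EVENTS, name))
    print("training effective:", training_effective(EVENTS))
```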
Company security policies are the documents that mandate how the organization should function. They cover things like password policies, hiring procedures, termination procedures, data handling, and other security controls, and they are important for governing how employees implement security in your organization. Another important measure is proper security screening of candidates during hiring to ensure that you bring the right people into your organization.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a compliance regulation that applies to all private sector organizations in Canada. To ensure compliance with PIPEDA you must uphold its 10 key principles:
1) Appoint a PIPEDA Compliance Officer
2) Have a clear purpose for all data that you collect
3) Obtain meaningful consent before collecting data
4) Limit Collection to what is necessary for business purposes
5) Limit use, disclosure, and retention to what is necessary for business purposes
6) Have processes for detecting and correcting inaccurate customer information
7) Have appropriate security safeguards
8) Be open about your information management practices
9) Allow individuals to access their information
10) Allow customers to challenge your compliance with PIPEDA practices
In addition to PIPEDA, you need to be aware of other provincial and international regulations that can also affect your business. HIPAA is a compliance regulation that affects companies that collect healthcare information, while GDPR affects companies that collect information from anyone living in the European Union. SOC 2 and ISO 27001 are important accounting compliance standards that require the implementation of security controls, processes, and procedures. It’s important to understand and adhere to these compliance standards.
Measuring the results of your cybersecurity program can be difficult but it is not impossible. As we discussed above for security awareness, phishing simulations allow you to measure how your training program has increased your employees' resilience to phishing emails. This is the best way to measure your company’s overall security awareness. In terms of general cybersecurity metrics, it’s good to measure your company’s mean time to detect security incidents, mean time to resolve security incidents, and have routine penetration tests to see how many vulnerabilities exist in the organization.
Regularly reviewing and updating your security strategy is crucial to maintaining an effective defence against evolving threats. This ongoing process involves tracking changes in the security landscape and making necessary adjustments to your plan. Conduct regular security drills to test the effectiveness of measures and identify areas for improvement. The strategy should be geared towards anticipating and reacting to frequent, unexpected changes in business, technology, and operating environments. Establish a quarterly cadence of reporting and communication on progress and challenges. Assess the current state of your information security program, identify capability gaps, and perform a gap analysis to map the current state against the vision statement, objectives, and key drivers. Prioritize projects based on criteria such as risk reduction potential, resources required, financial cost, and time to value. This approach ensures continuous improvement in the effectiveness and efficiency of security controls while adapting to external trends.
Having a good organizational security strategy means a commitment to both technical and human elements. It’s not good enough to secure your organization’s systems while neglecting the human element. In this blog post, we gave you practical tips on how to secure both your organization’s systems and human users and how to measure the results of your efforts so that you can demonstrate ROI to upper management and stakeholders.