There are many vulnerabilities to deal with in most PCI compliance audits; however, these top 5 are some of the most common and costly risks to address first.
Storage of full track, CVV2, and PIN block credit card data
You know the little number on the back of your credit card? Well, the bad guys would sure like to know it. While a merchant requires your 16-digit credit card number and expiration date to process your purchase, under no circumstance is full track data to be stored. In many cases this is done accidentally by poorly created or out-of-date point of sale software. Quick Tip: Audit the credit card data you must store (or better yet, come up with a way to never store this information).
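An added example, not from the original post, of the audit the Quick Tip recommends: a small Python scanner that flags full Track 1/Track 2 data, CVV2 values and Luhn-valid PANs in stored text such as POS logs, reporting only the last four digits of any card number. The log lines and the regexes are my own construction, built from the ISO/IEC 7813 track layouts.

```python
import re

# Added example (not from the original post): scan stored data or logs for card data that
# PCI DSS forbids keeping after authorization (full Track 1/2 data, CVV2) and for bare PANs.
# Track layouts follow ISO/IEC 7813; the sample log lines are constructed.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")  # %B<PAN>^<NAME>^YYMM<svc>...?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")               # ;<PAN>=YYMM<svc>...?
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")               # 13-19 digits, spaces/dashes allowed
CVV_RE = re.compile(r"\bcv[vc]2?\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)    # e.g. "cvv=123" stored in a log

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that filters out order numbers and other 13-19 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Report only the last four digits, so the audit output is not itself card data."""
    return "*" * (len(pan) - 4) + pan[-4:]

def scan_line(line: str) -> list:
    findings = []
    for m in TRACK1_RE.finditer(line):
        findings.append(("track1", mask(m.group(1))))
    for m in TRACK2_RE.finditer(line):
        findings.append(("track2", mask(m.group(1))))
    # Remove track data first so its PAN is not reported a second time as a bare PAN.
    stripped = TRACK2_RE.sub("", TRACK1_RE.sub("", line))
    for m in PAN_RE.finditer(stripped):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("pan", mask(digits)))
    if CVV_RE.search(line):
        findings.append(("cvv", "***"))
    return findings

def scan_log(lines) -> list:
    """Return (line_number, kind, masked_value) for every hit across the input."""
    return [(n, kind, val) for n, line in enumerate(lines, 1) for kind, val in scan_line(line)]

SAMPLE_LOG = [  # constructed POS log lines; 4111111111111111 is a well-known test PAN
    "2024-01-01 12:00:00 swipe raw=%B4111111111111111^DOE/JANE^25121011234567890?",
    "2024-01-01 12:00:05 swipe raw=;4111111111111111=25121011234567890?",
    "2024-01-01 12:01:00 order=98765 card=4111 1111 1111 1111 cvv=123 amount=42.00",
    "2024-01-01 12:02:00 order=98766 token=tok_8f3a last4=1111 amount=10.00",
    "2024-01-01 12:03:00 tracking-id=1234567890123 shipped",
]
```

Lines 4 and 5 of the sample are the "good" cases: a token plus last four digits produces no finding, and a 13-digit shipment id that fails the Luhn check is ignored rather than reported as a false positive.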
Vendor default accounts and passwords
Hardware and software typically come with a default password; the classics include Admin/Password and cisco/cisco. Audit all of your networking and systems and ensure you have a strong password set at all times.
Insecure remote access by software vendors
While remote access is a necessary tool to support and run your IT shop, it can be a common focus of attack for the bad guys. Ensure you have SSL or other encryption turned on, and set VERY strong passwords for any remote access software. It would also be helpful if users get locked out for a certain amount of time when several bad password attempts are made. You don’t want anyone guessing your password by using a brute force password cracking tool.
Compatibility issues with anti-virus and encryption
Tools like anti-virus and encryption are strong – when they are set up correctly and up to date. Double check that these tools are working as planned before someone else notices.
Poorly coded web-facing applications prone to SQL injection attacks
Writing software code is a tricky business, and developers who are not trained in secure methods can leave rather large holes in your software. Talk to your team about what training they have gone through and organize lunch-and-learn events if you have an in-house development team. If you only use vendor-supplied software, ask them to provide evidence that they understand secure coding principles and practices.
Ineffective Patch Management
You know why Grandma’s computer runs so slow and has all of those pop-ups and browser plugins? I’m 99.998% certain it’s because she’s running an old version of Windows that hasn’t been patched... ever. Next time you’re over for a visit, do her a favor and help her get up to speed. If you run an IT organization, make certain all of your devices have an automated patch management tool in place. Most operating systems have a way to turn this on, so you don’t have to worry every time a Microsoft patch comes out; oh, the joys of Patch Tuesday.
No Security Scanning
Weak Network Security
When was the last time you did an audit on your external firewall rules? You should know what ports and applications you allow in, and be sure that there are no any/any rules that render your firewall useless.
Lack of Real-Time Monitoring
Stopping the bad events is the best idea, but don’t you at least want to know what happened, and the extent of the damage, if an incident does happen? Without monitoring tools you can be left with no idea how to fix your problems and how much theft occurred. If you are on a shoestring budget you can set up syslog to capture log events in a central place, and if you have a moderate budget I’d recommend a fantastic tool called Splunk.