In my last post we discussed, the various data breaches that occurred this past year. Further, that using firewalls, intrusion detection, anti-virus, patch management, and related technologies may not be sufficient unless they’re used with the necessary operational controls. Here are a few best practices that can help you consistently achieve compliance while saving valuable time and money.
Network Segmentation: The best way to manage and monitor security for the entire network is to isolate sensitive areas that handle confidential data and control access to these sections. This can be achieved with internal partitioning using firewalls and routers. The same goes for parts of the network that deal with card holder data and sealing it off with access only to authorized users. The administrator can confine all card holder data into one network segment and restrict access with perimeter routers and firewalls. These network segments can then be easily monitored and audited regularly to check for compliance with established security policies. Ultimately, the scope of the audit becomes smaller and this means less effort, documentation, time, resources, and money are required to complete the audit process.
Network Security Basics: Eliminate fundamental network security weaknesses by ensuring the use of right protocols and basic best practices. Some of these include:
- Use of secure protocols, such as secure shell and SNMPv3 as they come built-in with basic security measures. When SSH is used, all communication between the client and server systems is encrypted. Similarly, by introducing proper message security, SNMPv3 provides Confidentiality, Integrity, and Authentication which are required to perform network management operations securely.
- Logging ACLs, which provides insight into network traffic as it traverses the network or is dropped by network devices. Additionally, ACL logs help detect anomalies in network traffic and determine if there has been an attack.
- Network devices with default settings and services enabled. If left such, a probing hacker might find them and gain access to the network. Therefore, make sure to change all default passwords and logins to prevent unwarranted access.
- Finally, regularly backup device configuration files. This ensures data is archived for disaster recovery purposes, especially for critical network devices.
Business-as-usual: Meeting PCI DSS is an ongoing process. Technical controls will eventually lose their affect as human errors occur, new vulnerabilities are discovered, and networks evolve. In order to ensure that technical controls remain effective, it’s important to implement supporting operational controls. Therefore, the following PCI DSS processes should be adopted:
- Inventory and manage network device lifecycles, especially those on critical routers and switches. Keep IOS and firmware updated, periodically review device configurations for compliance, and create configuration baselines so you can compare to ensure that regulatory standards are met. Maintain up-to-date device data and confirm that there are no obsolete devices that potentially open up security vulnerabilities.
- Properly configure and test new devices prior to deployment. Have the ‘last known good configuration’ ready so that, in case of an issue, you can restore the network to its previously stable state.
- All configuration changes must go through approval so that any missed or overseen aspect can be corrected. Reviewing device configurations ensures the necessary policy controls are met, which otherwise stand the chance of being bypassed intentionally or due to negligence.
- Automate repetitive tasks to save time and increase accuracy—for tasks such as bulk password changes, SNMP community string changes, VLAN changes, etc. In turn, administrators can invest time in other network management activities.
- Have all of your device configurations stored, catalogued, and backed up. In the event of a hardware failure or bad configuration you will be able to recover quickly.
- Compliance with internal and external controls should be assessed and monitored continuously. To stay protected it’s mandatory to assess policy effectiveness and compliance with security controls regularly and frequently.
To learn more best practices for building PCI DSS compliant networks, watch this Webcast featuring Eric Hodeen of CourtesyIT and SolarWinds® Technical Product Marketing Manager, Rob Johnson.
Well these are a just a few tips that can be utilized to save valuable time and money. However, to achieve optimal performance, it’s a good idea to use an automated solution to help meet the aforementioned best practices. C