New PCI DSS Ecommerce Best Practices Replace Previous Guidelines Issued in 2013

Consumers love shopping online and are abandoning malls for mobile shopping apps in droves. However, online shopping environments offer multiple opportunities for hackers to steal payment card data. Even worse, as more brick-and-mortar stores implement card chip technology to defeat skimmers and other forms of POS system fraud, thieves are gravitating toward card-not-present (CNP) ecommerce environments, where the pickings are easier. In an effort to address the growing threat of ecommerce fraud and clear up confusion among merchants regarding encryption and digital certificates, the PCI Security Standards Council has just released a PCI DSS ecommerce information supplement with updated best practices for ecommerce cyber security, which replaces the previous PCI DSS ecommerce guidelines issued in 2013.

Previously, the PCI Council had mandated that all online merchants implement TLS 1.1 encryption or higher by the end of June 2016, then later extended the deadline to June 2018. However, the PCI Council recognized that many merchants did not fully understand their responsibilities and options regarding encryption and digital certificates. The new PCI DSS ecommerce guidelines include a primer on SSL and TLS that explains the difference between SSL and TLS and how to select a Certification Authority (CA) and a public key certificate. There is also a list of questions merchants commonly have about certificate types and TLS migration options; four case studies outlining ecommerce security solutions in different data environments; and a section devoted to best practices for securing ecommerce sites.

Understanding and Complying With the New PCI DSS Ecommerce Guidelines

As the PCI Council itself points out, the new guidelines “[do] not replace or supersede requirements in any PCI SSC Standard.” They “[contain] revised content to address changes in risk and supporting technologies” and are meant to help merchants protect themselves against emerging threats and prepare for migration to TLS 1.1+ encryption.

Although the TLS migration deadline is still over a year away, the PCI Council does not recommend waiting. There are numerous security vulnerabilities in SSL and early (pre-1.1) versions of TLS that are incapable of being fixed or patched. Any ecommerce site running SSL or early TLS is at serious reach of being breached and should upgrade as soon as possible. This is critical even for small ecommerce businesses. Hackers do not discriminate between sole proprietorships and multinational corporations, and a tiny startup may be less able to absorb the financial hit of a breach than a multinational.

In addition to extensive information on TLS 1.1+ migration, the guidelines contain a list of best practices for securing ecommerce stores, including:

• Know the location of all your cardholder data; use data flow diagrams to identify your systems, processes, and security controls.
• If you don’t need it, don’t store it; PCI DSS 3.1 requires that merchants store cardholder data for only as long as they need to, and not store sensitive authentication data at all after authorization.
• Evaluate the risks of your associated e-commerce technology; PCI DSS Requirement 12.2 mandates that organizations include their ecommerce environments in their annual risk-assessment process.
• Conduct ASV scanning and penetration testing of ecommerce environments; even if you are outsourcing your web hosting and management, it is still your responsibility under PCI DSS to ensure that your vendor is conducting these important tests.

The PCI Council also mandates comprehensive cyber security training for staff and recommends that merchants promote cyber security awareness among their customers. Although the latter is not a requirement for PCI DSS compliance, it is still an excellent idea. Security-aware customers are less likely to fall victim to credit card fraud, which benefits merchants by reducing fraud-related losses. Additionally, in our connected world, hacks no longer happen in a vacuum; cyber security is everyone’s responsibility.

The PCI DSS ecommerce best practices supplement is 64 pages long, and much of the content is quite technical. Many merchants, especially small companies, may feel overwhelmed by the information, advice, and requirements outlined in the document, as well as PCI DSS compliance in general. That’s why merchants should seek the help of a PCI DSS Qualified Security Assessor (QSA) such as Lazarus Alliance. As a QSA, Lazarus Alliance has been approved by the PCI Security Standards Council to measure organizations’ compliance with the PCI DSS audit standard. Our PCI DSS experts will walk your business through the compliance process, including your online store’s migration to TLS 1.1+, and ensure that your systems are compliant and secured against data breaches, DDoS attacks, ransomware, and other forms of abuse.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization successfully migrate to TLS 1.1 or higher, achieve and maintain PCI DSS compliance, and secure your systems.

Back to School: Education Cyber Security

K-12 school systems, colleges, and universities are being increasingly targeted by hackers, yet education cyber security is as woefully lacking as other industries, as these recent incidents illustrate:

• In November 2016, Columbia County School District in Georgia admitted to a breach of personal information belonging to its employees and their spouses, dependents and insurance beneficiaries, including their names, birth dates, and Social Security information.
• On New Year’s Eve, Los Angeles Valley College was hit by a ransomware attack that brought the school to its knees. In an echo of last year’s Hollywood Presbyterian Medical Center attack, the college finally paid a ransom of over $28,000 in Bitcoin to regain access to its systems.
• In early January, Northside Independent School District, the largest school system in San Antonio, disclosed that it had fallen victim to a data breach last August that exposed the personal data of over 23,000 current and former students and employees.
• Elsewhere in Texas, the Argyle Independent School District fell victim to a spear phishing scheme that resulted in all of its employees’ W2 data being released to hackers.
• In Minnesota, South Washington County Schools was hacked by one of its own students, compromising the personal data of over 3,200 employees.

Education Cyber Security Threats are Many and Varied

As the above incidents illustrate, K-12 schools and higher education institutions face threats on multiple fronts. Like healthcare facilities, school networks are a hacker’s treasure trove of identifying information on staff members, students, and students’ families, including names, birth dates, addresses, Social Security numbers, even medical information. Additionally, school networks are often connected to each other and to government agencies for information-sharing purposes, which means that in addition to data breaches, ransomware attacks, and other direct abuse, cyber criminals may infiltrate a school’s network for purposes of using it as a back door into another organization.

Further complicating education cyber security is the fact that K-12 schools, by their very nature, have a user base that includes minor children as well as adults. Not only are minor students potentially more vulnerable to social engineering schemes, they may also pose cyber threats themselves, as in the South Washington County Schools case. Students may also hack a school’s network to alter grades, cause general disruption, or even just to see if they can do it.

Third-party software applications also pose threats to education cyber security. Cash-strapped schools, under pressure from students and parents for more e-learning capabilities, often turn to free applications released by third parties. However, nothing is truly “free”; software developers must monetize their applications in some manner, and this could involve collecting personal data from teachers and students and selling it to other companies. Third-party developers may also practice poor data security. An independent audit of 1,200 education software applications by the nonprofit group Common Sense Education found that nearly half did not automatically encrypt students’ data.

How Schools Can Protect Themselves

Just as in every other industry, an education cyber security strategy must be proactive, not reactive. Teachers, other school staff, and students must all be trained on cyber security best practices, and schools must employ the same data security protection as organizations in other industries; for example, strong passwords that are changed regularly, two-factor authentication, and ensuring that software is kept up-to-date.

For generations, schools have taught students about “stranger danger” and how to stay safe in the real world; they should likewise be taught how to protect themselves from identity theft and other online crimes. Schools should also have specific policies regarding the use of third-party educational software in the classroom, and any software a teacher would like to use should be evaluated for data security before it is installed.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization secure your systems.

Doxware Leaks Your Private Data if You Don’t Pay the Ransom

Ransomware began grabbing headlines about a year ago, after Hollywood Presbyterian Medical Center paid hackers thousands of dollars in ransom after it got locked out of its systems. This large payday apparently encouraged hackers to keep going; a recent survey showed that about half of all businesses reported being victimized by ransomware at least once in the previous 12 months, and a stunning 85% had been hit three or more times. Because ransomware is now ubiquitous, organizations have learned to fight back by restoring their systems from backup drives, thus avoiding having to pay a ransom. Unfortunately,

A doxware attack unfolds similarly to ransomware: Victims attempt to log on to their computers and are greeted by a screen notifying them that their system has been locked down and demanding that a ransom be paid, usually in Bitcoin, for the code to get back in. However, doxware goes a step further, not only locking the system down but also threatening to expose the user’s private or sensitive data. This renders restoring the system from a backup ineffective because it will solve only half the problem.

One known doxware strain notifies users that it has compromised all of their login credentials, contacts, and Skype history onto a server and threatens to forward it to all of the user’s contacts unless the ransom is paid. Other variants are programmed to search the user’s system for files containing keywords that might indicate embarrassing content, such as “nude” or “sex.” In a unique twist aimed at self-propagation, a variant called Popcorn Time gives victims an alternate to paying the ransom: Infecting two of their friends with the malware.

As both Sony Pictures and the Democratic National Committee learned the hard way after their corporate emails were hacked and published on WikiLeaks, having embarrassing information go public can ruin reputations and derail careers. Additionally, the release of scandalous material isn’t the only thing organizations need to worry about; doxware could be set up to target trade secrets, intellectual property, and other confidential information that could be ruinous to a business if it were released. For hackers, this represents the “value proposition” of doxware over ransomware: The fear of financial ruin makes it far more likely that doxware victims will cave in to hackers’ ransom demands or even agree to infect their friends in order to get off the hook. Of course, there is no guarantee that the criminals demanding the ransom will keep their word and not release the information, anyway.

How serious is the doxware threat?

Right now, doxware is a new threat, and attacks have been confined to Windows computers and laptops, but this particular attack vector is so potentially lucrative, there’s no reason to think that cyber criminals will stop there. Doxware would lend very well to mobile devices, where it could be set up to send photos, videos, and text messages to all of the user’s contacts.

The bright side is that since doxware isn’t yet at epidemic levels, organizations have a chance to get ahead of the game and take proactive cyber security measures before it becomes as common as ransomware. Methods to prevent a doxware attack are essentially the same as those used to fend off ransomware: training employees on how to spot phishing emails and other cyber security best practices, deploying antivirus packages that protect against ransomware strains, and maintaining regular system backups. Organizations should also air-gap intellectual property, employee tax data, and other highly sensitive information to make it more difficult for hackers to access, and encrypt the data so that it is useless even if they do manage to get at it.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization secure your systems.