By Rob Chapman, Director of Security Architecture, Cybera (www.cybera.com)
When I look back on the various PCI programs that I’ve run, three key items always stand out. Why? Because they can quickly deliver outsized benefits to pretty much any business that’s subject to PCI compliance. Going beyond the scope of PCI, the following three tips also represent some of the most important IT security changes you can make to protect your business and your customers. Let’s dive a bit deeper into each one.
Tip 1: Turn on MFA for Everything
My first recommendation is to find a multi-factor authentication (MFA) solution and turn on MFA for everything. And, yes, I mean EVERYTHING. I can’t think of a single solution that will make a bigger impact on your overall security posture. MFA is simply too easy, cheap, and security-impacting to ignore.
If you’re not overly familiar with MFA (sometimes called 2FA), it’s simply an extra authentication step during a login process. MFA often involves a one-time use code or similar time-sensitive task. There’s a good chance you’ve personally experienced MFA when accessing an online financial or shopping account.
Any effective MFA solution should combine two of these three options:
- What you know, such as a password
- What you have, such as your phone or similar security fob
- Who you are, such as biometrics like a thumbprint
There are many mature options in the MFA arena. I’ve personally used free options built into platforms, one-time codes with Google Authenticator, and both Duo and Okta. Some options are definitely better than others, and I tend to prefer time-based codes rather than text messages. Push notifications are also nice for end users.
I once spoke with an FBI agent whose team had handled several business-impacting cybersecurity cases. He said if it were up to him to create the laws, he’d make the lack of MFA on email a criminal offense for company executives. He was adamant about how effective MFA is at stopping crime, and he explained that there’s simply no catch-all security fix that packs as much punch as MFA. I completely agree with him.
Unfortunately, executive and user pushback are often the biggest obstacles in deploying MFA. Most people simply don’t like disruptions in their routines, and MFA is purposely designed to change routines. You can always attempt to make MFA easier for users, but be careful about making it too easy.
Criminals have learned that in certain cases they can quickly annoy people to the point that they’ll readily hand over MFA tokens or push acceptance buttons just to get through the process. That’s why I always recommend being extremely thoughtful about your entire MFA process. And don’t forget: The critical part of any MFA option (and a common mistake I see) is just remembering to actually turn it on!
Tip 2: Log Everything
If you’re not already doing so, I implore you to turn on logging and track everything in a central location. I’m a huge fan of managed SIEM/SOC services that ingest, monitor, and provide alerting for logs. I’m also a big believer that unless you’re collecting and examining your logs regularly, you don’t truly know what’s happening in your environment.
You’ll see two primary benefits by generating and reviewing your logs. The first is the obvious security benefit. If someone’s trying to log into systems they shouldn’t—or systems are exhibiting unusual traffic or behavior—there’s a good chance you’ll catch it in the logs.
The second benefit is being able to identify broken systems. For example, I’ve inherited servers that “appeared” to be working but were essentially running wild. Turning on logging and looking at those logs often revealed easily fixable configuration issues. Suddenly, systems that had been problem children simply began behaving great again. Like MFA, logging is simply too easy not to do.
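To make the first benefit concrete, here is the kind of rule a SIEM runs over centrally collected authentication logs. This is an added example for this article, not the author’s code or any vendor’s product logic. The log lines are constructed in an sshd-like format (the hosts, users and addresses are invented), and the rule, threshold and window size are assumptions: it groups failures by source address, flags any source with five or more failures inside sixty seconds, and reports whether a successful login followed the burst, which is the case that needs attention first.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an sshd-like format; not from any real system.
SAMPLE_LOG = """\
2024-03-01T02:14:01Z host1 sshd: Failed password for admin from 203.0.113.7 port 52211
2024-03-01T02:14:03Z host1 sshd: Failed password for admin from 203.0.113.7 port 52212
2024-03-01T02:14:04Z host1 sshd: Failed password for root from 203.0.113.7 port 52213
2024-03-01T02:14:06Z host1 sshd: Failed password for admin from 203.0.113.7 port 52214
2024-03-01T02:14:09Z host1 sshd: Failed password for admin from 203.0.113.7 port 52215
2024-03-01T02:14:12Z host1 sshd: Accepted password for admin from 203.0.113.7 port 52216
2024-03-01T09:30:44Z host1 sshd: Accepted publickey for deploy from 198.51.100.20 port 40100
2024-03-01T09:31:10Z host1 sshd: Failed password for deploy from 198.51.100.20 port 40101
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) \S+ for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failures inside window_seconds.

    Each alert records how many failures the source produced, which accounts it
    tried, and whether an Accepted event followed the burst (success_after), since a
    success after a run of failures is what an analyst should look at first.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        # Sliding window over failure timestamps: any `threshold` consecutive failures
        # whose first and last are within window_seconds trigger one alert for this IP.
        for i in range(len(failures)):
            j = i + threshold - 1
            if j >= len(failures):
                break
            span = (failures[j]["ts"] - failures[i]["ts"]).total_seconds()
            if span <= window_seconds:
                success_after = any(
                    e["result"] == "Accepted" and e["ts"] >= failures[j]["ts"] for e in evs
                )
                alerts.append({
                    "ip": ip,
                    "failures": len(failures),
                    "users": sorted({e["user"] for e in failures}),
                    "success_after": success_after,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

On the constructed input this yields a single alert for 203.0.113.7 covering the admin and root accounts with success_after set, while the lone failure from 198.51.100.20 stays below the threshold. In a real deployment the threshold and window are tuned per environment, and the unparsed-line count is worth tracking too: a sudden jump usually means a system changed its log format or stopped sending, which is exactly the “broken system” signal the second benefit describes.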
Tip 3: Change Your Password Policy
Most people are working with outdated information when it comes to passwords. Prevailing convention for years was to change passwords often and arbitrarily. We thought adding a symbol or number to the mix helped. Sadly, we discovered that too many people just wrote down their passwords in plaintext somewhere, “hid” them under their keyboard, or taped them directly to their monitor.
While having more possible options for characters can help, password length matters more than anything else. Here are two examples to illustrate that point:
- Example 1: I choose a random 7-character password with letters, numbers, and symbols. With a relatively modern computer, it takes about a minute and a half to crack the password.
- Example 2: I create a 15-character password with only lowercase letters. Using the same computer, it now takes approximately 500 years to crack the password.
Which option sounds more secure to you? The next time you’re working on password policies, make your passwords long (literally 15 characters or longer). Change them only after a phishing type of attack or similar compromise, and that’s it. (BTW, I tried a variety of online calculators to generate my password examples above. Although your particular results might vary, the key takeaway is the magnitude of the difference: longer=stronger.)
Unfortunately, password policy is one area where PCI guidance lags behind. PCI still wants password changes every 90 days. So, talk with your QSA about how to manage exceptions and look at NIST for supporting evidence. You might be stuck changing passwords more often than you prefer, but using longer passwords is still better. And if your passwords are longer, you don’t have to worry as much about password complexity.
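The two examples above come down to keyspace arithmetic, and it is worth being able to reproduce it rather than trusting an online calculator. This added example, written for this article and not the author’s own calculation, computes the number of possible passwords and the entropy in bits for each example, converts that to a worst-case guessing time at an assumed guess rate (the 10^9 guesses per second below is a placeholder assumption; the author’s calculators evidently assumed a different rate, and the absolute times change with it while the ratio does not), and finishes with a length-first policy check that rejects anything under 15 characters regardless of how many symbols it contains. The character-class sizes are the standard printable-ASCII counts (26 + 26 + 10 + 33 = 95).

```python
import math
import string

# Character classes and their sizes; symbols = 32 punctuation marks + space = 33.
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation) | {" "}, 33),
}

ASSUMED_GUESSES_PER_SECOND = 10 ** 9  # placeholder assumption, not a measured figure


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character in the password."""
    return sum(n for chars, n in CLASS_SIZES.values() if any(c in chars for c in password))


def keyspace(length: int, alphabet: int) -> int:
    """Number of distinct passwords of this length over this alphabet."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """Bits of entropy for a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet)


def time_to_exhaust(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Worst-case seconds for an offline guessing attack at the given rate."""
    return keyspace(length, alphabet) / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def check_policy(password: str, min_length: int = 15):
    """Length-first policy: reject short passwords no matter how 'complex' they look."""
    if len(password) < min_length:
        return False, f"too short: {len(password)} < {min_length} characters"
    return True, "ok"


def compare_examples(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Example 1 (7 chars, full 95-char alphabet) vs Example 2 (15 chars, lowercase only)."""
    results = {}
    for name, length, alphabet in (("7 mixed", 7, 95), ("15 lowercase", 15, 26)):
        results[name] = {
            "keyspace": keyspace(length, alphabet),
            "bits": round(entropy_bits(length, alphabet), 1),
            "worst_case": human(time_to_exhaust(length, alphabet, guesses_per_second)),
        }
    results["ratio"] = keyspace(15, 26) // keyspace(7, 95)
    return results


if __name__ == "__main__":
    for name, value in compare_examples().items():
        print(f"{name}: {value}")
    print(check_policy("Tr0ub4d!"))                    # (False, 'too short: 8 < 15 characters')
    print(check_policy("correcthorsebatterystaple"))   # (True, 'ok')
```

The 15-character lowercase password has roughly 24 million times as many possibilities as the 7-character mixed one (about 70 bits against 46), which is why the author’s calculators produced minutes for one and centuries for the other whatever rate they assumed. The policy function is deliberately blunt: once length is enforced, a complexity rule adds little, and the rotation schedule is a separate matter for your QSA conversation.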
About The Author
As Director of Security Architecture at Cybera, Rob Chapman is responsible for the company’s overall cybersecurity architecture and PCI compliance initiatives. During his career, he has focused on areas ranging from academic and enterprise technologies to big data and audiovisual systems. Chapman has a Masters in Educational Leadership and Instructional Technology from Tennessee Technological University. He currently resides in Columbia, TN.