Best Practices to Limit Risk & Simplify Security
At a recent industry conference, one of the guest speakers stated that his company dealt with 84 different security vendors, a fact that was not altogether surprising. Amid the ongoing current Digital Transformation, many companies are adding service upon service, which can become very difficult to monitor and manage.
While many of these security tools are useful and necessary, even more important is ensuring the network’s architecture is simple and scalable, and that basic best practices are being implemented with 100 percent compliance.
One area that organizations may want to revisit is their hardware practices. Here are a few hardware-related requirements of PCI DSS, as well as important best practices for meeting these requirements.
1. Keep an inventory of system components.
PCI DSS requires companies to keep an inventory of system components that are subject to PCI requirements. Here are a few key strategies for enforcing device visibility and therefore enabling an accurate inventory of system components:
• Use several criteria to identify devices in addition to MAC and IP addresses, such as device IDs and system identifiers that use specific naming conventions.
• Enable alerting and enforcement actions for devices attempting to plug into the network.
• Regularly audit and maintain up-to-date and accurate network topologies (both logical and physical).
2. Ensure routers stay updated with the latest firmware.
PCI DSS requires merchants to use the latest firmware for all of their system components, including network routers. Keeping firmware up to date on network hardware can prove challenging for organizations — especially distributed enterprises with dozens, hundreds, or thousands of routers positioned over a large geographic area. Organizations that need to send someone on site to update router firmware expend enormous resources doing so and cannot quickly deploy new firmware when vulnerabilities are discovered.
Conversely, organizations that use Cradlepoint’s cloud-delivered network management platform, can easily group routers and deploy firmware uniformly across an entire router group in minutes, with just a few clicks, and without the cost and delays associated with sending a professional on site.
3. Physically secure devices and networks.
Restricted physical access is a key, and sometimes overlooked, element of network security — regardless of PCI compliance requirements. According to current PCI Data Security Standards, any networking equipment, servers, or other hardware that are in scope or connected to the cardholder data environment must be kept in a locked, access-controlled room.
Restricting physical access to the network is a particularly important security practice for distributed enterprises. Consider, for example, a retail chain. At any individual store, the on-site employees are typically unfamiliar with security best practices, and may very well never have met any of the company’s IT personnel. It is easy to see how a hacker could walk in with an official-looking uniform and an authoritative attitude and quickly gain physical access to the network.
4. Configure the network firewall for PCI compliance.
PCI DSS Requirement 1 states that the organization should install and maintain a firewall configuration to protect cardholder data. Here are a few important rules for ensuring the firewall is configured to support PCI compliance:
• Disable Universal Plug and Play (UPnP), which is a set of networking protocols that enable clients to allow traffic through the firewall without direct user interaction, which can allow unprivileged users to manipulate network configuration.
• Implement Stateful Packet Inspection (SPI) to monitor incoming and outgoing traffic and ensure that only valid responses to outgoing requests are allowed to pass through the firewall.
• Configure port forwarding rules to open ports on the firewall in a controlled manner for specific applications.
• Check source addresses with anti-spoof to protect against hackers that fake source addresses in packets to hide or impersonate another user.
• Establish a demilitarized zone (DMZ) for a layered approach.
5. Implement parallel networks for third parties and risky applications.
The network will continue to grow in size and complexity for the foreseeable future. With the increasing adoption of IoT technologies, BYOD practices, and third-party vendors that need network access, consistently meeting PCI DSS requirements will require most organizations to look at how the network architecture either enables or, more likely, impedes efficient implementation of security practices.
Before adding yet another security service to what is likely already a long list of vendors, consider launching Parallel Networks for third parties and risky applications. By completely separating, or “air-gapping,” networks that serve applications such as guest WiFi and third-party vendor access, companies can vastly reduce the scope of PCI compliance and therefore the time and resources required to maintain the highest levels of security on the network. It also eliminates any dependence on third parties for maintaining compliance and controls that could impact cardholder data.
In turn, the enterprise can focus more closely on protecting the cardholder data environment — the network that, if breached, would pose some of the greatest risk to the organization’s overall health and success.
Expore Secure, Cloud-Managed Routing Platforms
Learn more about Cradlepoint's array of cloud-managed wired and wireless routing platforms featuring best-in-breed security.