Using Least Privilege to Effectively Meet PCI DSS Compliance
With a number of high-profile security breaches plaguing the financial sector over the past year, the Payment Card Industry Security Standards Council has introduced a series of guidelines intended to help organizations ensure compliance with PCI-DSS.
Issued in November, the guidelines advise organizations that handle debit or credit card data how to best conduct their annual risk assessments, as mandated in PCI DSS Requirement 12.1.2.
These guidelines certainly reinforce how compliance has hardened from suggestive or advisory directives to true mandates with hefty fines and strict consequences for those failing to take heed. With harsher enforcement by government agencies, compliance has also evolved from merely ticking a box on a checklist to implementing, sometimes arduous and complex, processes.
This can be tough considering the organic nature of compliance mandates today, which are constantly under revision and evolving. To keep from being buried under the weight of bureaucracy, ideally, organizations should be continuously checking their compliance processes rather than conducting a behemoth risk assessment once a year.
One major step that organizations can take toward making assessment an ongoing part of business operations – rather than a daunting year-end endeavor – is implementing a least privilege approach which includes proactive monitoring.
For instance, the new guidelines specifically highlight the threat of assigning inappropriate access permissions. This is a threat that most companies can equip themselves to combat on an ongoing basis with full visibility into emerging and existing vulnerabilities.
In fact, many organizations remain largely unaware of the danger of employees logging onto to PCs with administrative privileges to carry out everyday tasks, ranging from software downloads to connecting to a printer. The problem is that the privilege to conduct such tasks without reasonable limitations can dramatically increase the risk of PCI compliance violation by allowing unauthorized access or exposure to cardholder data.
Here are some of the risks that organizations – especially those that handle a customer’s financial information – could incur when allowing privilege rights to employees:
- Unauthorized system changes, enabled by an employee’s admin rights, could not only result in costly system downtime, but could also block important management software, antivirus and policy settings configured by the IT department and designed to protect devices and data. Unwittingly or otherwise, privileged users could enable malware onto the system that results in massively expensive and excruciating data breaches.
- Even worse, with admin rights, the malware could attack other PCs and servers on the network, broadening the range of accessible cardholder information. Furthermore, malware can run automatically without a user’s knowledge, via Internet browser or other application exploits.
- With full administrative privileges, users could access the local data of others who use that same PC, potentially putting protected customer data at risk or exposing sensitive personnel information.
Antivirus and firewalls provide limited protection against threats to cardholder data, especially when users have the privileges to shut security programs off. Instead, these should be used in combination with more proactive, defense-in-depth security measures that not only protect against external hackers, but also secure systems from the inside.
Where sensitive data are involved, access should be granted on a “need-to-do” basis, and this can be accomplished through least privilege security, where users are granted only the rights necessary for the scope of their job.
By removing admin rights and elevating them only when needed, organizations can ensure PCI compliance with a user base that is a) prevented from introducing exploits that might cause data leaks, and b) prevented from accidental system configurations that could result in insecure devices. In fact, 90% of the exploits in Windows 7 are mitigated when user run with standard user rights.
Considering today’s soaring levels of malware attack incidents and sophistication levels, organizations can no longer afford to conduct a single annual risk assessment. To meet PCI requirements, organizations need to have an ongoing process of threat identification and protection, one that is an inherent part of their usual business operations.
With least privilege security, companies in the financial sector can rest easy, knowing their data are under diligent restriction, 24/7/365.