Organizations accepting credit card information abide by regulatory requirements through the PCI Security Standards Council. Auditors will ensure that the Cardholder Data Environments (CDE) have the required security controls. With Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, and General Data Protection Regulation (GDPR) in the EU, are you ensuring that critical information not pertaining to PCI is also properly protected?
Privacy and Brand vs PCI DSS
The practice of only protecting PCI infrastructure is more common than most security professionals would like to believe. Protecting assets that are not required through regulations are costly. Security Information and Event Management (SIEM) have a monthly fee and those fees vary dramatically depending on the service provider. With PIPEDA and GDPR incurring breach costs of $100,000 CAD and $500,000 GBP respectively, the need to protect non-PCI data needs to be re-evaluated. Evaluating it could be as simple as determining if the risk of a breach and its total cost including reputation damage outweigh the cost of the additional asset coverage.
If the cost of a breach is higher, those critical assets should also include the same security controls as those within the PCI zone. Determining those critical assets could be tricky. Below is a list that will help guide you into identifying those critical systems.
What is critical information?
Critical information varies depending on the organization but can include any intellectual property (such as blueprints), Human Resources documents, or internal documents, workflows or processes. Think of this as information that if released to the public could cause reputational damage, an advantage to your competitors, or a fine (PIPEDA or GDPR).
Does the server store, transmit or reside in the same network as any critical information? Many organizations have share drives that all staff can access. These share drives are among the first targets of attackers when access to an internal network is obtained.
How secure are your passwords? When on a network, attackers can use simple tools to exploit legacy Windows System services to capture hashes. Capturing these hashes allows for attackers to authenticate (pass-the-hash) to any systems the account has access to. A strong password alone will not prevent this.
Are employees local admins on their workstations? Attackers use employee machines as pivots to traverse the network and find your critical data. Being a local admin allows an attacker to disable most security controls (such as anti-virus) to keep persistence on the workstation.
Have you checked for any unused services and service accounts? Many times these accounts and services are overlooked and not disabled. Most of the time they have elevated access that attackers can use.
The best way to further explore these situations would be to begin an exercise where you list your critical pieces of information and determine which controls are in place, who has access to it, what would happen if someone unauthorized obtained access, and most importantly, how to react if the information is exposed.
The above list is as a primer to protecting other critical assets. Penetration testing explores your entire business from an attackers perspective. Learn more about the purpose of a penetration test and contact us if you’d like to learn more about how we can help protect your customers.