Tag: data security

How Misconfiguration Can Lead to Data Compromise

configuration: the way a computer or computer system is put together; a specific set and arrangement of internal and external components, including hardware, software and devices.

Source: Dictionary.com

Configuration is Key to Data Security

Did you know that just about every data security related compliance framework contains extensive requirements around configuration of hardware and software controls? Why? Because the way in which hardware or software is configured is about as important as having the device or software itself. For instance, having a firewall is a good thing, but it won’t do any good unless it’s configured to filter traffic between the internet and your computer network in a manner consistent with your security goals.

Some examples of the importance of secure configuration come from Trustwave’s 2018 Global Security Report, where testing of thousands of web applications found that 100% had at least one vulnerability. In addition, OWASP (Open Web Application Security Project) has security misconfiguration on its top 10 list of the most critical web application security risks for 2017. Lastly, the Verizon 2018 Data Breach Investigations Report (DBIR) recommends routine scans to identify misconfigurations before hackers do. Misconfigured databases, such as those directly connected to the internet and searchable by anyone on the internet, were a notable finding in the report.

Even on brand new computers, the default configuration for the onboard operating system is often not very secure. This is because computer manufacturers often have goals of ease of use, easy setup, or ease of establishing internet-based communications rather than security. As an example of this, I was recently setting up a new computer for my parents. As I was leafing through all configuration settings, I was surprised when I found that one of the default security settings was for the firewall to be turned off. Needless to say, I quickly turned it on.

How to Monitor Your Security Configuration

If you are a business owner or manager busy with running a business, you may not understand or have time to review your computer security configuration settings on a regular basis. For this reason, one of the security services that is included with Wind River Financial’s new Advanced Security Package (ASP) is Security Configuration Monitoring.

This is a service that monitors computer configuration against the relevant PCI Data Security Standard controls. It’s an automated service that detects configuration settings that are non-compliant and may weaken your business’s security posture. It does so on an ongoing basis, which is important because employees sometimes change settings, intentionally or unintentionally, on the computers they work on. Those responsible for a business need to become aware when a setting is changed in a way that may introduce risk to the business, and that is exactly the purpose of this service.
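To make the ongoing monitoring described above concrete, here is an added illustration (not Wind River Financial’s agent or Trustwave’s code) of a configuration-drift check: each expected setting is tied to the PCI DSS main requirement it supports (the mapping to requirement numbers is an assumption for illustration), and a new snapshot of a computer’s settings is compared against an earlier one so that regressions, such as a firewall being switched off, are reported.

```python
"""Hypothetical configuration-drift check mapped to PCI DSS main requirements."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    setting: str
    observed: object
    expected: str
    pci_requirement: int  # number of the PCI DSS main requirement (assumed mapping)


# setting name -> (PCI DSS requirement, human-readable expectation, predicate on the value)
CHECKS = {
    "firewall_enabled": (1, "enabled", lambda v: v is True),
    "vendor_default_passwords_in_use": (2, "none in use", lambda v: v == 0),
    "antivirus_enabled": (5, "enabled", lambda v: v is True),
    "antivirus_signature_age_days": (5, "updated within 7 days", lambda v: isinstance(v, int) and v <= 7),
    "shared_logins": (8, "no shared accounts", lambda v: v == 0),
    "audit_logging_enabled": (10, "enabled", lambda v: v is True),
}


def evaluate(snapshot: dict) -> list[Finding]:
    """Return one Finding per setting that is missing from the snapshot or fails its check."""
    findings = []
    for setting, (req, expected, ok) in CHECKS.items():
        observed = snapshot.get(setting, "<missing>")
        if observed == "<missing>" or not ok(observed):
            findings.append(Finding(setting, observed, expected, req))
    return findings


def drift(previous: dict, current: dict) -> list[Finding]:
    """Findings present in `current` but not in `previous`: settings that regressed since last run."""
    already_failing = {f.setting for f in evaluate(previous)}
    return [f for f in evaluate(current) if f.setting not in already_failing]


# Constructed snapshots: day 1 is compliant; by day 2 someone has turned the
# firewall off and the antivirus signatures have gone stale.
DAY1 = {"firewall_enabled": True, "vendor_default_passwords_in_use": 0, "antivirus_enabled": True,
        "antivirus_signature_age_days": 1, "shared_logins": 0, "audit_logging_enabled": True}
DAY2 = dict(DAY1, firewall_enabled=False, antivirus_signature_age_days=12)

if __name__ == "__main__":
    for f in drift(DAY1, DAY2):
        print(f"PCI requirement {f.pci_requirement}: {f.setting} is {f.observed!r}, expected {f.expected}")
```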

Security Configuration Monitoring is but one of many data security related services that are available as a software agent download as part of Wind River Financial’s ASP. If we have not contacted you about enrolling in this program, you may be hearing from us shortly as it’s being rolled out in phases. If you have not been contacted but would like to get a jump start on it, give us a call or send us an email and we can get you started.

WRF Director of Risk Management – “Is Health Care Ready for the Next Big Data Breach?”

As Wind River’s Director of Risk Management, Doug Buan understands data security and the dangers stemming from a data breach in intricate detail. His 23 years of experience encompass everything from law enforcement to retail loss prevention to fraud investigation. With that history comes a complex understanding of how to better manage data risk and mitigate security weaknesses.

Since joining our team, Doug has been using his expert knowledge to educate health care organizations about the risks associated with data breaches, especially in terms of the loss of sensitive patient financial information.

Recently, Doug contributed an article for the Healthcare Financial Management Association (HFMA). His article asks the question of whether health care is ready for the next big data breach. It’s a vital question. Back in 2017, approximately 5.6 million patient records were put at risk due to data breaches. With each ongoing year, the health care industry becomes a more and more enticing target for hackers. This fact ensures that data security needs to be an absolute top priority for these organizations.

In the article, Doug lays out security practices for how health care organizations can better protect themselves from a breach. The core concept comes down to implementing a Security First mindset. By shifting to focus on security above all else, IT departments and executives will be able to react quickly and strategically to any threat to their organization’s data while still meeting the PCI compliance framework.

If you’d like to read more about Doug’s strategy, make sure to check out the full article over on HFMA.org.

It’s not a matter of if, it’s a matter of when

As you may know, the continuous battle between hackers, malicious software, and data security gurus is, like many things, a game of cat and mouse. Some of you have heard the adage that “it’s not a matter of if, it’s a matter of when” you will experience a data breach.

In the data security arms race, bad guys are using very sophisticated means of exploiting computer networks around the world, and these same tools are available for purchase or rental in criminal forums on the dark net. Although your first thought may be that they won’t come after you because you’re “not one of the biggies,” you should know that over 90% of data breaches are to small and medium businesses. Much of this is scary, and you may feel somewhat helpless. However, there are tools that can help, with some effort.

First, we should mention the importance of PCI compliance. Yes, the groans are audible, as no one likes compliance – we don’t like to be told we have to do something that may distract us from running our business. However, about 1 in 5 businesses fail after a data breach due to related costs and reputation damage. It’s a very real risk. As a compliance framework, PCI’s goal is to be a tool that helps point out the weakest points in your network and data security so that they can be addressed.

As the first generation that has had to manage today’s technology, it’s important to understand that computer technology requires management. The “set it and forget it” approach will bring risks to your business. If we don’t have internal technical staff to manage it, we may have to contract with external IT resources to properly manage the systems that contain not only our business and employee information, but also the sensitive information on our customers – including credit card data.

A basic protection we should be using is an anti-virus/anti-malware solution, which we’ll refer to simply as “a/v.” These solutions are changing a lot right now as they migrate from being signature-based (the product has to recognize malicious software that has already been added to a database of known threats) to next-generation a/v, which may use artificial intelligence, machine learning, or applied mathematics to do the job. The effectiveness of signature-based a/v has come under fire as being too slow, since it relies on malicious software being added to a database before you are protected from it.

Some of the next-generation a/v solutions can recognize malicious software in real time. You can imagine the benefit. We are linking a recent related article from the Wisconsin State Journal.

We should also mention that we are currently working with our PCI compliance partner, Trustwave, on developing a security tools bundle that will be available to our customers. The tools will include an a/v solution and other services to help our customers secure their computer networks. One of the best parts is that they will also help fulfill a number of PCI related requirements. Please watch for future communication on this.

Preparing for Data Breaches: What retailers need to do

Cybersecurity is one of the most urgent topics on the agendas of retail executives. In fact, cyberattacks resulting in the loss of customer cardholder data and personally identifiable information have been fairly common in recent years. The best-prepared retailers are shifting their cybersecurity strategies from focusing on prevention to implementing techniques that quickly detect breaches and limit the damage once a breach has been confirmed.

Please join Jan Hertzberg, Derek Laczniak and me for a Lunch and Learn about how retailers can limit the scope and impact of cybersecurity breaches as well as leverage cyber-risk insurance to contain losses. Baker Tilly is sponsoring the event.

Event Info

Wed, September 30, 2015, 11:00am – 1:00pm CST

Nakoma Country Club
4145 Country Club Rd
Madison, WI

To learn more and register for this free event go here.

Reduce Risk from Data Breaches with 12 Main Security Requirements

Amidst the recent credit card breaches in the news from Target last year to Home Depot last month, it’s more important than ever to make sure your credit card data environment is secure at your business. As you may already know, back in 2004, the Payment Card Industry (PCI) put together a Security Standards Council to create a set of controls, including 12 main requirements, which businesses are to implement in order to properly protect credit card data.

Collectively, these control objectives and requirements are known as PCI DSS, which stands for Payment Card Industry Data Security Standard. All major credit card companies including VISA, MasterCard, Discover and American Express have mandated that merchants and service providers who store, process or transmit cardholder data must demonstrate how they follow these 12 main requirements and their sub-requirements. Failure to do so may result in fines or termination of credit card processing privileges.

The main goal of PCI DSS is to reduce business risk of these ever-present data breaches and cybercriminals. The hard facts are that one in five small businesses falls victim to cybercrime each year. The US’ National Cyber Security Alliance found that some 60% of those small businesses go out of business within six months after an attack.

So, how can you get started on protecting your business? A great place to begin is by taking a look at the 12 high-level security requirements below to understand how your business can begin reducing risk. Then make sure to sign onto Wind River Financial’s PCI Partner Program to complete your annual security questionnaire and start protecting your business today!

PCI DSS 12 Main Requirements

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

For a more robust explanation of each requirement along with all the sub requirements and standards, check out the PCI DSS Security Standards Council’s official requirements guide here.

As always, if you have any questions accessing your PCI Security Questionnaire or if this is your first time logging onto our PCI Partner Program, please give us a call at 1-800-704-7253, Option #4 to speak directly to one of our Relationship Managers or email us at info@windriverfinancial.com.

PCI DSS 3.0 Information – Resources to Help You Prepare

PCI DSS version 3.0 is now available. PCI DSS is a credit card data security compliance framework with which Visa, MasterCard, Discover, and American Express require all entities that accept their branded cards to be compliant.

Version 3.0 became effective on January 1st, 2014, but the previous version (2.0) can continue to be used throughout 2014 during the transition period. Version 3.0 becomes mandatory on January 1st, 2015.

Wind River Financial customers who use our PCI compliance portal at Trustwave will be migrated to version 3.0 as it becomes available within the TrustKeeper Wizard and as any new questionnaires become available from the PCI SSC.

Below are some resources to help you prepare your business for version 3.0.

PCI DSS Version 3.0 is Here – How to Prepare (Trustwave) Recorded Complimentary Webinar

Summary of Changes from 2.0 to 3.0 (PCI SSC) PDF Document