Introduction
I am frequently asked what a good PCI DSS architecture and set-up looks like, and how it can be made effective in supporting the protection of our data.
The problem here is that I need to describe a largely intangible infrastructure, whose only physical assets are pieces of ‘tin-ware’, e.g.:
• Firewalls
• Routers
• Switches
• Hypervisors
• Servers
• Databases
PCI DSS approach
PCI DSS provides organisations with a suite of controls, logically ordered under 12 requirements.
This ‘tin-ware’ provides the underlying infrastructure, but it is only as effective as the additional measures that are applied to it:
• Restriction of network traffic flows
• System configuration
• Encryption
• Anti-malware
• Vulnerability management
• Vulnerability scanning
• Logical and physical access control
• Alerting and monitoring
• Risk management
• Policies and processes
Rarely is it the ‘tin-ware’ that causes the breach; more often than not, it is caused by someone failing to maintain the integrity of these systems, or someone using the systems in a negligent manner.
But once these layers have been applied, what does effective look like?
Thankfully, whilst watching the movie ‘Ironclad 2: The Battle for Blood’, I came across a scene, set in 13th Century England, in which the Castle of Rochester is laid siege to by the Scottish, which clearly demonstrates the intent of a good security infrastructure and operations.
Although far from being the best film I have ever watched, it does provide an outstanding example of what an effective defence looks like in the tangible world.
The architecture of the castle is as follows:
• The Castle sits on an elevated position
• Surrounded by fortified walls
• Large, robust wooden access gates
• Strategically placed observation towers, manned 24/7, 365 days a year, providing early warning of any incursions
• Inbound/outbound traffic flows strictly controlled and restricted
• Any authorised traffic into the Castle is subject to search
• Bordering the Castle walls are a number of small villages; in essence, a De-Militarised Zone (DMZ)
During the attack, you can clearly see all the security operations coming together to respond to the advancing Scottish assailants: the alerting, the security incident response plan, etc.
However, much like the world of cybersecurity defence today, the effectiveness of the defences was undermined by human failings. While the incident response team were responding to a brute-force attack by the main party of attackers (approximately 20-30 people), a small team of hostile intruders (2-3 personnel) managed to find a vulnerability in the access control at the entry to the castle. They gained unauthorised entry from the Castle moat, under the drawbridge, through an unguarded gate.
In the cyber world, this can be likened to having a port, service or protocol open on a firewall, or running an unknown, insecure service, without a justified, documented and approved business need.
Believe me, if a hostile aggressor successfully gains access to your DMZ, you can bet your ‘bottom dollar’ that they will be looking to exploit any vulnerability in order to gain unauthorised access into your network’s castle.
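As an added illustration (not part of the original post, and not a Nettitude tool), the following Python sketches the kind of firewall rule review that catches an ‘unguarded gate’ of the sort described above: every permitted flow is checked against a change-control register of approved business justifications, any flow that lets the internet reach the cardholder data environment (CDE) directly rather than via the DMZ is flagged, and insecure services exposed from the internet are flagged. The rule format, zone names, register entries and sample rules are all constructed for this example.

```python
"""Firewall rule review in the spirit of PCI DSS Requirement 1: flag
permitted flows that lack a documented business justification, that let
the internet reach the CDE directly, or that expose insecure services.

Added example; not from the original post. The Rule format, zone names,
change-control register and sample rules below are all constructed.
"""
from dataclasses import dataclass

# Services that should not be admitted from an untrusted zone without a
# compensating control. Illustrative, not exhaustive.
INSECURE_SERVICES = {"telnet": 23, "ftp": 21, "smb": 445, "rsh": 514}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str      # "allow" or "deny"
    src_zone: str    # "internet", "dmz" or "cde" in this constructed layout
    dst_zone: str
    dst_port: int
    service: str


# Constructed rule set: the villages (DMZ) sit between the internet and the keep (CDE).
RULES = [
    Rule("fw-001", "allow", "internet", "dmz", 443, "https"),
    Rule("fw-002", "allow", "dmz", "cde", 1433, "mssql"),
    Rule("fw-003", "allow", "internet", "dmz", 23, "telnet"),   # insecure, undocumented
    Rule("fw-004", "allow", "internet", "cde", 3389, "rdp"),    # the unguarded gate
    Rule("fw-005", "allow", "cde", "dmz", 6514, "syslog-tls"),
    Rule("fw-006", "deny", "internet", "cde", 0, "any"),
]

# Constructed change-control register: rule id -> approved business justification.
JUSTIFICATIONS = {
    "fw-001": "CHG-1001: public web tier",
    "fw-002": "CHG-1002: web tier to payment database",
    "fw-005": "CHG-1005: log forwarding to the DMZ collector",
}


def audit_rules(rules, justifications):
    """Return (rule_id, finding) tuples for every 'allow' rule that fails a check.

    Findings are emitted in rule order; a rule may produce more than one.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules need no justification
        # Every permitted flow must map to an approved change record.
        if r.rule_id not in justifications:
            findings.append((r.rule_id, "no documented business justification"))
        # An untrusted zone reaching the CDE directly bypasses the DMZ entirely.
        if r.src_zone == "internet" and r.dst_zone == "cde":
            findings.append((r.rule_id, "direct internet-to-CDE flow (bypasses DMZ)"))
        # Insecure service admitted from the internet, matched by name or port.
        if r.src_zone == "internet" and (
            r.service in INSECURE_SERVICES or r.dst_port in INSECURE_SERVICES.values()
        ):
            findings.append((r.rule_id, f"insecure service '{r.service}' exposed to internet"))
    return findings


def main():
    for rule_id, finding in audit_rules(RULES, JUSTIFICATIONS):
        print(f"{rule_id}: {finding}")


if __name__ == "__main__":
    main()
```

Run against the constructed data, the review is clean for the three justified rules and reports four findings against fw-003 and fw-004. In practice the register would be the change-control system and the rules would be exported from the firewall, but the checks themselves do not change.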
Lessons learned from history
In the physical world, we have been developing effective defences as the result of centuries of being attacked, such as:
- The 10-year siege of Troy - 1200 B.C.
- The Great Strategy of the Western Roman Empire - 3 A.D.
- The insurgent attack on Camp Bastion, Afghanistan - 2012 A.D.
Conclusion
Perhaps it would be useful to ask yourself some of the following questions (to name a few), so as to be better prepared for when unknown attackers attempt to breach your network defences:
- What confidence do you have in the effectiveness of your network defences?
- What are the capabilities of your hostile aggressors?
- How many weaknesses does your network architecture have?
- Have you considered running automated testing tools against your systems, networks and firewalls/routers, e.g.
o Nipper
o Open-AudIT
o CIS-CAT Tool
o SCAP-validated tools
- When was the last time you reviewed your network defences?
- Have you restricted access to your network’s castle to only those who explicitly need it?
- How effective is your Anti-Virus?
- How good is your end-user security awareness training (so that they recognise the tactics of your aggressors)?
- How effective is your company’s ability to respond swiftly and effectively, so that you can close off your citadel in time?
- When was the last time your business tested how effective your Security Incident Response Plan (SIRP) really is?
- Have you ever engaged a known hostile aggressor (a Penetration Test) to test both your network architecture and your SIRP at the same time?
- When was the last time (if ever) you subjected your organisation to a Social Engineering test?
To contact Nettitude’s editor, please email media@nettitude.com.