Page 50 - GS150702
Education


Help merchants reduce third-party remote access threats



By Gary Glover
SecurityMetrics

Remote access makes doing business extremely convenient for merchants. Yet with this ease, comes vulnerability. Insecure remote access is the number one attack pathway used by hackers today. Keep reading if you're concerned about your portfolio's security.

With an Internet connection and remote access technology, small business owners and their third parties can easily access the business network from anywhere. However, insecure remote access gives hackers a pathway to compromise organization networks and access credit card data.

Remember Target Corp.'s massive data compromise in 2013? That incident reportedly began when a hacker accessed one of Target's systems via a remote access account belonging to an HVAC company. Thus, hackers gained a foothold on an internal system and then leapfrogged to other systems inside the retailer's network. This resulted in the theft of 40 million consumers' credit and debit card data and affected over 70 million people.

How do hackers do it?

Many businesses open their networks to vendors for a streamlined process, better service and improved support. Few implement security policies and procedures governing third-party access. In the majority of recent hacking cases, specific businesses weren't necessarily targeted; the hackers likely scanned the Internet for vulnerable remote access systems and then attempted to compromise them.

If not properly secured, remote access allows attackers to bypass firewalls and most other system security measures and remotely access the POS or other systems in the payment environment. It's simply that easy for hackers, especially because while rules tend to be in place for employees using remote access, the rules aren't always applied to external parties.

Merchant recommendations

Your merchants are using remote access technologies. It's up to you to ensure they are educated to manage this tool securely. Here are five best practices you can recommend to your merchants to encourage remote access security:

1. Limit those who can access the system remotely. Only provide remote access to those whose jobs require it. Don't share remote access credentials, and ensure everyone has a unique username and password.

2. Don't use default remote access passwords. Many remote access systems come pre-installed with a default password easily found online. Not changing a default remote access password just makes a hacker's job easier.

3. Require two-factor authentication. Using a single factor (a password) makes it easy for attackers to gain access. A two-factor authentication process greatly reduces the risk of a successful attack. (Note: user IDs are not considered a factor of authentication.)

4. Keep firewalls up to date. This will help ensure inbound rules provide adequate protection.

5. Train employees. Periodically review data security practices to ensure employees protect sensitive data.
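
A check of practices 1 through 3 against an inventory of remote access accounts, grouped by employee versus vendor because the rules are often not applied to external parties. This is an added example, not part of the original article; the CSV columns, the account names and the functions `audit` and `accounts_with_findings` are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory (not real data). The column names are
# assumptions made for this example, not a standard export format.
SAMPLE_INVENTORY = """\
username,person,party,job_requires_remote,password_is_default,two_factor
jsmith,Jane Smith,employee,yes,no,yes
support,Al Reyes,vendor,yes,yes,no
support,Kim Osei,vendor,yes,yes,no
bcash,Bo Cash,employee,no,no,yes
hvac01,Pat Lund,vendor,yes,no,no
"""


def audit(inventory_csv):
    """Return sorted (username, party, finding) tuples for practices 1-3."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    people = defaultdict(set)
    for row in rows:
        people[row["username"]].add(row["person"])
    findings = set()
    for row in rows:
        user, party = row["username"], row["party"]
        # Practice 1: access only where the job requires it, one person per login.
        if row["job_requires_remote"] != "yes":
            findings.add((user, party, "remote access not required by job"))
        if len(people[user]) > 1:
            findings.add((user, party, "login shared by several people"))
        # Practice 2: the pre-installed default password must be changed.
        if row["password_is_default"] == "yes":
            findings.add((user, party, "default password still set"))
        # Practice 3: a password alone is a single factor.
        if row["two_factor"] != "yes":
            findings.add((user, party, "no two-factor authentication"))
    return sorted(findings)


def accounts_with_findings(findings):
    """Group flagged usernames by party, so gaps in third-party rules stand out."""
    by_party = defaultdict(set)
    for user, party, _ in findings:
        by_party[party].add(user)
    return {party: sorted(users) for party, users in by_party.items()}


if __name__ == "__main__":
    for user, party, finding in audit(SAMPLE_INVENTORY):
        print(f"{party:8} {user:8} {finding}")
```
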

Remote access is here to stay. Security-wise, if merchants wish to continue to use remote access and remain Payment Card Industry Data Security Standard compliant, they have some work to do.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is the Director of Security Assessment at SecurityMetrics. Gary has worked in the IT security industry as a QSA for over 10 years. For more information about SecurityMetrics, visit www.securitymetrics.com.
