Avecto | Bitesize Article How to simply achieve PCI DSS 3.0 compliance Russell Smith, author of ‘Least Privilege Security for Windows 7, Vista and XP’. access to administrator accounts managed Effective from January 1st 2014, organizations have one year to implement PCI 3.0 and make sure that systems are compliant. so that an audit trail can be kept of who had root access to a server at any given time. 2 Protect data Encryption plays an important role in protecting sensitive files, but it’s also essential to ensure that devices handling or storing data are not compromised. Antivirus IT security doesn’t end with antivirus and and endpoint firewalls can help in this a network edge firewall. Today’s threats regard, but removing administrative privileges are sophisticated, often targeted, and it’s from users, and implementing application important to ensure that you have a whitelisting to ensure only approved defense-in-depth strategy in place to protect software can be run, reduce the chances of servers and desktops against attack. devices being infected with malware. A good place to start is to review some IT security doesn’t end with antivirus and a network edge firewall. Today’s threats are sophisticated, often targeted, and it’s important to ensure that you have a defense-indepth strategy in place to protect servers and desktops against attack. Russell Smith The rules for AV deployment in PCI 3.0 basic security best practices that are Malware has long developed beyond the have been expanded to require that not frequently overlooked. point of just causing some minor disruption only should antivirus be installed on each through simple denial-of-service attacks, endpoint, be current, operational, and able Maintain secure systems to phishing sensitive data and user to produce log files, but it must also be Administrative access to all systems credentials to get deeper access to configured to ensure that users are not should be appropriately controlled, including corporate systems. Attacks can be able to disable or uninstall it. vendor supplied systems and network automated and opportunistic, with harvested devices, like switches and routers. A common data being sent back to a server on the Most enterprise-grade antivirus solutions mistake is to set the same administrator Internet, with end users being unaware. already have the capability to prevent users 1 from disabling real-time scanning, and username and password on all PCs, guaranteeing that if the credentials are compromised, the entire network must also 3 Defend against threats and making it difficult to uninstall. Additionally, vulnerabilities it is virtually impossible to uninstall or disable Pattern-based antivirus detection has antivirus, or any other software that is used become less effective over the years as the to apply management or security policy to Similarly, generic administrator accounts sheer quantity of threats has increased, with an endpoint, from a standard user account. on servers should not be shared by IT staff. some malware having the ability to mutate A determined user with administrative Each person who logs on to a server should to avoid detection. Nevertheless, antivirus privileges, or malicious process running with either have their own named account, or still has an important role to play. the user’s login credentials, may be able to be considered ‘owned’. find a way to disable group policy and security systems, even those with tamperproof mechanisms. 5 Monitor privilege use Summary PCI 3.0 has a specific requirement to Achieving PCI DSS 3.0 compliance may log activity of privileged users. If users must seem like a daunting task, but if you follow retain some level of administrative access to some basic principles when designing and Access control machines, for instance when using a deploying IT systems, you will be in a much Like many other regulatory codes, PCI Protected Administrator account, or where better position to make sure your systems 3.0 explicitly states that user privileges must a Privilege Guard policy allows elevation of meet the new standards. be restricted to those required to perform certain apps or processes as defined by the the job role. This means that in most cases, IT department, it’s important to log that About Avecto employees should not be given administrative access to ensure privileges are not abused. As the market leader in privilege management, access to devices. Not only can Avecto Privilege Guard can be configured so organizations rely on Avecto to provide the administrative access to desktops quickly that users must enter a reason before ultimate in desktop and server security whilst lead to instability, system slowdowns and administrative privileges are granted, and measurably reducing operating expenses malfunctions, but it also allows malware to this information is recorded for future across their environments. With a focus on easily gain access to critical system files so analysis. Additionally, Privilege Guard has security through innovation, we are proud to that a PC can be completely owned. flexible messaging that allows Windows 7 have been crowned Fastest Growing Software UAC consent prompts to be customized, Company in the Deloitte Fast 50 and placed in with multi-language support, to give users the Top 10 software companies within EMEA. 4 Not only can administrative access to desktops quickly lead to instability, system slowdowns and malfunctions, but it also allows malware to easily gain access to critical system files so that a PC can be completely owned. Russell Smith confidence that they are responding to genuine requests. With our award-winning technology, Privilege Guard, organizations can now empower all 6 Maintain an IT policy desktop and server users with the privileges An acceptable usage policy should they require to perform their roles, without spell out the rules for using company IT compromising the integrity and security of their resources, and users’ responsibilities for systems. Privilege Guard can be utilized by protecting sensitive company data. Policy organizations of every size to reduce operating documents include information such as how expenses and strengthen security across to set strong passwords, advice about Windows-based environments. downloading documents and files from unknown sources, and installing programs About Russell Smith Standard user accounts limit the damage downloaded from the internet or sources not Russell Smith is the author that malware can inflict on a device should officially sanctioned by the IT department. of Least Privilege Security for Windows 7, Vista and XP it become infected, and in association with published by PACKT, which application whitelisting, the risk of malware Your company’s policy document should be infection can be further reduced. Windows 7 reviewed annually, and include a risk includes details about the applications of User Account Control (UAC) offers a good assessment procedure to identify important Avecto’s Privilege Guard software for solution for consumers, where an all or company assets, potential threats, and Windows least privilege management. Smith nothing least privilege configuration is vulnerabilities. is also contributing editor for Microsoft Best Practices at CDW’s Biztech magazine and a not usually acceptable, but businesses need a more granular privilege management solution. 7 Windows 8 regular contributor to leading industry With much of the focus on businesses journal Windows IT Pro. He holds a diploma migrating to Windows 7, Windows 8 is taking of higher education from the University of Avecto Privilege Guard gives system a backseat for the time being, partly due to London and is a Microsoft Certified Systems administrators the ability to set policies to concerns that the new Modern UI interface Engineer (MCSE). With over 10 years define exactly which applications and involves a steep learning curve for users. experience securing and managing processes are elevated, transparently to end But Windows 8 does offer some advantages Windows Server systems for Fortune users. In addition, Privilege Guard’s over Windows 7, notably support for Secure Global 500 companies and small to application whitelisting solution can be used Boot to help prevent rootkits if the hardware mid-size enterprises, Smith is also an to provide protection against unapproved sports UEFI 2.3.1 (or later), sandboxing of experienced trainer. apps and malicious processes. Windows Store apps, and improved performance and reliability. Americas +1 978-703-4169 UK +44 (0)845 519 0114 [email protected] Follow us on Twitter Americas Dundee Park, Andover, MA, 01810 USA UK Hobart House, 3 Oakwater Avenue, Cheadle Royal BusinessPark, Cheadle SK8 3SR UK www.avecto.com Follow us on Google+