How to simply achieve PCI DSS 3.0 compliance

Avecto | Bitesize Article
How to simply
achieve
PCI DSS 3.0
compliance
Russell Smith, author of ‘Least
Privilege Security for Windows 7,
Vista and XP’.
access to administrator accounts managed
Effective from January 1st
2014, organizations have one
year to implement PCI 3.0
and make sure that systems
are compliant.
so that an audit trail can be kept of who had
root access to a server at any given time.
2
Protect data
Encryption plays an important role
in protecting sensitive files, but it’s also
essential to ensure that devices handling or
storing data are not compromised. Antivirus
IT security doesn’t end with antivirus and
and endpoint firewalls can help in this
a network edge firewall. Today’s threats
regard, but removing administrative privileges
are sophisticated, often targeted, and it’s
from users, and implementing application
important to ensure that you have a
whitelisting to ensure only approved
defense-in-depth strategy in place to protect
software can be run, reduce the chances of
servers and desktops against attack.
devices being infected with malware.
A good place to start is to review some
IT security doesn’t end with
antivirus and a network edge
firewall. Today’s threats are
sophisticated, often targeted,
and it’s important to ensure
that you have a defense-indepth strategy in place to
protect servers and desktops
against attack.
Russell Smith
The rules for AV deployment in PCI 3.0
basic security best practices that are
Malware has long developed beyond the
have been expanded to require that not
frequently overlooked.
point of just causing some minor disruption
only should antivirus be installed on each
through simple denial-of-service attacks,
endpoint, be current, operational, and able
Maintain secure systems
to phishing sensitive data and user
to produce log files, but it must also be
Administrative access to all systems
credentials to get deeper access to
configured to ensure that users are not
should be appropriately controlled, including
corporate systems. Attacks can be
able to disable or uninstall it.
vendor supplied systems and network
automated and opportunistic, with harvested
devices, like switches and routers. A common
data being sent back to a server on the
Most enterprise-grade antivirus solutions
mistake is to set the same administrator
Internet, with end users being unaware.
already have the capability to prevent users
1
from disabling real-time scanning, and
username and password on all PCs,
guaranteeing that if the credentials are
compromised, the entire network must also
3
Defend against threats and
making it difficult to uninstall. Additionally,
vulnerabilities
it is virtually impossible to uninstall or disable
Pattern-based antivirus detection has
antivirus, or any other software that is used
become less effective over the years as the
to apply management or security policy to
Similarly, generic administrator accounts
sheer quantity of threats has increased, with
an endpoint, from a standard user account.
on servers should not be shared by IT staff.
some malware having the ability to mutate
A determined user with administrative
Each person who logs on to a server should
to avoid detection. Nevertheless, antivirus
privileges, or malicious process running with
either have their own named account, or
still has an important role to play.
the user’s login credentials, may be able to
be considered ‘owned’.
find a way to disable group policy and
security systems, even those with tamperproof mechanisms.
5
Monitor privilege use
Summary
PCI 3.0 has a specific requirement to
Achieving PCI DSS 3.0 compliance may
log activity of privileged users. If users must
seem like a daunting task, but if you follow
retain some level of administrative access to
some basic principles when designing and
Access control
machines, for instance when using a
deploying IT systems, you will be in a much
Like many other regulatory codes, PCI
Protected Administrator account, or where
better position to make sure your systems
3.0 explicitly states that user privileges must
a Privilege Guard policy allows elevation of
meet the new standards.
be restricted to those required to perform
certain apps or processes as defined by the
the job role. This means that in most cases,
IT department, it’s important to log that
About Avecto
employees should not be given administrative
access to ensure privileges are not abused.
As the market leader in privilege management,
access to devices. Not only can
Avecto Privilege Guard can be configured so
organizations rely on Avecto to provide the
administrative access to desktops quickly
that users must enter a reason before
ultimate in desktop and server security whilst
lead to instability, system slowdowns and
administrative privileges are granted, and
measurably reducing operating expenses
malfunctions, but it also allows malware to
this information is recorded for future
across their environments. With a focus on
easily gain access to critical system files so
analysis. Additionally, Privilege Guard has
security through innovation, we are proud to
that a PC can be completely owned.
flexible messaging that allows Windows 7
have been crowned Fastest Growing Software
UAC consent prompts to be customized,
Company in the Deloitte Fast 50 and placed in
with multi-language support, to give users
the Top 10 software companies within EMEA.
4
Not only can administrative
access to desktops quickly
lead to instability, system
slowdowns and malfunctions,
but it also allows malware to
easily gain access to critical
system files so that a PC can
be completely owned.
Russell Smith
confidence that they are responding to
genuine requests.
With our award-winning technology, Privilege
Guard, organizations can now empower all
6
Maintain an IT policy
desktop and server users with the privileges
An acceptable usage policy should
they require to perform their roles, without
spell out the rules for using company IT
compromising the integrity and security of their
resources, and users’ responsibilities for
systems. Privilege Guard can be utilized by
protecting sensitive company data. Policy
organizations of every size to reduce operating
documents include information such as how
expenses and strengthen security across
to set strong passwords, advice about
Windows-based environments.
downloading documents and files from
unknown sources, and installing programs
About Russell Smith
Standard user accounts limit the damage
downloaded from the internet or sources not
Russell Smith is the author
that malware can inflict on a device should
officially sanctioned by the IT department.
of Least Privilege Security
for Windows 7, Vista and XP
it become infected, and in association with
published by PACKT, which
application whitelisting, the risk of malware
Your company’s policy document should be
infection can be further reduced. Windows 7
reviewed annually, and include a risk
includes details about the applications of
User Account Control (UAC) offers a good
assessment procedure to identify important
Avecto’s Privilege Guard software for
solution for consumers, where an all or
company assets, potential threats, and
Windows least privilege management. Smith
nothing least privilege configuration is
vulnerabilities.
is also contributing editor for Microsoft Best
Practices at CDW’s Biztech magazine and a
not usually acceptable, but businesses
need a more granular privilege
management solution.
7
Windows 8
regular contributor to leading industry
With much of the focus on businesses
journal Windows IT Pro. He holds a diploma
migrating to Windows 7, Windows 8 is taking
of higher education from the University of
Avecto Privilege Guard gives system
a backseat for the time being, partly due to
London and is a Microsoft Certified Systems
administrators the ability to set policies to
concerns that the new Modern UI interface
Engineer (MCSE). With over 10 years
define exactly which applications and
involves a steep learning curve for users.
experience securing and managing
processes are elevated, transparently to end
But Windows 8 does offer some advantages
Windows Server systems for Fortune
users. In addition, Privilege Guard’s
over Windows 7, notably support for Secure
Global 500 companies and small to
application whitelisting solution can be used
Boot to help prevent rootkits if the hardware
mid-size enterprises, Smith is also an
to provide protection against unapproved
sports UEFI 2.3.1 (or later), sandboxing of
experienced trainer.
apps and malicious processes.
Windows Store apps, and improved
performance and reliability.
Americas +1 978-703-4169
UK +44 (0)845 519 0114
[email protected]
Follow us on Twitter
Americas Dundee Park, Andover, MA, 01810 USA
UK Hobart House, 3 Oakwater Avenue, Cheadle Royal BusinessPark, Cheadle SK8 3SR UK
www.avecto.com
Follow us on Google+