
Are you protecting your customers' private information?

Organizations that accept credit card information must comply with the PCI DSS requirements maintained by the PCI Security Standards Council, and auditors verify that the Cardholder Data Environment (CDE) has the required security controls. With the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and the General Data Protection Regulation (GDPR) in the EU, are you also ensuring that critical information outside PCI scope is properly protected?

Privacy and Brand vs PCI DSS

The practice of protecting only the PCI infrastructure is more common than most security professionals would like to believe. Protecting assets that no regulation requires you to protect is costly: Security Information and Event Management (SIEM) services carry a monthly fee, and those fees vary dramatically by provider. But with PIPEDA allowing fines of up to $100,000 CAD per violation and GDPR allowing fines of up to €20 million or 4% of annual global turnover, the need to protect non-PCI data needs to be re-evaluated. That evaluation can be as simple as determining whether the likelihood of a breach, multiplied by its total cost including reputational damage, outweighs the cost of the additional asset coverage.

If the cost of a breach is higher, those critical assets should receive the same security controls as the systems within the PCI zone. Determining which assets are critical can be tricky. The list below will help guide you in identifying those critical systems.

What is critical information?

Critical information varies by organization but can include intellectual property (such as blueprints), Human Resources documents, or internal documents, workflows or processes. Think of it as information that, if released to the public, could cause reputational damage, hand an advantage to your competitors, or trigger a fine (under PIPEDA or GDPR).

  • Does the server store, transmit or reside in the same network as any critical information? Many organizations have shared drives that all staff can access. These shared drives are among the first targets of attackers once they obtain access to an internal network.

  • How secure are your passwords? Once on a network, attackers can use simple tools to abuse legacy Windows name-resolution services (LLMNR and the NetBIOS name service) and capture NTLM authentication from machines on the same segment. A captured authentication can be relayed to other hosts or cracked offline, and a hash dumped from a compromised host can be used directly to authenticate (pass-the-hash) to any system the account has access to. A strong password alone will not prevent this.

  • Are employees local admins on their workstations? Attackers use employee machines as pivots to traverse the network and find your critical data. Local admin rights allow an attacker to disable most security controls (such as anti-virus) and maintain persistence on the workstation.

  • Have you checked for unused services and service accounts? These accounts and services are often overlooked and never disabled, and they frequently carry elevated access that attackers can use.
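The last three questions above can be checked directly on a Windows estate rather than answered from memory. The following PowerShell audit script is an added example, not code from the original post. It assumes a domain-joined Windows host, run as a local administrator with the RSAT ActiveDirectory module installed, and it uses an arbitrary 90-day inactivity threshold. It reports whether LLMNR and NetBIOS name resolution are disabled and SMB signing is required (the legacy services that poisoning and relay tools abuse to capture NTLM authentication), lists members of the local Administrators group, and flags enabled domain accounts that carry a service principal name but have not logged on within the threshold.

```powershell
# Added audit example (not part of the original post). Assumptions: run on a
# domain-joined Windows host as a local administrator, with the RSAT
# ActiveDirectory module available. The 90-day threshold is arbitrary.
#Requires -Modules ActiveDirectory

$InactiveDays = 90
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Legacy name resolution and SMB signing. LLMNR and NBT-NS are what LAN
#    poisoning tools abuse to capture NTLM authentication; missing SMB signing
#    lets the captured authentication be relayed.
$llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
    -Name EnableMulticast -ErrorAction SilentlyContinue
if (-not $llmnr -or $llmnr.EnableMulticast -ne 0) {
    $findings.Add('LLMNR is not disabled (EnableMulticast should be 0).')
}

$nbtIfaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in $nbtIfaces) {
    $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    if ($opt -ne 2) {
        $findings.Add("NetBIOS over TCP/IP is enabled on $($iface.PSChildName) (NetbiosOptions should be 2).")
    }
}

foreach ($svc in 'LanmanWorkstation', 'LanmanServer') {
    $sig = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters" `
        -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    if (-not $sig -or $sig.RequireSecuritySignature -ne 1) {
        $findings.Add("SMB signing is not required for $svc; captured NTLM authentication can be relayed.")
    }
}

# 2. Local administrators. Every member beyond the built-in Administrator
#    account is a potential pivot if that user's workstation is compromised.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    if ($m.Name -notmatch '\\Administrator$') {
        $findings.Add("Local Administrators member: $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]")
    }
}

# 3. Service accounts. Enabled accounts carrying an SPN that have not
#    authenticated within the threshold are candidates for disablement.
#    MemberOf reflects direct group membership only.
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$staleSvc = Get-ADUser -Filter { Enabled -eq $true -and ServicePrincipalName -like "*" } `
    -Properties LastLogonDate, ServicePrincipalName, MemberOf |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff }
foreach ($u in $staleSvc) {
    $privileged = ($u.MemberOf -match 'CN=(Domain Admins|Enterprise Admins|Administrators),')
    $tag = if ($privileged) { 'PRIVILEGED' } else { 'unprivileged' }
    $findings.Add("Stale service account: $($u.SamAccountName) [$tag], last logon: $($u.LastLogonDate)")
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it on a representative workstation and on a domain controller; the registry checks describe only the host it runs on, while the service-account query covers the whole domain. Accounts that have never logged on show an empty LastLogonDate and are reported as stale on purpose, since they are exactly the forgotten accounts the question is asking about.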

The best way to further explore these situations would be to begin an exercise where you list your critical pieces of information and determine which controls are in place, who has access to it, what would happen if someone unauthorized obtained access, and most importantly, how to react if the information is exposed.

The above list serves as a primer for protecting other critical assets. Penetration testing explores your entire business from an attacker's perspective. Learn more about the purpose of a penetration test and contact us if you'd like to learn more about how we can help protect your customers.

