
Snort your way to PCI compliance

When organizations look to secure their retail stores, branches, or points of sale, meeting the mandates of the Payment Card Industry (PCI) security standard quickly becomes the number one focus area. In fact, the 2015 Verizon PCI Compliance Report shows this when it states that the number of companies that fully complied with the PCI security standards during 2014 rose to 20% from about 11% in 2013. While this increase in compliance is great, Verizon also notes that less than a third of those companies were still fully compliant a year after successful validation. The major takeaway is that it is unfortunately easy to fall out of compliance if organizations don’t take the appropriate steps to maintain their security. With 69% of consumers admitting that they will be less inclined to do business with a breached company, it is increasingly important for reaching and maintaining PCI compliance to be one of the highest priorities for organizations.

PCI Requirement 11 demands that organizations have a sustainable network and application vulnerability management program that evaluates the overall effectiveness of the security measures in place across the organization. In a very telling sign, most organizations that suffered a breach were not compliant with Requirement 11. Intrusion detection and prevention system (hereafter, “IPS”) technology plays a critical role in helping meet PCI compliance by monitoring all traffic in the cardholder data environment and issuing timely alerts on suspected compromises. Of course, simply having the technology is not enough. Considering that many organizations fall out of compliance because of lapsed maintenance, it is absolutely critical that IPS engines are updated with new signatures and rule sets so that new threats are stopped.


Here at Cisco, we’re happy to announce that our Cisco Integrated Services Router (ISR) 4000 Series now comes equipped with Snort IPS to help customers meet these PCI compliance requirements at the branch.


#CiscoChampion Radio S2|Ep 18. Securing ACI

#CiscoChampion Radio is a podcast series by Cisco Champions as technologists. Today we’ll be talking about securing ACI with Cisco Technical Marketing Engineer Carly Stoughton.

Listen to the Podcast.

Learn about the Cisco Champions Program HERE.
See a list of all #CiscoChampion Radio podcasts HERE.
Ask about the next round of Cisco Champions nominations. EMAIL US.

Cisco SME
Carly Stoughton, @_vCarly, Cisco Technical Marketing Engineer

Cisco Champion Guest Hosts
Chris Nickl, @ck_nic, Cloud Infrastructure Architect
Michael Aossey, @aossey, Solutions Architect


Batman, TrustSec, and PCI

One of my passions is PCI compliance. I know that sounds oxymoronic. How can someone actually be passionate about something as dry as compliance? Well, for the sake of argument, I prefer delusional rationalization. I think of myself as Batman! I don’t have his intelligence, money, car, or cape (well, I do have the cape, but that is another story), but I DO want to fight injustice where I can. I do think that there are bad guys out there trying to steal my family’s hard-earned money. PCI compliance is the leading method for securing the world’s payment systems. The bad guys are real, security is getting harder, and I want to fight on the side of good.

The problem with fighting crime with compliance is that it can be so complex. The general strategy to minimize the complexity of PCI compliance is to use segmentation. Segmentation typically involves putting credit card applications and devices onto their own network and using traditional firewalls to secure the perimeter. Although effective, this method brings its own management headaches. Firewall rulesets can become tedious and complex. Readdressing an entire enterprise with the sole driver of compliance is Herculean. Over time, if not properly managed and sustained, this method can lead to bloat, misconfiguration, or worse, a breach.



9 of 9 HIPAA Network Considerations

The HIPAA Omnibus Final Rule is now in effect, and audits will continue in 2014. The Department of Health and Human Services’ Office for Civil Rights has stated several times that both Covered Entities and Business Associates will be audited, and the scope of Business Associates has greatly expanded. I wrote another blog directed towards these new Business Associates. This final blog of the series focuses on covered entities that work with business associates.

  1. HIPAA Audits will continue
  2. The HIPAA Audit Protocol and NIST 800-66 are your best preparation
  3. Knowledge is a powerful weapon―know where your PHI is
  4. Ignorance is not bliss
  5. Risk Assessment drives your baseline
  6. Risk Management is continuous
  7. Security best practices are essential
  8. Breach discovery times: know your discovery tolerance
  9. Your business associate(s) must be tracked

The HIPAA Omnibus Final Rule changed the Business Associate definition and also obligates Business Associates to comply with HIPAA. You will most likely have more business associates than previously, and those business associates that have access to your network and/or your PHI data are obligated to be HIPAA compliant. The Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy and Data Security (December 2012) reveals that 42% of the breaches involved a third-party “snafu”.




8 of 9 HIPAA Network Considerations

Discovering a breach where ePHI has been stolen certainly falls into the ‘not a good day at work’ category. It can be catastrophic for some, especially if the compromise occurred months ago and wasn’t detected, or if a third party discovered the breach for you, which occurs more often than we think: 47-51% of cases from 2010 – 2012, based on the Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy and Data Security.

On our list of 9 HIPAA Network Considerations, we are onto topic #8, Breach discovery times: know your discovery tolerance.

  1. HIPAA Audits will continue
  2. The HIPAA Audit Protocol and NIST 800-66 are your best preparation
  3. Knowledge is a powerful weapon―know where your PHI is
  4. Ignorance is not bliss
  5. Risk Assessment drives your baseline
  6. Risk Management is continuous
  7. Security best practices are essential
  8. Breach discovery times: know your discovery tolerance
  9. Your business associate(s) must be tracked

According to the 2013 Verizon Data Breach Investigations Report, two thirds of the compromises were not discovered for months, or longer. What is your tolerance for “not knowing”? Can that discovery time tolerance be justified through reasonable due diligence, or are you back at the “ignorance is bliss” phase (blog #4), which could be interpreted as Willful Neglect in the case of a breach of PHI?

Source: Verizon 2013 Data Breach Investigations Report

