Small Company Cybersecurity basics: PCI Compliance!

Yes, the small company cyber security basics are included in PCI (Payment Card Industry) compliance.

There are 12 steps to compliance:

  1. Firewall maintenance
  2. Change your default passwords (and create a password policy)
  3. Protect stored cardholder data (if you are not developing software or a website, this may not be necessary)
  4. Encrypt cardholder data – i.e. use devices that encrypt cardholder data (or develop this properly)
  5. Protect all systems against malware (using anti-virus software)
  6. Develop and maintain secure applications (only if you are developing software)
  7. Restrict access to cardholder data (if developing software, authenticate before giving access)
  8. Identify and authenticate access to system components
  9. Authenticate physical access (only qualified people should access credit card systems)
  10. Track and monitor all access to network resources and cardholder data (log systems)
  11. Regularly test security systems and procedures
  12. Maintain a policy that addresses security information for all personnel

But as you can tell, each business will have its own specifics to focus on, especially if it develops web software to accept credit cards. If you do not do credit card (CC) development, a lot of items can be skipped, and if one does a few other items (like segmenting the network) it is even easier. Just make sure all devices that run credit cards are encrypting the CC numbers.

We have modified this set of headings into a security policy. The inventory of all items may not have its own heading, but it is part of a heading, and I believe it is important enough to get its own bubble in the infographic.

I.e. you can make a security policy out of all the headings here (the ones relevant to you).

Why should one become compliant? Because it is basic cybersecurity, so you will save yourself from potential future headaches (possible hacks and ransomware). The attackers are forever trying to steal your resources, and this is a good start (a minimum level of cybersecurity).

What is better than just PCI compliance? Using a framework which encompasses all company processes and data (not just credit card data).

Contact us to discuss


Uploaded my latest Fixvirus show video: Why PCI compliance? 12 subheadings quick ~6min

New PCI – Payment Card Industry Standards in 2019

Version 1.0 of the new Secure Software Requirements and Assessment Procedures was released in January 2019.

So if you are developing software for the payment card industry, either for an application on a website or for a retail location, you have a new framework and software requirements standard.

Developing software to capture credit card information (and use it) is not an easy process. This PCI framework puts a process together to make developing software more secure.


A few helpful aids and informational items for small business. We know small businesses are getting attacked, successfully, for many reasons. PCI Security Standards: small_merchant_guide to safe payments (image from the PDF file).

Next is an obvious attack angle into your computer: phishing. The next image is from the PCI Security Standards Council resource guide on defending against phishing attacks.



Most companies are not creating software; they just want to run equipment and software that works without getting hacked. For that to happen (stay secure and stop the hackers):

  1. Learn how phishing works and create new rules before you answer emails, texts, or phone calls
  2. Patch and update your equipment
  3. Make sure to change passwords periodically, and make them as long as possible (more important than a complex password).
  4. Multi-factor authentication is a great idea to make it harder for hackers to get a successful attack.
  5. Having somebody double-check your environment would be a good idea and would reduce errors and omissions.

Contact Us to discuss

Risk Analysis Gone Wrong?

Since a picture says a thousand words, here is an attempt at explaining risk analysis.

The rows are “Impact on Environment”: none, minimal, minor, significant, major, critical

The “Likelihood” (or “Likely – what % chance it happens”) is the columns: not likely, low, medium, medium-high, high, will happen.

These are not “real” systems in anyone’s network, only an example of different CVE (Common Vulnerabilities and Exposures) risks in a hypothetical company, although I picked on the IoT systems as the likely weak link (one has to update the camera or UPS device software or one can be hacked). IoT systems are a weak link since they are not as easy to upgrade, yet they require upkeep like all systems.

In the past I was trying to explain the weak links with this picture:

The problem is that once one system is hacked, the whole network, with all of its critical systems, is left open.

In the new image I am trying to explain what happens if a less important system is hacked (like the IoT systems): an IoT system with a critical vulnerability but only a medium likelihood of being hacked.

Once hacked, this system lets the attacker survey other targets; this is where systems with lower CVE scores (3-6) are canvassed, and with the right vulnerabilities the hacker attacks them and sets up persistent methods to stay in the network. Of course the idea is not just to stay in the network; the attacker wants to reach valuable targets.

Such as having a high CVE on less critical systems, before the final attack on a critical system at the highest level.

The ultimate and worst possible attack is a remote code execution attack, since with a simple attack one can execute code on the system; for a hacker it is easily done.

So explaining the attack in total gives one a fuller and more complete understanding of the ultimate goal. But what is even more important? Now having the ability to assess risk better. Instead of assessing each device separately with each vulnerability, one must now assess the impact and likelihood with the total attack in mind.

Which means what? Lower-scored vulnerabilities can have higher impacts. How should we account for this phenomenon?

We have to think like attackers (hypothetically) to figure out which lower-vulnerability system would be nice for them to have, so that the hypothetical attack can advance through to the eventual goal.
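One way to turn that attacker's-eye reasoning into a repeatable defender's check, as an added example that is not from the original post: score each system twice, once on its own matrix cell and once charged with the worst impact an attacker could reach from it, then patch in that order. The system names, impact and likelihood values and the reachability links are constructed for illustration.

```python
# Added example, not from the original post: path-aware risk scoring for a
# hypothetical flat network. A device that scores low on its own (the IoT
# camera, minimal impact) ranks first once you count where an attacker could
# pivot after compromising it. All names, values and links are constructed.

IMPACT = ["none", "minimal", "minor", "significant", "major", "critical"]
LIKELIHOOD = ["not likely", "low", "medium", "medium-high", "high", "will happen"]
# Hypothetical inventory: name -> (impact if compromised, likelihood of compromise)
SYSTEMS = {
    "ip-camera": ("minimal", "medium"),        # IoT, high CVE, rarely patched
    "ups-controller": ("minimal", "medium"),   # IoT, same problem
    "file-server": ("significant", "low"),     # mid-range CVEs (3-6)
    "db-server": ("critical", "not likely"),   # well patched, but the real prize
}
# Hypothetical reachability once a system is compromised (no segmentation).
REACH = {
    "ip-camera": ["ups-controller", "file-server"],
    "ups-controller": ["file-server"],
    "file-server": ["db-server"],
    "db-server": [],
}

def cell_score(impact, likelihood):
    """Score one cell of the matrix: impact rank times likelihood rank (0-5 each)."""
    return IMPACT.index(impact) * LIKELIHOOD.index(likelihood)

def reachable(start, reach=REACH):
    """Every system an attacker could pivot to from `start` (depth-first walk)."""
    seen, stack = set(), [start]
    while stack:
        for nxt in reach.get(stack.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def standalone_risk(name, systems=SYSTEMS):
    """Per-device view: only the device's own impact and likelihood."""
    return cell_score(*systems[name])

def path_aware_risk(name, systems=SYSTEMS, reach=REACH):
    """Attack-chain view: keep the entry point's likelihood, but charge it with
    the worst impact among everything it can reach."""
    own_impact, likelihood = systems[name]
    candidates = [own_impact] + [systems[n][0] for n in reachable(name, reach)]
    return cell_score(max(candidates, key=IMPACT.index), likelihood)

def patch_order(systems=SYSTEMS, reach=REACH):
    """What to fix next: systems ordered by path-aware risk, highest first."""
    return sorted(systems, key=lambda n: path_aware_risk(n, systems, reach), reverse=True)
```

With these constructed values the camera jumps from a standalone score of 2 to a path-aware score of 10, while the well-patched database stays at 0; segmenting the IoT devices (removing their links in REACH) is what brings the camera back down.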

You might be saying now: that’s all? That is all I have to do? Sort my systems, figure out the vulnerabilities, and then patch them. Well, it is not that easy, since life brings its vacations, sicknesses, labor issues, and other things your way. Vulnerabilities come at inopportune times (they do not care if your family has an event); the hacker will hack you at Christmas without batting an eye. The truth of it is that the reason people and companies get hacked is that their vulnerability management programs do not take sickness and vacations into account. Thus labor is always pushed into ever more difficult situations. There seems to be a constant push for cost containment in IT and computer security, since it is assumed all systems should be secure; a cost was not associated with computer security in the past. This is why many companies lost their cohesion over time, and then something happens and the attackers get in.

Once the attacker has a toehold, it is possible to stay undetected for months. Meanwhile, the patching lifecycle is also front and center as the reason many systems get hacked.

Notice that when a vulnerability is found by a researcher it takes many days to actually get a fix for the vulnerability, and then it takes yet another few weeks before installing it in your system. It may be 60 days before the system is safe from attack. So we are in a constant state of risk in our networks. This is why every monthly report of new vulnerabilities is important to review, and why we must continually test for any potential weaknesses in the network.


Now that you know the full reasons from A to Z it is easier to actually assess risk on systems.

What you need when assessing risk is to review all possible risks and decide what to focus on next.

Contact for more information or to discuss your risk assessment.

Also, the latest CapitalOne hack seems to have been a cloud misconfiguration, which raises the question of why it was storing private information in a public cloud. Cyberscoop discusses this in more detail. The breach response may have been fast, but there was a major failure of architecture.


An interesting take on the CapitalOne breach from a former employee:

He says that the configuration was faulty, as one IAM (Identity Access Management) could be used to access all data (which is a large weak link). I.e. if a hacker can get one account username and password, they have all of the data.

The thing to do is to perform threat modeling and review your architecture as well as vulnerability management.

Compliance vs Framework

Is it better to focus on compliance or on a framework system?

I.e. PCI or HIPAA compliance versus ITIL or COBIT for example.

There are more regulations coming, so let’s add a couple of the US-based ones: SHIELD (Stop Hacks and Improve Electronic Data Security) and CCPA (California Consumer Privacy Act).

  1. SHIELD – Stop Hacks and Improve Electronic Data Security Act, became law in New York (January 2019). One must adopt “reasonable safeguards to protect security, confidentiality and integrity” of private information.
  2. CCPA – becomes law in January 2020 and requires broad protection of information (job description, IP addresses, web browsing history, and more personal data like addresses and more)

Red Gate software has an interesting comparison of the compliance and regulation issues in the USA.

In the case of who is most affected by a compliance or framework focus, we need to define the audience first. The audience for this blog post is the small and medium business (SMB) person in charge of the business or the top IT person. An enterprise business will eventually perform a framework, compliance, and all regulations; the larger the business, the more a framework has to make sense.

What will an SMB entity’s decision require?

  1. It depends mostly on the organization: how big it is
  2. How many people and computers there are, and what type of compliance is a must
  3. The issue is how decisions flow from the business to IT

In the past I have been in situations where I am in charge of the IT department and the decision process leads to the Operations Officer or President. Some business need is presented to either officer, and then I as IT am tasked to provide a solution to the basic business need (a new computer system) or a bigger task like adding a new branch.

These basic decisions are not complicated decisions, but they do set a direction for the company. When buying a new device, does it get checked to see if it is configured for security? When designing a new branch system, how will the new branch be integrated into the current systems?

Under PCI compliance all one needs to do is segment the network that the payment system is on, and now compliance is easier to prove. Of course, if that can’t be done due to business needs which integrate credit card payment and customer information, then there is no segregation of credit card data from the other streams of data in the company.

Whenever the lines between the compliance needs and the rest of the company become blurred, a framework could help with a solution.

Governance is when a group of people (the board) make decisions with a future direction in mind. The decisions become more strategic, as several items are weighed: business needs (CEO/COO), cybersecurity (CISO), information technology (CIO), and other business leaders, depending on specialization. Each new direction or decision, like starting to create branches of the company, can be built in many different ways using technology. The governance board will publish the decisions and create a security policy which talks about bringing your own devices onto the network (only onto the guest network, for example).

What is COBIT, for example? “COBIT is an IT management framework developed by the ISACA to help businesses develop, organize and implement strategies around information management and governance.” The article that quote comes from gives a decent overview (a third party looking at COBIT, instead of an ISACA review).

So there are 40 governance and management objectives for establishing a new governance program. Most interesting, we can use maturity and capability measurements. One can now truly keep all company factors in mind to create an IT governance strategy.

The difference with PCI compliance is stark, as PCI compliance needs a quarterly report with a method to review and resolve vulnerability assessments through a patching program. Basically, a vulnerability management program will write the PCI compliance report without too many additional points.

So PCI compliance does not address how to make future decisions, although one can see how a decision could affect the compliance report. There is no mechanism that says with A, B, and C you should do “this acme action”. In fact, the compliance standard focuses only on credit card (CC) data. The problem in an integrated environment (without segmented areas of the network to keep the CC data in) is that all devices must be opened up to vulnerability management.

There are more regulations that focus on privacy data like IP addresses, physical addresses of customers, cookies, and any other possible privacy-revealing data of possible customers. This would be the CCPA in California.

Another regulation is the NY SHIELD law, which sets minimum cybersecurity requirements. It also revises the current NY data breach notification law.

Courtney Bowman has a good blog post discussing this Act.

Don’t forget to include a pervasive testing regimen to help your IT staff validate the environment. PCI compliance requires it, and thus it is also in all governance initiatives.

This is our focus (testing the environment): we use tests and reports to help the governance board make decisions to complete business goals.

Contact Us to discuss

Why Are Hackers Successful?

The Number 1 reason is: “We do not do an adequate job of patching and paying attention to security!”

Again and again we can find reports and stories of entities not doing basic tasks:

The above image is from a Protiviti report.


Why are the basics not being done?

Because a concerted effort to manage IT tasks month after month is not easy; in fact it is a difficult challenge. What is difficult about the everyday reality of patching hundreds of systems on at least a monthly basis?

Well, let’s list a few problems that arise:

  1. Personnel challenges – sickness, vacation, doctor visits, kids, parents, brothers, sisters, and spouse conflicts.
  2. So many things can go wrong with the actual device itself, even when used correctly. Or if it is a laptop, then it has to be plugged into the network with VPN or directly on the network for it to download and get updated.
  3. The two above are the normal challenges; how about abnormal ones? What about somebody installing new software that conflicts with the patch? Now the patch does not install correctly and the system is vulnerable to attack.


So knowing some of these items means management has to schedule and account for potential problems, which means it sometimes costs more resources than anticipated. This may be a problem, and then management pushes back onto IT to say no more OT this month!

In basic terms, stuff happens and then patches are not applied. If this management process is more broken than fixed, there will be plenty of chances for hackers to attack.

It depends on the maturity of management thoughts and actions. Is management more willing to make sure the patches are applied, or are they willing to let patches slide for a little while?

The answer is to create processes to fulfill compliance mandates and not deviate from this method.

I.e. quarterly meetings at minimum, with required review and testing of all systems that are important and of potential other systems.

Contact Us to discuss this with you

Punch line? Hackers are successful due to the failure of management actions and thoughts in regards to cybersecurity.