In this webinar, SecurityMetrics' George Mateaki (QSA, PA-QSA, CISSP, CISA) covers:
- What we learned about PCI in 2018
- Top payment breach threats and trends
- Tips to improve your PCI compliance and data security in 2019
This webinar was hosted on June 19th, 2019.
0:01 All right, welcome everyone to our webinar PCI compliance best practices for 2019. My name is Andrew and I work in Marketing here at SecurityMetrics.
0:10 And I'm pleased to introduce our presenter today George Mateaki who is a QSA CISSP and CISA. He's been here at SecurityMetrics for many years and he has a lot of experience helping businesses secure their sensitive data and meet PCI compliance requirements. Just a reminder. If you have any questions during the webinar, please feel free to email us. You can send those two events at securitymetrics.com. So with that I'm going to go ahead and turn the time over to George and we will dive into the agenda. Thanks everyone. Thank you. We'll go ahead and start with the agenda as mentioned. So what we're looking at doing today is we're going to talk about what we learned in 2018 with regards to PCI. And then we're going to take a look at some of the top payment breaches the threats and trends that we've seen and then we're going to finish off with a number of tips on how you can improve your compliance in 2019.
1:25 All right. So, what PCI best practices did we learn in 2018? Well, there wasn't a whole lot of new things that happened in the updates in the PCI standard. We moved to 3.2.1 that for the most part it was characterized by clarification. And so the PCI Council wanted to ensure that the intent of those controls were understood and and help people better comply with the intent of those controls. Another thing that was observed is that you know, merchants are still struggling with keeping up with all the vulnerabilities and over time these stack up and if they're not being addressed they become a real issue. We have a number of services we offer merchants and from that we were able to observe where merchants have issues. What are their top challenges and you'll see in these couple of slides here what the top failing SAQ sections were these represent the areas where you know people actually had challenges meeting and surprisingly the first one there is 12.1 for me. That's almost a shock because it will basically you're saying you're having trouble establishing your security policy. So 12.1 established publish, maintain and disseminate a security policy. I just want to reinforce this idea of it. That's your backbone. That's where everything is based on if you don't have a security policy, you can't determine whether what you can improve it serves as your baseline. That's where you start and it gives you an idea of where the direction you need to head to improve things. So that's just really critical. So anyhow, that's a surprise to me. But that's one area where people are struggling.
3:23 The second one is 12.6.1 which has to do with training now that's a pretty basic one. But basically ensuring that people are getting their training when they're around PCI security and security in general upon hiring at least annually and then the next one was 12.5.3. Now, this is more process around incident response. You know, do you have an established process? If you don't have your policy in place, you probably don't have a process in place that's going to address incident response meaning something happens that looks like a breach or somebody gets infected. What do you do the people know what they need to do and that does not seem to have been complied with based on what we saw and you'll notice these next few items reflect what we just mentioned here 12.10.1 is again another incident response item. And in this case the actual plan do they have a plan in place? A documented plan on what you do if something happens.
4:23 And then the final one here 12.1.1 again security policy. Well, if you don't establish one, then you know, you're not reviewing it either. So review your policy on an annual basis and ensure that somebody is signing off that they actually did that. Now we have for a forensics team and in 2018, they were able to collect some data and what we noticed was that 50% of the organizations that were breached were this was from a remote execution injection style of attacked and so those types of attacks have been on the rise in recent years, but 50 percent of the ones we investigated were of that type of attack and then 33 percent of them were from somebody on the inside.
5:21 Now you may say I'm just gonna throw this out real quick, but you may think well, how can we protect against you know, people that have the keys to the kingdom they have access. Well, how can we possibly protect against that? Well, it comes down to accountability right your change control ensuring that there's controls around when things change and and tracking who changed them.
5:44 That's how you deal with that sort of risk, but we'll get into more of that a little bit later and finally 17 percent of organizations were falling for the phishing schemes the schemes where people are trying to fake or trick people into responding to emails and to expose, you know, data that could possibly lead to additional data loss and so based on those our forensic team investigations, this is what we were seeing. Organizational vulnerabilities now, these are a little different but it's basically what parts of the organization have created a potential attack vectors ways that people can be attacked. So the very first item you see there's employee, the employees. Now, if you get anything out of this webinar, please understand that you need to train your employees. They represent a threat, meaning if they don't know what they're supposed to do in certain scenarios, you're opening yourself up to security breach. So employee training is critical in securing your organization. The second item there insecure coding and that's more of a process item.
7:01 And the third item. Is this something that's becoming more and more acceptable is your bring your own device type procedures your iPhones or iPads are becoming more and more part of our life and they're finding their way into into the organization. Be aware., you do need policy and process around this or else those those issues that deal with with having less secure environments that affect these devices will find their way into your organization.
7:34 And then third party issues, issues around you know, how do you manage third-party access to your third parties that provide services? How do you manage that? Then finally,insecure remote access. This is probably one that has been around for many years and one that continues to be an issue and that's simply around not configuring it correctly. So sometimes attackers are looking at something beyond PCI and they can still affect you in a way. So sometimes people get caught up in the mode of I just need to click some checkboxes and to ensure that if I as long as I'm clicking these checkboxes, I'm putting in the basic stuff needed. I'll be secure and and what you know, what you miss is there could be other areas in your environment that open you up to to breach.
8:35 So let me just get going to outline a quick story about this are one of our QSAs was assessing an environment that had incorporated a peer-to-peer solution a P2PE solution and that you know took a lot of things out of scope and so the entity the organization so that we don't want you looking at everything you just look at only what's applicable scope wise. And so after that assessment what happened that they were hit with ransomware. And in this case what happened was the ransomware was able to make it so that their systems couldn't accept credit cards the things that the system's depended on for processing credit cards, which weren't in the environment but affected the environment we're not secured appropriately and this resulted in nine hundred locations not being able to process a transaction and that resulted in the loss of just those three days in the loss of millions of dollars in revenue.
9:42 So, you know, just because you have checked the boxes sometimes that sort of mentality toward compliance can get you in trouble. So payment applications. What are some of the top threats that affect them you see remote access now, this is as simple as properly securing your remote access to your infrastructure and that continues to be an issue. It's very easy to misconfigure these things and you know, you do need to allocate time and resource to make sure they're set up correctly. Next slide is talking about phishing, email phishing. This continues to be an issue again training. I'm going to re-emphasize this throughout this webinar training is how you address this mitigate this issue this risk making sure that employees know they shouldn't click on things that they're not familiar with that they shouldn't go to websites that they have no idea what they’re about.
10:49 Avoid exposing your company to unneeded risk. So email phishing continues to be a main issue that causes problems for payment systems. Ransomware, you know that's a newer type of threat in 2017 that rose to the top attack that was being observed out in the different organizations and then toward the end of 2017. It dropped as of recent, Ransomware attacks have declined. However, this still remains a very profitable area some of the other threats that have happened in that space our cyber mine or crypto mining rather and and Trojans and banking Trojans, and that's those sorts of threats in 2017.
11:50 Ransomware fell below those threats but so there is a little bit of a decline. But what we have observed is that they're being a little more careful on what they target. So in the realm of ransomware what has been the On The Rise is targeting of Health Care Systems. Health Care Systems and businesses that deal with public entities. So the targeting is becoming a little more surgical they're going after entities that can actually pay them and that actually have to be up. It's not easy for a hospital or a public entity to be down. So these represent targets that are more likely to pay and so that's where we've seen ransomware move toward. So what do you do? What can you do to mitigate risks around ransomware?
12:51 Well, so another thing that was observed is that you know Sophos got some data and that 75% of all the ransomware breaches had current endpoint updates security so current antivirus and all those things but still they had issue. Now here is a perfect example of defense in depth, right? You get away from the moat mentality, meaning you don't make this ultra hard perimeter and then once they breach it they're in and they have access to everything. You need another layer of defense. So in the case of ransomware, you have to make multiple strategies, right? Defense in depth. So in the event that they do somehow breach your perimeter. Do you have anything to mitigate risks inside things like a good backup strategy?
13:50 Meaning you have multiple days and weeks that you can go back to to find out when you know, you were not infected to try to reverse things. So simply, you know let me throw out some names of folks that were subject to ransomware. You have a Boeing aircraft, cities, the Department of Transportation. Department of Transportation in Colorado, they were hit with something called Sam Sam. And in this case Sam Sam had polymorphic attributes where it would change itself slightly. And so, you know antivirus had a difficult time detecting it and so you have these very advanced types of attacks going on. But anyhow, Sam Sam was able to net around six and a half million dollars. You'll see articles being written these days about ransomware. A lot of them say that the approach to it is don't pay them. Well, that may not be possible. If you're a public entity or a healthcare entity and you can't be down. So you know, in addition to doing what you need to do on the perimeter you need defense inside as well. You need good logging you need good backup process that protects you from backing up the ransomware, you know, making sure you're able to separate the backups in a way that they don't get contaminated.
15:34 Okay, so that's probably a lot of discussion there on ransomware. Let's let's move on to the next area here formjacking now. This is something that we've seen on the rise and and it also has many folks, like who is it, Symantec did studies on some of the threats that they're seeing and they have done studies where they found 33 thousand websites that if you go to them they're going to automatically infect you with with different types of malware that allows for you know, stealing of data. So messing with web resources in a way that they can exfiltrate data and grab stuff that you're processing view your browser Is on the rise and it's out there.
16:33 You know to include people sticking in malware that can actually take over your system and be helping in the crypto mining where they're using your system as a resource. So malware is lurking in all sorts of places and I think SecurityMetrics has some resources that can help specifically help with this type of threat, but this is something that is on the rise. So basically formjacking in this context that I'm on this slide you have a piece of code that is taking over and making it look like a transaction’s going through but it's actually exfiltrating data to a malicious entity. Okay. Now we did so as mentioned earlier from the forensic investigation, 33% of the threats came from insiders and and again, I mentioned earlier that you know good accounting can help mitigate that sort of risk and you know, so those are the types of actions you can take against that, you know, this whole section is all basically PCI controls and perhaps, you know, I'll try to emphasize those things that I see that people have challenges with. The first one, determine your scope. Okay? So this is critical right if you notice the top cybersecurity top 20 items, top 20 cyber security controls up there on the top is your inventory. You have to know what you have in order to protect it. For PCI, it's the same thing.
18:25 You have to determine where your card data environment is, where are the card flows occurring. So part of understanding your scope, you have to document it right you have to have a process in place that people do not create new flows unless they go through someone they go through some change process that a diagram that shows the card flow documentation needs to be part of that process and you need to understand, you know, your flows that come into your card data environment and those that go out so that's critical. So what's involved in the scope? You have people you have processed and you have technology. Sometimes people can get caught up with the technology side of things, you know, and they think oh, PCI is all about the computers in the systems. Well remember that it's also the process and people involved in those things.
19:22 A lot of times people can introduce a part of the process that it causes exposure, you know, simply changing the process to okay, we're going to keep a little form that has payment information on it just for a couple days just in case somebody tries to cancel something and then we'll shred it. So it's okay because it'll be shred. Well for a PCI perspective those couple of days after you've sent the transaction through represent card storage that data needs to be secured. There's all kinds of extra items that come into play the moment, you know, you change your process so be well aware that's something that you need to consider as things change. So critical here when you're having those discussions with perhaps other people that do card data is to understand how it enters their department and how it exits, you know, sometimes there are things like well, we have a courier take the whatever the card data is and take it somewhere for processing. So those are things that need to be understood, tracked, you know accountabilities, big, those sorts of things. So for segmentation in PCI, if you're doing a segmentation test your testing to see that networks that may be attached via a device but should not have any access to the card data environment actually do not. You're validating that things by design that should not have access to your card data environment are actually that way. So when it comes to segmentation, you're trying to remove things from scope the moment that you have scope or rather that you don't segment your network and you have other networks attached you increase your scope and you create the potential for problems. So for example, your office network and your system, your network that has your database system and maybe parts of the payment application though need to be separate, you know from your office network so that all of the little systems and all the various pieces of software for other purposes do not cause a problem. So segmenting your environment is critical in limiting your scope to just what it needs to be. Let's talk a little bit about documentation. So I mentioned that changes in your process your card flow will, you know, those are important to document and make sure they go through change management. Now your documentation is part of what helps keep you secure if you're not tracking what's occurring, you know things or process could be sidetracked and you open up new vulnerabilities. Determine and address your vulnerabilities, review and update your risk assessment on an annual basis. So this section here, I'm gonna go into a little more detail. So with the risk assessment and PCI, the purpose is that you look at the big picture and you see threats to your industry. And if any of those affect your PCI environment, then you need to take appropriate action, right? So the approach is that you lay out all the potential threats to your industry to include any threats right include things that are of a technical nature and then you find out what impact would be if that threat were realized.
23:14 So you have a vulnerability, some flaw, some issues, some design problem or something that threatens your business and then if that threat were realized what would be the impact or the value and then the other question is how likely is that to happen? And that would represent your risk. So your risk is basically how bad it would be and how likely it is that that thing would happen and as that goes up then your risk goes up and you prioritize these things, right? So for example, there is a risk of flood for some reason. Our data center was put in a basement and you know, it sounded like a cheap alternative at the time and now we understand that there's a threat of flood in the environment in the area that we didn't have before so that's a very real threat, a very real risk. All right. So what would be the impact? Well, you can assess a dollar value to that and and how often the floods happen, you know in the area you can say well the likelihood is we get a flood once every 10 years.
24:29 And so you make that calculation and you create a level of risk and then you get all the items that could cause a problem for your business and you rank them via based on the risk the ones on the top you need to address them immediately. Right? And so the idea is you're well aware, you get the big picture, you know, what threatens your environment you mitigate the risks as appropriate you allocate resources and this items really critical you need to put time you need to associate a target time that thing gets mediated remediated.
25:06 So why? Because otherwise, this is just a long list of good intentions. And we all know what road is paved that way, right? So good intentions will only get you so far allocating a real live resource and a target date is what helps move things forward and when it comes to risk assessment, that's something that's required. As we mentioned earlier, things change in your environment to include card data flows . In the bigger picture, when you’re doing a risk assessment, you want to look at things like, was there a recent merger? Did we acquire anybody? You know have computer systems changed? Did we upgrade our operating system? Have the server's gone out of warranty? Are they no longer covered? Do we need things like that? You know, you need to look at what's happening in your environment. What are the major changes that have occurred?
26:03 So back to my little reinforcement of how important it is to assign a date and a resource to the risk that you rank. You can't put this thing off. Procrastination will increase your risk and increase the probability that you'll be breached. So by all means get that down immediately or get your remediation immediately done. This whole section is about security policies and procedures. Place someone in charge. So that's a PCI requirement, right? You can't get PCI compliant unless you're following this and that should be in your policy.
26:46 Someone needs to think about this when they go home at night, you know, is there somebody that worries about information security and I'm just going to throw this out there because this is a big thing that I've seen many times in the interest of saving money, people pile stuff on the IT person and to include compliance. And many times they are creating a security risk, a problem because the person is not able to multitask and they only have a finite amount of resources. They'll reach a limit where they're going to have to decide on doing one thing well, and the others, just whatever is possible and at that point you've created a security risk. So you need to allocate resources appropriately to strengthen security. That is a security concern not allocating adequate staff. So by all means place somebody in charge of the compliance efforts, your PCI compliance. You can also, you know bring in consultants, bring in a trained security person that's familiar with these things and understands, you know, what some challenges are.
28:00 Point out that you know, the IT person has a bit of a conflict if they're also the security person right when the IT person says or thinks that oh, this is easier on me from a job perspective. I'm not going to push this security side of it because that's impacting how easy it is to do my job. So there's a conflict there, right? So making the IT person also the security person is not always the best idea. Again, another reinforcement of training; important that you're training your staff on your policies and procedures so they know what they're supposed to do and let me just add to that; that when you are trying to push out policy and procedure this needs to be culture, right? It comes from the top, it needs to become this is how things are done here at our organization.
29:02 It can't be we have to do this silly PCI thing. That's not a culture, that's you know, that it needs to change from that. It can't be, that's more along the lines of checklist compliance. And so in order for policies and procedures to become effective, they have to become the culture of the organization, and again that comes from the top. You can't have executives, you know, making little exceptions for themselves and not being a good example to people that need to be compliant. It becomes more dangerous as your higher level leadership are making exceptions and skirt the controls because they actually have more to lose, they have actual critical data that can be lost.
29:56 All right. Also, you know policy that's two to three pages is not going to do it for PCI. And if any of you have done that you realize there's a lot of supplemental policies that support your main policy and it's going to be a lot longer than two to three pages strengthening physical security. Okay again with the idea that you don't want a moat mentality, you know, you have to understand the big picture understand where card flows are, understand the areas that could impact security, right? There have been buildings that will spend a ton of money on securing the front of their office and then they buy a $20 Home Depot door for the kitchen and the kitchen, you know leads right to the office and so the back door, the little kitchen door $20 type of investment in security does not make sense, right?
30:54 But anyhow, physical security is something you need to consider. Even though many times people focus on the technology side. So make any necessary physical security changes.
31:11 Make sure you're controlling visitors, maintenance people that come in to clean the place. Make sure that that's all controlled appropriately so that you know, you're not opening yourself up to vulnerability there. Make sure that appropriate tracking is their video surveillance, etc.
31:29 And this is sort of reinforcing what we mentioned earlier about documentation. The documentation is critical. So if processes change make sure that there's a way that things get documented right for process change. There should be some notification process many organizations and this may be a bit much for some smaller organizations, but many organizations have what's called a change board. They meet on a regular basis and they approve all changes, you know, the point I'm trying to emphasize here is that there needs to be a process that alerts to any changes in any sorts of changes and if a change occurs something, you know things like do we need to update the network diagram do we need to update card data flows? Those should be part of the process established and documented.
32:24 I cannot emphasize this enough updates and patching. It's amazing to me that I go into very large organizations and I see people not patching, you know, and and in my mind, you know, a system administrator. I've a lot of my career was spent doing that. It's difficult to see how someone could fail at patching their system. But you know possibly as IT professionals are overloaded or whatever the issue is things will fall out of patch. Criminals continue till this day; 222 breach systems that are missing old patches, which is amazing to me, but that is still a very common way of reaching a system looking for old vulnerabilities.
33:16 All right. So you need to be consistent on doing your patches and remember it's not just your OS, right?
33:24 Especially with this formjacking and the newer ways that people are stealing data. You need to update those software pieces that are critical to your card data environment. And in fact, you know, if in general, IT in general, systems that are critical to your business, they need to be updated and patched. So, you know, whatever Java you're using or whatever software you are using they need to be patched and with current security patches. You cannot neglect that that's one piece you have to take care of and it's not easy. All right patches can cause systems to crash so you do what's appropriate, you set up maintenance windows, you make sure that there's functionality testing. People from the business come and test and make sure software still does what it's supposed to do. It is a very critical piece of securing your IT environment actually. Let me just mention a few items here that you should probably update with your patching. Obviously we mention operating system, you know, your windows system, patch Tuesday, Linux and whatever operating system is running your systems antivirus, you know, there's signatures that need to be there, need to be updated firewalls. Sometimes firewalls get less attention for whatever reason but you should be up to date whoever your sysadmin is or whoever's taking care of these needs to know what patches are coming out and what needs to be done. Intrusion detection systems and file integrity monitoring those have patches. Do it all. It's just a piece of software and they get updates and applications configure and review logs.
35:15 Logging is big in PCI. There's a ton of requirements that you have to meet for logging. And again, it's accountability. If you aren't able to track what's going on, it's difficult to deter criminals. You need to be able to understand, you know things that are not normal, things that should alert you to a potential for a problem. So logs are super critical and so from a PCI perspective in 2019, make sure you have a good established process around logs that things that need to be logged they’re being logged and that people that need to be alerted are being alerted.
36:04 Let me just throw this out there. Intrusion detection, if you have an idea system and it's spewing 20,000 alerts every day that becomes very difficult to manage it you have to tame that thing to where it's manageable to where you can deal with all the issues. It's saying you have to deal with things like false positives. You need to make your logging practical, it needs to work. It needs to be able to alert someone to say hey, this is different. You better look at this. This could be somebody trying to steal stuff from your business. So encryption’s huge right, any data at rest needs to be encrypted any card data, and so you have to use appropriate encryption which PCI outlines for you. What's the bare minimum requirement, intrusion detection. We've talked about these things already file integrity monitoring, remote access security, make sure you configure it correctly. Again another area that has been a top of the list of reasons why people get breached and let me just add something else here. So PCI, you know the controls they represent a minimum of what you have to have in place because every single one of these has been the reason someone was breached, right? So they represent the bare minimum of where there are baseline and then based on what you're protecting based on your organization you decide where you need to put additional controls, you know. I know of people that set up a monitoring system where any change occurs in their environment be it a patch or a new server comes online, there's five people that get alerted every time something happens.
37:58 So they've increased their monitoring beyond what the bare minimum of what PCI requires but in that case they have a reason right there. They have a specific piece of data that has a value and they've determined that it merits that sort of business resource allocation. And so again PCI should be the bare minimum of what you do and then you build from there, you refine from there, improve on that and secure it for what your environment requires. Wireless, you know, a lot of times a PCI people just avoid it avoid it altogether, but if you are using wireless, you have to protect it appropriately with the firewall. You need to use some at least WPA2 with AES 256 is a very common approach, you secure it appropriately. Web application security, this is you know, really important. PCI prescribes having scanning technology, as you do changes to your web environment, your web application. They also advocate incorporating a web application firewall which stops, you know, if you go to the Olaf's top attacks, you can see a lot of web application firewalls will protect against those sorts of attacks. And then system hardening, this is a pretty critical and I'm just going to comment on this just a little bit if you look at CIS hardening standards their massive three to four hundred page documents that detail all the different areas you can you can configure to secure a system be it windows or other. And in some instances, if you did every single thing they said to do you'd be very secure but some things may not work.
39:57 So you have to make a determination of what makes sense in your environment. Very often people will do the basic, you know changing the system administrator name increasing the parameters required for authentication, beefing up remote access requirements, those types of things. You don't have to have a 300-page hardening guide, but you should at least address the things that are the most critical, the things that are resulting in breaches today. So that should be a guidance on how you can approach that but definitely changing any sort of default configuration that, you know, would open you up to a security problem. Things like passwords, obviously.
40:49 And then penetration testing. So penetration testing is pretty critical beyond just your vulnerability scanning. It's a you know, it's a much deeper test and many times people will compare a vulnerability scan to an x-ray and a penetration test an MRI. You're going way deep, way detailed and you're trying to see if you know, if a serious attacker came upon your environment, what could they do? Could they actually breach anything? And so that's critical to determining where you're at and seeing what direction you need to move to further secure things. Training; I know I've mentioned this many times but again training’s critical if you looked at a chain, you know, they represent the link where there could be a problem if people don't know what they should do with their emails. You're going to be subject to phishing attacks if people don't know.
41:51 What they should do if they see something suspicious, you know, things will go uninvestigated and potentially set you up for lengthy breaches of data and all sorts of problems. So training is important, training staff properly. It is advisable that when you do your training that you test your staff, you know, some sort of little quiz to help reinforce principles of and this. This is probably more personal than PCI best practice. But I would advocate that you move in the direction of keeping morale up. Many times when you use a punitive approach to training that can reduce morale, meaning, you know, if you don't do well on your security training or you do something you're going to get punished for it trying to help people understand that it's a culture. It's how we do things.
42:49 And to help give them opportunities to succeed it helps promote good behavior punitive measures they do work, right, but sometimes that environment promotes or encourages turnover and turnover is a security issue.
43:12 So because as new people come in, they're not as familiar with what needs to happen. So be aware that you know sometimes punitive measures can have an adverse effect on maintaining security. All right, that's probably more opinion than PCI best practice some training topics you could do so this is again. Let me just re-emphasize this this is huge. If your people are being, you know attacked on the phone and people are trying to get data from them. They need to know how to recognize these types of attacks and what they should do, you know, sometimes people just aren't sure what they should do. So social media sort of compliance phishing attacks, social engineering attacks, physical security, you know, what do you do? If a maintenance guy suddenly shows up on your office floor. Is that cool?
44:11 You should, your people should know what they do, you know, if you don't see anyone escorting them you should ask them for ID. Ask them why you're there that sort of thing, you know, whatever your policy is, but you're the bottom line is your people, your employees should know what they need to do and you re-emphasize that through good training test your staff. You know, some people aren't comfortable with this but it's probably a good idea just to spot check things and see if people are really understanding the training you're doing it again best intentions, right? You could have the best intentions but your training method’s not engaging and nobody's getting it, you know, and there, perhaps it's like a clique, clique, clique thing and that they're just not understanding what you're trying to get across. So you need to understand what you know, whether you're training is effective and you need to find out and test your people incident response. This is critical right again, your people need to know what to do when something happens.
45:12 What should you do? You should have the following procedures, you know for PCI. You have an incident response plan that's required. You have a business continuity plan.
45:27 Now this is very common place in organizations of today. But that has more to do with things that are around it. If you have some sort of catastrophic issue, what happens? You know, if the building is blown up if you know, what is there a phone trees there? You know, who do we call the do your people know what to do if they show up at the parking lot and there's no building but you know and that so these are some items that are important then Disaster Recovery plan. This is more specific to a systems fail. What's the recovery plan? Do we have backup systems in a different data center or you know, is there a warehouse where we go and get the systems and we stand them up and bring them back as part of the plan.
46:21 So these are you know, when incidents happen, making sure that we have good plans in place to address whatever could happen and a good process. All right slide 42, another important point to point out that's going to be done but incident response plan is, you know, should we test it? And the reason you want to test it is so that you can figure things out when critical assets are not on the line. If you're testing it and you know, if you're still working things out and a real incident occurs things could go poorly. So you definitely want to work out the kinks in your plan a while. They're still critical assets on the line and this can be as easy as a tabletop exercise, you know, we come up with scenarios.
47:16 We work through them together and we ensure that our plan appropriately addresses what's required meaning depending on the situation, you know, we're going to bring the right resources to bear now. Here's some, here's a very important point, ensure that in the event of some emergency or alternate plan that we don't reduce security.
47:42 So sometimes when people say hey, we'll pull up these temp systems then we'll go back to normal and everything will be fine. Well sometimes those temp systems may not have the appropriate security in place and they can result in a breach in addition to that. Let's say you have an incident where someone notices something funny. You got some weird alert on the monitoring and you say I think somebody's messing with our website and stealing card data.
48:12 Well, you follow your plan. You're like, okay, we follow the plan. Everything is cool. Then you find out it's the activities continuing, you know, the next evening your plan better have a part in it that says remediate the issue right? It's possible and I know it sounds silly but in the heat of the battle in the passion of the moment, you can forget to actually fix the issue or cut the access to the what's causing a problem in your, you know attempts to try to follow all the steps. Make sure a step in there is remediate the issue, ensure that it's not continuing in any other form. You can document your issue and get re-breached which is kind of embarrassing. So make sure that that's part of your process another re-emphasis of training your employees.
49:07 So security awareness is important; that's required of PCI, has to happen upon hire and annually your people need to know what to do if something happens, to include an incident, right? They need to know and practicing, you know and querying employees ad hoc here and there just to make sure the training’s working, is important to making sure your program’s effective. Kind of mentioned this earlier, but testing your incident response plan with the tabletop exercise basically walking through it. And that's how you would address that when you're doing the tabletop exercise and this is part of PCI. There is a requirement that you document any lessons learned, right? So this is an iterative process, continually improving process, right? So as you go through the process you look at what did we learn or how could we improve, what would be better, you know, and then you document that and make that part of the process so that the things you learn help to strengthen what your plan is.
50:17 So basic takeaways, you know, I mentioned training quite a bit. And so, you know, that's been an area where I see that the people again and again get hit with phishing attacks and all sorts of things. It's difficult, you know. To be realistic you have turnover and people come and go but if you make, again, back with the culture thing, in addition to the training, whatever you do for security needs to be part of the culture the organizational culture the way things are done. It needs to be that way. It's you know, everybody accepts it and nobody is looking at it as a just, you know, an irritating thing that we have to do to be PCI Compliant. You need to move away from that mentality determine what you store and how it should be handled.
51:12 So again, you can't protect what you don't know you have,. You need to have a process to document it and understand what you need to do to protect it and then your risk assessment. We went over that earlier. So and let me just throw a few more takeaways again training, training, training and then there are things occurring trend-wise in the way of formjacking that puts extra emphasis on patching your systems.
51:49 You know, it's shocking to me that people still are negligent unpacking their systems that needs to take a high priority and you know, take proactive steps to look at your you know, do the risk assessment take a big picture. Look at things. Make sure you're allocating appropriate resources to mitigate risk. That's critical. That's really important.
52:17 It's what I've been sort of pushing all throughout this webinar train and test your employees regularly.
52:25 All right, so that pretty much brings us to slide 48, which is question time and our folks our marketing folks will help to coordinate that and will take time for questions now. Thank you very much.
52:43 All right. Thank you George, and thank you to everyone who has watched this webinar today. We hope you were able to gain some good insights about your PCI best practices going forward at your organization in 2019. As mentioned before, please send in any questions that you may have. You can send those two events at www.securitymetrics.com, and we look forward to speaking with you more. Thank you very much, and we'll see you next time.