Protecting Customer Data: Identify and Remediate Online Vulnerabilities Now!

Do you know there's an easy way to identify and predict how cybercriminals might get into your organization? Fortunately for already-busy franchisees, the process isn't as complicated as you may think. Vulnerability management is the simplest way for franchisees to locate and patch security holes before would-be data thieves find and exploit them.

Vulnerability management is the process, implementation, and controls that identify the location of weaknesses in an infrastructure that could act as secret tunnels into your network. Ultimately, it's a critical foundation on which to build your business's network security.

While there is no such thing as being hack-proof, data thieves and cybercriminals are notoriously lazy. They would much rather go after low-hanging fruit than invest the time and trouble to break into a secured network or website. By ensuring that your business addresses and resolves known vulnerabilities, you dramatically limit your organization's exposure to hackers.

Before reading any further, you should first determine whether you have control over your own network security and vulnerability management. Some franchisors negotiate deals with vendors that take care of vulnerability management from the franchisor end. In other cases, the entire security process is up to each individual franchisee. In either case, some of the work ends up falling upon the franchisee. Since accountability varies on a case-by-case basis, I recommend that you contact your franchisor directly to discover how much of your vulnerability management is in your hands.

Managing vulnerabilities

The more systems, computers, and apps your company has, the more places a cybercriminal can find a weakness. Vulnerability management helps guard against common cybercriminal tactics such as back doors, buffer overflows, denial of service, and injection-related issues. The most common way of managing vulnerabilities is through vulnerability scanning. Other ways include:

• developing or implementing applications created using secure coding guidelines;
• updating security software with the most current version;
• pre-testing and deploying vendor-supplied patches within a month of release; and
• regularly using and updating anti-virus protection to protect systems from evolving malicious threats.

While all these tactics help impede hacker progression, vulnerability scanning is arguably the easiest way to discover holes in your business systems that cybercriminals could exploit, gain access to, and use to compromise your organization.

If your business processes, handles, maintains, stores, or transmits credit or debit card information over the Internet, you are required by the Payment Card Industry Data Security Standard (PCI DSS) to complete quarterly vulnerability scanning.

Vulnerability scans are automated, affordable, high-level tests that identify known weaknesses in software, hardware, and network structures. Some are able to identify more than 50,000 unique external weaknesses. Because cybercriminals discover new and creative ways to hack businesses daily, it's important to scan often. An added benefit of vulnerability scanning is identifying out-of-date services or missing security patches. This is a great way for you to identify patches or updates that might have been overlooked in your regular update schedule.

Make it a regular habit

Vulnerability scanning isn't just about locating and reporting vulnerabilities. It's also about establishing a repeatable and reliable process for implementing remediation month after month. Negative scan results that aren't remediated render all the scanning (and other security precautions) you just completed worthless.

After a scan completes, it's crucial to fix any located vulnerabilities on a prioritized basis. Our vulnerability support team recommends prioritizing based on risk and effort required. Continue running scans until the scan returns clean. Your PCI vendor or IT director can assist further in your vulnerability remediation and repair of vulnerabilities.

Finally, a quick note about vulnerability scans. Not all of them are created equal. It's important to ensure that a company with PCI Approved Scanning Vendor (ASV) accreditation conducts your scan. Shop around for an ASV that regularly updates their scanning engines and tests for at least 50,000 vulnerabilities. If scanning engines aren't updated regularly, criminals may easily be able to exploit the system you thought was secure. If regular scanning is important to you, select a vendor that allows you to conduct unlimited scanning without extra fees.

Vulnerability management is only a single component of PCI DSS, and not the only thing you should be doing to ensure the security of your business. However, I recommend it as one of the best things you can do to make your processing environment as secure as possible.

Luke Engelhardt is a support supervisor at SecurityMetrics, a provider of merchant data security and compliance for businesses worldwide. To learn more about vulnerability scanning, visit www.securitymetrics.com/scanning. He can be reached at 801-995-6747.