
Compliance with cyber security standards sometimes gets a bad rap as a box that organizations tick without much concern for whether the measures taken actually work. While this can be the case, the requirements of some standards, when pursued in the spirit of protecting the organization and its users' data, do a great deal to reduce the opportunities for threat actors to breach defenses easily.

With cyber security, there is never a surefire guarantee. Even the most secure and complex systems can be breached with enough time and persistence. But making your systems even a little harder to reach raises the cost of an attack and turns away the opportunistic attackers who make up most of the threat.

In this blog, we will take a look at how PCI DSS Compliance actually stacks up against the general tactics, techniques, and procedures (TTPs) of threat actors.

The CIA Triad: What You Need to Know

This sounds like something from a spy film, but it is an important aspect of cyber security to address briefly before we proceed. CIA represents the pillars of cyber security: Confidentiality, Integrity, and Availability. What we need to know to move forward is that controls which tighten confidentiality (encryption, access restrictions, segmentation) usually cost something in availability and usability, and vice versa. If an organization accepts payment card information, there has to be a balance between security and usability of its systems, and this affects how security controls are chosen and implemented.

PCI DSS Compliance

PCI DSS, or Payment Card Industry Data Security Standard, is pretty self-explanatory: a set of requirements that help safeguard customers' sensitive payment card information. Merchants and service providers are assigned compliance levels based on the number of transactions they process annually. The level determines how compliance must be validated (for example, an on-site assessment by a Qualified Security Assessor versus a self-assessment questionnaire); the requirements themselves apply to every entity that stores, processes, or transmits cardholder data.

Take a look at our blog covering the recent changes with the PCI DSS 4.0 update.

MITRE ATT&CK Framework

The MITRE ATT&CK Framework (Adversarial Tactics, Techniques, & Common Knowledge) is a regularly updated knowledge base of TTPs observed in the real world. Each entry is backed by examples of the tactics and methods used in data breaches, ransomware, and other cyber incidents. It is a constantly cited resource for mapping how a threat actor gains access, moves through a network, and ultimately achieves their aim.

We will use examples from this framework to compare against the PCI DSS standards.

MITRE ATT&CK VS PCI DSS

The following is a general representation of the TTPs threat actors use to breach a network, paired with the security control concepts that would hinder or prevent those avenues of attack.

Threat: Reconnaissance / Discovery

Using these methods, a threat actor enumerates a network, looking at infrastructure, software versions, open ports, exposed files, and user accounts, anything that could provide a way in.

  • Active Scanning
  • Open Source Intelligence
  • File and Directory Discovery
  • Account Discovery

Defense: Scope your Cardholder Data Environment

Scoping is the defender's own reconnaissance: knowing where cardholder data is stored, processed, and transmitted, and which systems connect to those places, so that you understand what has to be protected before an attacker maps it for you.

  • Identify Cardholder Data Flows
  • Create Detailed Network Diagrams
  • Review Data Storage Locations
  • Evaluate Third-Party Services

Threat: Initial Access / Collection

These are the ways that an attacker enters a network and begins gathering the information that allows further access.

  • Known Default Accounts
  • Exploiting Public-Facing Apps
  • Capturing Network Traffic

Defense: Secure Network and Systems

Setting up a perimeter defense by closing the common gaps deters the majority of opportunistic attackers, who will simply move on to easier targets.

  • Firewall Configuration (PCI DSS Requirement 1)
  • Changing Default Logins (Requirement 2)
  • Ensuring Data Encryption in Transit (Requirement 4)
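Requirements 1 and 4 are easier to reason about as concrete checks over the rule set that fronts the cardholder data environment. Below is an added example in Python, not code from the post and not any vendor's export format; the Rule fields, the CDE address range, the "public" port allowlist and the sample rules are all assumptions made for the demo, and first-match evaluation is assumed as on most firewalls. It flags permits that expose the CDE to any source, cleartext protocols allowed into the CDE (the in-transit encryption gap), a catch-all permit, and deny rules that can never fire because an earlier permit already matches the same traffic, which is the mistake a quick eyeball of the policy tends to miss.

```python
"""Audit a firewall rule set that fronts a cardholder data environment (CDE).

Added example, not code from the original post or any vendor's export
format. The Rule fields, the CDE range, the "public" port allowlist and
the sample rules are all assumptions made for the demo. First-match
semantics are assumed, as on most firewalls.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

CDE_NET = ipaddress.ip_network("10.20.0.0/24")   # assumed CDE segment
ANY = ipaddress.ip_network("0.0.0.0/0")
PUBLIC_OK = {443}                                 # services allowed from the internet
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "permit" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    port: Optional[int]    # None means any port


# Constructed sample policy, evaluated top to bottom.
SAMPLE_RULES = [
    Rule("web-in",       "permit", "0.0.0.0/0",    "10.20.0.10/32", 443),
    Rule("legacy-ftp",   "permit", "0.0.0.0/0",    "10.20.0.0/24",  21),
    Rule("ops-any",      "permit", "10.50.0.0/16", "10.20.0.0/24",  None),
    Rule("block-ftp",    "deny",   "0.0.0.0/0",    "10.20.0.0/24",  21),
    Rule("allow-all",    "permit", "0.0.0.0/0",    "0.0.0.0/0",     None),
    Rule("deny-default", "deny",   "0.0.0.0/0",    "0.0.0.0/0",     None),
]


def _net(cidr: str):
    return ipaddress.ip_network(cidr)


def audit(rules: list[Rule]) -> list[tuple[str, list[str]]]:
    """Return (rule_name, reasons) for every rule with a finding."""
    findings: list[tuple[str, list[str]]] = []
    permits_seen: list[Rule] = []
    for r in rules:
        src, dst = _net(r.src), _net(r.dst)
        reasons: list[str] = []
        if r.action == "deny":
            # A deny is dead if an earlier permit already matches all of its traffic.
            for p in permits_seen:
                if (src.subnet_of(_net(p.src)) and dst.subnet_of(_net(p.dst))
                        and (p.port is None or p.port == r.port)):
                    reasons.append(f"deny is shadowed by earlier permit '{p.name}'")
                    break
        else:
            permits_seen.append(r)
            if src == ANY and dst == ANY and r.port is None:
                reasons.append("permit any/any, policy is effectively open")
            elif dst.overlaps(CDE_NET):
                port_desc = "any port" if r.port is None else f"port {r.port}"
                if src == ANY and r.port not in PUBLIC_OK:
                    reasons.append(f"any source into CDE on {port_desc}")
                if r.port in CLEARTEXT_PORTS:
                    reasons.append(f"cleartext {CLEARTEXT_PORTS[r.port]} into CDE")
                if r.port is None and src != ANY:
                    reasons.append(f"all ports open from {r.src} into CDE")
        if reasons:
            findings.append((r.name, reasons))
    return findings


def audit_sample() -> list[tuple[str, list[str]]]:
    return audit(SAMPLE_RULES)


if __name__ == "__main__":
    for name, reasons in audit_sample():
        for reason in reasons:
            print(f"{name}: {reason}")
```

In the sample, "web-in" passes (HTTPS to a single host is the intended public service), while "block-ftp" is reported as shadowed: someone added a deny for FTP but left the older permit above it, so the deny never matches. The same pattern makes the final default deny useless once an "allow-all" creeps in above it.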

Threat: Credential Access / Lateral Movement

Once inside, an attacker can begin more targeted actions, discovering forgotten or highly privileged accounts for access to more sensitive areas.

  • Forgotten Active Accounts
  • Spearphishing
  • Lax Administrative Controls

Defense: Control Access & Cardholder Data

While defending the perimeter is important, limiting access to sensitive data stored within the network can prevent some of the most damaging effects of a breach.

  • Least Privilege Policy (Requirement 7)
  • Segment PCI Data (network segmentation also shrinks the assessed scope)
  • Security Awareness Training (Requirement 12)

Threat: Execution / Impact

The attacker accomplishes their end goals, whether that be ransom of critical data, theft, or exposure.

  • Software Vulnerabilities
  • Lax Technical Controls
  • Data Stolen or Ransomed

Defense: Manage Vulnerabilities

While preventative measures and network hygiene can occasionally be disruptive to an organization, they are essential to its long-term health and to the safety of the information it holds.

  • Patching and Updating (Requirement 6)
  • Vulnerability Scans (Requirement 11)

Threat: Defense Evasion / Persistence

Once an attacker gains a foothold in a network, one of the first steps is to create other means of access, should the first be discovered.

  • Valid Account Creation
  • Disabling / Impairing Defenses
  • Modifying Authentication Process

Defense: Monitor and Test Your Networks

Having systems and procedures in place to record and triage network activity, and to alert security staff when suspicious activity is discovered, is vital for detection, containment, and recovery.

  • Monitor Network Traffic (Requirement 10)
  • Review Network and System Logs (Requirement 10)
  • Penetration Tests (Requirement 11)
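The persistence and defense-evasion techniques listed above leave footprints in the Windows Security log, which is exactly what Requirement 10 logging exists to capture, but only if someone reviews it. The following Python is an added example and not code from the post or from TCM Security. The events are constructed JSON lines in a simplified schema of my own rather than real Windows output; the field names, the ten-minute window, and the privileged-group list are assumptions. The event IDs are the real Windows Security IDs. It correlates account creation with a privileged-group add (Valid Account Creation), and treats log clearing and audit policy changes as defense impairment no matter who performs them.

```python
"""Flag persistence and defense-evasion activity in Windows Security events.

Added example, not code from the original post. The events below are
constructed JSON lines in a simplified schema (field names are assumptions);
the event IDs are the real Windows Security IDs:
  4720         a user account was created
  4728 / 4732  a member was added to a global / local security-enabled group
  1102         the audit log was cleared
  4719         system audit policy was changed
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
WINDOW = timedelta(minutes=10)   # assumed: creation -> admin within 10 min is suspicious

# Constructed sample, not real telemetry.
SAMPLE_EVENTS = """\
{"time": "2024-03-01T02:10:05", "event_id": 4720, "host": "POS-01", "subject": "svc_backup", "target": "support"}
{"time": "2024-03-01T02:11:40", "event_id": 4732, "host": "POS-01", "subject": "svc_backup", "target": "support", "group": "Administrators"}
{"time": "2024-03-01T02:12:02", "event_id": 1102, "host": "POS-01", "subject": "support"}
{"time": "2024-03-01T03:00:00", "event_id": 4719, "host": "POS-01", "subject": "support"}
{"time": "2024-03-01T09:30:00", "event_id": 4720, "host": "HR-WS-07", "subject": "hr_admin", "target": "jdoe"}
{"time": "2024-03-01T09:31:00", "event_id": 4732, "host": "HR-WS-07", "subject": "hr_admin", "target": "jdoe", "group": "Remote Desktop Users"}
{"time": "2024-03-01T16:45:00", "event_id": 4728, "host": "DC-01", "subject": "admin_tj", "target": "svc_legacy", "group": "Domain Admins"}
"""


def detect(lines: str) -> list[tuple[str, str, str]]:
    """Return (severity, host, message) alerts, in time order.

    Correlates account creation with a privileged-group add on the same
    host inside WINDOW, and treats log clearing / audit policy changes as
    defense impairment regardless of who did it.
    """
    events = [json.loads(line) for line in lines.splitlines() if line.strip()]
    events.sort(key=lambda e: e["time"])          # ISO-8601 sorts lexically
    created: dict[tuple[str, str], datetime] = {}  # (host, account) -> when
    alerts: list[tuple[str, str, str]] = []
    for e in events:
        t = datetime.fromisoformat(e["time"])
        host, eid, who = e["host"], e["event_id"], e["subject"]
        if eid == 4720:
            created[(host, e["target"])] = t
        elif eid in (4728, 4732) and e.get("group") in PRIVILEGED_GROUPS:
            key = (host, e["target"])
            if key in created and t - created[key] <= WINDOW:
                age = int((t - created[key]).total_seconds() // 60)
                alerts.append(("high", host,
                               f"new account '{e['target']}' added to {e['group']} "
                               f"{age} min after creation by {who}"))
            else:
                alerts.append(("medium", host,
                               f"existing account '{e['target']}' added to {e['group']} by {who}"))
        elif eid == 1102:
            alerts.append(("high", host, f"security audit log cleared by {who}"))
        elif eid == 4719:
            alerts.append(("medium", host, f"audit policy changed by {who}"))
    return alerts


def detect_sample() -> list[tuple[str, str, str]]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for sev, host, msg in detect_sample():
        print(f"[{sev.upper():6}] {host}: {msg}")
```

The HR workstation events produce nothing: a new user placed in Remote Desktop Users is routine onboarding. The point-of-sale host tells a different story in under two minutes, a service account creating a user, making it a local administrator, and that user clearing the audit log, which is why the 1102 event deserves a high-severity alert on its own even when the account-creation correlation is missing.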

Conclusion

Compliance can seem like an annoying chore if the practical reasons behind it are not fully understood. For organizations that are entrusted with customers’ personal and financial information, a data breach not only exposes those people to harm but also damages the organization’s reputation. 

If you would like a partner that can walk through the compliance process in a way that protects your customers (and your organization) instead of just checking a box, TCM Security offers PCI DSS auditing services with our team of experienced QSAs to assist with the entire process. Also offered is penetration testing that will professionally prepare your network for the TTPs of ever-present threat actors, such as those listed above.

About the Author: Josh Daniels

Josh is an avid storyteller and writer who loves learning about the behind-the-scenes of the digital world we live in. While his professional experience is in content marketing, Josh began pursuing a career in cybersecurity in 2022, gaining a Security+ certification along with other training from industry professionals and a lifelong-learner attitude.

When he is not writing, Josh enjoys outdoor adventures with his family, watching movies, reading, and an unofficial (unpaid) side gig as a Game Master Consultant for several friends who play table top RPGs. At TCM, Josh has found a home where his passion for storytelling and cybersecurity meet.

“Once men turned their thinking over to machines in the hope that this would set them free. But that only permitted other men with machines to enslave them.”
– Frank Herbert

About TCM Security

TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers. Pentest Services: https://tcm-sec.com/our-services/
