According to the recently released Verizon 2015 PCI Compliance Report “27% of organizations that suffered a data breach in 2014 were compliant with Requirement 1 [of the PCI DSS standards] at the time of their breach”, which means that 73% were not… And, as the report points out, “there is strong correlation between a badly configured firewall and the likelihood of a security breach”.
Requirement 1, as we know, requires companies to install and maintain a firewall configuration to protect cardholder data. In this post I’d like to discuss Verizon’s findings and its recommendations to help companies comply with Requirement 1.
Things Should Only Go Where They Need to Go
The Verizon report says, “Network segmentation and context-aware traffic filtering are key ways to limit exposure and reduce the likelihood of a successful breach.”
Exactly right. Don’t think of a firewall as one big fence that keeps the bad guys out and the good data in. As we frequently discuss on this blog, use firewalls to create secure zones and to restrict traffic flow (and user access) only to the parts of the network where they belong. Think of the firewall as analogous to employee swipe cards for each floor and building in a corporate campus: things should only go where they need to go.
You Can’t Secure What You Can’t See
Another observation by the Verizon team is that compliance “is often problematic, because organizations do not know which services, ports and protocols are open on systems within their organization, and in particular within their DSS scope.”
You can’t secure what you can’t see, so what can you do about it? The Verizon report says it well: “It is highly recommended that the management of system configuration is automated to provide ongoing visibility and active monitoring of system configurations, fully integrated into the corporate change control process.”
Business Stakeholders Must Take Responsibility for the Security of their Applications
Building on that, Verizon observes that there’s a disconnect between application owners of business data and the IT team charged with protecting the data and the network: “Companies must have a thorough understanding of the flow of data, and few do. Often it’s only the application’s owner that knows what data is passed from one server to another, and it’s very unlikely that a firewall administrator will know. It’s important to change this. Firewall administrators should ensure that any request for a rule change includes details of what business process need justifies the change and what type of data will be affected.”
This fits our own observations and strategy at AlgoSec: business managers too often blindly trust that the IT team will protect everything, yet the IT team doesn’t have the business knowledge to properly evaluate service requests and security settings for new applications, and therefore cannot make good decisions about traffic flows and security risk. This disconnect creates delays in the rollout schedule and outages after rollout. Breaches are a big concern too: misconfigured firewalls with inadvertently open ports can create access points for hackers.
Ultimately, business stakeholders have to take responsibility for the security of their applications. “Owning the risk”, as we like to say, improves performance, accountability, security and the customer experience. And Verizon agrees: “Firewall teams can report on the current rules and provide guidance, but it should be the business and application owners that are ultimately responsible and who provide the business justification for firewall rules.”
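The two points above (segment the network so traffic only goes where it needs to, and require a business justification and data type on every rule that touches cardholder data) can be turned into an automated check over a firewall rule export. The following is an added example written for this post; it is not AlgoSec’s or Verizon’s code, and it assumes a hypothetical CSV rule export with the columns shown, a zone named “cde” for the cardholder data environment, a constructed list of documented CDE services, and constructed ticket numbers in the justification field.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Zone that holds cardholder data (name is an assumption for this example).
CDE_ZONE = "cde"
# Services the CDE is documented to expose, per a constructed data-flow map.
ALLOWED_CDE_SERVICES = {443, 1433}

# Constructed sample rule export, in the shape of a CSV dump from a
# hypothetical firewall management tool (not a real product's format).
SAMPLE_RULES_CSV = """\
name,src_zone,dst_zone,ports,action,justification,data_type
web-to-app,dmz,app,8443,allow,Checkout web tier calls order API (ticket CHG-1001),order data (no PAN)
app-to-cde-db,app,cde,1433,allow,Order API writes tokenized card refs (ticket CHG-1002),tokenized PAN
mgmt-any-cde,any,cde,any,allow,,
vendor-cde,corp,cde,443;8080,allow,Vendor support portal,PAN
deny-all,any,any,any,deny,Default deny,
"""


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    ports: Optional[Set[int]]  # None means "any"
    action: str
    justification: str
    data_type: str


def parse_ports(text: str) -> Optional[Set[int]]:
    """'any' -> None; '443;8080' -> {443, 8080}."""
    text = text.strip().lower()
    if text == "any":
        return None
    return {int(p) for p in text.split(";") if p}


def parse_rules(csv_text: str) -> List[Rule]:
    """Read the CSV export into Rule objects, normalising case and whitespace."""
    rules = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rules.append(Rule(
            name=row["name"].strip(),
            src_zone=row["src_zone"].strip().lower(),
            dst_zone=row["dst_zone"].strip().lower(),
            ports=parse_ports(row["ports"]),
            action=row["action"].strip().lower(),
            justification=row["justification"].strip(),
            data_type=row["data_type"].strip(),
        ))
    return rules


def audit_rule(rule: Rule) -> List[str]:
    """Return findings for one rule; an empty list means it passes."""
    findings: List[str] = []
    # Only allow-rules that terminate in the CDE are in scope for these checks.
    if rule.action != "allow" or rule.dst_zone != CDE_ZONE:
        return findings
    if rule.src_zone == "any":
        findings.append("source 'any' into CDE (no segmentation)")
    if rule.ports is None:
        findings.append("port 'any' into CDE (no service filtering)")
    else:
        extra = sorted(rule.ports - ALLOWED_CDE_SERVICES)
        if extra:
            findings.append(f"ports not in documented CDE services: {extra}")
    if not rule.justification:
        findings.append("missing business justification")
    if not rule.data_type:
        findings.append("missing data type")
    return findings


def audit_ruleset(rules: List[Rule]) -> Dict[str, List[str]]:
    """Map rule name -> findings for every rule that fails at least one check."""
    return {r.name: f for r in rules if (f := audit_rule(r))}


if __name__ == "__main__":
    for name, findings in audit_ruleset(parse_rules(SAMPLE_RULES_CSV)).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running this over the constructed export flags only the two rules a reviewer would want to see: the undocumented any/any rule into the CDE, and the vendor rule that opens a port the data-flow map does not list. Wiring a check like this into the change-control process, so that a request is rejected before it reaches the firewall, is the automated, ongoing visibility the report calls for.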
Security Without Automation is Impossible
One final point: don’t forget the importance of automating change management. As the Verizon analysts succinctly put it, “Configuration and change management isn’t cool, but it’s a highly effective way to simplify compliance and improve security. We strongly recommend that organizations automate the management of system configuration. Change is a constant in security and without automation it’s impossible to keep abreast of the state of the whole DSS scope. No matter how many layers of security you have, if network devices are unpatched or incorrectly configured your chances of an attack turning into a breach are much higher.”