2023 was once again the year of the cyberattack. Record-breaking attacks were reported, including some of the largest distributed denial-of-service (DDoS) attacks ever seen, targeting Google and Amazon. Despite increased security spending and tighter compliance regulations, the hits kept coming. They will continue to rise and threaten disruption, including to our critical infrastructure.
Safeguarding U.S. critical national infrastructure (CNI) has moved to the forefront of national security concerns. The 16 critical infrastructure sectors designated by the U.S. government, including communications, energy, and financial services, form the nation's backbone, making their protection paramount. Within these sectors, payment card data and the systems that process it are lucrative targets for cybercriminals.
As the deadline for compliance with the latest version of the payment card data security standard, PCI DSS 4.0, approaches in March (the previous version, 3.2.1, is retired on 31 March 2024; the requirements v4.0 marks as future-dated become mandatory a year later), organizations are under increasing pressure to fortify their security measures. Recent research indicates a concerning statistic: only 37% of organizations can effectively categorize and prioritize compliance risks within their networks. This underscores the urgency of a comprehensive, prioritized approach to compliance to ensure the resilience of CNI. It will be a heavy lift for most businesses because version 4.0 is a significant departure from earlier versions: it requires a shift in how organizations safeguard cardholder data, including updated anti-malware and access controls, targeted risk analyses, and ongoing maintenance of security controls for emerging payment technologies.
Adopting a Proactive Security Approach
But there is a roadmap for companies to follow, and it starts with three critical steps. The first is adopting a proactive security approach, and the best way to do that is to anchor the organization to risk-based vulnerability management (RBVM). This means a careful risk analysis of each misconfiguration: with networking expertise applied, an organization can assess how easy the issue is to exploit, what its security impact would be, and how feasible the fix is. Automated assessment, scalable across the whole network and run continuously where required, lets organizations spot compliance-risk trends before an auditor or an attacker does. It also lets them view risk through an attacker's lens: beyond merely discovering vulnerabilities, it shows how a finding translates into a real-world threat and a potential business impact. Understanding how adversaries operate is crucial for assessing exposure and for deciding which network devices to remediate first, above all those in critical areas such as the cardholder data environment (CDE).
Selecting the Right Tools
The second step is selecting a tool that makes the compliance effort effective. Many products on the market lack a deep understanding of PCI DSS, so a thorough evaluation is essential before choosing one. Automated risk-based prioritization tools built around the PCI DSS 4.0 requirements not only identify areas of non-compliance but also streamline remediation. Modern tools ship with network-device checks already mapped to the requirements, with drill-down access to the corresponding testing procedures, and their reports show whether each router, switch and firewall meets PCI DSS 4.0, with non-compliances ranked by risk. That lets internal security teams categorize and prioritize mitigating actions quickly, a fundamental step in improving compliance posture. Reducing the time to remediate is as important as finding the non-compliance in the first place, so a tool that pinpoints the gap and also gives actionable remediation guidance is essential to a robust compliance strategy.
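The risk analysis described under the first step (ease of exploit, security impact, fix feasibility) and the mapped device checks described here are easy to picture as code. The block below is an added example, not the article's or any vendor's tool: it runs four checks over a constructed Cisco IOS-style running config, scores each finding on a 1-5 scale for ease, impact and fix effort, and returns the findings ordered by risk rather than by discovery order. The requirement numbers are the example's own mapping to PCI DSS v4.0 (2.2.2 vendor defaults, 2.2.7 encrypted non-console admin access, 8.3.2 unreadable authentication factors) and should be verified against the standard's testing procedures before being used in a report.

```python
"""Risk-prioritized configuration checks for a Cisco IOS-style running
config. Added example (not the article's or any vendor's code): the
requirement mapping and the 1-5 scores are the example's own assumptions."""
import re
from dataclasses import dataclass

# Constructed sample config, deliberately weak in several places.
SAMPLE_CONFIG = """\
hostname cde-edge-rtr1
no service password-encryption
enable password Cisc0123
snmp-server community public RO
ip http server
ip domain-name example.test
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
end
"""


@dataclass
class Finding:
    check: str
    requirement: str      # PCI DSS v4.0 requirement (illustrative mapping, verify it)
    evidence: list
    ease: int             # ease of exploit, 1 (hard) .. 5 (trivial)
    impact: int           # security impact if exploited, 1 .. 5
    fix_effort: int       # effort to remediate, 1 (one-line change) .. 5 (redesign)
    remediation: str

    @property
    def priority(self) -> int:
        return self.ease * self.impact


def _vty_transports(raw_lines):
    """Map each 'line vty' stanza to its 'transport input' command.
    A stanza with no explicit setting is recorded as 'all' (worst case)."""
    result, header = {}, None
    for line in raw_lines:
        if line.startswith("line vty"):
            header = line.strip()
            result[header] = "transport input all"
        elif line.startswith(" ") and header:
            if line.strip().startswith("transport input"):
                result[header] = line.strip()
        else:
            header = None
    return result


def check_config(config: str) -> list:
    raw = config.splitlines()
    lines = [l.strip() for l in raw]
    findings = []

    # Non-console admin access must be encrypted: telnet (or 'all') on a vty
    # line hands admin credentials to anyone on the path.
    bad_vty = {h: t for h, t in _vty_transports(raw).items()
               if re.search(r"\b(telnet|all)\b", t)}
    if bad_vty:
        findings.append(Finding("cleartext-admin-access", "2.2.7",
            [f"{h}: {t}" for h, t in bad_vty.items()], 5, 5, 1,
            "transport input ssh on every vty line; ip ssh version 2"))

    # Plain-HTTP management interface: same requirement, scored slightly lower
    # because it is often not routed to user segments.
    if "ip http server" in lines:
        findings.append(Finding("http-management", "2.2.7", ["ip http server"],
            4, 4, 1, "no ip http server (ip http secure-server if web admin is needed)"))

    # Vendor default SNMP communities give read (or write) access to the device.
    snmp = [l for l in lines if re.match(r"snmp-server community (public|private)\b", l)]
    if snmp:
        findings.append(Finding("default-snmp-community", "2.2.2", snmp, 4, 3, 2,
            "remove default communities; use SNMPv3 with authentication and privacy"))

    # Credentials must not sit in cleartext in config backups.
    creds = [l for l in lines
             if l == "no service password-encryption" or l.startswith("enable password ")]
    if creds:
        findings.append(Finding("cleartext-credentials", "8.3.2", creds, 3, 4, 1,
            "enable secret <value>; service password-encryption"))

    # Highest risk first; among equal risk, cheapest fix first.
    findings.sort(key=lambda f: (-f.priority, f.fix_effort))
    return findings


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG):
        print(f"[{f.priority:2d}] {f.check:<26} req {f.requirement}: {f.evidence[0]}")
        print(f"      fix: {f.remediation}")
```

On the sample config the telnet-enabled vty lines come out on top (score 25), ahead of the HTTP management interface (16), with the two cleartext-credential and default-SNMP findings tied at 12 and the one-line fix ordered first. The scores are deliberately simple; the point is that the queue a team works from is sorted by exploitability and impact, not by which line of the config the scanner happened to read first.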
Adopting a Zero Trust Strategy
Finally, adopt a Zero Trust strategy that includes network segmentation. It starts by assuming the perimeter is already breached and adopting a 'never trust, always verify' philosophy. Coupled with dividing the network into small islands, this limits the blast radius of an attack by inhibiting lateral movement. Since 80% of all network traffic stays inside the perimeter, correctly configured switches and routers play a fundamental role in stopping bad actors from traveling across the organization. Segmentation decisions should also be informed by threat-vector guidance: overlay the attack paths that matter to the business on the vulnerability dataset for the network infrastructure, so that the findings which sit on a path to critical assets are fixed first. This lets organizations address vulnerabilities strategically and reinforce their defenses against evolving threats. Vulnerability management should not be only a compliance function but a core part of threat prevention.
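A concrete way to test whether segmentation actually inhibits lateral movement, and to answer the per-segment exposure question raised later in the article, is to compute reachability over the allow-rules between segments. The following is an added example and not the article's code: it models a constructed five-segment network twice, once with the flat rule set a perimeter-only design tends to accumulate and once after segmentation, and reports which segments can reach the CDE and by which path. Segment names, rules and ports are all assumptions for illustration.

```python
"""Segmentation check: given the allow-rules between network segments, which
segments can reach the cardholder data environment (CDE), and by what path?
Added example (not the article's code); the topology and rules are constructed."""
from collections import deque

ANY_PORT = "any"

# Constructed topology. Rules are (source segment, destination segment,
# allowed TCP ports). The "flat" rule set is typical of perimeter-only designs:
# user workstations and servers talk straight into the CDE on any port.
FLAT_RULES = [
    ("internet",   "servers",    {443}),
    ("corp-users", "servers",    ANY_PORT),
    ("corp-users", "cde",        ANY_PORT),
    ("corp-users", "jump-hosts", {3389}),
    ("servers",    "cde",        ANY_PORT),
    ("jump-hosts", "cde",        {22, 443}),
]

# The same network after segmentation: only the jump-host segment reaches the
# CDE, on two ports, so MFA and session recording have a single place to live.
SEGMENTED_RULES = [
    ("internet",   "servers",    {443}),
    ("corp-users", "servers",    {443}),
    ("corp-users", "jump-hosts", {3389}),
    ("jump-hosts", "cde",        {22, 443}),
]


def segments(rules):
    return sorted({s for rule in rules for s in rule[:2]})


def reachable(rules, start):
    """Every segment an attacker in `start` can eventually talk to (lateral
    movement), following allow-rules transitively regardless of port."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, _ in rules:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def paths_to(rules, start, target, max_hops=4):
    """All loop-free paths from start to target, each hop with its allowed ports."""
    found = []

    def walk(cur, path, visited):
        if cur == target:
            found.append(path)
            return
        if len(path) >= max_hops:
            return
        for src, dst, ports in rules:
            if src == cur and dst not in visited:
                walk(dst, path + [(src, dst, ports)], visited | {dst})

    walk(start, [], {start})
    return found


def cde_exposure(rules, cde="cde"):
    """Segments from which the CDE is reachable at all: the 'what is our
    exposure for this segment' question, answered from the rule base."""
    return [s for s in segments(rules) if s != cde and cde in reachable(rules, s)]


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(f"{name}: CDE reachable from {cde_exposure(rules)}")
        for path in paths_to(rules, "internet", "cde"):
            print("  internet -> cde via", " -> ".join(f"{d}[{p}]" for _, d, p in path))
```

With the flat rules every segment, the internet included, has a path into the CDE (internet to servers on 443, then servers to CDE on any port). After segmentation the internet-facing path disappears and a phished workstation in corp-users still has exactly one route, through the jump hosts on 22 and 443, which is the choke point where verification belongs. Run against a real rule base, the same two functions give a per-segment exposure figure that a ransomware or insider risk assessment can be anchored to.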
What to Expect in the Future
As part of this, organizations will in future ask more questions about what networking infrastructure actually sits inside their perimeter, with greater focus on asset discovery, asset validation and asset inventory, followed by asset assessment, to support risk-prioritized remediation.
Ransomware will remain the benchmark threat as automated variants grow more sophisticated and move laterally across the network. Effective Zero Trust network segmentation will play a vital role against these attacks and against insider threats, an area that can cause devastating losses and is on the rise. The total average cost of an insider-related incident rose from $11.45 million in 2019 to $15.38 million in 2021, according to the 2020 and 2022 Cost of Insider Threats Global Reports from the Ponemon Institute. Most insider incidents are not malicious, which is part of why harmful insider activity is harder to detect than an external attack: it looks like legitimate use. Yet insiders know the weaknesses of the organization's defenses and where its sensitive data lives. Expect more focus on RBVM, with organizations asking questions such as "what is our ransomware exposure for this network segment?" and using the answer to shrink the attack surface around their IP and critical systems, whether the insider threat is accidental or malicious.
Beyond that, organizations may start looking to AI to automate defense, especially where risk prioritization and remediation of existing vulnerabilities and misconfigurations currently sit in the "too hard" box because of vulnerability fatigue.
Right now, organizations must embrace evidence-based reporting to improve their compliance posture as the PCI DSS deadline approaches. This is the moment to adopt solutions that support RBVM and provide a risk analysis for each non-compliance, weighing ease of exploit, security impact and feasibility of the fix. A proactive security approach, complemented by strategies such as Zero Trust, puts companies on the front foot rather than the back foot, which is far cheaper and more efficient than dealing with a breach.