By Dustin Roybal
March 19, 2021
Implementing Cyber Security-as-a-Service (CSaaS) to Protect Consumer Data

MMIS 690 Graduate Capstone
Dustin T. Roybal
Embry-Riddle Aeronautical University

Abstract

Consumer data continues to be targeted by cyber criminals; corporate merchants appear to be the primary targets. Over the last decade, small merchants have found themselves the victims of data breaches at an alarming rate. Since the implementation of the Payment Card Industry Data Security Standard (PCI DSS) in 2006, a minimal standard has existed to protect consumer data. This standard applies to all entities that store, process, or transmit cardholder data (i.e., payment card data and cardholder information). Large merchants had the resources and capabilities to follow the standard, making data breaches of their networks extremely difficult. Cyber criminals began to shift focus onto small merchants, and many excuses have been offered for non-compliance with the standard. Small business leaders lacked the information technology (I.T.) and cyber security knowledge and awareness to realize the risk their businesses were facing. “My business is too small to be a target,” “The standards don’t apply to my industry,” “Compliance is too complicated,” and “Compliance is too expensive” are some of the excuses used by small merchants for non-compliance. Cloud-based Cyber Security-as-a-Service (CSaaS) may be implemented as a cost-effective means to help small and medium-sized merchants become PCI DSS compliant.

Table of Contents

Abstract
Statement of Problem
Literature Review
History & Trend
Tools used by cyber criminals
PCI DSS Compliance
Is PCI DSS enough?
The broken QSA System
Data Encryption
Hashing
Analysis of Evidence
Level four Merchants are being targeted
Cost of Non-Compliance
Limitations of Study
Conclusion
Recommendations
Cyber Security Solutions
Cyber Security Awareness
Cloud-Based Cyber Security
References
Tables

Implementing Cyber Security-as-a-Service (CSaaS) to protect Consumer Data

Every year the number of consumer data breaches in the United States (U.S.) increases, resulting in millions of dollars in losses to individuals, businesses, and organizations. Unlike ordinary data breaches, consumer data breaches involve the loss of banking, credit card, identity, and other financial information associated with individuals. Consumer data breaches affect organizations of all sizes, across all industries, public and private entities alike. In other words, any organization that handles the personal financial information of one or more individuals can experience a consumer data breach. Technology makes it “virtually” impossible for either individuals or organizations to exist without conducting electronic financial transactions, and it is therefore inevitable that individuals and organizations risk becoming victims of a consumer data breach. While the risk itself is unavoidable, the level of risk can be controlled and reduced by implementing strong cyber security strategies. This is particularly true for organizations which are legally and morally obligated to protect consumer data from theft, exposure, or compromise. Organizations are required to exercise due care and due diligence when handling and safeguarding the financial data of consumers (e.g., customers, clients, individuals, etc.). Given the increasing number of consumer data breaches each year, it is evident that organizations are struggling and failing to properly implement the safeguards necessary to protect this data. What more can organizations do to protect the financial data that individuals have entrusted to them?
To address this question, it is important to understand that organizations vary in size and budget, as do the risks; therefore there is no one-size-fits-all solution. Rather, organizations must efficiently and effectively allocate and invest an appropriate margin of resources in cyber security for their information systems and data. Furthermore, not all organizations specialize in information technology (IT), much less cyber security, so outsourcing has become a more viable solution for the vast majority of organizations that lack the technological expertise or resources to manage their computing assets in-house. Not only are organizations outsourcing their IT infrastructure, but they are migrating it to the cloud, where the speed, availability, and competitiveness of virtual resources are reducing costs and increasing in popularity. There are many commercially based services available, including but not limited to: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS), Identity-as-a-Service (IDaaS), and, most relevant to this study, Cyber Security-as-a-Service (CSaaS). Regardless of where the data physically resides, the organization that owns the data ultimately has the responsibility and legal obligation to protect it. This growing trend raises the question of which cloud-based cyber security services are available and which of those solutions and services are the most effective at preventing data breaches. The purpose of this report is to assess the available defense-in-depth technologies that can be implemented by a cloud-based service provider in order to reduce the vulnerability or susceptibility of consumer data to data breaches.

Statement of Problem

Consumer data remains a highly targeted asset among cyber criminals, who exploit information system vulnerabilities and weaknesses for financial profit.
Cyber criminals are the robbers of the 21st century, targeting individuals, small businesses, large organizations, and financial institutions (e.g., banks) to steal credit card information, bank account information, and personally identifiable information (PII) that can be used for profit. Any organization, institution, or business that handles consumer data must be cognizant of the evolving threats posed by cyber criminals and must proactively implement safeguards to protect the data of its consumers. Protecting consumer data is not an easy or inexpensive task for an organization of any size, which is why outsourcing technology is gaining popularity and why, with the reduced costs of virtualization, cloud-based service providers are among the fastest growing. The research in this report will focus on a cloud-based service provider (Global-Root Security Company) that provides CSaaS solutions to clients that process or store credit card data. There are numerous reports of data breaches in the U.S., and many organizations do not comply with the Payment Card Industry Data Security Standard for protecting credit card data. Global-Root is invested in identifying, implementing, and offering the most effective capabilities and countermeasures to protect the credit card information processed or stored by its customers. With numerous technologies to choose from, Global-Root is researching and assessing the effectiveness of preventive technologies (e.g., encryption, data masking, etc.) and serving as a third-party provider to commercially host these products and solutions.

PCI DSS

What is the Payment Card Industry Data Security Standard (PCI DSS) and why is it important? The objective of PCI DSS is to provide “a baseline of technical and operational requirements designed to protect account data” (PCI Security Standards Council, LLC, 2018). There are twelve PCI DSS requirements, which will be briefly discussed.
PCI DSS is a globally accepted security standard applicable to “all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers,” as well as “other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD)” (PCI Security Standards Council, LLC, 2018).

Cyber Criminal Threats

In order to implement the appropriate and most effective cyber security mechanisms to protect against consumer data breaches, the service provider (Global-Root) must understand the threat sources and threat vectors that lead to data breaches. There are numerous ways in which cyber criminals are able to compromise consumer data. Their methods and strategies can be grouped into three categories:

1. Social Engineering
2. Viruses, Malware, and/or Ransomware
3. Exploiting Weaknesses

Social engineering is a technique used by a malicious outsider to trick, or to gain the trust of, an authorized individual within the organization in order to compromise one or more information systems. A social engineer often deceives an employee through a simple or seemingly harmless request, such as resetting an account password, opening a malicious email attachment, or clicking on a bad uniform resource locator (URL) (Chapple, Stewart, & Gibson, 2018). Other types of social engineering attacks involve phishing for specific data from employees or whaling attempts to gather data from high-ranking employees.

There are several forms of malicious software used by cyber criminals. Viruses date back to the earliest forms of malicious code and consist of two primary functions: propagation and destruction. Malware is a contraction of “malicious software,” including but not limited to viruses, worms, Trojan horses, spyware, adware, and ransomware.
Ransomware is similar to a Trojan horse, in that it is often delivered by a software program that appears benign to the user who downloaded or installed it. The unique characteristic of ransomware is that it uses encryption to encrypt documents and other files stored on the infected system and denies the user access to these files (by withholding the decryption key) until the ransom is paid in full, which usually requires an electronic payment (Chapple, Stewart, & Gibson, 2018).

Malicious software is not always required to hack, crack, or penetrate an information system when components have open vulnerabilities or weaknesses, such as unsecured back doors, which can allow cyber criminals to gain access to data. Vulnerabilities and weaknesses are frequently discovered in hardware, software, and firmware. These weaknesses can consist of bad code designs, software flaws, or poorly implemented security configurations. For example, leaving the default vendor password on a product’s root or administrator account is a common vulnerability that is easily exploited by cyber criminals without the need for malware or hacking tools.

By the year 2019 the annual loss due to data breaches had reached over $2.1 trillion (Vasileios Mavroeidis, 2017). Cyber-crime has been an issue for corporations and consumers since the arrival of computers on the global market. Cases range from the 1970s exploits of the infamous hacker Kevin Mitnick, who was known for his social engineering and dumpster diving tactics to gather sensitive data such as phone numbers, computer codes, usernames with passwords, and other technical information used to exploit systems (Middleton, 2017), to the famous Target data breach of 2013, in which more than 40 million debit and credit card records along with the PII of over 70 million consumers were exposed by hackers, causing Target in excess of $61 million in damages (Kashmiri S., 2016).
As a result of the consistent attacks on the retail and banking industries, with a string of successful data breaches occurring around the turn of the century, the Payment Card Industry Security Council was formed in 2006 through the collaboration of American Express, Discover, JCB International, MasterCard and Visa (PCI Security Council, 2018). PCI DSS was created with the purpose of standardizing the minimal security requirements to be used by all merchants and financial institutions in order to protect consumer data, specifically credit card processing information (PCI Security Council, 2018).

Literature Review

History & Trend

The historical trend of cyber criminals attacking the financial and consumer markets has grown exponentially, not only in the number of attacks but also in the sophistication and severity of the data exploited in each breach. In 2005 Bank of America lost computer tapes, resulting in a data breach that exposed the PII of 1.2 million customers, including social security numbers, account numbers and addresses; 900,000 of those customers worked for the Department of Defense (DoD) (Holtfreter, 2015). In May of the same year, Iron Mountain Transportation Company also lost tapes containing the PII for over 600,000 employee files belonging to Time Warner Cable Company (Holtfreter, 2015). In March of 2006, the United States Marine Corps lost a portable external hard drive containing the PII of nearly 208,000 enlisted Marines, and in April a hacker was able to access 190,000 records of current and prospective students, alumni, faculty and staff members of the University of Texas’s McCombs School of Business (Holtfreter, 2015). In 2013, Target fell victim to a major cyber-attack that resulted in 40 million debit and credit card numbers and the PII of 70 million consumers being exposed to cyber criminals.
The result of this attack not only left millions of consumers vulnerable to personal cyber-attacks, but also resulted in a 5.3% decrease in Target’s revenue and a 46% decrease in revenues generated by Target that year, along with a $61 million expenditure in the 4th quarter of 2013 (Kashmiri S., 2016). From 2013 to 2015, an organized international cyber-criminal group known as the Carbanak Cyber Gang stole in excess of $1 billion from banks around the world (Johnson, 2019). On 7 September 2017, hackers exploited a vulnerability in Equifax’s software to gain access to Equifax’s internal network. This data breach resulted in the consumer information of over 143 million Americans, including names, addresses, social security numbers, dates of birth and financial history, being stolen by the hackers. 44% of the American population’s identity and financial history was compromised during this attack (Marcus, 2018).

Tools used by cyber criminals

In the case of the Carbanak Gang, the group uses a covert and persistent strategy when attacking a target. The gang will wait for months, slowly gaining access to the target’s infrastructure using social engineering tactics against its employees (Rashid, 2016). Social engineering is among the oldest methods used in cyber-attacks, and to this day remains the most beneficial and successful tool in any cyber-criminal’s arsenal. There are two basic methods of attack a cyber-criminal will leverage in order to gain access to a target’s I.T. infrastructure. A network-based attack is conducted through the use of phishing emails, malware or some other form of code injection attack, while a physical attack leverages methods such as copying data directly to a removable device or obtaining access to physical documents (Ullah, 2018).

PCI DSS Compliance

PCI DSS covers standardized requirements in three primary areas: network, wireless, and outsourcing to third-party service providers (PCI Security Standards Council, LLC, 2018).
In 2013 it was reported that more than 66% of consumer point-of-sale transactions involved the use of payment cards, while only half of all small merchants accepted payment cards during the same period (Clapper D., 2016). Research conducted by Intuit found that 83% of all small businesses that had begun accepting payment cards such as credit cards and debit cards also saw an increase in generated business, with 52% seeing an increase of at least $1,000 per month and 18% showing an increase in revenue of at least $20,000 per month (Clapper D., 2016). In 2004, in a joint effort between credit issuers, the PCI Council was formed with the purpose of developing a standardized compliance program for merchants who accept payment cards as a form of transaction, in order to protect consumer data. Originally the PCI DSS was developed for larger merchants that fall under the PCI DSS Level 1 category, those with in excess of 6 million transactions per year (Clapper D., 2016). In 2015 the PCI Council released a security bulletin stating the requirement for merchants that fall under the Level four category, those with fewer than 20,000 transactions per year, to be in full compliance with the PCI DSS by 2017 (Clapper D., 2016). The most vital component of any PCI DSS project is to ensure that the scope of the PCI DSS compliance requirements is understood in its entirety from the beginning; any miscommunication or misunderstanding at the outset substantially increases the possibility of compliance failure as the project is brought to a conclusion, resulting in a significant amount of time, money and resources being wasted (Rees, The Challenges of PCI DSS Compliance, 2010). Large corporations spend on average approximately $2.1 million annually to remain compliant with PCI DSS requirements (Clapper D., 2016).
While larger Level 1 merchants are capable of investing millions annually in security compliance, it is not feasible to require small Level four merchants to invest at the same level. According to a Symantec survey in 2012, 85% of small companies within the United States had no plans to invest in cyber security. The same survey also found that 77% of small businesses within the United States felt they were safe from cyber threats, even though 40% of cyber-attacks in 2012 targeted businesses with fewer than 500 employees (Clapper D., 2016). Given the level of cyber-attacks against merchants, from the corporate giants to the small shops, the PCI DSS was designed and implemented with the intention of protecting individual consumers’ bank card data from being compromised and misused (Rees, Tackling the PCI DSS Challenges, 2012). The large corporate merchants are capable of spending tens of thousands, or even millions, of dollars annually on cyber security to maintain PCI DSS compliance, in addition to corporate defense mechanisms against growing cyber threats. Smaller companies are incapable of this level of investment in cyber security; in fact, according to a PWC survey, 52% of small businesses do nothing to prevent cyber attacks against their own networks (Clapper D., 2016). There are many reasons for this failure, including excuses such as PCI DSS being too difficult, too expensive, or too vague. Some small businesses even claim that PCI DSS does not apply to their specific business, or that they are a small company and therefore not a target of cyber criminals (Rees, Tackling the PCI DSS Challenges, 2012). Those statements, however, are fallacies: any merchant who processes credit or banking card transactions, whether one transaction or a million per year, is vulnerable to cyber-attacks and susceptible to bank fraud.
The PCI Council has presented “best practices” in the PCI DSS Requirements and Security Assessment Procedures, with the latest version released in May 2018 as Version 3.2.1 (PCI Security Council, 2018). PCI DSS compliance is not, and should not be, a one-time preparation to pass an assessment, to be forgotten about until the following year. Rather, it is a continually evolving process which requires constant maintenance throughout the year, leading up to each required compliance evaluation (Rees, Tackling the PCI DSS Challenges, 2012). As stated by the PCI Security Council (2018), there are six best practices to maintain compliance with the PCI DSS while minimizing costs.

1.) Designated personnel should perform continual monitoring of security controls, such as firewalls, intrusion detection and intrusion prevention systems (IDS/IPS), file integrity monitoring, anti-virus/anti-malware software, and access controls, including both electronic and physical controls.

2.) Entities should ensure that a process for the timely detection of and response to all failed security controls is in place. The process must include restoring the security control; identifying the causes leading to the failure of the control; identifying and addressing all security problems that arose as a result of the control failure; implementing mitigations/safeguards to prevent the failure from recurring; and finally, resuming the continued monitoring of all security controls.

3.) Change control should be established by implementing a review process for any changes to the environment, including the addition or removal of any equipment or system, or changes to the network configuration, prior to completion of the change.
The change review process should include an impact assessment on the scope of the PCI DSS, identifying all PCI DSS requirements that would be applicable to the new system or network change, and updating the PCI DSS scope to include the change as well as any new security control requirements.

4.) Entities should document and review any organizational structure changes, such as corporate mergers or acquisitions, that would impact the PCI DSS scope and requirements.

5.) Entities should implement a periodic review process to maintain compliance with PCI DSS requirements.

6.) Finally, entities should implement a review, conducted at least annually, of all hardware and software used within the corporate infrastructure. The review should verify the continuation of vendor support and validate that the minimal security requirements are in place to meet PCI DSS compliance.

The PCI DSS requirements are applicable to any merchant who directly accepts card payment for any goods or services rendered. The standard divides merchants into four (4) categories based on the number of annual transactions. Level 1 merchants process more than 6 million transactions per year. Level 2 merchants process less than 6 million but more than 1 million. Merchants that fall under Level 3 process less than 1 million but more than 20,000. Level four merchants are organizations that process less than 20,000 transactions each year. All merchants are required to follow the same 12 base requirements found in Table 1, with additional requirements mandated for the higher-tier merchants (D'Agostino, 2016). In addition to the base requirements, Level four merchants must complete an annual self-assessment and a security scan through an approved scanning vendor. Level 3 merchants are required to complete the same as the Level four merchants; however, the network scans must be completed on a quarterly basis.
Level 2 merchants have the same requirements as Level 3 merchants but must also complete an onsite assessment at the merchant’s discretion. Level 1 merchants, having the highest level of potential fallout should a breach occur, have the most stringent requirements to maintain PCI DSS compliance. Level 1 merchants must comply with all requirements of Level 2 merchants; however, the security assessment must be completed by a Qualified Security Assessor (D'Agostino, 2016). When selecting a Qualified Security Assessor (QSA), take great care and spend a good amount of time choosing the right QSA for the organization in question (Rees, Tackling the PCI DSS Challenges, 2012). QSAs generally charge by the day and will cost in excess of $1,000 per assessor per day (Rees, Tackling the PCI DSS Challenges, 2012).

Is PCI DSS enough?

PCI DSS has been in place since 2006, giving the program more than a decade to yield results, yet merchants of all sizes are still breached and cardholder data is still being compromised. PCI DSS assists businesses in protecting consumer data through the implementation of security best practices throughout the payment card process (D'Agostino, 2016). In 2007, the United Kingdom payment association APACS reported a 26% increase in credit and debit card fraud losses in the first half of 2007 compared to the same period in 2006 (Meadowcroft, 2008). In 2006, UK cyber fraud reached £154.5 million, 73% of which were “card-not-present” fraud cases, a consequence of the Chip & PIN technology that had been introduced in Europe just 2 years prior (Meadowcroft, 2008). With the introduction of technological security measures to protect consumer data at financial institutions, fraudsters were forced to change tactics, becoming more advanced and moving to sophisticated internet-based methods to carry out their fraudulent attacks in an effort to obtain consumer financial data.
A decade later, cyber criminals are still breaching merchants and compromising consumer data. In 2014, data breaches were up by 29% from 2013 (D'Agostino, 2016). In January of 2016, the Wendy’s fast-food restaurant chain was breached through a vulnerability exploited in its point-of-sale (POS) system. Hyatt Hotels had 250 hotels in 50 nations compromised by a data breach through a malware attack on their POS systems. In 2008, cyber-criminals exploited a SQL injection vulnerability, resulting in a data breach of Heartland Payment Systems, which processes more than 4 billion transactions each year (D'Agostino, 2016). In 2019 a survey conducted by Hiscox revealed that 55% of British companies had faced an attack in 2019, an increase from 40% in 2018 (Lloyd, 2020). The report also showed that small to medium-sized businesses were not exempt from cyber-attacks; they were intentionally targeted because of their small stature, since a small to medium-sized company was less likely to implement the same level of security protection as a large enterprise. According to a Cyber Security Breaches Survey conducted in 2019, 78% of small to medium-sized companies saw cyber security as a high priority. This, however, did not translate into action to implement cyber defense measures to protect company data. Only 15% of small businesses have implemented a formal cyber incident management process (Lloyd, 2020). The Ponemon Institute estimated there to be approximately 130 successful data breaches per company in 2017, resulting in $11.7 million per organization in damages from data breaches, a 27% increase from 2016 (Marcus, 2018). The Ponemon Institute study also found that an estimated 16.7 million U.S. consumers had fallen victim to identity fraud in 2017, resulting in approximately $16.8 billion stolen (Marcus, 2018).
Speaking at a cyber security conference in 2012, the former FBI Director Robert Mueller made the statement: “There are two types of companies: Those that have been hacked and those that will be” (Marcus, 2018). Assuming that Mueller is correct, and it is inevitable that all companies will fall victim to data breaches, the question then remains: what security controls can a company put in place in order to minimize the risk of data breaches exposing consumer PII and financial transaction information to unauthorized individuals? The Identity Theft Resource Center found that 9,395 data breaches had been documented in the United States between January 1, 2005 and September 30, 2018, resulting in the compromise of over one billion consumer records to cyber criminals (Marcus, 2018).

The broken QSA System

To become a Qualified Security Assessor, the QSA must be employed by a certified QSA company, complete the QSA training program, maintain an industry certification, and pass two certification examinations. D'Agostino (2016) states that a major shortcoming of the QSA program is that Level 1 merchants are required to contract a QSA company to complete an annual security and PCI DSS compliance audit. Since the QSA companies are independent of the PCI Security Standards Council, as well as of any of the transaction card brands, and they must be contracted by the Level 1 merchant, the merchant essentially becomes the customer of the QSA. As the customer, the merchant may then dictate the audit outcome, creating a conflict of interest for the QSA.

Data Encryption

Encryption is the principal application of cryptography, the process of making data incomprehensible to ensure its confidentiality. Encryption uses an algorithm called a cipher and a secret value called the key; without the key the cipher cannot be unscrambled, maintaining the security of the encrypted data (Aumasson, 2018).
Encrypting corporate proprietary data (including customer information and financial transaction data) is a viable measure to ensure the security of the data even in the event of a breach. Even strong encryption, such as 1024-bit symmetric key encryption, while complex and extremely difficult to break, can still yield a host of issues for the company in question should it be disclosed (Williams, 2011). Data encryption solutions fall under two basic categories: data-at-rest and data-in-transit. Data-at-rest encryption protects data while it sits in hard disk storage on a system, not in use. Data-in-transit encryption protects data while it is being transferred, either while it is being used by an authorized user with access to the data and the system on which the data resides, or when transferring the data from one location to another. Both data-at-rest and data-in-transit encryption may be used to secure data to meet PCI DSS requirements. To ensure PCI DSS compliance through the use of data-at-rest encryption, there are six basic guidelines to follow.

1.) The administrator(s) must ensure that the database and the host system’s operating system (OS) are up to date, with the latest security patches applied, and are properly maintained on a regular basis.

2.) The platform must not run any additional services other than those specifically needed for the functionality of the host system’s OS and the database.

3.) The administrator(s) must remove all unused functions from the database, such as the default stored procedures.

4.) The administrator(s) must restrict access to the raw tables, forcing users to interact with the database through views and stored procedures. This not only enhances the security of the data stored within the database but also improves database performance.

5.) The platform must enable mandatory encrypted link(s), such as TLS, to the database for access by all users.

6.) Should the database application reside on a separate system from the data being accessed, such as a Storage Area Network (SAN), the administrator(s) must ensure the link is encrypted (Williams, 2011).

Data-in-transit encryption is a requirement of PCI DSS, specified in Requirement 4.1 of the PCI DSS Requirements and Security Assessment Procedures guide provided by the PCI Security Council. However, this requirement applies only to public and open networks and is not specified as a requirement for data transfers within a company’s internal network. The 2013 Target data breach was the result of cyber criminals gaining access to Target’s internal network through malware installed on Target’s POS systems. This data breach resulted in the exposure of over 40 million debit and credit cards, as well as the PII of over 70 million individuals (Piggni F., 2018). The impact of Target’s data breach could have been far lower had Target implemented both data-at-rest and data-in-transit encryption solutions encompassing not only external data transfers, but data transfers over the company’s internal network as well.

The biggest challenge when deploying an encryption solution is key management. The number of keys needed to encrypt and decrypt the data being protected is far beyond what humans can manage by hand. The issue lies in using a key to encrypt the data and storing that key in a way that allows other authorized individuals to access it to decrypt the data as necessary, while keeping the keys safe from unauthorized access (Williams, 2011).

Hashing

A hash is a cryptographic operation performed with the purpose of turning the original data into a fixed-length value called a “fingerprint” that cannot be reversed (Williams, 2011). When a user logs into a system OS, they generally enter a username and password.
The operating system, whether Windows, macOS, Linux or Unix, does not store the password itself; it stores a hash of the password (normally combined with a random salt), and at login it hashes what the user typed and compares the result to the stored fingerprint. Hashing cardholder data works in the same way. The downside to hashing is the rainbow table: a stored database of pre-computed inputs and their hashed results that can be indexed and compared against a hash captured during a cyber-attack. Cardholder data is narrowly defined, with a relatively small number of values that would pass the initial mathematical checks as a valid card number (Williams, 2011). It is this limited "keyspace," the total population of values a card number can take, that undermines the hash: a hash function such as SHA-256 produces a digest that should take 128 bits or more of effort to reverse, but a 16-digit primary account number (PAN) has at most 10^16 possible values, roughly 53 bits, and fewer still once known issuer prefixes and the Luhn check digit are taken into account (Williams, 2011). An attacker who can compute the hash function can therefore simply enumerate every possible PAN. The practical countermeasure is a keyed hash (for example, HMAC with a secret key protected like any other encryption key), so that the hash cannot be computed without the key.

Analysis of Evidence

Level four Merchants are being targeted

Many Level four merchants lack the resources, capabilities and knowledge to achieve PCI DSS compliance. They use legacy equipment, specifically legacy POS systems, leaving this class of merchants at a higher level of vulnerability (D'Agostino, 2016). Combined with the fact that most of the leaders running Level four merchants lack the technical and cyber security knowledge to understand and implement the processes and technical designs needed to meet PCI DSS, this results in an elevated risk of being targeted by cyber criminals. Forensic data gathered during incident handling investigations of data breaches has shown that legacy POS systems remain a constant issue among Level four merchants (D'Agostino, 2016).
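The keyspace problem from the Hashing section above, worked through in code. This is an added example, not code from the original paper or from Williams (2011): it computes the PAN keyspace in bits, then plays the attacker who holds a truncated PAN (first six and last four digits, the PCI DSS display format) and a stored hash, and brute-forces the six hidden digits. The test card number 4111111111111111, the demo key and the "first 6 + last 4" layout are assumptions chosen for illustration; with an unkeyed SHA-256 the full PAN is recovered in at most 10^5 hashes, while the same search against an HMAC fails without the key.

```python
import hashlib
import hmac
import itertools
import math
from typing import Optional

# digit * 2 with the two digits summed, for the Luhn doubling step
_DOUBLED = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test (ISO/IEC 7812) over a string of digits."""
    digits = [int(c) for c in pan]
    checksum = sum(digits[-1::-2]) + sum(_DOUBLED[d] for d in digits[-2::-2])
    return checksum % 10 == 0


def pan_keyspace_bits(digits: int = 16, luhn: bool = True) -> float:
    """Upper bound on PAN entropy: log2 of the number of possible values.
    16 digits give 10**16, about 2**53; the Luhn check digit removes one
    digit of freedom. Known issuer prefixes reduce it further still."""
    free_digits = digits - 1 if luhn else digits
    return math.log2(10 ** free_digits)


def plain_hash(pan: str) -> str:
    """Unkeyed SHA-256: what a naive 'just hash the card number' design stores."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that lives in the key-management system."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(target: str, first6: str, last4: str,
                key: Optional[bytes] = None) -> Optional[str]:
    """Attacker's view: given a truncated PAN and a stored digest, enumerate the
    six hidden digits. Only Luhn-valid candidates are hashed (about 10**5)."""
    for mid in itertools.product("0123456789", repeat=6):
        cand = first6 + "".join(mid) + last4
        if not luhn_valid(cand):
            continue
        digest = keyed_hash(cand, key) if key is not None else plain_hash(cand)
        if hmac.compare_digest(digest, target):
            return cand
    return None


if __name__ == "__main__":
    PAN = "4111111111111111"         # well-known test number, not a real account
    KEY = b"constructed-demo-key"    # stands in for a key from an HSM or KMS
    print(f"PAN keyspace: {pan_keyspace_bits(16, luhn=False):.1f} bits raw, "
          f"{pan_keyspace_bits(16):.1f} bits after Luhn")
    print("unkeyed hash, truncated PAN known ->",
          recover_pan(plain_hash(PAN), PAN[:6], PAN[-4:]))
    print("keyed hash, key unknown to attacker ->",
          recover_pan(keyed_hash(PAN, KEY), PAN[:6], PAN[-4:]))
```

The search takes a few seconds in pure Python; with a GPU the whole 10^16 space, not just the six hidden digits, is within reach, which is why the PCI DSS treats a hashed PAN stored beside its truncated form as recoverable and why a keyed hash is the sound choice.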
Common methods currently deployed against Level four merchants exploit untrained integrators who leave default administrator credentials in place, allowing attackers to access and steal cardholder data. Phishing email campaigns and social engineering tactics are used to exploit the human vulnerabilities of Level four merchants and to infiltrate integrators' networks. Once the cyber criminals have gained access to an integrator's network, they use default remote-access credentials to steal data from the integrator's customer base; many of the systems exploited are PC-based POS systems still configured with default settings (D'Agostino, 2016). The PCI Security Standards Council has recognized this attack vector and responded with the Qualified Integrator and Reseller (QIR) program. The QIR program certifies companies that meet its requirements, which are then permitted to sell and implement secure payment applications and POS systems. Another role of the QIR is to participate in the forensic investigation in the event of a data breach (D'Agostino, 2016). In January 2017 Visa introduced an incentive to convince Level four merchants to use a QIR as their POS vendor by waiving the annual Self-Assessment Questionnaire (SAQ). According to a 2017 survey by the Ponemon Institute, the cost of PCI DSS compliance is the number one reason cited for non-compliance. It was estimated that maintaining compliance with PCI DSS requirements consumes approximately 35% of the annual security budget of a typical Level 1 merchant, and 60% of the companies surveyed stated that they lacked the resources to remain compliant (D'Agostino, 2016). The Ponemon Institute also surveyed 155 QSAs worldwide regarding the cost of an annual audit.
The fees for one annual audit ranged between $225,000 and $500,000, and that figure covers only the QSA's fee. Additional costs are incurred during a typical QSA audit, such as the labor and technology costs the merchant bears to become PCI DSS compliant (D'Agostino, 2016).

Cost of Non-Compliance

While the cost of maintaining PCI DSS compliance is extraordinarily high, it pales in comparison to the potential losses from a data breach suffered while non-compliant. The cost of compliance is relatively simple to calculate: QSA fees, system and software upgrades, the salaries of qualified staff and proper training are all known costs. The cost of non-compliance is harder to calculate, because a data breach of a non-compliant merchant produces a host of costs. Indirect costs include the value of the data compromised, loss of business, reputational damage and public outcry. Direct costs include hiring an incident handling team to investigate the breach, hardware and software upgrades to patch or mitigate vulnerabilities, and the salaries of new I.T. and cyber security staff or the fees of a third-party I.T. and cyber security firm engaged to manage the company's technology and security. Losses incurred as a direct result of data breaches were projected to reach $2.1 trillion by 2019 (Vasileios Mavroeidis, 2017).

Limitations of Study

Daily news broadcasts routinely report on the most recent large data breaches, such as the 2013 Target breach, the 2015 Office of Personnel Management breach and the 2017 Equifax breach, each of which compromised the PII, personal health information (PHI) or financial information of hundreds of thousands to hundreds of millions of individuals.
It is highly unlikely to hear any news broadcast about a data breach at a small merchant. For this reason a great deal of data is available for study on breaches of large enterprises, while very little exists on breaches of small companies. There are two main reasons for this. First, many successful breaches of small companies go unnoticed; because the company is unaware of the breach, no incident handling investigation is carried out and no information about the breach is produced. Second, there is little incentive to report a breach once it is discovered. Small merchants generally lack the resources and the incentive to evaluate their systems to determine whether a breach has occurred. They tend to spend any available resources on generating revenue rather than on evaluating their networks, let alone their payment card infrastructure, for possible breaches. Small companies also lack the capability or the desire to hire a QSA, since a fee of $250,000 or more could send a small company into Chapter 11. The research has revealed that cyber crime is rising each year, resulting in more breaches that compromise consumer data; it has also shown that Level four merchants are becoming the prime target of PCI data breaches because of their lack of resources, knowledge, awareness and desire to harden their networks and bring them into compliance with the PCI DSS. Whatever the reason, there is a lack of available data on small merchant breaches, both in regard to the exact quantity or frequency of breaches and attempted breaches, and in regard to the vulnerabilities used to exploit small business networks.
There is also very little data on the number of small businesses that are compliant versus non-compliant with PCI DSS.

Conclusion

As global threats increase, cyber criminals are no longer targeting only government agencies and large corporations; small and medium sized companies also find themselves in the crosshairs. Cyber criminals continually advance their capabilities and the sophistication of their attacks, patiently gathering intelligence on their intended targets before attacking. Most small and medium sized companies cannot expend the resources needed to properly secure their systems and internal networks, let alone meet the demanding requirements of the PCI DSS. With losses from data breaches projected at $2.1 trillion for 2019 alone, small businesses need a solution that provides a higher level of security at a lower cost to implement and maintain. PCI DSS has proven to be an effective countermeasure to the ongoing global cyber threats against merchants: merchants that remain PCI DSS compliant have a lower likelihood of falling victim to a data breach. However, not all companies have the resources to obtain or maintain compliance; the cost of equipment, of staff to build and secure the infrastructure, and of monitoring system and network activity to keep it secure can be high. A cloud-based cyber security firm may be able to provide a cost-effective and efficient means of actively securing its clients by providing CSaaS.

Recommendations

Cyber Security Awareness

The first step to securing small merchant systems is awareness; developing cyber security and information assurance awareness training is a fundamental component of reducing the exploitation of social engineering vulnerabilities.
Cyber awareness and information assurance (IA) training begins by exposing the merchant to the level of threats in existence today and the growing threats of tomorrow. Proper awareness establishes that small companies are targeted just as heavily as large ones, particularly because of the lack of awareness and resources that small businesses invest in cyber security. The training should thoroughly cover the social engineering tactics commonly employed by cyber criminals, including phishing, smishing and whaling campaigns, as well as basic techniques and solutions for protecting publicly available information that could be used to compromise the infrastructure. Cyber criminals may spend days, weeks or even months in the intelligence-gathering phase of an attack. Social media sites, company websites, domain lookup sites and job descriptions all provide information that can be compiled into usable intelligence against the intended target. IA refresher training should be given to all client employees annually, under a policy developed and approved by the client company's leadership that mandates training compliance.

Cloud-Based Cyber Security

Remote, centrally located security tools may be leveraged through third-party vendors to enhance an organization's cyber security posture. Such outsourcing may provide a lower-cost, higher-benefit route to PCI DSS compliance for Level three and Level four merchants. One study found that 71% of businesses had experienced an insider threat, whether through malicious intent or inadvertent incidents (Sneha, 2017). Through the deployment of tools such as Splunk (a security information and event management, or SIEM, platform), Tanium (endpoint management) and Host Based Security Systems (HBSS, an endpoint protection suite), both internal and external threats may be mitigated through constant monitoring of Active Directory, system, user and network activity.
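The SIEM monitoring described above, reduced to its core: extract fields from raw log lines, keep state across events, and alert on a pattern. This is an added example, not code from the paper or from Splunk; the log lines are constructed, the format is a simplified sshd/syslog style chosen for the demo, and the SPL sketch in the docstring is an approximate equivalent rather than a query taken from Splunk documentation. The detection raises an alert when one source address fails to log in as one user five or more times inside a ten-minute window and then succeeds, the signature of a password-guessing attack against a POS host that finally lands.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample events (not real logs): an attacker at 203.0.113.5 guesses the
# "admin" password on a POS host and eventually succeeds; a clerk mistypes once.
SAMPLE_LOGS = """\
2021-03-01T09:00:01Z pos-07 sshd: Failed password for admin from 203.0.113.5 port 51000
2021-03-01T09:00:04Z pos-07 sshd: Failed password for admin from 203.0.113.5 port 51001
2021-03-01T09:00:07Z pos-07 sshd: Failed password for admin from 203.0.113.5 port 51002
2021-03-01T09:00:10Z pos-07 sshd: Failed password for admin from 203.0.113.5 port 51003
2021-03-01T09:00:13Z pos-07 sshd: Failed password for admin from 203.0.113.5 port 51004
2021-03-01T09:00:20Z pos-07 sshd: Accepted password for admin from 203.0.113.5 port 51005
2021-03-01T09:05:00Z pos-02 sshd: Failed password for clerk from 10.0.0.8 port 40000
2021-03-01T09:05:30Z pos-02 sshd: Accepted password for clerk from 10.0.0.8 port 40001
2021-03-01T11:00:00Z pos-03 sshd: Failed password for root from 198.51.100.9 port 22222
"""

# Field extraction, the equivalent of a Splunk "rex" or props.conf extraction.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields: Dict[str, object] = m.groupdict()
    fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_bruteforce_success(log_text: str, threshold: int = 5,
                              window: timedelta = timedelta(minutes=10)) -> List[Dict[str, object]]:
    """Alert when one (source, user) pair records at least `threshold` failed logins
    inside `window` and then an Accepted login. Rough Splunk SPL equivalent (sketch):
      index=auth sourcetype=sshd
      | transaction src, user maxspan=10m endswith="Accepted password"
      | where eventcount > 5
    """
    failures: Dict[tuple, deque] = defaultdict(deque)   # (src, user) -> failure times
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue   # skipped here; in production, count unparsed lines as a health metric
        key = (ev["src"], ev["user"])
        recent = failures[key]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()   # slide the window forward
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"ts": ev["ts"].isoformat(), "host": ev["host"],
                           "src": ev["src"], "user": ev["user"],
                           "failures_before_success": len(recent)})
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_success(SAMPLE_LOGS):
        print("ALERT", alert)
```

The clerk's single mistake and the lone root attempt produce no alert; only the admin sequence does. Tuning the threshold and window is where most of the operational work in a SIEM goes.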
Splunk

Splunk is a SIEM tool that can collect and analyze the large quantities of data generated by business technology. Logs are the go-to archives for gaining company-wide operational intelligence. Splunk may be configured to ingest system logs, network traffic logs, security tool event logs and user account activity logs, and to parse out the key fields of interest (Ball, 2016). Splunk can track activity events to recognize patterns and send alerts to a security team for further investigation of suspicious activity. Logs are produced as raw data; reading raw logs to understand what activity and events occurred is complicated and not easily done by individuals, and the problem is compounded by volume, since a typical enterprise network generates tens or even hundreds of gigabytes of log data per day. Splunk enables real-time threat analysis and response by forwarding logs from systems and network devices to a central location as they are generated, analyzing and monitoring them in real time, and sending alerts that trigger an appropriate response when suspicious activity is detected. A final capability of Splunk is the generation of historical data and trends, which may be presented as visual analytics for data-driven decision making. Splunk is available hosted through numerous cloud service providers, such as Amazon Web Services (AWS), as well as through Splunk Cloud directly from the vendor.

Tanium

Tanium is an endpoint management and security platform. Tanium addresses basic cyber security hygiene.
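The hygiene check that a platform like Tanium automates, written out as an added example (not the paper's or Tanium's code): an agent-style inventory of installed versions is compared against a vendor advisory feed, and every host still below the fixed version is reported with the age of the fix and whether the patch deadline has passed. The advisories, the inventory and the product names are constructed; the 30-day deadline for critical patches follows PCI DSS v3.2.1 Requirement 6.2, while the 90-day figure for "high" is an assumed organizational policy.

```python
import re
from datetime import date
from typing import Dict, List, Tuple

# Constructed vendor advisory feed (not real advisories):
# product -> (first fixed version, date the fix was released, severity)
ADVISORIES: Dict[str, Tuple[str, date, str]] = {
    "openssl":      ("1.1.1k", date(2021, 3, 25), "critical"),
    "pos-app":      ("4.2.1",  date(2021, 2, 1),  "critical"),
    "java-runtime": ("8u281",  date(2021, 1, 19), "high"),
}

# Constructed endpoint inventory as an agent would report it: host -> {product: version}
INVENTORY: Dict[str, Dict[str, str]] = {
    "pos-01":      {"openssl": "1.1.1k", "pos-app": "4.2.1", "java-runtime": "8u271"},
    "pos-02":      {"openssl": "1.1.1g", "pos-app": "4.2.1"},
    "back-office": {"openssl": "1.1.1k", "pos-app": "4.1.0", "java-runtime": "8u281"},
}

# Patch deadlines in days. PCI DSS v3.2.1 Requirement 6.2: critical patches within one
# month of release. The 90-day value for "high" is an assumed local policy.
SLA_DAYS = {"critical": 30, "high": 90}


def version_key(version: str) -> Tuple:
    """Split a version string into comparable runs so that "1.1.1g" < "1.1.1k" and
    "8u271" < "8u281"; numeric runs compare as integers, letter runs lexically."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def audit(inventory: Dict[str, Dict[str, str]],
          advisories: Dict[str, Tuple[str, date, str]],
          today: str, sla_days: Dict[str, int] = SLA_DAYS) -> List[Dict[str, object]]:
    """One finding per (host, product) still below the fixed version, with the age of
    the fix and whether the patch SLA is already breached. `today` is an ISO date."""
    today_d = date.fromisoformat(today)
    findings: List[Dict[str, object]] = []
    for host, installed in inventory.items():
        for product, (fixed, released, severity) in advisories.items():
            if product not in installed:
                continue
            if version_key(installed[product]) >= version_key(fixed):
                continue   # already at or above the fixed version
            age = (today_d - released).days
            findings.append({
                "host": host, "product": product,
                "installed": installed[product], "fixed": fixed,
                "severity": severity, "days_since_fix": age,
                "sla_breached": age > sla_days.get(severity, 90),
            })
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY, ADVISORIES, "2021-04-10"):
        flag = "OVERDUE" if f["sla_breached"] else "pending"
        print(f"{flag:8} {f['host']:12} {f['product']:13} {f['installed']} -> {f['fixed']} "
              f"({f['severity']}, fix {f['days_since_fix']}d old)")
```

Run against the constructed data on 2021-04-10, three hosts are behind, but only the back-office pos-app, 68 days past a critical fix, is over its deadline; the other two are still inside their windows. That split between "missing" and "overdue" is what lets a small team prioritize.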
One of the most common misconceptions about cyber security is that intrusions are generally carried out by nation states with abundant resources to exploit zero-day vulnerabilities. In reality, most exploited vulnerabilities are basic I.T. hygiene issues that can be exploited by script kiddies. Properly managing, updating and patching systems, installing the latest software updates and applying vendor patches for open vulnerabilities as they are released is a tedious and continuous process. As the I.T. infrastructure grows, this process becomes even harder to maintain; systems are neglected, patches and updates are not applied, and vulnerabilities remain open for extended periods. Tanium offers visual analytics of the hygiene state of the information systems. All systems managed by the Tanium server through its agent are constantly monitored. Tanium scans the individual systems to generate a baseline report and presents a near real-time analysis of all managed systems: any systems missing patches or software updates, and any open vulnerabilities that could be closed, are presented in a visual dashboard. Updates, patches and approved software may be uploaded to Tanium for deployment to the managed systems. Rogue system detection is an additional feature: as systems are added to or turned on within the monitored network, Tanium discovers them and can either attempt to install the Tanium agent on them if required or report them if they are unauthorized. Tanium is available not only through vendor licensing but also through cloud service providers, including AWS and Google Cloud.

Host Based Security Systems (HBSS)

Host Based Security Systems are an all-encompassing cyber security solution.
HBSS offers a suite of cyber security products that may be managed remotely from a central location. Anti-Virus/Anti-Malware (AV), Host Intrusion Detection/Prevention (HID/P), Rogue System Detection (RSD), Data Loss Prevention (DLP), software-based Firewall (FW), file and system encryption, Endpoint Security (ENS), Application Configuration and Control Module (ACCM), Policy Auditor (PA) and Web Control are all products offered through HBSS. Each product can be configured independently to the specific client's needs to maintain the highest degree of security without interrupting legitimate work.

HBSS Management Console

The management console is accessed through a web browser using the URL or IP address of the HBSS application server and the port defined during installation and setup. Access to the application can be secured with a standard username and password, or it can be configured to accept token-based two-factor authentication using a certificate and PIN, as with the Common Access Card (CAC), the smartcard issued by the Department of Defense (DoD). The console presents visual analytics of the security health of the network and all managed systems on the HBSS administrator's dashboard: the number of threat events per day, week, month or year; the number of systems reporting to the HBSS ePolicy Orchestrator (ePO) server; the number of "unmanaged," or rogue, systems; and the monitored subnets alongside discovered but unmanaged subnets. The dashboard also shows product version information, so that any HBSS product requiring an upgrade or patch is immediately visible, along with how many systems have the updated HBSS products installed versus out-of-date software.
The management console also gives the HBSS security administrator easy access to the system tree, which lists every system managed by the HBSS ePO. Opening an individual system's properties gives an organized view of its information, including hard drive space, random access memory, hardware manufacturer, installed operating system (OS), the user currently logged in, any HBSS-specific tags, installed products and network configuration. The administrator can organize systems into groups and subgroups for easier management of specific policies. Systems may be grouped by organization, by server versus workstation, by operating system (Linux, Unix, macOS, Windows) and by function (domain controllers, terminal servers, web servers, security scanning servers and so on). Specific policies for each HBSS product may be configured to the requirements of the individual organization and of the individual system. Each system may have its own policy or inherit policies from the group it resides in.

Anti-Virus/Anti-Malware (AV)

Anti-virus and anti-malware capabilities are a basic requirement of the PCI DSS (Requirement 5), but for organizations, out-of-the-box anti-virus software will not meet the requirements. Policies need to be configured to permit specific actions, such as registry access and modification, for specific applications while denying them to others. Some folders require exemptions from the On Access Scan (OAS) and On Demand Scan (ODS) processes so that their contents are not automatically flagged and marked for deletion by the AV software. HBSS provides policy management that allows the AV configuration to be tailored to a specific environment, maintaining the highest degree of security without disrupting business operations.
Multiple policies may be created and applied to manage a variety of resources across multiple environments.

Host Intrusion Detection/Prevention (HID/P)

Host intrusion detection and prevention systems are also stated requirements of the PCI DSS (Requirement 11.4 calls for intrusion-detection or intrusion-prevention techniques at the perimeter of, and at critical points within, the cardholder data environment). Small businesses do not necessarily have the resources and expertise to manage HID/P systems, as the processes can be extremely complicated. HID/P is a defensive tool that minimizes the insider threat as well as any external threat that has already gained access to the network. It limits the risk posed by whatever vulnerability an unauthorized individual used to gain that access. HID/P detects and reports as a threat event any attempt to modify software or the system registry or to install applications, and can even block PowerShell, shell and Bash (Bourne Again SHell) scripts from running on the managed system.

Rogue System Detection (RSD)

RSD detects every system on the monitored network, classifying systems as managed or unmanaged and network subnets as managed or unmanaged. A single RSD sensor can be deployed on any system within a subnet; the optimum is two RSD sensors per subnet. The sensors passively monitor the managed subnets and also detect additional subnets that are not managed. Once a sensor detects a "rogue" system on a subnet, a more intrusive scanning capability is available to gather as much information as possible. Because the RSD sensors are passive by default, rogue systems do not detect the sensor's presence on the network. Even with passive sensing alone, the RSD sensor may obtain a large amount of information about a rogue system, such as its IP address, the Media Access Control (MAC) address of its network port, operating system information and system name.
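The classification step behind RSD, as an added example that is not code from the paper or from the HBSS/ePO product: a passive sensor's observations (IP and MAC pairs learned from ARP, DHCP and broadcast traffic) are matched against the list of hosts that report to the management server, then against an administrator-approved exception list for devices that cannot run an agent, and everything left over is reported as rogue, with any subnet outside the managed list flagged. The subnets, MAC addresses, agent names, the small OUI vendor table and the /24 assumption for unknown subnets are all constructed for the demo.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed data (not from a real ePO/RSD deployment).
MANAGED_SUBNETS = [ipaddress.ip_network("10.10.1.0/24")]
# MAC addresses of hosts that report to the management server, with their agent names
MANAGED_AGENTS: Dict[str, str] = {
    "00:11:22:33:44:01": "pos-01",
    "00:11:22:33:44:02": "pos-02",
}
# Authorized devices that cannot run an agent; administrator-approved exceptions
EXCEPTIONS: Dict[str, str] = {"a4:5d:36:00:00:10": "printer-lobby"}
# Tiny OUI (first three octets) table so a rogue can at least be labelled by vendor.
# Stand-in for a real OUI database; the vendor names are made up.
OUI: Dict[str, str] = {"00:11:22": "corp-imaging-vendor", "de:ad:be": "unknown-vendor"}

# What a passive sensor sees on the wire: (ip, mac) pairs, constructed
OBSERVED: List[Tuple[str, str]] = [
    ("10.10.1.11", "00:11:22:33:44:01"),
    ("10.10.1.12", "00:11:22:33:44:02"),
    ("10.10.1.50", "A4:5D:36:00:00:10"),   # printer; mixed-case MAC as some sensors report
    ("10.10.1.99", "de:ad:be:ef:00:01"),   # unknown laptop
    ("10.10.2.7",  "00:11:22:33:44:09"),   # device in a subnet no sensor is assigned to
]


def classify(observed: List[Tuple[str, str]], subnets, agents: Dict[str, str],
             exceptions: Dict[str, str]) -> Dict[str, object]:
    """Sort observed devices into managed / exception / rogue and collect any
    subnets seen that are not in the managed list."""
    report: Dict[str, object] = {"managed": [], "exception": [], "rogue": [],
                                 "unmanaged_subnets": set()}
    for ip, mac in observed:
        mac = mac.lower()                       # normalise before any lookup
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in subnets):
            # assume /24 for reporting; a real sensor learns the mask from DHCP/ARP
            report["unmanaged_subnets"].add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
        if mac in agents:
            report["managed"].append({"ip": ip, "mac": mac, "name": agents[mac]})
        elif mac in exceptions:
            report["exception"].append({"ip": ip, "mac": mac, "name": exceptions[mac]})
        else:
            report["rogue"].append({"ip": ip, "mac": mac,
                                    "vendor": OUI.get(mac[:8], "unknown")})
    return report


def add_exception(exceptions: Dict[str, str], mac: str, label: str) -> Dict[str, str]:
    """Approve an unmanaged-but-authorized device so it stops alerting as rogue."""
    updated = dict(exceptions)
    updated[mac.lower()] = label
    return updated


if __name__ == "__main__":
    report = classify(OBSERVED, MANAGED_SUBNETS, MANAGED_AGENTS, EXCEPTIONS)
    for category in ("managed", "exception", "rogue"):
        for dev in report[category]:
            print(f"{category:10} {dev}")
    print("unmanaged subnets:", sorted(report["unmanaged_subnets"]))
```

Matching on MAC rather than IP matters: a rogue device that takes a DHCP lease looks like any other host by address, and the managed list is keyed on what the agent reported about its interface. MAC spoofing defeats this, which is why the paper's follow-up active scan exists.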
RSD sensors are valuable defensive tools for detecting possible unauthorized devices on the monitored network. Not every "rogue" system discovered, however, is an unauthorized device. Some devices, such as printers, phones and other network-attached peripherals, cannot run the agent, so exceptions must be created for each unmanaged but authorized device discovered on the network. RSD is also a useful feature for discovering forgotten "legacy" devices that should be removed from the network, since their unpatchable open vulnerabilities pose a risk to the network as a whole. RSD sensors are not specifically identified as a PCI DSS requirement, but they are a cost-effective added security measure that also helps close the vulnerabilities that must be closed to remain compliant.

Data Loss Prevention (DLP)

DLP acts as a hardware protection capability. DLP policies may be configured either as a whitelist (allow only known devices) or as the less effective blacklist (block only known-bad devices). Whitelisting is more intrusive and may temporarily disrupt business operations at the beginning of the configuration process, but it is the most secure method. DLP may be set to a log-only mode at first to gather information about devices as they are attached to the monitored systems. After a specified period, exceptions are created for the devices deemed authorized, and DLP is switched to enforcement mode. In enforcement mode DLP blocks any device for which no exception exists in the policy. Examples of devices that may be blocked include personal thumb drives and external hard drives, personal smartphones, and even unauthorized peripherals such as keyboards and mice.
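The log-then-enforce rollout described above, as an added example that is not code from the paper or from any DLP product. It models a device-control policy with two kinds of exception, a model-wide one keyed on USB vendor and product ID and a single-device one keyed on the serial number the device itself reports, and runs a constructed sequence of attach events through the log phase, an administrator's approval step, and the enforcement phase. The device names and VID/PID/serial values are invented for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class UsbDevice:
    vid: str     # USB vendor ID from the device descriptor (hex string)
    pid: str     # USB product ID
    serial: str  # serial number reported by the device, not the label on the case
    name: str


@dataclass
class DevicePolicy:
    mode: str = "log"                                                  # "log" then "enforce"
    allowed_models: Set[Tuple[str, str]] = field(default_factory=set)  # (vid, pid) exceptions
    allowed_serials: Set[str] = field(default_factory=set)             # single-device exceptions
    log: List[UsbDevice] = field(default_factory=list)                 # what log mode observed

    def is_allowed(self, dev: UsbDevice) -> bool:
        return (dev.vid, dev.pid) in self.allowed_models or dev.serial in self.allowed_serials

    def on_attach(self, dev: UsbDevice) -> str:
        """Decision for one attach event. Log mode records and never blocks;
        enforce mode blocks anything without an exception (default deny)."""
        if self.mode == "log":
            self.log.append(dev)
            return "allowed-logged"
        return "allowed" if self.is_allowed(dev) else "blocked"


# Constructed attach events; the identifiers are illustrative, not vendor lookups.
CORP_KEYBOARD_A = UsbDevice("046d", "c31c", "KB0001", "corporate keyboard")
CORP_KEYBOARD_B = UsbDevice("046d", "c31c", "KB0002", "corporate keyboard")   # same model, other unit
ISSUED_DRIVE    = UsbDevice("0951", "1666", "DRV-A1B2", "issued encrypted drive")
PERSONAL_DRIVE  = UsbDevice("0951", "1666", "DRV-ZZZZ", "personal drive, same model")
PHONE           = UsbDevice("18d1", "4ee1", "PHONE-1", "personal phone")


def rollout() -> Dict[str, str]:
    """Two-phase deployment: collect in log mode, approve, then enforce."""
    policy = DevicePolicy(mode="log")
    for dev in (CORP_KEYBOARD_A, ISSUED_DRIVE, PHONE):
        policy.on_attach(dev)          # nothing is blocked yet; devices are just recorded
    # Administrator reviews policy.log: keyboards approved by model (any unit of that
    # VID/PID), the issued drive approved by its hardware serial only, the phone denied.
    policy.allowed_models.add((CORP_KEYBOARD_A.vid, CORP_KEYBOARD_A.pid))
    policy.allowed_serials.add(ISSUED_DRIVE.serial)
    policy.mode = "enforce"
    return {dev.name: policy.on_attach(dev)
            for dev in (CORP_KEYBOARD_B, ISSUED_DRIVE, PERSONAL_DRIVE, PHONE)}


if __name__ == "__main__":
    for name, decision in rollout().items():
        print(f"{decision:8} {name}")
```

The instructive case is the personal drive: it is the same make and model as the issued encrypted drive, so a VID/PID exception for the drive would have let it through, while the serial-number exception blocks it. Approving storage by serial and peripherals by model is the usual split.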
Device exceptions are created within the policy through a variety of filters. A VID/PID (vendor ID/product ID) exception permits any device of the same manufacturer, model and type. A serial number exception permits a single device; the serial number used is the hardware serial number reported by the device itself, not the serial number printed on the device's sticker. The hardware serial number is unique and is only visible through software once the device is detected by the system. DLP offers advanced security measures to minimize the risk of insider threats, whether through malice or accidental leakage of data.

Firewall (FW)

The HBSS FW is strictly endpoint-based: a software firewall deployed on each individual system. Modern operating systems such as Windows and Linux have firewall software built in, but it is generally open and must be configured to lock down network access to the system. The HBSS FW offers remote, centrally managed configuration and monitoring of network activity on each system. Policies may be tuned for individual systems or groups of systems based on the client organization's requirements. The FW may be configured to allow only specific applications on source systems, specifying the permitted traffic by source IP, destination IP and port. This allows the FW to be much more restrictive, opening holes only as they are needed. For larger enterprise networks the endpoint FW is only one layer of the overall network protection; hardware firewalls should also be placed at multiple layers of the network. Routers, switches and network firewalls need to be in place for a more encompassing security posture.

Endpoint Security (ENS)

ENS is an enhanced version of AV made up of four components: Platform, Threat Prevention, Firewall and Web Control. Platform is the base layer required for any other component to be installed and function on the endpoint.
Threat Prevention includes the anti-virus/anti-malware and HID/P capabilities; Firewall is the third component; and Web Control is the fourth. ENS installs as a single application, minimizing storage and resource utilization such as CPU load. Using ENS as part of the endpoint deployment, the separate HID/P, FW and AV applications can be replaced, with the bonus of Web Control. Web Control uses Global Threat Intelligence (GTI) to keep users' web browsing from wandering into sites that embed exploit code and tools built for the express purpose of compromising systems. This helps prevent users from accidentally and unwittingly downloading exploit code that may act as a virus, worm or trojan, as well as spyware and ransomware.

References

Aumasson, J.-P. (2018). Serious Cryptography. San Francisco: No Starch Press, Inc.
Ball, A. D. (2016). Responding Proactively to the Problem of Compromised User Accounts. Serials Review, 259-265.
Chapple, M., Stewart, J. M., & Gibson, D. (2018). (ISC)2 CISSP Certified Information Systems Security Professional: Official Study Guide (8e). Indianapolis: Sybex.
Clapper D., R. W. (2016). Small Business Compliance with PCI DSS. Journal of Management Information and Decision Sciences, 54-67.
D'Agostino, V. J. (2016). Ten Years of PCI DSS and We Are Still Losing Cardholder Data. Utica: Utica College.
Holtfreter, R. E. (2015). Data Breach Trends in the United States. Journal of Financial Crime, 22(2), 242-260.
Johnson, A. (2019). Banks Confront the Insecurity of Physical Security. Retrieved from Business Insights: Essentials: https://bi-gale-com.ezproxy.libproxy.db.erau.edu/essentials/article/GALE|A602280201?u=embry&sid=summon
Kashmiri S., N. C. (2016, June 10). Birds of a Feather: Intra-Industry Spillover of the Target Customer Data Breach and the Shielding Role of IT, Marketing and CSR. Academy of Marketing Science.
Lloyd, G. (2020). The Business Benefits of Cyber Security for SMEs. Computer Fraud & Security, 14-17.
Marcus, D. J. (2018). The Data Breach Dilemma: Proactive Solutions for Protecting Consumers' Personal Information. Duke Law Journal, 555-593.
Meadowcroft, P. (2008). Card Fraud: Will PCI-DSS Have the Desired Impact? Berkshire: Thales e-Security.
Middleton, B. (2017). A History of Cyber Security Attacks: 1980 to Present. Boca Raton: CRC Press.
PCI Security Council. (2018, May). Document Library. Retrieved from PCI Security Standards Council: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1605990056455
PCI Security Standards Council, LLC. (2018, May). Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures. Retrieved from PCI Security Standards: https://www.pcisecuritystandards.org/document_library
Piggni F., B. M. (2018). Targeting Target with a 100 Million Dollar Data Breach. Journal of Information Technology Teaching Cases, 9-23.
Rashid, F. (2016, Feb 08). Cyber Criminals Cash out Using Power Shell, Other Legitimate Tools. Retrieved from Infoworld: https://bi-gale-com.ezproxy.libproxy.db.erau.edu/essentials/article/GALE|A481575715?u=embry&sid=summon
Rees, J. (2010). The Challenges of PCI DSS Compliance. Computer Fraud & Security, 14-16.
Rees, J. (2012). Tackling the PCI DSS Challenges. Computer Fraud & Security, 15-17.
Sneha, P. (2017). Reinforcing Your SME Against Cyberthreat. Computer Fraud & Security, 13-15.
Ullah, F. E. (2018). Data Exfiltration: A Review of External Attack Vectors and Countermeasures. Journal of Network and Computer Applications, 18-54.
Vasileios Mavroeidis, S. B. (2017). Cyber Threat Intelligence Model: An Evaluation of Taxonomies, Sharing Standards, and Ontologies Within Cyber Threat Intelligence. 2017 European Intelligence and Security Informatics Conference.
Williams, B. R. (2011). How Tokenization and Encryption Can Enable PCI DSS Compliance. Flower Mound: Elsevier Ltd.
Tables

Table 1. PCI Data Security Standard: High-Level Overview

Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel.

Note: High-level overview of the PCI DSS requirements as described in the PCI DSS Requirements and Security Assessment Procedures (D'Agostino, 2016).