Keeping U.S. commercial critical national infrastructure (CNI) organizations safe is vital to national security, and it has never been more top of mind as international conflicts and cyberattacks increase and create tensions for businesses, governments, and citizens.
Sixteen sectors are designated critical (communications, energy, and financial services, to name a few); their assets, systems, and networks are considered so crucial that their breakdown or destruction would cripple the operations of the country and put public health or safety at serious risk.
Payment card data and payment systems within CNI networks are a natural target for cybercriminals thanks to the riches they hold.
By March 2024, compliance goals must be met, yet the harsh reality is that, according to recent research, only 37% of these organizations possess the capability to effectively categorize and prioritize compliance risks within their networks.
In the face of ever-evolving cybersecurity threats, this deficiency poses a significant threat to the security posture of critical national infrastructure and emphasizes the need for a robust and prioritized approach to compliance.
Recognizing the urgency of this challenge, it is time for organizations to adopt a risk-based prioritization approach to hardening the cardholder data environment (CDE) network, also known as risk-based vulnerability management (RBVM).
Key to this is a detailed risk analysis of each misconfiguration that draws on networking expertise to determine the ease of exploitation, the potential impact on security, and the ease of fix.
Using risk-focused solutions, organizations can identify compliance risk trends and proactively address their most critical vulnerabilities, strengthening their defense against evolving cyber threats efficiently and strategically.
Historically, achieving PCI DSS compliance involved laborious manual mapping of network infrastructure device checks to specific requirements.
New solutions automate ready-mapped network device checks, with drill-down access to the testing procedures, to provide evidence to Qualified Security Assessors (QSAs).
Compliance reports demonstrate whether routers, switches, and firewalls either pass or fail to meet PCI DSS 4.0 requirements.
This allows internal security teams to quickly and efficiently categorize and prioritize mitigating action, which is a fundamental aspect of enhancing PCI DSS compliance posture.
A certified NSA cryptanalyst and PCI expert with over twenty years in the payment card industry recently shared that most products on the market do not truly understand PCI, and that vendors rarely have a deep understanding of data security requirements, so it is essential that companies investigate this when selecting a solution.
Understanding how adversaries operate is key to this. It is essential to assessing risk and exposure to attack, and therefore the priority with which networking devices should be remediated to protect critical areas of the network, such as the CDE. It also targets remediation effort and resources where they are most needed: using attack surface vulnerability assessments and threat intelligence to inform risk prioritization and remediation lets organizations see not only what is most critical but also what is most likely to be exploited.
Viewing the organization's risk through an attacker's lens takes RBVM to the next level. It goes well beyond merely discovering a vulnerability: it helps organizations understand the risk in the context of real-world threats and gain insight into the potential impact on the business.
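To make the prioritization described above concrete, here is an added example (not code from the article or from Titania's products) that scores failed network-device checks on the three factors the article names (ease of exploitation, potential impact, ease of fix) and boosts the score when a device is in CDE scope or threat intelligence flags the weakness as actively exploited. The findings, the 1-to-5 scales, the weights, and the mapping of each check to a top-level PCI DSS requirement are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    """One configuration check result for one network device (constructed data)."""
    device: str
    device_type: str          # router, switch or firewall
    pci_req: str              # top-level PCI DSS requirement the check maps to (illustrative)
    check: str
    passed: bool
    exploit_ease: int         # 1 = hard to exploit, 5 = trivial (assumed scale)
    impact: int               # 1 = negligible, 5 = full CDE compromise (assumed scale)
    fix_ease: int             # 1 = major redesign, 5 = one-line config change (assumed scale)
    in_cde: bool              # device is in scope for the cardholder data environment
    exploited_in_wild: bool   # threat-intelligence flag (constructed)


def priority_score(f: Finding) -> float:
    """Higher means remediate sooner.

    likelihood x impact is the core of the score; CDE scope and threat-intel
    exploitation each multiply their factor by 1.5 (assumed weights), and fix
    ease adds a small bonus so quick wins rise above equally risky hard fixes.
    """
    if f.passed:
        return 0.0
    likelihood = f.exploit_ease * (1.5 if f.exploited_in_wild else 1.0)
    impact = f.impact * (1.5 if f.in_cde else 1.0)
    return round(likelihood * impact + 0.5 * f.fix_ease, 2)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Return only the failed checks, most urgent first."""
    failed = [f for f in findings if not f.passed]
    return sorted(failed, key=priority_score, reverse=True)


def compliance_summary(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Pass/fail counts per requirement, the shape of a simple compliance report."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        counts = summary.setdefault(f.pci_req, {"pass": 0, "fail": 0})
        counts["pass" if f.passed else "fail"] += 1
    return summary


# Constructed sample findings; device names and check results are invented.
SAMPLE_FINDINGS = [
    Finding("fw-edge-01", "firewall", "Requirement 1", "Any-any rule permits inbound traffic to CDE",
            False, exploit_ease=5, impact=5, fix_ease=3, in_cde=True, exploited_in_wild=False),
    Finding("rtr-core-02", "router", "Requirement 2", "Telnet management enabled",
            False, exploit_ease=4, impact=4, fix_ease=5, in_cde=True, exploited_in_wild=True),
    Finding("sw-branch-07", "switch", "Requirement 2", "Default SNMP community string in use",
            False, exploit_ease=5, impact=3, fix_ease=5, in_cde=False, exploited_in_wild=True),
    Finding("sw-branch-07", "switch", "Requirement 8", "Local account without password expiry",
            False, exploit_ease=2, impact=2, fix_ease=4, in_cde=False, exploited_in_wild=False),
    Finding("fw-edge-01", "firewall", "Requirement 1", "Anti-spoofing filtering enabled",
            True, exploit_ease=1, impact=1, fix_ease=1, in_cde=True, exploited_in_wild=False),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{priority_score(f):6.2f}  {f.device:12} {f.pci_req:14} {f.check}")
    print(compliance_summary(SAMPLE_FINDINGS))
```

Note how the ordering falls out: the wide-open firewall rule on a CDE device ranks first on impact alone, while the Telnet finding, lower in raw impact, lands almost level with it because threat intelligence marks it as exploited and it is cheap to fix. The branch-switch findings sink to the bottom because they sit outside CDE scope, which is the kind of separation a risk-based view gives that a flat list of failed checks does not.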
With next year's deadline on the horizon, the time is ripe for organizations to embrace evidence-based reporting to elevate their PCI DSS compliance posture to new heights.
It is also an ideal opportunity to find solutions that support RBVM and provide a risk analysis of each non-compliance that draws on networking expertise to determine ease of exploitation, potential security impact, and fix feasibility.
This will ensure organizations achieve security from compliance.
A proactive security approach underpinned by RBVM and coupled with strategies such as Zero Trust network segmentation empowers organizations to address vulnerabilities strategically, reinforcing their defense against evolving cyber threats and safeguarding operations and, potentially, national security.
Chief Architect Ian Robinson works closely with Titania's customers and partners to continuously hone the unique capabilities of its configuration assessment solutions, Nipper Enterprise and Nipper, ensuring each product roadmap strategically builds customer value by giving organizations the insight needed to mitigate their most critical network security and compliance risks first.
This Cyber News was published on www.cyberdefensemagazine.com. Publication date: Sat, 17 Feb 2024 18:43:05 +0000