What can we learn from Hannaford & TJX?
The Hannaford data breach was of course all over the news last week. It is reported that Hannaford’s internal practices were considered PCI compliant, yet they suffered a massive data breach. It begs the question whether PCI requirements were sufficient.
While many companies still lag behind in terms of achieving PCI compliance, quite a few organizations have gone above and beyond to protect their critical operations. I call those "next practice" adopters (as opposed to best practice). For instance, PCI requires that you scan your computing assets quarterly. Many of the next practice companies would scan their most critical assets weekly or even daily.
So, what should you consider as your critical assets. Here is a list to get you started:
– Web applications (those that handle online transactions)
– Web servers (those that interface with external Web users)
– Database servers
– Application servers that serve up your core applications
– Firewall (between DMZ and the Internet)
– VPN servers
Your list may defer, depending on your business operations. For instance, some businesses operate SCADA system, and that would be their critical asset. But the above list is a good place to start thinking about your critical network assets and how you should management vulnerabilities both at the network layer and in the applications.
For more information, see the Forrester report: "Operationalizing Application Vulnerability Management".