iscan online - pci dss mobile task force

iScan Online presentation for: PCI DSS Mobile Task Force April 18, 2013

Upload: iscan-online-inc

Post on 22-Jun-2015


DESCRIPTION

iScan Online presentation to the PCI DSS Mobile task force, illustrating the results of the latest 500 Android Scans

TRANSCRIPT

Page 1: iScan Online - PCI DSS Mobile Task Force

iScan Online presentation for: PCI DSS Mobile Task Force, April 18, 2013

Page 2: iScan Online - PCI DSS Mobile Task Force

Our Backgrounds (timeline on the slide: 1997, 1998, 2012, 2012, 2013)

Host Scanning

Binary Scanners

Mobile Scanning

Network Scanners

Browser Plugin Scanning

Page 3: iScan Online - PCI DSS Mobile Task Force

The world has changed... Security and Compliance should lead and not follow.

Remember these Networks?

Good Old Days: XP Desktops with a Static IP

Easy to secure. Only worry: sticky notes w/ passwords and customer credit card data

Page 4: iScan Online - PCI DSS Mobile Task Force

• Mobile is moving faster than the speed of light

• Threats, attacks and mobile data breaches are here

• Security and Compliance regulations are for yesterday's network

• Government 2013 battling standards:

USGCB audit benchmarks:

1. IE 7
2. IE 8
3. Windows XP
4. Windows XP Firewall
5. Windows Vista
6. Windows Vista Firewall
7. Windows 7
8. Windows 7 Firewall
9. Red Hat Linux 5

Wake Up Time

Page 5: iScan Online - PCI DSS Mobile Task Force

Corporate America PCI Response: damn this is expensive

Protecting Card Data

Today’s Response to PCI: Encrypt. Segment. Reduce Scope.

Scan Audit Zone Only. Gets there how?

Page 6: iScan Online - PCI DSS Mobile Task Force

Compliance 101

What do we tell employees:

• Don’t write your passwords on sticky notes

• Don’t write, text, email or store cardholder data

The employee responds?

• ?

• ?

Think users adhere to 101, think again.

Page 7: iScan Online - PCI DSS Mobile Task Force

Employees are Mobile: Mobile Cybercrime War has Begun

Devices are on 24/7: Assessment approach has to change

Employees on the go: Don’t care about security nor compliance. They sell and take down orders!!

2013 - Today’s Network

Page 8: iScan Online - PCI DSS Mobile Task Force

In Case you missed the Tweet: Insecure Smart Mobile Devices = Secure & Compliant PC fatality

[Chart: US 90 Day PC Shipment, HP and Dell, 2012 Q1 vs 2013 Q1 (y-axis 0 to 9000)]

[Chart: “Daily Activations”, Android, 2013 (y-axis 0 to 1500)]

Page 9: iScan Online - PCI DSS Mobile Task Force

7 billion 2013 global population

6.3 billion mobile device subscriptions

5% stolen (loss or theft)

0% scanned (vulnerabilities or cardholder data)

Page 10: iScan Online - PCI DSS Mobile Task Force

Mobile Standard Remarks

Purpose: Protect Cardholders or Transaction?

Repeat History: Mobile threats - too fast for awaiting slow Standards enforcement

Selection:

Step 1: Define procedures

Step 2: Specs to be assessed

Step 3: Report & Score

Step 4

Mobile Standards - Speed

Evidence / Analyze / Work flow

Remarks / Example

Page 11: iScan Online - PCI DSS Mobile Task Force

Mobile Scan Analysis: April 2013

Android Devices: Smartphones and Tablets - Last 500 global scans

Page 12: iScan Online - PCI DSS Mobile Task Force

Scan Deliver Thought Process

• PCI Provider - Assess & Service

• Acquiring Bank - Compliance proof of results by MID, Theft locate

• Vendor - develops technology, standards mapping and features

• End user - option to self assess

Page 13: iScan Online - PCI DSS Mobile Task Force

Standards are usually not in place until:

• Evidence is proven that procedures can be assessed

• Procedures can be analyzed to measure - risk and mitigation

Mobile Scans Performed

Page 14: iScan Online - PCI DSS Mobile Task Force

Android Vulnerability Scan

[Pie chart: severity of findings; legend None, Low, Medium, High; segments shown as 2%, 5%, 14%, 79%]

• CVSS Scores

• CVE numbers

• Procedures are familiar, just like PC’s but easier

• Methodology has to change to assess mobile
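The slide rates findings by CVSS score and CVE number and rolls them up into the None/Low/Medium/High chart. The following Python is an added example, not iScan Online's code: it applies the CVSS v2 qualitative ranges NVD published at the time (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0), takes a device's worst finding as its severity, computes the fleet distribution the chart is drawn from, and orders CVEs for remediation by score and reach. The CVE ids and scores in the sample fleet are constructed placeholders.

```python
"""Roll Android vulnerability findings up into None/Low/Medium/High severity.

Added illustration, not iScan Online's code. CVE ids and CVSS scores below are
constructed placeholders.
"""
from collections import defaultdict

# CVSS v2 qualitative ranges as published by NVD (2013): Low 0.0-3.9,
# Medium 4.0-6.9, High 7.0-10.0. "None" is reserved for a device with no findings.
SEVERITY_ORDER = ["None", "Low", "Medium", "High"]


def cvss_bucket(score):
    """Map a CVSS v2 base score to its qualitative severity name."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def device_severity(findings):
    """Worst severity among a device's findings; 'None' when the scan found nothing."""
    worst = "None"
    for finding in findings:
        bucket = cvss_bucket(finding["cvss"])
        if SEVERITY_ORDER.index(bucket) > SEVERITY_ORDER.index(worst):
            worst = bucket
    return worst


def fleet_distribution(scans):
    """Percent of scanned devices whose worst finding lands in each bucket
    (the figure a pie chart like the slide's is drawn from)."""
    counts = {name: 0 for name in SEVERITY_ORDER}
    for findings in scans.values():
        counts[device_severity(findings)] += 1
    total = len(scans)
    return {name: round(100.0 * n / total, 1) for name, n in counts.items()}


def remediation_priority(scans):
    """CVEs ordered by CVSS score, then by how many devices carry them, so the
    patch with the widest high-severity impact is addressed first."""
    affected = defaultdict(set)
    scores = {}
    for device, findings in scans.items():
        for finding in findings:
            affected[finding["cve"]].add(device)
            scores[finding["cve"]] = finding["cvss"]
    return sorted(
        ((cve, scores[cve], len(devices)) for cve, devices in affected.items()),
        key=lambda row: (-row[1], -row[2], row[0]),
    )


# Constructed sample fleet: placeholder CVE ids, not real identifiers.
SAMPLE_SCANS = {
    "device-A": [{"cve": "CVE-XXXX-0001", "cvss": 9.3}, {"cve": "CVE-XXXX-0002", "cvss": 4.3}],
    "device-B": [{"cve": "CVE-XXXX-0002", "cvss": 4.3}],
    "device-C": [],
    "device-D": [{"cve": "CVE-XXXX-0003", "cvss": 2.1}],
}

if __name__ == "__main__":
    print(fleet_distribution(SAMPLE_SCANS))
    for cve, score, n in remediation_priority(SAMPLE_SCANS):
        print(f"{cve}: CVSS {score}, {n} device(s)")
```

Using the worst finding per device is deliberate: a compliance view asks "how many devices are exposed", not "how many findings exist", and a single High finding makes the device High regardless of how many Low ones it also carries.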

Page 15: iScan Online - PCI DSS Mobile Task Force

Data Discovery Scan: Cardholder PAN Data

Vulnerability Scan: OS & Applications

Configuration Scan: OS & Applications

Page 16: iScan Online - PCI DSS Mobile Task Force

Mobile Vulnerabilities vs. History

[Chart: Android and Apple iOS vulnerabilities, 2011, 2012, Q1-2013 (y-axis 0 to 200)]

[Chart: Novell, Windows and Linux vulnerabilities, 1998-99 (y-axis 0 to 90)]

Page 17: iScan Online - PCI DSS Mobile Task Force

Vulnerable Attack Vector

Attack Threat Vector | Impact | Remediation
Stolen / Loss / Misplacement of Device | Data breach | Encrypt cardholder data
SMS / Browser / Email Exploit | Full device control | Patches / Configurations
Malicious App | Full device control | Configuration / ~Some Patches
Bluetooth / Tethering / NFC / Wifi | Partial data loss | Configuration / User Awareness
Carrier Network / Black List | Partial data loss | Configuration / Policy / Awareness

Page 18: iScan Online - PCI DSS Mobile Task Force

Mobile Configurations

Sample Configuration Results | Severity | % Failed
Device Storage Encryption Enabled | 8 | 99
Password Expired every 30 Days | 7 | 97
Require Password or PIN Check (unlock device) | 10 | 72
Device Rooted | 9 | 48
Allows Non App Market App Installation | 5 | 44

18 Configurations - All 500 failed something
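A configuration scan of this kind is a set of pass/fail checks, each with a severity, evaluated against the device's settings and then aggregated across the fleet into a "% Failed" column. The Python below is an added example, not iScan Online's scanner: the five checks and their severities are taken from the slide's table, the way each check is decided (the settings keys, the pass predicates, and treating a missing setting as a failure) is an assumption, and the four sample devices are constructed.

```python
"""Evaluate Android device settings against configuration checks and aggregate
fleet failure rates.

Added illustration, not iScan Online's code. Check names and severities follow
the slide's sample table; the settings keys, pass predicates and sample devices
are constructed assumptions.
"""

# Each check: (name, severity 1-10 as on the slide, predicate that returns True
# when the device PASSES). A missing or unexpected setting fails the check, so an
# incomplete inventory is reported as risk rather than silently passing.
CHECKS = [
    ("Device Storage Encryption Enabled", 8,
     lambda s: s.get("storage_encrypted") is True),
    ("Password Expired every 30 Days", 7,
     lambda s: 0 < s.get("password_max_age_days", 0) <= 30),
    ("Require Password or PIN Check (unlock device)", 10,
     lambda s: s.get("lock_type") in ("pin", "password")),
    ("Device Rooted", 9,
     lambda s: s.get("rooted") is False),
    ("Allows Non App Market App Installation", 5,
     lambda s: s.get("unknown_sources") is False),
]


def evaluate_device(settings):
    """Return (failed_checks, risk_points): the failed (name, severity) pairs and
    the sum of their severities, a simple weighting rather than a standard score."""
    failed = [(name, sev) for name, sev, passes in CHECKS if not passes(settings)]
    return failed, sum(sev for _, sev in failed)


def fleet_failure_rates(devices):
    """Percent of devices failing each check, like the slide's '% Failed' column."""
    rates = {}
    for name, _, passes in CHECKS:
        n_fail = sum(1 for s in devices.values() if not passes(s))
        rates[name] = round(100.0 * n_fail / len(devices), 1)
    return rates


def count_failing_any(devices):
    """Devices that fail at least one check (the slide's 'all 500 failed something')."""
    return sum(1 for s in devices.values() if evaluate_device(s)[0])


# Constructed sample inventory of four devices.
SAMPLE_DEVICES = {
    "tablet-1": {"storage_encrypted": False, "password_max_age_days": 0,
                 "lock_type": "none", "rooted": False, "unknown_sources": True},
    "phone-2": {"storage_encrypted": True, "password_max_age_days": 30,
                "lock_type": "pin", "rooted": False, "unknown_sources": False},
    "phone-3": {"storage_encrypted": False, "password_max_age_days": 90,
                "lock_type": "pattern", "rooted": True, "unknown_sources": False},
    "phone-4": {"storage_encrypted": False, "password_max_age_days": 0,
                "lock_type": "password", "rooted": False, "unknown_sources": True},
}

if __name__ == "__main__":
    for device, settings in SAMPLE_DEVICES.items():
        failed, points = evaluate_device(settings)
        print(f"{device}: {len(failed)} failed, risk points {points}")
    print(fleet_failure_rates(SAMPLE_DEVICES))
    print(f"{count_failing_any(SAMPLE_DEVICES)} of {len(SAMPLE_DEVICES)} failed something")
```

Treating "pattern" unlock as a failure of the PIN/password check and a 0-day expiry as "never expires" are the assumed interpretations; a real benchmark would spell these out in its procedure text, which is exactly the "define procedures" step the deck calls for.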

Page 19: iScan Online - PCI DSS Mobile Task Force

8% of scans had PAN data on Android

Protect and assess P2PE ‘Point to Point Encryption’ the transaction?

Cardholder data on mobile is everywhere?

NFC, Google Drive, Dropbox, SMS, Contacts
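The data discovery scan behind the "8% of scans had PAN data" figure has to find card numbers in free text such as SMS, contact notes and synced files while keeping false positives (phone numbers, order ids) low. The Python below is an added example, not iScan Online's scanner: it pulls 13-19 digit runs (with optional space or dash grouping) out of text, keeps only those that pass the Luhn mod-10 check, and reports them masked to first six and last four digits so the report itself does not become another copy of cardholder data. The records are constructed and use the widely published test card numbers 4111 1111 1111 1111 and 378282246310005, not real PANs.

```python
"""Discover candidate cardholder PANs in mobile text stores and report them masked.

Added illustration, not iScan Online's code. Sample records are constructed and
use well-known test card numbers, not real cardholder data.
"""
import re

# A run of 13-19 digits, optionally grouped by single spaces or dashes, that is
# not part of a longer digit run.
_CANDIDATE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_valid(digits):
    """Luhn mod-10 check (ISO/IEC 7812) over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the first six and last four digits (the usual PCI DSS display mask)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Masked PANs in text: digit runs of card length that pass the Luhn check.
    Luhn filters most phone numbers and order ids, but not every one; treat hits
    as candidates for review, not proof."""
    found = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_records(records):
    """records: iterable of (source, text). Returns [(source, masked_pan), ...]."""
    return [(source, pan) for source, text in records for pan in find_pans(text)]


# Constructed sample records; sources are hypothetical store paths on the device.
SAMPLE_RECORDS = [
    ("sms/inbox/17", "Order 20130418-0001 use card 4111 1111 1111 1111 exp 12/15"),
    ("contacts/note/3", "phone 214-555-0100 ref 1234567890123"),   # 13 digits, fails Luhn
    ("dropbox/orders.txt", "amex 378282246310005; bad 4111111111111112"),
    ("sms/inbox/22", "Call me back at 2145550100"),               # too short to be a PAN
]

if __name__ == "__main__":
    for source, pan in scan_records(SAMPLE_RECORDS):
        print(f"{source}: {pan}")
```

The order id "20130418-0001" in the first record is a 12-digit run and is never a candidate; the 13-digit reference in the second record is a candidate but fails Luhn; the last 16-digit value differs from a valid number in one digit and is rejected for the same reason. Only the two test card numbers are reported, and only in masked form.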

Page 20: iScan Online - PCI DSS Mobile Task Force

Today’s Network: Always connected, Anytime, Anywhere

Corporate Office (Yesterday): Static Networks are the past; data and devices are not only at corporate. Employees are on the go and working remote.

Remote Office (Network Today): Small Offices lack security and connect indirectly back to corporate. Transmitting data with BYOD connections who are on/off untrusted networks.

Free wifi (Network Today): Road warrior Employee. Who hasn’t connected to a free wifi network. Multiple network connections over ~untrusted Wifi / 4G.

Mobile (Network Today): Mobile Devices can now be assessed for threats but not with historical network approaches.

Page 21: iScan Online - PCI DSS Mobile Task Force

Mobile facts vs. Non-Mobile

More likely to be stolen or lost, equating to an increase in potential cardholder breaches. ~Processing w/ a financial app - Banks to get a call guaranteed.

Vulnerabilities & configurations are equally important to assess and remediate, if not more important than traditional PC’s

Are your employees storing cardholder data? Just like not writing down passwords. They are going to SMS and store it.

Mobile Audit - Fast Easy Affordable

Page 22: iScan Online - PCI DSS Mobile Task Force

My Suggestions

1. Baseline: Many existing procedures can be used from DSS 2.0

2. Rapid Adopt: Mobile moves fast and standards should as well

3. Influence buyin: Individuals: Merchant, Council, Vendor, Bank, Providers

4. Automate: Utilize XML, JSON for communication and sharing

5. Continuous: Changes to ensure costs don’t outweigh the threat

Page 23: iScan Online - PCI DSS Mobile Task Force

Questions? More Information?

iScan Online, Inc., 19111 Dallas Parkway, Suite 200, Dallas, TX 75287

Billy Austin, [email protected]