pci compliance not for dummies epb 30mar2016

PCI COMPLIANCE Erika Powell-Burson, CISSP Information Security Officer, Alegeus PCI-DSS 3.1 SPeCIal

Upload: erika-powell-burson-msia-cissp-cisa

Post on 18-Feb-2017


Page 1: PCI Compliance NOT for Dummies epb 30MAR2016

PCI COMPLIANCE

Erika Powell-Burson, CISSP

Information Security Officer, Alegeus

PCI-DSS 3.1 SPeCIal

Page 2

Foolish Assumptions

■ You’re an Early Bird

■ Having been through a recent audit, you want to commiserate

■ You have a vested interest in PCI Compliance, and you know:

– PCI compliance can’t be Bought

– Or Sold/Assigned to an unsuspecting employee

■ You have a modicum of InfoSec, Tech and/or Network skillz

■ You want useful Tips/Tools/Framework for achieving PCI compliance

Presenter Notes: Or maybe you’re in Sales and have a “PCI” security compliance tool. Of course you should consult a certified security professional, approved scanning vendor (ASV), and/or qualified security assessor (QSA) before embarking on implementing a PCI Compliance program and/or becoming certified.
Page 3

Topic Coverage (aka AGENDA)

■ PART I – THREAT LANDSCAPE

■ PART II – PCI STANDARDS & REQUIREMENTS

■ PART III – MILESTONES & KEY COMPLIANCE AREAS

■ FINALE – TIPS & REMINDERS

Page 4

PART I – THE THREAT LANDSCAPE

Presenter Notes: “More than 868 million records with sensitive information have been breached between January 2005 and June 2014, according to PrivacyRights.org… Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including point-of-sale devices; mobile devices, personal computers or servers; wireless hotspots; web shopping applications; paper-based storage systems; the transmission of cardholder data to service providers, and in remote access connections. Vulnerabilities may also extend to systems operated by service providers and acquirers, which are the financial institutions that initiate and maintain the relationships with merchants that accept payment cards (see diagram on page 5). Compliance with the PCI DSS helps to alleviate these vulnerabilities and protect cardholder data.”
Page 5

2015 DBIR

“The industries most affected [by data breach] look remarkably similar to prior years, and the top three are exactly the same: Public, Information, and Financial Services… No industry is immune to security failures.”

Presenter Notes: Phishing… Patching….
Page 6

Flashback to Verizon DBIR 2010

Page 7

DBIR Observed Threat Actions over 5 years

Page 8

Top Security Incidents 2013 - 2014

Page 9

WhiteHat 2015 Webinar

Page 10

PART II – PCI STANDARDS & REQUIREMENTS

Page 11

PCI = 3 Standards:

Presenter Notes: MERCHANTS – PCI-DSS (CORE); PA-DSS – S/W DEV; PIN / PTS – POS. Each of these standards shares the same primary goal: protecting cardholder data. Some cardholder data are printed on a card; others reside in digital format on a magnetic stripe or computer chip. Figure 2-1 shows the types of sensitive data and where they reside on a payment card. PCI Data Security Standard (PCI DSS) is the CORE standard, which is primarily for merchants and processors. It addresses security technology controls and processes for protecting cardholder data. Payment Application Data Security Standard (PA-DSS) is for software developers who sell commercial applications for accepting and processing payment cards. Most card brands require merchants and processors to use only approved payment applications. Personal Identification Number (PIN) Transaction Security Requirements (also called PTS) are for manufacturers of payment card devices used at the point of sale. In addition to other PCI DSS requirements, software developers, merchants and processors must use only approved devices compliant with PTS.
Page 12

PCI Tools, Founders & Participants

Presenter Notes: Debuted in Dec 2004, required in June 2005… last updated in April 2015, and the next update (3.2) is expected any day. 3.0 (Nov 2013) emphasized the need for in-house vulnerability assessments, added flexibility to password requirements, and highlighted the growing importance of provider compliance… make it part of day-to-day business operations! For the HISTORY of PCI, see this visual timeline: http://searchsecurity.techtarget.com/feature/The-history-of-the-PCI-DSS-standard-A-visual-timeline
Page 13

All Merchant Levels = Annual Risk Assessment + Quarterly ASV Scan

Page 14

PCI DSS Quick Reference Guide – ASSESS, REPAIR, REPORT

Page 15

Presenter Notes: 6 Goals/Milestones; 12 Requirement Areas; ~240 Controls
Page 16

Changes from 3.0 to 3.1 (April 2015)

■ Many ‘clarifications’ & ‘additional guidance’

■ Removed SSL and early TLS as secure technology. They are no longer considered strong cryptography.

■ A vulnerability scan could be a combination of automated and manual tools, techniques, or other methods.

■ Included SMS as an example of end-user messaging technology and added guidance

■ Clarification: The intent of the penetration testing is to verify that all out-of-scope systems are segmented (isolated) from systems “in the CDE”.

■ Risk assessment process must be a formal, documented analysis of risk

Page 17

Revised Compliance Date for SSL & EARLY TLS

JUNE 2018
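The two slides above say what has to change (no SSL, no early TLS) but not what that looks like on a server or how you find the stragglers before the June 2018 date. The following Python is an added example, not part of the deck: a server-side `ssl.SSLContext` that pins its floor at TLS 1.2, a check an assessor could apply to such a context, and a small audit over constructed scanner output that lists hosts still offering SSL or early TLS. It assumes the deck's "early TLS" means TLS 1.0 and, as a conservative reading, treats TLS 1.1 the same way; the host names and the `host=… port=… protocols=…` scan format are constructed.

```python
import ssl

# Protocol names that PCI DSS 3.1 no longer accepts as "strong cryptography".
# Assumption: TLS 1.1 is grouped with early TLS here (conservative reading);
# the slide itself only says "SSL and early TLS".
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def hardened_server_context() -> ssl.SSLContext:
    """Server context that refuses SSL and early TLS outright."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3/TLS1.0/TLS1.1 are never negotiated
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS-level compression is a known weakness
    return ctx


def allows_early_tls(ctx: ssl.SSLContext) -> bool:
    """True when the context has not pinned its floor at TLS 1.2 or higher.

    MINIMUM_SUPPORTED means "let the OpenSSL build decide", which is not
    evidence you can hand an assessor, so it counts as allowing early TLS."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


# Constructed scanner output (not from a real scan): one endpoint per line.
SCAN_RESULTS = """\
host=pos-gw-01 port=443 protocols=TLSv1.2,TLSv1.3
host=legacy-ecom port=443 protocols=SSLv3,TLSv1,TLSv1.2
host=admin-vpn port=8443 protocols=TLSv1.1,TLSv1.2
"""


def find_early_tls(scan_text: str) -> list:
    """Return (host, port, [weak protocols]) for each endpoint still offering SSL/early TLS."""
    findings = []
    for line in scan_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        offered = set(fields["protocols"].split(","))
        weak = sorted(offered & WEAK_PROTOCOLS)
        if weak:
            findings.append((fields["host"], int(fields["port"]), weak))
    return findings


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("hardened context allows early TLS:", allows_early_tls(ctx))
    for host, port, weak in find_early_tls(SCAN_RESULTS):
        print(f"{host}:{port} still offers {', '.join(weak)}")
```

The scan half is the part worth automating first: the quarterly ASV scan already produces protocol data per host, so the migration plan PCI asks for is largely a matter of turning that output into a tracked list and watching it shrink.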

Page 18

Coming Soon… PCI 3.2

Page 19

Critical Coverage Areas

■ Documentation

■ SMEs

■ Network Security

■ Firewall Configs.

■ Change Management

■ Daily Procedures

■ Incident Response

■ Restrict Access

■ Account Management

■ Patching!

■ Encryption!

■ Logging

■ Testing

■ Track & Monitor

Page 20

PART III – PREPARATION & COMPLIANCE

Page 21

Keep it in Perspective

Yes, you have to meet the requirements, but REMEMBER: it’s YOUR BUSINESS, your program and your risk management, so it’s OK TO USE YOUR FRAMEWORK, TOOLS, PROCESSES:

- SANS CSC

- ISO 27001

Page 22

Applying the Basics

■ Management Support

■ Clear Accountability, Defined Roles

■ Risk Management

■ An InfoSec Program

■ Policies & Procedures

■ Technical Controls

■ Greater complexity requires greater diligence

■ Plan WELL in advance

■ Leverage Existing Tools & Resources

■ Designated PCI Coordinator / Communicator

■ Training & Awareness

Page 23

6 Goals – 12 Requirements – ~240 Controls

Prioritized Milestones

Overall PCI DSS 3.1 GOALS

1 RISK MANAGEMENT - Remove sensitive authentication data and limit data retention — This milestone targets key risk areas for those who have been compromised—if you don’t need it, don’t store it

2 PROTECT SYSTEMS & NETWORKS — Be prepared to respond to a system breach – this milestone targets points of access to most compromises, and response processes

3 SECURE PAYMENT CARD APPLICATIONS — Controls for applications, application processes, and application servers have been shown to be easy prey when weaknesses exist.

4 MONITOR & CONTROL SYSTEM ACCESS — This milestone provides controls to allow you to detect the who, what, when, and how of who is accessing your network and cardholder data environment. A blind spot for many who have been compromised.

5 PROTECT STORED CARDHOLDER DATA — If you must store Primary Account Numbers (PAN), this milestone targets key protection mechanisms for that stored data.

6 FINALIZE REMAINING COMPLIANCE EFFORTS and ensure all controls are in place.

Page 24

INVENTORY 1st!

■ SCOPE & INVENTORY – req. 2.4

– Hardware

– Software

– Devices 9.9.1

– Incl. Mobile Devices

– Wireless

– Databases

– Common Services

■ Patch Servers

■ AD

■ Automate inventory process if possible – supports every PCI milestone

■ Helps determine what is in/out of scope

■ Attack vectors can be more easily identified, tracked and managed with a complete inventory
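The slide's point that an automated inventory "supports every PCI milestone" is easiest to see when the inventory is reconciled against what is actually on the wire. The Python below is an added example, not part of the deck: it loads a constructed inventory (the req. 2.4 attributes: host, IP, owner, function, in-scope flag), a constructed discovery sweep (whatever the shop already has: ARP, ping sweep, AD export), and reports the three lists an assessor will ask for. The CSV layout, host names, addresses and the assumed CDE subnet `10.10.1.0/24` are all constructed for the example.

```python
import csv
import io
import ipaddress

# Constructed asset inventory (req. 2.4 style); not a real environment.
INVENTORY_CSV = """\
hostname,ip,owner,function,in_scope
pos-app-01,10.10.1.5,Retail IT,POS application server,yes
pos-db-01,10.10.1.20,DBA team,Cardholder database,yes
pos-kiosk-02,10.10.1.40,Retail IT,Kiosk,no
corp-mail-01,10.50.2.8,Messaging,Email,no
"""

# Constructed output of an automated discovery sweep as "ip hostname" pairs.
DISCOVERED = """\
10.10.1.5 pos-app-01
10.10.1.20 pos-db-01
10.10.1.33 unknown-printer
10.50.2.8 corp-mail-01
10.50.2.41 jsmith-laptop
"""

# Assumed CDE address space. Anything living here is in scope until the
# segmentation test (11.3) proves otherwise.
CDE_NETWORKS = [ipaddress.ip_network("10.10.1.0/24")]


def load_inventory(text: str) -> dict:
    """Index the inventory rows by IP address."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def parse_discovered(text: str) -> dict:
    """Map discovered IP -> reported hostname."""
    result = {}
    for line in text.splitlines():
        ip, host = line.split(None, 1)
        result[ip] = host
    return result


def in_cde(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDE_NETWORKS)


def reconcile(inventory: dict, discovered: dict) -> dict:
    """Unknown hosts, unknown hosts inside the CDE (top priority), inventoried hosts
    that no longer answer, and hosts marked out of scope that sit in the CDE."""
    by_ip = ipaddress.ip_address            # sort numerically, not as strings
    unknown = sorted((ip for ip in discovered if ip not in inventory), key=by_ip)
    return {
        "unknown": unknown,
        "unknown_in_cde": [ip for ip in unknown if in_cde(ip)],
        "missing": sorted((ip for ip in inventory if ip not in discovered), key=by_ip),
        "scope_gaps": sorted(
            (ip for ip, row in inventory.items() if row["in_scope"] == "no" and in_cde(ip)),
            key=by_ip,
        ),
    }


if __name__ == "__main__":
    report = reconcile(load_inventory(INVENTORY_CSV), parse_discovered(DISCOVERED))
    for bucket, ips in report.items():
        print(f"{bucket:15s} {ips}")
```

Running it monthly and diffing the output is a cheap way to catch the "unknown printer in the CDE" class of finding before the QSA does; `scope_gaps` is the list to escalate first, because a host marked out of scope inside the cardholder network invalidates the scoping the rest of the assessment rests on.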

Page 25

Milestone 1 … Risk Management

■ IMPLEMENT A RISK ASSESSMENT PROCESS that is done annually+, identifies critical assets, threats = formal doc 12.2

■ CURRENT NETWORK DIAGRAM – ID all connections between CDE & other networks 1.1.2

■ CURRENT CARDHOLDER DATA (CHD) FLOWS – across systems and networks 1.1.3

■ KEEP CHD TO A MINIMUM – by implementing data retention and disposal policies, procedures and processes 3.1

■ DO NOT STORE SENSITIVE AUTH DATA AFTER AUTHORIZATION 3.2

■ DESTROY MEDIA WHEN NO LONGER NEEDED 9.8
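Requirements 3.1 and 3.2 on this slide ("keep CHD to a minimum", "do not store sensitive auth data after authorization") are usually violated by accident, most often by application logs. The Python below is an added example, not part of the deck: a small discovery script that scans text for Luhn-valid PANs, track-2 style strings and CVV/PIN fields, reporting only a masked form so the finding itself is not another copy of the data. The log lines are constructed; `4111 1111 1111 1111` is a widely published test PAN, and the 16-digit tracking number is deliberately not Luhn-valid to show the false-positive filter working.

```python
import re

# Constructed sample application log (not real data).
SAMPLE_LOG = """\
2016-03-30T10:01:02Z INFO  order=100245 amount=42.00 status=approved
2016-03-30T10:01:03Z DEBUG auth request pan=4111111111111111 cvv=123 exp=1218
2016-03-30T10:01:04Z DEBUG raw swipe: 4111111111111111=18121011000012345678
2016-03-30T10:01:05Z INFO  tracking=4929123456789012 shipped
"""

# 13-19 digit runs not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track-2 layout: PAN, '=' separator, then expiry/service code/discretionary data.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=\d{4}")
# Sensitive authentication data fields that must never exist after authorization.
SAD_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|pin)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters order/tracking numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pan(pan: str) -> str:
    """First six / last four, the most 3.3 allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cardholder_data(text: str) -> list:
    """Return (line number, kind, masked detail) for every hit; the detail never
    contains the full PAN or the SAD value itself."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((n, "pan", redact_pan(m.group(1))))
        for m in TRACK2_RE.finditer(line):
            findings.append((n, "track2", redact_pan(m.group(1))))
        for m in SAD_FIELD_RE.finditer(line):
            findings.append((n, "sad", m.group(1).lower()))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in find_cardholder_data(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {detail}")
```

Pointing this at log directories, database dumps and file shares is the practical version of "if you don't need it, don't store it": every hit is either something to delete under the 3.1 retention policy or, for `track2` and `sad` hits, evidence of a 3.2 violation that needs the code path fixed, not just the file purged.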

Page 26

Milestone 2 … Protect Systems & Networks

■ IMPLEMENT A FIREWALL AT EACH INTERNET CONNECTION… 1.1.4

■ ESTABL. DOCUMENTATION & BUSINESS JUSTIFICATION for all services, protocols, and ports allowed, incl. FTP… 1.1.6

■ RESTRICT INBOUND & OUTBOUND TRAFFIC to that which is necessary for CDE, deny all other traffic… 1.1.2

■ SECURE/SYNCH ROUTER CONFIG FILES 1.2.2

■ INSTALL PERIMETER FIREWALLS between all wireless networks and the CDE… 1.2.3

■ PROHIBIT PUBLIC ACCESS BETWEEN INTERNET & SYSTEM COMPONENTS IN CDE … 1.3

■ ENSURE ALL P&P ARE DOCUMENTED, IN USE & KNOWN TO AFFECTED PARTIES… 1.5
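Three of the bullets above (business justification for every allowed service in 1.1.6, "deny all other traffic", and the rule-set review cadence) can be checked mechanically from a rule export, which is how most teams survive the six-monthly review in 1.1.7. The Python below is an added example, not part of the deck: it reviews a constructed rule export for missing justifications, insecure services that need documented security features, overly permissive rules and a missing final deny-all, and flags an overdue review. The CSV layout, addresses and the 30.5-day month used for the cadence arithmetic are assumptions of the example.

```python
import csv
import io
from datetime import date, timedelta

# Constructed rule export (not from a real firewall); evaluated top to bottom.
RULE_EXPORT = """\
id,action,src,dst,proto,port,justification
10,allow,any,10.20.0.5,tcp,443,Customer web front end
20,allow,10.20.0.0/24,10.30.0.10,tcp,1433,CDE app tier to cardholder DB
30,allow,any,10.20.0.7,tcp,21,
40,allow,10.20.0.0/24,any,any,any,temporary troubleshooting
50,deny,any,any,any,any,default deny
"""

# Services 1.1.6 calls out as insecure: allowing them needs documented security
# features, not just a one-line justification.
INSECURE_SERVICES = {
    ("tcp", "21"): "ftp",
    ("tcp", "23"): "telnet",
    ("tcp", "110"): "pop3",
    ("tcp", "143"): "imap",
}


def review_rules(export: str) -> list:
    """Return (rule id, finding) pairs for a 1.1.6 / 1.2.1 style rule review."""
    rules = list(csv.DictReader(io.StringIO(export)))
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if not r["justification"].strip():
            findings.append((r["id"], "no business justification documented (1.1.6)"))
        svc = INSECURE_SERVICES.get((r["proto"], r["port"]))
        if svc:
            findings.append((r["id"], f"insecure service {svc} allowed; document its security features (1.1.6)"))
        if r["dst"] == "any" and r["proto"] == "any" and r["port"] == "any":
            findings.append((r["id"], "overly permissive: destination any, any protocol/port (1.2.1)"))
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == last["dst"] == "any"):
        findings.append(("-", "rule set does not end in an explicit deny-all (1.2.1)"))
    return findings


def review_overdue(last_review: date, today: date, months: int = 6) -> bool:
    """1.1.7: rule sets are reviewed at least every six months.
    Assumption: a month is approximated as 30.5 days."""
    return today - last_review > timedelta(days=round(months * 30.5))


if __name__ == "__main__":
    for rule_id, finding in review_rules(RULE_EXPORT):
        print(f"rule {rule_id}: {finding}")
    print("review overdue:", review_overdue(date(2015, 9, 1), date(2016, 3, 30)))
```

Rule 40 is the one to look at hardest: a "temporary troubleshooting" rule that lets the CDE subnet reach anywhere on any port is exactly the kind of outbound hole the slide's "restrict inbound AND outbound traffic" is aimed at, and the review output gives you the 1.1.7 evidence (dated findings, owners, closure) in the same pass.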

Page 27

Milestone 2 … Protect Systems & Networks

■ INSTALL PERS. F/W SW …1.4

■ ALWAYS CHANGE VENDOR SUPPLIED DEFAULTS &/or REMOVE UNNECESS. ACCOUNTS … 2.1

■ ENCRYPT ALL NON-CONSOLE ADMIN ACCESS USING STRONG ENCRYPTION (NOT SSL/early TLS) … 2.3

■ ENSURE THAT SECURITY P&P for managing defaults & other security parameters & encrypting transmissions are documented & in use …2.5 ; 4.3

■ USE STRONG CRYPTOGRAPHY & SECURITY PROTOCOLS… 4.1

■ NEVER SEND UNPROTECTED PANS BY END-USER MSSG. (email, IM, Chat) 4.2

■ DEPLOY ANTI-VIRUS ON SYSTEMS 5.1

■ USE 2-FACTOR FOR REMOTE NETWORK ACCESS…8.2

■ ADD’L REQ. FOR SVC. PROVIDERS W/REMOTE ACCESS… 8.5.1

■ APPROP. PHYSICAL ACCESS … 9.1

■ INSPECT FOR TAMPERING...9.9.2

■ TRAINING RE: TAMPERING… 9.9.3

■ INCIDENT RESPONSE… 11.1.2

■ RUN INT/EXT NETWORK VULNERABILITY SCANS 11.2

■ PENETRATION TESTING 11.3

■ IDS/IPS 11.4

■ INCIDENT RESPONSE & P&P 12.5.3 / 12.8

Page 28

Milestone 3 … Secure Payment Card Apps

■ DEVELOP CONFIG. STANDARDS FOR ALL SYSTEM COMPONENTS… 2.2

■ PROCESS TO ID SECURITY VULNERABILITIES AND PROTECT FROM THEM … 6.1; 6.2

■ SECURE INTERNAL & EXTERNAL SOFTWARE APPLICATIONS, incl. web-based admin…6.3

■ FOLLOW CHANGE CONTROL PROCEDURES FOR ALL SYSTEM COMPONENTS… 6.4

■ DO NOT STORE SENSITIVE AUTH DATA AFTER AUTHORIZATION 3.2

■ TRAIN & ADDRESS COMMON CODING VULNERABILITIES IN S/W DEVELOPMENT… e.g OWASP 6.5

Page 29

Milestone 4 … Monitor & Control System Access

■ LIMIT ACCESS TO SYS. COMPONENTS & CHD to only those required by job…7.1+

■ ESTABLISH AN ACCESS CONTROL SYSTEM FOR SYSTEM COMPONENTS.. Default “deny all” setting… 7.2+

■ ENSURE THAT SECURITY P&P FOR RESTRICTING ACCESS TO CHD IS DOCUMENTED/KNOWN … 7.3

■ DEFINE & IMPLEMENT P&P TO ENSURE PROPER USER ID MGT for non-consumer users and admins… 8.1+

■ UNIQUE USER IDs FOR EACH EMPLOYEE & SEVERAL AUTH. METHODS… 8.2+

■ SECURE AUTHENTICATION 8.5; 8.6

■ RESTRICT ACCESS TO ANY DB with CHD …8.7

■ ENSURE THAT P&P FOR ID & AUTH DOC … 8.8

■ IMPLEMENT AUDIT TRAILS FOR ALL SYSTEM COMPONENTS … 10.2+

■ AUDIT LOGGING SPECS...10.3; 10.7 1 yr. ret.

■ SECURE AUDIT TRAILS … 10.5

■ NTP … 10.4

■ REVIEW LOGS FOR SECURITY EVENTS incl. daily security tasks 10.6

■ TEST WAPS QUARTERLY / INVENTORY 11.1

■ CHANGE-DETECTION MECHANISM (file integrity monitoring FIM) 11.5

Page 30

Page 31

Milestone 5 … Protect Stored Cardholder Data

■ MASK PAN WHEN DISPLAYED… 3.3

■ RENDER PAN UNREADABLE ANYWHERE… 3.4

■ KEY MANAGEMENT…3.5; 3.6

■ EASILY DISTINGUISH BETWEEN ONSITE PERSONNEL & VISITORS… 9.2; 9.4

■ PHYSICALLY SECURE ALL MEDIA including backup media 9.6

■ ENSURE ALL SECURITY POLICIES & PROCEDURES FOR RESTRICTING PHYSICAL ACCESS ARE KNOWN/IN USE… 9.10
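The first three bullets (mask when displayed, render unreadable anywhere it is stored, key management) are where most of the technical work in this milestone sits, and two of the 3.4 options need no third-party library at all. The Python below is an added example, not part of the deck: a display mask that enforces the 3.3 ceiling of first six / last four, truncation, and a keyed one-way hash (HMAC-SHA256) with a matching constant-time comparison for lookups. The key-generation helper stands in for whatever HSM or key vault satisfies 3.5/3.6 in your environment; `4111 1111 1111 1111` is a widely published test PAN.

```python
import hashlib
import hmac
import secrets


def mask_for_display(pan: str, first: int = 6, last: int = 4) -> str:
    """3.3: show at most the first six and last four digits; the rest is masked."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-shaped value")
    first, last = min(first, 6), min(last, 4)      # hard ceiling from the requirement
    return digits[:first] + "*" * (len(digits) - first - last) + digits[-last:]


def truncate_for_storage(pan: str) -> str:
    """3.4 truncation: keep only a segment (here the last four) and discard the rest."""
    return pan[-4:]


def new_pan_hash_key() -> bytes:
    """Key for the keyed hash. In production this comes from, and is rotated by,
    the key-management process required by 3.5/3.6; here it is generated inline."""
    return secrets.token_bytes(32)


def hash_pan(pan: str, key: bytes) -> str:
    """3.4 one-way hash. An unkeyed SHA-256 of a PAN is not enough: the PAN space is
    small and structured (known BIN ranges plus a Luhn digit), so a plain hash can be
    reversed by enumeration. HMAC with a secret key makes the output useless without it."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def same_card(pan: str, stored_hash: str, key: bytes) -> bool:
    """Lookup or de-duplication without storing the PAN: constant-time compare of hashes."""
    return hmac.compare_digest(hash_pan(pan, key), stored_hash)


if __name__ == "__main__":
    key = new_pan_hash_key()
    pan = "4111 1111 1111 1111"
    print("display :", mask_for_display(pan))
    print("truncated:", truncate_for_storage(pan.replace(" ", "")))
    print("hashed   :", hash_pan(pan.replace(" ", ""), key))
```

Two caveats a QSA will raise: keep the hashed and truncated forms in separate data stores unless you can show they cannot be correlated to rebuild the PAN (a note attached to 3.4), and treat the HMAC key exactly like an encryption key, because whoever holds it can test candidate PANs against your hashes.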

Page 32

Milestone 6 … Finalize Compliance / Ensure

■ FORMAL PROCESS FOR APPROVING/TESTING ALL NETWORK CHANGES… 1.1.1

■ DESCRIPTION OF GROUPS, ROLES AND RESPONSIBILITIES … 1.1.5

■ REVIEW FIREWALL & ROUTER RULE SETS AT LEAST EVERY 6 MONTHS …1.1.7

■ CHANGE CONTROL PROCEDURES FOR SECURITY PATCHES & S/W CHGS… 6.4.5

■ SECURITY POLICIES / CRITICAL TECHNOLOGIES annual review 12.1; 12.3; 12.4; 12.5

■ FORMAL SECURITY AWARENESS PROGRAM 12.6

■ BACKGROUND CHECKS 12.7

Page 33

FINALE / FINALLY – SUMMARY / TIPS

Page 34

READY…SET… PROJECT MANAGE!

• IDENTIFY SMEs

• GATHER & ORGANIZE DOCUMENTATION

• AUTOMATED REMINDERS / ASSIGNED RESPONSIBILITIES FOR PERIODIC TASKS

• SCHEDULE RESOURCES

• SCOPE & INVENTORY REVIEWS

• PREP WITH INDIVIDUALS

Page 35

USE TEMPLATES FROM YOUR QSA AND/OR PCI

AVOID DOING EVERYTHING IN 3-4 PLACES THOUGH!

Page 36

TRAIN YOUR HELPERS!

FEED YOUR HELPERS!

THANK THEM!

GIVE THEM TREATS!

Page 37

Verizon PCI Report 2015

GET & MAINTAIN PCI COMPLIANCE

Biggest GAPS between Compliance & Post-Breach

1 – Firewalls

5 – Antivirus / Anti-malware

7 – Account Access Restrictions

8 – Unique IDs

11 – Scanning/Testing (PCI-level ASV Scans Quarterly)

12 – Policies & Procedures; Vendor Mgt.; Risk Mgt.

Presenter Notes: Logging, Monitoring, Patching & Maintaining; Governance; Access Controls; Perimeter Security; Defeating Malware; Protecting Stored Data
Page 38

Verizon’s Lessons Learned from Payment Breaches

■ LOGGING, MONITORING, PATCHING & MAINTAINING

■ GOVERNANCE

■ ACCESS CONTROLS

■ PERIMETER SECURITY

■ DEFEATING MALWARE

■ PROTECTING STORED DATA

Presenter Notes:

LOGGING, MONITORING, PATCHING AND MAINTAINING - Although we’re still seeing breaches even with good system hardening [Requirement 2], none of the companies that had suffered a breach complied with the requirements for maintaining systems and software security [Requirement 6] or logging and monitoring [Requirement 10]. Patching, maintaining, and monitoring key systems is critical for achieving sustainable security. As reported in the DBIR each year, many breaches go undetected for months or even years.

GOVERNANCE - The next major delta between our datasets is on Requirement 12, which demonstrates the importance of strong and consistent security governance.

ACCESS CONTROLS - There was also a large disparity between QSA and PFI clients on restricting access [Requirement 7]. Most security professionals are very familiar with the concept of least-privilege access, but as business demands and complexity grow, so too do the administrative challenges of adhering to it in practice. Apparently, breach victims struggle with this much more than other organizations. Breached companies were equally bad at authenticating access [Requirement 8].

PERIMETER SECURITY - Every day, attackers are vigorously and repeatedly probing your defenses and trying to penetrate your perimeter, and the firewall is your first line of defense. Firewalls only work effectively if architected, tuned, and maintained properly. 71% of our QSA clients met all the controls associated with maintaining firewalls [Requirement 1] at the time of their interim assessment. In comparison, just 27% of breached organizations did. This suggests that ineffective perimeter security is a key contributor to the likelihood of suffering a breach.

DEFEATING MALWARE - Malware is another major threat. And again, we see a large gap between the groups on maintaining anti-virus [Requirement 5]. 80% of our QSA clients maintained all the controls in this area, compared to just 36% in the group of breached companies. CHD breaches typically involve a number of techniques, but many culminate in dropping a piece of malware on a high-value system. Having anti-virus software on all in-scope systems isn’t just a PCI DSS requirement, it should be a fundamental part of any security program. Traditional signature-based protection anti-virus scanners are largely reactive and not sufficiently effective to counter new and emerging threats — such as zero-day and social-engineering-based attacks. Therefore, organizations should use more sophisticated technologies that include proactive behavior detection, sandboxing, whitelisting, application control, cloud-enabled threat intelligence, heuristics, and reputation analysis.

PROTECTING STORED DATA - Protecting stored cardholder data [Requirement 3] is also important, but the gap between the two groups has been shrinking over the years. The QSA group is doing a decent, but not great, job with 62% of companies compliant. In the breached group just 36% are compliant. As more organizations shift to encryption, tokenization, and/or not storing CHD at all, we expect this requirement to further converge in the years to come.
Page 39

7 THINGS *NOT* TO DO!

1. Don’t store magnetic stripe cardholder data or the CVV or CVC code (the additional security number on the back of credit cards) after authorization

2. Don’t use vendor-supplied or default system passwords or common/weak passwords

3. Don’t allow personnel to share logins or passwords

4. Don’t allow physical access to any component in your CDE

5. Don’t store cardholder data in any systems in clear text (i.e., unencrypted)

6. Don’t leave remote access applications in an “always on” mode

7. Don’t use SSL or earlier versions of TLS

Page 40

MAKES THE DREAM WORK

And helps a lot with PCI Compliance!

Page 41

QUESTIONS?

TIPS?

Page 42

References / Resources

■ PCI DSS 3.1 - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

– Prioritized Approach: https://www.pcisecuritystandards.org/documents/Prioritized_Approach_for_PCI_DSS_v3-1.pdf

– Prioritized Approach worksheet: https://www.pcisecuritystandards.org/.../Prioritized_Approach_v3.xlsx

– PCI Cloud: https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf

■ PCI Compliance by Qualys - https://www.qualys.com/docs/PCI-for-Dummies.pdf

■ PCI Compliance by Control - http://www.verizonenterprise.com/placeholder/resources/reports/rp_pci-report-2015_en_xg.pdf

■ Key Findings from the 2015 IBM Cyber Security Intelligence Index - http://www.slideshare.net/ibmsecurity/key-findings-from-the-2015-ibm-cyber-security-intelligence-index

■ Verizon PCI Report 2015; Verizon DBIR Report 2015

■ OWASP TOP TEN - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project