PCI Compliance: Not for Dummies (EPB, 30 Mar 2016)
TRANSCRIPT
PCI COMPLIANCE
Erika Powell-Burson, CISSP
Information Security Officer, Alegeus
PCI DSS 3.1 Special
Foolish Assumptions
■ You’re an Early Bird
■ Having been through a recent audit, you want to commiserate
■ You have a vested interest in PCI Compliance, and you know:
– PCI compliance can’t be bought
– Or sold/assigned to an unsuspecting employee
■ You have a modicum of InfoSec, Tech and/or Network skillz
■ You want useful Tips/Tools/Framework for achieving PCI compliance
Topic Coverage (aka AGENDA)
■ PART I – THREAT LANDSCAPE
■ PART II – PCI STANDARDS & REQUIREMENTS
■ PART III – MILESTONES & KEY COMPLIANCE AREAS
■ FINALE – TIPS & REMINDERS
PART I – THE THREAT LANDSCAPE
2015 DBIR
“The industries most affected [by data breach] look remarkably similar to prior years, and the top three are exactly the same: Public, Information, and Financial Services… No industry is immune to security failures.”
Flashback to Verizon DBIR 2010 (chart)
DBIR Observed Threat Actions over 5 Years (chart)
Top Security Incidents 2013 - 2014 (chart)
WhiteHat 2015 Webinar (chart)
PART II – PCI STANDARDS & REQUIREMENTS
PCI = 3 Standards: PCI DSS (merchants and service providers), PA-DSS (payment applications), PCI PTS (PIN entry devices)
PCI Tools, Founders & Participants
All Merchant Levels = Annual Risk Assessment (req. 12.2) + Quarterly ASV Scan (req. 11.2.2)
PCI DSS Quick Reference Guide: ASSESS, REPAIR, REPORT
Changes from 3.0 to 3.1 (April 2015)
■ Many ‘clarifications’ & ‘additional guidance’
■ Removed SSL and early TLS as examples of strong cryptography; they are no longer considered secure technology.
■ A vulnerability scan could be a combination of automated and manual tools, techniques, or other methods.
■ Included SMS as an example of end-user messaging technology and added guidance
■ Clarification: The intent of the penetration testing is to verify that all out-of-scope systems are segmented (isolated) from systems “in the CDE”.
■ Risk assessment process must be formal documented analysis of risk
Revised Compliance Date for SSL & Early TLS: 30 JUNE 2018
Coming Soon… PCI 3.2
Critical Coverage Areas
■ Documentation
■ SMEs
■ Network Security
■ Firewall Configs.
■ Change Management
■ Daily Procedures
■ Incident Response
■ Restrict Access
■ Account Management
■ Patching!
■ Encryption!
■ Logging
■ Testing
■ Track & Monitor
PART III – PREPARATION & COMPLIANCE
Keep it in Perspective
Yes, you have to meet the requirements, but REMEMBER: it’s YOUR business, YOUR program and YOUR risk management, so it’s OK to use YOUR OWN framework, tools and processes, e.g.:
- SANS CSC
- ISO 27001
Applying the Basics
■ Management Support
■ Clear Accountability, Defined Roles
■ Risk Management
■ An InfoSec Program
■ Policies & Procedures
■ Technical Controls
■ Greater complexity requires greater diligence
■ Plan WELL in advance
■ Leverage Existing Tools &Resources
■ Designated PCI Coordinator / Communicator
■ Training & Awareness
6 Goals, 12 Requirements, ~240 Controls: Prioritized Milestones
PCI DSS 3.1 Prioritized Approach: the Six Milestones
1 RISK MANAGEMENT: Remove sensitive authentication data and limit data retention. This milestone targets a key risk area for entities that have been compromised: if you don’t need it, don’t store it.
2 PROTECT SYSTEMS & NETWORKS, and be prepared to respond to a system breach. This milestone targets the points of access used in most compromises, and the response processes.
3 SECURE PAYMENT CARD APPLICATIONS: Controls for applications, application processes and application servers, which have been shown to be easy prey when weaknesses exist.
4 MONITOR & CONTROL SYSTEM ACCESS: Controls that let you detect who is accessing your network and cardholder data environment, what they did, and when and how. A blind spot for many who have been compromised.
5 PROTECT STORED CARDHOLDER DATA: If you must store Primary Account Numbers (PAN), this milestone targets the key protection mechanisms for that stored data.
6 FINALIZE REMAINING COMPLIANCE EFFORTS and ensure all controls are in place.
INVENTORY 1st!
■ SCOPE & INVENTORY – req. 2.4
– Hardware
– Software
– Devices (incl. the list of card-reading/POS devices, 9.9.1)
– Incl. Mobile Devices
– Wireless
– Databases
– Common Services
■ Patch Servers
■ AD
■ Automate the inventory process if possible – it supports every PCI milestone
■ Helps determine what is in/out of scope
■ Attack vectors can be more easily identified, tracked and managed with a complete inventory
Milestone 1 … Risk Management
■ IMPLEMENT A RISK ASSESSMENT PROCESS that is performed at least annually and upon significant changes, identifies critical assets, threats and vulnerabilities, and results in a formal, documented analysis of risk 12.2
■ CURRENT NETWORK DIAGRAM – ID all connections between CDE & other networks 1.1.2
■ CURRENT CARDHOLDER DATA (CHD) FLOWS – across systems and networks 1.1.3
■ KEEP CHD TO A MINIMUM – by implementing data retention and disposal policies, procedures and processes 3.1
■ DO NOT STORE SENSITIVE AUTH DATA AFTER AUTHORIZATION 3.2
■ DESTROY MEDIA WHEN NO LONGER NEEDED 9.8
Milestone 2 … Protect Systems & Networks
■ IMPLEMENT A FIREWALL AT EACH INTERNET CONNECTION and between any DMZ and the internal network zone… 1.1.4
■ ESTABL. DOCUMENTATION & BUSINESS JUSTIFICATION for all services, protocols, and ports allowed, incl. FTP… 1.1.6
■ RESTRICT INBOUND & OUTBOUND TRAFFIC to that which is necessary for the CDE, and specifically deny all other traffic… 1.2.1
■ SECURE/SYNCH ROUTER CONFIG FILES 1.2.2
■ INSTALL PERIMETER FIREWALLS between all wireless networks and the CDE… 1.2.3
■ PROHIBIT PUBLIC ACCESS BETWEEN INTERNET & SYSTEM COMPONENTS IN CDE … 1.3
■ ENSURE ALL P&P ARE DOCUMENTED, IN USE & KNOWN TO AFFECTED PARTIES… 1.5
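Requirements 1.1.6, 1.1.7 and 1.2.1 are checkable, not just documentable. The following is an added example (not from the presentation and not a PCI SSC or vendor tool) of a rule-set review over an iptables-save dump: it flags chains whose default policy is not DROP, ACCEPT rules open to any address or any protocol/port, and rules whose comment carries no change-ticket id as business justification. The rule set and the ticket-id convention (an upper-case prefix and a number in the comment) are constructed assumptions.

```python
"""Six-monthly rule-set review (PCI DSS 1.1.7) of an iptables-save dump, checking the
default-deny posture of 1.2.1 and the per-rule business justification of 1.1.6.
Added example; the rule set is constructed and the ticket-id convention is assumed."""
import re
import shlex

# Constructed sample: a CDE host's filter table as iptables-save would print it.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp -m tcp --dport 443 -m comment --comment "CHG-1042 payment API from web tier" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.20.0.5/32 -j ACCEPT
-A OUTPUT -d 10.30.0.10/32 -p udp -m udp --dport 123 -m comment --comment "CHG-0877 internal NTP (req 10.4)" -j ACCEPT
COMMIT
"""

JUSTIFICATION = re.compile(r"\b[A-Z]+-\d+\b")   # assumed convention: a change/ticket id in the comment
VALUE_FLAGS = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport",
               "-j": "target", "--comment": "comment", "--state": "state"}

def parse_ruleset(text):
    """Return ({chain: default policy}, [rule dicts]) from iptables-save output."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                    # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)                # honours the quoted --comment value
            rule = {"chain": toks[1], "raw": line}
            rule.update({k: None for k in VALUE_FLAGS.values()})
            i = 2
            while i < len(toks):
                if toks[i] in VALUE_FLAGS:
                    rule[VALUE_FLAGS[toks[i]]] = toks[i + 1]
                    i += 2
                elif toks[i] == "-m":               # match-extension name, carries no value we need
                    i += 2
                else:
                    i += 1
            rules.append(rule)
    return policies, rules

def review(text):
    """Return a list of findings, each prefixed with the PCI DSS requirement it relates to."""
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(f"1.2.1: {chain} default policy is {policies.get(chain)}, not DROP (deny all)")
    for r in rules:
        if r["target"] != "ACCEPT" or r["state"]:
            continue                                # stateful return traffic and non-ACCEPT rules open nothing new
        if r["src"] is None and r["dst"] is None:
            findings.append(f"1.2.1: ACCEPT from/to any address: {r['raw']}")
        if r["proto"] is None and r["dport"] is None:
            findings.append(f"1.2.1: ACCEPT any protocol/port: {r['raw']}")
        if not (r["comment"] and JUSTIFICATION.search(r["comment"])):
            findings.append(f"1.1.6: no documented business justification: {r['raw']}")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_RULESET):
        print(finding)
```

Run it against `iptables-save` output from each CDE host as part of the six-monthly review; the same three checks carry over to a vendor firewall export once the parser is swapped. The rule allowing port 443 from the web tier passes; the SSH rule open to the world and the host rule with no port restriction are the kind of entries that accumulate between reviews.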
Milestone 2 (cont.) … Protect Systems & Networks
■ INSTALL PERSONAL FIREWALL SOFTWARE on portable devices that connect to the Internet outside the network and also access the CDE… 1.4
■ ALWAYS CHANGE VENDOR SUPPLIED DEFAULTS &/or REMOVE UNNECESS. ACCOUNTS … 2.1
■ ENCRYPT ALL NON-CONSOLE ADMIN ACCESS USING STRONG ENCRYPTION (NOT SSL/early TLS) … 2.3
■ ENSURE THAT SECURITY P&P for managing defaults & other security parameters & encrypting transmissions are documented & in use …2.5 ; 4.3
■ USE STRONG CRYPTOGRAPHY & SECURITY PROTOCOLS… 4.1
■ NEVER SEND UNPROTECTED PANS BY END-USER MSSG. (email, IM, Chat) 4.2
■ DEPLOY ANTI-VIRUS ON SYSTEMS 5.1
■ USE TWO-FACTOR AUTHENTICATION FOR REMOTE NETWORK ACCESS originating from outside the network… 8.3
■ ADD’L REQ. FOR SVC. PROVIDERS W/REMOTE ACCESS… 8.5.1
■ APPROP. PHYSICAL ACCESS … 9.1
■ INSPECT FOR TAMPERING...9.9.2
■ TRAINING RE: TAMPERING… 9.9.3
■ INCIDENT RESPONSE PROCEDURES FOR DETECTED ROGUE WIRELESS ACCESS POINTS… 11.1.2
■ RUN INT/EXT NETWORK VULNERABILITY SCANS 11.2
■ PENETRATION TESTING 11.3
■ IDS/IPS 11.4
■ INCIDENT RESPONSE PLAN & P&P 12.5.3 / 12.10; MANAGE SERVICE PROVIDERS WITH ACCESS TO CHD 12.8
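Requirements 2.3 and 4.1, together with the 3.1 change that dropped SSL and early TLS, raise a practical question: which clients will break when a server stops offering TLS 1.0? The ClientHello states what a client can negotiate. Below is an added example (not from the presentation) that builds two constructed ClientHellos, parses the version fields including the supported_versions extension, and gives a verdict against a TLS 1.1 floor; the “legacy” and “modern” clients and the MINIMUM constant are assumptions for illustration.

```python
"""Parse a TLS ClientHello and classify it against PCI DSS 3.1 (SSL/early TLS are not
strong cryptography). Added example; the hellos below are constructed, not captures."""
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
MINIMUM = 0x0302   # assumed floor: TLS 1.1 under the migration guidance, TLS 1.2 strongly recommended

def build_client_hello(legacy_version, supported_versions=None,
                       cipher_suites=(0xc02f, 0x002f)):
    """Construct a minimal ClientHello record (constructed sample, not a real client)."""
    body = struct.pack("!H", legacy_version) + b"\x11" * 32      # client_version + random
    body += b"\x00"                                               # session_id: empty
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                           # compression_methods: null only
    if supported_versions:                                        # RFC 8446 supported_versions (0x002b)
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", 0x002b, len(vers) + 1) + bytes([len(vers)]) + vers
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs     # record layer header

def parse_client_hello(rec):
    """Return the protocol versions the client is willing to negotiate, highest first."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                                         # 5-byte record + 4-byte handshake header
    legacy = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2 + 32                                                   # client_version, random
    p += 1 + rec[p]                                               # session_id
    cs_len = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2 + cs_len                                               # cipher_suites (not needed here)
    p += 1 + rec[p]                                               # compression_methods
    versions = set()
    if p + 2 <= len(rec):                                         # extensions block present
        end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", rec[p:p + 4])
            p += 4
            if etype == 0x002b:                                   # supported_versions lists every version offered
                versions = {struct.unpack("!H", rec[i:i + 2])[0]
                            for i in range(p + 1, p + 1 + rec[p], 2)}
            p += elen
    if not versions:
        # Pre-1.3 clients advertise only a ceiling; anything from SSLv3 up to it may be negotiated
        versions = {v for v in TLS_VERSIONS if 0x0300 <= v <= legacy}
    return sorted(versions, reverse=True)

def pci_verdict(rec):
    """('OK'|'FAIL', reason) for whether this client survives disabling SSL/early TLS."""
    best = parse_client_hello(rec)[0]
    name = TLS_VERSIONS.get(best, hex(best))
    if best < MINIMUM:
        return "FAIL", f"client offers at most {name}; it will stop working once SSL/early TLS is disabled"
    return "OK", f"client can negotiate {name}"

if __name__ == "__main__":
    legacy = build_client_hello(0x0301)                                    # old POS library, TLS 1.0 ceiling
    modern = build_client_hello(0x0303, [0x0304, 0x0303, 0x0302, 0x0301])  # TLS 1.3 client still listing 1.0
    for label, hello in (("legacy", legacy), ("modern", modern)):
        print(label, *pci_verdict(hello))
```

To use it on real traffic, export the first TLS record of each client connection from a capture (tshark can do this) and pass the bytes to pci_verdict; the FAIL list is the migration work the June 2018 deadline is really about. The server-side counterpart is a scan of what each listener offers (nmap's ssl-enum-ciphers script reports it), and for a Python server the fix is `ssl.SSLContext.minimum_version = ssl.TLSVersion.TLSv1_2`.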
Milestone 3 … Secure Payment Card Apps
■ DEVELOP CONFIGURATION STANDARDS FOR ALL SYSTEM COMPONENTS… 2.2
■ PROCESS TO ID SECURITY VULNERABILITIES AND PROTECT FROM THEM … 6.1; 6.2
■ SECURE INTERNAL & EXTERNAL SOFTWARE APPLICATIONS, incl. web-based admin…6.3
■ FOLLOW CHANGE CONTROL PROCEDURES FOR ALL SYSTEM COMPONENTS… 6.4
■ TRAIN & ADDRESS COMMON CODING VULNERABILITIES IN S/W DEVELOPMENT… e.g OWASP 6.5
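Requirement 6.5.1 (injection flaws, OWASP A1) is easiest to teach as a pair. The block below is an added example, not code from the presentation: a merchant lookup written with string formatting next to the same lookup with a bound parameter, run against a constructed in-memory SQLite table. The table, its rows and the tok_* values are invented for illustration.

```python
"""Injection (PCI DSS 6.5.1 / OWASP Top Ten A1): the same lookup written the vulnerable way
and the parameterised way. Added example; the table and rows are constructed."""
import sqlite3

def make_db():
    """In-memory table keyed by merchant name; pan_token stands in for a tokenised PAN (3.4)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, pan_token TEXT)")
    conn.executemany("INSERT INTO merchants (name, pan_token) VALUES (?, ?)",
                     [("acme", "tok_7f3a91"), ("globex", "tok_c21d08"), ("initech", "tok_55ab3e")])
    return conn

def lookup_vulnerable(conn, name):
    """6.5.1 violation: attacker-controlled text becomes part of the SQL statement itself."""
    sql = "SELECT name, pan_token FROM merchants WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, name):
    """Placeholder binding: the driver passes the value separately; it is never parsed as SQL."""
    return conn.execute("SELECT name, pan_token FROM merchants WHERE name = ?", (name,)).fetchall()

def demo(payload="' OR '1'='1"):
    """Run both lookups with a classic tautology payload and return what each gives back."""
    conn = make_db()
    return {"vulnerable": lookup_vulnerable(conn, payload),
            "hardened": lookup_hardened(conn, payload)}

if __name__ == "__main__":
    for variant, rows in demo().items():
        print(f"{variant}: {len(rows)} row(s) returned")
```

The tautology that returns every row here returns every PAN token in a real table. Bound parameters (or an ORM that uses them) are the control 6.5.1 asks you to train developers on, and a review pass that greps for %-formatting or string concatenation into SQL is a cheap 6.3.2 code-review check.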
Milestone 4 … Monitor & Control System Access
■ LIMIT ACCESS TO SYSTEM COMPONENTS & CHD to only those individuals whose job requires it… 7.1+
■ ESTABLISH AN ACCESS CONTROL SYSTEM FOR SYSTEM COMPONENTS.. Default “deny all” setting… 7.2+
■ ENSURE THAT SECURITY P&P FOR RESTRICTING ACCESS TO CHD IS DOCUMENTED/KNOWN … 7.3
■ DEFINE & IMPLEMENT P&P TO ENSURE PROPER USER ID MGT for non-consumer users and admins… 8.1+
■ UNIQUE USER ID FOR EACH USER & AT LEAST ONE AUTHENTICATION METHOD (something you know, have or are)… 8.2+
■ SECURE AUTHENTICATION 8.5; 8.6
■ RESTRICT ACCESS TO ANY DB with CHD …8.7
■ ENSURE THAT P&P FOR ID & AUTH DOC … 8.8
■ IMPLEMENT AUDIT TRAILS FOR ALL SYSTEM COMPONENTS … 10.2+
■ AUDIT LOG CONTENT: user ID, event type, date/time, success/failure, origin, identity of affected data/resource… 10.3; RETAIN 1 YEAR, 3 MONTHS IMMEDIATELY AVAILABLE… 10.7
■ SECURE AUDIT TRAILS … 10.5
■ TIME SYNCHRONIZATION (NTP) … 10.4
■ REVIEW LOGS FOR SECURITY EVENTS incl. daily security tasks 10.6
■ TEST FOR ROGUE WIRELESS APs QUARTERLY / MAINTAIN AN INVENTORY OF AUTHORIZED APs 11.1
■ CHANGE-DETECTION MECHANISM (file integrity monitoring FIM) 11.5
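Requirements 10.3, 10.6, 8.1.6 and 8.5 become concrete once you run them over real records. The following added example (not from the presentation) reviews constructed sshd-style authentication lines: it flags users who exceed the six-failure lockout threshold, a successful login after a run of failures, interactive use of generic accounts, and records the parser cannot attribute to a user and source. The log lines, host names, the GENERIC_IDS list and the SUSPICIOUS_STREAK threshold are all assumptions.

```python
"""Daily log review (PCI DSS 10.6) over sshd-style auth records, checking 8.1.6 (lockout after
six failures), 8.5 (no shared/generic admin IDs) and 10.3 (required audit fields).
Added example; the log lines and the generic-ID list are constructed/assumed."""
import re
from collections import Counter

SAMPLE_LOG = """\
Mar 30 09:14:02 pos-db01 sshd[2231]: Failed password for dbadmin from 10.20.0.9 port 51022 ssh2
Mar 30 09:14:04 pos-db01 sshd[2231]: Failed password for dbadmin from 10.20.0.9 port 51022 ssh2
Mar 30 09:14:06 pos-db01 sshd[2234]: Failed password for dbadmin from 10.20.0.9 port 51030 ssh2
Mar 30 09:14:08 pos-db01 sshd[2234]: Failed password for dbadmin from 10.20.0.9 port 51030 ssh2
Mar 30 09:14:10 pos-db01 sshd[2238]: Failed password for dbadmin from 10.20.0.9 port 51041 ssh2
Mar 30 09:14:12 pos-db01 sshd[2238]: Failed password for dbadmin from 10.20.0.9 port 51041 ssh2
Mar 30 09:14:15 pos-db01 sshd[2240]: Accepted password for dbadmin from 10.20.0.9 port 51044 ssh2
Mar 30 09:20:31 pos-db01 sshd[2301]: Accepted publickey for erika from 10.20.0.12 port 50011 ssh2
Mar 30 09:22:07 pos-db01 sshd[2310]: Accepted password for root from 10.20.0.77 port 40122 ssh2
Mar 30 09:25:00 pos-db01 paymentsvc: settlement batch 8821 completed
"""

SSHD = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                  r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
                  r"(?P<user>\S+) from (?P<src>\S+)")
GENERIC_IDS = {"root", "admin", "administrator", "postgres", "oracle", "sa"}   # assumed list for 8.5
LOCKOUT_THRESHOLD = 6    # 8.1.6: lock out after not more than six attempts
SUSPICIOUS_STREAK = 3    # assumed: a success after this many failures deserves a ticket

def parse(text):
    """Split records into parsed auth events and lines the parser cannot attribute."""
    events, unparsed = [], []
    for line in text.splitlines():
        m = SSHD.match(line)
        if m:
            events.append(m.groupdict())
        elif line.strip():
            unparsed.append(line)
    return events, unparsed

def review(text):
    """Return findings prefixed with the PCI DSS requirement each relates to."""
    events, unparsed = parse(text)
    findings = []
    total_fails = Counter((e["user"], e["src"]) for e in events if e["outcome"] == "Failed")
    for (user, src), n in total_fails.items():
        if n >= LOCKOUT_THRESHOLD:
            findings.append(f"8.1.6: {n} failed logins for {user} from {src}; confirm lockout fired")
    streak = Counter()                      # consecutive failures per (user, source), reset on success
    for e in events:
        key = (e["user"], e["src"])
        if e["outcome"] == "Failed":
            streak[key] += 1
            continue
        if streak[key] >= SUSPICIOUS_STREAK:
            findings.append(f"10.6: {e['user']} logged in from {e['src']} after {streak[key]} failures; investigate")
        streak[key] = 0
        if e["user"] in GENERIC_IDS:
            findings.append(f"8.5: generic account {e['user']} used interactively from {e['src']} on {e['host']}")
    for line in unparsed:
        # 10.3 needs user, event type, date/time, outcome and origin in every audit record
        findings.append(f"10.3: unrecognised record, verify it carries user/event/time/outcome/origin: {line}")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

The point of the streak counter is that the interesting event is the success, not the failures: six failures followed by an accepted password from the same source is either a user who finally remembered, or a guessed credential, and 10.6 expects someone to decide which, the same day.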
Milestone 5 … Protect Stored Cardholder Data
■ MASK PAN WHEN DISPLAYED (first six / last four digits at most)… 3.3
■ RENDER PAN UNREADABLE ANYWHERE IT IS STORED (one-way hash, truncation, index tokens, or strong cryptography)… 3.4
■ KEY MANAGEMENT…3.5; 3.6
■ EASILY DISTINGUISH BETWEEN ONSITE PERSONNEL & VISITORS… 9.2; 9.4
■ PHYSICALLY SECURE ALL MEDIA including backup media 9.6
■ ENSURE ALL SECURITY POLICIES & PROCEDURES FOR RESTRICTING PHYSICAL ACCESS ARE KNOWN/IN USE… 9.10
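Milestone 5 and the “no clear-text storage” rule both need code that knows what a PAN looks like. The block below is an added example (not from the presentation): 3.3-style masking to first six/last four, 3.4-style rendering unreadable with a keyed one-way hash, and a Luhn-validated sweep that finds and scrubs clear-text PANs in a constructed application log. The card numbers are the standard industry test numbers; DEMO_KEY, the host names and the log lines are invented.

```python
"""PAN handling for PCI DSS 3.3 (mask on display), 3.4 (render unreadable at rest) and a
Luhn-based sweep that finds clear-text PANs in logs or files (supports scoping, 3.1 retention
and the 'no clear text' rule). Added example; the log text and key are constructed."""
import hashlib
import hmac
import re

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
DEMO_KEY = b"constructed-demo-key-manage-under-3.5-and-3.6"   # assumed; never hard-code a real key

def luhn_ok(digits):
    """Mod-10 check-digit test; weeds out timestamps, order ids and most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """3.3: display at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def tokenize_pan(pan, key=DEMO_KEY):
    """3.4 via a keyed one-way hash. An unkeyed SHA-256 is not enough: given the six-digit BIN
    the remaining search space is about 10^9 Luhn-valid values, trivial to brute-force."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()

def find_pans(text):
    """Return clear-text PANs (digits only) found in text, Luhn-validated."""
    return [re.sub(r"\D", "", m.group()) for m in PAN_CANDIDATE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group()))]

def scrub(text):
    """Replace each detected PAN with its masked form so the record can live outside the CDE."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)

SAMPLE_LOG = (  # constructed application log; the cards are industry test numbers
    "2016-03-30 09:14:02 pos-app01 checkout: order 88213 card 4111 1111 1111 1111 exp 09/19 approved\n"
    "2016-03-30 09:14:05 pos-app01 checkout: order 88214 card 5555-5555-5555-4444 declined\n"
    "2016-03-30 09:14:09 pos-app01 checkout: txn 1234567890123456 amount 19.99 settled\n"
    "2016-03-30 09:14:11 pos-app01 checkout: order 88215 card 378282246310005 approved\n"
)

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print(mask_pan(pan), tokenize_pan(pan)[:16] + "...")
    print(scrub(SAMPLE_LOG))
```

Point find_pans at log directories, database exports and file shares during scoping: every hit is either data you must protect under 3.4 or data you should not have kept under 3.1, and the 16-digit transaction id that fails the Luhn check shows why the check matters for false positives. Keep the HMAC key under the 3.5/3.6 key-management controls; without a key, a hash of a PAN is reversible by brute force once the BIN is known.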
Milestone 6 … Finalize Compliance / Ensure
■ FORMAL PROCESS FOR APPROVING/TESTING ALL NETWORK CONNECTIONS & CHANGES… 1.1.1
■ DESCRIPTION OF GROUPS, ROLES AND RESPONSIBILITIES … 1.1.5
■ REVIEW FIREWALL & ROUTER RULE SETS AT LEAST EVERY 6 MONTHS …1.1.7
■ CHANGE CONTROL PROCEDURES FOR SECURITY PATCHES & S/W CHGS… 6.4.5
■ SECURITY POLICIES / CRITICAL TECHNOLOGIES annual review 12.1; 12.3; 12.4; 12.5
■ FORMAL SECURITY AWARENESS PROGRAM 12.6
■ BACKGROUND CHECKS 12.7
FINALE / FINALLY: SUMMARY / TIPS
READY…SET… PROJECT MANAGE!
• IDENTIFY SME’S
• GATHER & ORGANIZE DOCUMENTATION
• AUTOMATED REMINDERS / ASSIGNED RESPONSIBILITIES FOR PERIODIC TASKS
• SCHEDULE RESOURCES
• SCOPE & INVENTORY REVIEWS
• PREP WITH INDIVIDUALS
USE TEMPLATES FROM YOUR QSA AND/OR PCI
AVOID DOING EVERYTHING IN 3-4 PLACES THOUGH!
TRAIN YOUR HELPERS!
FEED YOUR HELPERS!
THANK THEM!
GIVE THEM TREATS!
Verizon PCI Report 2015
GET & MAINTAIN PCI COMPLIANCE
Biggest GAPS between Compliance & Post-Breach (by requirement)
1 – Firewalls
5 – Antivirus / Anti-malware
7 – Account Access Restrictions
8 – Unique IDs
11 – Scanning/Testing (PCI-level ASV Scans Quarterly)
12 – Policies & Procedures; Vendor Mgt.; Risk Mgt.
Verizon’s Lessons Learned from Payment Breaches
■ LOGGING, MONITORING, PATCHING & MAINTAINING
■ GOVERNANCE
■ ACCESS CONTROLS
■ PERIMETER SECURITY
■ DEFEATING MALWARE
■ PROTECTING STORED DATA
7 THINGS *NOT* TO DO!
1. Don’t store full magnetic stripe (track) data, the CVV2/CVC2 code (the additional security number on the back of the card) or PIN data after authorization
2. Don’t use vendor-supplied or default system passwords or common/weak passwords
3. Don’t allow personnel to share logins or passwords
4. Don’t allow physical access to any component in your CDE
5. Don’t store cardholder data in any systems in clear text (i.e., unencrypted)
6. Don’t leave remote access applications in an “always on” mode
7. Don’t use SSL (any version) or early TLS (TLS 1.0)
TEAMWORK MAKES THE DREAM WORK
And helps a lot with PCI Compliance!
QUESTIONS?
TIPS?
References / Resources
■ PCI DSS 3.1 - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
– Prioritized Approach: https://www.pcisecuritystandards.org/documents/Prioritized_Approach_for_PCI_DSS_v3-1.pdf ; https://www.pcisecuritystandards.org/.../Prioritized_Approach_v3.xlsx
– PCI Cloud: https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf
■ PCI Compliance by Qualys - https://www.qualys.com/docs/PCI-for-Dummies.pdf
■ PCI Compliance by Control - http://www.verizonenterprise.com/placeholder/resources/reports/rp_pci-report-2015_en_xg.pdf
■ Key Findings from the 2015 IBM Cyber Security Intelligence Index - http://www.slideshare.net/ibmsecurity/key-findings-from-the-2015-ibm-cyber-security-intelligence-index
■ Verizon PCI Report 2015 ; Verizon DBIR Report 2015
■ OWASP TOP TEN - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project