PCI DSS and Security Overview


Upload: mostafa-darwiche

Post on 15-May-2015


Category: Technology



DESCRIPTION

PCI-DSS and security overview. Good information about PCI (definition, history, need, application, ...) and some well-known security vulnerabilities with clear examples.

TRANSCRIPT

1. PCI-DSS and Security Overview

2. Agenda
  • Introduction
  • Security in the Software Industry
  • Top 10 Vulnerabilities: Examples
  • Threats & Risks
  • PCI DSS
  • Security Breaches: examples and solutions
  • Q&A

3. Introduction
  • Security is hard to achieve
  • Security is relevant
  • Assess the risk, so you can define your security level
  • Industry is now more aware of the risk
  • End-users are more affected by breaches: phones, tablets, notebooks; social networks

4. Security in the Software Industry
  Security means:
  • The public and/or private information is always available
  • The private information is well protected and not exposed
  • The user identity is always verified
  • Managing risk, not just avoiding vulnerabilities
  In case of a breach:
  • Reduce the loss
  • Identify the compromised data
  • Identify the breaching source

5. Security in the Software Industry (Cont'd)
  • HTTPS, HSTS, certificates, etc.
  • Physical identification of the user: mobile phone, Captcha, personal questions, physical bundles
  • Code scanning for security breaches
  • Security scanning tools
  • Joint efforts between development and deployment teams
  • Engineers have to bake security into the product

6. Top 10 Vulnerabilities
  • OWASP stands for Open Web Application Security Project: https://www.owasp.org
  • Based on OWASP's 2013 report, the Top 10 vulnerabilities are:
    1. Injection
    2. Broken Authentication and Session Management
    3. Cross-Site Scripting (XSS)
    4. Insecure Direct Object References
    5. Security Misconfiguration
    6. Sensitive Data Exposure
    7. Missing Function Level Access Control
    8. Cross-Site Request Forgery (CSRF)
    9. Using Components with Known Vulnerabilities
    10. Unvalidated Redirects and Forwards

7. Worst Security Breaches
  • Heartland Payment Systems. Date: March 2008. Impact: 134 million credit cards exposed through SQL injection used to install spyware on Heartland's data systems.
  • TJX Companies Inc. Date: December 2006. Impact: 94 million credit cards exposed.
  • Sony's PlayStation Network. Date: April 20, 2011. Impact: 77 million PlayStation Network accounts hacked; Sony is said to have lost millions while the site was down for a month.
  Full list here: http://www.csoonline.com/article/700263/the-15-worst-data-security-breaches-of-the-21st-century

8. Risks in the Payment Industry

9. The Gaps
  • Weak configurations
  • OS flaws
  • Programming errors
  • Backdoors
  • Network
  Risks in the payment industry:
  • Credit card theft
  • Phishing attempts on the rise: tricking individuals into divulging financial info
  • Many chat channels devoted to underground trading of credit card numbers

10. Before 2004

11. PCI-SSC

12. Credit Card Industry Players

13. Credit Card Information

14. What is PCI
  • PCI ensures you are compliant so you avoid costly security breaches.
  • Defines the framework of a secure payment environment.
  • PCI compliance is universally required; validation requirements can vary by classification and by size.

15. PCI Requirements
  • Build and maintain a secure network
  • Protect cardholder data
  • Segregation of duties by department
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

16. PCI Requirements
  We can split the requirements into 3 major parts:
  1. Network infrastructure
  2. Software security
  3. Regularly monitor and maintain the network

17. Network Infrastructure
  • Three-tier computing e-commerce infrastructure

18. Software Security
  PCI DSS must be applied to software/code for:
  • POS
  • Mobile apps
  • Web applications
  Common PCI mistakes:
  • Storing CC info in plain text
  • Poorly coded websites (XSS, CSRF)
  • Lack of monitoring and logging
  • Logging payment info
  • Not using SSL (at least for the payment page)

19. Monitor and Maintain Network
  • Manage security including firewalls, digital certificates and SSL encryption
  • Regularly change server/network passwords
  • Scheduled backups (DB and application)
  • Performance monitoring
  • Restrict access to servers/database

20. What are the costs of a security breach?
  • Banned from accepting credit cards
  • Loss of reputation and customers
  • Fines up to $500,000 per incident
  • Replacement cards for breached accounts ($20-$30/account)

21. Vulnerabilities
  • Injection flaws
  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • Buffer overflows
  • Weak authentication and session credentials
  • Brute force and dictionary attacks
  • And more

22. Injection Flaws
  • In addition to SQL injection, this includes OS and LDAP injection.
  • These flaws occur when data input to a website is not properly validated by the application code; the result is the injection of potentially malicious data to execute commands that may lead to unauthorized access.
  • e.g.:
    Dim query As String = "select [fields] from [table] where Email = '" & email & "';"

23. Injection Flaws
  • A normal query:
    SELECT fields FROM tableName WHERE Email = '[email protected]'';
  • Let's log in, no need for an account:
    SELECT fieldlist FROM table WHERE field = 'anything' OR 'x'='x';
  • What about predicting some table names:
    SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; DROP TABLE members; --';
  • And lots more

24. SQL Injection Sol.
  • Validate user input: length, type and syntax.
  • Ensure that users with permission to access the database have the least privileges.
  • Use strongly typed parameterized query APIs.
  • Use stored procedures instead of plain text queries.

25. Cross-site Scripting (XSS)
  • The result of poor application-level input validation practices.
  • XSS allows an attacker to place code in the victim's browser to hijack the browser session and redirect the victim to a malicious website.
  • e.g.:
    Response.Redirect("Login.asp?ErrorMessage=Invalid"+username+"or"+password)

26. Cross-site Scripting (XSS)
  • The form: [screenshot]
  • The attacker changes the URL: [screenshot]
  • The form will be: [screenshot]

27. XSS Sol.
  Possible sources of malicious data:
  • QueryString
  • Cookies
  • Posted data
  XSS solutions:
  • Encode input parameters (client and server side)
  • Filter input parameters for special characters

28. Cross-site Request Forgery (CSRF)
  • Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like changing the victim's e-mail address, home address, or password, or purchasing something.
  • CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data.

29. Cross-site Request Forgery (CSRF)
  • e.g. request:
    POST http://bank.com/transfer.do HTTP/1.1
    ...
    ...
    ...
    Content-Length: 19;

    acct=BOB&amount=100
  • What if this is also possible:
    GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
  • The easiest way: [markup not preserved in the transcript]
  • Or: View my Pictures! [link markup not preserved in the transcript]

30. CSRF Sol.
  The solution is anti-forgery tokens:
  • Unique token
  • Stored in the user's session
  • POST the token from the UI
  • POST data, and disable GET

31. Q&A
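Slides 22 to 24 show the concatenated query and then list the defences. The following is an added example, not code from the deck: it runs the slide 22 pattern and the slide 23 `OR 'x'='x'` input against an in-memory SQLite table, then applies two of the slide 24 defences (input validation of length, type and syntax, and a parameterized query). The table name, columns and rows are constructed for this demo and are not from the deck.

```python
"""Added example (not from the deck): concatenated query vs. parameterized
query, run against a constructed in-memory SQLite `members` table."""
import re
import sqlite3

# Constructed sample rows standing in for the deck's [table].
SAMPLE_MEMBERS = [
    ("alice@example.com", "alice", "Alice A."),
    ("bob@example.com", "bob", "Bob B."),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (email TEXT, login_id TEXT, full_name TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return con


def lookup_vulnerable(con, email):
    # Mirrors slide 22: the untrusted value is spliced into the SQL text,
    # so a quote inside it changes the meaning of the WHERE clause.
    query = "SELECT email, login_id, full_name FROM members WHERE email = '" + email + "';"
    return con.execute(query).fetchall()


def lookup_parameterized(con, email):
    # Slide 24: strongly typed parameterized query. The driver passes the
    # value separately from the SQL, so it is only ever compared as data.
    return con.execute(
        "SELECT email, login_id, full_name FROM members WHERE email = ?", (email,)
    ).fetchall()


EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(value, max_len=254):
    # Slide 24's first point: check type, length and syntax before use.
    if not isinstance(value, str):
        raise ValueError("email must be a string")
    if len(value) > max_len:
        raise ValueError("email too long")
    if not EMAIL_RE.match(value):
        raise ValueError("email has invalid syntax")
    return value


def lookup_hardened(con, email):
    # Both defences together: validate first, then bind as a parameter.
    return lookup_parameterized(con, validate_email(email))


def demo():
    con = make_db()
    injected = "x' OR 'x'='x"  # the slide 23 "no need for an account" input
    try:
        lookup_hardened(con, injected)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_rows": len(lookup_vulnerable(con, injected)),   # every row
        "parameterized_rows": len(lookup_parameterized(con, injected)),  # none
        "validation_rejected": rejected,
        "legit_rows": len(lookup_hardened(con, "alice@example.com")),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version returns every member for the injected value because the WHERE clause has become `email = 'x' OR 'x'='x'`; the parameterized version returns nothing because the same string is compared as a literal e-mail address, and the validator rejects it before any query is built.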
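Slide 25 builds an error message from the submitted credentials and passes it through the URL, and slide 27 names QueryString as a source of malicious data and gives the two defences (encode, filter). The following is an added example, not code from the deck: it reproduces the redirect pattern in Python, URL-encodes the value on the way into the query string, HTML-encodes it on the way into the login page, and filters the username against an allow-list. The allow-list regex, function names and page markup are assumptions for this demo; unlike the slide, the password is deliberately left out of the message.

```python
"""Added example (not from the deck): the slide 25 redirect pattern with
the slide 27 defences (output encoding and input filtering) applied."""
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Assumed allow-list for usernames; anything else is treated as invalid.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def filter_username(username):
    # Slide 27: filter input parameters for special characters.
    return username if USERNAME_RE.match(username) else "(invalid)"


def build_login_redirect(username):
    # Slide 25 put the raw username and password into the URL. Here only
    # the filtered username goes in, URL-encoded so it cannot add or break
    # query parameters.
    message = "Invalid username " + filter_username(username)
    return "Login.asp?ErrorMessage=" + quote(message, safe="")


def url_with_message(raw_message):
    # Any value the query string might carry (slide 27: QueryString is a
    # source of malicious data), used to exercise the renderers below.
    return "Login.asp?ErrorMessage=" + quote(raw_message, safe="")


def _message_from(url):
    return parse_qs(urlsplit(url).query).get("ErrorMessage", [""])[0]


def render_login_page(url):
    # Slide 27: encode on the server side. html.escape turns < > & " ' into
    # entities, so the browser shows the text instead of running it.
    return '<p class="error">' + html.escape(_message_from(url), quote=True) + "</p>"


def render_login_page_unsafe(url):
    # The pattern the deck warns about: the parameter is reflected verbatim.
    return '<p class="error">' + _message_from(url) + "</p>"


if __name__ == "__main__":
    print(render_login_page(build_login_redirect("alice")))
    print(render_login_page(url_with_message("<script>alert(1)</script>")))
```

Filtering and encoding are independent layers: the filter stops bad values at the point where the application creates the message, and the encoder protects the page even when the value arrives through a URL the application did not generate.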
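Slide 30 lists the anti-forgery token steps for the slide 29 transfer request. The following is an added example, not code from the deck: a minimal server-side handler that issues a unique token per session, embeds it in the transfer form, requires it back on POST, and refuses GET for the state-changing action. The session dictionary, the `/transfer.do` form and the handler's return values are constructed for this demo; a real application would use its framework's session and form support.

```python
"""Added example (not from the deck): the slide 30 anti-forgery token flow
around the slide 29 transfer request."""
import hmac
import re
import secrets


def new_session():
    # Slide 30: a unique, unguessable token stored in the user's session.
    return {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}


def render_transfer_form(session):
    # Slide 30: the token is placed in the UI and POSTed back with the form.
    return (
        '<form method="POST" action="/transfer.do">'
        f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'
        '<input name="acct"><input name="amount"><button>Send</button></form>'
    )


def token_from_form(form_html):
    # What the browser sends back: the hidden field from the rendered form.
    match = re.search(r'name="csrf_token" value="([^"]+)"', form_html)
    return match.group(1) if match else ""


def handle_transfer(method, session, params):
    """Return (status, message). `params` is the parsed POST body or, for
    GET, the query string."""
    if method != "POST":
        # Slide 30: disable GET for state-changing actions, so a request
        # triggered by merely loading a page (slide 29) cannot transfer.
        return 405, "transfers must be POSTed"
    submitted = params.get("csrf_token", "")
    expected = session.get("csrf_token", "")
    # Constant-time comparison; a missing, wrong or foreign token is rejected.
    if not submitted or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "missing or invalid anti-forgery token"
    return 200, f"transferred {params['amount']} to {params['acct']}"


if __name__ == "__main__":
    session = new_session()
    form = render_transfer_form(session)
    print(handle_transfer("GET", session, {"acct": "BOB", "amount": "100"}))
    print(handle_transfer("POST", session, {"acct": "BOB", "amount": "100"}))
    print(handle_transfer("POST", session,
                          {"acct": "BOB", "amount": "100",
                           "csrf_token": token_from_form(form)}))
```

The token works because a page on another origin can make the browser send the victim's cookies but cannot read the victim's form to learn the token; rejecting GET on its own would not be enough, since a forged POST form is just as easy to plant, which is why the slide lists both.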