PCI DSS in Pictures and What to Expect in PCI 3.0

www.sisainfosec.com Praveen Joseph Vackayil CISSP, PCI QSA, CCNA, ISO 27001 LA, MS, BE

Uploaded by: praveen-vackayil, posted on 08-Jun-2015


Category: Technology



DESCRIPTION

Presentation summarizing the twelve PCI DSS requirements, with a sneak preview of what to expect in PCI DSS 3.0.

TRANSCRIPT

Page 1: PCI DSS in Pictures and What to Expect in PCI 3.0

www.sisainfosec.com

Praveen Joseph Vackayil CISSP, PCI QSA, CCNA, ISO 27001 LA, MS, BE

Page 2: Introductions

Page 3: SISA

Consulting
• PCI DSS: PCI QSA Validation Services (PCI DSS), PCI ASV Scanning Services (PCI DSS), PCI Assurance Services (SAQ)
• PA-DSS: PA-QSA Validation Services (PA-DSS)
• Advisory: Risk Assessment (IS-RA); Privacy and Standards Compliance (ISO 27001, GLBA, HIPAA, DPA, COBIT, FISMA, BS 25999); Application Pen Test and Code Review; Network VA and Pen Test; Forensics

Training
• CPISI – PCI DSS Implementation
• CISRA – Risk Assessment Implementation
• OCTAVE (SEI-CMU) Security Risk Assessment Workshop
• ISO 27001 Implementation Workshop
• Business Continuity Management Workshop
• Secure Coding in .NET
• Awareness Sessions

Products
• SISA Security Assistant: Compliance Management Tool for PCI DSS, HIPAA, FFIEC, FISMA, ISO 27001 and Application Security

Page 4: About SISA

• SISA Information Security Pvt Ltd, Asia
• SISA Information Security Inc., Americas
• SISA Information Security WLL, EMEA

Consulting – Training – Products

Customers in 25 countries. Our customers include some of the world's biggest banks, merchants, IT companies, BPOs and telecoms.

Page 5: PCI DSS

Page 6: (no transcript text; image-only slide)

Page 7: Requirement 1 (firewall configuration)

1. Network Diagram • Formal • Comprehensive, covering every connection into and out of the cardholder data environment

2. Network Device Administration • Change management for every rule and configuration change • Console connections • Remote connections

3. Network Device Maintenance • Documented business justification for every rule and for every service, port and protocol allowed • Firewall rule review at least every 6 months

4. Placement of Firewalls • Between the Internet and the DMZ • Between the DMZ and the internal network, so that no Internet host can reach the cardholder data environment directly

5. Configuration of Firewalls • Stateful inspection • Filtering traffic between internal and external networks, with everything not explicitly permitted denied by default • NAT for internal IP addresses, so that private addressing is not disclosed to the Internet
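The rule-review points on this slide as an added example that is not part of the presentation: a Python check over a constructed firewall ruleset (the dict format and the rules themselves are hypothetical) that flags allow rules with no business justification, rules not reviewed within six months, any-any allows, rules that take Internet traffic straight to the internal network past the DMZ, and a ruleset that does not end in an explicit deny-all.

```python
"""Added example, not from the presentation: review of a constructed
firewall ruleset against the Requirement 1 points on this slide.
The rule format, zone names and rules are hypothetical."""
import datetime as dt

REVIEW_INTERVAL_DAYS = 182  # "every 6 months" (Requirement 1.1.6)

# Constructed sample export: three zones (internet, dmz, internal), one rule per dict.
RULES = [
    {"id": 1, "src": "internet", "dst": "dmz", "port": "443", "action": "allow",
     "justification": "Public web front end", "last_review": "2013-03-01"},
    {"id": 2, "src": "dmz", "dst": "internal", "port": "1433", "action": "allow",
     "justification": "Web tier to card DB", "last_review": "2013-09-15"},
    {"id": 3, "src": "internet", "dst": "internal", "port": "3389", "action": "allow",
     "justification": "", "last_review": "2012-01-10"},
    {"id": 4, "src": "any", "dst": "any", "port": "any", "action": "allow",
     "justification": "temporary troubleshooting", "last_review": "2013-09-15"},
    {"id": 5, "src": "any", "dst": "any", "port": "any", "action": "deny",
     "justification": "Default deny", "last_review": "2013-09-15"},
]

def review_rules(rules, today_iso):
    """Return (rule_id, finding) pairs in rule order; an empty list means the ruleset passes."""
    today = dt.date.fromisoformat(today_iso)
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue  # deny rules need no business justification
        if not r["justification"].strip():
            findings.append((r["id"], "no-justification"))
        if r["src"] == "internet" and r["dst"] == "internal":
            findings.append((r["id"], "internet-to-internal"))  # bypasses the DMZ
        if (r["src"], r["dst"], r["port"]) == ("any", "any", "any"):
            findings.append((r["id"], "any-any-allow"))
        age_days = (today - dt.date.fromisoformat(r["last_review"])).days
        if age_days > REVIEW_INTERVAL_DAYS:
            findings.append((r["id"], "review-overdue"))
    # Unlisted traffic must be dropped: the last rule has to be an explicit deny-all.
    last = rules[-1] if rules else None
    if not last or last["action"] != "deny" or (last["src"], last["dst"]) != ("any", "any"):
        findings.append((None, "no-final-deny-all"))
    return findings

if __name__ == "__main__":
    for rule_id, finding in review_rules(RULES, "2013-10-01"):
        print(rule_id, finding)
```

Run against the sample on 1 October 2013 the script reports rule 1 as overdue for review, rule 3 three times (no justification, Internet straight to internal, overdue) and rule 4 as an any-any allow; rule 2 and the closing deny-all pass.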

Page 8: Requirement 2 (no vendor-supplied defaults)

1. No Defaults • Usernames such as administrator, system, cisco, infosys • Passwords such as 0000, 1234

2. Wireless Environments • Change the default encryption keys (and do not rely on WEP at all: PCI DSS has prohibited it since 30 June 2010) • Change the default passwords and SNMP community strings on access points

3. Device Configurations • One primary function per server • Only required services, protocols and daemons enabled • Systems hardened against an industry-accepted standard (e.g. CIS, NIST, SANS)

4. Admin Access to Devices • Console access must be authenticated • Non-console administrative access must be strongly encrypted, e.g. SSH, TLS or VPN • No Telnet, and no other cleartext management protocol such as plain HTTP
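One way to check a device export for the points on this slide, as an added example that is not from the presentation: the script below scans a constructed Cisco IOS-style configuration excerpt (the device and its config are hypothetical) for vendor-default usernames and passwords, credentials stored in cleartext or in the reversible type 7 encoding, lines that accept connections without authentication, and Telnet or plain HTTP management. The default-credential sets are short illustrative lists, not a complete database.

```python
"""Added example, not from the presentation: Requirement 2 checks over a
constructed IOS-style config. Credential lists are illustrative only."""
import re

DEFAULT_USERNAMES = {"administrator", "system", "cisco", "infosys", "admin", "root"}
DEFAULT_PASSWORDS = {"0000", "1234", "password", "cisco", "admin", "default"}

# Constructed sample config of a hypothetical core switch.
SAMPLE_CONFIG = """\
hostname core-sw-01
username cisco password 0 cisco
username netops secret 5 $1$abcd$XYZ
line vty 0 4
 transport input telnet ssh
 login local
line con 0
 no login
ip http server
"""

# Same device with the findings fixed.
HARDENED_CONFIG = """\
hostname core-sw-01
username netops secret 5 $1$abcd$XYZ
line vty 0 4
 transport input ssh
 login local
line con 0
 login local
no ip http server
ip http secure-server
"""

# username <name> password|secret [<type>] <value>
USER_RE = re.compile(r"username\s+(\S+)\s+(password|secret)\s+(?:(\d)\s+)?(\S+)")

def audit_config(text):
    """Return (line_no, finding, detail) tuples for each weakness found, in config order."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            user, kind, enc_type, value = m.groups()
            if user.lower() in DEFAULT_USERNAMES:
                findings.append((n, "default-username", user))
            if value.lower() in DEFAULT_PASSWORDS:
                findings.append((n, "default-password", user))
            # "password 0" (or no type at all) stores the credential in cleartext;
            # type 7 is a trivially reversible encoding, not encryption.
            if kind == "password" and enc_type in (None, "0"):
                findings.append((n, "cleartext-password", user))
            if kind == "password" and enc_type == "7":
                findings.append((n, "reversible-type7", user))
        elif line.startswith("transport input") and "telnet" in line.split():
            findings.append((n, "telnet-enabled", line))
        elif line == "no login":
            findings.append((n, "line-without-login", line))
        elif line == "ip http server":
            findings.append((n, "cleartext-http-mgmt", line))
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(*finding)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

The sample produces six findings (three on the `username cisco` line alone); the hardened config produces none. A real audit would track `line` context so that `no login` is reported against the specific console or VTY line, and would pull the default-credential list from a maintained source rather than an inline set.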

Page 9: Requirement 3 (protect stored cardholder data)

1. Storage • Protect the stored card number (PAN): render it unreadable wherever it is stored, by truncation, one-way hashing, tokenisation or strong encryption, and mask it to at most the first six and last four digits when displayed • Never store sensitive authentication data after authorisation, even encrypted: full track data, the card verification code (CVV2/CVC2/CID) or the PIN/PIN block

2. Retention Period • Define a business justification and a retention period for every store of cardholder data • Review stored cardholder data every quarter • Securely delete data that has exceeded its retention period

3. Key Management • Generate strong keys • Store keys securely, in as few locations as possible and protected by key-encrypting keys • Distribute keys securely • Retire or replace keys at the end of their cryptoperiod, or sooner if their integrity is suspected to be weakened • Split knowledge and dual control for any manual clear-text key operation
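The storage points on this slide as an added example that is not part of the presentation: a scanner that finds PANs and magnetic-stripe track data in a constructed log excerpt, and the masking form PCI DSS permits for display. A PAN candidate is a run of 13 to 19 digits (optionally separated by spaces or hyphens) that passes the Luhn check; the Luhn check removes most timestamps and reference numbers but not all, so a real scan still needs human review of hits. The log lines are constructed, and 4111 1111 1111 1111 is a well-known test number, not a live card.

```python
"""Added example, not from the presentation: detection of stored PANs and
track data, plus PCI DSS display masking. Sample log lines are constructed."""
import re

# 13-19 digits, optionally separated by spaces or hyphens, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe layouts: track 1 "%B<PAN>^NAME^YYMM...", track 2 ";<PAN>=YYMM...".
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")

def luhn_ok(digits):
    """Luhn mod-10 check that card numbers satisfy; cuts most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return digit-only PANs found in text, in order of appearance."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans

def mask_pan(pan):
    """Display form permitted by PCI DSS: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_for_cardholder_data(text):
    """Summarise what a file or log contains that Requirement 3 says must not be there."""
    return {
        "pans": find_pans(text),
        "track1": bool(TRACK1_RE.search(text)),
        "track2": bool(TRACK2_RE.search(text)),
    }

# Constructed application log: one PAN with spaces, one 13-digit reference that fails
# Luhn, a raw track 2 swipe, and a number that fails Luhn by one digit.
SAMPLE_LOG = """\
2015-06-08 10:01:22 order=778812 pan=4111 1111 1111 1111 amount=19.99
2015-06-08 10:01:23 ref=1234567890123 status=ok
2015-06-08 10:01:24 swipe=;4111111111111111=2512101123? terminal=7
2015-06-08 10:01:25 retry pan=4111111111111112 result=declined
"""

if __name__ == "__main__":
    result = scan_for_cardholder_data(SAMPLE_LOG)
    print("track1:", result["track1"], "track2:", result["track2"])
    for pan in result["pans"]:
        print("found PAN, would be stored/displayed as", mask_pan(pan))
```

On the sample the scanner reports two PANs (lines 1 and 3) and a track 2 record on line 3; the 13-digit reference and the number ending in 2 are rejected by the Luhn check. The track 2 hit is the serious one: it is sensitive authentication data and may not be kept in any form, whereas the PAN can be retained if truncated, hashed, tokenised or encrypted.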

Page 10: Requirement 4 (encrypt transmission over open, public networks)

1. Encrypt card numbers sent over the Internet, wireless networks, GPRS, GSM and any other open, public network • SSH, SSL/TLS and IPsec were the accepted examples of strong cryptography at the time of this presentation; note that PCI DSS 3.1 (April 2015) later removed SSL and early TLS from the definition of strong cryptography, so current deployments should use TLS 1.1 or higher (TLS 1.2 recommended) with strong cipher suites and certificate validation

2. Never send unprotected card numbers over end-user messaging technologies such as e-mail, instant messaging or chat

Page 11: Requirement 5 (anti-virus)

1. Scope • All Windows systems must have anti-virus (the v2.0 wording is "all systems commonly affected by malicious software, particularly personal computers and servers")

2. AV should be • Enabled • Kept current with signatures and engine updates • Running periodic scans • Receiving automatic updates

3. AV Logs • At the AV server • At the AV client • Retained as per the 3-months-online / 1-year rule (Requirement 10.7)

Page 12: Requirement 6 (secure systems and applications)

1. Patch Management • Latest vendor patches on all system components • Deploy critical patches within 30 days • Risk-rank newly discovered vulnerabilities (e.g. high, medium, low) • Monitor external sources (vendor advisories, CVE feeds) for new vulnerabilities

2. Application Development • Code review before release, by someone other than the author • Change management, with development and test environments separate from production and no live PANs used for testing

3. Custom Code Should Address • SQL injection and other injection flaws • Buffer overflow • Cross-site scripting • Cross-site request forgery • Also insecure cryptographic storage, insecure communications, improper error handling and improper access control

4. Public-Facing Web Applications • A web application firewall in front of them, or • An application vulnerability assessment at least annually and after any change
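The first and third flaws in the list above, as an added example that is not from the presentation and not the author's code: each is shown as the vulnerable pattern beside the corrected one. The merchant table is a constructed in-memory SQLite database so the block runs offline; the function names are this example's own.

```python
"""Added example, not from the presentation: SQL injection and cross-site
scripting, vulnerable form beside the fix. Data is a constructed SQLite table."""
import html
import sqlite3

def make_db():
    """Constructed sample table of merchant accounts (in memory, hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO merchants (name, api_key) VALUES (?, ?)",
                     [("acme", "key-acme-1"), ("globex", "key-globex-2")])
    return conn

def lookup_vulnerable(conn, name):
    """SQL injection: the input is pasted into the statement text, so a quote
    in it changes the query's structure instead of being compared as data."""
    sql = "SELECT name, api_key FROM merchants WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    """Parameterised query: the driver passes the value separately from the
    statement, so quotes and keywords in it are only ever data."""
    rows = conn.execute("SELECT name, api_key FROM merchants WHERE name = ?", (name,))
    return [row[0] for row in rows]

def injection_demo(payload):
    """Run the same input through both lookups; returns (vulnerable, safe) results."""
    conn = make_db()
    return lookup_vulnerable(conn, payload), lookup_safe(conn, payload)

def greeting_vulnerable(display_name):
    """Cross-site scripting: untrusted text interpolated into HTML unescaped."""
    return "<p>Welcome back, " + display_name + "</p>"

def greeting_safe(display_name):
    """Output encoding for the HTML text context: html.escape() neutralises
    <, >, &, and quotes so the browser renders them as characters, not markup."""
    return "<p>Welcome back, " + html.escape(display_name, quote=True) + "</p>"

if __name__ == "__main__":
    print(injection_demo("x' OR '1'='1"))   # (['acme', 'globex'], [])
    print(greeting_safe("<script>alert(1)</script>"))
```

The payload `x' OR '1'='1` makes the concatenated query return every merchant, including their API keys, while the parameterised version returns nothing because no merchant is literally named that. The same parameter mechanism (`?` placeholders, or the driver's equivalent) is the fix for every SQL dialect; escaping or filtering input is not.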

Page 13: Requirement 7 (restrict access by business need to know)

1. Assigning Access to CHD • Based on job classification and function, limited to the least privileges needed • Documented approval of privileges by management

2. Implementing Access to CHD • Automated access control system covering all system components • Default deny-all setting: anything not explicitly allowed is denied

Page 14: Requirement 8 (unique IDs and authentication)

1. Password Requirements • A unique ID for every user • History (no reuse of the last 4 passwords), lifetime (change at least every 90 days), length (at least 7 characters), complexity (both letters and numbers) • Passwords rendered unreadable with strong cryptography in storage and in transit • Two-factor authentication for remote network access

2. Account Lockout and Forgotten Passwords • Lock out after at most 6 failed attempts, for at least 30 minutes or until an administrator resets the account • Re-authentication after 15 minutes idle • Password reset process that verifies the user's identity first and issues a unique first-use password that must be changed immediately
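The controls on this slide as an added example, not from the presentation: an account model that enforces the v2.0 values (minimum 7 characters with letters and digits, change every 90 days, no reuse of the last 4, lock-out after 6 failures for 30 minutes, salted hashing in storage) and a reset flow that issues a one-time password which must be changed at first logon. The clock is passed in so that the lock-out and expiry behaviour can be checked without waiting; the `Account` class, its field names and the `walkthrough()` scenario are this example's own.

```python
"""Added example, not from the presentation: an account model enforcing the
PCI DSS v2.0 password controls named on this slide with the values the
standard sets, plus a reset flow issuing a one-time password that must be
changed at first logon. The clock is passed in so the behaviour can be
checked without waiting. Class and field names are this example's own."""
import hashlib
import hmac
import os
import secrets

MIN_LENGTH = 7                 # 8.5.10
MAX_AGE_SECONDS = 90 * 86400   # 8.5.9
HISTORY_DEPTH = 4              # 8.5.12
MAX_FAILURES = 6               # 8.5.13
LOCKOUT_SECONDS = 30 * 60      # 8.5.14

def _digest(password, salt):
    # Never store passwords in the clear: salted PBKDF2-HMAC-SHA256 (8.4).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def meets_policy(password):
    # 8.5.10 / 8.5.11: at least 7 characters containing both letters and digits.
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

class Account:
    def __init__(self, username, password, now):
        self.username = username
        self.history = []        # (salt, digest) pairs, newest last
        self.changed_at = now
        self.failures = 0
        self.locked_until = 0.0
        self.must_change = False
        if self.set_password(password, now) != "ok":
            raise ValueError("initial password violates policy")

    def set_password(self, new_password, now):
        """Returns "ok", "policy" or "reuse"; only "ok" changes state."""
        if not meets_policy(new_password):
            return "policy"
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(_digest(new_password, salt), digest):
                return "reuse"
        salt = os.urandom(16)
        self.history.append((salt, _digest(new_password, salt)))
        self.changed_at = now
        self.must_change = False
        return "ok"

    def reset_password(self, now):
        """Help-desk reset after identity is verified out of band (8.5.2):
        a unique temporary password that must be changed at next logon (8.5.3)."""
        temp = "T" + secrets.token_hex(4) + "9"    # always satisfies the policy
        if self.set_password(temp, now) != "ok":
            raise RuntimeError("temporary password rejected")
        self.must_change = True
        self.failures = 0
        self.locked_until = 0.0
        return temp

    def authenticate(self, password, now):
        """Returns "locked", "denied", "must-change", "expired" or "ok"."""
        if now < self.locked_until:
            return "locked"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_digest(password, salt), digest):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT_SECONDS
                self.failures = 0
            return "denied"
        self.failures = 0
        if self.must_change:
            return "must-change"
        if now - self.changed_at > MAX_AGE_SECONDS:
            return "expired"
        return "ok"

def walkthrough():
    # Drive the controls against a fixed clock; returns what each step observed.
    t0 = 1_000_000.0
    acct = Account("ops", "Summer2015", t0)
    out = {"good": acct.authenticate("Summer2015", t0)}
    out["bad"] = [acct.authenticate("wrong", t0) for _ in range(MAX_FAILURES)]
    out["locked"] = acct.authenticate("Summer2015", t0 + 60)
    out["after_lockout"] = acct.authenticate("Summer2015", t0 + LOCKOUT_SECONDS + 1)
    out["expired"] = acct.authenticate("Summer2015", t0 + 91 * 86400)
    out["too_short"] = acct.set_password("Ab1234", t0)
    out["reused"] = acct.set_password("Summer2015", t0)
    temp = acct.reset_password(t0 + 91 * 86400)
    out["one_time"] = acct.authenticate(temp, t0 + 91 * 86400)
    out["changed"] = acct.set_password("Autumn2015", t0 + 91 * 86400)
    out["final"] = acct.authenticate("Autumn2015", t0 + 91 * 86400 + 10)
    return out
```

Note the lock-out counter resets on a successful logon and the lock is time-based, which matches "30 minutes or until an administrator enables the ID"; `hmac.compare_digest` avoids leaking the hash comparison through timing. The idle-timeout control (15 minutes) belongs to the session layer and is not modelled here.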

Page 15: Requirement 9 (restrict physical access)

1. CCTV recordings (reviewed, correlated with access-control entries, and retained for at least 3 months)

2. Access card logs

3. Visitor management (visitors authorised, escorted, badged and logged; visitor log kept for at least 3 months)

4. Media management (classification, secure storage, tracked distribution, and destruction when no longer needed for business or legal reasons)

Page 16: Requirement 10 (track and monitor all access)

1. Every system component and network device must produce audit logs that link each action to an individual user

2. Events that must be logged • Access to CHD • Actions by anyone with root or administrative privileges • Access to the audit trails themselves • Invalid logical access attempts • Use of identification and authentication mechanisms • Initialisation of audit logs • Creation and deletion of system-level objects. Each entry must record the user ID, type of event, date and time, success or failure, origination of the event, and the affected data, component or resource

3. Log Retention • 3 months – 1 year rule: retain at least one year, with a minimum of three months immediately available for analysis

4. NTP: synchronise all clocks from an accepted external time source and protect the time data from change

5. FIM (or other change-detection) on logs, so that existing log data cannot be altered without generating an alert; review logs at least daily
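Points 2, 3 and 5 above as an added example that is not part of the presentation: an append-only audit log that rejects entries missing any of the fields Requirement 10.3 says every entry must carry, chains each entry to the previous one with SHA-256 so that an edited or deleted entry is detected on verification (one way to implement tamper detection on logs; a commercial FIM product is another), and classifies an entry's age against the 3-months-online / 1-year rule. The entries, timestamps and class names are constructed for the example.

```python
"""Added example, not from the presentation: a hash-chained audit log with
Requirement 10.3 field checks and 10.7 retention classes. All data constructed."""
import hashlib
import json

REQUIRED_FIELDS = ("user", "event", "time", "result", "origin", "resource")  # 10.3.1-10.3.6
ONLINE_DAYS = 90      # minimum immediately available for analysis (10.7)
RETAIN_DAYS = 365     # minimum total retention (10.7)
GENESIS = "0" * 64    # "previous hash" for the first entry

def check_fields(fields):
    """Names of required fields that are absent from an entry, in 10.3 order."""
    return [f for f in REQUIRED_FIELDS if f not in fields]

class AuditLog:
    def __init__(self):
        self.entries = []     # dicts with "body" (canonical JSON) and "hash"

    def record(self, **fields):
        """Append one entry; the hash covers the previous hash and this body."""
        missing = check_fields(fields)
        if missing:
            raise ValueError("entry missing required fields: " + ", ".join(missing))
        body = json.dumps(fields, sort_keys=True)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"body": body, "hash": digest})
        return digest

    def verify(self):
        """Index of the first entry whose hash does not chain, or -1 if the log is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if hashlib.sha256((prev + entry["body"]).encode()).hexdigest() != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1

def retention_class(age_days):
    """Where an entry of the given age must be: online, in archive, or past the minimum."""
    if age_days <= ONLINE_DAYS:
        return "online"
    if age_days <= RETAIN_DAYS:
        return "archive"
    return "beyond-minimum"

def tamper_demo():
    """Build a three-entry log, then show that editing or deleting an entry is detected."""
    log = AuditLog()
    log.record(user="alice", event="view-pan", time="2013-10-01T09:15:00Z",
               result="success", origin="10.1.2.3", resource="db01/cards")
    log.record(user="root", event="delete-file", time="2013-10-01T09:16:00Z",
               result="success", origin="console", resource="/var/log/audit.log")
    log.record(user="bob", event="login", time="2013-10-01T09:17:00Z",
               result="failure", origin="10.1.2.9", resource="jump01")
    edited = AuditLog()
    edited.entries = [dict(e) for e in log.entries]
    edited.entries[1]["body"] = edited.entries[1]["body"].replace('"root"', '"svc"')
    deleted = AuditLog()
    deleted.entries = [dict(e) for e in log.entries]
    del deleted.entries[1]
    return {"intact": log.verify(), "edited": edited.verify(), "deleted": deleted.verify()}

if __name__ == "__main__":
    print(tamper_demo())   # {'intact': -1, 'edited': 1, 'deleted': 1}
```

The chain only makes tampering detectable, not impossible: an attacker with write access to the whole file can recompute every hash after the edit. That is why the last hash (or the whole chain) has to be anchored somewhere the attacker cannot reach, such as a write-once central log server or a periodic signed checkpoint, which is also what lets the logs count as protected under 10.5.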

Page 17: Requirement 11 (regularly test security systems and processes)

1. Vulnerability Assessment • Internal VA • External VA by an Approved Scanning Vendor (ASV) • Every quarter and after any significant change, with rescans until no "high" finding remains and the ASV scan passes

2. Penetration Testing • Internal PT • External PT • Annually and after any significant change, at both the network and the application layer

3. Wireless scans (at least quarterly, to detect rogue access points) 4. IDS/IPS at the perimeter and at critical points inside the cardholder data environment 5. FIM on critical system, configuration and content files, with comparisons at least weekly

[Figure: vulnerability severity scale: High, Med, Low]

Page 18: Requirement 12 (information security policy)

1. Risk Assessment • Formal methodology, performed at least annually and after significant changes • E.g. ISO 27005, NIST SP 800-30, OCTAVE

2. HR • Recruitment • Background checks before hire • NDA • Security awareness on hire and at least annually • ID creation and deletion • Termination, with access revoked immediately

3. Acceptable Usage Policy for critical technologies 4. Operational Security Procedures 5. Information Security Policy, reviewed at least annually

6. Service Providers: maintain a list, obtain a written acknowledgement of responsibility for the cardholder data they handle, perform due diligence before engagement, and monitor their compliance status at least annually 7. Incident Management: an incident response plan, tested at least annually, with personnel available 24/7

Page 19: PCI DSS 3.0

Page 20: Dates

• PCI DSS 3.0 will be published on 7 November 2013
• Version 3.0 takes effect on 1 January 2014; assessments may be performed against it from that date
• Version 2.0 remains valid until 31 December 2014, so 2014 is a transition year in which either version may be used

Page 21: Requirements 1 and 2 in 3.0

1. Updated network diagram, plus a current diagram showing all cardholder data flows across systems and networks (new Requirement 1.1.3)

2. Updated hardware inventory: an inventory of all system components in scope for PCI DSS, with a description of each one's function and use (new Requirement 2.4)

Page 22: Requirement 5 in 3.0

1. AV is required on non-Windows-based systems as well: systems considered not commonly affected by malware must be periodically evaluated to confirm they still do not need anti-virus (5.1.2), and AV solutions must be actively running and must not be disabled or altered by users (5.3)

Page 23: Requirement 6 in 3.0

1. Keep the list of common application vulnerabilities that developers are trained on, and that custom code is reviewed and tested against, current with industry guidance such as OWASP, NIST and SANS (Requirement 6.5)

Page 24: Requirement 8 in 3.0

1. Security requirements for authentication mechanisms other than passwords • Tokens • Smart cards • Certificates. Each must be assigned to an individual account, not shared, and physical and logical controls must ensure that only the intended account can use it to gain access (new Requirement 8.6)

Page 25: Requirement 11 in 3.0

1. More stringent requirements for penetration testing (Requirement 11.3): a documented methodology based on industry-accepted approaches (e.g. NIST SP 800-115), covering the entire cardholder data environment perimeter and critical systems from inside and outside the network, at both the network and application layers, and including tests that segmentation controls are effective; a best practice until 30 June 2015 and a requirement thereafter

Page 26: Requirement 12 in 3.0

1. Maintain a list of service providers and the services each one provides

2. Service providers must acknowledge in writing their responsibility for the PCI DSS requirements they manage on the customer's behalf, and both parties must keep a record of which requirements are managed by whom (12.8.5, 12.9)

3. Risks pertaining to service providers: due diligence before engagement and monitoring of each provider's compliance status at least annually

Page 27: Thank You