EHMA 2009 - SEVILLE
Responsible Information Technology Security Strategy
Ian Millar CHTP
OBJECTIVES
• Understand the importance of information technology security
• Evaluate and implement the necessary protection for a modern IT network
• Implement PCI compliance for your business
• Leave with a clearer understanding of security issues that you can immediately check/implement
• Ensure both operational and guest security and safety are correct
Technology practices
• Does your computer network have a firewall?
• Do you run antivirus scans at least weekly on all your computers?
• Are your virus scanning software and signature files up to date?
• Do you require users to change passwords every 90 days?
• Are passwords required to consist of numbers and letters?
• Are user access privileges revoked immediately upon or before separation from your company?
• Do you encrypt all payment transactions that are collected, stored, and transmitted electronically?
Technology practices (cont.)
• Do you restrict user access to guest credit card data?
• Have you asked your computer software vendors if their applications are PCI compliant?
• Have you changed all vendor supplied passwords and restricted vendor access to your systems?
• Are your computer servers located in physically secure areas?
• Are the operating systems you use up to date with the latest security patches?
• Do you conduct regular audits of your computer systems and network security?
• Do you routinely monitor your hotel's systems for changes made to settings, applications and passwords?
• Do your systems or applications maintain journal logs?
It is a bad world out there
What is happening now
• http://itw.trendmicro.com/trend_tracker.php
2007 vs 2008
Websites blocked per day: 1253 (2007), 2290 (2008)
Spam rate: 84.5% (2007), 81.2% (2008)
E-mail virus: 1 in 140 mails (2007), 1 in 130 mails (2008)
2008 cont…
• The decline can be attributed to the transition to spreading malware using malicious content hosted on websites and drive-by installs rather than favoring email as the primary means of distribution.
• The number of phishing attacks was 1 in 244.9 emails (0.41 percent) across 2008
Phishing
Lots of money
Microsoft
In the UK
Today
• From BBC technology
Let's get physical – Your IT room
IT room (cont.)
• This room is more important than your office
• Air conditioned
• Preferably not below ground level
• Special access to get into the room
• Fire system (not water)
• All Servers protected by UPS
UPS – uninterrupted power supply
What happens in hospitality
5* property (cont.)
Which cable does what?
Software protection
The six steps to security
Anti virus
• Do you have up to date paid for anti virus software on EVERY computer in your hotel?
Taken by me in a Hotel business centre
SPAM
Anti spam
• Junk e-mail
• YouTube - Monty Python – Spam
• Some facts:
– June 2007: 100 billion per day
– Adult: 25%
– June 2008: 96.5% of e-mail received by businesses
– Bill Gates receives four million e-mails per year, most of them spam
Why Spam?
• A survey on Marshal Limited's website (an e-mail and Internet content security company) showed that 29.1% of the 622 respondents had bought something from a spam email
Why protect?
• The recipient directly bears the cost of delivery, storage, and processing
• How much time do you and your employees spend removing spam?
Firewall
• Do you have an up to date firewall installed?
• Either software or a hardware version
• Even better, BOTH!
Windows update
• Should be set to automatically install when available
VPN
• If your hotel uses laptops that can connect back to the hotel, they should do so over a VPN
No copied software
• BSA (Business Software Alliance) shows that 1 in 4 European businesses use copied software
• The Pirate Bay - The world's largest BitTorrent tracker
BSA - statistics
Why?
• You can be fined
• Most copied software contains viruses
• You do not get security upgrades
• You will have no support
PCI - Compliance
PCI compliance
• What would happen to your hotel as a business if you could no longer accept credit cards?
• Or you receive a heavy fine?
Worldwide credit card fraud
• What % of credit card fraud comes from hospitality?
• The Payment Card Industry compliance, American Hotel and Lodging Association & Visa.com
WHAT IS PCI COMPLIANCE
• PCI DSS stands for Payment Card Industry Data Security Standard.
• It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats.
• A company processing, storing, or transmitting payment card data must be PCI DSS compliant
PCI COMPLIANCE
• Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk losing their ability to process credit card payments and being audited and/or fined.
• All in-scope companies must validate their compliance annually. This validation can be conducted by auditors, i.e. persons who are PCI DSS Qualified Security Assessors (QSAs).
Build and Maintain a Secure Network
Protect cardholder data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
Real life example
• Hotel chain Best Western has downplayed concerns over a recent hack attack that was reported to have put at risk the personal details of all its customers since 2007.
Best Western downplays hack attack - vnunet.com
• According to a report in the Sunday Herald, an unknown Indian hacker had managed to gain unauthorised access to Best Western's databases, which contain the names, addresses and credit card numbers of international customers.
• 10 customers' personal data was stolen
• He added that Best Western complies with the Payment Card Industry Data Security Standard for secure online payments to protect customer information. The hotel chain is now working with the FBI and other international authorities to investigate further.
Compliance and Wireless LANs
• The PCI DSS recognizes wireless LANs as public networks and automatically assumes they are exposed to vulnerabilities and threats.
• PCI DSS also provides two specific security guidelines to prevent breaches coming in from wireless networks used in any environments containing credit card data. They are:
– Firewall segmentation between wireless networks and the point of sale networks or any network that comes in contact with credit card information.
– Use of wireless analyzers (a.k.a. Wireless Intrusion Detection System) to detect any unauthorized wireless devices and attacks
Worried about your wireless? October 11th 2008
• A computer hacker is threatening to release "personal and sensitive" e-mails swiped from the Thompson hotel chain after taunting the company about its lax security practices.
• The hacker threats against the Thompson hotel chain, which includes several five-star hotels in Manhattan, Beverly Hills and Washington, could result in lawsuits against the company, said Hobson, but the resultant publicity could put off high-spending guests from staying at the boutique hotels, with a consequent loss of revenue.
What your guests do!!
Questions?
REFERENCES
• PCI DSS - Wikipedia, the free encyclopedia
• Best Western downplays hack attack - vnunet.com
• UK hotels vulnerable to same Wi-Fi hack as US hotel chain | 15 Oct 2008 | ComputerWeekly.com
• BBC NEWS | Technology | Spam plummets as gang leaves net
• http://www.nytimes.com/2008/11/30/business/30privacy.html?_r=2&emc=eta1
• Payment Applications | Merchants | Visa USA
Viruses for Mac