5 Under-utilized PCI Requirements and How You Can Fully Leverage Them
By – Praveen Joseph Vackayil
Praveen Joseph Vackayil, CISSP, CCNA, ISO 27001 LA, former PCI QSA, MS (Warwick), BE
DISCLAIMER
Ground Rules
• Mobile phones – you know what to do!
• Questions are welcome
• Share your knowledge
Agenda
• Quick Introduction to PCI DSS
  – CHD and SAD
  – PCI Requirements
• 5 Under-utilized PCI Requirements
A Quick Introduction to PCI DSS
What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements created to protect credit and debit card data.
What is PCI?
• One of the most precise and granular information security standards out there.
• 12 broad requirements, 300+ sub-requirements
• People (10%) – Processes (30%) – Technology (60%)
Cardholder Data
Cardholder Data:
• Card Number
• Cardholder Name
• Service Code (not shown in image)
• Expiry Date
Sensitive Authentication Data
Sensitive Authentication Data:
• CVV
• Track data (Magnetic Stripe data or Chip data)
• PINs or PIN blocks
What does PCI say about CHD and SAD?
In Other Words
Stored card numbers must be encrypted, truncated, hashed, or protected with one-time pads.
Eg. 4757 2828 9290 2929 stored as 1aM3fz9eo0F1idqKq2Z23i0F3akdjl53f32F23k3qsaf
In Other Words
CVV, Track/Chip and PIN data must never be stored.
Eg. a file named “July_Customer_CVV.xlsx”
The PCI Requirements
Ref: PCI DSS v3.0
Requirement 1 – Firewalls
• Formal Change Management
• Updated Network Diagram
• Firewall config vs Business Justification Document
• NATting
• Check incoming packets for IP Spoofing
• Internal Zone -> DMZ -> External Zone
• Firewall Rule Review
Requirement 2 – Device Configuration
• Change all vendor-supplied defaults
• Remove all unnecessary scripts, drivers, servers and other functionalities
• One primary function per server
• Non-console admin access must be encrypted
• Hardening standards based on CIS, SANS, NIST, etc.
Requirement 3 – Protect Stored CHD
• Do not store any SAD
• Mask PAN when displayed
• Render stored PAN unreadable
• Key Management
• Drive Awareness
• Review stored PAN via quarterly data discovery scans
• Minimize stored PAN
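As an added example (not part of the presentation), the Python below puts the three Requirement 3 controls side by side: masking a PAN for display, truncating or keyed-hashing it for storage, and a minimal data-discovery pass of the kind a quarterly scan performs. The key, the regex, and the sample export file are constructed for the example; a real hashing key would be held under the key-management controls the slide lists.

```python
import hashlib
import hmac
import re

# Constructed key for the example; a real key lives in an HSM/KMS under the
# PCI DSS key-management controls of Requirement 3.
HASH_KEY = b"example-key-not-for-production"

# 16 digits, optionally separated by spaces or dashes, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes: '4757 2828 9290 2929' -> '4757282892902929'."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are shown."""
    d = normalize_pan(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when the full PAN is not needed: keep the last four only."""
    return normalize_pan(pan)[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN: comparable, not reversible."""
    return hmac.new(key, normalize_pan(pan).encode("ascii"), hashlib.sha256).hexdigest()


def find_pans(text: str):
    """Data-discovery pass: return masked hits for every unprotected PAN in the text."""
    return [mask_pan(m.group()) for m in PAN_RE.finditer(text)]


# Constructed export resembling the 'July_Customer_CVV.xlsx' finding on the slide.
SAMPLE_EXPORT = """\
customer,pan,expiry
Alice,4757 2828 9290 2929,07/19
Bob,4757282892902929,08/20
Carol,475728******2929,09/21
"""

if __name__ == "__main__":
    print(mask_pan("4757 2828 9290 2929"))
    print(hash_pan("4757 2828 9290 2929"))
    print("unprotected PANs found:", find_pans(SAMPLE_EXPORT))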
Requirement 4 – Protect Transmitted CHD
• Encrypt PAN sent over wireless. Eg. IEEE 802.11i (No WEP, SSL v2.0)
• Encrypt PAN sent on open public networks
• Encrypt PAN if sent over email, chat, etc.
• Drive Awareness
Requirement 5 – Use Anti-Malware Software
• If AV exists, deploy it
• Do RA to identify threats for Mainframes or other systems without AV
• Periodic Scans
• Automatic Updates
• Anti-virus logs
Requirement 6 – SDLC
• Identify new security vulnerabilities from external sources
• Patch Management
• Secure SDLC
• WAF or App VA for public-facing web apps
Requirement 7 – Need to Know
• Access to CHD based on job-based need to know
• Default deny-all setting in access provisioning
Requirement 8 – Accountability
• User ID settings
• Two-factor authentication for remote connections
• Password settings
• Session time-out settings
Requirement 9 – Physical Security
• Physical Access Controls: CCTV and/or access control mechanism
• Visitor Management
• Media Management
• Physical Security of POS devices
Requirement 10 – Log Management
• What should be logged
• What a log should contain
• Log Retention
• Log Review
• FIM on logs
• Time synchronization
• Access to Logs
Requirement 11 – Testing and Monitoring
• Wireless Scan
• IDS/IPS
• Penetration Testing
• Vulnerability Assessment
• Change Detection Software
Requirement 12 – Documentation
• Risk Assessment
• Human Resources: NDA, BGV
• Service Provider Management
• Incident Management
• Policies and Procedures: Information Security, Acceptable Usage, etc.
5 Under-utilized PCI Requirements
Which requirements do you think will be discussed?
Typical Challenge Areas in PCI Maintenance
5 Under-utilized PCI Requirements
• Firewall Rule Review
• Log Review
• Penetration Testing
• Risk Assessment
• Service Provider Management
Firewall Rule Review
Firewall Rule Review – WHAT IT IS
1.1.7 Review firewall and router rule sets at least once every six months
Firewall Rule Review – HOW PEOPLE TEND TO DO IT
“Nipper gives a lot of false positives, you know?”
“We need ICMP for troubleshooting”
– We ran a Nipper scan.
– And?
– That’s it!
A Good Rule Review Will Achieve
• Re-validation of all business requirements (and nothing else) being met through the firewall
• Review/removal of ACLs which are convenient for firewall device management but not for network security
• Protection from new attack vectors (especially public-facing firewalls)
• Checking for incorrectly configured rules
• Clean-up of obsolete rules and user IDs on the firewall
• Revocation of “temporary” access requests on expiry
• Firewall performance tuning
• More accurate responses from the network administrator during external audit
Suggested Firewall Review Methodology
• Prerequisites: Network Diagram, Device Inventory, Updated DFD, Firewall Rules Business Justification Document (BJD)
• Shortlist the firewalls to be reviewed – eg. Internet FW, Internal FW
• Review the network diagram and DFD; validate the FW configuration against approved services, ports, protocols
• What to look for: obsolete ACLs, inconsistencies with the BJD, insecure services, ports, protocols (FTP, Telnet, SNMP)
• Remediation
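The methodology above can be driven from data rather than by eye. The Python below is an added example (not from the presentation or from any firewall vendor): it takes an exported rule set and the Business Justification Document as plain records and produces one row of findings per rule, covering the checks the slides call for (rule not in the BJD, expired temporary access, any-to-any permits, insecure services, and obsolete ACLs). The rule and BJD records, the review date, and the 180-day obsolescence threshold are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Services the review treats as insecure (the methodology names FTP, Telnet, SNMP).
INSECURE_SERVICES = {("tcp", 21): "FTP", ("tcp", 23): "Telnet", ("udp", 161): "SNMP"}
OBSOLETE_AFTER_DAYS = 180  # assumption: no hits for six months flags a rule as obsolete


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: str                  # zone or address; "any" = unrestricted
    dst: str
    proto: str                # "tcp", "udp", "icmp" or "any"
    port: Optional[int]       # None = any port
    action: str               # "permit" or "deny"
    last_hit: Optional[date]  # from the device's hit counters; None = never matched


@dataclass(frozen=True)
class Justification:
    rule_id: str
    owner: str
    expires: Optional[date]   # None = permanent; a date marks a "temporary" request


def review_rules(rules, bjd, today):
    """Return (rule_id, finding) pairs for every permit rule that needs remediation."""
    approved = {j.rule_id: j for j in bjd}
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        j = approved.get(r.rule_id)
        if j is None:
            findings.append((r.rule_id, "not in BJD: no approved business requirement"))
        elif j.expires is not None and j.expires < today:
            findings.append((r.rule_id, f"temporary access expired {j.expires}: revoke"))
        if r.src == "any" and r.dst == "any":
            findings.append((r.rule_id, "any-to-any permit: convenient for management, not for security"))
        service = INSECURE_SERVICES.get((r.proto, r.port))
        if service:
            findings.append((r.rule_id, f"insecure service permitted: {service}"))
        if r.last_hit is None or (today - r.last_hit).days > OBSOLETE_AFTER_DAYS:
            findings.append((r.rule_id, f"no hits in {OBSOLETE_AFTER_DAYS} days: candidate obsolete ACL"))
    return findings


# Constructed rule set and BJD for the example.
REVIEW_DATE = date(2014, 9, 1)

SAMPLE_RULES = [
    Rule("R1", "internet", "dmz-web", "tcp", 443, "permit", date(2014, 8, 31)),
    Rule("R2", "internal", "dmz-web", "tcp", 23, "permit", date(2014, 8, 1)),
    Rule("R3", "vendor-vpn", "cde-db", "tcp", 3389, "permit", date(2014, 6, 15)),
    Rule("R4", "any", "any", "any", None, "permit", None),
    Rule("R5", "any", "any", "any", None, "deny", date(2014, 8, 31)),
]

SAMPLE_BJD = [
    Justification("R1", "e-commerce team", None),
    Justification("R2", "network team", None),
    Justification("R3", "DBA team (vendor support)", date(2014, 6, 30)),
]


def findings_by_rule(rules=SAMPLE_RULES, bjd=SAMPLE_BJD, today=REVIEW_DATE):
    """Group findings per rule so the review sheet shows one row per rule."""
    grouped = {}
    for rule_id, text in review_rules(rules, bjd, today):
        grouped.setdefault(rule_id, []).append(text)
    return grouped


if __name__ == "__main__":
    for rule_id, notes in findings_by_rule().items():
        print(rule_id)
        for note in notes:
            print("  -", note)
```

R1 (HTTPS to the DMZ, justified, recently hit) produces no finding; the rest of the output is the remediation list, which is the input to the last step of the methodology.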
Sample Firewall Review Sheet
Ref: SANS – Methodology for Firewall Reviews for PCI Compliance, http://www.sans.org/reading-room/whitepapers/auditing/methodology-firewall-reviews-pci-compliance-34195
Log Review
Log Review – WHAT IT IS
SCOPE
10.6 Review logs and security events for all system components
FREQUENCY
10.6.1 Review the following at least daily:
• All security events
• Logs of all system components that store, process, or transmit CHD/SAD
• Logs of all critical system components
• Logs of security devices – firewalls, IPS, etc.
10.6.2 Review logs of all other system components periodically as determined by a risk assessment.
REMEDIATION
10.6.3 Follow up anomalies identified during the review process.
Log Review – HOW PEOPLE TEND TO DO IT
“It is not possible to investigate all alerts. There are tons of false positives.”
– We manually review logs every day. Surprisingly, we have no incidents so far.
– You mean NOT surprisingly.
Good Log Review Principles
• Central Log Storage for easy access and review
• Continuous and Automated Monitoring
• “Do Not Show Again” configuration to reduce false positives
• Qualified personnel who know what kind of logs to look for
• Timely Response Mechanism
Penetration Testing
Penetration Testing – WHAT IT IS
Requirements for PT in PCI v2.0:
11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification. These penetration tests must also include application and network layer penetration tests.
Penetration Testing – HOW PEOPLE TEND TO DO IT
“We fixed all the VA findings. So there are no vulnerabilities to exploit, meaning there is no point in a PT.” (hence proved)
“We ran a PT scan. Here is the report.”
Penetration Testing
• PT Methodology
  – A methodology will bring structure and consistency to the testing approach
  – Provide standardized documentation
  – Assist in training and KT between staff
  Eg. N/w PT – OSSTMM (from ISECOM, the Institute for Security and Open Methodologies), NIST SP 800-115; App PT – OWASP Testing Project
• External and Internal PT
WHAT HAPPENED IN V3.0 HAS BEEN NOTHING SHORT OF RADICAL
Outside vs Inside
• Outside: has no access to systems and no knowledge about the systems. Begins with reconnaissance (public information) and enumeration (network discovery, port scanning).
• Inside: has at least general user access, may have some knowledge on the systems. Begins with user privilege escalation (eg. general user to admin user).
Penetration Testing
• PT must validate the network segmentation methods used to isolate the CDE
  – Router or Firewall ACLs
  – VLANs configured on L3 switches
  Eg. Port scanning to check for any open ports on the router through which one can connect from a trusted but non-CDE network.
• PT must be on-going – remediation must be validated by re-testing
SAMPLE TESTS
• Database security audit
• SQL injection techniques
• Network traffic eavesdropping
• Access control testing
• Network intrusion testing
• Network stress testing
• DoS attacks
• Manipulating user input data
• Web application penetration testing

OSSTMM PT Workflow
• Induction Phase: decide on test timelines; shortlist the tests to be done
• Interaction Phase: network discovery; select target systems for each test (web server, DB server, firewall, etc.)
• Inquest Phase: find out as much data as possible about target systems (which ports are open, what services are running, device configuration vulnerabilities)
• Intervention Phase: verify functionality of security and alerting mechanisms (log alerts, FIM alerts, IPS alerts)
Risk Assessment
Risk Assessment – WHAT IT IS
PCI Req 12.2: Implement a risk-assessment process that:
• Frequency: is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)
• Entities: identifies critical assets, threats, and vulnerabilities
• Methodology: results in a formal risk assessment
Risk Assessment – HOW PEOPLE TEND TO DO IT
(Slide shows an example of a compliance RA, not a security RA.)
Risk Assessment – WHAT IT IS
A PCI Risk Assessment must be:
• Formal:
  – Measurable
  – Comparable
  – Repeatable
• Focusing on card data as the central asset
• Emphasizing security and not compliance
Risk Assessment
Risk Assessment can be used to:
• Tailor the PCI requirements to the unique nature of the organization’s CDE
• Reduce the overall cost of compliance and security maintenance
• Assist in scope reduction
Suggested PCI RA Workflow
Scope -> Assets -> Threat -> Vulnerability -> Risk Score -> Risk Management (Treat, Transfer, Terminate, Tolerate) -> Documentation

Worked example:
• Scope: E-Commerce Website
• Assets: Primary Asset – CHD; Supporting Assets – People, Technology
• Threat: Disclosure of CHD via compromise of perimeter firewall by external entity
• Vulnerability: No defined frequency for firewall rule review
• Risk Score: Medium
• Risk Management – Treat: Firewall config to be reviewed every quarter by Security team. Corrective action to be taken by Network team.
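The "formal, measurable, comparable, repeatable" property comes from fixing the scales and the scoring rule before any risk is rated. The Python below is an added example (not from the presentation) that encodes the workflow above as a small risk register: ordinal likelihood and impact scales, a score that is their product, a banding into Low/Medium/High, a check that anything above Low carries a treatment other than Tolerate plus an action, and a register ordered by score for the documentation step. The scales and bands are an assumption for the example, chosen so that the slide's worked row lands on Medium; the two extra rows are constructed for contrast.

```python
from dataclasses import dataclass
from typing import List

# Ordinal scales (assumption for this example, not taken from PCI DSS): fixing them
# in advance is what makes the assessment measurable, comparable and repeatable.
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}
TREATMENTS = {"Treat", "Transfer", "Terminate", "Tolerate"}


def rate(score: int) -> str:
    """Band a 1..9 score into the three ratings used in the slide's worked example."""
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


@dataclass
class Risk:
    scope: str
    primary_asset: str
    supporting_assets: List[str]
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    treatment: str
    action: str

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def rating(self) -> str:
        return rate(self.score)


def validate(risk: Risk) -> None:
    """Only a Low risk may be tolerated; anything higher needs a treatment and an action."""
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {risk.treatment!r}")
    if risk.rating != "Low" and (risk.treatment == "Tolerate" or not risk.action):
        raise ValueError(f"{risk.rating} risk must be treated, transferred or terminated with an action")


def build_register(risks: List[Risk]) -> List[Risk]:
    """Documentation step: validate every entry and order by score, highest first."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: r.score, reverse=True)


# The slide's worked row first, then two rows constructed for the example.
SAMPLE_RISKS = [
    Risk("E-Commerce Website", "CHD", ["People", "Technology"],
         "Disclosure of CHD via compromise of perimeter firewall by external entity",
         "No defined frequency for firewall rule review",
         "possible", "moderate", "Treat",
         "Firewall config to be reviewed every quarter by Security team; corrective action by Network team"),
    Risk("E-Commerce Website", "CHD", ["Service provider", "Technology"],
         "Disclosure of CHD through a compromised hosting provider",
         "Provider's PCI compliance not monitored annually",
         "possible", "severe", "Transfer",
         "MSA assigns responsibility for hosted CHD to the provider; obtain and review its AoC annually"),
    Risk("E-Commerce Website", "CHD", ["Technology"],
         "Disclosure of PAN from printed receipts",
         "Receipts already show only the last four digits",
         "rare", "minor", "Tolerate", ""),
]


def register_rows(risks: List[Risk] = SAMPLE_RISKS):
    """Rows for the documented register: (threat, score, rating, treatment)."""
    return [(r.threat, r.score, r.rating, r.treatment) for r in build_register(risks)]


if __name__ == "__main__":
    for threat, score, rating, treatment in register_rows():
        print(f"{score} {rating:6} {treatment:9} {threat}")
```

Because the scales are fixed, two assessors rating the same threat and vulnerability must arrive at the same score, and a re-assessment after the quarterly firewall review can lower the likelihood term and show the treatment working.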
Service Provider Management
Service Provider Management: Typical Concerns
• No knowledge on
  – the extent to which the service provider can access the client’s systems and information
  – the service provider’s information security controls and how effective they are
  – how they verify employees’ backgrounds
• No defined ownership of applicable PCI requirements
  Eg. Application hosted at the client’s site, but developed remotely by a third-party organization:
  – 6.4.1 Separate development/test environments from production environments -> Client
  – 6.4.2 Separation of duties between development/test and production -> Service Provider
Service Provider Management – WHAT IT IS
12.8: Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data
• Maintain a list of service providers
• Due diligence in selecting service providers
• MSA: Service providers are responsible for the security of cardholder data they possess or otherwise store, process or transmit on behalf of the customer
• Annually monitor their PCI compliance
• Classify PCI requirements as per client / service providers’ responsibility and get mutual agreement
Questions?
Stay in Touch
• www.linkedin.com/in/vackayil
THANK YOU