PCI 2.0: What's Next for PCI DSS and Logging

Dr. Anton Chuvakin, Security Warrior Consulting, www.securitywarriorconsulting.com/, September 2010

Upload: anton-chuvakin

Post on 18-Nov-2014


TRANSCRIPT

Page 1: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

PCI 2.0: What's Next for PCI DSS and Logging

Dr. Anton Chuvakin, Security Warrior Consulting
www.securitywarriorconsulting.com/
September 2010

Page 2: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

Security Warrior Consulting www.securitywarriorconsulting.com Dr. Anton Chuvakin

Outline

• PCI DSS Refresher
• PCI DSS 2.0 Review
• Logging – Key to PCI DSS!
• PCI DSS: What You MUST Do Now!
• Conclusions

Page 3: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

QSA is Coming! Are You Ready?

Annual on-site PCI DSS assessment (“QSA visit”):
• Review PCI DSS policies and procedures
• Evaluate the scope of PCI applicability
• Assess compliance with technical controls – including collection and review of logs

Page 4: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

What is PCI DSS or PCI?

Payment Card Industry Data Security Standard

Payment Card =
Payment Card Industry =
Data Security =
Data Security Standard =

Page 5: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

PCI Regime vs DSS Guidance

The PCI Council publishes PCI DSS:
• Outlined the minimum data security protection measures for payment card data.
• Defined Merchant & Service Provider Levels, and compliance validation requirements.
• Left the enforcement to card brands (the Council doesn’t fine anybody!)

Key point: PCI DSS (document) vs PCI (validation regime)

Page 6: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

The Requirements

Page 7: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

What Does PCI DSS Mean to You?

PCI Compliance Impact
• Acquirer fines
• Rate increases
• Legal fees
• Loss of card network access

Related Security Impact
• Direct loss due to breach
• Breach notification costs
• Investigation costs
• New security measures
• Brand damage
• Cost of lost IP
• Loss of customer trust

Page 8: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

PCI is Changing!

Select items changing for PCI 2.0:
• Scoping clarification
• Data storage
• Virtualization (!!)
• DMZ clarification
• Vulnerability remediation
• Remote data access

PA-DSS changes as well (including application logging)

Page 9: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

The Key Piece: Requirement 10

In brief:
1. Must have good logs
2. Must collect logs
3. Must store logs for 1 year
4. Must protect logs
5. Must review logs daily (using an automated system)

Page 10: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

PCI DSS Requirement 10.1

• What is it?
  – “Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.”
• What does it mean?
  – Every log record of a user action should carry the user name
• What will the QSA check for?
  – “Verify through observation and interviewing the system administrator, that audit trails are enabled and active for system components”
• What you MUST do
  – Log all admin access and actions; make sure logs are tied to user names

Page 11: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

PCI DSS Requirement 10.2

• What is it?
  – “Implement automated audit trails for all system components”
• What does it mean?
  – Make sure you log all PCI-mandated events on all in-scope systems
• What will the QSA check for?
  – “Through interviews, examination of audit logs, and examination of audit log settings” verify that this is being done
• What you MUST do
  – Enable logging on all PCI systems; for details see PCI DSS

Page 12: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

PCI DSS Requirement 10.5

• What is it?
  – “Secure audit trails so they cannot be altered.”
• What does it mean?
  – Collected logs must be protected from changes and from unauthorized viewing
• What will the QSA check for?
  – “Interview system administrator and examine permissions to verify that audit trails are secured so that they cannot be altered”
• What you MUST do
  – Store logs on a secure system and log all access to the logs

Page 13: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

PCI DSS Requirement 10.5.3

• What is it?
  – “Promptly back up audit trail files to a centralized log server or media that is difficult to alter.”
• What does it mean?
  – Logs must be centrally collected
• What will the QSA check for?
  – “Verify that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter”
• What you MUST do
  – Deploy a log server to collect logs from all PCI systems
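Requirements 10.5 and 10.5.3 both come down to one property: once a log record has reached the central store, nobody, including the administrator of the source host, can change or drop it without the change being detectable. The following is an added example, not code from the slides or from Security Warrior Consulting, of the simplest mechanism a central log server can use for that: an append-only hash chain, where every stored record commits to the SHA-256 of the record before it. The log lines, hostnames and users are constructed for the example.

```python
"""Added example (not from the slides): an append-only, hash-chained log store
of the kind a central log server can keep for PCI DSS 10.5 ("secure audit
trails so they cannot be altered") and 10.5.3 (centralized collection).
Record i stores SHA-256(hash of record i-1 + "\n" + line i), so editing or
deleting any record breaks the link of the first record after the change.
All log lines below are constructed samples."""
import hashlib
import hmac

# Constructed sample lines as they might arrive from in-scope hosts.
SAMPLE_LINES = [
    "Sep 14 09:01:02 pos-web01 sshd[2201]: Accepted publickey for alice from 10.0.5.20",
    "Sep 14 09:01:10 pos-web01 sudo: alice : COMMAND=/bin/cat /etc/shadow",
    "Sep 14 09:03:44 pos-db01 sshd[9912]: Failed password for root from 10.0.9.7",
]

GENESIS = "0" * 64  # hash "before" the first record


def _digest(prev_hash: str, line: str) -> str:
    # Each link covers the previous link and the record's own text.
    return hashlib.sha256((prev_hash + "\n" + line).encode("utf-8")).hexdigest()


def append_records(lines):
    """Build the chain: a list of (hash, line) tuples in arrival order."""
    records = []
    prev = GENESIS
    for line in lines:
        h = _digest(prev, line)
        records.append((h, line))
        prev = h
    return records


def verify_chain(records):
    """Recompute every link. Returns (True, None) if intact, else (False, index of
    the first record whose stored hash no longer matches)."""
    prev = GENESIS
    for i, (h, line) in enumerate(records):
        if not hmac.compare_digest(h, _digest(prev, line)):
            return False, i
        prev = h
    return True, None


def tamper(records, index, new_line):
    """Simulate someone editing one stored line without recomputing the hashes."""
    edited = list(records)
    h, _ = edited[index]
    edited[index] = (h, new_line)
    return edited


def demo():
    """Verify a clean chain, then the same chain with record 1 rewritten."""
    recs = append_records(SAMPLE_LINES)
    ok_before, _ = verify_chain(recs)
    bad = tamper(recs, 1, "Sep 14 09:01:10 pos-web01 sudo: alice : COMMAND=/bin/ls")
    ok_after, first_bad = verify_chain(bad)
    return ok_before, ok_after, first_bad


if __name__ == "__main__":
    print(demo())  # (True, False, 1): the edit at record 1 is detected
```

The chain only proves anything if the latest hash is held somewhere the log-writing host cannot reach (periodically copied to a second system, or written to write-once media), because someone with write access to the whole store could rewrite every later link. That is exactly why 10.5.3 pairs "centralized log server" with "media that is difficult to alter": the central copy and its chain head are what the QSA compares against.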

Page 14: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

PCI DSS Requirement 10.6

• What is it?
  – “Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like IDS and authentication, authorization, and accounting protocol servers.”
• What does it mean?
  – Collected logs must be reviewed daily
• What will the QSA check for?
  – “Obtain and examine security policies … to verify that they include procedures to review security logs at least daily and that follow-up to exceptions is required. Through observation and interviews, verify that regular log reviews are performed for all system components.”
• What you MUST do
  – Establish a log review process and follow it
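Requirements 10.1, 10.2 and 10.6 above share one piece of machinery: something has to parse the collected logs and ask three questions of them every day. The example below is added here and is not code from the slides or from Security Warrior Consulting; it runs a small daily review over constructed syslog lines and reports (a) administrative actions that cannot be tied to an individual user (10.1), (b) in-scope hosts that produced no events at all, which usually means logging is off (10.2), and (c) exceptions that need follow-up, here repeated failed logins (10.6). The in-scope host list, hostnames, users and addresses are all invented for the example, and the failed-login threshold is an assumed value.

```python
"""Added example (not from the slides): a daily log review for PCI DSS 10.1,
10.2 and 10.6 over constructed syslog lines. Everything below (hosts, users,
addresses, the threshold) is invented for the example."""
import re
from collections import Counter

# Hosts in PCI scope, so each must show up in the day's logs (constructed list).
IN_SCOPE_HOSTS = {"pos-web01", "pos-db01", "pos-app01"}

# Constructed sample: one day of auth-related events from two of the three hosts.
# The last line is an "su" record with the invoking user missing, constructed to
# show what the 10.1 check catches.
SAMPLE_LOG = """\
Sep 14 09:01:02 pos-web01 sshd[2201]: Accepted publickey for alice from 10.0.5.20 port 51022 ssh2
Sep 14 09:01:10 pos-web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Sep 14 09:03:44 pos-db01 sshd[9912]: Failed password for root from 10.0.9.7 port 40110 ssh2
Sep 14 09:03:47 pos-db01 sshd[9912]: Failed password for root from 10.0.9.7 port 40111 ssh2
Sep 14 09:03:50 pos-db01 sshd[9912]: Failed password for root from 10.0.9.7 port 40112 ssh2
Sep 14 09:03:53 pos-db01 sshd[9912]: Failed password for root from 10.0.9.7 port 40113 ssh2
Sep 14 09:03:56 pos-db01 sshd[9912]: Failed password for root from 10.0.9.7 port 40114 ssh2
Sep 14 09:03:59 pos-db01 sshd[9912]: Failed password for root from 10.0.9.7 port 40115 ssh2
Sep 14 10:15:00 pos-db01 sshd[9950]: Accepted password for root from 10.0.9.7 port 40120 ssh2
Sep 14 11:30:12 pos-web01 su: (to root) on pts/1
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSHD_RE = re.compile(r"^(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")
SU_RE = re.compile(r"^\(to (?P<target>\S+)\) (?P<user>\S+) on")

FAILED_LOGIN_THRESHOLD = 5  # assumed value: this many failures from one source is an exception


def parse(line):
    """Turn one syslog line into an event dict; None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "host": m["host"], "prog": m["prog"].strip(),
          "user": None, "src": None, "kind": "other", "admin": False}
    msg = m["msg"]
    if ev["prog"] == "sshd" and (s := SSHD_RE.match(msg)):
        ev.update(user=s["user"], src=s["src"],
                  kind="login_ok" if s["result"] == "Accepted" else "login_failed")
        ev["admin"] = ev["kind"] == "login_ok" and s["user"] == "root"
    elif ev["prog"] == "sudo" and (s := SUDO_RE.match(msg)):
        ev.update(user=s["user"], kind="sudo", admin=True)
    elif ev["prog"] == "su":
        s = SU_RE.match(msg)
        ev.update(user=s["user"] if s else None, kind="su", admin=True)
    return ev


def daily_review(log_text, in_scope=IN_SCOPE_HOSTS):
    """Return the day's findings as (finding, host, timestamp-or-None) tuples."""
    events = [ev for ev in (parse(l) for l in log_text.splitlines()) if ev]
    findings = []
    # 10.1: every administrative action must be linked to an individual user.
    for ev in events:
        if ev["admin"] and not ev["user"]:
            findings.append(("10.1 unattributed admin action", ev["host"], ev["ts"]))
        elif ev["admin"] and ev["kind"] == "login_ok" and ev["user"] == "root":
            findings.append(("10.1 direct root login (not an individual user)", ev["host"], ev["ts"]))
    # 10.2: an in-scope host that sent nothing all day probably has logging disabled.
    seen = {ev["host"] for ev in events}
    for host in sorted(in_scope - seen):
        findings.append(("10.2 no events from in-scope host", host, None))
    # 10.6: exceptions for follow-up; here, bursts of failed logins per host and source.
    failed = Counter((ev["host"], ev["src"]) for ev in events if ev["kind"] == "login_failed")
    for (host, src), n in sorted(failed.items()):
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append((f"10.6 {n} failed logins from {src}", host, None))
    return findings


if __name__ == "__main__":
    for finding in daily_review(SAMPLE_LOG):
        print(finding)
```

On the sample this yields four findings: the direct root login and the user-less "su" record (10.1), the silent pos-app01 (10.2), and six failed root logins from one address (10.6). The parser is deliberately narrow; in practice each log source type in scope gets its own extractor, and the point the QSA cares about is that the review runs every day and that each finding has a documented follow-up.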

Page 15: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

PCI DSS Requirement 10.7

• What is it?
  – “Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.”
• What does it mean?
  – Collected logs must be stored for ONE YEAR.
• What will the QSA check for?
  – “Verify that audit logs are available for at least one year and processes are in place to restore at least the last three months’ logs for immediate analysis.”
• What you MUST do
  – Make sure that all PCI logs are stored for a year
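Requirement 10.7 has two separate clocks, a year of retention and three months immediately available, and the usual failure is that an archive job quietly skips a day or that recent data has already been pushed to tape. The check below is an added example, not code from the slides or from Security Warrior Consulting, run over a constructed inventory of daily archives tagged "online" or "offline"; it lists every day in the last year with no archive and every day in the last three months whose only copy is not immediately available. The inventory, its two deliberate gaps and the "today" date are all constructed.

```python
"""Added example (not from the slides): a retention check for PCI DSS 10.7
over a constructed inventory of daily log archives."""
from datetime import date, timedelta

RETAIN_DAYS = 365   # "at least one year"
ONLINE_DAYS = 90    # "minimum of three months immediately available"


def build_inventory(today):
    """Constructed sample inventory: {date: "online" | "offline"}.
    Everything older than 90 days has been migrated to tape. Two gaps are planted
    on purpose: one day 200 days back has no archive at all, and one day 10 days
    back exists only on tape."""
    inv = {}
    for back in range(RETAIN_DAYS + 30):
        d = today - timedelta(days=back)
        inv[d] = "online" if back < ONLINE_DAYS else "offline"
    del inv[today - timedelta(days=200)]          # lost archive
    inv[today - timedelta(days=10)] = "offline"   # recent day only on tape
    return inv


def check_retention(inventory, today):
    """Walk back one year from today and report both kinds of 10.7 gap."""
    missing, not_online = [], []
    for back in range(RETAIN_DAYS):
        d = today - timedelta(days=back)
        tier = inventory.get(d)
        if tier is None:
            missing.append(d)                     # no copy at all within the year
        elif back < ONLINE_DAYS and tier != "online":
            not_online.append(d)                  # inside 3 months but not immediately available
    return {"missing": missing, "not_online": not_online,
            "compliant": not missing and not not_online}


if __name__ == "__main__":
    today = date(2010, 9, 14)  # constructed "today"
    report = check_retention(build_inventory(today), today)
    print("missing:", [d.isoformat() for d in report["missing"]])
    print("not online:", [d.isoformat() for d in report["not_online"]])
    print("compliant:", report["compliant"])
```

Run daily alongside the log review, this catches the two things the QSA's 10.7 test procedure asks about, a year of history and a restorable last three months, before the on-site visit rather than during it.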

Page 16: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

Want a PCI DSS Book?

“PCI Compliance” by Anton Chuvakin and Branden Williams

Useful reference for merchants, vendors – and everybody else

Released December 2009!

Page 17: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

Questions?

Dr. Anton Chuvakin, Security Warrior Consulting

Email: [email protected]
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
Twitter: @anton_chuvakin
Consulting: http://www.securitywarriorconsulting.com

Page 18: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

More on Anton

• Now: independent consultant
• Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
• Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
• Standard developer: CEE, CVSS, OVAL, etc.
• Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
• Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

Page 19: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

Security Warrior Consulting Services

• Logging and log management strategy, procedures and practices
  – Develop logging policies and processes, log review procedures, workflows and periodic tasks, as well as help architect those to solve organization problems
  – Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration, as well as reporting, review and validation
  – Customize industry “best practices” related to logging and log review to fit your environment; help link these practices to business services and regulations
  – Help integrate logging tools and processes into IT and business operations
• SIEM and log management content development
  – Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
  – Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations

More at www.SecurityWarriorConsulting.com

Page 20: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

More on Anton

• Consultant: http://www.securitywarriorconsulting.com
• Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
• Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
• Standard developer: CEE, CVSS, OVAL, etc.
• Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
• Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager


Page 22: PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

Want a PCI DSS Book?

“PCI Compliance” by Anton Chuvakin and Branden Williams

Useful reference for merchants, vendors – and everybody else

Released December 2009!
www.pcicompliancebook.info