PCI 2.0: What's Next for PCI DSS and Logging
Dr. Anton Chuvakin, Security Warrior Consulting
www.securitywarriorconsulting.com/
September 2010
Security Warrior Consulting | www.securitywarriorconsulting.com | Dr. Anton Chuvakin
Outline
• PCI DSS Refresher
• PCI DSS 2.0 Review
• Logging – Key to PCI DSS!
• PCI DSS: What You MUST Do Now!
• Conclusions
QSA is Coming! Are You Ready?
Annual on-site PCI DSS assessment (“QSA visit”):
• Review PCI DSS policies and procedures
• Evaluate the scope of PCI applicability
• Assess compliance with technical controls – including collection and review of logs
What is PCI DSS or PCI?
Payment Card Industry Data Security Standard
• Payment Card =
• Payment Card Industry =
• Data Security =
• Data Security Standard =
PCI Regime vs DSS Guidance
The PCI Council publishes PCI DSS:
• Outlined the minimum data security protection measures for payment card data
• Defined Merchant & Service Provider Levels, and compliance validation requirements
• Left the enforcement to the card brands (the Council doesn’t fine anybody!)
Key point: PCI DSS (the document) vs PCI (the validation regime)
The Requirements
What Does PCI DSS Mean to You?
PCI compliance impact:
• Acquirer fines
• Rate increases
• Legal fees
• Loss of card network access
Related security impact:
• Direct loss due to breach
• Breach notification costs
• Investigation costs
• New security measures
• Brand damage
• Cost of lost IP
• Loss of customer trust
PCI is Changing!
Select items changing for PCI 2.0:
• Scoping clarification
• Data storage
• Virtualization (!!)
• DMZ clarification
• Vulnerability remediation
• Remote data access
PA-DSS changes as well (including application logging)
The Key Piece: Requirement 10
In brief:
1. Must have good logs
2. Must collect logs
3. Must store logs for 1 year
4. Must protect logs
5. Must review logs daily (using an automated system)
PCI DSS Requirement 10.1
• What is it?
– “Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.”
• What does it mean?
– Every logged user action should carry the user name of the individual who performed it
• What will the QSA check for?
– “Verify through observation and interviewing the system administrator, that audit trails are enabled and active for system components”
• What you MUST do
– Log all admin access and actions; make sure the logs are tied to individual user names
PCI DSS Requirement 10.2
• What is it?
– “Implement automated audit trails for all system components”
• What does it mean?
– Make sure you log all PCI-mandated events on all in-scope systems
• What will the QSA check for?
– “Through interviews, examination of audit logs, and examination of audit log settings” verify that this is being done
• What you MUST do
– Enable logging on all PCI systems; for the list of events that must be logged, see PCI DSS
PCI DSS Requirement 10.5
• What is it?
– “Secure audit trails so they cannot be altered.”
• What does it mean?
– Collected logs must be protected from changes and from unauthorized viewing
• What will the QSA check for?
– “Interview system administrator and examine permissions to verify that audit trails are secured so that they cannot be altered”
• What you MUST do
– Store logs on a secure system and log all access to the logs
PCI DSS Requirement 10.5.3
• What is it?
– “Promptly back up audit trail files to a centralized log server or media that is difficult to alter.”
• What does it mean?
– Logs must be centrally collected
• What will the QSA check for?
– “Verify that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter”
• What you MUST do
– Deploy a log server to collect logs from all PCI systems
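Requirements 10.5 and 10.5.3 together ask that collected logs be stored where they cannot be altered without the change being visible. One way a central log server can make its copy tamper-evident is to chain the records: each record carries a keyed hash (HMAC) over its own content and the previous record's hash, so rewriting, deleting or reordering any record breaks every link after it. The block below is an added example written for this deck, not code from the presentation or from Security Warrior Consulting; the key, the record layout and the sample log lines are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo key. On a real central log server this key is held only by
# the collector, never by the log sources, so a compromised source cannot
# recompute the chain after altering what it sent.
CHAIN_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # link value of the very first record


def _mac(seq, prev, msg):
    """HMAC-SHA256 over a canonical encoding of (sequence number, previous MAC, message)."""
    body = json.dumps({"seq": seq, "prev": prev, "msg": msg}, sort_keys=True).encode()
    return hmac.new(CHAIN_KEY, body, hashlib.sha256).hexdigest()


def append_record(chain, msg):
    """Append one log line; the new record's MAC covers the previous record's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    rec = {"seq": len(chain), "prev": prev, "msg": msg}
    rec["mac"] = _mac(rec["seq"], prev, msg)
    chain.append(rec)
    return rec


def verify_chain(chain):
    """Recompute every MAC and link.

    Returns (True, None) if the chain is intact, otherwise (False, seq) where seq
    is the first record whose content, position or link does not check out."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        if not hmac.compare_digest(_mac(rec["seq"], rec["prev"], rec["msg"]), rec["mac"]):
            return False, i
        prev = rec["mac"]
    return True, None


def demo():
    """Chain three constructed log lines, then show what each kind of tampering looks like."""
    lines = [  # constructed sample records, not real data
        "Mar  3 10:01:02 pos-db01 sudo: alice : USER=root ; COMMAND=/bin/systemctl restart postgresql",
        "Mar  3 10:05:44 pos-db01 sshd[2201]: Accepted publickey for root from 10.0.5.7 port 50122 ssh2",
        "Mar  3 10:09:13 pos-app02 sudo: bob : USER=root ; COMMAND=/usr/bin/vi /etc/audit/auditd.conf",
    ]
    chain = []
    for line in lines:
        append_record(chain, line)
    intact = verify_chain(chain)

    edited = json.loads(json.dumps(chain))                      # deep copy, then rewrite one record
    edited[1]["msg"] = edited[1]["msg"].replace("root", "svc")
    deleted = [r for r in chain if r["seq"] != 1]               # drop a record from the middle
    reordered = [chain[0], chain[2], chain[1]]                  # swap two records
    return intact, verify_chain(edited), verify_chain(deleted), verify_chain(reordered)


if __name__ == "__main__":
    print(demo())
```

The one thing a hash chain does not catch on its own is truncation at the tail: a chain with its last records removed still verifies. Anchoring the latest MAC somewhere the log server cannot rewrite (a periodic signed checkpoint, or the "media that is difficult to alter" the requirement mentions) closes that gap, and logging all access to the log store, as the 10.5 slide says, is what lets the reviewer see who was in a position to try.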
PCI DSS Requirement 10.6
• What is it?
– “Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like IDS and authentication, authorization, and accounting protocol servers.”
• What does it mean?
– Collected logs must be reviewed daily
• What will the QSA check for?
– “Obtain and examine security policies … to verify that they include procedures to review security logs at least daily and that follow-up to exceptions is required. Through observation and interviews, verify that regular log reviews are performed for all system components.”
• What you MUST do
– Establish a log review process and follow it
PCI DSS Requirement 10.7
• What is it?
– “Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.”
• What does it mean?
– Collected logs must be stored for ONE YEAR, and the most recent three months must be accessible without a restore
• What will the QSA check for?
– “Verify that audit logs are available for at least one year and processes are in place to restore at least the last three months’ logs for immediate analysis.”
• What you MUST do
– Make sure that all PCI logs are stored for a year
Want a PCI DSS Book?
“PCI Compliance” by Anton Chuvakin and Branden Williams
Useful reference for merchants, vendors – and everybody else
Released December 2009!
www.pcicompliancebook.info
Questions?
Dr. Anton Chuvakin, Security Warrior Consulting
Email: [email protected]
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
Twitter: @anton_chuvakin
Consulting: http://www.securitywarriorconsulting.com
More on Anton
• Now: independent consultant (http://www.securitywarriorconsulting.com)
• Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
• Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
• Standard developer: CEE, CVSS, OVAL, etc.
• Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
• Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
Security Warrior Consulting Services
• Logging and log management strategy, procedures and practices
– Develop logging policies and processes, log review procedures, workflows and periodic tasks, and help architect these to solve organizational problems
– Plan and implement a log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention and log source configuration, as well as reporting, review and validation
– Customize industry “best practices” related to logging and log review to fit your environment; help link these practices to business services and regulations
– Help integrate logging tools and processes into IT and business operations
• SIEM and log management content development
– Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
– Create and refine policies, procedures and operational practices for logging and log management to satisfy the requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
More at www.SecurityWarriorConsulting.com