PCI DSS vs HD Moore’s Law
Chris Todd, Unisys Canada Inc.

Slide deck, 34 pages. Posted 01-Apr-2015.

TRANSCRIPT

Page 1: PCI DSS vs HD Moore’s Law Chris Todd Unisys Canada Inc

PCI DSS vs HD Moore’s Law

Chris Todd, Unisys Canada Inc.

Page 2

© 2011 Unisys Corporation. All rights reserved. Page 2

Who is Chris Todd?

• Security Consultant with Unisys Canada Inc.
  – 10+ years experience in networking and security
  – GIAC Certified Firewall Analyst (GCFW), Incident Handler (GCIH), and Penetration Tester (GPEN)
  – Maintain a PCI DSS compliant environment
  – Provide security audit, vulnerability assessment and penetration testing services internally and externally

• SANS Mentor
  – Taught SEC504: Hacker Techniques, Exploits & Incident Handling
  – Teaching SEC464: Hacker Detection for Systems Administrators
    • Nov 24/25 in Halifax

Page 3

Where did PCI come from?

• The PCI Security Standards Council:
  – An open global forum, launched in 2006
    • www.pcisecuritystandards.org
  – Responsible for the development, management, education, and awareness of the PCI Security Standards
  – Founded by five global payment brands:
    • American Express
    • Discover Financial Services
    • JCB International
    • MasterCard Worldwide
    • Visa Inc.
  – Each brand incorporates the PCI DSS as the technical requirements of its own data security compliance program


Page 4

What is PCI?

• PCI Security Standards include:
  – Payment Application Data Security Standard (PA-DSS)
    • Software vendors
  – PIN Transaction Security (PTS)
    • Device vendors and manufacturers
  – Point-to-Point Encryption (P2PE)
    • Solution providers
  – Data Security Standard (PCI DSS)
    • Anyone who stores, processes or transmits cardholder data
    • Specifically the Primary Account Number (PAN)

• Overall intent is to prevent the theft of electronic or paper cardholder data


Page 5

PCI DSS Requirements

• Build and Maintain a Secure Network
  – Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

• Protect Cardholder Data
  – Requirement 3: Protect stored cardholder data
  – Requirement 4: Encrypt transmission of cardholder data across open, public networks

• Maintain a Vulnerability Management Program
  – Requirement 5: Use and regularly update anti-virus software or programs
  – Requirement 6: Develop and maintain secure systems and applications


Page 6

PCI DSS Requirements (cont)

• Implement Strong Access Control Measures
  – Requirement 7: Restrict access to cardholder data by business need-to-know
  – Requirement 8: Assign a unique ID to each person with computer access
  – Requirement 9: Restrict physical access to cardholder data

• Regularly Monitor and Test Networks
  – Requirement 10: Track and monitor all access to network resources and cardholder data
  – Requirement 11: Regularly test security systems and processes

• Maintain an Information Security Policy
  – Requirement 12: Maintain a policy that addresses information security for all personnel


Page 7

PCI DSS Requirements (cont… again!)

• Total number of sub-requirements: 220+


Page 8

PCI Compliance – Why do I care?

• Potential penalties for non-compliance:
  – Hefty fines
  – Refused merchant accounts
  – Accountability for breach


Page 9

Concerns about PCI DSS

• It’s too specific

• It’s too vague

• Doesn’t address new technologies
  – e.g. virtualization

• Sucks the air out of the room
  – Disproportionate budget assigned to PCI compliance
  – Excessive time spent interpreting the requirements

• First step in getting there is to limit the scope
  – Therein lies one of the problems


Page 10

More concerns about PCI DSS

• Why comply? The PCI Council says compliance has indirect benefits as well:
  – “Through your efforts to comply with PCI Security Standards, you’ll likely be better prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc.”
    • OK
  – “You will likely identify ways to improve the efficiency of your IT infrastructure”
    • Possibly
  – “You’ll have a basis for a corporate security strategy”
    • Not so sure about this one
  – “Compliance with the PCI DSS means that your systems are secure”
    • What?? That’s a bold statement...


Page 11

Whose Law?

• You may have heard of Moore’s Law:
  – Gordon Moore was co-founder of Intel
  – States that the number of transistors on a chip will double approximately every two years

• Who is HD Moore?
  – And why does he have a “law”???


Page 12

Who is HD Moore?

• One of the best known names in information security
  – Particularly on the offensive side

• Founded the Metasploit Project in 2003
  – Open-source penetration testing platform

• Metasploit acquired by Rapid7 in 2009
  – Became CSO at Rapid7 and...
  – Still chief architect of Metasploit

• Rapid7 offers commercial versions of Metasploit
  – But Metasploit Framework is still free
  – And as of Oct 18, 2011 so is Metasploit Community Edition!


Page 13

Introducing Joshua Corman

• Director of Security Intelligence, Akamai Technologies
  – Former Research Director, Enterprise Security, The 451 Group
  – Former Principal Security Strategist, IBM ISS

• Industry Experience:
  – Expert Faculty: The Institute for Applied Network Security (IANS)
  – 2009 NetworkWorld Top 10 Tech People to Know
    • http://www.networkworld.com/supp/2009/outlook/010509-tech-people-to-know.html
  – Co-Founder of “Rugged Software” www.ruggedsoftware.org

• Recently coined “HD Moore’s Law”


Page 14

Attacker Drop-Off: Casual Attacker

[Chart: attacker success (0 to 120) against security investment (1 to 11). Series: Casual Success, Anon/Lulz Success, APT/APA Success; a QSA marker sits on the investment axis. This slide highlights where the casual attacker drops off. Provided courtesy of Joshua Corman.]

Page 15

HD Moore’s Law

[Same chart, with the casual-attacker curve labelled “HD Moore’s Law”. Corman’s formulation: casual attacker power grows at the rate of Metasploit. Provided courtesy of Joshua Corman.]

Page 16

Attacker Drop-Off: QSA

[Same chart, highlighting the QSA marker on the security investment axis. Provided courtesy of Joshua Corman.]

Page 17

Attacker Drop-Off: APT/APA

[Same chart, highlighting the APT/APA Success curve. Provided courtesy of Joshua Corman.]

Page 18

Attacker Drop-Off: Chaotic Actors

[Same chart, highlighting the Anon/Lulz Success curve (chaotic actors). Provided courtesy of Joshua Corman.]

Page 19

Welcome to Metasploit


Page 20

Metasploit’s Sweet ASCII Art


Page 21

And some more...


Page 22

Last one


Page 23

Build and set the trap


Page 24

User interaction


Hmm. Double-click and it does nothing... or does it...

Page 25

Meanwhile, back in Metasploit...


Page 26

Finding a better place to live...


Page 27

And movin’ on in!


Now living in the Symantec User Session process:
• tasklist doesn’t show the malicious DLL
• netstat doesn’t show network sessions
• nothing in the standard tools tells you it’s running on your system

PWNED!

Page 28

How does PCI DSS stack up?

• AntiVirus?
  – Yes, it was actually enabled

• Firewall?
  – Do you allow port 443 to the internet?

• IPS?
  – Can’t inspect encrypted traffic

• Web proxy?
  – Does your privacy policy allow decryption of outbound SSL?

“Attention users: If you happen to forget your online banking password, please contact the network group. They will gladly provide it to you.”
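The slide above gives each PCI-mandated control a reason to miss the demo payload: AV is running but the code lives inside a trusted process, the firewall allows 443 out, the IPS cannot read TLS, and the proxy is not decrypting. The one thing that does remain visible is which process is talking to which Internet host. The Python below is an added example (not code from the talk, from Metasploit or from any vendor) of a process-to-destination baseline check over `netstat -bno`-style output. The connection records, the image name av_session.exe standing in for the AV user-session process, and the vendor prefix 203.0.113.0/24 are all constructed for the example.

```python
"""Flag Internet-bound connections that do not fit a per-process baseline.

Added example for the talk's demo scenario; not code from the slides or
from Metasploit. Input is in the shape of Windows `netstat -bno` output,
where each connection line is followed by the owning image name in
brackets (or a notice when ownership cannot be read).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed sample (not captured from a real host). "av_session.exe" is a
# stand-in name for the trusted AV user-session process in the slides; the
# remote addresses are RFC 5737 documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.1.2.34:49712        203.0.113.45:443       ESTABLISHED     4212
 [av_session.exe]
  TCP    10.1.2.34:49720        198.51.100.7:443       ESTABLISHED     2980
 [chrome.exe]
  TCP    10.1.2.34:49731        10.1.2.5:445           ESTABLISHED     4
 Can not obtain ownership information
  TCP    10.1.2.34:49744        192.0.2.10:443         ESTABLISHED     4212
 [av_session.exe]
  TCP    10.1.2.34:49750        203.0.113.99:443       ESTABLISHED     5120
 [svchost.exe]
"""

# Baseline (assumed for the example): images allowed to reach the Internet
# on their own, and agents pinned to a vendor prefix they must never leave.
INTERNET_OK = {"chrome.exe", "firefox.exe", "outlook.exe"}
PINNED = {"av_session.exe": [ipaddress.ip_network("203.0.113.0/24")]}

# RFC 1918 plus loopback, checked explicitly rather than via is_private,
# which in Python also treats the RFC 5737 test ranges as private.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
IMAGE_RE = re.compile(r"^\s*\[(.+)\]\s*$")

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class Conn:
    proto: str
    local: str
    remote_ip: IPAddr
    remote_port: int
    state: str
    pid: int
    image: Optional[str]  # None when netstat could not attribute the socket


def parse_netstat(text: str) -> List[Conn]:
    """Parse `netstat -bno`-style text into Conn records (TCP lines with a state)."""
    conns: List[Conn] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = CONN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        proto, local, remote, state, pid = m.groups()
        host, _, port = remote.rpartition(":")
        image = None
        # The owning image, when available, is on the line after the connection.
        if i + 1 < len(lines):
            im = IMAGE_RE.match(lines[i + 1])
            if im:
                image = im.group(1)
                i += 1
        conns.append(Conn(proto, local, ipaddress.ip_address(host),
                          int(port), state, int(pid), image))
        i += 1
    return conns


def is_internal(ip: IPAddr) -> bool:
    return any(ip in net for net in INTERNAL)


def find_suspicious_egress(conns: List[Conn]) -> List[Tuple[int, Optional[str], str, str]]:
    """Return (pid, image, remote_ip, reason) for Internet-bound sockets off baseline."""
    findings = []
    for c in conns:
        if is_internal(c.remote_ip):
            continue  # east-west traffic is out of scope for this check
        rip = str(c.remote_ip)
        if c.image is None:
            findings.append((c.pid, None, rip, "owner unknown"))
        elif c.image in PINNED:
            if not any(c.remote_ip in net for net in PINNED[c.image]):
                findings.append((c.pid, c.image, rip, "pinned agent talking to non-vendor host"))
        elif c.image not in INTERNET_OK:
            findings.append((c.pid, c.image, rip, "unexpected internet egress"))
    return findings


if __name__ == "__main__":
    for pid, image, rip, reason in find_suspicious_egress(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {pid:<6} {image or '?':<18} -> {rip:<16} {reason}")
```

On the sample this flags the AV process reaching 192.0.2.10, which is outside its vendor range, and svchost.exe opening an HTTPS session it has no baseline for, while the same AV process talking to its vendor prefix and the browser are left alone. Two caveats: a beaconing HTTPS payload is not connected continuously, so a single snapshot can miss it (run the check on a schedule or feed it firewall or proxy connection logs instead), and because an injected payload inherits the host process name, the signal here is the destination, not the image, so the baseline has to be maintained.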


Page 29

A little about scoping

• Workstations likely not in scope
  – And less secured because the focus is on PCI compliance

• But that’s ok because two-factor authentication is required, right?
  – Where is the certificate?
  – What version of SecurID?


Page 30

Compliance Architecture


Page 31

What does it all mean?

• PCI DSS is a useless piece of trash?
  – No!
  – Will certainly help those doing nothing

• Use it wisely
  – Get the security budget you need
  – Spend smart
  – Implement flexibly

• Don’t be afraid of the compensating control
  – Challenge may be to find a QSA who feels the same
  – Don’t let it distract you from securing your intellectual property


Page 32

More from Joshua Corman

• Unconventional Strategies For Unconventional Adversaries

─ Discusses HD Moore’s Law and Visible Ops

─ https://community.rapid7.com/docs/DOC-1520

• RSA Pecha Kucha Speed talk "Why Zombies Love PCI”

─ http://www.youtube.com/watch?v=JQEBYxp_vKs&list=FLGpGqR0fqnX-9UBB0GTPSiA&index=25&feature=plpp

• NetSecPodcast scheduled this week with HD Moore

─ http://netsecpodcast.com

• Blog post coming soon with more on HD Moore’s Law

─ Not sure where this will be posted yet

─ Contact me at [email protected] or @imchristodd


Page 33

PCI Hug-it-Out

• Find it at http://netsecpodcast.com/?s=PCI+hug+it+out

• 3-part series featuring:
  – Michael Dahn
    • Works with Visa and MC developing the PCI DSS and PA-DSS standards
    • Has trained thousands of PCI Qualified Security Assessors (QSAs)
  – Joshua Corman
    • We’ve already met him
    • Questions whether compliance actually weakens security
  – Face-to-face
    • They’re actually not that far apart...


Page 34

Conclusion

Chris [email protected]
902-421-2460
@imchristodd

SANS Security 464: Hacker Detection for Systems Administrators
http://www.sans.org/mentor/details.php?nid=26319
Nov 24-25 in Halifax
