PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin

PCI DSS-based Security: Is This For Real?Using PCI DSS as A Foundation for Your Security Program
Dr. Anton Chuvakin
Author of “PCI Compliance”
http://www.pcicompliancebook.info
Security Warrior Consulting
www.securitywarriorconsulting.com
Secure 360, Minneapolis, MN
May 2010

Inspiration….
“Too many have lost sight of goal which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it. “
PCI Knowledge Base by late David Taylor

“PCI Is The Devil !!!”

Outline
What is PCI DSS? Why it is here?
PCI DSS as a security framework
PCI DSS as a data security framework
Starting from PCI: how to do it?
Risks and pitfalls

What is PCI DSS or PCI?
Payment Card Industry Data Security Standard
Payment Card =
Payment Card Industry =
Data Security =
Data Security Standard =

PCI Data Security Standard
PCI Council publishes PCI DSS –Data Security Standard
Outlined the minimumdata security protections measures for payment card data.
Defined Merchant & Service Provider Levels, and compliance validation requirements.
Left the enforcement to card brands (Council doesn’t fine anybody!)
Key point: PCI DSS (document) vs PCI (validation regime)

PCI Game: The Players
PCI Security Standards Council

My Data – Their Risk!?
*I* GIVE *YOU* DATA
*YOU* LOSE IT
*ANOTHER* SUFFERS!

Install and maintain a firewall confirmation to protect data
Do not use vendor-supplied defaults for system passwords and other security parameters
Build and Maintain a Secure Network
Protect stored data
Encrypt transmission of cardholder data and sensitiveinformation across public networks
Protect Cardholder Data
Use and regularly update anti-virus software
Develop and maintain secure systems and applications
Maintain a Vulnerability Management Program
Restrict access to data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Implement Strong Access Control Measures
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Regularly Monitor and Test Networks
Maintain a policy that addresses information security
Maintain an Information Security Policy
PCI Data Security Standard In-Depth

PCI DSS Coverage
… in no particular order:
Security policy and procedures
Network security
Malware protection
Application security (and web)
Vulnerability scanning and remediation
Logging and monitoring
Security awareness

PCI DSS With No Cards?

PCI Coverage: What Do We Learn?
Focus: confidentiality credit of card data…
… but not exactly: data avoidance is even better!
Now …
… a hard question: what is “a good security program”?
What technology, processes, etc?
What are the goals?
What are the metrics?

Our Goals!

Holes?
BIG HOLE#1 Everything availability
“If your payment app blows up, it magically becomes ‘PCI compliant’” 
HOLE #2 Everything productivity
Spam, web filtering, client protection, etc
HOLE #3 Card data discovery
PCI assumes omniscient data owners…

Sidetrack: WTH is “Data Security”
… back to
If you router is 0wned, is data security still achieved?
If a secondary system is compromised?
QA machine?
Public web server?
Know any “data idiots?”

Pros and Cons
Pros:
Good coverage of many domains (tech and process)
Useful focus on data elimination, app security and monitoring
Detailed guidance available
A lot of tools available to help
Lacks complexity of ISO, NIST, etc
Cons:
Does not start from policy (but you can!)
Holes!
Lack of logical structure (but Prioritized Approach is there)
Your risk not covered
“Kill the data” focus doesn’t apply to some
Measuring success?!

Pause…
What do you think?

OK, Diving In…

Phase 1 Understanding
Read PCI DSS and Prioritized Approach
Organize into domains
Split technology requirements from process/policy/procedure
Mind the holes!
Also: think about other regulations, e.g. breach disclosure laws

Holes? What Holes?

Phase 2 Plan
Gaps?
Policy/process gap
Technology gap
Anything to buy? Build? Outsource?
“Close the gap” strategy
Guidance: PCI SSC “Prioritized Approach”
“Reverse PCI”: start from Req 12 “Policy “
Coordinate with stakeholders

Scope Explodes!
Key lesson in PCI compliance:
SHRINK THE SCOPE! “Drop the data”
Here we expand the scope to all data and even all systems.

Phase 3 Do it!
Following the prioritized plan, start building
If under actual PCI regime, start from payment networks [of course!]
Adjust! You are not “praying to PCI gods”
Q: Can I use ISO27001 instead?
A: Sure, but you would not be reading this if you had this choice!

Phase 4 Run it!
Ongoing tasks in PCI:

Success? Success!!!
Measure success
Metrics system
No assessment prep (no QSA) – but do self-assess! (INPUTS)
Incident and loss reduction (OUTPUTS)
Document – as if for QSA!
“Compliance is validated security”

Key Issue
Q: Which one of these guarantees that you will never suffer a motorcycle accident?
A: Having “a helmet law” on the books
B. Being aware of the above law
C. Always wearing a basic helmet
D. Always wearing an advanced, “market leading” helmet

Answer!
E. NONE OF THE ABOVE!

Why Are We Doing It?
Risk of DEATH
Vs
Risk of $60 fine?

Conclusions
What we have achieved here?
Likely, became PCI compliant
Evaluated PCI as a foundation for security
Built a security program
Started operational processes
Helped protect data, systems and other valuable information assets!

In Other Words…
Every time you think “PCI DSS OR security,”
god kills a kitten!

Questions?
Dr. Anton Chuvakin
Email:anton@chuvakin.org
Google Voice: 510-771-7106
Site:http://www.chuvakin.org
Blog:http://www.securitywarrior.org
LinkedIn:http://www.linkedin.com/in/chuvakin
Twitter:@anton_chuvakin

Get “PCI Compliance” Book!
Useful reference for merchants, vendors – and everybody else in “PCI realm”
Book released Dec 2009
Get two free chapters at
www.pcicompliancebook.info

More on Anton
NOW: consultanthttp://www.securitywarriorconsulting.com
Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
Standard developer: CEE, CVSS, OVAL, etc
Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

Security Warrior Consulting Services
Logging and log management policy
Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
Help integrate logging tools and processes into IT and business operations
Content development
Develop of correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
More at www.SecurityWarriorConsulting.com

http://chuvakin.blogspot.com	80
http://jonsnetwork.com	23
http://www.slideshare.net	11
http://us-w1.rockmelt.com	11
http://www.computersecurityarticles.info	3
http://www.lmodules.com	3
http://www.securitybloggersnetwork.com	2
http://chuvakin.blogspot.com.au	1
http://webcache.googleusercontent.com	1
http://itknowledgehub.com	1
http://lifeofit.com	1
http://chuvakin.blogspot.in	1

PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin

by Anton Chuvakin on May 14, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

12 Embeds 138

Statistics

PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin — Presentation Transcript