PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
PCI DSS-based Security: Is This For Real? Using PCI DSS as A Foundation for Your Security Program
Published in: Technology
  • http://www.pciknowledgebase.com/index.php?option=com_mtree&task=viewlink&link_id=1366&Itemid=0
    “As a banker who has been involved in audit and risk management for 20+ years, I have a beef with PCI. Too many have lost sight of goal which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it. We have removed the acceptance of risk as an option by insisting on 100% compliance. That was not the intent.”
  • “The best method to protect data from hackers is to delete it”, PCI Compliance book, http://www.pcicompliancebook.info/
  • Transcript

    • 1. PCI DSS-based Security: Is This For Real? Using PCI DSS as A Foundation for Your Security Program
      Dr. Anton Chuvakin
      Author of “PCI Compliance”
      http://www.pcicompliancebook.info
      Security Warrior Consulting
      www.securitywarriorconsulting.com
      Secure 360, Minneapolis, MN
      May 2010
    • 2. Inspiration….
      “Too many have lost sight of goal which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it.”
      PCI Knowledge Base, by the late David Taylor
    • 3. “PCI Is The Devil !!!”
    • 4. Outline
      What is PCI DSS? Why is it here?
      PCI DSS as a security framework
      PCI DSS as a data security framework
      Starting from PCI: how to do it?
      Risks and pitfalls
    • 5. What is PCI DSS or PCI?
      Payment Card Industry Data Security Standard
      Payment Card =
      Payment Card Industry =
      Data Security =
      Data Security Standard =
    • 6. PCI Data Security Standard
      PCI Council publishes PCI DSS – Data Security Standard
      Outlined the minimum data security protection measures for payment card data.
      Defined Merchant & Service Provider Levels, and compliance validation requirements.
      Left the enforcement to card brands (Council doesn’t fine anybody!)
      Key point: PCI DSS (document) vs PCI (validation regime)
    • 7. PCI Game: The Players
      PCI Security Standards Council
    • 8. My Data – Their Risk!?
      *I* GIVE *YOU* DATA
      *YOU* LOSE IT
      *ANOTHER* SUFFERS!
    • 9.–15. PCI Data Security Standard In-Depth
      Build and Maintain a Secure Network
      • Install and maintain a firewall configuration to protect data
      • Do not use vendor-supplied defaults for system passwords and other security parameters
      Protect Cardholder Data
      • Protect stored data
      • Encrypt transmission of cardholder data and sensitive information across public networks
      Maintain a Vulnerability Management Program
      • Use and regularly update anti-virus software
      • Develop and maintain secure systems and applications
      Implement Strong Access Control Measures
      • Restrict access to data by business need-to-know
      • Assign a unique ID to each person with computer access
      • Restrict physical access to cardholder data
      Regularly Monitor and Test Networks
      • Track and monitor all access to network resources and cardholder data
      • Regularly test security systems and processes
      Maintain an Information Security Policy
      • Maintain a policy that addresses information security
    • 16. PCI DSS Coverage
      … in no particular order:
      Security policy and procedures
      Network security
      Malware protection
      Application security (and web)
      Vulnerability scanning and remediation
      Logging and monitoring
      Security awareness
    • 17. PCI DSS With No Cards?
    • 18. PCI Coverage: What Do We Learn?
      Focus: confidentiality of credit card data…
      … but not exactly: data avoidance is even better!
      Now …
      … a hard question: what is “a good security program”?
      What technology, processes, etc?
      What are the goals?
      What are the metrics?
    • 19. Our Goals!
    • 20. Holes?
      BIG HOLE #1: Everything availability
      “If your payment app blows up, it magically becomes ‘PCI compliant’”
      HOLE #2: Everything productivity
      Spam, web filtering, client protection, etc
      HOLE #3 Card data discovery
      PCI assumes omniscient data owners…
    • 21. Sidetrack: WTH is “Data Security”
      … back to
      If your router is 0wned, is data security still achieved?
      If a secondary system is compromised?
      QA machine?
      Public web server?
      Know any “data idiots”?
    • 22.–27. Pros and Cons
      Pros:
      Good coverage of many domains (tech and process)
      Useful focus on data elimination, app security and monitoring
      Detailed guidance available
      A lot of tools available to help
      Lacks complexity of ISO, NIST, etc
      Cons:
      • Does not start from policy (but you can!)
      • Holes!
      • Lack of logical structure (but Prioritized Approach is there)
      • Your risk not covered
      • “Kill the data” focus doesn’t apply to some
      • Measuring success?!
    • Pause…
      What do you think?
    • 28. OK, Diving In…
    • 29. Phase 1 Understanding
      Read PCI DSS and Prioritized Approach
      Organize into domains
      Split technology requirements from process/policy/procedure
      Mind the holes!
      Also: think about other regulations, e.g. breach disclosure laws
    • 30. Holes? What Holes?
    • 31. Phase 2 Plan
      Gaps?
      Policy/process gap
      Technology gap
      Anything to buy? Build? Outsource?
      “Close the gap” strategy
      Guidance: PCI SSC “Prioritized Approach”
      “Reverse PCI”: start from Req 12 “Policy”
      Coordinate with stakeholders
    • 32. Scope Explodes!
      Key lesson in PCI compliance:
      SHRINK THE SCOPE! “Drop the data”
      Here we expand the scope to all data and even all systems.
    • 33. Phase 3 Do it!
      Following the prioritized plan, start building
      If under actual PCI regime, start from payment networks [of course!]
      Adjust! You are not “praying to PCI gods”
      Q: Can I use ISO27001 instead?
      A: Sure, but you would not be reading this if you had this choice!
    • 34. Done?
    • 35. Phase 4 Run it!
      Ongoing tasks in PCI:
    • 36. Success? Success!!!
      Measure success
      Metrics system
      No assessment prep (no QSA) – but do self-assess! (INPUTS)
      Incident and loss reduction (OUTPUTS)
      Document – as if for QSA!
      “Compliance is validated security”
    • 37. Key Issue
      Q: Which one of these guarantees that you will never suffer a motorcycle accident?
      A. Having “a helmet law” on the books
      B. Being aware of the above law
      C. Always wearing a basic helmet
      D. Always wearing an advanced, “market leading” helmet
    • 38. Answer!
      E. NONE OF THE ABOVE!
    • 39. Why Are We Doing It?
      Risk of DEATH
      Vs
      Risk of $60 fine?
    • 40. Conclusions
      What have we achieved here?
      Likely, became PCI compliant
      Evaluated PCI as a foundation for security
      Built a security program
      Started operational processes
      Helped protect data, systems and other valuable information assets!
    • 41. In Other Words…
      Every time you think “PCI DSS OR security,”
      god kills a kitten!
    • 42. Questions?
      Dr. Anton Chuvakin
      Email: anton@chuvakin.org
      Google Voice: 510-771-7106
      Site: http://www.chuvakin.org
      Blog: http://www.securitywarrior.org
      LinkedIn: http://www.linkedin.com/in/chuvakin
      Twitter: @anton_chuvakin
    • 43. Get “PCI Compliance” Book!
      Useful reference for merchants, vendors – and everybody else in “PCI realm”
      Book released Dec 2009
      Get two free chapters at
      www.pcicompliancebook.info
    • 44. More on Anton
      NOW: consultant, http://www.securitywarriorconsulting.com
      Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
      Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
      Standard developer: CEE, CVSS, OVAL, etc
      Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
      Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
    • 45. Security Warrior Consulting Services
      Logging and log management policy
      Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
      Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
      Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
      Help integrate logging tools and processes into IT and business operations
      Content development
      Development of correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
      Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
      More at www.SecurityWarriorConsulting.com