http://www.pciknowledgebase.com/index.php?option=com_mtree&task=viewlink&link_id=1366&Itemid=0

As a banker who has been involved in audit and risk management for 20+ years, I have a beef with PCI. Too many have lost sight of the goal, which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it. We have removed the acceptance of risk as an option by insisting on 100% compliance. That was not the intent.
“The best method to protect data from hackers is to delete it”
PCI Compliance book: http://www.pcicompliancebook.info/
PCI DSS-based Security: Is This For Real?
Using PCI DSS as a Foundation for Your Security Program
Dr. Anton Chuvakin
Author of “PCI Compliance” http://www.pcicompliancebook.info
Security Warrior Consulting www.securitywarriorconsulting.com
Secure 360, Minneapolis, MN, May 2010
Inspiration…
“Too many have lost sight of the goal, which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it.”
PCI Knowledge Base, by the late David Taylor
Outline
What is PCI DSS? Why is it here?
PCI DSS as a security framework
PCI DSS as a data security framework
Starting from PCI: how to do it?
Risks and pitfalls
What is PCI DSS or PCI?
Payment Card Industry Data Security Standard
Payment Card =
Payment Card Industry =
Data Security =
Data Security Standard =
PCI Data Security Standard
PCI Council publishes PCI DSS, the Data Security Standard
Outlined the minimum data security protection measures for payment card data
Defined Merchant and Service Provider levels, and compliance validation requirements
Left the enforcement to the card brands (the Council doesn’t fine anybody!)
Key point: PCI DSS (the document) vs PCI (the validation regime)
PCI Game: The Players
PCI Security Standards Council
My Data – Their Risk!?
*I* GIVE *YOU* DATA
*YOU* LOSE IT
*ANOTHER* SUFFERS!
PCI Coverage: What Do We Learn?
Focus: confidentiality of credit card data…
… but not exactly: data avoidance is even better!
Now … a hard question: what is “a good security program”?
What technology, processes, etc.? What are the goals? What are the metrics?
Holes?
BIG HOLE #1: Everything availability
“If your payment app blows up, it magically becomes ‘PCI compliant’”
HOLE #2: Everything productivity
Spam, web filtering, client protection, etc.
HOLE #3: Card data discovery
PCI assumes omniscient data owners…
Sidetrack: WTH is “Data Security”?
If your router is 0wned, is data security still achieved?
If a secondary system is compromised? A QA machine? A public web server?
Know any “data idiots”?
… back to
Pros and Cons
Pros:
Good coverage of many domains (tech and process)
Useful focus on data elimination, app security and monitoring
Detailed guidance available
A lot of tools available to help
Lacks the complexity of ISO, NIST, etc.
Cons:
Phase 1: Understanding
Read PCI DSS and the Prioritized Approach
Organize into domains
Split technology requirements from process/policy/procedure requirements
Mind the holes!
Also: think about other regulations, e.g. breach disclosure laws
Phase 2: Plan
Gaps? Policy/process gap; technology gap
Anything to buy? Build? Outsource?
“Close the gap” strategy
Guidance: PCI SSC “Prioritized Approach”
“Reverse PCI”: start from Req 12 “Policy”
Coordinate with stakeholders
Scope Explodes!
Key lesson in PCI compliance: SHRINK THE SCOPE! “Drop the data”
Here we expand the scope to all data and even all systems.
Phase 3: Do It!
Following the prioritized plan, start building
If under the actual PCI regime, start from payment networks [of course!]
Adjust! You are not “praying to PCI gods”
Q: Can I use ISO 27001 instead?
A: Sure, but you would not be reading this if you had this choice!
Success?
Success!!!
Measure success: metrics system
No assessment prep (no QSA) – but do self-assess! (INPUTS)
Incident and loss reduction (OUTPUTS)
Document – as if for a QSA!
“Compliance is validated security”
Key Issue
Q: Which one of these guarantees that you will never suffer a motorcycle accident?
A. Having “a helmet law” on the books
B. Being aware of the above law
C. Always wearing a basic helmet
D. Always wearing an advanced, “market leading” helmet
Why Are We Doing It?
Risk of DEATH vs risk of a $60 fine?
Conclusions
What have we achieved here?
Likely, became PCI compliant
Evaluated PCI as a foundation for security
Built a security program
Started operational processes
Helped protect data, systems and other valuable information assets!
In Other Words…
Every time you think “PCI DSS OR security,” god kills a kitten!
Questions?
Dr. Anton Chuvakin
Email: firstname.lastname@example.org
Google Voice: 510-771-7106
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Twitter: @anton_chuvakin
Get the “PCI Compliance” Book!
Useful reference for merchants, vendors – and everybody else in the “PCI realm”
Book released Dec 2009
Get two free chapters at www.pcicompliancebook.info
More on Anton
NOW: consultant, http://www.securitywarriorconsulting.com
Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
Standard developer: CEE, CVSS, OVAL, etc.
Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
Security Warrior Consulting Services
Logging and log management policy:
Develop logging policies and processes, log review procedures, workflows and periodic tasks, and help architect them to solve organizational problems
Plan and implement a log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention and log source configuration, as well as reporting, review and validation
Customize industry “best practices” related to logging and log review to fit your environment; help link these practices to business services and regulations
Help integrate logging tools and processes into IT and business operations
Content development:
Development of correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
Create and refine policies, procedures and operational practices for logging and log management to satisfy the requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
More at www.SecurityWarriorConsulting.com