by Dr. Anton Chuvakin, SecurityWarrior, LLC
Current compliance methods are reactive and do little to improve security. In place of annual audits and document-heavy processes, a new Proactive/Continuous Compliance model makes compliance an element of normal information security operations. Compliance is managed day to day and minute to minute, providing clear visibility of compliance posture at any given time. Efficiency is increased, costs are reduced and the annual audit becomes a simple formality. In this presentation we'll cover the requirements, capabilities and benefits of this new compliance model.
Proactive / Continuous Compliance Approach to PCI DSS by Dr. Anton Chuvakin
1. Proactive Compliance for PCI DSS Dr. Anton Chuvakin SecurityWarrior LLC www.securitywarriorconsulting.com Author of “PCI Compliance” (Syngress, 2010) SANS webcast - February 11, 2011
2. Outline Security and/or/vs Compliance The spirit of PCI vs how it is really done? Proactive or continuous compliance Whys and why nots! PCI DSS 2.0 and continuous compliance How to DO continuous compliance right?
3. Why Are We Doing It? Risk of DEATH (continuous) Vs Risk of $60 fine? (audit time i.e. when caught)
4. Example: PCI DSS Payment Card Industry Data Security Standard Payment Card = Payment Card Industry = Data Security = Data Security Standard =
5. PCI Regime vs DSS Guidance The PCI Council publishes PCI DSS Outlined the minimum data security protection measures for payment card data. Defined Merchant & Service Provider Levels, and compliance validation requirements. Left the enforcement to card brands (Council doesn’t fine anybody!) Key point: PCI DSS (document) vs PCI (validation regime)
13. PCI DSS 2.0 is Here! Select items changing for PCI 2.0 Scoping clarification Data storage Virtualization (!!) DMZ clarification Vulnerability remediation Remote data access
14. PA-DSS 2.0 Changes “use of a PA-DSS compliant application alone does not make an entity PCI DSS compliant” “permissible for issuers and companies that support issuing processing to store sensitive authentication data” “new requirement to require payment applications to facilitate centralized logging, in alignment with PCI”
17. State of PCI DSS Validation Today ANNUAL: QSA on-site assessment QUARTERLY: ASV external vulnerability scan Q: What do we learn here? A: You can do (or not do!) compliance every day, but you will only be checked 1/year!
18. So, How to Stay Compliant? Ongoing compliance with PCI DSS – tasks:
19. DAILY Log Review??!! Now that you have a compliant infrastructure… …what do you do with all the data? “Compliance+”: buy for compliance, use for security! Operationalize PCI DSS – then use for other things: one WIN at a time! Use what you have! A lot of PCI focused gear (and data!) is useful for many things!
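As an added illustration of the “daily log review” and “Compliance+” slide (not code from the presentation), a minimal Python review pass over constructed log lines that produces both the compliance evidence an assessor asks for (review performed, coverage) and the security findings that make the review worth doing; the log patterns and failed-login threshold are assumptions.

```python
"""Daily log review pass: one routine yields PCI DSS review evidence
AND security findings. Added illustration, not the presentation's code."""
import re
from collections import Counter
from datetime import date

# Constructed sample log lines (syslog-like); not real data.
SAMPLE_LOGS = """\
Feb 11 02:13:05 cde-db01 sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Feb 11 02:13:09 cde-db01 sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Feb 11 02:13:14 cde-db01 sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Feb 11 09:02:41 cde-db01 sshd[4311]: Accepted publickey for dba from 10.10.5.21 port 40022 ssh2
Feb 11 09:03:10 cde-db01 sudo: dba : TTY=pts/0 ; PWD=/home/dba ; USER=root ; COMMAND=/bin/bash
Feb 11 09:05:02 cde-db01 auditd[311]: USER_CMD pid=4400 uid=0 cmd="rm -f /var/log/audit/audit.log"
Feb 11 23:40:00 cde-app01 cron[900]: (root) CMD (/usr/local/bin/backup.sh)
"""

# Assumed patterns; real deployments would take these from the log source's format.
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ROOT_SHELL = re.compile(r"sudo: (\S+) .* USER=root ; COMMAND=(\S+)")
LOG_TAMPER = re.compile(r'cmd="(?:rm|truncate|shred)[^"]*(?:/var/log|audit)[^"]*"')
FAILED_LOGIN_THRESHOLD = 3  # assumption: tune per environment


def review_logs(text, threshold=FAILED_LOGIN_THRESHOLD, review_date=None):
    """Return (findings, evidence): findings are the security value,
    evidence is the record that the daily review actually happened."""
    findings, failures = [], Counter()
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines:
        if m := FAILED_LOGIN.search(line):
            failures[(m.group(1), m.group(2))] += 1
        elif m := ROOT_SHELL.search(line):
            findings.append(f"root shell via sudo by {m.group(1)}: {m.group(2)}")
        elif LOG_TAMPER.search(line):
            findings.append("possible audit log tampering: " + line.split("cmd=", 1)[1])
    for (user, src), n in failures.items():
        if n >= threshold:
            findings.append(f"{n} failed logins as '{user}' from {src}")
    evidence = {
        "review_date": (review_date or date.today()).isoformat(),
        "lines_reviewed": len(lines),
        "findings": len(findings),
    }
    return findings, evidence


if __name__ == "__main__":
    found, record = review_logs(SAMPLE_LOGS)
    print(record)          # the evidence a QSA would ask to see
    print("\n".join(found))  # the reason to do this daily, not annually
```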
20. GETTING vs STAYING Q: Would you like to get rich? Or stay rich? A: CEO: “Silly. Both!!” Q: Would you like to get compliant with PCI or stay compliant? A: CEO: “Getting compliant is my focus.” WHY?
21. “Whack-an-assessor” PCI “game” as “whack-an-assessor” = PAIN, PAIN, PAIN! Instead…. Use PCI compliance for security daily, validate annually!
23. PCI Teachings: We Cannot Mandate “Caring” Q: Can we mandate caring about security? A: No We can mandate controls, approaches, tools, but we cannot mandate “doing a good job” Continuous compliance = doing a good job!
26. PCI Teachings: People Will Fear THE KNOWN <- This is the enemy! This is NOT the enemy! -> Audit “mad dash” only helps against the latter! The real goal of PCI is the former – thus, continuous compliance is a MUST!
32. To Summarize… “Mad dash” compliance = DONE for the auditor, teaching to the test Continuous compliance = DONE for the benefits; teaching to succeed in life Take your pick … you too can be a data breach media story on CNN
33. Strategic: Huh? PCI DSS done just to “get a QSA off our backs” is TACTICAL. If you do that, your approach to IT and information risk is also TACTICAL Are you OK with it?
34. How Can I “Audit” Myself Every Day? “Silly… this is called MONITORING!” Wouldn’t it be great if attackers only hit 1/year, like auditors? Get attackers to switch to annual attacks OR monitor all the time!
35. How To “Profit” From PCI DSS? Everything you do for PCI DSS MUST have security benefit for your organization! Examples: log management, IDS/IPS, IdM, application security, etc
36. How? Operationalize!!! Learn these words: Operationalize Internalize Stop the “compliance is being done TO me, not BY me” insanity!
37. Conclusions and Action Items After validating that you are compliant, don’t stop: CONTINUING compliance AND security is your goal, not “passing an audit.” Develop “security and risk” mindset, not “compliance and audit” mindset. KILL “auditor-resistant” security! Learn how to “internalize” and “operationalize” compliance and thus gain security benefits – only from continuous compliance
38. Questions? Dr. Anton Chuvakin Principal at SecurityWarrior, LLC Email:anton@chuvakin.org Site:http://www.chuvakin.org Blog:http://www.securitywarrior.org Twitter:@anton_chuvakin Consulting:http://www.securitywarriorconsulting.com
39. More on Anton Consultant: http://www.securitywarriorconsulting.com Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide Standard developer: CEE, CVSS, OVAL, etc Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
Editor's Notes
“Clarified that identification of all locations of cardholder data should include instructions for configuring the underlying software to prevent inadvertent capture or retention of cardholder data” “Updated requirement to ensure that identified vulnerabilities are ranked according to risk.”
See, How to STAY PCI DSS compliant: http://chuvakin.blogspot.com/2009/01/how-to-stay-compliant-or-ongoing-tasks.html
PCI assessment case study from Branden Williams (my co-author for “PCI Compliance”, http://www.pcicompliancebook.info)
Auditor-proof security SUCKS!
Not getting daily compliance/security. Process of compliance: Operationalize – internalize. Compliance is seen as forced, not needed.