What PCI DSS Taught Us About Security by Dr. Anton Chuvakin
... aka “Teachings of Don PCI”

Presentation title: What PCI DSS Taught Us About Security
Brief abstract: This presentation derives some useful lessons from our industry's experience with PCI DSS. Organizations can use these lessons to improve their security programs and reduce risk as well.

Notes
  • First: we are not here to learn how to become PCI compliant!! Keynote = THINK about security and HAVE FUN, not get trained. TODO: Netherlands fine for not wearing seat belt in car (bicycle?). NHTSA study: no law - no belt; enforcement + education; belief in likely enforcement. Idiosyncrasy (idiocy?): seatbelts, chance of DEATH vs likelihood of $50 fine. "Dumb management": PCI instead of security; PCI DSS over IH to live incident; people like to accept the risk - of OTHERS.
  • http://www.pciknowledgebase.com/index.php?option=com_mtree&task=viewlink&link_id=1366&Itemid=0
    "As a banker who has been involved in audit and risk management for 20+ years, I have a beef with PCI. Too many have lost sight of goal which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it. We have removed the acceptance of risk as an option by insisting on 100% compliance. That was not the intent." Damn "PCI industry"
  • Some folks are OK with organizations doing security ONLY because of compliance fines!!!
    Philosophy: Do you agree with "laws against stupid?" Tenuous connection of controls/practices vs outcomes. Compliance is "easy", security is hard. If you lose my SSN, I WANT your business to FAIL! Compliance vs risk. Or is it FOR risk? "We might get hacked, but we will get audited." Age of irresponsibility / entitlement.
    ANTI-COMPLIANCE: "Checklist mentality"; "Teaching for the test"; "Whack-an-auditor" game; induction of "mandate=ceiling" thinking; narrow focus on mandated controls; no focus on controls effective for you!; lack of innovation; slow speed of mandate changes; difference in assessment quality; extra diligence of post-breach assessment; total disconnection of compliance from security; $0.71/month scans; compliance spending misaligned with risk; unhappy with compliance? Never did ANY security. "PCI compliance has not been 'operationalized' by 95 percent of merchants."
  • While many hope for Gaussian, in security – counter to intuition! – most people are below average!
  • http://projects.webappsec.org/Web-Application-Security-Statistics
    http://www.whitehatsec.com/home/assets/presentations/09PPT/PPTstats0209.pdf
  • CSR reference!! Thus: mandatory. You can drag the horse to water … but you cannot stop her from a) drowning, b) abusing water - <whatever>
  • As someone closely involved with PCI DSS, I observed this peculiarity more than a few times.
    Myth: PCI is too hard … "… too expensive, too complicated, too burdensome, too much for a small business, too many technologies or even unreasonable"
    Myth: PCI is easy: we just have to "say Yes" on SAQ and "get scanned". "What do we need to do - get a scan and answer some questions?"
    Reality: Not exactly - you need to: a) Get a scan – and then resolve the vulnerabilities found; b) Do all the things that the questions refer to – and prove it; c) Keep doing a) and b) forever!
  • A1: a) in 5-10 years – when you will be ready. Replace the system -> bigger impact than PCI DSS!! (see interview)
    A2: Today, if you follow your risk assessment of custodial data, while being mindful of PCI requirements, you likely arrive at something similar to PCI DSS.
    A3: "It is not necessary to change; survival is not mandatory"
  • 2/3 of value in OWN data, ½ is spent protecting it! Forrester report: "Custodial data has little intrinsic value in and of itself. But when it is obtained by an unauthorized party, misused, lost, or stolen, it changes state. Data that is ordinarily benign transforms into something harmful. When custodial data is spilled, it becomes 'toxic' and poisons the enterprise's air in terms of press headlines, fines, and customer complaints. Outsiders, such as organized criminals, value custodial data because they can make money with it. Custodial data also accrues indirect value to the enterprise based on the costs of fines, lawsuits, and adverse publicity." + infrastructure to handle either kind of data, business critical processes, etc!!!
    Consequences: "PCI technology" or "PCI industry"; custodian vs owner of data; laws made you secure 3rd party data; you are free to screw yourself by losing your data; PCI vs "your risk"; might be protecting CC > your key data!
  • + not have OWN DATA
    + not have CUSTODIAN DATA
    + removes CUSTODIAN DATA = protects CUSTODIAN DATA!
    + protects key business processes
  • First: we are not here to learn how to become PCI compliant!! Best insight into compliance. Link IS established: belt -> less chance of death. Still, only EDUCATION + ENFORCEMENT works. "Click it – or ticket!" <= works! "Click it – don't risk it!" <= FAILs! NHTSA study: no law - no belt; enforcement + education; belief in likely enforcement. Idiosyncrasy (idiocy?): seatbelts, chance of DEATH vs likelihood of $50 fine. "Dumb management": PCI instead of security; PCI DSS over IH to live incident; people like to accept the risk - of OTHERS.
  • http://www.visa.com/dropthedata/
    Drop the Data is a nationwide tour between the U.S. Chamber of Commerce and Visa, Inc. along with participating local Chambers of Commerce. The multi-city campaign is designed to make businesses aware of the risks of retaining prohibited cardholder data and to educate them on actionable steps they can take to avoid storing such data.
  • OR: Every time you think "Compliance OR security," god kills a kitten! Profit = not ROI scam, but how to benefit from the fact that PCI exists. HACKER <- This is the enemy! This is NOT the enemy! -> QSA. Security first, compliance as a result. Compliance as motivation, security as action.
  • Longer term: slow trend toward chasm closure. Some from the 1st camp will call it "aligning security and business", but it is not. 2020: http://chuvakin.blogspot.com/search/label/2020
  • + After validating that you are compliant, don't stop: continuous compliance AND security is your goal, not "passing an audit."
    Trends: Outsource!!! Outsource!!! You DO outsource cash storage to banks? Avoid toxic shit! E2EE. Tokenization. Deletion before encryption!
  • http://taosecurity.blogspot.com/2010/03/ge-cirt-joins-first.html

    1. What PCI DSS Taught Us About Security
       Dr. Anton Chuvakin
       Security Warrior Consulting
       www.securitywarriorconsulting.com
       September 2010
    2. Why Are We Here?
       Risk of DEATH vs Risk of $40 fine?
    3. Outline
       PCI DSS Refresher
       PCI Helps!
       PCI Hurts?
       Lessons from PCI DSS
       Will compliance break security?
       Conclusions and Action Items
    4. Inspiration….
       “Too many have lost sight of goal which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it.”
       PCI Knowledge Base, by the late David Taylor
    5. What is PCI DSS or PCI?
       Payment Card Industry Data Security Standard
       Payment Card =
       Payment Card Industry =
       Data Security =
       Data Security Standard =
    6. PCI Regime vs DSS Guidance
       Since 2004, PCI Council publishes PCI DSS
       Outlined the minimum data security protection measures for payment card data.
       Defined Merchant & Service Provider Levels, and compliance validation requirements.
       Left the enforcement to card brands (Council doesn’t fine anybody!)
       Key point: PCI DSS (document) vs PCI (validation regime)
    7-13. Build and Maintain a Secure Network
         • Install and maintain a firewall configuration to protect data
         • Do not use vendor-supplied defaults for system passwords and other security parameters
       Protect Cardholder Data
         • Protect stored data
         • Encrypt transmission of cardholder data and sensitive information across public networks
       Maintain a Vulnerability Management Program
         • Use and regularly update anti-virus software
         • Develop and maintain secure systems and applications
       Implement Strong Access Control Measures
         • Restrict access to data by business need-to-know
         • Assign a unique ID to each person with computer access
         • Restrict physical access to cardholder data
       Regularly Monitor and Test Networks
         • Track and monitor all access to network resources and cardholder data
         • Regularly test security systems and processes
       Maintain an Information Security Policy
         • Maintain a policy that addresses information security
       PCI DSS = Basic Security Practices!
    14. So, PCI Helps!
       MANY more organizations KNOW about security now – due to PCI DSS
       DSS gave many a starting point
       PCI DSS has motivating “teeth”
       Blatant card data abuses SEEM to have decreased
       More people vulnerability scan due to PCI
    15. But Also: PCI Hurts!
       Anti-auditor measures “suck” resources from anti-hacker measures
       Now we have “checkbox compliance”
       Security vendors fund compliance-feature development
    16. Checklist Mentality IS Evil!
    17. PCI Teachings REVEALED…
    18. PCI Teachings: Leaders vs Losers
    19. PCI Teachings: Awareness =/= Action
       PCI DSS raised awareness of web security
       “82% of websites have had at least one security issue, with 63% still having issues of HIGH severity.” (WhiteHat)
       Now…everybody knows that >80% of sites have XSS. So what?
    20. PCI Teachings: The Floor CAN Be The Ceiling
       Compliance is the “floor” of security
       And a motivator to DO IT!
       However, many prefer to treat it as a “ceiling”
       Result: breaches, 0wnage, mayhem!
    21. PCI Teachings: We Cannot Mandate “Caring”
       Q: Can we mandate caring about security?
       A: No
       We can mandate controls, approaches, tools, but we cannot mandate “doing a good job”
       Thus: mandatory = minimum only!
    22. PCI Teachings: It Can be “Too Easy” and “Too Hard”
    23. PCI Teachings: Many Would Rather Whine Than Do
       W1: Why don’t the brands “fix the system?”
       A1: They will.
       W2: Can we have “a risk based” standard?
       A2: No. 91% of people can’t spell “risk”
       W3: Can we do something simpler?
       A3: Yes! Cash.
    24. PCI Teachings: Mandatory Beats Sensible
    25. Observations…
    26. PCI Teaching: $40 > Your Life
       Risk of DEATH vs Risk of $40 fine?
       DOT study on seatbelts:
       Compliance = (Awareness + Enforcement) / Security Benefit
    27. PCI Teachings: Compliance and Risk
       … have nothing to do with each other.
       But you KNOW compliance and you DO NOT KNOW risk! Which one will you act on?
    28. PCI Teachings: People Will Fear THE KNOWN
       [image: hacker] <- This is the enemy!
       This is NOT the enemy! -> [image: QSA]
       Sadly, many organizations will fear QSA more than an attacker!
    29. PCI Teachings: Dead Data = Secure Data
       Many organizations cannot be taught to secure the data … but they can be taught to delete it!
    30. ?
    31. How To “Profit” From Compliance?
       Everything you do for compliance MUST have security benefit for your organization!
       Examples: log management, IDS/IPS, IdM, application security, etc
    32. In Other Words…
       Every time you think “PCI DSS OR security,”
       god kills a kitten!
    33. What Does Future Hold?
       More regulation to compel the laggards
       More threats to challenge the leaders
       New approaches to compliance - mandating care?
       More organizations understanding and measuring security
       Longer term:
       slow trend toward more secure world
    34. Conclusions and Action Items
       Kill the data – whenever you can
       PCI is basic security; stop whining about it - start doing it!
       Develop “security and risk” mindset, not “compliance and audit” mindset.
       Use compliance to drive security
       If you are doing PCI DSS and not getting a security benefit, please STOP!
    35. Action Item!
       NOW LET’S ALL GO PRACTICE INCIDENT RESPONSE!!!
    36. Questions?
       Dr. Anton Chuvakin
       Security Warrior Consulting
       Email: anton@chuvakin.org
       Site: http://www.chuvakin.org
       Blog: http://www.securitywarrior.org
       Twitter: @anton_chuvakin
       Consulting: http://www.securitywarriorconsulting.com
    37. Want a PCI DSS Book?
       “PCI Compliance” by Anton Chuvakin and Branden Williams
       Useful reference for merchants, vendors – and everybody else
       Released December 2009!
    38. More on Anton
       Now: independent consultant
       Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
       Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
       Standard developer: CEE, CVSS, OVAL, etc
       Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
       Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
