Achieving PCI-DSS compliance with network security implementations - April 2011
How to use network security solutions and technologies to achieve and maintain PCI-DSS compliance.

Presentation Transcript

  • Slide 1: Achieving PCI-DSS compliance with network security implementations
    Marco Ermini, Vodafone Group Network Security
    14 April 2011
    Presentation title in footer Confidentiality level on title master January 3, 2013 Department on title master Version number on title master
  • Slide 2: What this is about …and what it is not about!
    This presentation is not about…
    > …what my company has done. This is a personal point of view (of course based on experience)
    > …explaining what the various network security devices are. You know them. If not, you need other BrightTalks to get better informed
    > …choosing vendors/brands – even if we may lean towards network security vendors versus “host based” vendors, when this makes sense
    > …discussing if you need a network security device or not, or which technology you do need (maybe a short note…)
    > …“off the shelf” or “vendor provided” best practices – you can just Google for “best practices PCI-DSS” - it will do the job!
    > I assume you need and want PCI-DSS compliance
    > I assume you care about security, as much as compliance
    > I will only touch the main points. The argument is really wide
    What you are looking for are best practices to make your investment worth it
  • Slide 3: Who is speaking? This is not a bio… Why are you listening to me? – 1
    > I am supposed to know what I am talking about. However I am not a compliance expert – do not ask me about compliance, but about technology
    > Yes, that’s my daily job. No, I am not a trainer or something like that
    > No, this is not academia or pure science. There is hardly any here!
    > I know what the market offers. Everyone can download Snort or nmap. It’s not about that
    > I have a realistic view about network security technology
    > Yes, I have been under a real attack. And not just once!
    > I am a customer of network security technology. I evaluate, test, deploy, implement, use them. But I don’t sell them. I will never try to contact you and sell you anything
    > Yes, this will be my personal, partial, questionable, but realistic point of view
    > Yes, I will compare host/agent-based against network-based approaches, and I prefer the second
    You are not drinking from the fountain of truth. Never ever!
  • Slide 4: Who is this for? Why do you care? Why are you listening to me? – 2
    > You are a security officer, security manager, or compliance manager, and need to…
      – of course achieve PCI-DSS compliance
    > You are a security or network engineer, or compliance manager, and need to…
      – possibly bring “real” value from your investment
      – are thinking about/need the network security approach for PCI-DSS
    > You are a PCI-DSS auditor, and need to…
      – understand if the network security approach is valid
    > You are just curious…
      – graduate student, and/or future PCI-DSS auditor, getting into the security job’s world
      – experienced security or network personnel trying to understand network security appliances
    You are welcome to share your expectations, doubts, questions!
  • Slide 5: What is required by PCI-DSS? It is, in many senses, a technical compliance standard. Why is PCI-DSS different from other compliance requirements?
    > Differently from others, it goes into the nitty-gritty details of technical specifications
    > For this reason, it has already required a couple of updates
    > However, like any requirement, you can have documented exceptions, if needed (e.g. NAT)
    > We are concentrating on the latest version, PCI DSS v 2.0
      – Changes from the previous version (1.2.1) are mainly about virtualisation and several clarifications
    > There are several standards:
      – Data Security Standard: how to protect cardholders’ data
      – Requirements and Security Assessment Procedures: about how to assess the environment
      – PIN Transaction Security
      – Various supporting documents focusing on roles like merchants, service providers, and so on
    The argument is extremely wide!!!
  • Slide 6: Why use a network-based approach? In many cases it is easier to implement. Why should I stop securing at the PCI-DSS environment?
    > Although it is necessary by requirement to isolate the zone where cardholders’ data are processed, in many cases it is easier to implement many of the requirements across the whole DC
    > You can leverage the investment to apply best practices to a wider zone
    > In some cases, the standard seems to encourage it (e.g. wireless devices in a PCI DSS zone?!?)
    > In many cases, network security appliances can be used in multiple zones and it is just a matter of licence how many systems you protect
      – Caveat: management stations (we will see this later)
    > It is much easier to leverage this investment when using network-based approaches
    > In some cases, there is no choice but to use network security devices – for instance when the requirements specify it
    If you are forced to invest in security, make the most of it!
  • Slide 7: Let’s see the requirements. Requirement 2 “Do not use vendor-supplied defaults for system passwords and other security parameters”
    > You can use network security scanners and compliance scanners to verify that this is in place
      – Verify that best practices and hardening (e.g. passwords, SNMP, defaults, not needed daemons…) have been implemented, through scanning of the environment
      – Some network scanners can log in to the systems and verify that policies are implemented. This is very often a much better approach than deploying agent-based solutions
      – Be sure that the vendor supports both servers and network devices
      – You need to verify for instance wireless devices, if present
      – Scan virtualisation technologies: this seems to suggest that we must verify hypervisors
      – Only documented daemons/services must be running
    > Must verify that newly installed systems are compliant
      – This is much better done with a scanner that detects when new systems are installed
    I do prefer by a great extent a network-based, agent-free solution for hardening
  • Slide 8: Let’s see the requirements. Requirement 3 “Protect stored cardholder data”
    > Tricky pitfalls for network security devices, let’s see why
    > Keep data retention to a minimum, do not store authentication/authorisation data and credit cards
      – If data is transmitted in an encrypted way (e.g. HTTPS), the Intrusion Detection/Prevention or the WAF often cannot see them
      – However, if they are placed after HTTPS reverse-proxies, or are instructed to decrypt the traffic, they may also see authentication/authorisation data, or even credit card data
      – If a signature is triggered, the IDS/IPS/WAF management station can keep a record of the transaction
    > How to address this?
      – Have a geographically/topologically localised management station in the zone (“manager of the manager” issue)?
      – Disable packet capture/logging?
      – Special policy for PCI-DSS IDS/IPS/WAF?
      – Disk encryption on the management station?
      – How do security operations people handle packet captures of signatures?
    It can be tricky so we must plan this in advance. Also you don’t want “special” deployments if possible
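One way to reduce the retention pitfall above (a decrypting IDS/IPS/WAF whose alert packet captures end up holding card numbers) is to mask PANs before the management station stores the alert. This is an added example, not the author's or any vendor's code; the alert layout (a dict with a `payload` string) and the sample payload are constructed.

```python
"""Mask card numbers (PANs) in IDS/IPS/WAF alert payloads before the
management station stores them.  Added example, not from the deck; the
event layout and sample payload are constructed assumptions."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, and not glued to further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check-digit test; weeds out session ids and similar digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw):
    """Truncate to first six / last four digits, the most PCI DSS lets a display show."""
    digits = re.sub(r"[ -]", "", raw)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_payload(payload):
    """Mask every Luhn-valid candidate; return (redacted text, number masked)."""
    count = 0

    def _sub(m):
        nonlocal count
        if not luhn_valid(re.sub(r"[ -]", "", m.group(0))):
            return m.group(0)   # fails Luhn: leave it, e.g. a session id
        count += 1
        return mask_pan(m.group(0))

    return PAN_CANDIDATE.sub(_sub, payload), count


def redact_event(event):
    """Redact the captured payload of one alert, keeping its other fields."""
    redacted, n = redact_payload(event.get("payload", ""))
    out = dict(event)
    out["payload"] = redacted
    out["pans_redacted"] = n
    return out


# Constructed sample: a WAF behind the HTTPS reverse-proxy triggered on a
# payment POST and captured the decrypted body, card number included.
SAMPLE_EVENT = {
    "sensor": "waf-01", "sig": "SQLi-attempt",
    "payload": "card=4111 1111 1111 1111&exp=1214&sid=1234567890123456",
}

if __name__ == "__main__":
    print(redact_event(SAMPLE_EVENT))
```

The session id survives untouched because it fails the Luhn check, so the analyst keeps what the signature actually matched on while the PAN is truncated.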
  • Slide 9: Let’s see the requirements. Requirement 3 “Protect stored cardholder data”
    > Management of encryption keys
      – Do you need HSM devices/modules?
      – Does your IDS/IPS/WAF support HSM modules?
      – How are crypto keys stored on your device?
      – How are crypto keys distributed?
      – Do you implement “split knowledge” for key management?
      – Do you monitor for key substitution/replacement?
      – Best practices for keys’ custodians
    Again, it can be tricky so we must plan this in advance. And choose the right devices
  • Slide 10: Let’s see the requirements. Requirement 4 “Encrypt transmission of cardholder data across open, public networks”
    > Considered public networks in scope are:
      – Internet
      – Wireless technologies in general
      – GSM/GPRS networks as well
    > You must implement encryption, and take care that IDS/IPS/WAF supports:
      – inspection of HTTPS if necessary, or placed after reverse-proxies
      – GTP traffic, if this makes sense for you
      – Must implement wireless scanners, if this makes sense for you
    I do prefer by a great extent a network-based, agent-free solution for hardening checks!!!
  • Slide 11: Let’s see the requirements. Requirement 6 “Develop and maintain secure systems and applications”
    > As per requirement 2, you can use network security scanners and compliance scanners
      – Verify that patches are installed – both with vulnerability and compliance scanners
      – Verify that undocumented or “custom” applications/services are removed
      – Verify that there are no development tools installed in production
    > Use Web Application Scanners to scan applications for SQL injection, buffer overflows, XSS, CSRF, and so on
      – Suggestion: focus on the OWASP Top 10
      – Ensure your vendor covers the PCI-DSS requirements but also OWASP
      – PCI-DSS is inspired by OWASP
    I do prefer by a great extent a network-based, agent-free solution for hardening checks!!!
  • Slide 12: Let’s see the requirements. Requirement 6 “Develop and maintain secure systems and applications”
    > It is required that for externally-facing web sites, either a review is done, or a Web Application Firewall (WAF) is in use
    > About reviews:
      – can be performed with “automated” tools (Web Application Scanners) or manually
      – however they must be done at least annually, and anyway after any change
      – if you find a vulnerability, you must correct it; this means you are deploying a change, so this means you must review the application again!
      – therefore it is better to plan for an automated tool anyway
    > About Web Application Firewalls (WAF)
      – you do not need to review your application
      – anyway, experience shows that it is better that you do it. Do not use the WAF as a scapegoat to avoid application reviews. Heard about Barracuda Networks recently?
    I suggest to have both a WAF and assess the applications, as having the WAF simplifies the application patching too – catch 22
  • Slide 13: Let’s see the requirements. Requirement 6 “Develop and maintain secure systems and applications”
    > FAQ: can I use an IDS/IPS as a WAF?
      – I cannot go into great detail on this, however I discourage it
      – They are inherently different technologies
      – All of the IDS/IPS vendors have web protection functionality, however it is not the same as a Web Application Firewall
      – Although you may argue about that with an auditor, if you care about real security and not just compliance, do not take the shortcut
      – Please feel free to ask me about details on that off line if you care
    I suggest to have both WAF and IDS/IPS. Do not use shortcuts unless you are on a budget
  • Slide 14: Let’s see the requirements. Requirement 7/8 “Restrict access to cardholder data by business need to know”
    > Use vulnerability and compliance scanners to assess that servers and network devices have proper RBAC set up in place
    > Firewalls and Access Control Systems set up with a final “deny all” rule
      – May look trivial, but sometimes it is not
    “Assign a unique ID to each person with computer access”
    > Two-factor authentication in place for all of the remote accesses
    > This is also valid for security appliance management!
    > If you have not implemented good practices for security appliance management, now you must do it!
    In many cases security appliances have a very simple management model; this must be reviewed for PCI-DSS!!!
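The “final deny all” point above is the kind of check a compliance scanner or a reviewer script can automate over a ruleset export: confirm the last rule denies everything, and flag a permit-any or an early deny-any that shadows the rules after it. This is an added example, not the author's or any vendor's code; the one-rule-per-line format `<action> <proto> <src> <dst> <port>` and the sample rules are constructed, not any product's syntax.

```python
"""Audit a firewall/ACL export for a final catch-all deny and for rules that
undermine or shadow it.  Added example, not from the deck; the line format
and the sample rules are constructed, not a real vendor syntax."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp", or "ip" meaning any protocol
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    port: str     # destination port or "any"

    def is_catch_all(self):
        """True when the rule matches every packet regardless of protocol."""
        return (self.proto, self.src, self.dst, self.port) == ("ip", "any", "any", "any")


def parse_ruleset(text):
    """Parse one rule per line, skipping blank lines and '#' comments."""
    rules = []
    for ln in text.splitlines():
        ln = ln.split("#", 1)[0].strip()
        if not ln:
            continue
        fields = ln.split()
        if len(fields) != 5 or fields[0] not in ("permit", "deny"):
            raise ValueError(f"malformed rule: {ln!r}")
        rules.append(Rule(*fields))
    return rules


def audit_ruleset(rules):
    """Return a list of finding strings; an empty list means all checks passed."""
    findings = []
    if not rules:
        return ["EMPTY: no rules, behaviour depends on the device's implicit default"]
    last = rules[-1]
    if not (last.action == "deny" and last.is_catch_all()):
        findings.append("NO-FINAL-DENY: last rule is not 'deny ip any any any'")
    for i, r in enumerate(rules, start=1):
        if r.action == "permit" and r.is_catch_all():
            findings.append(f"PERMIT-ANY: rule {i} permits all traffic")
        if r.action == "deny" and r.is_catch_all() and i < len(rules):
            findings.append(f"SHADOWED: rules after {i} can never match")
            break   # nothing after an early catch-all deny is reachable
    return findings


# Constructed sample: a "temporary" permit-any left in place above the final deny.
SAMPLE_RULES = """
permit tcp 10.10.5.0/24 10.20.0.10/32 443   # admin workstations to card DB
permit ip any any any                       # troubleshooting rule never removed
deny ip any any any                         # final deny all
"""

if __name__ == "__main__":
    for f in audit_ruleset(parse_ruleset(SAMPLE_RULES)):
        print(f)
```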
  • Slide 15: Let’s see the requirements. Requirement 8 “Assign a unique ID to each person with computer access”
    > Database protection
    > Restrict access to the databases, restrict direct user accesses, review database applications, do not use application IDs outside of applications
    > This can be achieved with a Database Activity Monitor (DAM) technology
    > Agent or agent-less solution
    > I strongly suggest a combination of both, where the focus is on the agent-less solution
    > For specific questions contact me off line
    Database Activity Monitors are a good practice, along with proper set up of database management for the environment
  • Slide 16: Let’s see the requirements. Requirement 9 “Restrict physical access to cardholder data”
    > Again, if your security appliances enter into PCI-DSS scope, you must apply the same requirements to them
    > If you have not implemented good physical security practices for security appliance management, now you must do it!
    > This includes camera surveillance, badge systems and practices, logs and physical escort of visitors by an internal employee (i.e. PCI-DSS auditors too!) and so on
    > Usually part of the DC practices, but it may be different for security monitoring
    In many cases security appliances have a very simple management model; this must be reviewed for PCI-DSS!!!
  • Slide 17: Let’s see the requirements. Requirement 10 “Track and monitor all access to network resources and cardholder data”
    > Again, if your security appliances enter into PCI-DSS scope, you must apply the same requirements to them
    > You must implement audit logs on access to the management systems of the security devices
      – You must implement individual users and not use generic or default users
      – You must use a time server (NTP), and verify against the company’s LDAP/AD
    > You must off-load logs to a syslog/logging server
      – Logs for IPS/IDS/firewalls/and so on
      – Best to use a SEM/SIEM if you are not doing it already
    > Use a file integrity monitoring tool
      – Agent-less solutions are again my favourite
    Again, in many cases security appliances have a very simple management model, and SEM/SIEM are not in use
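Once the appliances' management logins are off-loaded to the syslog/SIEM, the two points above (individual rather than generic accounts, and controlled access to the management systems) become a review that can run over the collected lines. This is an added example, not the author's or any vendor's code; the hostnames, addresses, account policy and log lines are constructed, in the standard OpenSSH `Accepted ... for ... from ...` format.

```python
"""Review sshd logins on security-appliance management stations for generic
or default accounts and for access from outside the management network.
Added example, not from the deck; hosts, addresses, policy and log lines are
constructed for illustration."""
import ipaddress
import re

# OpenSSH's standard "Accepted/Failed <method> for <user> from <ip>" record.
SSH_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed policy: only named administrators may log in, and only from
# the dedicated management subnet.
NAMED_ADMINS = {"mermini", "jdoe"}
GENERIC_ACCOUNTS = {"admin", "root", "operator", "cisco"}
MGMT_NET = ipaddress.ip_network("10.10.5.0/24")


def audit_logins(lines):
    """Return (finding, line) pairs for successful logins that violate the policy."""
    findings = []
    for line in lines:
        m = SSH_LOGIN.match(line)
        if not m or m["result"] != "Accepted":
            continue   # failures and non-login records are out of scope here
        user, src = m["user"], ipaddress.ip_address(m["ip"])
        if user in GENERIC_ACCOUNTS:
            findings.append(("GENERIC-ACCOUNT", line))
        elif user not in NAMED_ADMINS:
            findings.append(("UNKNOWN-USER", line))
        if src not in MGMT_NET:
            findings.append(("OUTSIDE-MGMT-NET", line))
    return findings


# Constructed sample, as the SIEM would receive it from two management stations.
SAMPLE_LOG = """\
Apr 14 10:01:02 ips-mgmt01 sshd[1201]: Accepted publickey for jdoe from 10.10.5.21 port 51022 ssh2
Apr 14 10:02:44 ips-mgmt01 sshd[1230]: Accepted password for admin from 10.10.5.40 port 51100 ssh2
Apr 14 10:05:10 waf-mgmt02 sshd[877]: Accepted password for root from 192.0.2.15 port 4400 ssh2
Apr 14 10:06:00 ips-mgmt01 sshd[1299]: Failed password for admin from 10.10.5.40 port 51130 ssh2
Apr 14 10:07:31 waf-mgmt02 sshd[901]: Accepted publickey for svc_backup from 10.10.5.77 port 4412 ssh2
""".splitlines()

if __name__ == "__main__":
    for kind, line in audit_logins(SAMPLE_LOG):
        print(kind, "->", line)
```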
  • Slide 18: Let’s see the requirements. Requirement 11 “Regularly test security systems and processes”
    > It goes without saying, internal network vulnerability and compliance scanners are often the best solution for testing systems from the internal network
    > Many scanners can scan themselves too
    > Ensure scanners also support security systems and appliances
      – Some systems like IDS/IPS and possibly WAF are only available for scanning on the management network
      – Ensure scanners can also reach management networks, and the networks for the hypervisors’ management
    Ensure scanners can internally reach the whole environment and that they support a wide range of checks
  • Slide 19: Let’s see the requirements. Requirement 11 “Regularly test security systems and processes”
    > External vulnerability scanning is a requirement
    > Can be done with an external or internal resource, but it must be “qualified”
    > There are requirements clearly defined for external resources, a bit less for internal ones
    > Generally easier to use a qualified external supplier
    > Tricky for security: vulnerabilities are stored outside of the company’s network, this can be a problem for some organisations’ policy
      – Some vendors offer solutions for that
      – Some vendors have external solutions that are not secure enough
    Ensure you are using a qualified vendor and you are not violating your own policies or compromising your security by using an external vendor
  • Slide 20: Let’s see the requirements. Requirement 11 “Regularly test security systems and processes”
    > Ensure you have IDS/IPS systems at the perimeter
      – You must verify “all the traffic at the perimeter”, but nothing prohibits checking the internal network too
      – You must ensure proper management of IDS/IPS
      – Must verify that they can see decrypted traffic (after reverse-proxies) and that packet captures are properly treated for the data retention requirements already explained
    > File integrity monitors
    Again, in many cases security appliances have a very simple management model; this must be reviewed for PCI-DSS!!!
  • Slide 21: Thank you