Sergey Gordeychik, Security Metrics for PCI DSS Compliance
Transcript

  • 1. Measuring Security: Security Metrics for PCI DSS Compliance. Sergey Gordeychik, Security Lab by Positive Technologies
  • 2. What is PCI DSS?
    • QSA audits?
    • ASV scans?
    • Pentests?
    • Web application security assessment?
  • 3. What is PCI DSS?
    • Building up the process of maintaining the IS in a secure (and compliant) condition!
      • The process of monitoring and audit (ISO 27001 A.15.2…)
        • QSA audits?
        • ASV scans?
        • Pentests?
        • Web application security assessment?
  • 5. Black-and-white approach
    • The technical orientation of PCI provokes auditors into a black-and-white (red-and-yellow) result:
        • Not in compliance!
        • In compliance!
    • Reality is much more complicated…
  • 6. Example: Updating Oracle
    • Auditor:
        • There are some problems with Oracle
    • Company:
        • Consultation with developers
        • Waiting for approval
        • Testing
        • Deployment
  • 7. Example: Updating Oracle. What to do?!!
    • Speed up the process?
    • Update at one's own risk?
    • Restrict access at the firewall?
    • Migrate the application to terminal?
    • Implement a customized IPS?
  • 8. What is good and what is bad?
    • How to measure the current level of compliance in a non-binary format?
    • How to divide the process of compliance maintenance into measurable tasks?
    • How to assess planned and current expenses?
  • 9. Security metrics
    • Explicitly measured, no "expert opinion"
    • Available for calculation and analysis (automatically, if possible)
    • Rendered quantitatively (not just "high", "medium", "low")
    • Measured in units that fit the analysis (such as "errors", "hours", "cost")
    • Comprehensible, pointing to the problem area and possible solutions (the "So what?" test)
  • 10. Compliance with respect to requirements
  • 11. Compliance with respect to hosts
  • 12. Compliance with respect to hosts and requirements
  • 13. Compliance
    • How many PCI requirements do we violate?
    • Which violations are the most common?
    • Which issues should be addressed first?
  • 14. Good, but not enough!
    • Allows you to trace a course of action
    • Allows you to observe the dynamics
    • Unable to provide a comprehensible engineering estimate!
  • 15. Labor input metrics
    • Allow you to assess planned and current labor input in achieving the goal
      • Labor input in making the system compliant
      • Justification of the chosen compensating security measures
      • Assessment of spent resources
    • Differentiation of types of modifications
      • Patch installation
      • Version update
      • Configuration modification
      • Code change
  • 16. Labor input metrics
  • 17. Process metrics
    • Are generated on the basis of compliance and its derivatives
      • Quantity and percentage of workstations with anti-virus software installed
      • Quantity and percentage of hosts that comply with patch-management requirements
      • Quantity and percentage of DBMS servers that comply with password requirements
      • Quantity and percentage of network devices that comply with security requirements
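The compliance metrics of slides 10 to 13 (per requirement, per host, per host-and-requirement, and "what to address first") and the count-and-percentage process metrics of slide 17, as an added Python example that is not part of the deck. It assumes a constructed findings matrix of hosts against PCI DSS requirement numbers and assumes every listed requirement was checked on every host.

```python
from collections import Counter

# Constructed sample data (not from the slides): violated PCI DSS requirement
# numbers per host; an empty set means the host passed every check.
FINDINGS = {
    "db-oracle-01": {"2.2", "6.1", "8.5.10"},
    "db-oracle-02": {"6.1", "8.5.10"},
    "web-01": {"1.1.5", "6.1", "6.5"},
    "web-02": set(),
    "pos-ws-01": {"5.1"},
}
# Assumed scope: these requirements were checked on every host.
REQUIREMENTS = ("1.1.5", "2.2", "5.1", "6.1", "6.5", "8.5.10")


def pct(part, whole):
    """Percentage rounded to one decimal; avoids division by zero."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def compliance_by_host(findings, reqs=REQUIREMENTS):
    """Slide 11: per host, the share of checked requirements that are met."""
    return {h: pct(len(reqs) - len(v), len(reqs)) for h, v in findings.items()}


def compliance_by_requirement(findings, reqs=REQUIREMENTS):
    """Slides 10 and 17: per requirement, (count, percentage) of compliant hosts."""
    hosts = len(findings)
    out = {}
    for r in reqs:
        violating = sum(1 for v in findings.values() if r in v)
        out[r] = (hosts - violating, pct(hosts - violating, hosts))
    return out


def overall_compliance(findings, reqs=REQUIREMENTS):
    """Slide 12: share of (host, requirement) cells with no violation."""
    cells = len(findings) * len(reqs)
    violations = sum(len(v) for v in findings.values())
    return pct(cells - violations, cells)


def violation_priorities(findings):
    """Slide 13: requirements ranked by how many hosts violate them, i.e. what
    to address first; ties are broken by requirement number."""
    counts = Counter(r for v in findings.values() for r in v)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("by host:", compliance_by_host(FINDINGS))
    print("by requirement:", compliance_by_requirement(FINDINGS))
    print("overall:", overall_compliance(FINDINGS))
    print("priorities:", violation_priorities(FINDINGS))
```

Feeding real scan results into `FINDINGS` gives the same four views the deck asks for, and a time series of `overall_compliance` is the "dynamics" of slide 14.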
  • 18. Process metrics
    • Example with Oracle
      • Convergence on hosts: from 20 days to eternity
      • Maximum compliance level: 23%
    • Perhaps it's better not to think about installing Oracle patches at all?
  • 19. Comparison with the world level
    • What about others?
    • Is my level acceptable?
    • Perhaps I needn't do anything?
  • 20. Web application vulnerability research, 2008
    • Scope of research:
      • Automatic mode: approximately 10,000 hosts
      • Detailed analysis: approximately 1,000 hosts
    • Results:
      • Most websites' security level is low
      • Detection of vulnerabilities and methods of their exploitation are automated
      • Web Application Security Consortium (preliminary data)
  • 21. Distribution of websites according to the number of detected vulnerabilities (the year 2008)
  • 22. The most common vulnerabilities
  • 23. To compromise a website, attackers usually exploit…
    • Analysis of a compromised website exposes a pack of vulnerabilities, one third of which could be exploited by an attacker
  • 24. How soon can these issues be solved?
      • WhiteHat Security
  • 25. Thank you for your attention! Sergey Gordeychik http://gordeys.blogspot.com www.ptsecurity.com [email_address]