
PCI SSC 2015 SIG Proposal: Securing Cryptographic Keys and Digital Certificates


  1. 2014 North American Community Meeting. 2015 SIG Proposals: Securing Cryptographic Keys and Digital Certificates
  2. Purpose
     - Clarify cryptographic key and digital certificate security
       - Protects data at rest and data in transit
       - Authorizes and authenticates servers, devices, software, cloud, and privileged administrators and users
     - Deliver guidance and new insights
       - Guidelines & implementation checklist
       - Recommended changes to the PCI DSS
  3. Background
     - Trust-based attack vulnerabilities are increasing
     - Heartbleed showed how serious the impact could be:
       "Heartbleed is catastrophic… This means that anything in memory—SSL private keys, user keys, anything—is vulnerable. And you have to assume that it is all compromised. All of it." - Bruce Schneier, Cryptographer
     - Heartbleed: when, not if, the next Heartbleed-level response will be needed
  4. Background
     - Threats to keys and certificates are no longer theoretical. They have become an everyday attack.
     - (Timeline figure, 2010 to 2012: Stuxnet & Duqu, attacks on CAs, everyday attack method)
  5. Background
     - "PKI is under attack…" - Scott Charney, Corporate Vice President, Microsoft
  6. Background. Experts agree the problem is only going to get worse:
     - McAfee Labs Threat Report for Fourth Quarter 2013 noted that malware signed with legitimate certificates more than tripled between 2012 and 2013
     - Gartner predicts "50% of network attacks will use SSL by 2017"
     - University of Michigan found 99% of SSL certificates in use considered vulnerable by the current NIST standard
     - Netcraft found 40% of mobile banking apps don't validate SSL certificates, leaving them vulnerable to man-in-the-middle attacks
       - Fandango & Credit Karma settle violations with the FTC
  7. Opportunity
     - Detail specifics for key and certificate security
     - Indicate how the security of keys and certificates influences other security controls
     - Provide recommendations to mitigate threats, including:
       - Apply key and certificate requirements to data in transit
       - Require encryption for data in transit within the CDE
  8. Objectives
     - Scope: security strategies that protect keys and certificates
       - Limit access and locations
       - Recommend algorithm and cryptoperiod
       - Ensure key retirement and replacement
       - Enable dual control
       - Respond to attacks
       - Secure the entire key lifecycle
       - Provide clarity on asymmetric and symmetric cryptographic key security
       - Close the gap between data encryption keys and key encryption keys
       - Use strong, protected, securely stored, and securely distributed keys
  9. Approach
     - Develop guidelines and a checklist for QSAs and organizations
       - Research industry best practices and consult with industry experts
       - Indicate different options, combinations, and configurations for deploying key and certificate security
       - Highlight how security elements interrelate and impact each other
     - (Figure: Experts to Engage)
  10. Participation & Support
     - Co-submitter: Kevin Bocek, Venafi, Security Vendor
     - Co-submitter: Gary Glover, SecurityMetrics, QSA
     - Current participants (listed alphabetically by last name):
       - Brandon Benson, SecurityMetrics, QSA
       - David W. Buchanan, Delap, QSA
       - Mike Carmack, Bank of America, Financial Institution, ISA
       - Christine Drake, Venafi, Security Vendor
       - Eppy Thatcher, Townsend Security, Security Vendor
       - Patrick Townsend, Townsend Security, Security Vendor
       - Laurie Sanborn, Venafi, Security Vendor, Former QSA
       - Jeff Stapleton, Bank of America, Financial Institution, Former QSA
       - Charles Watts, Walmart, Merchant, ISA
