Proactive / Continuous Compliance Approach to PCI DSS by Dr. Anton Chuvakin

by Dr. Anton Chuvakin, SecurityWarrior, LLC

Current compliance methods are reactive and do little to improve security. In place of annual audits and document-heavy processes, a new Proactive/Continuous Compliance model makes compliance an element of normal information security operations. Compliance is managed day to day and minute to minute, providing clear visibility of compliance posture at any given time. Efficiency is increased, costs are reduced and the annual audit becomes a simple formality. In this presentation we'll cover the requirements, capabilities and benefits of this new compliance model.

Slide 1: Proactive Compliance for PCI DSS
Dr. Anton Chuvakin
SecurityWarrior LLC
www.securitywarriorconsulting.com
Author of "PCI Compliance" (Syngress, 2010)
SANS webcast - February 11, 2011

Slide 2: Outline
Security and/or/vs Compliance
The spirit of PCI vs how it is really done?
Proactive or continuous compliance
Whys and why nots!
PCI DSS 2.0 and continuous compliance
How to DO continuous compliance right?

Slide 3: Why Are We Doing It?
Risk of DEATH (continuous)
vs
Risk of a $60 fine? (only at audit time, i.e. when caught)

Slide 4: Example: PCI DSS
Payment Card Industry Data Security Standard
Payment Card =
Payment Card Industry =
Data Security =
Data Security Standard =

Slide 5: PCI Regime vs DSS Guidance
The PCI Council publishes PCI DSS:
- It outlines the minimum data security protection measures for payment card data.
- It defines Merchant and Service Provider levels, and the compliance validation requirements for each.
- It leaves enforcement to the card brands (the Council doesn't fine anybody!)
Key point: PCI DSS (the document) vs PCI (the validation regime)

Slide 6: The 12 PCI DSS Requirements
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored data
- Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security
PCI DSS = Basic Security Practices!

Slide 7: PCI DSS 2.0 is Here!
Select items changing for PCI 2.0:
- Scoping clarification
- Data storage
- Virtualization (!!)
- DMZ clarification
- Vulnerability remediation
- Remote data access

Slide 8: PA-DSS 2.0 Changes
"use of a PA-DSS compliant application alone does not make an entity PCI DSS compliant"
"permissible for issuers and companies that support issuing processing to store sensitive authentication data"
"new requirement to require payment applications to facilitate centralized logging, in alignment with PCI"

Slide 9: THEY Are Coming…
Godzilla? Aliens? Evil?
No! QSAs!!!

Slide 10: Continuous Compliance vs Validation
Q: What to do after your QSA leaves?
A: PCI DSS compliance does NOT end when a QSA leaves or an SAQ is submitted.
- Use what you built for PCI to reduce risk
- "Own" PCI DSS; make it the basis for your policies
- Think beyond credit card data and grow your security!
Note: a good QSA will check whether you are "wired" for continuous compliance. Pick one of that sort!

Slide 11: State of PCI DSS Validation Today
ANNUAL: QSA on-site assessment
QUARTERLY: ASV external vulnerability scan
Q: What do we learn here?
A: You can do (or not do!) compliance every day, but you will only be checked once a year!

Slide 12: So, How to Stay Compliant?
Ongoing compliance with PCI DSS – tasks:

Slide 13: DAILY Log Review??!!
Now that you have a compliant infrastructure…
…what do you do with all the data?
"Compliance+": buy for compliance, use for security!
Operationalize PCI DSS – then use it for other things: one WIN at a time!
Use what you have! A lot of PCI-focused gear (and data!) is useful for many things!

Slide 14: GETTING vs STAYING
Q: Would you like to get rich? Or stay rich?
A: CEO: "Silly. Both!!"
Q: Would you like to get compliant with PCI or stay compliant?
A: CEO: "Getting compliant is my focus."
WHY?

Slide 15: "Whack-an-assessor"
The PCI "game" played as "whack-an-assessor" = PAIN, PAIN, PAIN!
Instead…
Use PCI compliance for security daily, validate annually!

Slide 16: Specifically…
"Classic" example from my PCI book co-author Branden Williams

Slide 17: PCI Teachings: We Cannot Mandate "Caring"
Q: Can we mandate caring about security?
A: No
We can mandate controls, approaches, tools, but we cannot mandate "doing a good job"
Continuous compliance = doing a good job!

Slide 18: Progression from Audit to Caring

Slide 19: Checklist Mentality IS Evil!

Slide 20: PCI Teachings: People Will Fear THE KNOWN
[image] <- This is the enemy!
This is NOT the enemy! -> [image]
The audit "mad dash" only helps against the latter!
The real goal of PCI is the former – thus, continuous compliance is a MUST!

Slide 21: "Mad dash" vs Continuous
"Mad dash" compliance
Pros:
- Only takes time once a year
- Solves the immediate problem: the auditor!
Cons:
- Does NOT help security
- No side benefits realized
- Disruptive to business
- NOT strategic
Continuous compliance
Pros:
- Solves many problems
- Improves security
- Reduced cost over time
- Reduced breach costs
Cons:
- Takes time every day
- Takes effort to adopt

Slide 22: Another Way to Look at It…
Pay 1X every year: the mad dash – audit – FAIL – mad dash – audit – pass – "wheew! See ya in a year!" process
vs
Pay 10X the first year + 0.1X every year after: build technology and process, automate, operationalize – cruise through audits every year
All numbers above are made up

Slide 23: To Summarize…
"Mad dash" compliance = DONE for the auditor; teaching to the test
Continuous compliance = DONE for the benefits; teaching to succeed in life
Take your pick… you too can be a data breach media story on CNN

Slide 24: Strategic: Huh?
PCI DSS done just to "get a QSA off our backs" is TACTICAL.
If you do that, your approach to IT and information risk is also TACTICAL.
Are you OK with that?

Slide 25: How Can I "Audit" Myself Every Day?
"Silly… this is called MONITORING!"
Wouldn't it be great if attackers only hit once a year, like auditors?
Get attackers to switch to annual attacks OR monitor all the time!
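Slides 13 and 25 argue that the "self-audit" which makes compliance continuous is simply daily monitoring, but the deck does not show what such a check looks like. The script below is an added example written for this page; it is not code from the deck or from Anton Chuvakin. It runs a daily log review over constructed, made-up log lines and reports three things a PCI-minded reviewer wants every morning: in-scope hosts that sent no logs that day (a silent log source means the "daily review" of Requirement 10 could not actually happen), successful logins with vendor-default or shared accounts (Requirements 2 and 8), and failed-login bursts. The hostnames, account names, the syslog-like line format and the threshold are all assumptions for illustration.

```python
"""Daily log review as a continuous-compliance check.

Added example for this page; not code from the deck or from its author.
Hostnames, account names, the log line format and the threshold below are
assumptions made for illustration.
"""
import re
from collections import Counter
from datetime import date, datetime

# Assumed log line format: "<ISO-8601 UTC timestamp> <host> <program>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$"
)
# Assumed sshd-style authentication messages.
AUTH_RE = re.compile(r"^(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)")

# Hypothetical cardholder-data-environment inventory: each host must log every day.
IN_SCOPE_HOSTS = frozenset({"pos-db-01", "pos-web-01", "pos-fw-01"})
# Vendor-default or shared accounts that should never log in interactively.
DEFAULT_OR_SHARED = frozenset({"root", "admin", "administrator", "sa"})
FAILED_LOGIN_THRESHOLD = 5  # assumed per-day threshold per (host, user, source)
REVIEW_DATE = date(2011, 2, 11)

# Constructed sample logs (made up for this example); one line is deliberately garbled.
SAMPLE_LOGS = """\
2011-02-10T23:58:01Z pos-db-01 sshd: Accepted publickey for dba_ivan from 10.1.2.3
2011-02-11T00:12:44Z pos-db-01 sshd: Accepted password for root from 10.1.2.3
2011-02-11T02:05:10Z pos-web-01 sshd: Failed password for admin from 203.0.113.9
2011-02-11T02:05:12Z pos-web-01 sshd: Failed password for admin from 203.0.113.9
2011-02-11T02:05:14Z pos-web-01 sshd: Failed password for admin from 203.0.113.9
2011-02-11T02:05:16Z pos-web-01 sshd: Failed password for admin from 203.0.113.9
2011-02-11T02:05:18Z pos-web-01 sshd: Failed password for admin from 203.0.113.9
2011-02-11T02:05:20Z pos-web-01 sshd: Failed password for admin from 203.0.113.9
forwarder garbage: this line does not match the expected format
2011-02-11T09:30:00Z pos-web-01 sshd: Accepted publickey for ops_maria from 10.1.2.7
2011-02-12T00:00:03Z pos-db-01 sshd: Accepted publickey for dba_ivan from 10.1.2.3
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    auth = AUTH_RE.match(ev["msg"])
    if auth:
        ev.update(auth.groupdict())  # adds result, user, src
    return ev


def review_day(log_text, review_date, in_scope=IN_SCOPE_HOSTS):
    """Review one calendar day of logs and return findings for that day."""
    events_seen = Counter()   # host -> number of events on review_date
    failures = Counter()      # (host, user, src) -> failed login count
    default_logins = []       # successful logins with default/shared accounts
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1     # count, never silently drop: a parser gap is itself a finding
            continue
        if ev["ts"].date() != review_date:
            continue
        events_seen[ev["host"]] += 1
        if "result" not in ev:
            continue          # not an authentication event
        if ev["result"] == "Accepted" and ev["user"] in DEFAULT_OR_SHARED:
            default_logins.append((ev["host"], ev["user"], ev["src"]))
        elif ev["result"] == "Failed":
            failures[(ev["host"], ev["user"], ev["src"])] += 1
    silent = sorted(h for h in in_scope if events_seen[h] == 0)
    bursts = sorted((k, n) for k, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD)
    return {
        "review_date": review_date.isoformat(),
        "events_reviewed": sum(events_seen.values()),
        "unparsed_lines": unparsed,
        "silent_hosts": silent,
        "default_account_logins": default_logins,
        "failed_login_bursts": bursts,
        "compliant_today": not (silent or default_logins or bursts),
    }


if __name__ == "__main__":
    for key, value in review_day(SAMPLE_LOGS, REVIEW_DATE).items():
        print(f"{key}: {value}")
```

Run it once a day against the previous day's logs and keep the output: the dated findings are exactly the evidence a QSA asks for under "daily log review", and the silent-host check is what turns a dead log forwarder into a same-day ticket instead of a surprise at audit time.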
Slide 26: How To "Profit" From PCI DSS?
Everything you do for PCI DSS MUST have a security benefit for your organization!
Examples: log management, IDS/IPS, IdM, application security, etc.

Slide 27: How? Operationalize!!!
Learn these words:
- Operationalize
- Internalize
Stop the "compliance is being done TO me, not BY me" insanity!

Slide 28: Conclusions and Action Items
After validating that you are compliant, don't stop: CONTINUING compliance AND security is your goal, not "passing an audit."
Develop a "security and risk" mindset, not a "compliance and audit" mindset. KILL "auditor-resistant" security!
Learn how to "internalize" and "operationalize" compliance and thus gain security benefits – they come only from continuous compliance.

Slide 29: Questions?
Dr. Anton Chuvakin
Principal at SecurityWarrior, LLC
Email: anton@chuvakin.org
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
Twitter: @anton_chuvakin
Consulting: http://www.securitywarriorconsulting.com

Slide 30: More on Anton
Consultant: http://www.securitywarriorconsulting.com
Book author: "Security Warrior", "PCI Compliance", "Information Security Management Handbook", "Know Your Enemy II", "Hacker's Challenge 3", etc.
Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
Standards developer: CEE, CVSS, OVAL, etc.
Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

Editor's Notes

  • "Clarified that identification of all locations of cardholder data should include instructions for configuring the underlying software to prevent inadvertent capture or retention of cardholder data"
  • "Updated requirement to ensure that identified vulnerabilities are ranked according to risk."
  • See "How to STAY PCI DSS compliant": http://chuvakin.blogspot.com/2009/01/how-to-stay-compliant-or-ongoing-tasks.html
  • PCI assessment case study from Branden Williams (my co-author for "PCI Compliance", http://www.pcicompliancebook.info)
  • Auditor-proof security SUCKS!
  • Not getting daily compliance/security
  • Process of compliance
  • Operationalize – internalize
  • Compliance is seen as forced, not needed