SlideShare a Scribd company logo
1 of 32
What PCI DSS Taught Us About Security Dr. Anton Chuvakin Security Warrior Consulting www.securitywarriorconsulting.com September 2010
Why Are We Here? Risk of DEATH  vsRisk of $40 fine?
Outline PCI DSS Refresher PCI Helps! PCI Hurts? Lessons from PCI DSS Will compliance break security? Conclusions and Action Items
Inspiration…. “Too many have lost sight of goal which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it. “ PCI Knowledge Base by late David Taylor
What is PCI DSS or PCI? Payment Card Industry Data Security Standard Payment Card  =  Payment Card Industry =  Data Security =  Data Security Standard =
PCI Regime vs DSS Guidance Since 2004, PCI Council publishes  PCI DSS  Outlined the minimumdata security protections measures for payment card data. Defined Merchant & Service Provider Levels, and compliance validation requirements. Left the enforcement to card brands (Council doesn’t fine anybody!) Key point: PCI DSS (document) vs PCI (validation regime)
[object Object]
Do not use vendor-supplied defaults for system passwords and other security parametersBuild and Maintain a Secure Network ,[object Object]
Encrypt transmission of cardholder data and sensitiveinformation across public networksProtect Cardholder Data ,[object Object]
Develop and maintain secure systems and applicationsMaintain a Vulnerability Management Program ,[object Object]
Assign a unique ID to each person with computer access
Restrict physical access to cardholder dataImplement Strong Access Control Measures ,[object Object]
Regularly test security systems and processesRegularly Monitor and Test Networks ,[object Object],Maintain an Information Security Policy PCI DSS  = Basic Security Practices!
So, PCI Helps! MUCH more organizations KNOW about security now – due to PCI DSS DSS gave many a starting point PCI DSS has motivating “teeth” Blatant card data abuses SEEM to have decreased More people vulnerability scan due to PCI
But Also: PCI Hurts! Anti-auditor measures “suck” resources from anti-hacker measures Now we have “checkbox compliance” Security vendors fund compliance-feature development
Checklist Mentality IS Evil!
PCI Teachings REVEALED…
PCI Teachings: Leaders vs Losers
PCI Teachings: Awareness =/= Action PCI DSS raised awareness of web security "82% of websites have had at least one security issue, with 63% still having issues of HIGH severity.” (WhiteHat) Now…everybody knows that >80% of sites have XSS. So what?
PCI Teachings: The Floor CAN Be The Ceiling Compliance is the “floor” of security And a motivator to DO IT! However, many prefer to treat it as a “ceiling” Result:  breaches, 0wnage, mayhem!
PCI Teachings: We Cannot Mandate “Caring” Q: Can we mandate caring about security?  A: No We can mandate controls, approaches, tools, but we cannot mandate “doing a good job” Thus: mandatory = minimum only!
PCI Teachings: It Can be “Too Easy” and “Too Hard”
PCI Teachings: Many Would Rather Whine Than Do W1: Why don’t the brands “fix the system?” A1: They will. W2: Can we have “a risk based” standard? A2: No. 91% of people can’t spell “risk” W3: Can we do something simpler? A3: Yes! Cash.
PCI Teachings: Mandatory Beats Sensible
Observations…
PCI Teaching: $40> Your Life Risk of DEATH vs Risk of $40 fine? DOT study on seatbelts: Compliance = (Awareness + Enforcement) /  Security Benefit
PCI Teachings: Compliance and Risk … have nothing to do with each other. But you KNOW compliance and you DO NOT KNOW risk! Which one will you act on?
PCI Teachings: People Will Fear THE KNOWN               <- This is the enemy! This is NOT the enemy! -> Sadly, many organization will fear QSA more than  an attacker!
PCI Teachings: Dead Data = Secure Data Many organization cannot be taught to secure the data … but they can be taught to delete it!
?
How To “Profit” From Compliance? Everything you do for compliance, MUST have security benefit for your organization! Examples: log management, IDS/IPS, IdM, application security , etc
In Other Words… Every time you think “PCI DSS OR security,”  god kills a kitten!

More Related Content

What's hot

Leveraging Compliance for Security with SIEM and Log Management
Leveraging Compliance for Security with SIEM and Log ManagementLeveraging Compliance for Security with SIEM and Log Management
Leveraging Compliance for Security with SIEM and Log ManagementTripwire
 
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton ChuvakinUsing Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton ChuvakinAnton Chuvakin
 
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton ChuvakinAnton Chuvakin
 
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...
Navigating the Data Stream without Boiling the Ocean::  Case Studies in Effec...Navigating the Data Stream without Boiling the Ocean::  Case Studies in Effec...
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...Anton Chuvakin
 
Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'Anton Chuvakin
 
PCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
PCI DSS and Logging: What You Need To Know by Dr. Anton ChuvakinPCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
PCI DSS and Logging: What You Need To Know by Dr. Anton ChuvakinAnton Chuvakin
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...Anton Chuvakin
 
Got SIEM? Now what? Getting SIEM Work For You
Got SIEM? Now what? Getting SIEM Work For YouGot SIEM? Now what? Getting SIEM Work For You
Got SIEM? Now what? Getting SIEM Work For YouAnton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Making Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherMaking Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherAnton Chuvakin
 
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton ChuvakinSo You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton ChuvakinAnton Chuvakin
 
Choosing Your Log Management Approach: Buy, Build or Outsource
Choosing Your Log Management Approach: Buy, Build or OutsourceChoosing Your Log Management Approach: Buy, Build or Outsource
Choosing Your Log Management Approach: Buy, Build or OutsourceAnton Chuvakin
 
Enterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin
Enterprise Logging and Log Management: Hot Topics by Dr. Anton ChuvakinEnterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin
Enterprise Logging and Log Management: Hot Topics by Dr. Anton ChuvakinAnton Chuvakin
 
"Grand Challenges" of Log Management
"Grand Challenges" of Log Management"Grand Challenges" of Log Management
"Grand Challenges" of Log ManagementAnton Chuvakin
 
Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log managementBrian Honan
 
451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint SecurityAdrian Sanabria
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...Adrian Sanabria
 

What's hot (20)

Leveraging Compliance for Security with SIEM and Log Management
Leveraging Compliance for Security with SIEM and Log ManagementLeveraging Compliance for Security with SIEM and Log Management
Leveraging Compliance for Security with SIEM and Log Management
 
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton ChuvakinUsing Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
 
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
 
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...
Navigating the Data Stream without Boiling the Ocean::  Case Studies in Effec...Navigating the Data Stream without Boiling the Ocean::  Case Studies in Effec...
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...
 
Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'
 
PCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
PCI DSS and Logging: What You Need To Know by Dr. Anton ChuvakinPCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
PCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
 
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
SIEM: Is It What Is SIEMs? Security Information and Event Management Summit a...
 
Got SIEM? Now what? Getting SIEM Work For You
Got SIEM? Now what? Getting SIEM Work For YouGot SIEM? Now what? Getting SIEM Work For You
Got SIEM? Now what? Getting SIEM Work For You
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Making Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherMaking Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management Together
 
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton ChuvakinSo You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
 
Generic siem how_2017
Generic siem how_2017Generic siem how_2017
Generic siem how_2017
 
Baselining Logs
Baselining LogsBaselining Logs
Baselining Logs
 
Choosing Your Log Management Approach: Buy, Build or Outsource
Choosing Your Log Management Approach: Buy, Build or OutsourceChoosing Your Log Management Approach: Buy, Build or Outsource
Choosing Your Log Management Approach: Buy, Build or Outsource
 
Enterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin
Enterprise Logging and Log Management: Hot Topics by Dr. Anton ChuvakinEnterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin
Enterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin
 
"Grand Challenges" of Log Management
"Grand Challenges" of Log Management"Grand Challenges" of Log Management
"Grand Challenges" of Log Management
 
Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log management
 
451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
 

Similar to What PCI DSS Taught Us About Security by Dr. Anton Chuvakin

Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinAnton Chuvakin
 
PCI DSS Myths 2009: Myths and Reality
PCI DSS Myths 2009: Myths and RealityPCI DSS Myths 2009: Myths and Reality
PCI DSS Myths 2009: Myths and RealityAnton Chuvakin
 
PCI 2010: Trends and Technologies
PCI 2010: Trends and TechnologiesPCI 2010: Trends and Technologies
PCI 2010: Trends and TechnologiesAnton Chuvakin
 
PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin
PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton ChuvakinPCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin
PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton ChuvakinAnton Chuvakin
 
PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
PCI DSS-based Security: Is This For Real? by Dr. Anton ChuvakinPCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
PCI DSS-based Security: Is This For Real? by Dr. Anton ChuvakinAnton Chuvakin
 
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden WilliamsPCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden WilliamsAnton Chuvakin
 
Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...
Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...
Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...i2Coalition
 
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGPCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGhimalya sharma
 
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGPCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGhimalya sharma
 
Running with Scissors: Balance between business and InfoSec needs
Running with Scissors: Balance between business and InfoSec needsRunning with Scissors: Balance between business and InfoSec needs
Running with Scissors: Balance between business and InfoSec needsMichael Scheidell
 
The Difference Between Being Secure And Being Compliant
The Difference Between Being Secure And Being CompliantThe Difference Between Being Secure And Being Compliant
The Difference Between Being Secure And Being CompliantJohn Bedrick
 
SANS WhatWorks - Compliance & DLP
SANS WhatWorks - Compliance & DLPSANS WhatWorks - Compliance & DLP
SANS WhatWorks - Compliance & DLPNick Selby
 
Slides to the online event "Creating an effective cybersecurity strategy" by ...
Slides to the online event "Creating an effective cybersecurity strategy" by ...Slides to the online event "Creating an effective cybersecurity strategy" by ...
Slides to the online event "Creating an effective cybersecurity strategy" by ...Berezha Security Group
 
Data Security For Compliance 2
Data Security For Compliance 2Data Security For Compliance 2
Data Security For Compliance 2Flaskdata.io
 
Payment account data security – PCI DSS
Payment account data security – PCI DSSPayment account data security – PCI DSS
Payment account data security – PCI DSSsocassurance
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009   Underside Of The Compliance EcosystemPci Europe 2009   Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance Ecosystemkpatrickwheeler
 
Cal cpa meeting infosec challenge - 160511
Cal cpa meeting infosec challenge - 160511Cal cpa meeting infosec challenge - 160511
Cal cpa meeting infosec challenge - 160511Stan Stahl, PhD
 
PCI Compliance for Dummies
PCI Compliance for DummiesPCI Compliance for Dummies
PCI Compliance for DummiesLiberteks
 

Similar to What PCI DSS Taught Us About Security by Dr. Anton Chuvakin (20)

Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton Chuvakin
 
PCI DSS Myths 2009: Myths and Reality
PCI DSS Myths 2009: Myths and RealityPCI DSS Myths 2009: Myths and Reality
PCI DSS Myths 2009: Myths and Reality
 
PCI 2010: Trends and Technologies
PCI 2010: Trends and TechnologiesPCI 2010: Trends and Technologies
PCI 2010: Trends and Technologies
 
PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin
PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton ChuvakinPCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin
PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin
 
PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
PCI DSS-based Security: Is This For Real? by Dr. Anton ChuvakinPCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
 
Myths of PCI DSS
Myths of PCI DSSMyths of PCI DSS
Myths of PCI DSS
 
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden WilliamsPCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
 
Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...
Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...
Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...
 
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGPCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
 
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGPCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
 
Running with Scissors: Balance between business and InfoSec needs
Running with Scissors: Balance between business and InfoSec needsRunning with Scissors: Balance between business and InfoSec needs
Running with Scissors: Balance between business and InfoSec needs
 
The Difference Between Being Secure And Being Compliant
The Difference Between Being Secure And Being CompliantThe Difference Between Being Secure And Being Compliant
The Difference Between Being Secure And Being Compliant
 
PCI Myths
PCI MythsPCI Myths
PCI Myths
 
SANS WhatWorks - Compliance & DLP
SANS WhatWorks - Compliance & DLPSANS WhatWorks - Compliance & DLP
SANS WhatWorks - Compliance & DLP
 
Slides to the online event "Creating an effective cybersecurity strategy" by ...
Slides to the online event "Creating an effective cybersecurity strategy" by ...Slides to the online event "Creating an effective cybersecurity strategy" by ...
Slides to the online event "Creating an effective cybersecurity strategy" by ...
 
Data Security For Compliance 2
Data Security For Compliance 2Data Security For Compliance 2
Data Security For Compliance 2
 
Payment account data security – PCI DSS
Payment account data security – PCI DSSPayment account data security – PCI DSS
Payment account data security – PCI DSS
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009   Underside Of The Compliance EcosystemPci Europe 2009   Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance Ecosystem
 
Cal cpa meeting infosec challenge - 160511
Cal cpa meeting infosec challenge - 160511Cal cpa meeting infosec challenge - 160511
Cal cpa meeting infosec challenge - 160511
 
PCI Compliance for Dummies
PCI Compliance for DummiesPCI Compliance for Dummies
PCI Compliance for Dummies
 

More from Anton Chuvakin

Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsAnton Chuvakin
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?Anton Chuvakin
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinAnton Chuvakin
 
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...Anton Chuvakin
 
SOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinAnton Chuvakin
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothAnton Chuvakin
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022Anton Chuvakin
 
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton ChuvakinAnton Chuvakin
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020  Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020  Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsAnton Chuvakin
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC Anton Chuvakin
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020Anton Chuvakin
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton Chuvakin
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)Anton Chuvakin
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationAnton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton ChuvakinMaking Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton ChuvakinAnton Chuvakin
 

More from Anton Chuvakin (18)

Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less Operations
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton Chuvakin
 
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
 
SOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton Chuvakin
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022
 
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020  Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020  Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
 
Tips on SIEM Ops 2015
Tips on SIEM Ops 2015Tips on SIEM Ops 2015
Tips on SIEM Ops 2015
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics Presentation
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton ChuvakinMaking Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
 

Recently uploaded

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesSanjay Willie
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 

Recently uploaded (20)

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 

What PCI DSS Taught Us About Security by Dr. Anton Chuvakin

  • 1. What PCI DSS Taught Us About Security Dr. Anton Chuvakin Security Warrior Consulting www.securitywarriorconsulting.com September 2010
  • 2. Why Are We Here? Risk of DEATH vsRisk of $40 fine?
  • 3. Outline PCI DSS Refresher PCI Helps! PCI Hurts? Lessons from PCI DSS Will compliance break security? Conclusions and Action Items
  • 4. Inspiration…. “Too many have lost sight of goal which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it. “ PCI Knowledge Base by late David Taylor
  • 5. What is PCI DSS or PCI? Payment Card Industry Data Security Standard Payment Card = Payment Card Industry = Data Security = Data Security Standard =
  • 6. PCI Regime vs DSS Guidance Since 2004, PCI Council publishes PCI DSS Outlined the minimumdata security protections measures for payment card data. Defined Merchant & Service Provider Levels, and compliance validation requirements. Left the enforcement to card brands (Council doesn’t fine anybody!) Key point: PCI DSS (document) vs PCI (validation regime)
  • 7.
  • 8.
  • 9.
  • 10.
  • 11. Assign a unique ID to each person with computer access
  • 12.
  • 13.
  • 14. So, PCI Helps! MUCH more organizations KNOW about security now – due to PCI DSS DSS gave many a starting point PCI DSS has motivating “teeth” Blatant card data abuses SEEM to have decreased More people vulnerability scan due to PCI
  • 15. But Also: PCI Hurts! Anti-auditor measures “suck” resources from anti-hacker measures Now we have “checkbox compliance” Security vendors fund compliance-feature development
  • 19. PCI Teachings: Awareness =/= Action PCI DSS raised awareness of web security "82% of websites have had at least one security issue, with 63% still having issues of HIGH severity.” (WhiteHat) Now…everybody knows that >80% of sites have XSS. So what?
  • 20. PCI Teachings: The Floor CAN Be The Ceiling Compliance is the “floor” of security And a motivator to DO IT! However, many prefer to treat it as a “ceiling” Result: breaches, 0wnage, mayhem!
  • 21. PCI Teachings: We Cannot Mandate “Caring” Q: Can we mandate caring about security? A: No We can mandate controls, approaches, tools, but we cannot mandate “doing a good job” Thus: mandatory = minimum only!
  • 22. PCI Teachings: It Can be “Too Easy” and “Too Hard”
  • 23. PCI Teachings: Many Would Rather Whine Than Do W1: Why don’t the brands “fix the system?” A1: They will. W2: Can we have “a risk based” standard? A2: No. 91% of people can’t spell “risk” W3: Can we do something simpler? A3: Yes! Cash.
  • 24. PCI Teachings: Mandatory Beats Sensible
  • 26. PCI Teaching: $40> Your Life Risk of DEATH vs Risk of $40 fine? DOT study on seatbelts: Compliance = (Awareness + Enforcement) / Security Benefit
  • 27. PCI Teachings: Compliance and Risk … have nothing to do with each other. But you KNOW compliance and you DO NOT KNOW risk! Which one will you act on?
  • 28. PCI Teachings: People Will Fear THE KNOWN <- This is the enemy! This is NOT the enemy! -> Sadly, many organization will fear QSA more than an attacker!
  • 29. PCI Teachings: Dead Data = Secure Data Many organization cannot be taught to secure the data … but they can be taught to delete it!
  • 30. ?
  • 31. How To “Profit” From Compliance? Everything you do for compliance, MUST have security benefit for your organization! Examples: log management, IDS/IPS, IdM, application security , etc
  • 32. In Other Words… Every time you think “PCI DSS OR security,” god kills a kitten!
  • 33. What Does Future Hold? More regulation to compel the laggards More threats to challenge the leaders New approaches to compliance -mandating care? More organization understanding and measuring security Longer term: slow trend toward more secure world
  • 34. Conclusions and Action Items Kill the data– whenever you can PCI is basic security; stop whining about it - start doing it! Develop “security and risk” mindset, not “compliance and audit” mindset. Use compliance to drive security If you are doing PCI DSS and not getting a security benefit, please STOP!
  • 35. Action Item! NOW LET’S ALL GO PRACTICE INCIDENT RESPONSE!!!
  • 36. Questions? Dr. Anton Chuvakin Security Warrior Consulting Email:anton@chuvakin.org Site:http://www.chuvakin.org Blog:http://www.securitywarrior.org Twitter:@anton_chuvakin Consulting:http://www.securitywarriorconsulting.com
  • 37. Want a PCI DSS Book? “PCI Compliance” by Anton Chuvakin and Branden Williams Useful reference for merchants, vendors – and everybody else Released December 2009!
  • 38. More on Anton Now: independent consultant Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide Standard developer: CEE, CVSS, OVAL, etc Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

Editor's Notes

  1. First: we are not here to learn how to become PCI compliant!! Keynote = THINK about security and HAVE FUN, not get trained.TODO: Netherlands fine for now wearing seat belt in car (bicycle?)NHTSA study No law - no belt Enforcement + education Belief in likely enforcementIdiosyncrasy (idiocy?)SeatbeltsChance of DEATHLikelyhood of $50 fineNHTSA studyNo law - no beltEnforcement + educationBelief in likely enforcement&quot;Dumb management&quot;PCI instead of securityPCI DSS over IH to live incidentPeople like to accept the risk - of OTHERS
  2. http://www.pciknowledgebase.com/index.php?option=com_mtree&amp;task=viewlink&amp;link_id=1366&amp;Itemid=0As a banker who has been involved in audit and risk management for 20+ years, I have a beef with PCI. Too many have lost sight of goal which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it. We have removed the acceptance of risk as an option by insisting on 100% compliance. That was not the intent.Damn “PCI industry”
  3. Some folks are OK with organizations doing security ONLY because of compliance fines!!!PhilosophyDo you agree with &quot;laws against stupid?&quot;Tenuous connection of controls/practices vs outcomesCompliance is &quot;easy&quot;, security is hardIf you lose my SSN, I WANT your business to FAIL!Compliance vs risk. Or is it FOR risk?&quot;We might get hacked, but we will get audited&quot;Age of irresponsibility&apos; entitlementANTI-COMPLIANCE&quot;Checklist mentality&quot;&quot;Teaching for the test&quot;&quot;Whack-an-auditor&quot; gameInduction of &quot;mandate=ceiling&quot; thinkingNarrow focus on mandated controlsNo focus on controls effective for you!Lack of innovationSlow speed of mandate changesDifference in assessment qualityExtra diligence of post-breach assessmentTotal disconnection of compliance from security$0.71/month scansCompliance spending misaligned with riskUnhappy with compliance? Never did ANY security&quot;PCI compliance has not been “operationalized” by 95 percent of merchants&quot;
  4. While many hope for gaussian, in security – counter to intuition! – most people are below average!
  5. http://projects.webappsec.org/Web-Application-Security-Statisticshttp://www.whitehatsec.com/home/assets/presentations/09PPT/PPTstats0209.pdf
  6. CSR reference!!Thus: mandatory You can drag the horse to water … but you cannot stop her fromDrowningb) Abuse water - &lt;whatever&gt;
  7. As someone closely involved with PCI DSS, I observed this peculiarity more than a few times.Myth: PCI is too hard …“… too expensive, too complicated, too burdensome, too much for a small business, too many technologies or even unreasonable”Myth: PCI is easy: we just have to “say Yes” on SAQ and “get scanned”“What do we need to do - get a scan and answer some questions?”Reality: Not exactly - you need to:a) Get a scan – and then resolve the vulnerabilities foundb) Do all the things that the questions refer to – and prove itc) Keep doing a) and b) forever!
  8. A1 a) in 5-10 years – when you will be ready. Replace the system -&gt; bigger impact than PCI DSS!! (see interview)A2 Today if you follow you risk ass of custodial data, while being mindful of PCI requirements, likely you arrive at smth similar to PCI DSSA3 “It is not necessary to change; survival is not mandatory”
  9. 2/3 of value in OWN data, ½ is spent protecting it!Forrester report: “Custodial data has little intrinsic value in and of itself. But when it is obtained by an unauthorized party, misused, lost,or stolen, it changes state. Data that is ordinarily benign transforms into something harmful. When custodial data isspilled, it becomes “toxic” and poisons the enterprise’s air in terms of press headlines, fines, and customer complaints.Outsiders, such as organized criminals, value custodial data because they can make money with it. Custodial data alsoaccrues indirect value to the enterprise based on the costs of fines, lawsuits, and adverse publicity.”+ infrastructure to handle either kind of data, business critical processes, etc!!!Consequences&quot;PCI technology&quot; or &quot;PCI industry&quot;Custodian vs owner of dataLaws made you secure 3rd party dataYou are free to screw yourself by losing your dataPCI vs &quot;your risk&quot;Might be protecting CC &gt; your key data!
  10. + not have OWN DATA+ not have CUSTODIAN DATA+ removes CUSTODIAN DATA = protects CUSTODIAN DATA!+ protects key business processes
  11. First: we are not here to learn how to become PCI compliant!! Best insight into compliance.Link IS established: belt -&gt; less chance of death.Still, only EDUCATION + ENFORCEMENT works.Click it – or ticket! &lt;= works!Click it – don’t risk it! &lt;= FAILs!NHTSA study No law - no belt Enforcement + education Belief in likely enforcementIdiosyncrasy (idiocy?)SeatbeltsChance of DEATHLikelyhood of $50 fineNHTSA studyNo law - no beltEnforcement + educationBelief in likely enforcement&quot;Dumb management&quot;PCI instead of securityPCI DSS over IH to live incidentPeople like to accept the risk - of OTHERS
  12. http://www.visa.com/dropthedata/Drop the Data is a nationwide tour between the U.S. Chamber of Commerce and Visa, Inc. along with participating local Chambers of Commerce. The multi-city campaign is designed to make businesses aware of the risks of retaining prohibited cardholder data and educating them on actionable steps they can take to avoid storing such data.
  13. OR: Every time you think “Compliance OR security,” god kills a kitten!Profit = not ROI scam, but how to benefit from the fact that PCI exists.HACKER &lt;- This is the enemy!This is NOT the enemy! -&gt; QSASecurity first, compliance as a resultCompliance as motivation, security as actionPhilosophyDo you agree with &quot;laws against stupid?&quot;Tenuous connection of controls/practices vs outcomesCompliance is &quot;easy&quot;, security is hardIf you lose my SSN, I WANT your business to FAIL!Compliance vs risk. Or is it FOR risk?&quot;We might get hacked, but we will get audited&quot;Age of irresponsibility&apos; entitlementANTI-COMPLIANCE&quot;Checklist mentality&quot;&quot;Teaching for the test&quot;&quot;Whack-an-auditor&quot; gameInduction of &quot;mandate=ceiling&quot; thinkingNarrow focus on mandated controlsNo focus on controls effective for you!Lack of innovationSlow speed of mandate changesDifference in assessment qualityExtra diligence of post-breach assessmentTotal disconnection of compliance from security$0.71/month scansCompliance spending misaligned with riskUnhappy with compliance? Never did ANY security&quot;PCI compliance has not been “operationalized” by 95 percent of merchants&quot;
  14. Longer term: slow trend toward chasm closureSome from the 1st camp will call it “aligning security and business”, but it is not.2020http://chuvakin.blogspot.com/search/label/2020
  15. + After validating that you are compliant, don’t stop: continuous compliance AND security is your goal, not “passing an audit.”PhilosophyDo you agree with &quot;laws against stupid?&quot;Tenuous connection of controls/practices vs outcomesCompliance is &quot;easy&quot;, security is hardIf you lose my SSN, I WANT your business to FAIL!Compliance vs risk. Or is it FOR risk?&quot;We might get hacked, but we will get audited&quot;Age of irresponsibility&apos; entitlementTrendsOutsource!!! Outsource!!!You DO outsource cash storage to banks?Avoid toxic shit!E2EETokenizationDeletion before encryption!
  16. http://taosecurity.blogspot.com/2010/03/ge-cirt-joins-first.html