What PCI DSS Taught Us About Security by Dr. Anton Chuvakin

... aka “Teachings of Don PCI”

Presentation title: What PCI DSS Taught Us About Security
Brief abstract: This presentation derives some useful lessons from our industry's experience with PCI DSS. Organizations can use these lessons to improve their security programs and reduce risk as well.

Published in: Technology
  1. What PCI DSS Taught Us About Security
     Dr. Anton Chuvakin
     Security Warrior Consulting
     www.securitywarriorconsulting.com
     September 2010

  2. Why Are We Here?
     Risk of DEATH vs Risk of $40 fine?

  3. Outline
     PCI DSS Refresher
     PCI Helps!
     PCI Hurts?
     Lessons from PCI DSS
     Will compliance break security?
     Conclusions and Action Items

  4. Inspiration…
     “Too many have lost sight of the goal, which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it.”
     PCI Knowledge Base, by the late David Taylor

  5. What is PCI DSS or PCI?
     Payment Card Industry Data Security Standard
     Payment Card =
     Payment Card Industry =
     Data Security =
     Data Security Standard =

  6. PCI Regime vs DSS Guidance
     Since 2004, the PCI Council publishes PCI DSS
     Outlined the minimum data security protection measures for payment card data.
     Defined Merchant & Service Provider Levels, and compliance validation requirements.
     Left the enforcement to card brands (the Council doesn’t fine anybody!)
     Key point: PCI DSS (document) vs PCI (validation regime)
  7-13. The 12 PCI DSS Requirements
     Build and Maintain a Secure Network
       - Install and maintain a firewall configuration to protect data
       - Do not use vendor-supplied defaults for system passwords and other security parameters
     Protect Cardholder Data
       - Protect stored data
       - Encrypt transmission of cardholder data and sensitive information across public networks
     Maintain a Vulnerability Management Program
       - Use and regularly update anti-virus software
       - Develop and maintain secure systems and applications
     Implement Strong Access Control Measures
       - Restrict access to data by business need-to-know
       - Assign a unique ID to each person with computer access
       - Restrict physical access to cardholder data
     Regularly Monitor and Test Networks
       - Track and monitor all access to network resources and cardholder data
       - Regularly test security systems and processes
     Maintain an Information Security Policy
       - Maintain a policy that addresses information security
     PCI DSS = Basic Security Practices!
  14. So, PCI Helps!
     MANY more organizations KNOW about security now – due to PCI DSS
     DSS gave many a starting point
     PCI DSS has motivating “teeth”
     Blatant card data abuses SEEM to have decreased
     More people vulnerability scan due to PCI

  15. But Also: PCI Hurts!
     Anti-auditor measures “suck” resources from anti-hacker measures
     Now we have “checkbox compliance”
     Security vendors fund compliance-feature development

  16. Checklist Mentality IS Evil!

  17. PCI Teachings REVEALED…

  18. PCI Teachings: Leaders vs Losers

  19. PCI Teachings: Awareness =/= Action
     PCI DSS raised awareness of web security
     “82% of websites have had at least one security issue, with 63% still having issues of HIGH severity.” (WhiteHat)
     Now… everybody knows that >80% of sites have XSS. So what?

  20. PCI Teachings: The Floor CAN Be The Ceiling
     Compliance is the “floor” of security
     And a motivator to DO IT!
     However, many prefer to treat it as a “ceiling”
     Result: breaches, 0wnage, mayhem!

  21. PCI Teachings: We Cannot Mandate “Caring”
     Q: Can we mandate caring about security?
     A: No
     We can mandate controls, approaches, tools, but we cannot mandate “doing a good job”
     Thus: mandatory = minimum only!

  22. PCI Teachings: It Can Be “Too Easy” and “Too Hard”

  23. PCI Teachings: Many Would Rather Whine Than Do
     W1: Why don’t the brands “fix the system?”
     A1: They will.
     W2: Can we have “a risk-based” standard?
     A2: No. 91% of people can’t spell “risk”
     W3: Can we do something simpler?
     A3: Yes! Cash.

  24. PCI Teachings: Mandatory Beats Sensible

  25. Observations…

  26. PCI Teaching: $40 > Your Life
     Risk of DEATH vs Risk of $40 fine?
     DOT study on seatbelts:
     Compliance = (Awareness + Enforcement) / Security Benefit

  27. PCI Teachings: Compliance and Risk
     … have nothing to do with each other.
     But you KNOW compliance and you DO NOT KNOW risk! Which one will you act on?

  28. PCI Teachings: People Will Fear THE KNOWN
     <- This is the enemy!
     This is NOT the enemy! ->
     Sadly, many organizations will fear the QSA more than an attacker!

  29. PCI Teachings: Dead Data = Secure Data
     Many organizations cannot be taught to secure the data… but they can be taught to delete it!

  30. ?

  31. How To “Profit” From Compliance?
     Everything you do for compliance MUST have a security benefit for your organization!
     Examples: log management, IDS/IPS, IdM, application security, etc.

  32. In Other Words…
     Every time you think “PCI DSS OR security,”
     god kills a kitten!

  33. What Does the Future Hold?
     More regulation to compel the laggards
     More threats to challenge the leaders
     New approaches to compliance: mandating care?
     More organizations understanding and measuring security
     Longer term:
     slow trend toward a more secure world

  34. Conclusions and Action Items
     Kill the data, whenever you can
     PCI is basic security; stop whining about it, start doing it!
     Develop a “security and risk” mindset, not a “compliance and audit” mindset.
     Use compliance to drive security
     If you are doing PCI DSS and not getting a security benefit, please STOP!

  35. Action Item!
     NOW LET’S ALL GO PRACTICE INCIDENT RESPONSE!!!

  36. Questions?
     Dr. Anton Chuvakin
     Security Warrior Consulting
     Email: anton@chuvakin.org
     Site: http://www.chuvakin.org
     Blog: http://www.securitywarrior.org
     Twitter: @anton_chuvakin
     Consulting: http://www.securitywarriorconsulting.com

  37. Want a PCI DSS Book?
     “PCI Compliance” by Anton Chuvakin and Branden Williams
     Useful reference for merchants, vendors – and everybody else
     Released December 2009!

  38. More on Anton
     Now: independent consultant
     Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
     Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
     Standard developer: CEE, CVSS, OVAL, etc.
     Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
     Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager