
iScan Online - PCI DSS Mobile Task Force


iScan Online presentation to the PCI DSS Mobile task force, illustrating the results of the latest 500 Android Scans

  1. iScan Online presentation for: PCI DSS Mobile Task Force, April 18, 2013
  2. Our Backgrounds
     Timeline of the presenters' scanning work: host scanners and binary scanning (1997, 1998); browser plugin scanners and network scanning (2012); mobile scanning (2013).
  3. Remember these Networks? The Good Old Days
     XP desktops with a static IP. Easy to secure. Only worry: sticky notes with passwords and customer credit card data.
     The world has changed... Security and compliance should lead and not follow.
  4. Wake Up Time
     • Mobile is moving faster than the speed of light
     • Threats, attacks and mobile data breaches are here
     • Security and compliance regulations are for yesterday's network
     Meanwhile, government in 2013 is still battling standards. USGCB audit benchmarks: 1. IE 7, 2. IE 8, 3. Windows XP, 4. Windows XP Firewall, 5. Windows Vista, 6. Windows Vista Firewall, 7. Windows 7, 8. Windows 7 Firewall, 9. Red Hat Linux 5.
  5. Protecting Card Data
     Corporate America's response to PCI: damn this is expensive.
     Today's response to PCI: Encrypt. Segment. Reduce Scope. Scan the audit zone only.
     Card data gets there how?
  6. Compliance 101
     What do we tell employees, and how does the employee respond?
     • Don't write your passwords on sticky notes.  Response: ?
     • Don't write, text, email or store cardholder data.  Response: ?
     Think users adhere to 101? Think again.
  7. 2013 - Today's Network
     Employees are mobile. The mobile cybercrime war has begun.
     Employees on the go don't care about security or compliance. They sell and take down orders!!
     Devices are on 24/7. The assessment approach has to change.
  8. In Case You Missed the Tweet
     Insecure smart mobile devices = secure & compliant PC fatality.
     [Chart: HP and Dell US 90-day PC shipments vs. Android "daily activations", Q1 2012 and Q1 2013; bar values not recoverable from the transcript]
  9. 7 billion: 2013 global population. 6.3 billion: mobile device subscriptions.
     5% stolen (loss or theft). 0% scanned (for vulnerabilities or cardholder data).
  10. Mobile Standard Work
     Step 1 Selection (purpose: protect cardholders); Step 2 Evidence (example: analyze the flow or the transaction?); Step 3 Define procedures and the specs to be assessed; Step 4 Report & Score.
     Remarks: Repeat history? Mobile threats are too fast for awaiting slow standards. Mobile standards need enforcement speed.
  11. April 2013 Mobile Scan Analysis: Android Devices
     500 smartphones and tablets (the last 500 global scans).
  12. Scan Delivery Thought Process
     • PCI Provider - assess & service
     • Acquiring Bank - compliance proof of results by MID; locate theft
     • Vendor - develops technology, standards mapping and features
     • End user - option to self-assess
  13. Mobile Scans Performed
     Standards are usually not in place until:
     • evidence is proven that procedures can be assessed
     • procedures can be analyzed to measure risk and mitigation
  14. Android Vulnerability Scan
     Severity distribution: None 79%, Low 14%, Medium 5%, High 2%.
     • CVSS scores
     • CVE numbers
     • Procedures are familiar, just like PCs but easier
     • Methodology has to change to assess mobile
  15. Three scan types: Data Discovery Scan (cardholder PAN data); Vulnerability Scan (OS & applications); Configuration Scan (OS & applications).
  16. Mobile Vulnerabilities vs. History
     [Chart: vulnerability counts for Android and Apple iOS in 2011, 2012 and Q1 2013, set against Novell, Windows and Linux in 1998-99; values not recoverable from the transcript]
  17. Vulnerable Attack Vectors
     Attack Vector                           | Threat Impact       | Remediation
     Stolen / Loss / Misplacement of Device  | Data breach         | Encrypt cardholder data
     SMS / Browser / Email Exploit           | Full device control | Patches / Configurations
     ~Some Malicious App                     | Full device control | Configuration / Patches
     Bluetooth / Tethering / NFC / Wifi      | Partial data loss   | Configuration / User Awareness
     Carrier Network / Black List            | Partial data loss   | Configuration / Policy / Awareness
  18. Mobile Configurations - Sample Configuration Results
     Configuration                                  | Severity | % Failed
     Device Storage Encryption Enabled              | 8        | 99
     Password Expires every 30 Days                 | 7        | 97
     Require Password or PIN Check (unlock device)  | 10       | 72
     Device Rooted                                  | 9        | 48
     Allows Non App Market App Installation         | 5        | 44
     18 configurations checked; all 500 devices failed something.
  19. 8% of scans had PAN data on Android
     Protect and assess the transaction? P2PE ('Point to Point Encryption').
     Cardholder data on mobile is everywhere: NFC, Google Drive, Dropbox, SMS, Contacts.
  20. Today's Network: Always connected, Anytime, Anywhere
     Yesterday - Corporate Office: Static networks are the past; data and devices are not only at corporate. Employees are on the go and working remote.
     Network Today - Remote Office: Small offices lack security and connect indirectly back to corporate, transmitting data over BYOD connections that are on and off untrusted networks.
     Network Today - Free wifi: Road warriors. Who hasn't connected to a free wifi network? Multiple network connections over ~untrusted Wifi / 4G.
     Network Today - Mobile: Employee mobile devices can now be assessed for threats, but not with historical network approaches.
  21. Mobile Audit - Fast, Easy, Affordable
     Mobile facts vs. non-mobile:
     • More likely to be stolen or lost, equating to an increase in potential cardholder breaches. ~Processing with a financial app: banks to get a call, guaranteed.
     • Vulnerabilities & configurations are equally important to assess and remediate, if not more important than on traditional PCs.
     • Are your employees storing cardholder data? Just like not writing down passwords: they are going to SMS it and store it.
  22. My Suggestions
     1. Baseline - Many existing procedures can be used from DSS 2.0
     2. Rapid Adopt - Mobile moves fast and standards should as well
     3. Influence buy-in - Individuals: Merchant, Council, Vendor, Bank, Providers
     4. Automate - Utilize XML, JSON for communication and sharing
     5. Continuous - Changes to ensure costs don't outweigh the threat
  23. Questions? More Information?
     iScan Online, Inc.
     19111 Dallas Parkway, Suite 200
     Dallas, TX 75287
     Billy Austin, President
     austin@iscanonline.com
     214-276-1148
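Slide 18 lists configuration checks by severity and failure rate. As an added example (not part of the presentation and not iScan Online's product code), here is how four of those checks can be automated against what `adb` exposes. The input is constructed text in the format of `adb shell getprop` and `adb shell settings list secure`, plus a list of file paths seen on the device. The property and setting keys used as indicators (`ro.crypto.state`, `ro.build.tags`, `lockscreen.disabled`, `lockscreen.password_type`, `install_non_market_apps`, the usual `su` paths) are assumptions about how each control is observable and are noted on each check. The 30-day password expiry check is left out because it is a DevicePolicyManager value, not something in those dumps.

```python
"""Check an Android device's configuration against the weak settings on slide 18.

Added example for this page; it is not iScan Online code. Input is constructed
text in the shape of `adb shell getprop` / `adb shell settings list secure` and
a set of file paths. The indicator keys used below are assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Device:
    props: Dict[str, str]      # from `adb shell getprop`
    settings: Dict[str, str]   # from `adb shell settings list secure`
    paths: Set[str]            # files observed on the device


@dataclass(frozen=True)
class Check:
    name: str
    severity: int                               # 1-10 scale, as on the slide
    passed: Callable[[Device], Optional[bool]]  # None = cannot be determined


def parse_getprop(text: str) -> Dict[str, str]:
    """Parse `[key]: [value]` lines."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]$", text, re.M))


def parse_settings(text: str) -> Dict[str, str]:
    """Parse `key=value` lines."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out


SU_PATHS = {"/system/bin/su", "/system/xbin/su", "/sbin/su"}


def encryption_enabled(d: Device) -> Optional[bool]:
    # Assumption: ro.crypto.state reads "encrypted" when storage encryption is on.
    state = d.props.get("ro.crypto.state")
    return None if state is None else state == "encrypted"


def pin_or_password_required(d: Device) -> bool:
    # Assumption: lockscreen.disabled=1 means no lock at all, and
    # lockscreen.password_type holds a DevicePolicyManager PASSWORD_QUALITY_*
    # value; 131072 (NUMERIC) or higher means a PIN or password, not swipe/pattern.
    if d.settings.get("lockscreen.disabled") == "1":
        return False
    quality = int(d.settings.get("lockscreen.password_type", "0") or "0")
    return quality >= 131072


def not_rooted(d: Device) -> bool:
    # Heuristic: an su binary, or a build signed with test-keys, indicates root.
    has_su = bool(d.paths & SU_PATHS)
    test_keys = "test-keys" in d.props.get("ro.build.tags", "")
    return not (has_su or test_keys)


def non_market_installs_blocked(d: Device) -> bool:
    # install_non_market_apps=1 is the "Unknown sources" toggle being on.
    return d.settings.get("install_non_market_apps", "0") != "1"


CHECKS: List[Check] = [
    Check("Device Storage Encryption Enabled", 8, encryption_enabled),
    Check("Require Password or PIN Check (unlock device)", 10, pin_or_password_required),
    Check("Device Not Rooted", 9, not_rooted),
    Check("Non App Market App Installation Blocked", 5, non_market_installs_blocked),
]
# "Password Expires every 30 Days" is a DevicePolicyManager value and is not
# visible in getprop/settings output, so it is not modelled here.


def evaluate(d: Device) -> Dict[str, Optional[bool]]:
    return {c.name: c.passed(d) for c in CHECKS}


def risk_score(results: Dict[str, Optional[bool]]) -> int:
    """Sum the severities of checks that failed or could not be verified."""
    return sum(c.severity for c in CHECKS if results[c.name] is not True)


# Constructed samples in the shape of the adb command output.
WEAK_DEVICE = Device(
    props=parse_getprop("[ro.build.tags]: [test-keys]\n[ro.crypto.state]: [unencrypted]\n"),
    settings=parse_settings("install_non_market_apps=1\nlockscreen.disabled=1\n"),
    paths={"/system/xbin/su", "/system/app/Phone.apk"},
)
HARDENED_DEVICE = Device(
    props=parse_getprop("[ro.build.tags]: [release-keys]\n[ro.crypto.state]: [encrypted]\n"),
    settings=parse_settings(
        "install_non_market_apps=0\nlockscreen.disabled=0\nlockscreen.password_type=131072\n"
    ),
    paths={"/system/app/Phone.apk"},
)

if __name__ == "__main__":
    for label, dev in (("weak", WEAK_DEVICE), ("hardened", HARDENED_DEVICE)):
        res = evaluate(dev)
        print(label, res, "risk score:", risk_score(res))
```

An unreadable indicator is scored as a failure rather than silently passed, which is the conservative choice for a compliance scan: a device that cannot show it is encrypted should not be reported as encrypted.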
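Slide 19 reports PAN data in 8% of scans. As an added example (again not the presentation's or iScan Online's code), this is a minimal data-discovery pass of the kind slide 15 calls a Data Discovery Scan, run over text pulled from a device: candidate digit runs are Luhn-validated, tagged with a coarse issuer from the leading digits, and masked to first six / last four. The SMS, contact and file records are constructed and contain only well-known test card numbers.

```python
"""Find likely primary account numbers (PANs) in text pulled from a device.

Added example for this page; it is not iScan Online code. The records below
are constructed; the card numbers in them are publicly known test numbers."""
import re
from typing import Dict, List, NamedTuple

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# part of a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def issuer(digits: str) -> str:
    """Coarse issuer from the leading digits (IIN); not an exhaustive table."""
    if digits[0] == "4":
        return "visa"
    if digits[:2] in ("34", "37"):
        return "amex"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "mastercard"
    return "unknown"


def mask(digits: str) -> str:
    """Keep first six and last four; the rest is never written to the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class Finding(NamedTuple):
    source: str
    masked_pan: str
    issuer: str


def scan_record(source: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Luhn passes one in ten random digit strings, so expect some false
        # positives (timestamps, IMEIs); runs of one repeated digit are dropped.
        if len(set(digits)) == 1 or not luhn_valid(digits):
            continue
        findings.append(Finding(source, mask(digits), issuer(digits)))
    return findings


def scan_records(records: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    for source, text in records.items():
        out.extend(scan_record(source, text))
    return out


def share_with_pan(records: Dict[str, str]) -> float:
    """Fraction of records holding at least one Luhn-valid PAN."""
    hits = sum(1 for s, t in records.items() if scan_record(s, t))
    return hits / len(records) if records else 0.0


# Constructed sample records (test card numbers only).
SAMPLE_RECORDS = {
    "sms/1": "Card for the order: 4111 1111 1111 1111 exp 09/15, thanks",
    "sms/2": "Your code is 8675309, call 214-555-0100 if it fails",
    "contacts/acme": "Acme Corp AP. Pays with 5500-0000-0000-0004, cvv on file",
    "files/orders.txt": "order 17: 378282246310005 ok; order 18: 4111111111111112 declined",
}

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f.source, f.masked_pan, f.issuer)
    print("share of records with PAN:", share_with_pan(SAMPLE_RECORDS))
```

Luhn alone is a weak filter: IMEIs are Luhn-valid 15-digit numbers and many 13-digit timestamps will also pass, so in practice findings tagged `unknown` need a fuller IIN table or a second look before they are counted toward a figure like the 8% on the slide.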