Sergey Gordeychik, Security Metrics for PCI DSS Compliance

1. Measuring Security: Security Metrics for PCI DSS Compliance
   Sergey Gordeychik, Security Lab by Positive Technologies

2. What is PCI DSS?
   - QSA audits?
   - ASV scans?
   - Pentests?
   - Web application security assessment?

3-4. What is PCI DSS?
   - Building up the process of maintaining IS in a secure (and compliant) condition!
     - The process of monitoring and audit (ISO 27001 A.15.2…)
       - QSA audits?
       - ASV scans?
       - Pentests?
       - Web application security assessment?

5. Black-and-white approach
   - The technical orientation of PCI provokes auditors into a black-and-white (red-and-yellow) result
     - Not in compliance!
     - In compliance!
   - Reality is much more complicated…

6. Example: Updating Oracle
   - Auditor:
     - There are some problems with Oracle
   - Company:
     - Consultation with developers
     - Waiting for approval
     - Testing
     - Deployment

7. Example: Updating Oracle. What to do?!!
   - Speed up the process?
   - Update at one's own risk?
   - Restrict access with a firewall?
   - Migrate the application to a terminal server?
   - Implement a customized IPS?

8. What is good and what is bad?
   - How to measure the current level of compliance in a non-binary format?
   - How to divide the process of compliance maintenance into measurable tasks?
   - How to assess planned and current expenses?

9. Security metrics
   - Explicitly measured, no "expert opinion"
   - Available for calculation and analysis (automatically, if possible)
   - Rendered quantitatively (not just "high", "medium", "low")
   - Measured in units that fit the analysis (such as "errors", "hours", "cost")
   - Comprehensible, pointing to the problem area and possible solutions (the "So what?" test)

10. Compliance with respect to requirements

11. Compliance with respect to hosts

12. Compliance with respect to hosts and requirements

13. Compliance
   - How many PCI requirements do we violate?
   - What violations are the most common?
   - What issues should be addressed first?

14. Good, but not enough!
   - Allows you to trace a course of action
   - Allows you to observe the dynamics
   - Unable to provide a comprehensible engineering estimate!

15. Labor input metrics
   - Allow you to assess planned and current labor input in achieving the goal
     - Labor input in bringing the system into compliance
     - Justification of the chosen compensating controls
     - Assessment of spent resources
   - Differentiation of types of modifications
     - Patch installation
     - Version update
     - Configuration modification
     - Code change
     - …

16. Labor input metrics

17. Process metrics
   - Are generated on the basis of Compliance and its derivatives
     - Quantity and percentage of workstations with anti-virus software installed
     - Quantity and percentage of hosts that comply with patch-management requirements
     - Quantity and percentage of DBMS servers that comply with password requirements
     - Quantity and percentage of network devices that comply with security requirements

18. Process metrics
   - Example with Oracle
     - Convergence on hosts: from 20 days to eternity
     - Maximum compliance level: 23%
   - Perhaps it's better not to think of installing Oracle patches at all?
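The compliance views of slides 10 to 13 and the process metric of slide 18, worked through as an added example that is not part of the deck: a host x requirement matrix of check results yields per-requirement, per-host and overall compliance percentages plus a ranking of violations, and a per-host "days to compliance" table gives the slide 18 convergence range and the ceiling the patch process reaches. Host names, requirement labels and all results are constructed sample data.

```python
"""Compliance and process metrics over a host x requirement matrix.
Added example, not from the original deck: hosts, requirement labels and
results are constructed sample data (labels mimic PCI DSS numbering only)."""
from collections import Counter

# Constructed sample: True = host passes the check, False = violation.
CHECKS = {
    "db-01":  {"6.1 patching": False, "8.2 passwords": True,  "5.1 anti-virus": True},
    "db-02":  {"6.1 patching": False, "8.2 passwords": False, "5.1 anti-virus": True},
    "web-01": {"6.1 patching": True,  "8.2 passwords": True,  "5.1 anti-virus": False},
    "ws-17":  {"6.1 patching": True,  "8.2 passwords": True,  "5.1 anti-virus": True},
}
# Constructed sample for the process metric: days after patch release until
# each DBMS host became compliant; None = never reached compliance.
PATCH_DAYS = {"db-01": 20, "db-02": None, "db-03": 45, "db-04": None}


def compliance_by_requirement(checks):
    """Slide 10 view: percentage of hosts passing each requirement."""
    reqs = sorted({r for res in checks.values() for r in res})
    return {r: 100 * sum(res.get(r, False) for res in checks.values()) / len(checks)
            for r in reqs}


def compliance_by_host(checks):
    """Slide 11 view: percentage of requirements each host passes."""
    return {h: 100 * sum(res.values()) / len(res) for h, res in checks.items()}


def overall_compliance(checks):
    """Slide 12 view: one non-binary number for the whole matrix."""
    cells = [ok for res in checks.values() for ok in res.values()]
    return 100 * sum(cells) / len(cells)


def violations_ranked(checks):
    """Slide 13: most common violations first, with affected host counts."""
    return Counter(r for res in checks.values()
                   for r, ok in res.items() if not ok).most_common()


def convergence(patch_days):
    """Slide 18 process metric: how fast hosts converge on compliance and the
    ceiling the process reaches (share of hosts that ever got there)."""
    done = [d for d in patch_days.values() if d is not None]
    return {"fastest_days": min(done, default=None),
            "slowest_days": max(done, default=None),
            "never_converged": len(patch_days) - len(done),
            "max_level_pct": 100 * len(done) / len(patch_days)}
```

Fed with real scanner output instead of the constructed dictionaries, the same functions give the per-requirement, per-host and convergence figures the slides plot.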
19. Comparison with the world level
   - What about others?
   - Is my level acceptable?
   - Perhaps I needn't do anything?

20. Web application vulnerability research, 2008
   - Scope of research:
     - Automatic mode: approximately 10,000 hosts
     - Detailed analysis: approximately 1,000 hosts
   - Results:
     - The security level of most websites is low
     - Detection of vulnerabilities and of their exploitation methods is automated
     - Web Application Security Consortium, preliminary data

21. Distribution of websites according to the number of detected vulnerabilities (2008)

22. The most common vulnerabilities

23. To compromise a website, attackers usually exploit…
   - Analysis of a compromised website exposes a pack of vulnerabilities, one third of which could be exploited by an attacker

24. How soon can these issues be solved?
   - Whitehat Security

25. Thank you for your attention!
   Sergey Gordeychik
   http://gordeys.blogspot.com
   www.ptsecurity.com
   [email_address]