3. Agenda
What are Policies?
Why are Policies Necessary?
The Parts of a Policy
What Makes a Policy Strong?
What are a Merchant’s Responsibilities?
Policy Distribution and Training
6. Why Are Policies Necessary?
Define:
What is acceptable
What is expected
Consequences
The security environment
The foundation of a secure environment
8. The parts of a policy
1.0 Purpose
Describe the purpose of the document
2.0 Scope
Identify the scope of the document
3.0 Policy
The text of the policy
4.0 Definitions
A place to define terms
9. What Makes a Policy Strong?
The traits of a strong policy:
Clear
Do not do X
Complete
What about Y and Z?
Enforceable
Executive Sponsorship
10. Sample Policy
Clean Desk Policy
Overview
The purpose of this policy is to establish a culture of security and trust for all employees at <company>. An effective clean desk effort involving the participation and support of all <company> employees can greatly protect paper documents that contain sensitive information about our clients, customers and vendors. All employees should familiarize themselves with the guidelines of this policy.
Purpose
The main reasons for a clean desk policy are:
A clean desk can produce a positive image when our customers visit the company.
It reduces the threat of a security incident as confidential information will be locked away when unattended.
Sensitive documents left in the open can be stolen by a malicious entity.
Scope
All staff, employees and entities working on behalf of <company> are subject to this policy. At known extended periods away from your desk, such as a lunch break, sensitive working papers are expected to be placed in locked drawers. At the end of the working day the employee is expected to tidy their desk and to put away all office papers. <company> provides locking desks and filing cabinets for this purpose.
Policy
The following items must be done:
Allocate time in your calendar to clear away your paperwork.
Always clear your workspace before leaving for longer periods of time.
If in doubt - throw it out.
Lock your desk and filing cabinets at the end of the day.
Lock away portable computing devices such as laptops or PDA devices.
Treat mass storage devices such as CDROM, DVD or USB drives as sensitive and secure them in a locked drawer.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
None
11. What are a Merchant’s Responsibilities?
Requirement 12: Maintain a policy that addresses information security
12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
12.1.1 Addresses all PCI DSS requirements.
12.1.2 Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment.
12.1.3 Includes a review at least once a year and updates when the environment changes.
12.2 Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).
12.3 Develop usage policies for critical employee-facing technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), e-mail usage and Internet usage) to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following:
12. Policy Distribution and Training
Distribution
There are many ways including manual and electronic
Must be traceable to be enforceable
Training
Should be ongoing
Should be traceable
Offer incentives
14. Hacking Store Credit Card Readers
May 2, 2008 by amritw
Thieves managed to replace a card reader at a Northern California grocery with a fake machine that was skimming credit and debit card information. Prior to that, thieves rigged a machine with a “sniffer” at a nearby Arco gas station; this follows multiple ATM thefts that included well-placed and stealthy video surveillance equipment. This is becoming an all too common form of theft as transaction devices are compromised at gas stations, retail outlets and ATM machines.
15. Agenda
Why is physical security so important?
What needs to be secured?
Case studies
Network Jack
Kiosk
WAP
POS Machines
Servers
17. What needs to be secured?
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.
19. What needs to be secured?
Any devices that store Cardholder data
Servers
PCs
Laptops
Network Jacks
Etc.
Any paper with cardholder data
Receipts
Reports
Etc.
20. Case Study – Network Jacks
Why do they need to be secured?
A live network jack is an access point
Case : California Insurance Company
What Happened?
What could we access?
21. Case Study – Kiosk
Why do they need to be secured?
A kiosk is a node on your network
Case : Business A has a self service kiosk in lobby
What Happened?
What could we access?
22. Case Study – WAP
Why do they need to be secured?
Wireless Access Point
Case : Retail Home Builder
What Happened?
What could we access?
23. Case Study – POS Machines
Why do they need to be secured?
They may store credit card data
Case : Cellular company has older POS that stores data in DB on machine
What Happened?
What could we access?
24. Case Study – Servers
Why do they need to be secured?
They may store credit card data
Case : Retired SQL server
What Happened?
What could we access?
26. Agenda
What are audit logs?
The importance of audit logs
Case Study
What is Required?
Automating Log Reviews
Case Study One
Case Study Two
27. What are audit logs?
Definition: Records created by hardware (servers, routers, firewalls, etc.) or software (databases, network systems, individual applications, etc.) that track when data are created, modified, transmitted or destroyed, including the identity of the user initiating the action.
28. What are audit logs?
System Actions
Updates
Security
Etc
User actions
Logins
Data Access
Etc
30. The importance of audit logs
Accountability
Who, What, Where, When!
Reconstruction
Follow the trail!
Intrusion Detection
Should that activity exist?
Problem Resolution
Transaction details
31. Case Study One : Banking
Suspicion : Someone was creating unauthorized transfers to a bank account
Action One: Review log files
Action Two: Implement new logging strategy
32. Case Study Two : Healthcare
Suspicion : Someone was accessing personal data without authorization
Action One: Review log files
Action Two: Implement:
Logging
Monitor suspects' PCs
33. Case Study Two : Healthcare
What was really Happening?
Accessing employee and patient data
Sending data offsite
Sending legal records to his girlfriend who was suing the company
Stalking the HR girl
And MUCH, MUCH, more
34. What is Required?
Must log access (PCI DSS 10.x)
Must secure logs to ensure validity (PCI DSS 10.5)
Use a tool to ensure changes do not occur (PCI DSS 10.5.5)
Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection systems (IDS) and authentication, authorization, and accounting protocol servers (PCI DSS 10.6)
Retain log files for at least one year (PCI DSS 10.7)
35. What is Required?
Must secure logs to ensure validity (PCI DSS 10.5)
Limit read-only access to those that need it
Ensure they cannot be changed
Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
Write logs for external-facing technologies onto a log server on the internal LAN.
36. What is Required? - Must Log Access (PCI DSS 10.x)
What to Log?
User access to data
Data changes
All Admin Access
Access to Audit Logs
Failed Logins
Logs Must Contain
Date and Time
User ID
Type of event
Affected Resource
Success or Failure
37. What is Required?
Use a tool to ensure changes do not occur (PCI DSS 10.5.5)
Big Brother
Tripwire
Etc.
[Figure: three snapshots of the same log at day 1, day 30 and day 60. Day 1 holds entries 12345 and abc1234; by day 30 the first entry reads 1234; by day 60 only abc1234 remains. Without an integrity tool, such alterations go unnoticed.]
38. What is Required?
Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection systems (IDS) and authentication, authorization, and accounting protocol servers (PCI DSS 10.6)
2 Ways to Review Logs
Manual
Read Every Log
Automated
Software reviews the logs
39. What is Required?
Retain log files for at least one year (PCI DSS 10.7)
3 months must be immediately available.
40. Automating Log Reviews
Manual reviews are not really useful.
Tools will take all the pressure off you.
Alerting
Constant Monitoring
Event Correlation
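The "Logs Must Contain" fields, the change-detection tool of PCI DSS 10.5.5 and the automated review above can all be shown on one small log. The following is an added example written for this page, not code from the deck; the records are constructed, and the hash chain is one way to make a stored log tamper-evident, not a description of Tripwire or Big Brother.

```python
import hashlib
import json
from collections import Counter

# Constructed sample records (not from the deck). Each carries the fields the
# "Logs Must Contain" slide lists: date/time, user ID, event type, resource, outcome.
SAMPLE_LOG = [
    {"ts": "2008-05-02T09:00:01", "user": "jdoe", "event": "login", "resource": "pos-db", "outcome": "success"},
    {"ts": "2008-05-02T09:05:10", "user": "root", "event": "admin_access", "resource": "pos-db", "outcome": "success"},
    {"ts": "2008-05-02T09:06:00", "user": "mallory", "event": "login", "resource": "pos-db", "outcome": "failure"},
    {"ts": "2008-05-02T09:06:05", "user": "mallory", "event": "login", "resource": "pos-db", "outcome": "failure"},
    {"ts": "2008-05-02T09:06:09", "user": "mallory", "event": "login", "resource": "pos-db", "outcome": "failure"},
    {"ts": "2008-05-02T09:10:00", "user": "jdoe", "event": "data_change", "resource": "pos-db"},  # outcome missing
]
REQUIRED_FIELDS = ("ts", "user", "event", "resource", "outcome")


def incomplete_records(records):
    """Indexes of records lacking a required field: a logging configuration defect to fix."""
    return [i for i, r in enumerate(records) if any(f not in r for f in REQUIRED_FIELDS)]


def failed_login_alerts(records, threshold=3):
    """Users reaching `threshold` failed logins: the kind of alert an automated daily review raises."""
    fails = Counter(r["user"] for r in records
                    if r.get("event") == "login" and r.get("outcome") == "failure")
    return sorted(user for user, n in fails.items() if n >= threshold)


def chain_digests(records):
    """Tamper-evident chain: each SHA-256 covers the record plus the previous digest,
    so editing or deleting an earlier record changes every digest after it."""
    digests, prev = [], "0" * 64
    for r in records:
        prev = hashlib.sha256((json.dumps(r, sort_keys=True) + prev).encode()).hexdigest()
        digests.append(prev)
    return digests


def first_tampered_index(records, stored_digests):
    """Recompute the chain against digests kept on the central log server.
    Returns -1 if the log is intact, else the index where records stop matching."""
    recomputed = chain_digests(records)
    for i, (fresh, saved) in enumerate(zip(recomputed, stored_digests)):
        if fresh != saved:
            return i
    return -1 if len(recomputed) == len(stored_digests) else min(len(recomputed), len(stored_digests))


if __name__ == "__main__":
    saved = chain_digests(SAMPLE_LOG)
    print("incomplete:", incomplete_records(SAMPLE_LOG))
    print("alerts:", failed_login_alerts(SAMPLE_LOG))
    print("intact:", first_tampered_index(SAMPLE_LOG, saved))
```

The digests must live somewhere the log writer cannot alter (the central log server the deck calls for); a chain stored beside the log it protects detects accidents, not a determined insider.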
42. Case Study Three
Problem : Credit card transfers over 100k per day. Manual logging is not possible.
Solution : Implement logging and alerting for transfer files.
43. Case Study Four
Problem : Access to database by DBAs and developers cannot be removed.
Solution : Implement event logging and alerting over the database.
45. Agenda
Types of testing
Vulnerability vs. Penetration Testing
Internal vs. external
Finding a qualified tester
46. Types of Testing – What is Required?
Security / Risk Assessments
Vulnerability Testing
Penetration Testing
Wireless Testing
47. Security / Risk Assessments
Looks at the security environment and risks
Performed using one of the following techniques:
Interview
Talking to staff
Etc.
Re-performance
Actually do the task
Observation
Watch someone else doing something
Examination
Look at evidence
Configurations
Policies
Etc.
48. Wireless Testing
Test for the presence of unauthorized wireless devices.
Must be done Quarterly
50. Penetration Testing
Hacking Your Systems
Internal and External
Must be done annually
After any significant changes
Network penetration
Application penetration
51. Vulnerability vs Penetration Testing
Vulnerability testing is generally automated
Nessus
GFI LANguard
Qualys
Etc.
Penetration testing follows common hacking techniques
Done by a person
Uses manual techniques and tools
52. Finding a qualified tester
For Vulnerability scans use an ASV
Required for external
For penetration tests look for a boutique firm that specializes in this practice.
Can be an internal resource if qualified and independent.