Duke PCI Training Slides
Laney Dale
  NuOpus
Agenda
 What are Policies?
 Why are Policies Necessary?
 The Parts of a Policy
 What Makes a Policy Strong?
 What are a Merchant’s Responsibilities?
 Policy Distribution and Training
What are Policies?
 Rules of Engagement
Why Are Policies Necessary?
 Define:
    What is acceptable
    What is expected
    Consequences
    The security environment
 The foundation of a secure environment
The parts of a policy
 1.0 Purpose
    Describe the purpose of the document
 2.0 Scope
    Identify the scope of the document
 3.0 Policy
    The text of the policy
 4.0 Definitions
    A place to define terms
What Makes a Policy Strong?
 The traits of a strong policy:
    Clear
         Do not do X
    Complete
         What about Y and Z?
    Enforceable
    Executive Sponsorship
Sample Policy
Clean Desk Policy
Overview
       The purpose for this policy is to establish a culture of security and trust for all employees at <company>. An effective clean desk effort
       involving the participation and support of all <Company Name> employees can greatly protect paper documents that contain sensitive
       information about our clients, customers and vendors. All employees should familiarize themselves with the guidelines of this policy.
Purpose
       The main reasons for a clean desk policy are:
                A clean desk can produce a positive image when our customers visit the company.
                It reduces the threat of a security incident as confidential information will be locked away when unattended.
                Sensitive documents left in the open can be stolen by a malicious entity.
Scope
       All staff, employees and entities working on behalf of <company> are subject to this policy. At known extended periods away from your
       desk, such as a lunch break, sensitive working papers are expected to be placed in locked drawers. At the end of the working day the
       employee is expected to tidy their desk and to put away all office papers. <Company> provides locking desks and filing cabinets for this
       purpose.

Policy
         The following items must be done:
               Allocate time in your calendar to clear away your paperwork.
               Always clear your workspace before leaving for longer periods of time.
               If in doubt - throw it out.
               Lock your desk and filing cabinets at the end of the day.
               Lock away portable computing devices such as laptops or PDA devices.
               Treat mass storage devices such as CD-ROM, DVD or USB drives as sensitive and secure them in a locked drawer.
         Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of
         employment.

Definitions
        None
What are a Merchant’s Responsibilities?
 Requirement 12: Maintain a policy that addresses information security

 12.1    Establish, publish, maintain, and disseminate a security policy that accomplishes
  the following:
     12.1.1         Addresses all PCI DSS requirements.
     12.1.2         Includes an annual process that identifies threats, and vulnerabilities,
       and results in a formal risk assessment.
     12.1.3         Includes a review at least once a year and updates when the
       environment changes.

 12.2 Develop daily operational security procedures that are consistent with requirements
  in this specification (for example, user account maintenance procedures, and log review
  procedures).

 12.3    Develop usage policies for critical employee-facing technologies (for example,
  remote-access technologies, wireless technologies, removable electronic media, laptops,
  personal data/digital assistants (PDAs), e-mail usage and Internet usage) to define
  proper use of these technologies for all employees and contractors. Ensure these usage
  policies require the following:
Policy Distribution and Training
 Distribution
    There are many ways including manual and electronic
    Must be traceable to be enforceable
 Training
    Should be ongoing
    Should be traceable
    Offer incentives
Hacking Store Credit Card Readers
May 2, 2008 by amritw
Thieves managed to replace a card reader at a Northern California grocery
with a fake machine that was skimming credit and debit card information.
Prior to that thieves rigged a machine with a “sniffer” at a nearby Arco gas
station; this follows multiple ATM thefts that included well-placed and
stealthy video surveillance equipment. This is becoming an all too common
form of theft as transaction devices are compromised at gas stations, retail
outlets and ATM machines.
Agenda
 Why is physical security so important?
 What needs to be secured?
 Case studies
    Network Jack
    Kiosk
    WAP
    POS Machines
    Servers
Why is physical security so important?
What needs to be secured?
 Any physical access to data or systems that house
 cardholder data provides the opportunity for
 individuals to access devices or data and to remove
 systems or hardcopies, and should be appropriately
 restricted.
What needs to be secured?
 Any devices that store Cardholder data
    Servers
    PC’s
    Laptops
    Network Jacks
    Etc.
 Any paper with cardholder data
    Receipts
    Reports
    Etc.
Case Study – Network Jacks
 Why do they need to be secured?
   A live network jack is an access point
 Case: California Insurance Company
 What Happened?
 What could we access?
Case Study – Kiosk
 Why do they need to be secured?
   A kiosk is a node on your network
 Case: Business A has a self-service kiosk in the lobby
 What Happened?
 What could we access?
Case Study – WAP
 Why do they need to be secured?
    Wireless Access Point
 Case: Retail Home Builder
 What Happened?
 What could we access?
Case Study – POS Machines
 Why do they need to be secured?
   They may store credit card data
 Case: Cellular company has an older POS that stores data
  in a DB on the machine
 What Happened?
 What could we access?
Case Study – Servers
 Why do they need to be secured?
   They may store credit card data
 Case: Retired SQL server
 What Happened?
 What could we access?
Agenda
 What are audit logs?
 The importance of audit logs
    Case Study
 What is Required?
 Automating Log Reviews
    Case Study One
    Case Study Two
What are audit logs?
 Definition: Records created by hardware (servers,
 routers, firewalls, etc.) or software (databases,
 network systems, individual applications, etc.) that
 track when data are created, modified, transmitted or
 destroyed, including the identity of the user initiating
 the action.
What are audit logs?
 System Actions
    Updates
    Security
    Etc
 User actions
    Logins
    Data Access
    Etc
Audit Logs
The importance of audit logs
 Accountability
    Who, What, Where, When!
 Reconstruction
    Follow the trail!
 Intrusion Detection
    Should that activity exist?
 Problem Resolution
    Transaction details
Case Study One: Banking
 Suspicion: Someone was creating unauthorized
 transfers to a bank account
 Action One: Review log files
 Action Two: Implement new logging strategy
Case Study Two: Healthcare
 Suspicion: Someone was accessing personal data
 without authorization
 Action One: Review log files
 Action Two: Implement:
    Logging
    Monitoring of the suspect’s PCs
Case Study Two: Healthcare
 What was really happening?
 Accessing employee and patient data
 Sending data offsite
 Sending legal records to his girlfriend, who was suing
  the company
 Stalking the HR girl
 And MUCH, MUCH more
What is Required?
 Must Log Access (PCI DSS 10.x)
 Must Secure Logs to ensure validity (PCI DSS 10.5)
 Use a tool to ensure changes do not occur (PCI DSS 10.5.5)
 Review logs for all system components at least daily.
  Log reviews must include those servers that perform
  security functions like intrusion-detection system
  (IDS) and authentication, authorization, and
  accounting protocol (PCI DSS 10.6)
 Retain log files for at least one year (PCI DSS 10.7)
What is Required?
 Must Secure Logs to ensure validity (PCI DSS 10.5)
    Limit read-only access to those that need it
    Ensure they cannot be changed
 Promptly back up audit trail files to a centralized log
  server or media that is difficult to alter.
 Write logs for external-facing technologies onto a log
  server on the internal LAN.
What is Required? - Must Log Access (PCI DSS 10.x)
 What to Log?
    User access to data
    Data changes
    All Admin Access
    Access to Audit Logs
    Failed Logins
 Logs Must Contain
    Date and Time
    User ID
    Type of event
    Affected Resource
    Success or Failure
What is Required?
 Use a tool to ensure changes do not occur (PCI DSS 10.5.5)
   Big Brother
   TripWire
   Etc.

 Illustration: the same log as read on three different days; without an integrity tool, entries are altered or disappear over time

   Log, day 1  | Log, day 30 | Log, day 60
   12345       | 1234        | abc1234
   abc1234     | abc1234     |
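The following Python script is an added example (not from the slides and not the code of any tool named above) showing the idea behind an integrity tool applied to a log file: every record carries a hash that chains it to the record before it, so the kind of alteration and disappearance shown in the day 1 / day 30 / day 60 illustration becomes detectable at a specific line. The record contents, user IDs and the "anchor" (the last hash copied to a central log server) are constructed for the example.

```python
"""Tamper-evident audit log as a hash chain (added example, not from the slides).

Each record stores the hash of the record before it, so deleting, altering or
reordering a line breaks the chain at a known position. The last hash is kept
off-box (here just held in a variable called the anchor) so that truncating
the file is detected too, which is why the slides say to copy audit trails
promptly to a central log server.
"""
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used for the very first record

# Constructed sample records; the user IDs echo the slide's illustration.
SAMPLE_RECORDS = [
    "2008-05-02T09:00:00Z uid=12345 event=login resource=pos-01 result=success",
    "2008-05-02T09:05:00Z uid=abc1234 event=admin_access resource=db-01 result=success",
    "2008-05-02T09:07:00Z uid=12345 event=data_read resource=cardholder_db result=success",
]


def _digest(seq: int, prev: str, record: str) -> str:
    """Bind a record to its sequence number and to the hash of its predecessor."""
    return hashlib.sha256(f"{seq}\n{prev}\n{record}".encode("utf-8")).hexdigest()


def append_record(chain: list, record: str) -> list:
    """Append one record to the chain (a list of JSON lines) and return the chain."""
    seq = len(chain)
    prev = json.loads(chain[-1])["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "record": record,
             "hash": _digest(seq, prev, record)}
    chain.append(json.dumps(entry, sort_keys=True))
    return chain


def verify_chain(chain: list, anchor_hash: str = None) -> tuple:
    """Return (True, -1) if the chain is intact, else (False, index of first break).

    A deleted line is reported at the line that followed it (its sequence number
    and 'prev' no longer fit); an altered line is reported at itself (its stored
    hash no longer matches its content). Lines chopped off the end can only be
    noticed if the caller supplies the last hash it recorded elsewhere, in which
    case the break is reported at len(chain).
    """
    expected_prev = GENESIS
    for i, line in enumerate(chain):
        entry = json.loads(line)
        if entry["seq"] != i or entry["prev"] != expected_prev:
            return False, i
        if _digest(entry["seq"], entry["prev"], entry["record"]) != entry["hash"]:
            return False, i
        expected_prev = entry["hash"]
    if anchor_hash is not None and expected_prev != anchor_hash:
        return False, len(chain)
    return True, -1


def build_sample_chain() -> list:
    """Chain the constructed sample records."""
    chain = []
    for record in SAMPLE_RECORDS:
        append_record(chain, record)
    return chain


def demo() -> dict:
    """Run the verifier over an intact chain and three tampered copies of it."""
    intact = build_sample_chain()
    anchor = json.loads(intact[-1])["hash"]   # what the central log server would hold

    deleted = intact[:1] + intact[2:]          # middle record removed

    altered = list(intact)                     # "12345" edited to "1234" in record 2
    entry = json.loads(altered[2])
    entry["record"] = entry["record"].replace("12345", "1234")
    altered[2] = json.dumps(entry, sort_keys=True)

    truncated = intact[:2]                     # last record chopped off

    return {
        "intact": verify_chain(intact, anchor),
        "deleted": verify_chain(deleted, anchor),
        "altered": verify_chain(altered, anchor),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, anchor),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} intact={result[0]} break_at={result[1]}")
```

The truncation case is the one to notice: a chain by itself says nothing about records removed from the end, which is exactly what an attacker who reaches the log host would do. The anchor hash held on a separate, hardened log server is what closes that gap, matching the slide's point about backing up audit trails promptly to media that is difficult to alter.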
What is Required?
 Review logs for all system components at least daily.
  Log reviews must include those servers that perform
  security functions like intrusion-detection system
  (IDS) and authentication, authorization, and
  accounting protocol (PCI DSS 10.6)
 2 Ways to Review Logs
   Manual
        Read every log
   Automated
        Software reviews the logs
What is Required?
 Retain log files for at least one year (PCI DSS 10.7)
 3 months must be immediately available.
Automating Log Reviews
 Manual reviews are not really useful.
 Tools will take all the pressure off of you.
    Alerting
    Constant Monitoring
    Event Correlation
Case Study Three
 Problem: Credit card transfers over 100k per day.
 Manual logging is not possible
 Solution: Implement logging and alerting for transfer
 files.
Case Study Four
 Problem: Access to the database by DBAs and developers
  cannot be removed.
 Solution: Implement event logging and alerting over
  the database
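The following Python script is an added example (not from the slides) that serves two of the passages above: it checks every record for the five elements listed under "Logs Must Contain" (date and time, user ID, type of event, affected resource, success or failure), then applies the kind of alerting and event-correlation rules the "Automating Log Reviews" slide and case studies three and four call for. The key=value log format, the account names, the thresholds and the audit-log path are all constructed for the example.

```python
"""Automated audit-log review (added example, not from the slides).

Validates each record against the required elements, then runs three rules:
several failed logins followed by a success for the same account (event
correlation), privileged database accounts touching cardholder data (case
study four), and any access to the audit trail itself.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Elements every record must carry (the slide's "Logs Must Contain" list).
REQUIRED_FIELDS = ("ts", "uid", "event", "resource", "result")

# Constructed sample log in a key=value format; nothing here is real data.
SAMPLE_LOG = """\
ts=2008-05-02T09:00:00Z uid=jsmith event=login resource=pos-app result=failure
ts=2008-05-02T09:00:20Z uid=jsmith event=login resource=pos-app result=failure
ts=2008-05-02T09:00:41Z uid=jsmith event=login resource=pos-app result=failure
ts=2008-05-02T09:01:05Z uid=jsmith event=login resource=pos-app result=success
ts=2008-05-02T09:10:00Z uid=dba01 event=db_query resource=cardholder_db.pan result=success
ts=2008-05-02T09:12:00Z uid=root event=file_read resource=/var/log/audit/audit.log result=success
ts=2008-05-02T09:15:00Z uid=clerk7 event=data_read resource=orders result=success
uid=ghost event=data_read resource=orders
"""

# Assumed policy inputs; a real deployment takes these from its own policy.
DBA_ACCOUNTS = {"dba01", "dev02"}           # accounts whose DB access cannot be removed
CARDHOLDER_PREFIX = "cardholder_db"         # resources holding cardholder data
AUDIT_LOG_PREFIX = "/var/log/audit/"        # where the audit trail lives
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=5)

_KV = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> dict:
    """Turn one 'key=value key=value ...' line into a dict."""
    return dict(_KV.findall(line))


def missing_fields(record: dict) -> list:
    """Names of required elements absent from a record, in REQUIRED_FIELDS order."""
    return [f for f in REQUIRED_FIELDS if f not in record]


def review_log(text: str) -> list:
    """Scan a whole log and return alert dicts in the order they were raised."""
    alerts = []
    recent_failures = defaultdict(deque)  # uid -> timestamps of failed logins in window

    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_record(line)

        missing = missing_fields(rec)
        if missing:   # a record you cannot attribute or time-stamp is itself a finding
            alerts.append({"rule": "incomplete_record", "line": lineno,
                           "uid": rec.get("uid", "?"),
                           "detail": "missing " + ",".join(missing)})
            continue

        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        uid, event, resource, result = rec["uid"], rec["event"], rec["resource"], rec["result"]

        # Event correlation: failures for one account, then a success, inside the window.
        if event == "login":
            window = recent_failures[uid]
            while window and ts - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            if result == "failure":
                window.append(ts)
            elif result == "success" and len(window) >= FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "brute_force_then_success", "line": lineno,
                               "uid": uid,
                               "detail": f"{len(window)} failures before success"})
                window.clear()

        # Case study four: privileged accounts reaching cardholder data are logged and alerted on.
        if uid in DBA_ACCOUNTS and resource.startswith(CARDHOLDER_PREFIX):
            alerts.append({"rule": "privileged_cardholder_access", "line": lineno,
                           "uid": uid, "detail": resource})

        # Access to the audit trail itself is always reviewed.
        if resource.startswith(AUDIT_LOG_PREFIX):
            alerts.append({"rule": "audit_log_access", "line": lineno,
                           "uid": uid, "detail": f"{event} {resource}"})

    return alerts


if __name__ == "__main__":
    for alert in review_log(SAMPLE_LOG):
        print(f"line {alert['line']:>2}  {alert['rule']:<28} uid={alert['uid']:<8} {alert['detail']}")
```

Run on the sample, the reviewer raises one alert per rule plus one for the final record, which lacks a timestamp and a result and so could never be used for the "who, what, where, when" accountability the slides describe. In practice the records would be emitted in a structured format by the application and the rules would run continuously in a log-management or SIEM tool rather than as a one-off script.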
Agenda
 Types of testing
 Vulnerability vs. Penetration Testing
 Internal vs. external
 Finding a qualified tester
Types of Testing – What is Required?
 Security / Risk Assessments
 Vulnerability Testing
 Penetration Testing
 Wireless Testing
Security / Risk Assessments
 Looks at the security environment and risks
 Performed using one of the following techniques:
    Interview
         Talking to staff, etc.
    Re-Performance
         Actually do the task
    Observation
         Watch someone else doing something
    Examination
         Look at evidence: configurations, policies, etc.
Wireless Testing
 Test for the presence of unauthorized wireless devices.
 Must be done Quarterly
Vulnerability Testing
 Internal and External
 Quarterly
 After any changes
 External must be done by an ASV
Penetration Testing
 Hacking Your Systems
 Internal and External
 Must be done annually
 After any significant changes
 Network penetration
 Application penetration
Vulnerability vs Penetration Testing
 Vulnerability testing is generally automated
    Nessus
    GFI Languard
    Qualys
    Etc.
 Penetration testing follows common hacking
 techniques
   Done by a person
   Uses manual techniques and tools
Finding a qualified tester
 For Vulnerability scans use an ASV
    Required for external
 For Penetration tests look for a boutique firm that
 specializes in this practice.
   Can be an internal resource if qualified and
    independent.
Questions