Achieving PCI-DSS compliance with network security implementations
Marco Ermini
Vodafone Group Network Security

14 April 2011




1   Presentation title in footer              Confidentiality level on title master   January 3, 2013
    Department on title master                Version number on title master
What this is about
    …and what it is not about!

    This presentation is not about…
    > …what my company has done. This is a personal point of view (of course based on
      experience)
    > …explaining what the various network security devices are. You know them. If not,
      you need other BrightTalks to get better informed
    > …choosing vendors/brands – even if we may lean towards network security vendors
      versus “host based” vendors, when this makes sense
    > …discussing if you need a network security device or not, or which technology you
      do need (maybe a short note…)
    > … “off the shelf” or “vendor provided” best practices
       – you can just Google for “best practices PCI-DSS” - it will do the job!
    > I assume you need and want PCI-DSS compliance
    > I assume you care about security, as much as compliance
    > I will only touch the main points. The argument is really wide

    What you are looking for are best practices to make your investment worthwhile


Who is speaking?
    This is not a bio…


    Why are you listening to me? – 1
    > I am supposed to know what I am talking about. However I am not a compliance
      expert
       – Do not ask me about compliance, but about technology
    > Yes, that’s my daily job. No, I am not a trainer or something like that
    > No, this is not academia or pure science. There is hardly here!
    > I know what the market offers. Everyone can download Snort or nmap. It’s not about
      that
    > I have a realistic view about network security technology
    > Yes, I have been under a real attack. And not just once!
    > I am a customer of network security technology. I evaluate, test, deploy, implement,
      use them. But I don’t sell them. I will never try to contact you and sell you anything 
    > Yes, this will be my personal, partial, questionable, but realistic point of view
    > Yes, I will compare host/agent-based against network-based approaches, and I
      prefer the second

    You are not drinking from the fountain of truth. Never ever! 
Who is this for?
    Why do you care?


    Why are you listening to me? – 2
    > You are a security officer, security manager, or compliance manager, and need to…
       – of course achieve PCI-DSS compliance
    > You are a security or network engineer, or compliance manager, and need to…
       – possibly bring “real” value from your investment
       – are thinking about, or need, the network security approach for PCI-DSS
    > You are a PCI-DSS auditor, and need to…
       – understand if network security approach is valid
    > You are just curious…
       – graduate student, and/or future PCI-DSS auditor, getting into the security job
         world
       – experienced security or network personnel trying to understand network security
         appliances

    You are welcome to share your expectation, doubts, questions!


What is required by PCI-DSS?
    It is, in many senses, a technical compliance standard

    Why is PCI-DSS different from other compliance requirements?
    > Unlike others, it goes into the nitty-gritty details of technical specifications
    > For this reason, it has already required a couple of updates
    > However, like any requirement, you can have documented exceptions, if needed (e.g.
      NAT)
    > We are concentrating on the latest version, PCI DSS v 2.0
      – Changes from the previous version (1.2.1) are mainly about virtualisation and several
        clarifications
    > There are several standards:
      – Data Security Standard: how to protect cardholders’ data
      – Requirement and Security Assessment Procedures: about how to assess the
        environment
      – PIN Transaction Security
      – Various supporting documents focusing on roles like merchants, service
        providers, and so on




    The argument is extremely wide!!!
Why use a network-based approach?
    In many cases it is easier to implement

    Why should I stop at securing the PCI-DSS environment?
    > Although the standard requires isolating the zone where cardholder data are
      processed, in many cases it is easier to apply many of the requirements to the
      whole DC
    > You can leverage the investment to apply best practices to a wider zone
    > In some cases, the standard seems to encourage it (e.g. wireless devices in a PCI
      DSS zone?!?)
    > In many cases, network security appliances can be used in multiple zones, and how
      many systems you protect is just a matter of licensing
       – Caveat: management stations (we will see this later)
    > It is much easier to leverage this investment when using network-based approaches
    > In some cases, there is no choice but to use network security devices
       – for instance when the requirements specify it



    If you are forced to invest in security, make the most of it!

Let’s see the requirements
    Requirement 2

    “Do not use vendor-supplied defaults for system passwords and other security
      parameters”
    > You can use network security scanners and compliance scanners to verify that this
      is in place
       – Verify that best practices and hardening (e.g. passwords, SNMP, defaults, unneeded
         daemons…) have been implemented, through scanning of the environment
       – Some network scanners can log in to the systems and verify that policies are
         implemented. This is very often a much better approach than deploying agent-
         based solutions
       – Be sure that the vendor supports both servers and network devices
           – You need to verify for instance wireless devices, if present
           – Scan virtualisation technologies: this seems to suggest that we must verify
             hypervisors
           – Only documented daemons/services must be running
    > Must verify that newly installed systems are compliant
       – This is much better done with a scanner that detects when new systems are
         installed

    I do prefer, to a great extent, a network-based, agent-free solution for hardening
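
One way to turn the scanner output into the "only documented daemons" check and the "newly installed system" detection described above, as an added example that is not code from the presentation or its author: it reads nmap grepable (-oG) host lines, compares them with a documented per-host service inventory, and reports unknown hosts, undocumented listening services and documented services that are no longer listening. The scan output and the inventory are constructed samples.

```python
"""Compare what a network scanner discovered against the documented service
inventory of a PCI-DSS zone. Added example, not from the presentation.
Input format assumed: nmap "grepable" output (-oG); the scan output and
the baseline below are constructed samples."""
import re

# Constructed baseline: services the documentation says may listen per host.
DOCUMENTED = {
    "10.0.1.10": {"22/tcp", "443/tcp"},   # web front-end
    "10.0.1.20": {"22/tcp", "1433/tcp"},  # card database
}

# Constructed scan result in nmap -oG shape (fields are tab separated).
SCAN_OUTPUT = (
    "# Nmap scan (constructed sample)\n"
    "Host: 10.0.1.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)\n"
    "Host: 10.0.1.20 ()\tPorts: 22/open/tcp//ssh///, 1433/open/tcp//ms-sql-s///, 161/open/udp//snmp///\n"
    "Host: 10.0.1.30 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///\n"
)

# port/state/proto/owner/service/...; only the first four fields matter here
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)")


def parse_grepable(text):
    """Return {host: {"port/proto": service}} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = {}
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, proto, service in PORT_RE.findall(field):
                    if state == "open":
                        ports[f"{port}/{proto}"] = service
        hosts[host] = ports
    return hosts


def inventory_findings(scan, documented):
    """Findings: a host nobody documented (newly installed?), a listening
    service that is not documented (undocumented daemon), a documented
    service that is not listening (possibly a dead control), and a
    documented host the scanner did not see at all."""
    findings = []
    for host, ports in scan.items():
        if host not in documented:
            findings.append(("new-host", host, sorted(ports)))
            continue
        for p in sorted(set(ports) - documented[host]):
            findings.append(("undocumented-service", host, f"{p} ({ports[p]})"))
        for p in sorted(documented[host] - set(ports)):
            findings.append(("missing-service", host, p))
    for host in sorted(set(documented) - set(scan)):
        findings.append(("documented-host-not-seen", host, []))
    return findings


if __name__ == "__main__":
    for kind, host, detail in inventory_findings(parse_grepable(SCAN_OUTPUT), DOCUMENTED):
        print(f"{kind:24} {host:12} {detail}")
```

Run against a real scan, the same comparison is what lets a scheduled scan raise the "new system installed" event instead of waiting for someone to update the documentation.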
Let’s see the requirements
      Requirement 3
    “Protect stored cardholder data”
    > Tricky pitfalls for network security devices, let’s see why
    > Keep data retention to a minimum, do not store authentication/authorisation data and credit cards
      – If data is transmitted in an encrypted way (e.g. HTTPS), the Intrusion Detection/Prevention or the
        WAF often cannot see it
      – However, if they are placed after HTTPS reverse-proxies, or are instructed to decrypt the traffic,
        they may also see authentication/authorisation data, or even credit card data
      – If a signature is triggered, the IDS/IPS/WAF management station can keep a record of the
        transaction
    > How to address this?
      – Have a geographically/topologically localised management station in the zone (“manager of the
        manager” issue)?
      – Disable packet capture/logging?
      – Special policy for PCI-DSS IDS/IPS/WAF?
      – Disk encryption on the management station?
      – How do security operations people handle the packet captures attached to signature hits?

    It can be tricky, so we must plan this in advance. Also, you don’t want “special” deployments if you can avoid them
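
An added example of one of the options listed above (a special handling of the packet captures rather than disabling them), not code from the presentation or its author: before an alert payload is kept on the IDS/IPS/WAF management station, card numbers are masked to the first six and last four digits after a Luhn check, and sensitive authentication data fields are dropped outright. The payload is a constructed HTTP POST body using a well-known test card number; the list of field names treated as sensitive authentication data is an assumption.

```python
"""Mask primary account numbers (PANs) in the packet payload an IDS/IPS or
WAF attaches to an alert, and redact sensitive authentication data (CVV,
PIN), so the management station does not become a store of cardholder
data. Added example, not from the presentation; the payload is constructed
and the sensitive field names are assumed."""
import re

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run
PAN_CANDIDATE_RE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")
# form fields that carry sensitive authentication data (assumed names)
SAD_FIELD_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|pin)=([^&\s]*)")


def luhn_ok(digits):
    """Luhn check: true for every real card number, so it filters out most
    other long digit runs (order ids, timestamps) without a BIN table."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text):
    """Replace each Luhn-valid candidate with first6 + stars + last4."""
    def repl(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
            return raw                       # not a card number, keep as is
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_CANDIDATE_RE.sub(repl, text)


def redact_sad(text):
    """Sensitive authentication data must never be stored: drop the value."""
    return SAD_FIELD_RE.sub(r"\1=[redacted]", text)


def sanitise_alert_payload(text):
    """What the management station is allowed to keep for the alert."""
    return redact_sad(mask_pans(text))


# Constructed alert payload: an HTTP POST body captured by a WAF rule.
SAMPLE_PAYLOAD = ("POST /checkout HTTP/1.1\r\n\r\n"
                  "order=1234567890123456&pan=4111 1111 1111 1111&exp=1213&cvv=123")

if __name__ == "__main__":
    print(sanitise_alert_payload(SAMPLE_PAYLOAD))
```

The order number survives because it fails the Luhn check, which is the usual way to keep false positives down in capture sanitisation; the masking still has to be applied at the capture point, not afterwards, or the unmasked copy already sits on disk and is in scope.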


Let’s see the requirements
    Requirement 3


    “Protect stored cardholder data”
    > Management of encryption keys
       – Do you need HSM devices/modules?
       – Does your IDS/IPS/WAF support HSM modules?
       – How are crypto keys stored on your device?
       – How are crypto keys distributed?
       – Do you implement “split knowledge” for key management?
       – Do you monitor for key substitution/replacement?
       – Best practices for key custodians



    Again, it can be tricky, so we must plan this in advance and choose the right devices
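
To make the “split knowledge” and “key substitution” questions above concrete, here is an added example that is not code from the presentation or its author: a key is split into XOR components, one per custodian, each of which is uniformly random on its own, and a check value recorded at generation time is compared whenever the key is loaded. XOR components and a SHA-256 fingerprint are stand-ins for what an HSM provides (industry key check values are normally computed by encrypting a zero block, so the fingerprint is a labelled simplification).

```python
"""Split knowledge for a data-encryption key: each custodian holds one
component, no component alone reveals anything about the key, and the key
exists only while all components are combined. A check value stored with
the key detects substitution or replacement at load time. Added example,
not from the presentation; the fingerprint is a labelled simplification of
a key check value."""
import hashlib
import secrets


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("component length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key, custodians):
    """Return `custodians` components whose XOR is `key`. All but the last
    are fresh random bytes, so any proper subset is indistinguishable from
    random and says nothing about the key."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    return components + [last]


def combine_key(components):
    """All custodians present: rebuild the key."""
    key = bytes(len(components[0]))
    for c in components:
        key = xor_bytes(key, c)
    return key


def check_value(key):
    """Fingerprint (assumption: first 6 hex chars of SHA-256) recorded at key
    generation and compared on every load."""
    return hashlib.sha256(key).hexdigest()[:6]


def load_key(components, expected_kcv):
    """Combine and verify; a mismatch means the key being loaded is not the
    one the custodians generated (substituted, corrupt or wrong ceremony)."""
    key = combine_key(components)
    if check_value(key) != expected_kcv:
        raise ValueError("key check value mismatch: key substituted or corrupt")
    return key


if __name__ == "__main__":
    # Constructed key: in practice generated inside the HSM, never on a laptop.
    key = secrets.token_bytes(32)
    kcv = check_value(key)
    parts = split_key(key, 3)
    print("check value:", kcv)
    print("reassembled matches:", load_key(parts, kcv) == key)
```

The check value is the piece that answers “do you monitor for key replacement”: the management station keeps only the check value, never the key, and alerts when a loaded key no longer matches it.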




Let’s see the requirements
       Requirement 4

       “Encrypt transmission of cardholder data across open, public networks”
       > The following are considered public networks in scope:
          – Internet
          – Wireless technologies in general
              – GSM/GPRS networks as well
       > You must implement encryption, and take care that the IDS/IPS/WAF supports:
          – inspection of HTTPS if necessary, or is placed after reverse-proxies
          – GTP traffic, if this makes sense for you
       > Must implement wireless scanners, if this makes sense for you



       I do prefer, to a great extent, a network-based, agent-free solution for hardening
         checks!!!




Let’s see the requirements
       Requirement 6

       “Develop and maintain secure systems and applications”
       > As per requirement 2, you can use network security scanners and compliance
         scanners
          – Verify that patches are installed – both with vulnerability and compliance scanners
          – Verify that undocumented or “custom” applications/services are removed
          – Verify that there are no development tools installed in production
       > Use Web Application Scanners to scan applications for SQL injection, buffer
         overflows, XSS, CSRF, and so on
          – Suggestion: focus on OWASP top 10
          – Ensure your vendor covers the PCI-DSS requirements but also OWASP
          – PCI-DSS is inspired by OWASP




       I do prefer, to a great extent, a network-based, agent-free solution for hardening
         checks!!!


Let’s see the requirements
       Requirement 6

       “Develop and maintain secure systems and applications”
       > It is required that for externally-facing web sites, either a review is done, or a Web
         Application Firewall (WAF) is in use
       > About reviews:
          – can be performed with “automated” tools (Web Application Scanners) or manually
          – however, they must be done at least annually, and in any case after any change
          – if you find a vulnerability, you must correct it; this means you are deploying a
            change, so you must review the application again!
          – therefore it is better to plan for an automated tool anyway
       > About Web Application Firewalls (WAF)
          – you do not need to review your application
          – anyway, experience shows that it is better if you do it. Do not use the WAF as a
            scapegoat to avoid application reviews. Heard about Barracuda Networks
            recently?

       I suggest having both the WAF and an assessment of the applications, as having the WAF
         simplifies the application patching too – catch 22


Let’s see the requirements
       Requirement 6

       “Develop and maintain secure systems and applications”
       > FAQ: can I use an IDS/IPS as WAF?
          – I cannot go into great detail on this; however, I discourage it
          – They are inherently different technologies
          – All IDS/IPS vendors offer web protection functionality; however, it is not the
            same as a Web Application Firewall
          – Although you may argue about that with an auditor, if you care about real security
            and not just compliance, do not take the shortcut
          – Please feel free to ask me about details on that offline if you care.




       I suggest having both WAF and IDS/IPS. Do not use shortcuts unless you are on a
         budget


Let’s see the requirements
       Requirement 7/8

       “Restrict access to cardholder data by business need to know”
       > Use vulnerability and compliance scanners to assess that servers and network
         devices have proper RBAC in place
       > Firewalls and Access Control Systems set up with a final “deny all” rule
          – May look trivial, but sometimes it is not 
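
Why the final “deny all” is not always trivial: a chain can have a deny policy but an exception appended after an explicit drop (which then never matches), or an accept policy with no closing rule at all. As an added example, not code from the presentation or its author, the check below parses iptables-save output and reports both conditions for the INPUT and FORWARD chains; both rulesets are constructed.

```python
"""Check an iptables-save ruleset for the final "deny all" expected on
firewalls and access-control systems, and flag rules that sit after an
unconditional deny (they can never match, a common sign that someone
appended an exception in the wrong place). Added example, not from the
presentation; both rulesets are constructed."""
import re

COMPLIANT = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -d 10.0.2.20/32 -p tcp --dport 1433 -j ACCEPT
-A FORWARD -j LOG --log-prefix "PCI-DENY "
-A FORWARD -j DROP
COMMIT
"""

# Default policy ACCEPT on INPUT, and an exception appended after the deny on FORWARD.
NONCOMPLIANT = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.20.0.0/24 -p tcp --dport 22 -j ACCEPT
-A FORWARD -j DROP
-A FORWARD -s 10.0.1.0/24 -p tcp --dport 1433 -j ACCEPT
COMMIT
"""

DENY_TARGETS = {"DROP", "REJECT"}
POLICY_RE = re.compile(r"^:(\S+) (\S+) \[")
RULE_RE = re.compile(r"^-A (\S+)(.*?) -j (\S+)")


def parse_filter_table(text):
    """Return ({chain: policy}, {chain: [(match_criteria, target), ...]})."""
    policies, rules, in_filter = {}, {}, False
    for line in text.splitlines():
        if line.startswith("*"):
            in_filter = (line == "*filter")
            continue
        if not in_filter:
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            rules.setdefault(m.group(1), [])
            continue
        m = RULE_RE.match(line)
        if m:
            chain, criteria, target = m.groups()
            rules.setdefault(chain, []).append((criteria.strip(), target))
    return policies, rules


def audit_deny_all(policies, rules, chains=("INPUT", "FORWARD")):
    """A chain passes if its policy is a deny or it ends in an unconditional
    deny rule. OUTPUT is left out by default; include it if your policy
    also restricts egress."""
    findings = []
    for chain in chains:
        chain_rules = rules.get(chain, [])
        # unconditional deny: no match criteria at all, deny target
        deny_idx = next((i for i, (crit, tgt) in enumerate(chain_rules)
                         if crit == "" and tgt in DENY_TARGETS), None)
        if policies.get(chain) not in DENY_TARGETS and deny_idx is None:
            findings.append((chain, f"no final deny-all (policy {policies.get(chain)})"))
        if deny_idx is not None:
            for crit, tgt in chain_rules[deny_idx + 1:]:
                findings.append((chain, f"unreachable rule after deny: {crit} -j {tgt}"))
    return findings


if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT), ("non-compliant", NONCOMPLIANT)):
        print(name, audit_deny_all(*parse_filter_table(text)) or "OK")
```

A LOG rule before the final DROP, as in the compliant sample, is what feeds requirement 10: denied traffic at the zone boundary ends up in the syslog/SIEM trail.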


       “Assign a unique ID to each person with computer access”
       > Two-factor authentication in place for all remote access
       > This is also valid for security appliance management!
       > If you have not implemented good practices for security appliance management,
         now you must do it!



       In many cases security appliances have a very simple management model; this must
         be reviewed for PCI-DSS!!!




Let’s see the requirements
       Requirement 8

       “Assign a unique ID to each person with computer access”
       > Database protection
       > Restrict access to the databases, restrict direct user access, review database
         applications, do not use application IDs outside of applications
       > This can be achieved with a Database Activity Monitor (DAM) technology
       > Agent-based or agent-less solutions
       > I strongly suggest a combination of both, where the focus is on the agent-less
         solution
       > For specific questions contact me offline




       Database Activity Monitors are a good practice, along with a proper set-up of database
        management for the environment


Let’s see the requirements
       Requirement 9

       “Restrict physical access to cardholder data”
       > Again, if your security appliances enter into PCI-DSS scope, you must apply the
         same requirements to them
       > If you have not implemented good physical security practices for security appliance
         management, now you must do it!
       > This includes camera surveillance, badge systems and practices, logs and physical
         escort of visitors by an internal employee (e.g. PCI-DSS auditors too!) and so on
       > Usually part of the DC practices, but it may be different for security monitoring




       In many cases security appliances have a very simple management model; this must
         be reviewed for PCI-DSS!!!



Let’s see the requirements
       Requirement 10

       “Track and monitor all access to network resources and cardholder data”
       > Again, if your security appliances enter into PCI-DSS scope, you must apply the
         same requirements to them
       > You must implement audit logs for access to the management systems of the
         security devices
          – You must use individual user accounts, not generic or default users
          – You must use a time server (NTP), and verify against the company’s LDAP/AD
       > You must off-load logs to a syslog/logging server
          – Logs for IPS/IDS/firewalls and so on
          – Best to use a SEM/SIEM if you are not doing it already
       > Use a file integrity monitoring tool
          – Agent-less solutions are again my favourite

       Again, in many cases security appliances have a very simple management model, and
        SEM/SIEM are not in use
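
What the SEM/SIEM should actually look for once the management-station logs are off-loaded, as an added example that is not code from the presentation or its author: the review below parses login events from the management interfaces of the appliances and reports the two things requirements 8 and 10 care about here, logins with generic or default accounts instead of individual users, and logins from outside the management network; failed logins against default accounts are reported as well. The syslog lines are constructed in the OpenSSH “Accepted/Failed … for USER from IP” shape; the management subnet and the list of generic account names are assumptions, and the cross-check of accounts against LDAP/AD is not shown.

```python
"""Review logins on the management interfaces of security appliances:
every login should map to a named person (no generic or default accounts)
and come from the management network only; failed logins against default
accounts are reported as a brute-force indicator. Added example, not from
the presentation; log lines constructed, subnet and account list assumed."""
import ipaddress
import re

MGMT_NET = ipaddress.ip_network("10.20.0.0/24")                              # assumed
GENERIC_ACCOUNTS = {"admin", "administrator", "root", "operator", "default"}  # assumed

# Constructed sample of off-loaded syslog from two appliance management hosts.
LOG_LINES = """\
Apr 14 10:01:02 ips-mgmt-01 sshd[2201]: Accepted publickey for a.smith from 10.20.0.15 port 51234 ssh2
Apr 14 10:05:41 ips-mgmt-01 sshd[2230]: Accepted password for admin from 10.20.0.15 port 51240 ssh2
Apr 14 10:09:13 waf-mgmt-01 sshd[1180]: Accepted password for j.doe from 192.168.7.9 port 40022 ssh2
Apr 14 10:11:55 waf-mgmt-01 sshd[1187]: Failed password for root from 203.0.113.7 port 60000 ssh2
Apr 14 10:12:07 waf-mgmt-01 sshd[1187]: Failed password for invalid user test from 203.0.113.7 port 60001 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_events(text):
    """Keep only lines that match the authentication message shape."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review_logins(events, mgmt_net=MGMT_NET):
    """Return (host, user, finding) tuples in log order."""
    findings = []
    for ev in events:
        generic = ev["user"].lower() in GENERIC_ACCOUNTS
        if ev["result"] == "Accepted":
            if generic:
                findings.append((ev["host"], ev["user"], "generic or default account used"))
            if ipaddress.ip_address(ev["src"]) not in mgmt_net:
                findings.append((ev["host"], ev["user"],
                                 f"login from outside management network ({ev['src']})"))
        elif generic:
            findings.append((ev["host"], ev["user"],
                             f"failed login against default account from {ev['src']}"))
    return findings


if __name__ == "__main__":
    for host, user, finding in review_logins(parse_auth_events(LOG_LINES)):
        print(f"{host:12} {user:10} {finding}")
```

The timestamps are only comparable across appliances because of the NTP point above; without a common time source the SEM/SIEM cannot order the events from different management stations.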




Let’s see the requirements
       Requirement 11

       “Regularly test security systems and processes”
       > It goes without saying, internal network vulnerability and compliance scanners are
         often the best solution for testing systems from the internal network
       > Many scanners can scan themselves too
       > Ensure scanners also support security systems and appliances
          – Some systems, like IDS/IPS and possibly WAF, can only be scanned on the
            management network
          – Ensure scanners can also reach management networks, and networks for
            hypervisor’s management




       Ensure scanners can internally reach the whole environment and that they support a wide
        range of checks



Let’s see the requirements
       Requirement 11

       “Regularly test security systems and processes”
       > External vulnerability scanning is a requirement
       > Can be done with external or internal resources, but they must be “qualified”
       > Requirements are clearly defined for external resources, a bit less so for internal ones
       > Generally easier to use a qualified external supplier
       > Tricky for security: vulnerability data are stored outside the company’s network, which
         can be a problem for some organisations’ policies
          – Some vendors offer solutions for that
          – Some vendors’ external solutions are not secure enough



       Ensure you are using a qualified vendor and that you are not violating your own policies or
        compromising your security by using an external vendor




Let’s see the requirements
       Requirement 11

       “Regularly test security systems and processes”
       > Ensure you have IDS/IPS systems at the perimeter
          – You must verify “all the traffic at the perimeter”, but nothing prohibits checking the
            internal network too
          – You must ensure proper management of IDS/IPS
          – Must verify that they can see decrypted traffic (after reverse-proxies) and that packet
            captures are handled properly under the data retention requirements already
            explained
       > File integrity monitors



       Again, in many cases security appliances have a very simple management model; this
        must be reviewed for PCI-DSS!!!




Thank you




Project Instructions   You have been recently hired as a.docxProject Instructions   You have been recently hired as a.docx
Project Instructions You have been recently hired as a.docx
briancrawford30935
 
Thinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker VisionThinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker Vision
PECB
 
PACE-IT: Network Hardening Techniques (part 2)
PACE-IT: Network Hardening Techniques (part 2)PACE-IT: Network Hardening Techniques (part 2)
PACE-IT: Network Hardening Techniques (part 2)
Pace IT at Edmonds Community College
 
Matrix
MatrixMatrix
Matrix
Sashank Dara
 

Similar to Achieving PCI-DSS compliance with network security implementations - April 2011 (20)

Best practices in NIPS - IDC Sofia - March 2010
Best practices in NIPS - IDC Sofia - March 2010Best practices in NIPS - IDC Sofia - March 2010
Best practices in NIPS - IDC Sofia - March 2010
 
Protect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationProtect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/Reputation
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud security
 
You may be compliant...
You may be compliant...You may be compliant...
You may be compliant...
 
You may be compliant, but are you really secure?
You may be compliant, but are you really secure?You may be compliant, but are you really secure?
You may be compliant, but are you really secure?
 
IBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf MattssonIBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf Mattsson
 
Intro to-ssdl--lone-star-php-2013
Intro to-ssdl--lone-star-php-2013Intro to-ssdl--lone-star-php-2013
Intro to-ssdl--lone-star-php-2013
 
IT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
IT Essentials (Version 7.0) - ITE Chapter 13 Exam AnswersIT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
IT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
 
Presentation 10.pptx
Presentation 10.pptxPresentation 10.pptx
Presentation 10.pptx
 
Elementary-Information-Security-Practices
Elementary-Information-Security-PracticesElementary-Information-Security-Practices
Elementary-Information-Security-Practices
 
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data ProtectionISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019
 
Will your cloud be compliant
Will your cloud be compliantWill your cloud be compliant
Will your cloud be compliant
 
Corona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementCorona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat Management
 
CIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdfCIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdf
 
RSA Advisory Part I
RSA Advisory Part IRSA Advisory Part I
RSA Advisory Part I
 
Project Instructions You have been recently hired as a.docx
Project Instructions   You have been recently hired as a.docxProject Instructions   You have been recently hired as a.docx
Project Instructions You have been recently hired as a.docx
 
Thinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker VisionThinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker Vision
 
PACE-IT: Network Hardening Techniques (part 2)
PACE-IT: Network Hardening Techniques (part 2)PACE-IT: Network Hardening Techniques (part 2)
PACE-IT: Network Hardening Techniques (part 2)
 
Matrix
MatrixMatrix
Matrix
 

More from EQS Group

Blockchain: everyone wants to sell me that - but is that really right for my ...
Blockchain: everyone wants to sell me that - but is that really right for my ...Blockchain: everyone wants to sell me that - but is that really right for my ...
Blockchain: everyone wants to sell me that - but is that really right for my ...
EQS Group
 
Impact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityImpact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A Security
EQS Group
 
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHMergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
EQS Group
 
M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017
EQS Group
 
Architecting Security across global networks
Architecting Security across global networksArchitecting Security across global networks
Architecting Security across global networks
EQS Group
 
313 – Security Challenges in Healthcare IoT - ME
313 – Security Challenges in Healthcare IoT - ME313 – Security Challenges in Healthcare IoT - ME
313 – Security Challenges in Healthcare IoT - ME
EQS Group
 

More from EQS Group (6)

Blockchain: everyone wants to sell me that - but is that really right for my ...
Blockchain: everyone wants to sell me that - but is that really right for my ...Blockchain: everyone wants to sell me that - but is that really right for my ...
Blockchain: everyone wants to sell me that - but is that really right for my ...
 
Impact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityImpact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A Security
 
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHMergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
 
M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017
 
Architecting Security across global networks
Architecting Security across global networksArchitecting Security across global networks
Architecting Security across global networks
 
313 – Security Challenges in Healthcare IoT - ME
313 – Security Challenges in Healthcare IoT - ME313 – Security Challenges in Healthcare IoT - ME
313 – Security Challenges in Healthcare IoT - ME
 

Recently uploaded

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 

Recently uploaded (20)

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 

Achieving PCI-DSS compliance with network security implementations - April 2011

  • 1. Achieving PCI-DSS compliance with network security implementations
Marco Ermini
Vodafone Group Network Security
14 April 2011
1 Presentation title in footer Confidentiality level on title master January 3, 2013 Department on title master Version number on title master
  • 2. What this is about
…and what it is not about!

This presentation is not about…
> …what my company has done. This is a personal point of view (of course based on experience)
> …explaining what the various network security devices are. You know them. If not, you need other BrightTalks to get better informed
> …choosing vendors/brands – even if we may lean towards network security vendors versus “host based” vendors, when this makes sense
> …discussing if you need a network security device or not, or which technology you do need (maybe a short note…)
> …“off the shelf” or “vendor provided” best practices
  – you can just Google for “best practices PCI-DSS” - it will do the job!
> I assume you need and want PCI-DSS compliance
> I assume you care about security, as much as compliance
> I will only touch the main points. The argument is really wide

What you are looking for are best practices to make your investment worthwhile
  • 3. Who is speaking?
This is not a bio…

Why are you listening to me? – 1
> I am supposed to know what I am talking about. However I am not a compliance expert
  – Do not ask me about compliance, but about technology
> Yes, that’s my daily job. No, I am not a trainer or something like that
> No, this is not academia or pure science. There is hardly any here!
> I know what the market offers. Everyone can download Snort or nmap. It’s not about that
> I have a realistic view about network security technology
> Yes, I have been under a real attack. And not just once!
> I am a customer of network security technology. I evaluate, test, deploy, implement, use them. But I don’t sell them. I will never try to contact you and sell you anything
> Yes, this will be my personal, partial, questionable, but realistic point of view
> Yes, I will compare host/agent-based against network-based approaches, and I prefer the second

You are not drinking from the fountain of truth. Never ever!
  • 4. Who is this for?
Why do you care?

Why are you listening to me? – 2
> You are a security officer, security manager, or compliance manager, and need to…
  – of course achieve PCI-DSS compliance
> You are a security or network engineer, or compliance manager, and need to…
  – possibly get “real” value from your investment
  – are thinking about, or need, the network security approach for PCI-DSS
> You are a PCI-DSS auditor, and need to…
  – understand if the network security approach is valid
> You are just curious…
  – graduate student, and/or future PCI-DSS auditor, getting into the security job’s world
  – experienced security or network personnel trying to understand network security appliances

You are welcome to share your expectations, doubts, questions!
  • 5. What is required by PCI-DSS?
It is, in many senses, a technical compliance standard

Why is PCI-DSS different from other compliance requirements?
> Differently from others, it goes into the nitty-gritty details of technical specifications
> For this reason, it has already required a couple of updates
> However, like any requirement, you can have documented exceptions, if needed (e.g. NAT)
> We are concentrating on the latest version, PCI DSS v2.0
  – Changes from the previous version (1.2.1) are mainly about virtualisation and several clarifications
> There are several standards:
  – Data Security Standard: how to protect cardholders’ data
  – Requirements and Security Assessment Procedures: how to assess the environment
  – PIN Transaction Security
  – Various supporting documents focusing on roles like merchants, service providers, and so on

The argument is extremely wide!!!
  • 6. Why use a network-based approach?
In many cases it is easier to implement

Why should I stop securing at the PCI-DSS environment?
> Although isolating the zone where cardholders’ data are processed is required, in many cases it is easier to implement many of the requirements across the whole DC
> You can leverage the investment to apply best practices to a wider zone
> In some cases, the standard seems to encourage it (e.g. wireless devices in a PCI DSS zone?!?)
> In many cases, network security appliances can be used in multiple zones and it is just a matter of licensing how many systems you protect
  – Caveat: management stations (we will see this later)
> It is much easier to leverage this investment when using network-based approaches
> In some cases, there is no choice but to use network security devices
  – for instance when the requirements specify it

If you are forced to invest in security, make the most of it!
  • 7. Let’s see the requirements
Requirement 2 “Do not use vendor-supplied defaults for system passwords and other security parameters”
> You can use network security scanners and compliance scanners to verify that this is in place
  – Verify that best practices and hardening (e.g. passwords, SNMP, defaults, unneeded daemons…) have been implemented, through scanning of the environment
  – Some network scanners can log in to the systems and verify that policies are implemented. This is very often a much better approach than deploying agent-based solutions
  – Be sure that the vendor supports both servers and network devices
  – You need to verify wireless devices too, if present
  – Scan virtualisation technologies: this seems to suggest that we must verify hypervisors
  – Only documented daemons/services must be running
> You must verify that newly installed systems are compliant
  – This is much better done with a scanner that detects when new systems are installed

I much prefer a network-based, agent-free solution for hardening checks!!!
  • 8. Let’s see the requirements
Requirement 3 “Protect stored cardholder data”
> Tricky pitfalls for network security devices, let’s see why
> Keep data retention to a minimum, do not store authentication/authorisation data and credit card numbers
  – If data is transmitted encrypted (e.g. HTTPS), the Intrusion Detection/Prevention system or the WAF often cannot see it
  – However, if they are placed behind HTTPS reverse-proxies, or are instructed to decrypt the traffic, they may also see authentication/authorisation data, or even credit card data
  – If a signature is triggered, the IDS/IPS/WAF management station can keep a record of the transaction, including the cardholder data it carried
> How to address this?
  – Have a geographically/topologically localised management station in the zone (“manager of the manager” issue)?
  – Disable packet capture/logging?
  – Special policy for PCI-DSS IDS/IPS/WAF?
  – Disk encryption on the management station?
  – How do security operations people handle packet captures of signatures?

It can be tricky, so we must plan this in advance. Also, you don’t want “special” deployments if possible
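The pitfall on this slide, a sensor or management station retaining the PAN or the card verification value from a captured request, is usually handled by redacting the payload before it is written to disk or forwarded. The following is an added example and not code from the deck or from any IDS/IPS/WAF product: it masks Luhn-valid card numbers to the first six and last four digits (the most PCI DSS 3.3 allows to be displayed), blanks CVV-style form fields, and leaves other digit runs of card-number length, such as timestamps, untouched. The form field names and the sample request body are constructed for the example.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single spaces
# or dashes, not glued to other digits. The range covers the card brands in
# scope for PCI DSS; the separators cover how a PAN appears in a captured POST body.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data in form fields: the card verification value.
# The field names are an assumption about the payment form, not a standard.
_CVV_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)=\d{3,4}")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_candidate(match) -> str:
    """Mask a candidate PAN to first six / last four. Digit runs that fail the
    Luhn check (timestamps, session ids, order numbers) are returned unchanged
    so the alert is not corrupted by over-eager redaction."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw
    visible = set(range(6)) | set(range(len(digits) - 4, len(digits)))
    out, idx = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append(ch if idx in visible else "*")
            idx += 1
        else:
            out.append(ch)      # keep the original separators in place
    return "".join(out)


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid PAN in a captured payload."""
    return _PAN_CANDIDATE.sub(_mask_candidate, text)


def redact_cvv(text: str) -> str:
    """Blank the value of CVV-like form fields: SAD must never be retained."""
    return _CVV_FIELD.sub(lambda m: m.group(1) + "=***", text)


def redact_alert_payload(text: str) -> str:
    """What a sensor or management station should apply before an alert's
    packet capture or request body is stored or forwarded."""
    return redact_cvv(redact_pans(text))


if __name__ == "__main__":
    # Constructed request body as a WAF signature might capture it. 4111 1111
    # 1111 1111 is a well-known test card number; the timestamp is a digit run
    # of PAN length that must survive unchanged.
    payload = "POST /checkout pan=4111 1111 1111 1111&exp=1214&cvv=123&ts=1302775200000"
    print(redact_alert_payload(payload))
```

The Luhn filter is what keeps the redaction usable: without it, every 13 to 19 digit identifier in the capture would be masked and the alert would lose the context an analyst needs. Where the sensor cannot redact, the slide's alternatives (no packet capture for the PCI policy, or a dedicated, encrypted management station inside the zone) remain the options.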
  • 9. Let’s see the requirements
Requirement 3 “Protect stored cardholder data”
> Management of encryption keys
  – Do you need HSM devices/modules?
  – Do your IDS/IPS/WAF support HSM modules?
  – How are crypto keys stored on your device?
  – How are crypto keys distributed?
  – Do you implement “split knowledge” for key management?
  – Do you monitor for key substitution/replacement?
  – Best practices for key custodians

Again, it can be tricky, so we must plan this in advance. And choose the right devices
  • 10. Let’s see the requirements
Requirement 4 “Encrypt transmission of cardholder data across open, public networks”
> The following are considered public networks in scope:
  – Internet
  – Wireless technologies in general
  – GSM/GPRS networks as well
> You must implement encryption, and make sure that IDS/IPS/WAF support:
  – inspection of HTTPS if necessary, or are placed behind reverse-proxies
  – GTP traffic, if this makes sense for you
> You must implement wireless scanners, if this makes sense for you
  • 11. Let’s see the requirements
Requirement 6 “Develop and maintain secure systems and applications”
> As per requirement 2, you can use network security scanners and compliance scanners
  – Verify that patches are installed – with both vulnerability and compliance scanners
  – Verify that undocumented or “custom” applications/services are removed
  – Verify that there are no development tools installed in production
> Use Web Application Scanners to scan applications for SQL injection, buffer overflows, XSS, CSRF, and so on
  – Suggestion: focus on the OWASP Top 10
  – Ensure your vendor covers the PCI-DSS requirements but also OWASP
  – PCI-DSS is inspired by OWASP
  • 12. Let’s see the requirements
Requirement 6 “Develop and maintain secure systems and applications”
> It is required that for externally-facing web sites, either a review is done, or a Web Application Firewall (WAF) is in use
> About reviews:
  – they can be performed with “automated” tools (Web Application Scanners) or manually
  – however they must be done at least annually, and anyway after any change
  – if you find a vulnerability, you must correct it; this means you are deploying a change, so this means you must review the application again!
  – therefore it is better to plan for an automated tool anyway
> About Web Application Firewalls (WAF)
  – you do not need to review your application
  – anyway, experience shows that it is better that you do it. Do not use the WAF as a scapegoat to avoid application reviews. Heard about Barracuda Networks recently?

I suggest having both a WAF and application assessments, as having the WAF simplifies application patching too – catch 22
  • 13. Let’s see the requirements
Requirement 6 “Develop and maintain secure systems and applications”
> FAQ: can I use an IDS/IPS as a WAF?
  – I cannot go into great detail on this, however I discourage it
  – They are inherently different technologies
  – All of the IDS/IPS vendors have web protection functionality, however it is not the same as a Web Application Firewall
  – Although you may argue about that with an auditor, if you care about real security and not just compliance, do not take the shortcut
  – Please feel free to ask me about details on that off line if you care

I suggest having both a WAF and IDS/IPS. Do not use shortcuts unless you are on a budget
  • 14. Let’s see the requirements
Requirement 7/8 “Restrict access to cardholder data by business need to know”
> Use vulnerability and compliance scanners to assess that servers and network devices have proper RBAC set up in place
> Firewalls and Access Control Systems set up with a final “deny all” rule
  – May look trivial, but sometimes it is not
“Assign a unique ID to each person with computer access”
> Two-factor authentication in place for all of the remote accesses
> This is also valid for security appliance management!
> If you have not implemented good practices for security appliance management, now you must do it!

In many cases security appliances have a very simple management model, this must be reviewed for PCI-DSS!!!
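A check for the “final deny all” point on this slide, as an added example that is not part of the deck: it parses the filter table of an iptables-save dump, reports chains that neither default to DROP/REJECT nor end in a catch-all deny, and flags ACCEPT rules with no source restriction or no protocol/port restriction. The two rulesets (a weak one and a corrected one) and the 10.x address ranges are constructed for the example; iptables-save is used only because its format is plain text, the same checks apply to any firewall's rule export.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "0.0.0.0/0"            # how iptables-save spells "no address restriction"
DENY = ("DROP", "REJECT")


@dataclass
class Rule:
    chain: str
    target: str
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None
    dport: Optional[str] = None
    text: str = ""


def parse_iptables_save(dump: str) -> Dict[str, Tuple[str, List[Rule]]]:
    """Filter table of an iptables-save dump as {chain: (policy, rules)}. Only '-A'
    rules and the options the audit needs are read; a negated ('!') match counts
    as unrestricted, since "everything except X" is not a known set of hosts."""
    chains: Dict[str, Tuple[str, List[Rule]]] = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "*", "COMMIT")):
            continue
        if line.startswith(":"):                     # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains[name] = (policy, [])
            continue
        toks = shlex.split(line)
        if toks[:1] != ["-A"]:
            continue
        rule = Rule(chain=toks[1], target="", text=line)
        i, negated = 2, False
        while i < len(toks):
            opt = toks[i]
            if opt == "!":
                negated, i = True, i + 1
                continue
            val = toks[i + 1] if i + 1 < len(toks) else ""
            if opt == "-s":
                rule.src = ANY if negated else val
            elif opt == "-d":
                rule.dst = ANY if negated else val
            elif opt == "-p":
                rule.proto = None if negated else val
            elif opt == "--dport":
                rule.dport = None if negated else val
            elif opt == "-j":
                rule.target = val
            # other options (-m, -i, -o, --sport, ...) are skipped with their value
            negated, i = False, i + 2
        chains.setdefault(rule.chain, ("-", []))[1].append(rule)
    return chains


def audit_chain(policy: str, rules: List[Rule]) -> List[str]:
    """Permit only what is needed, then deny everything else explicitly: either the
    chain policy is DROP/REJECT or the last rule is a catch-all drop."""
    findings: List[str] = []
    last = rules[-1] if rules else None
    catch_all_deny = (last is not None and last.target in DENY and last.src == ANY
                      and last.dst == ANY and last.proto is None)
    if policy not in DENY and not catch_all_deny:
        findings.append(f"no final deny-all: policy is {policy} and the last rule "
                        "is not a catch-all DROP/REJECT")
    for n, r in enumerate(rules, 1):
        if r.target != "ACCEPT":
            continue
        if r.src == ANY:
            findings.append(f"rule {n} accepts from any source: {r.text}")
        if r.proto is None or (r.proto in ("tcp", "udp") and r.dport is None):
            findings.append(f"rule {n} accepts without a protocol/port restriction: {r.text}")
    return findings


def audit(dump: str) -> Dict[str, List[str]]:
    return {chain: audit_chain(policy, rules)
            for chain, (policy, rules) in parse_iptables_save(dump).items()}


# Constructed dumps: a filter between an office segment (10.10.0.0/24), the CDE
# (10.20.0.0/24) and a log collector (10.30.0.10); all addresses are made up.
WEAK = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -s 10.10.0.0/24 -d 10.20.0.5/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 10.20.0.0/24 -j ACCEPT
COMMIT
"""
HARDENED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -s 10.10.0.0/24 -d 10.20.0.5/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.20.0.0/24 -d 10.30.0.10/32 -p udp -m udp --dport 514 -j ACCEPT
COMMIT
"""
```

Running `audit(WEAK)` reports the ACCEPT policy on both chains and the second FORWARD rule twice (any source, no port), while `audit(HARDENED)` is clean. The "sometimes it is not trivial" remark on the slide is exactly the second case the parser handles: a chain whose policy is ACCEPT but that ends in an explicit `-j DROP` is fine, and a negated source (`! -s`) looks restrictive but is still "from any source" for audit purposes.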
• 15. Let’s see the requirements
Requirement 8 “Assign a unique ID to each person with computer access”
> Database protection
> Restrict access to the databases, restrict direct user accesses, review database applications, do not use application IDs outside of applications
> This can be achieved with a Database Activity Monitor (DAM) technology
> Agent or agent-less solution
> I strongly suggest a combination of both, where the focus is on the agent-less solution
> For specific questions contact me off line
Database Activity Monitors are a good practice, along with proper set up of database management for the environment
• 16. Let’s see the requirements
Requirement 9 “Restrict physical access to cardholder data”
> Again, if your security appliances enter into PCI-DSS scope, you must apply the same requirements to them
> If you have not implemented good physical security practices for security appliance management, now you must do it!
> This includes camera surveillance, badge systems and practices, logs and physical escort of visitors by an internal employee (i.e. PCI-DSS auditors too!) and so on
> Usually part of the DC practices, but it may be different for security monitoring
In many cases security appliances have a very simple management model; this must be reviewed for PCI-DSS!!!
• 17. Let’s see the requirements
Requirement 10 “Track and monitor all access to network resources and cardholder data”
> Again, if your security appliances enter into PCI-DSS scope, you must apply the same requirements to them
> You must implement audit logs on access to the management systems of the security devices
  – You must implement individual users and not use generic or default users
  – You must use a time server (NTP), and verify against the company’s LDAP/AD
> You must off-load logs to a syslog/logging server
  – Logs for IPS/IDS/firewalls and so on
  – Best to use a SEM/SIEM if you are not doing it already
> Use a file integrity monitoring tool
  – Agent-less solutions are again my favourite
Again, in many cases security appliances have a very simple management model, and SEM/SIEM are not in use
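Once the management-plane logs of the security devices are off-loaded to a syslog server or SIEM, the “individual users, no generic or default users” point on this slide becomes something you can check continuously rather than only at audit time. The following is an added example (not from the presentation; the log format is assumed, not any vendor’s) that runs over constructed syslog lines from appliance management interfaces and flags logins that are not tied to an individually named user, either because the account is a generic or default one or because it is absent from the named-user registry.

```python
"""Review security-appliance management logins for shared or default accounts.

Added example, not part of the presentation. The syslog line format
("<ts> <host> mgmt: login user=<u> src=<ip> result=<r>"), the account
lists and the log lines are all constructed for the example.
"""
import re
from collections import Counter

# Generic or vendor-default accounts that must not be used interactively
# on in-scope devices (assumed list; extend it per vendor).
GENERIC_ACCOUNTS = {"admin", "root", "administrator", "operator", "guest"}

# Individual IDs -> person, as the company's LDAP/AD would hold them (constructed).
NAMED_USERS = {"jdoe": "Jane Doe", "msmith": "Mark Smith"}

SAMPLE_LOG = """\
2011-04-14T09:12:01Z fw-edge-01 mgmt: login user=jdoe src=10.10.5.21 result=success
2011-04-14T09:15:44Z fw-edge-01 mgmt: login user=admin src=10.10.5.22 result=success
2011-04-14T09:20:09Z ips-core-02 mgmt: login user=msmith src=10.10.5.21 result=success
2011-04-14T09:31:52Z ips-core-02 mgmt: login user=root src=192.0.2.77 result=failure
2011-04-14T10:02:30Z waf-dmz-01 mgmt: login user=svc_backup src=10.10.5.30 result=success
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+mgmt:\s+login\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\w+)"
)


def parse_logins(text):
    """Return one dict per login event found in the log text."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify(user):
    """Map an account name to a finding reason, or "ok" for an individual ID."""
    if user in GENERIC_ACCOUNTS:
        return "generic-or-default"
    if user not in NAMED_USERS:
        return "not-an-individual-id"
    return "ok"


def review(text):
    """Return (findings, per-user login counts).

    findings is a list of (host, user, result, reason) for every login that
    is not attributable to a named individual; failed attempts are kept too,
    since a failed root login on a management plane is itself worth a look.
    """
    findings = []
    counts = Counter()
    for ev in parse_logins(text):
        counts[ev["user"]] += 1
        reason = classify(ev["user"])
        if reason != "ok":
            findings.append((ev["host"], ev["user"], ev["result"], reason))
    return findings, counts


if __name__ == "__main__":
    found, per_user = review(SAMPLE_LOG)
    for host, user, result, reason in found:
        print(f"{host}: login as '{user}' ({result}) -> {reason}")
    print("logins per account:", dict(per_user))
```

In a SIEM this is the same logic expressed as a correlation rule: a management login whose account is not in the identity directory, or is on the generic list, raises an alert. The per-account counts are useful evidence for the auditor that each login maps to one person.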
• 18. Let’s see the requirements
Requirement 11 “Regularly test security systems and processes”
> It goes without saying, internal network vulnerability and compliance scanners are often the best solution for testing systems from the internal network
> Many scanners can scan themselves too
> Ensure scanners also support security systems and appliances
  – Some systems, like IDS/IPS and possibly WAF, are only available for scanning on the management network
  – Ensure scanners can also reach management networks, and the networks for the hypervisor’s management
Ensure scanners can internally reach the whole environment and that they support a wide range of checks
• 19. Let’s see the requirements
Requirement 11 “Regularly test security systems and processes”
> External vulnerability scanning is a requirement
> Can be done with an external or internal resource, but it must be “qualified”
> There are requirements clearly defined for external resources, a bit less for internal ones
> Generally easier to use a qualified external supplier
> Tricky for security: vulnerabilities are stored outside of the company’s network; this can be a problem for some organisations’ policies
  – Some vendors offer solutions for that
  – Some vendors’ external solutions are not secure enough
Ensure you are using a qualified vendor and that you are not violating your own policies or compromising your security by using an external vendor
• 20. Let’s see the requirements
Requirement 11 “Regularly test security systems and processes”
> Ensure you have IDS/IPS systems at the perimeter
  – You must verify “all the traffic at the perimeter”, but nothing prohibits checking the internal network too
  – You must ensure proper management of IDS/IPS
  – Must verify that they can see decrypted traffic (after reverse-proxies) and that packet captures are properly treated for the data retention requirements already explained
> File integrity monitors
Again, in many cases security appliances have a very simple management model; this must be reviewed for PCI-DSS!!!
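File integrity monitoring is named as a control under both Requirement 10 (“use a file integrity monitoring tool”) and Requirement 11 above, but the slides do not show what the tool actually does. The following is an added example, not from the presentation or any FIM product: it builds a baseline of SHA-256 digests, sizes and permission bits for every file under a directory, stores it as JSON, and reports files added, removed or changed on a later run. It runs host-side (agent style) over a temporary configuration tree constructed inside the example; an agent-less product performs the same comparison over a remote management session.

```python
"""Minimal file integrity monitor: baseline a tree, then detect changes.

Added example, not part of the presentation. The directory contents and
the simulated tampering in demo() are constructed for the example.
"""
import hashlib
import json
import os
import stat
import tempfile


def _file_record(path):
    """Digest plus the metadata a change in permissions would alter."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": oct(stat.S_IMODE(st.st_mode))}


def build_baseline(root):
    """Return {relative_path: record} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                      # symlinks and specials are out of scope here
            baseline[os.path.relpath(full, root)] = _file_record(full)
    return baseline


def compare(baseline, current):
    """Return the added, removed and modified paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline an 'etc' tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "etc")
        os.makedirs(cfg)
        with open(os.path.join(cfg, "firewall.conf"), "w") as f:
            f.write("policy drop\n")
        with open(os.path.join(cfg, "ntp.conf"), "w") as f:
            f.write("server 10.0.0.5\n")
        # The baseline lives outside the monitored tree so it is not self-reported.
        baseline_file = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(cfg), baseline_file)

        # Simulated changes: a rule appended, the NTP config removed, a new file dropped in.
        with open(os.path.join(cfg, "firewall.conf"), "a") as f:
            f.write("allow any any\n")
        os.remove(os.path.join(cfg, "ntp.conf"))
        with open(os.path.join(cfg, "cron.allow"), "w") as f:
            f.write("root\n")

        return compare(load_baseline(baseline_file), build_baseline(cfg))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline must be stored and compared somewhere the monitored host cannot write to (the same reason the slides prefer agent-less solutions and off-loaded logs), and every reported change should be reconciled against an approved change record rather than silently re-baselined.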
• 21. Thank you