Achieving PCI-DSS compliance with network security implementations - April 2011

Achieving PCI-DSS compliance with
network security implementations
Marco Ermini
Vodafone Group Network Security

14 April 2011

1 Presentation title in footer Confidentiality level on title master January 3, 2013
Department on title master Version number on title master

W this is about
hat
…and what is not about!

This presentation is not about…
> …what my company has done. This is personal point of view (of course based on
experience)
> …explaining what are the various network security devices. You know them. If not,
you need other BrightTalks to get better informed
> …choosing vendors/brands – even if we may lean towards network security vendors
versus “host based” vendors, when this makes sense
> …discussing if you need a network security device or not, or which technology you
do need (maybe a short note…)
> … “off the shelves” or “vendor provided” best practices
– you can just Google for “be s t p ra c tic e s PCI
-DSS” - it will do the job!
> I assume you need and want PCI-DSS compliance
> I assume you care about security, as much as compliance
> I will only touch the main points. The argument is really wide

What you are looking for, are best practices to make your investment worth

2 Presentation title in footer Version number on title master January 3, 2013
Confidentiality level on title master
Department on title master

W is speaking?
ho
This is not a bio…

W are you listening to me? – 1
hy
> I am supposed to know what I am talking about. However I am not a compliance
expert
– Do not ask me about compliance, but about technology
> Yes, that’s my daily job. No, I am not a trainer or something like that
> No, this is not academia or pure science. There is hardly here!
> I know what the market offers. Everyone can download Snort or nmap. It’s not about
that
> I have a realistic view about network security technology
> Yes, I have been under a real attack. And not just once!
> I am a customer of network security technology. I evaluate, test, deploy, implement,
use them. But I don’t sell them. I will never try to contact you and sell you anything 
> Yes, this will be my personal, partial, questionable, but realistic point of view
> Yes, I will compare host/agent-based against network-based approaches, and I
prefer the second

You are not drinking from the fountain of truth. Never ever! 

W is this for?
ho
Why do you care?

W are you listening to me? – 2
hy
> You are a security officer, security manager, or compliance manager, and need to…
– of course achieve PCI-DSS compliance
> You are a security or network engineer, or compliance manager, and need to…
– possibly bring “real” value from your investment
– are thinking/need about the network security approach for PCI-DSS
> You are a PCI-DSS auditor, and need to…
– understand if network security approach is valid
> You are just curious…
– graduate student, and/or future PCI-DSS auditor, getting into the security job’s
World
– experienced security or network personnel trying to understand network security
appliances

You are welcome to share your expectation, doubts, questions!


W is required by PCI-DSS?
hat
It is in many senses, a technical compliance standard

W is PCI-DSS different from other compliance requirements?
hy
> Differently from others, it goes into the nitty-gritty details of technical specifications
> For this reason, it has already required a couple of updates
> However, like any requirement, you can have documented exceptions, if needed (i.e.
NAT)
> We are concentrating on the latest version, PCI DSS v 2.0
– Changes from latest version (1.2.1) are mainly about virtualisation and several
clarifications
> There are several standards:
– Data Security Standard: how to protect cardholders’ data
– Requirement and Security Assessment Procedures: about how to assess the
environment
– PIN Transaction Security
– Various supporting documents focusing on roles like merchants, service
providers, and so on

5 The argument is extremely wide!!! level on title master
Presentation title in footer
Confidentiality
January 3, 2013

W use network-based approach?
hy
In many cases it is easier to implement

W should I stop securing with the PCI-DSS environment?
hy
> Although it is necessary by requirement to isolate the zone where cardholders’ data
are processed, in many cases it is easier to implement many of the requirements to
the whole DC
> You can leverage the investment to apply best practices to a wider zone
> In some cases, the standard seems to encourage it (i.e. wireless devices in a PCI
DSS zone?!?)
> In many cases, network security appliances can be used in multiple zones and it is
just a matter of license how many systems you protect
– Caveat: management stations (we will see this later)
> It is much easier to leverage this investment when using network-based approaches
> In some cases, there is no choice but use network security devices
– for instance when the requirements specify it

If you are forced to invest in security, make the most of it!


Let’s see the requirements
Requirement 2

“Do not use vendor-supplied defaults for system passwords and other security
parameters”
> You can use network security scanners and compliance scanners to verify that this
is in place
– Verify that best practices and hardening (i.e. passwords, SNMP, defaults, not
needed daemons…) have been implemented, through scanning of the
environment
– Some network scanners can login to the systems and verify that policies are
implemented. This is very often a much better approach than deploying agent-
based solutions
– Be sure that the vendor supports both servers and network devices
– You need to verify for instance wireless devices, if present
– Scan virtualisation technologies: this seems to suggest that we must verify
hypervisors
– Only documented daemons/services must be running
> Must verify that newer installed systems are compliant
– This is much better done with a scanner, that detects when new systems are
installed

7 Presentation title in footer a network title master January 3, 2013
I do prefer by a great extent Version number onbased, agent-free solution for hardening

Requirement 3
“Protect stored cardholder data”
> Tricky pitfalls for network security devices, let’s see why
> Keep data retention to a minimum, do not store authentication/authorisation data and credit cards
– If data is transmitted in an encrypted way (i.e. HTTPS), the Intrusion Detection/Prevention or the
WAF often cannot see them
– However, if they are placed after HTTPS reverse-proxies, or are instructed to decrypt the traffic,
they may also see authentication/authorisation data, or even credit card data
– If a signature is triggered, the IDS/IPS/WAF management station can keep a record of the
transaction
> How to address this?
– Have a geographically/topologically localised management station in the zone (“manager of the
manager” issue)?
– Disable packet capture/logging?
– Special policy for PCI-DSS IDS/IPS/WAF?
– Disk encryption on the management station?
– How security operation people handle packet captures of signatures?

It can be tricky so we must plan this in advance. Also you don’t want “special” deployments if possible


Requirement 3

“Protect stored cardholder data”
> Management of encryption keys
– Do you need HSM devices/modules?
– Do your IDS/IPS/WAF supports HSM modules?
– How are crypto keys stored on your device?
– How are crypto keys distributed?
– Do you implement “split knowledge” for key management?
– Do you monitor for keys substitution/replacement?
– Best practices for keys’ custodians

Again, it can be tricky so we must plan this in advance. And choose the right devices


Requirement 4

“Encrypt transmission of cardholder data across open, public networks”
> Are considered public networks in scope:
– Internet
– Wireless technologies in general
– GSM/GPRS networks as well
> You must implement encryption, and take care that IDS/IPS/WAF supports:
– inspection of HTTPS if necessary, or placed after reverse-proxies
– GTP traffic, if this makes sense for you
– Must implement wireless scanners, if this makes sense for you

I do prefer by a great extent a network based, agent-free solution for hardening
checks!!!

10 Department on title mastertitle in footer Version number on title master
Presentation January 3, 2013

Requirement 6

“Develop and maintain secure systems and applications”
> As per requirement 2, you can use network security scanners and compliance
scanners
– Verify that patches are installed – both with vulnerability and compliance scanners
– Verify that undocumented or “custom” applications/services are removed
– Verify that there are no development tools installed in production
> Use Web Application Scanners to scan application for SQL injection, buffer
overflows, XSS, CSRF, and so on
– Suggestion: focus on OWASP top 10
– Ensure your vendor covers the PCI-DSS requirements but also OWASP
– PCI-DSS inspired by OWASP

I do prefer by a great extent a network based, agent-free solution for hardening
checks!!!


Requirement 6

> It is required that for externally-facing web sites, either a review is done, or a Web
Application Firewall (WAF) is in use
> About reviews:
– can be performed with “automated” tools (Web Application Scanners) or manually
– however they must be done at least annually, and anyway after any change
– if you find a vulnerability, you must correct it; this means you are deploying a
change, so this means you must review again the application!
– therefore it is better to plan for an automated tool anyway
> About Web Application Firewalls (WAF)
– you do not need to review your application
– anyway, experience shows that it is better than you do it. Do not use WAF as
scapegoat to avoid application reviews. Heard about Barracuda Networks
recently?

I suggest to have both W and assess the applications, as having the W simplify
AF AF
the application patching too – catch 22


Requirement 6

> FAQ: can I use an IDS/IPS as WAF?
– I cannot go into great extent into this, however I discourage it
– They are inheritely different technologies
– All of the IDS/IPS vendors have web protection functionality, however they are not
the same as a Web Application Firewall
– Although you may argue about that with an auditor, if you care about real security
and not just compliance, do not take the shortcut
– Please feel free to ask me about details on that off line if you care.

I suggest to have both W and IDS/
AF IPS. Do not use shortcuts unless you are on a
budget


Requirement 7/8

“Restrict access to cardholder data by business need to know”
> Use vulnerability and compliance scanners to assess that servers and network
devices have proper RBAC set up in place
> Firewalls and Access Control Systems set up with a final “deny all” rule
– May look trivial, but sometimes it is not 

“Assign a unique ID to each person with computer access”
> Two factors authentication in place for all of the remote accesses
> This is also valid for security appliance management!
> If you have not implemented good practices for security appliance management,
now you must do it!

In many cases security appliances have a very simple management model, this must
be reviewed for PCI-DSS!!!


Requirement 8

“Assign a unique ID to each person with computer access”
> Database protection
> Restrict access to the databases, restrict direct user accesses, review database
applications, do not use application IDs outside of applications
> This can be achieved with a Database Activity Monitor (DAM) technology
> Agent or Agent-less solution
> I strongly suggest a combination of both, where the focus is on the agent-less
solution
> For specific questions contact me off line

Database Activity Monitors are a good practice, along with proper set up of database
management for the environment


Requirement 9

“Restrict physical access to cardholder data”
> Again, if your security appliances enters into PCI-DSS scope, you must apply the
same requirements to them
> If you have not implemented good physical security practices for security appliance
management, now you must do it!
> This includes camera surveillance, badge systems and practices, logs and physical
escort of visitors by an internal employee (i.e. PCI-DSS auditors too!) and so on
> Usually part of the DC practices, but it may be different for security monitoring

In many cases security appliances have a very simple management model, this must
be reviewed for PCI-DSS!!!


Requirement 10

“Track and monitor all access to network resources and cardholder data”
> Again, if your security appliances enters into PCI-DSS scope, you must apply the
same requirements to them
> You must implement audit logs on accessing to the management systems of the
security devices
– You must implement single users and not use generic or default users
– You must use a time server (NTP), and verify against company’s LDAP/AD
> You must off-load logs to a syslog/logging server
– Logs for IPS/IDS/firewalls/and so on
– Best to use a SEM/SIEM if you are not doing it already
> Use file integrity monitoring tool
– Agent-less solutions are again my favourite

Again, in many cases security appliances have a very simple management model, and
SEM/ SIEM are not in use


Requirement 11

“Regularly test security systems and processes”
> It goes without saying, internal network vulnerability and compliance scanners are
often the best solution for test of systems from the internal network
> Many scanners can scan themselves too
> Ensure scanners also supports security systems and appliances
– Some systems like IDS/IPS and possibly WAF, are only available for scan on the
management network
– Ensure scanners can also reach management networks, and networks for
hypervisor’s management

Ensure scanners can internally reach the whole environment and they support a wide
range of checks


Requirement 11

> External vulnerability scanning is a requirement
> Can be done with external or internal resource, but it must be “qualified”
> There are requirements clearly defined for external resources, a bit less for internals
> Generally easier to use a qualified external supplier
> Tricky for security: vulnerabilities are stored outside of company’s network, this can
be a problem for some organisation’s policy
– Some vendors offer solutions for that
– Some vendors have not secure enough external solutions

Ensure you are using a qualified vendor and you are not violating your own policies or
compromising your security using an external vendor


Requirement 11

> Ensure you have IDS/IPS systems at the perimeter
– You must verify “all the traffic at the perimeter”, but nothing prohibits to check the
internal network too
– You must ensure proper management of IDS/IPS
– Must verify that they can see decrypted traffic (after reverse-proxies) and packet
captures are properly treated for the data retention requirements already
explained
> File integrity monitors

Again, in many cases security appliances have a very simple management model, this
must be reviewed for PCI-DSS!!!


Thank you

21 Presentation title in footer Confidentiality level on title master January 3, 2013

Achieving PCI-DSS compliance with network security implementations - April 2011

More Related Content

What's hot

Viewers also liked

Similar to Achieving PCI-DSS compliance with network security implementations - April 2011

More from EQS Group

Recently uploaded

Achieving PCI-DSS compliance with network security implementations - April 2011