Lessons Learned from Implementing Existing Standards
Dos and Don'ts for Implementing Authentication Standards

Jeff Stapleton, CISSP, CTGA, QSA
Cryptographic Assurance Services LLC
X9F4 Working Group
Information Assurance Consortium
Payment Card Industry (QSA)

Agenda (slide 1)
• Standards Organizations
• Authentication Case Studies
  – TG-3 PIN Compliance
  – SET Brand CA Compliance
  – WebTrust for CA Compliance
  – PCI DSS Compliance
• Other Standards
• Summary

Standards Organizations (slide 2)
[Diagram: formal organizations – ISO (ANSI is the USA member body), ISO TC68 (X9 is the US TAG), ISO/IEC JTC1 (INCITS is the US TAG), NIST; informal organizations – IETF, CA Browser Forum (CABF).]
• ISO: International Standards – 172 countries, 248 Technical Committees, ~3000 standards
• ANSI: USA National Body – 820 organizations, 284 accredited groups
• IETF: Internet – (?) individuals, 118 subgroups, 5734 specifications
• TC68: Financial Services – 63 countries, 11 subgroups, 50 standards
• X9: Financial Services – 150 organizations, 15 subgroups, 115 standards
• NIST: Federal Government – ~30 subgroups, +10,000 documents
• INCITS: Information Technology – 1700 organizations, 40 subgroups, (?) standards
• CA Browser Forum – 42 members, 5 documents
• JTC1: Information Technology – 85 countries, 19 subgroups, 357 standards

Case Studies (slide 3)
• TG-3 PIN Compliance
  – TG-3 Compliance
  – TG-3 Assessments
• SET Brand CA Compliance
  – SET Brand CA Compliance
  – SET Brand CA "Audits"
• WebTrust for CA Compliance
  – WebTrust for CA Compliance
  – WebTrust for CA Evaluations
• PCI DSS Compliance
  – PCI Compliance
  – PCI (QSA) Assessments
• Four case studies
  – Facts
  – Issues
  – Stories
• Two slides per topic
  – Compliance program
  – Compliance effort

TG-3 PIN Compliance (slide 4)
• X9 TG-3 (TR-37) Retail Financial Services Compliance Guideline for Online PIN Security and Key Management
  – ANSI X9.8 PIN Management and Security
  – ANSI X9.24 Retail Financial Services – Symmetric Key Management
    • Part 1: Using Symmetric Techniques
    • Part 2: Using Asymmetric Techniques for Distribution of Symmetric Keys
• Adopted by EFT Networks in 1996
  – Pulse; wholly owned subsidiary of Discover Financial Services
  – STAR; wholly owned subsidiary of First Data Resources (FDR)
  – NYCE; wholly owned subsidiary of Metavante
  – Certified TG-3 Assessor (CTGA)
• ISO 9564 PIN Management and Security
• ISO 11568 Banking – Key Management – Retail
• EMV Integrated Circuit Card Specification for Payment System (offline)

TG-3 Assessments (slide 5)
• Prescriptive checklist
  – Reviews
  – Interviews
  – Inspections
  – Observations
  – Tests
• Symmetric Keys (control objectives)
  – General Security Controls
  – TRSM Controls
  – General Key Management
  – Additional Key Management
• Asymmetric Keys (control objectives)
  – General Asymmetric Controls
  – Asymmetric Controls
  – Mutual Authentication
  – Credential Management
  – Additional Asymmetric Controls
[Checklist layout: one row per control objective with its procedures, scored Yes / No / N/A / Exception.]

  Control Objective | Procedures   | Yes | No | N/A | Exception
  ----------------- | ------------ | --- | -- | --- | ---------
  (objective)       | Procedures…  | _   | _  | _   | _
  (objective)       | Procedures…  | _   | _  | _   | _
  …                 | …            |     |    |     |

SET Brand CA Compliance (slide 6)
• Secure Electronic Transaction (SET)
  – Book 1: Business Description
  – Book 2: Programmer's Guide
  – Book 3: Formal Protocol Definition
  – Visa and MasterCard: 1995 – 2003
• Participants
  – JCB; Japan
  – MasterCard (MC); USA
  – PBS; Denmark
  – Visa; USA
  – Cyber-Comm (CC); France
  – 16+ companies involved
  – 50+ key individuals involved
• Brand CA
[Diagram: SET certificate hierarchy – Root CA → Brand CA (e.g. Visa, MC) → Geo-Political CA (Regional, "R") → User CA ("U"), Merchant CA ("M"), Payment Gateway CA ("PG") → SET User, Merchant, Payment Gateway.]

SET Brand CA "Audits" (slide 7)
• Brand CA Control Objectives (TG-3)
• ANSI X9.79 PKI Policy and Practices
  – Policy Authority (PA)
  – Certificate Issuer (CI)
  – Certificate Manufacturer (CM)
  – Registration Authority (RA)
  – Repository (Rep)
  – Subscriber (Sub)
  – Relying Party (RP)
• PKI Standards
  – WebTrust for CA
  – ISO 21188
[Diagram: the X9.79 roles (PA, CI, CM, RA, Rep, Sub, RP) mapped onto SET participants; labels in the original include JCB, MC, CA of Japan, Bank of Japan, Fujitsu, Sumitomo Bank, Merchant and Consumer.]
[Checklist layout: one row per SET control objective with its procedures, scored Yes / No / N/A / Exception.]

  SET Control Objective | Procedures   | Yes | No | N/A | Exception
  --------------------- | ------------ | --- | -- | --- | ---------
  (objective)           | Procedures…  | _   | _  | _   | _
  …                     | …            |     |    |     |

WebTrust for CA Compliance (slide 8)
• ANSI X9.79 PKI Policy and Practices
  – CA control criteria submitted to AICPA and CICA
  – Redeveloped as WebTrust for CA
• Auditing standard: WebTrust for CA
  – Licensed in 37 countries by CPA (or equivalent)
  – Mandated by most states as SAS 70 criteria
  – Mandated by all Browser Vendors
• CA Browser Forum
  – Extended Validation (EV) Audit Criteria
  – EV Certificate Issuance and Management Guide
  – EV Certificate Usage Guide
• ISO 21188 PKI Policy and Practices
[Diagram: Auditor ↔ CA "X"; out-sourced Service Provider ↔ SAS 70 ↔ Auditor.]

WebTrust for CA Evaluations (slide 9)
• Audit performed by licensed CPA (or equivalent)
  – American Institute of Certified Public Accountants
  – Canadian Institute of Chartered Accountants
  – WebTrust for CA
  – WebTrust for CA Extended Validation (EV) Public Key Certificate
• Evaluation is a "Readiness" check for the audit
  – Validate CP and CPS (RFC 3647)
  – Validate X.509 certificates (RFC 5280)
  – Validate Subscriber (EV) Agreement
  – Validate Operational Procedures
  – Controls over Root CA (offline) and Subordinate CA (online)
  – Controls over SSL and VPN implementations

PCI Compliance (slide 10)
• Payment Card Industry Security Standards Council (PCI SSC)
  – Expansion of the Visa Cardholder Information Security Program (CISP)
  – Visa, MasterCard, Amex, Discover, JCB; established in 2006
  – 500+ Participating Organizations
• PCI Data Security Standard (DSS)
  – Qualified Security Assessor (QSA) Company
  – Approved Scanning Vendor (ASV) Company
  – Penetration Tester qualifications and test results undefined
  – Wireless controls scattered throughout requirements
• PCI Payment Application Data Security Standard (PA-DSS)
  – Payment Application Qualified Security Assessor (PA-QSA) Company
• PCI PIN Transaction Security (PTS)
  – Formerly PIN Encryption Device (PED) compliance program
  – Visa and MasterCard PIN compliance programs

PCI (QSA) Assessments (slide 11)
• PCI DSS v1.2 "protect cardholder data"
  – Requirement 1: Install and maintain a firewall
  – Requirement 2: Do not use vendor-supplied defaults
  – Requirement 3: Protect stored cardholder data
  – Requirement 4: Encrypt transmission of cardholder data
  – Requirement 5: Manage anti-virus software
  – Requirement 6: Software assurance
  – Requirement 7: Restrict access by business need to know
  – Requirement 8: Assign a unique ID
  – Requirement 9: Restrict physical access
  – Requirement 10: Track and monitor all access
  – Requirement 11: Regularly test security systems
  – Requirement 12: Maintain information security policy
• Wireless controls scattered throughout requirements

Other Authentication Standards (slide 12)
• ANSI Standards
  – X9.84 Biometric Management and Security
  – X9.95 Trusted Time Stamps (TSA)
  – X9.112 Wireless Management and Security (802.11x)
• Work in Progress
  – X9.117 Mutual Authentication
  – X9.112 Wireless – Part 3: Mobile Banking (TSM)
• Gaps: no password standard
  – Green Book CSC-STD-002-85 (1985) Password Management
  – FIPS 112 (1985) Password Usage; withdrawn 2005
  – ANSI X9.26 (1990) Financial Institution Sign-On Authentication for Wholesale Transactions; withdrawn 1999

Summary (slide 13)
• Many standards to choose from
• Many technologies to choose from
• Many compliance programs to follow
  – Many today; more tomorrow
  – Change is inevitable
• Watch out for technology transitions
  – Mergers and acquisitions
  – New vulnerabilities
  – Technology breakthroughs
• Compliance is a journey, not a destination
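As an added example that is not part of the presentation, the following Go program shows the kind of RFC 5280 checks that the "Validate X.509 certificates (RFC 5280)" and "Controls over Root CA (offline) and Subordinate CA (online)" items of the WebTrust for CA readiness evaluation (slide 9) call for, using only the standard crypto/x509 package. It builds its own three-tier hierarchy with throwaway P-256 keys (the CA names, serial numbers, validity periods and the host name ca-demo.example are all constructed for the demo), validates the server certificate's path including the host name, and reports static findings on the CA certificates. The subIsCA switch models one defect such a check must catch: a subordinate that was issued without cA=TRUE and therefore is not authorized to sign.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy holds the constructed tiers: offline root CA, online issuing CA, one SSL server certificate.
type Hierarchy struct {
	Root, Sub, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template fills in the RFC 5280 fields an evaluation inspects: subject, validity,
// basicConstraints (always encoded, even as cA=FALSE), keyUsage and, for end entities, EKU.
func template(cn string, serial int64, isCA bool, pathLen, days int) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(time.Duration(days) * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		t.MaxPathLen = pathLen
		t.MaxPathLenZero = pathLen == 0 // pathLenConstraint=0 must be stated explicitly
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl under parent with the parent's private key (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildHierarchy constructs root -> subordinate -> server for the given host name.
// subIsCA=false produces a subordinate issued without cA=TRUE (a defect, not a valid CA).
func BuildHierarchy(subIsCA bool, host string) (*Hierarchy, error) {
	rootKey, subKey, leafKey := newKey(), newKey(), newKey()
	// Offline root: self-signed, may have at most one tier of subordinate CAs below it.
	root, err := sign(template("Demo Offline Root CA", 1, true, 1, 3650), nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	// Online issuing CA: signed by the root; pathLen 0 restricts it to end-entity certificates.
	sub, err := sign(template("Demo Online Issuing CA", 2, subIsCA, 0, 1825), root, &subKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	// Server certificate issued by the online CA, with the host name in subjectAltName.
	leafTmpl := template(host, 3, false, 0, 397)
	leafTmpl.DNSNames = []string{host}
	leaf, err := sign(leafTmpl, sub, &leafKey.PublicKey, subKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, Sub: sub, Leaf: leaf}, nil
}

// VerifyChain runs RFC 5280 path validation for the server certificate (signatures, validity,
// basicConstraints and pathLen on each CA, EKU, host name) and returns the chain length.
func VerifyChain(h *Hierarchy, host string) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Sub)
	chains, err := h.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// ReadinessFindings lists static defects in the CA certificates themselves, independent of any chain.
func ReadinessFindings(h *Hierarchy) []string {
	var f []string
	if !h.Root.IsCA || h.Root.KeyUsage&x509.KeyUsageCertSign == 0 {
		f = append(f, "root: missing cA=TRUE or keyCertSign")
	}
	if err := h.Root.CheckSignatureFrom(h.Root); err != nil {
		f = append(f, "root: not self-signed")
	}
	if !h.Sub.IsCA || h.Sub.KeyUsage&x509.KeyUsageCertSign == 0 {
		f = append(f, "subordinate: missing cA=TRUE or keyCertSign")
	}
	if h.Sub.IsCA && (h.Sub.MaxPathLen != 0 || !h.Sub.MaxPathLenZero) {
		f = append(f, "subordinate: pathLenConstraint is not 0")
	}
	if h.Leaf.IsCA {
		f = append(f, "server: cA=TRUE on an end-entity certificate")
	}
	return f
}

func main() {
	good, _ := BuildHierarchy(true, "ca-demo.example")
	n, err := VerifyChain(good, "ca-demo.example")
	fmt.Println("well-formed hierarchy: chain length", n, "error:", err, "findings:", ReadinessFindings(good))
	bad, _ := BuildHierarchy(false, "ca-demo.example")
	_, err = VerifyChain(bad, "ca-demo.example")
	fmt.Println("subordinate without cA=TRUE: error:", err, "findings:", ReadinessFindings(bad))
}
```

The two checks are deliberately separate: VerifyChain answers "does this server certificate validate to the root?", which is what a relying party does, while ReadinessFindings inspects the CA certificates on their own, which is what an evaluator does before the audit, since a defective subordinate is a finding even when no end-entity certificate has been issued from it yet.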