A Deeper Dive on the Digital Dozen

Prepared by: Protiviti Incorporated
Presented by: Lance Wright, Protiviti Phoenix

© 2007 Protiviti Inc. Confidential: This document is for internal use only and may not be distributed to an outside party.

Agenda
- Knowledge Check (Oh no, not a test)
- A Deeper Look at 12 of the More Challenging Requirements
- Case Study
- Network Segmentation (Limiting the scope of PCI)

Quick Knowledge Check
Take 10 minutes to answer the questions.

Test Review
1) True – 1.1.9, 2.2
2) True – 2.2.1
3) True – 3.2
4) False – 4.1.1
5) False – 5.1
6) True – 6.3.1
7) True – 7.1
8) False – 8.5.5
9) True – 9.8
10) True – 10.6
11) True – 11.3
12) True – 12.7

Common Obstacles / Challenges
Common obstacles / challenges for merchants and service providers facing compliance with PCI DSS.
- Areas where we have consistently seen clients struggle to develop or implement solutions to meet the requirements.
- Based on anecdotal evidence
- Not comprehensive (that would take a lot longer than 2 hours)
Section 1
1.1.5 Documented list of services and ports necessary for business
1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP), and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN)
1.1.7 Justification and documentation for any risky protocols allowed (for example, file transfer protocol (FTP)), which includes reason for use of protocol and security features implemented
- Firewall configuration review
- Ensure consistent comments in firewall rule set
- Improved change management (turn it off when you don’t need it)
- Network segmentation

Section 2
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security Network (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS).
- “…all known security vulnerabilities…” - not the top 10 or 20
- “…all system components…” - not just routers and firewalls (section 1)
- The very definition of a standard is that it is industry accepted. What is your “standard” based on?

Section 3
3.4 Render PAN, at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:
• Strong one-way hash functions (hashed indexes)
• Truncation
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key management processes or procedures
The MINIMUM account information that must be rendered unreadable is the PAN.
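As an added illustration of the 3.4 approaches (not part of the original deck), the Python below applies truncation, a one-way hashed index and an index-token vault to a constructed test PAN. The HMAC key, the vault class and the sample number are assumptions made for the example; the keyed hash is an added hardening choice over a bare hash, since the PAN space is small enough to enumerate.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a widely used test number, not a real account.
SAMPLE_PAN = "4111111111111111"
# Assumed secret for the hashed index; in practice it lives with the key management process.
INDEX_KEY = b"example-index-key-do-not-reuse"


def luhn_valid(pan: str) -> bool:
    """Checksum test so the example only handles strings shaped like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep the first six and last four digits, drop the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hashed_index(pan: str, key: bytes = INDEX_KEY) -> str:
    """Hashed index for lookups. A keyed HMAC is used here (an added hardening choice):
    the 16-digit space is small enough that an unkeyed hash of a PAN can be brute-forced."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: systems store a random surrogate; only the vault can map it back."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a PAN-shaped value")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = secrets.token_hex(8)  # random; carries none of the PAN's digits
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def render_unreadable(pan: str, vault: TokenVault) -> dict:
    """Apply the three non-encryption approaches from 3.4 to one PAN."""
    return {"truncated": truncate_pan(pan),
            "hashed_index": hashed_index(pan),
            "token": vault.tokenize(pan)}
```

Only the vault (and whoever holds INDEX_KEY) can get back to the PAN; every other system keeps only the truncated value, the index or the token.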
- Recognized as the basic tenet of PCI. “Thou shalt encrypt.”
- Unfortunately, not very easy to implement, especially in well-established environments.
- Tokenization may limit scope to some degree.

Tokenization

Section 4
4.2 Never send unencrypted PAN by e-mail. E-mail can be easily intercepted by packet-sniffing during delivery traversal across internal and public networks.
- Data / content monitoring solution (one time or continuous)
- Policy / User training
- Encryption solution (PGP, etc.)

Section 5
5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware. It is important to protect against ALL types and forms of malicious software.
- Make sure the AV solution you use contains an anti-spyware component or module, and that it is running and generating logs.

Section 6
6.5 Develop all web applications based on secure coding guidelines, such as the Open Web Application Security Project Guidelines. Review custom application code to identify coding vulnerabilities.
Cover prevention of common coding vulnerabilities in software development processes, to include the following:
1) Unvalidated input
2) Broken access control (for example, malicious use of user IDs)
3) Broken authentication and session management (use of account credentials and session cookies)
4) Cross-site scripting (XSS) attacks
5) Buffer overflows
6) Injection flaws (for example, structured query language (SQL) injection)
7) Improper error handling
8) Insecure storage
9) Denial of service
10) Insecure configuration management
- Web application scanner prior to movement of any code to production. Ensure the scanner covers all 10 areas.
- Based on the 2006 version of the OWASP Top 10 (not current: CSRF, insecure cryptographic storage and communications, and failure to restrict URL access are all new and important).

Section 7
7.2 Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. Without a mechanism to restrict access based on user’s need to know, a user may unknowingly be granted access to cardholder data.
- User reviews, segregation of duties, strong user access management

Section 8
8.3 Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates. Two-factor authentication technologies provide a one-time password, to be used when an additional authentication item is needed for higher-risk accesses, like from outside your network.
For additional security, your organization can also consider using two-factor authentication when accessing networks of higher security from networks of lower security (for example, from corporate desktops (lower security) to production servers/databases with cardholder data (high security)).
- Most common solution is a key fob (RSA SecurID), although SSL certificates can be used as well.

Section 9
9.6 Physically secure all paper and electronic media (including computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data. Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it is unprotected while it is on portable media, printed out, or left on someone’s desk. Consider procedures and processes for protecting cardholder data on media distributed to internal or external users. Without such procedures data can be lost or stolen and used for fraudulent purposes.
- Most often overlooked by IT, since they often do not oversee the paperwork side of credit card transactions.
- Paperless environments (as much as possible) put the control back with IT.

Section 10
10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter. Adequate protection of the audit logs includes strong access control (limit access to logs based on “need to know” only) and use of internal segregation (to make the logs harder to find and modify).
- Several industry solutions (LogLogic, RSA enVision, etc.)
- Don’t forget to include any wireless access points.
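“Media that is difficult to alter” can be backed up in software as well: as an added example that is not from the deck, the Python below chains exported audit events with an HMAC held only by the central log server, so any later edit, deletion or insertion in the backed-up trail is detectable on verification. The key, the sample events and the record layout are constructed for this example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample audit trail entries (not real logs).
SAMPLE_EVENTS = [
    "2008-03-01T10:00:01 host=pos-app1 user=svc_pay action=login result=success",
    "2008-03-01T10:02:17 host=pos-app1 user=admin action=config_change file=/etc/payment.conf",
    "2008-03-01T10:05:44 host=pos-db1 user=report action=query table=transactions",
]
# Assumed key held only by the central log server, never by the hosts that send events.
LOG_SERVER_KEY = b"example-log-server-key"
_GENESIS = b"\x00" * 32


def chain_export(events: list[str], key: bytes = LOG_SERVER_KEY) -> list[dict]:
    """Tag each event with an HMAC over the previous tag plus the event text,
    so every record depends on all earlier ones."""
    prev = _GENESIS
    records = []
    for event in events:
        tag = hmac.new(key, prev + event.encode(), hashlib.sha256).digest()
        records.append({"event": event, "tag": tag.hex()})
        prev = tag
    return records


def verify_chain(records: list[dict], key: bytes = LOG_SERVER_KEY) -> Optional[int]:
    """Return the index of the first record that fails, or None if the chain is intact.
    An edited, deleted or inserted record breaks every tag from that point on."""
    prev = _GENESIS
    for i, rec in enumerate(records):
        expected = hmac.new(key, prev + rec["event"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return i
        prev = bytes.fromhex(expected)
    return None


def head_tag(records: list[dict]) -> str:
    """Last tag of the export; store it out of band so trailing records cannot be silently dropped."""
    return records[-1]["tag"] if records else _GENESIS.hex()
```

Because the verification key never reaches the sending hosts, an intruder who alters a host's local copy cannot re-tag the backed-up chain to match.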
Section 11
11.5 Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files; and configure the software to perform critical file comparisons at least weekly. File integrity monitoring systems check for changes to critical files, and notify when such changes are noted. There are both off-the-shelf and open source tools available for file integrity monitoring. If not implemented and the output monitored, a hacker or user with malicious intent could alter file contents or steal data undetected.
- Note – critical system or content files
- Common industry solutions (Tripwire, CA Auditor, Cisco MARS, etc.)

Section 12
12.8 Contractually require all third parties with access to cardholder data to adhere to payment card industry security requirements. If a merchant or service provider shares cardholder data with a service provider, then the service provider receiving the cardholder data should sign a legal document that holds them responsible for complying with cardholder data security policies, and has them acknowledge this responsibility. This helps ensure that the continued protection of this data will be enforced by outside parties.
- All vendors and contractors who have access must also be in compliance.
- Language must be added to existing contracts. Many times vendors are seeking the same language as well.

Case Study – HACKED!!
- Read the narrative provided.
- Attempt to identify PCI DSS requirements not “In Place” that led to the data breach.
- Attempt to identify corresponding remediation steps for each item that is not “In Place” that may have thwarted John the Hacker.
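To make the 11.5 comparison concrete, here is an added example (not the deck's or any vendor's code) of the core of a file integrity monitor: a baseline of digests and permission bits for a list of critical files, and the periodic comparison that produces the alert. The file list and the scenario in demo() are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed list of critical files, relative to the monitored root.
CRITICAL_FILES = ["etc/payment.conf", "bin/authorize", "www/checkout.php"]


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, critical: list[str]) -> dict:
    """Record digest and permission bits for each critical file."""
    baseline = {}
    for rel in critical:
        st = (root / rel).stat()
        baseline[rel] = {"sha256": file_digest(root / rel), "mode": st.st_mode & 0o777}
    return baseline


def compare(root: Path, baseline: dict) -> dict:
    """The weekly (or more frequent) comparison: report what an alert should carry."""
    report = {"modified": [], "missing": [], "mode_changed": []}
    for rel, saved in baseline.items():
        p = root / rel
        if not p.exists():
            report["missing"].append(rel)
            continue
        if file_digest(p) != saved["sha256"]:
            report["modified"].append(rel)
        if (p.stat().st_mode & 0o777) != saved["mode"]:
            report["mode_changed"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: baseline three files, then alter one, loosen one and delete one."""
    root = Path(tempfile.mkdtemp())
    for rel in CRITICAL_FILES:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(f"original contents of {rel}\n")
        os.chmod(root / rel, 0o644)
    baseline = build_baseline(root, CRITICAL_FILES)
    (root / "etc/payment.conf").write_text("gateway=changed-without-approval\n")  # content change
    os.chmod(root / "bin/authorize", 0o777)                                       # permission change
    (root / "www/checkout.php").unlink()                                          # removal
    return compare(root, baseline)
```

The baseline itself must live somewhere the monitored host cannot rewrite, otherwise the comparison proves nothing.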
PCI Sections

Some Answers

User Training
12.6 - Implement a formal security awareness program to make all employees aware of the importance of cardholder data security. Hostess and manager should be trained on security policies and procedures to protect cardholder data.

Visitor badge and logging
9.4 - Use a visitor log to maintain a physical audit trail of visitor activity.
9.3.2 - Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees.
Implement a visitor handling policy and procedures to include logging and badges.

Video Monitoring
9.1.1 – Use cameras to monitor sensitive areas. Install video surveillance.

File integrity monitoring
11.5 - Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files; and configure the software to perform critical file comparisons at least weekly. Install a file integrity monitoring agent on all payment application servers.

Firewall configuration
1.1.5 - Documented list of services/ports necessary for business. How did port 31337 get open? Firewall and router rule set review to disallow unneeded ports / protocols.

Computer logged in
8.5.15 - If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal. Update GPO to ensure session lockout occurs.

Fact or Fiction?
Wired Magazine - The government said the Dave & Buster's hackers illegally accessed 11 of the national chain's servers and installed packet sniffers at each location.
The sniffers vacuumed up "Track 2" data from the credit card magstripes as it traveled from the restaurant's servers to Dave & Buster's headquarters in Dallas, according to the indictment.
FOX News - Eleven Dave & Buster's restaurants at various locations around the United States were hit in the scheme, including one in Islandia, on Long Island, where information was stolen on 5,000 credit and debit cards, causing at least $600,000 in losses, federal prosecutors said.

Interesting Reads

Network Segmentation
• Network Segmentation within the PCI context refers to the separation of cardholder information from other systems using physical and logical controls. This zone consists solely of systems used to process and store credit card information.
• PCI version 1.1 states that network segmentation can be used as a means of limiting the scope of PCI compliance and as a compensating control.
• Achieving PCI Compliance when internal networks do not have physical or logical controls separating cardholder systems from other systems is more complex because all systems are in scope.

PCI Scope Considerations
• PCI incorporates two components:
  – Data Security Standards (DSS): focused on the internal policies and procedures in place for protecting credit card data. Scope of the DSS is concerned with systems that process, transmit, and/or store cardholder information.
  – Penetration Testing/Quarterly Scans: focused on validating the external network perimeter controls. Scope of the scans is all external system access points connected to the network.
These access points include wireless networking and Internet connectivity.
• The following slides are examples of a “non-segmented” network and two variations of a “segmented” network.

Non-Segmented Network
All devices would be in scope for audit and scans. All devices need to comply with PCI DSS requirements.
[Diagram labels: Internet, All Web Facing Servers, Internal App Servers, Internal DB Servers, User Base; PCI DSS Scope; PCI Scan Scope]

Partially Segmented Network
Only devices which are within the “PCI Segment” would be in scope and need to comply with PCI DSS Audit requirements; however, all externally accessible systems will still be in scope for PCI Scan Requirements.
[Diagram labels: Internet, User Base, Internal App Servers, Internal DB Servers, Non-eCommerce Web Servers, eCommerce/Web Facing Servers, Cardholder Servers; PCI DSS Scope; PCI Scan Scope]
“Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment.” - PCI DSS

Segmented Network
Only devices which are within the discrete “PCI Segment” would be in scope and need to comply with PCI DSS Audit and Scan Requirements.
[Diagram labels: Internet, User Base, Internal App Servers, Internal DB Servers, Web Facing Servers; Internet, eCommerce/Web Facing Servers, Cardholder Servers, Cardholder DB Servers; PCI DSS Scope; PCI Scan Scope]
Note: No trust relationship exists between the corporate network and the PCI Segment. User access and maintenance will be performed via remote access such as VPN tunnels with two-factor authentication.
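The three topologies differ only in which devices fall under the DSS requirements and which under the scan requirements. As an added example (not from the deck), the Python below encodes those scope rules over a constructed inventory that mirrors the diagram labels, and also flags cardholder-data systems left outside the PCI segment, which is the condition under which the segmentation is not “adequate”. Device attributes, names and the "none"/"partial"/"full" labels are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    handles_chd: bool      # stores, processes or transmits cardholder data
    internet_facing: bool  # an external access point reachable from the Internet
    segment: str           # "pci" or "corporate"; ignored when there is no segmentation


# Constructed inventory mirroring the three slide diagrams.
INVENTORY = [
    Device("user-workstations", False, False, "corporate"),
    Device("internal-app",      False, False, "corporate"),
    Device("internal-db",       False, False, "corporate"),
    Device("corp-web",          False, True,  "corporate"),  # non-eCommerce web servers
    Device("ecom-web",          True,  True,  "pci"),        # eCommerce / web facing servers
    Device("cardholder-app",    True,  False, "pci"),
    Device("cardholder-db",     True,  False, "pci"),
]


def dss_scope(devices: list[Device], segmentation: str) -> set[str]:
    """Systems that must meet the DSS requirements ('none', 'partial' or 'full' segmentation)."""
    if segmentation == "none":
        return {d.name for d in devices}  # nothing isolates the cardholder systems
    return {d.name for d in devices if d.segment == "pci"}


def scan_scope(devices: list[Device], segmentation: str) -> set[str]:
    """External access points covered by the quarterly scans / penetration test."""
    if segmentation == "full":
        # Discrete PCI segment with its own perimeter and no trust relationship to corporate.
        return {d.name for d in devices if d.segment == "pci" and d.internet_facing}
    return {d.name for d in devices if d.internet_facing}


def segmentation_gaps(devices: list[Device], segmentation: str) -> set[str]:
    """Cardholder-data systems left outside the PCI segment: until they move, the
    segmentation is not adequate and the scope reduction cannot be claimed."""
    if segmentation == "none":
        return set()
    return {d.name for d in devices if d.handles_chd and d.segment != "pci"}
```

Running the inventory through all three modes reproduces the slides: seven devices under the DSS with no segmentation, three with either form of segmentation, and the non-eCommerce web servers dropping out of scan scope only in the fully segmented case.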
Segmentation Benefits, Costs, Challenges

Benefits
• Reduced scope for compliance and validation (and lower associated cost for assessment)
• Thorough identification of all associated devices handling cardholder data
• Minimized risk footprint
• Can potentially eliminate compliance issues (ex. wireless)

Costs
• Time to identify servers / network infrastructure handling cardholder data
• Project costs associated with re-engineering of PCI network segment
• Increased initial administrative costs

Challenges
• Providing routine services such as DNS/directory services, time synchronization, intrusion detection, backup and file integrity monitoring to systems within the cardholder data environment
• Maintaining integration of systems and ongoing management of two discrete networks

PCI Qualifications
Protiviti has the following PCI Qualifications:
– PCI Security Council, Qualified Security Assessor
– PCI Security Council, Approved Scanning Vendor
– Visa, Qualified Payment Application Security Company
Fewer than 15% of the PCI assessment companies hold all 3 qualifications.

My Info
Lance Wright, QSA, CISA, CCNA, Security+, Network+
Senior Consultant, Protiviti, Inc.
Lance.Wright@Protiviti.com
(602) 683 – 4117 Office
(602) 631 – 9800 Cell
https://www.pcisecuritystandards.org/ (Lots of great info here)

Thank You for Listening
Questions?