PCI-Presentation-ISACA-Meeting-July

A Deeper Dive on the Digital Dozen
Prepared by:
Protiviti Incorporated
Presented by:
Lance Wright
Protiviti Phoenix
© 2007 Protiviti Inc. Confidential: This document is for internal use only and may not be distributed to an outside party.
Agenda
Knowledge Check (Oh no, not a test)
A Deeper Look at 12 of the More Challenging Requirements
Case Study
Network Segmentation (Limiting the scope of PCI)
Quick Knowledge Check
Take 10 minutes to answer the questions.
Test Review
1) True – 1.1.9, 2.2
2) True – 2.2.1
3) True – 3.2
4) False – 4.1.1
5) False – 5.1
6) True – 6.3.1
7) True – 7.1
8) False – 8.5.5
9) True – 9.8
10) True – 10.6
11) True – 11.3
12) True – 12.7
Common Obstacles / Challenges
Common obstacles / challenges for merchants and service providers
facing compliance with PCI DSS.
- Areas where we have consistently seen clients struggle to develop or
implement solutions to meet the requirements.
- Based on anecdotal evidence
- Not comprehensive (that would take a lot longer than 2 hours)
Section 1
1.1.5 Documented list of services and ports necessary for business
1.1.6 Justification and documentation for any available protocols besides
hypertext transfer protocol (HTTP), and secure sockets layer (SSL), secure
shell (SSH), and virtual private network (VPN)
1.1.7 Justification and documentation for any risky protocols allowed (for
example, file transfer protocol (FTP)), which includes reason for use of protocol
and security features implemented
Firewall configuration review
Ensure consistent comments in firewall rule set
Improved change management (turn it off when you don’t need it)
Network segmentation
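The firewall configuration review the slide calls for comes down to three questions per allow rule: is the port on the documented services list (1.1.5), is anything beyond HTTP/SSL, SSH and VPN justified in writing (1.1.6), and do risky protocols such as FTP carry a reason and the security features in place (1.1.7). The script below is an added example, not part of the deck; it assumes an illustrative one-rule-per-line export (`allow|deny tcp|udp <port> [# comment]`) and a constructed approved-services list. A real review would feed the same checks from an iptables-save or ASA `show run` parser.

```python
"""Rule-set review for PCI DSS 1.1.5 - 1.1.7 (added example, constructed format)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed approved-services list (1.1.5): port -> business service
APPROVED_SERVICES: Dict[int, str] = {
    443: "HTTPS storefront",
    22: "SSH administration from the jump host",
    1433: "reporting database replication",
}

# Protocols 1.1.6 accepts without extra documentation (HTTP/SSL, SSH, VPN)
BASE_PORTS = {80, 443, 22, 1194}

# Protocols the deck calls "risky" (1.1.7): allowed only with a written justification
RISKY_PORTS = {21: "FTP", 23: "telnet", 69: "TFTP", 110: "POP3", 143: "IMAP", 445: "SMB"}

# Assumed export format: "allow tcp 443 # comment"
RULE_RE = re.compile(r"^(allow|deny)\s+(tcp|udp)\s+(\d+)\s*(?:#\s*(.*))?$")


@dataclass
class Finding:
    line: int
    rule: str
    issue: str


def review_ruleset(text: str) -> List[Finding]:
    """Return one Finding per documentation or justification gap in an allow rule."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append(Finding(n, line, "unparseable rule; review by hand"))
            continue
        action, proto = m.group(1), m.group(2)
        port, comment = int(m.group(3)), (m.group(4) or "").strip()
        if action != "allow":
            continue  # deny rules need no business justification
        justified = "justification:" in comment.lower()
        if not comment:
            findings.append(Finding(n, line, "allow rule carries no comment"))
        if port not in APPROVED_SERVICES:
            findings.append(Finding(n, line, f"{port}/{proto} is not on the approved services list (1.1.5)"))
        if port in RISKY_PORTS and not justified:
            findings.append(Finding(n, line, f"{RISKY_PORTS[port]} allowed without a 'justification:' comment (1.1.7)"))
        elif port not in BASE_PORTS and not justified:
            findings.append(Finding(n, line, f"{port}/{proto} is not HTTP/SSL/SSH/VPN and lacks a 'justification:' comment (1.1.6)"))
    return findings


# Constructed sample export, not a real customer rule set
SAMPLE_RULESET = """\
allow tcp 443   # HTTPS storefront
allow tcp 22    # SSH admin from jump host
allow tcp 21    # legacy vendor upload
allow tcp 3306
allow tcp 1433  # justification: reporting DB replication, TLS enforced
deny  tcp 31337 # backdoor port from the case study, explicitly blocked
"""

if __name__ == "__main__":
    for f in review_ruleset(SAMPLE_RULESET):
        print(f"line {f.line}: {f.rule!r}: {f.issue}")
```

Run against the sample, the FTP rule draws two findings (not on the list, no justification) and the bare MySQL rule draws three; the justified SQL Server rule and the deny rule draw none. The "consistent comments" point on the slide is what makes the `justification:` convention checkable by a script at all.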
Section 2
2.2 Develop configuration standards for all system components. Assure that
these standards address all known security vulnerabilities and are consistent
with industry-accepted system hardening standards as defined, for example,
by SysAdmin Audit Network Security Network (SANS), National Institute of
Standards Technology (NIST), and Center for Internet Security (CIS).
“…all known security vulnerabilities…” - not the top 10 or 20
“ …all system components…” - not just routers and firewalls (section 1)
The very definition of a standard is that it is industry accepted.
What is your “standard” based on?
Section 3
3.4 Render PAN, at minimum, unreadable anywhere it is stored (including data
on portable digital media, backup media, in logs, and data received from or
stored by wireless networks) by using any of the following approaches
• Strong one-way hash functions (hashed indexes)
• Truncation
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key management processes or
procedures
The MINIMUM account information that must be rendered unreadable is the
PAN.
Recognized as the basic tenet of PCI. “Thou shalt encrypt.”
Unfortunately, not very easy to implement, especially in well established
environments.
Tokenization may limit scope to some degree
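Three of the four 3.4 approaches applied to one PAN, as an added example that is not from the deck. It uses only the standard library; the PAN is the well-known Visa test number, and the HMAC key and the vault are constructed for the demonstration. In production the vault (the only place the PAN survives) is the in-scope store and holds the PAN under strong cryptography with key management, the fourth 3.4 approach, which is left out here.

```python
"""Truncation, keyed hash index and index token for one PAN (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Mod-10 check that every issuer-assigned PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """First six and last four only; the middle digits are discarded, not masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_index(pan: str, key: bytes) -> str:
    """Keyed one-way hash usable as a lookup index.

    A plain SHA-256 of a PAN is not 'strong' in practice: with the issuer
    prefix known and the Luhn digit fixed, a 16-digit PAN has about 10^9
    candidates per BIN, which is brute-forced in seconds. The key (kept under
    the same controls as an encryption key) is what makes the index unreversible.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index-token scheme: applications keep the token, only the vault keeps the PAN."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]  # same PAN -> same token, so reports still join
        while True:
            # Format-preserving: same length and real last four so legacy schemas
            # keep working, but deliberately NOT Luhn-valid so a token can never
            # be mistaken for (or used as) a card number.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only authorised in-scope callers should reach this (7.2 deny-all applies)."""
        return self._token_to_pan[token]


TEST_PAN = "4111111111111111"        # Visa test number, not a live card
INDEX_KEY = secrets.token_bytes(32)  # constructed; a real key comes from key management

if __name__ == "__main__":
    vault = TokenVault()
    print("truncated: ", truncate_pan(TEST_PAN))
    print("hash index:", hash_index(TEST_PAN, INDEX_KEY)[:16] + "...")
    tok = vault.tokenize(TEST_PAN)
    print("token:     ", tok, "(Luhn valid:", luhn_valid(tok), ")")
```

The scope point on the slide follows from the design: every system that holds only tokens or truncated values has no PAN to protect, and the vault, the detokenize path and whatever calls it are what remain in scope.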
Tokenization
Section 4
4.2 Never send unencrypted PAN by e-mail.
E-mail can be easily intercepted by packet-sniffing during delivery traversal
across internal and public networks.
Data / content monitoring solution (one time or continuous)
Policy / User training
Encryption solution (PGP, etc.)
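What the "data / content monitoring solution" bullet does at its core: find card numbers in outbound mail before they leave. The detector below is an added example, not from the deck; the message is constructed. Candidate digit runs are found by regex and confirmed with the Luhn check so phone numbers, order numbers and timestamps are not flagged.

```python
"""Outbound e-mail check for 4.2: flag Luhn-valid PANs in subject and body (added example)."""
import re
from email import message_from_string
from typing import List

# 13-19 digits, optionally grouped by single spaces or dashes (how people type card numbers)
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid 13-19 digit sequences, masked to first six / last four.

    Masking matters here too: the monitoring system's own alert log must not
    become another place PAN is stored in the clear.
    """
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def check_outbound(raw_message: str) -> dict:
    """Scan the subject and every text/plain part of an RFC 822 message; return a verdict."""
    msg = message_from_string(raw_message)
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    pans = find_pans("\n".join(parts))
    return {"block": bool(pans), "pans": pans, "count": len(pans)}


# Constructed sample: one real-looking PAN, one order number that fails Luhn, one phone number
SAMPLE_MESSAGE = """\
From: hostess@example.com
To: vendor@example.net
Subject: chargeback paperwork
Content-Type: text/plain; charset=utf-8

Hi, the card on the disputed ticket was 4111 1111 1111 1111, exp 09/09.
Order ref 4111111111111112, call me on 602-683-4117 if you need anything.
"""

if __name__ == "__main__":
    print(check_outbound(SAMPLE_MESSAGE))
```

In a mail gateway the verdict drives a block-and-notify action rather than a print; the same `find_pans` function works unchanged over chat exports, ticket comments or shared-drive documents for the one-time discovery sweep the slide mentions.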
Section 5
5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and
protecting against other forms of malicious software, including spyware and
adware.
It is important to protect against ALL types and forms of malicious software.
Make sure the AV solution you use contains an anti-spyware component or
module and that it is running and generating logs.
Section 6
6.5 Develop all web applications based on secure coding guidelines, such as the
Open Web Application Security Project Guidelines. Review custom application
code to identify coding vulnerabilities. Cover prevention of common coding
vulnerabilities in software development processes, to include the following:
1) Unvalidated input
2) Broken access control (for example, malicious use of user IDs)
3) Broken authentication and session management (use of account credentials and session cookies)
4) Cross-site scripting (XSS) attacks
5) Buffer overflows
6) Injection flaws (for example, structured query language (SQL) injection)
7) Improper error handling
8) Insecure storage
9) Denial of service
10) Insecure configuration management
Web application scanner prior to movement of any code to production.
Ensure the scanner covers all 10 areas.
Based on the 2004 version of the OWASP Top 10 (not current: the 2007 list added CSRF, insecure
cryptographic storage, insecure communications and failure to restrict URL access, all important).
Section 7
7.2 Establish a mechanism for systems with multiple users that restricts access
based on a user’s need to know, and is set to “deny all” unless specifically
allowed.
Without a mechanism to restrict access based on user’s need to know, a user
may unknowingly be granted access to cardholder data.
User reviews, segregation of duties, strong user access management
Section 8
8.3 Implement two-factor authentication for remote access to the network by
employees, administrators, and third parties. Use technologies such as remote
authentication and dial-in service (RADIUS) or terminal access controller
access control system (TACACS) with tokens; or VPN (based on SSL/TLS or
IPSEC) with individual certificates.
Two-factor authentication technologies provide a one-time password, to be used
when an additional authentication item is needed for higher-risk accesses, like
from outside your network. For additional security, your organization can also
consider using two-factor authentication when accessing networks of higher
security from networks of lower security (for example, from corporate desktops
(lower security) to production servers/databases with cardholder data (high
security)).
Most common solution is a key fob (RSA SecurID), although SSL client certificates can
be used as well.
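The one-time password the slide describes, worked through as an added example that is not from the deck and is not RSA's proprietary SecurID algorithm: this is the open HOTP/TOTP scheme (RFC 4226 / RFC 6238) that current hardware fobs and phone apps implement, written against the standard library. The secret is the RFC 6238 test-vector seed, not a real token seed.

```python
"""HOTP/TOTP generation and server-side verification (added example, RFC test seed)."""
import hashlib
import hmac
import struct
from typing import Set


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, used: Set[int],
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check of a submitted code.

    Accepts the current step and +/- `window` neighbours (clock drift between
    token and server), compares in constant time, and records the accepted
    counter in `used` so the same code cannot be replayed inside its validity
    period. That replay rule is what makes the password one-time.
    """
    now_counter = unix_time // step
    for counter in range(now_counter - window, now_counter + window + 1):
        if counter in used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            used.add(counter)
            return True
    return False


RFC_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test seed, not a real token seed

if __name__ == "__main__":
    used: Set[int] = set()
    code = totp(RFC_SECRET, 59, digits=8)
    print("T=59 ->", code)  # 94287082 per RFC 6238
    print("first use:", verify_totp(RFC_SECRET, code, 59, used, digits=8))
    print("replay:   ", verify_totp(RFC_SECRET, code, 59, used, digits=8))
```

The second factor only counts if the seed stays on the token and the RADIUS/TACACS server, and if the server refuses a code it has already accepted; a verifier that skips the `used` bookkeeping has turned the one-time password into a 30-second static one.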
Section 9
9.6 Physically secure all paper and electronic media (including computers,
electronic media, networking and communications hardware,
telecommunication lines, paper receipts, paper reports, and faxes) that contain
cardholder data.
Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it
is unprotected while it is on portable media, printed out, or left on someone’s
desk. Consider procedures and processes for protecting cardholder data on
media distributed to internal or external users. Without such procedures data
can be lost or stolen and used for fraudulent purposes.
Most often overlooked by IT, since they oftentimes do not oversee the paperwork
side of credit card transactions.
Paperless environments (as much as possible) put the control back with IT.
Section 10
10.5.3 Promptly back up audit trail files to a centralized log server or media that
is difficult to alter.
Adequate protection of the audit logs includes strong access control (limit access
to logs based on “need to know” only) and use of internal segregation (to
make the logs harder to find and modify).
Several industry solutions (LogLogic, RSA enVision, etc.)
Don’t forget to include any wireless access points
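"Media that is difficult to alter" can be had without a specialist product: if every forwarded record carries the hash of the record before it, the central copy can be checked end to end, and editing, deleting or reordering any record breaks every link after it. The code below is an added example, not from the deck and not any of the products it names; the audit lines are constructed.

```python
"""Hash-chained copy of an audit trail, with verification (added example, constructed log)."""
import hashlib
from typing import Dict, List, Optional

GENESIS = "0" * 64  # anchor for the first record


def _digest(prev: str, record: str) -> str:
    return hashlib.sha256((prev + "\n" + record).encode()).hexdigest()


def chain_records(records: List[str]) -> List[Dict[str, str]]:
    """What the forwarder ships: each record plus the hash linking it to its predecessor."""
    out: List[Dict[str, str]] = []
    prev = GENESIS
    for rec in records:
        h = _digest(prev, rec)
        out.append({"record": rec, "prev": prev, "hash": h})
        prev = h
    return out


def verify_chain(entries: List[Dict[str, str]]) -> Optional[int]:
    """Return the index of the first broken link, or None if the chain is intact.

    A modified record changes its own hash; a deleted or reordered record
    leaves the next entry pointing at a 'prev' the verifier never computed.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or _digest(e["prev"], e["record"]) != e["hash"]:
            return i
        prev = e["hash"]
    return None


# Constructed audit records (syslog-like), including the kind of line an intruder removes
AUDIT_TRAIL = [
    "2008-07-15T02:11:03 fw01 deny tcp 10.1.5.7:4431 -> 10.1.9.20:31337",
    "2008-07-15T02:11:09 fw01 permit tcp 10.1.5.7:4432 -> 10.1.9.20:31337",
    "2008-07-15T02:12:44 pos03 login user=admin src=10.1.5.7",
    "2008-07-15T02:13:01 pos03 service sniffer.exe installed",
]

if __name__ == "__main__":
    shipped = chain_records(AUDIT_TRAIL)
    print("intact, first bad link:", verify_chain(shipped))
    shipped[2]["record"] = shipped[2]["record"].replace("admin", "backup")
    print("after edit, first bad link:", verify_chain(shipped))
```

The chain only proves something if the latest hash is periodically recorded somewhere the log host cannot write (the central log server, or a signed daily digest), which is the "need to know" access control on the slide in another form.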
Section 11
11.5 Deploy file integrity monitoring software to alert personnel to unauthorized
modification of critical system or content files; and configure the software to
perform critical file comparisons at least weekly.
File integrity monitoring systems check for changes to critical files, and notify
when such changes are noted. There are both off-the-shelf and open source
tools available for file integrity monitoring. If not implemented and the output
monitored, a hacker or user with malicious intent could alter file contents or
steal data undetected.
Note – critical system or content files
Common industry solutions (Tripwire, CA Auditor, Cisco MARS, etc.)
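The mechanism behind every product on that list, as an added example that is not from the deck and is not Tripwire: baseline the critical files (hash, size, permission bits), keep the baseline somewhere the monitored host cannot rewrite it, and compare on a schedule (11.5 says at least weekly). The "payment application" tree below is constructed in a temporary directory so the example runs anywhere.

```python
"""Minimal file-integrity monitor: baseline, compare, report (added example, constructed files)."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List

Snapshot = Dict[str, Dict[str, object]]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Snapshot:
    """Hash, size and permission bits of every regular file under root (symlinks skipped)."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = {"sha256": _sha256(path), "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}
    return snap


def compare(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    """Classify differences; a permission change alone counts as a modification (a chmod is an event)."""
    report: Dict[str, List[str]] = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            report["modified"].append(rel)
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed payment-application tree, baseline it, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "conf"))
        with open(os.path.join(root, "pos.exe"), "wb") as f:
            f.write(b"original binary")
        with open(os.path.join(root, "conf", "pos.ini"), "w") as f:
            f.write("encrypt=yes\n")
        with open(os.path.join(root, "README"), "w") as f:
            f.write("release notes\n")

        baseline_json = json.dumps(snapshot(root))  # in practice shipped off-host, not left beside the files

        # the three things an intruder does: patch a binary, plant a file, delete evidence
        with open(os.path.join(root, "pos.exe"), "wb") as f:
            f.write(b"original binary" + b"\x90" * 8)
        with open(os.path.join(root, "conf", "sniffer.dll"), "wb") as f:
            f.write(b"planted")
        os.remove(os.path.join(root, "README"))

        return compare(json.loads(baseline_json), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report is only the first half of 11.5; "alert personnel" means someone reads it, and a planted DLL in a payment application's directory is exactly the kind of change that a weekly comparison would have surfaced in the case study.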
Section 12
12.8 Contractually require all third parties with access to cardholder data to
adhere to payment card industry security requirements.
If a merchant or service provider shares cardholder data with a service provider,
then the service provider receiving the cardholder data should sign a legal
document that holds them responsible for complying with cardholder data
security policies, and has them acknowledge this responsibility. This helps
ensure that the continued protection of this data will be enforced by outside
parties.
All vendors and contractors who have access must also be in compliance.
Language must be added to existing contracts.
Many times vendors are seeking the same language as well.
Case Study – HACKED!!
Read the narrative provided
Attempt to identify PCI DSS requirements not “In Place” that led to the data
breach.
Attempt to identify corresponding remediation steps for each item that is not “In
Place” that may have thwarted John the Hacker.
PCI Sections
Some Answers
User Training
12.6 - Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
Hostess and manager should be trained on security policies and procedures to protect cardholder data.
Visitor badge and logging
9.4 - Use a visitor log to maintain a physical audit trail of visitor activity.
9.3.2 - Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees.
Implement a visitor handling policy and procedures to include logging and badges
Video Monitoring
9.1.1 – Use cameras to monitor sensitive areas
Install video surveillance
File integrity monitoring
11.5 - Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files; and configure the software to
perform critical file comparisons at least weekly.
Install file integrity monitoring agent on all payment application servers.
Firewall configuration
1.1.5 - Documented list of services/ports necessary for business.
How did port 31337 get open?
Firewall and Router rule set review to disallow unneeded ports / protocols
Computer logged in
8.5.15 - If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
Update GPO to ensure session lockout occurs.
Fact or Fiction?
Wired Magazine - The government said the Dave & Buster's hackers illegally
accessed 11 of the national chain's servers and installed packet sniffers at
each location. The sniffers vacuumed up "Track 2" data from the credit card
magstripes as it traveled from the restaurant's servers to Dave & Buster's
headquarters in Dallas, according to the indictment.
FOX News - Eleven Dave & Buster's restaurants at various locations around the United States
were hit in the scheme, including one in Islandia, on Long Island, where information was
stolen on 5,000 credit and debit cards, causing at least $600,000 in losses, federal
prosecutors said.
Interesting Reads
Network Segmentation
• Network segmentation within the PCI context refers to the separation of
cardholder information from other systems using physical and logical controls.
The resulting zone consists solely of systems used to store, process, or
transmit credit card information.
• PCI DSS version 1.1 states that network segmentation can be used as a means of
limiting the scope of PCI compliance and as a compensating control.
• Achieving PCI compliance when internal networks do not have physical or
logical controls separating cardholder systems from other systems is more
complex because all systems are in scope.
PCI Scope Considerations
• PCI incorporates two components:
– Data Security Standard (DSS)
  • Focused on the internal policies and procedures in place for protecting credit card data.
  • Scope of the DSS is the systems that process, transmit, and/or store cardholder
  information.
– Penetration Testing / Quarterly Scans
  • Focused on validating the external network perimeter controls.
  • Scope of the scans is every externally accessible access point to the network,
  including wireless networking and Internet connectivity.
• The following slides are examples of a “non-segmented” network and two
variations of a “segmented” network.
Non-Segmented Network
All devices would be in scope for audit and scans. All devices need to comply with
PCI DSS requirements
[Diagram: Internet, all web-facing servers, internal app servers, internal DB servers and the
user base sit on one network. The PCI DSS scope and the PCI scan scope both cover the entire network.]
Partially Segmented Network
Only devices which are within the “PCI Segment” would be in scope and need to comply with PCI
DSS Audit requirements, however all externally accessible systems will still be in scope for
PCI Scan Requirements.
[Diagram: the user base, internal app servers, internal DB servers and non-eCommerce web servers
sit on the corporate network; the cardholder servers sit in a “PCI Segment” behind their own
filtering. PCI DSS scope: the PCI segment only. PCI scan scope: every externally accessible system,
i.e. both the non-eCommerce web servers and the eCommerce/web-facing servers.]
“Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from
those that do not, may reduce the scope of the cardholder data environment.“ - PCI DSS
Segmented Network
Only devices which are within the discrete “PCI Segment” would be in
scope and need to comply with PCI DSS Audit and Scan Requirements.
[Diagram: the corporate network (user base, internal app servers, internal DB servers, web-facing
servers) and the PCI segment (cardholder servers, cardholder DB servers, eCommerce/web-facing
servers) each have their own Internet connection. Both the PCI DSS scope and the PCI scan scope
cover only the PCI segment.]
Note: No trust relationship exists between the corporate network and the PCI segment. User
access and maintenance are performed via remote access such as VPN tunnels with two-factor
authentication.
Segmentation Benefits, Costs, Challenges
Benefits
• Reduced scope for compliance and validation (and lower associated cost for assessment)
• Thorough identification of all associated devices handling cardholder data
• Minimized risk footprint
• Can potentially eliminate compliance issues (ex. wireless)
Costs
• Time to identify servers / network infrastructure handling cardholder data
• Project costs associated with re-engineering of PCI network segment
• Increased initial administrative costs
Challenges
• Providing routine services such as DNS/directory services, time synchronization, intrusion
detection, backup and file integrity monitoring to systems within the cardholder data environment
• Maintaining integration of systems and ongoing management of two discrete networks
PCI Qualifications
Protiviti has the following PCI Qualifications
– PCI Security Council, Qualified Security Assessor
– PCI Security Council, Approved Scanning Vendor
– Visa, Qualified Payment Application Security Company
Fewer than 15% of the PCI assessment companies hold all 3
qualifications
My Info
PCI Qualifications
Lance Wright
QSA, CISA, CCNA, Security+, Network+
Senior Consultant
Protiviti, Inc.
Lance.Wright@Protiviti.com
(602) 683 – 4117 Office
(602) 631 – 9800 Cell
https://www.pcisecuritystandards.org/ ( Lots of great info here)
Thank You for Listening
Questions?