1 final secnet_pci

Date post: 15-Jan-2015
Description:
A quick overview on Vulnerability Management & PCI-DSS Compliance then both solutions of Qualys & Tenable
Transcript
Page 1: 1 final secnet_pci

Mostafa Moraad, Security Solution Consultant

Vulnerability Management & PCI-DSS Compliance

Page 2: 1 final secnet_pci

April 10, 2023 Mostafa Moraad - SecNet L.L C. 2

Agenda

• Vulnerability Management Lifecycle
• Why Vulnerability Management
  – Definitions
  – Concepts
  – Sample Security Report (Cisco 2014)
  – Best Practice
• PCI-DSS Introduction
  – PCI-DSS is …
  – PCI-DSS Role Players
  – Requirement
  – Validation Challenges
  – Integration of efforts
• SecNet Sol#1 (Qualys)
• SecNet Sol#2 (Tenable)
• Deliverables
• Benefits & ROI

Page 3: 1 final secnet_pci

Vulnerability Management Lifecycle

(Cycle diagram; the stage labels from the slide:)

• Setup & Discovery (network devices)
• Planning: prioritize assets & check policy
• Vulnerability Assessment
• Report
• Remediate
• Verify (summary report)
• Monitor

Page 4: 1 final secnet_pci

Definitions

• Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that may result in a security breach or a violation of the system's security policy.

• Threat: The potential for a specific vulnerability to be exercised either intentionally or accidentally

• Control: Measures taken to prevent, detect, minimize, or eliminate risk to protect the Integrity, Confidentiality, and Availability of information.

• Vulnerability Assessment: The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.

Page 5: 1 final secnet_pci

Concepts

• Vulnerabilities come from many things, including:
  i. Flaws in software
  ii. Faulty configuration
  iii. Weak passwords
  iv. Human error
  • Inappropriately assigned permission levels
  • System inappropriately placed in the infrastructure/environment

• Vulnerability Assessment is the most important subset of Vulnerability Management.

• Attackers have a natural advantage over defenders: they are smart, dedicated and persistent, so no single security approach can be sufficient to stop them.

• New vulnerabilities come out every day, and they don't go away by themselves.

Page 6: 1 final secnet_pci

Sample Security Report (Cisco 2014)

Page 7: 1 final secnet_pci

Best Practice

• Proactive VS. Reactive

• Vulnerability Management is a repetitive process

• Create official purpose and procedures

• Decide on schedule

• Think in terms of risk

• Document everything

• Know your environment

• Always be prepared
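The lifecycle and best-practice points above (prioritize assets, think in terms of risk, decide on a schedule, verify before closing) as an added example in Python; this is not code from the deck or from either vendor, and the asset names, findings, severity scale and SLA days are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation schedule (days per severity): placeholders, not a standard.
SLA_DAYS = {5: 7, 4: 14, 3: 30, 2: 60, 1: 90}

@dataclass
class Asset:
    name: str
    criticality: int  # 1 (low) .. 5 (crown jewel), assigned in the Planning step

@dataclass
class Finding:
    asset: str
    title: str
    severity: int  # 1..5 as reported by the scanner in the Assessment step
    found: date
    verified_fixed: "date | None" = None  # set only by the Verify step

def risk(asset: Asset, f: Finding) -> int:
    # Rank by risk, not raw severity: the same flaw on a crown-jewel host
    # outranks it on a low-value one ("think in terms of risk").
    return asset.criticality * f.severity

def prioritise(assets, findings):
    """Report step: open findings, highest risk first, oldest first on ties."""
    by_name = {a.name: a for a in assets}
    open_findings = [f for f in findings if f.verified_fixed is None]
    return sorted(open_findings, key=lambda f: (-risk(by_name[f.asset], f), f.found))

def sla_status(f: Finding, today: date) -> str:
    """Remediate step: 'closed', 'open' or 'overdue' against the schedule."""
    if f.verified_fixed is not None:
        return "closed"
    deadline = f.found + timedelta(days=SLA_DAYS[f.severity])
    return "overdue" if today > deadline else "open"

def verify(findings, still_reported, today: date):
    """Verify step: close a finding only when the rescan no longer reports it;
    still_reported is the set of (asset, title) pairs the rescan still sees."""
    for f in findings:
        if f.verified_fixed is None and (f.asset, f.title) not in still_reported:
            f.verified_fixed = today
    return [f for f in findings if f.verified_fixed is None]

# Constructed sample inventory, scan output and "now" (not from the slides).
TODAY = date(2015, 1, 10)
ASSETS = [Asset("pay-db", 5), Asset("kiosk", 2)]
FINDINGS = [Finding("kiosk", "Unpatched OpenSSL", 5, date(2015, 1, 2)),
            Finding("pay-db", "Default admin password", 4, date(2015, 1, 5)),
            Finding("pay-db", "Unpatched OpenSSL", 5, date(2015, 1, 5))]
```

A finding marked fixed by the remediation team but still seen by the rescan stays open, which is the Verify stage doing its job.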

Page 8: 1 final secnet_pci

PCI-DSS INTRODUCTION (Payment Card Industry Data Security Standard)

How to apply this in financial organizations?

Page 9: 1 final secnet_pci

PCI-DSS is…

• A security standard that includes requirements for security management (vulnerability management), policies, procedures, network architecture, software design and other critical protective measures to help organizations proactively protect customer account data.

• Primarily concerned with the Processing, Storage and Transmission of the Primary Account Number (PAN) on the front of every Debit and Credit Card, and its protection

• A joint effort of (VISA International, MasterCard Worldwide, American Express, Discover Financial Services, JCB)

• Meant for Systems (H/W, S/W), Merchants, Service Providers and any organization that Stores, Transmits or Processes cardholder data in any kind of transaction

Page 10: 1 final secnet_pci

PCI-DSS Role Players

Page 11: 1 final secnet_pci

Requirements (1)

12 Requirements divided into 6 Categories

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive information across public networks.

Maintain a Vulnerability Management Program
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.

Page 12: 1 final secnet_pci

Requirements (2)

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Routinely test security systems and processes.

Maintain an Information Security Policy
12. Establish high-level security principles and procedures.

Page 13: 1 final secnet_pci

Validation Challenges

• Annual Assessment Questionnaire
• Security Vulnerability Scan – Quarterly
• Fully understand and document the processes and payment environment
• Tracking and monitoring of access to payment card systems and data
• Controlling logical access to systems containing payment card data
• Security event monitoring across various environments
• Limited security capabilities (authentication, monitoring etc.) of legacy systems
• Remediation of controls across large (legacy) distributed environments
• Encryption of payment card data
• Putting PCI language in place for third-party service providers

Page 14: 1 final secnet_pci

Solution #1: QUALYSGUARD

IT SECURITY & COMPLIANCE SUITE

Page 15: 1 final secnet_pci

Qualys at a Glance

• Founded in 1999; built as a Software as a Service (SaaS) implementation from inception
• Financials: $65M in funding; last round of funding in Dec 2004
• Subscriber base: 4,000+ active subscribers (very diversified customer base); 42% of the Fortune 100, 22% of the Fortune 1000 and 15% of the Forbes Global 2000; Americas 70%, EMEA 25%, Asia Pacific 5%
• Global strategic partnerships
  – MSSPs: Symantec, IBM, BT, SecureWorks, Savvis, Verizon Business, Tata, NTT, Telus, Orange Business Systems
  – Security consulting organizations: IBM, HP, Cisco, HCL, Wipro, Fishnet, Accuvant, Deloitte, PwC, Computacenter

Page 16: 1 final secnet_pci

QualysGuard IT Security & Compliance Suite

• QualysGuard Vulnerability Management - Globally Deployable, Scalable Security Risk and Vulnerability Management
• QualysGuard Policy Compliance - Define, Audit, and Document IT Security Compliance
• QualysGuard PCI Compliance - Automated PCI Compliance Validation for Merchants and Acquiring Institutions
• QualysGuard Web Application Scanning - Automated Web Application Security Assessment and Reporting that Scales with your Business
• QualysGuard Malware Detection (New) - Free Malware Detection Service for Web Sites
• Qualys GO SECURE (New) - Web Site Security Testing Service and Security Seal that Scans for Vulnerabilities, Malware and SSL Certificate Validation

Page 17: 1 final secnet_pci

Software-as-a-Service (SaaS)

• SaaS applications can easily be deployed globally

• SaaS simplifies security

• SaaS enables a shorter time from development to delivery of application enhancements

• SaaS allows for easier integration between point solutions and transparent delivery for the user

• SaaS business model has security built-in

• SaaS Model allows short Sales Cycle with extremely quick PoC Turnaround time.

Page 18: 1 final secnet_pci

QualysGuard Global Infrastructure

Annual Volume of Scans: 200+ million IP audit scans (maps and scans) with 7,000 scanner appliances in over 85 countries with 6 Sigma scanning accuracy (less than 3.4 defects per million scans)

The world's largest VM enterprise deployment: at a Forbes Global 50 with 223 scanner appliances deployed in 52 countries scanning over 750,000 IPs

Page 19: 1 final secnet_pci

IT Security + Compliance Posture: Actionable Reporting for all Stakeholders

• SECURITY
• AUDITORS
• MANAGEMENT
• OPERATIONS

Page 20: 1 final secnet_pci

QualysGuard Vulnerability Management

Reduce Security Risks to the Business by Operationalizing the Management of Network Vulnerabilities

– Discover and prioritize all network assets with no software to install or maintain
– Identify security vulnerabilities
– Distribute and audit remediation
– Integrate with 3rd party and customer applications

Page 21: 1 final secnet_pci

QualysGuard Policy Compliance

Provides a Comprehensive Compliance Posture of the Global IT Infrastructure – Distributes and Audits Remediation

– Identify policy violations remotely across all network assets
– Supports multiple regulatory initiatives and mandates
– Controls Library mapped directly to frameworks such as COBIT, ISO, HIPAA, Basel II, etc.
– Detailed reporting tailored to the unique needs of auditors, IT security and compliance users

Page 22: 1 final secnet_pci

QualysGuard® Policy Compliance (Audit Results & Reports)

• Automated Compliance Reporting
  – Report Templates
  – Compliance to Policy by Asset Group or by Host
  – Trend of remediation efforts
  – Effectiveness of compliance programs
  – Identify areas that need to be addressed quickly

• Built-in Exception Management
  – Create and manage exceptions
  – Track remediation SLA

Page 23: 1 final secnet_pci

QualysGuard® PCI

SaaS Platform for ASVs and QSAs to perform PCI DSS Certification and for Acquiring Banks to audit their merchants

– Complete annual PCI DSS “Self-Assessment Questionnaire”
– Pass network security scans every 90 days by an approved scanning vendor
– Document and submit proof of compliance to acquiring banks
– Meet requirement 6.6 by performing automated Web Application Scanning
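The two validation cadences named here and on the Validation Challenges slide (a passing ASV scan every 90 days, an annual Self-Assessment Questionnaire) as an added example in Python; this is not code from the deck or from Qualys, and the scan history, SAQ date and checkpoint dates are constructed.

```python
from datetime import date, timedelta

# Cadences taken from the slides: a passing ASV scan "every 90 days" and an
# annual Self-Assessment Questionnaire (SAQ).
SCAN_WINDOW = timedelta(days=90)
SAQ_WINDOW = timedelta(days=365)

def passing_scan_dates(scans):
    """scans: iterable of (date, passed). Only passing scans count; a failed
    scan must be followed by a passing rescan before the window runs out."""
    return sorted(d for d, passed in scans if passed)

def scan_coverage_gaps(scans, period_start, period_end):
    """Return (gap_start, gap_end) spans in which more than 90 days passed
    without a passing scan, i.e. the merchant fell out of quarterly validation."""
    gaps, last = [], period_start
    for d in passing_scan_dates(scans):
        if d - last > SCAN_WINDOW:
            gaps.append((last + SCAN_WINDOW, d))
        last = d
    if period_end - last > SCAN_WINDOW:
        gaps.append((last + SCAN_WINDOW, period_end))
    return gaps

def validation_status(scans, saq_dates, today):
    """Snapshot for the acquirer submission: is each evidence item current,
    and when is the next one due."""
    last_scan = max((d for d in passing_scan_dates(scans) if d <= today), default=None)
    last_saq = max((d for d in saq_dates if d <= today), default=None)
    return {
        "quarterly_scan_current": last_scan is not None and today - last_scan <= SCAN_WINDOW,
        "annual_saq_current": last_saq is not None and today - last_saq <= SAQ_WINDOW,
        "next_scan_due": last_scan + SCAN_WINDOW if last_scan else today,
        "next_saq_due": last_saq + SAQ_WINDOW if last_saq else today,
    }

# Constructed scan history (not from the slides): the failed March scan was
# only re-passed in July, so one quarter went unvalidated.
SCANS = [(date(2014, 1, 10), True), (date(2014, 3, 20), False),
         (date(2014, 7, 1), True), (date(2014, 9, 25), True)]
SAQ_DATES = [date(2014, 1, 15)]
PERIOD = (date(2014, 1, 1), date(2014, 12, 31))
CHECKPOINTS = (date(2014, 12, 1), date(2015, 1, 20))  # two "today" values for the sample
```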

Page 24: 1 final secnet_pci

QualysGuard in the Market

• Financial Services
• Chemical
• Insurance
• Portals/Internet
• Retail
• Technology
• Consulting

Page 25: 1 final secnet_pci

Solution #2: TENABLE SECURITY CENTER

Page 26: 1 final secnet_pci

About Tenable (Nessus)

• Founded in 2002
• Creator of Nessus®, de facto standard for vulnerability management
  – Over 15,000 customers
  – Over 2 million Nessus users
• Highest Gartner rating
• Profitable, with 19 consecutive quarters of growth
• 552% annual revenue growth over 4 years

Growth Capital: Tenable receives $50M in growth capital from Accel Partners to accelerate company growth.

ACAS: Tenable receives the ACAS award from DISA to become the standard for active and passive monitoring across the DoD and Intelligence Community.

Seamless Solution: Tenable is the only vendor to deliver real-time vulnerability, threat and compliance management for mobile, cloud and virtual infrastructure by combining active scanning and patented passive monitoring.

PCI Approved Scanning Vendor (PCI ASV): Tenable becomes a PCI ASV, allowing Nessus Perimeter Service customers to scan their perimeter networks and submit PCI scans for quarterly validation.

Page 27: 1 final secnet_pci

Security Center

Enterprise Level Vulnerability Scanning and Configuration Auditing

> Vulnerability and Patch Auditing
> Web Application Auditing
> Configuration Auditing
> Botnet Detection

Page 28: 1 final secnet_pci

SC Continuous View

System Analysis
> Continuous Asset Discovery
> Server Vulnerabilities
> Client Side Vulnerabilities
> SSL Certificate Auditing
> File Share Listings
> Social Network Application
> Trust Relationships
> Mobile Device Identification

Create New Logs That Don't Exist
> Log administration sessions for SSH, VNC and Windows Remote Desktop
> Log all SSL sessions
> Log all files transferred via HTTP, SMB, NFS, FTP and SMTP
> Log all DNS queries and web requests
> Convert SQL queries to log statements
> Identify new hosts and new ports in real-time
> Identify interactive and encrypted network sessions

Event Sources
> System Logs
> Firewalls
> NIDS
> File Integrity
> Mainframes
> Netflow
> Anti Virus
> Web Logs
> Logins
> Honeypots
> Email Logs

Correlations
> Threatlist connections
> Intrusion Events that target Vulnerabilities
> Tracking all events by User ID
> Statistical increases in events
> First time seen events
> Continuous event stream

Active System Analysis
> Asset Discovery
> Vulnerability Auditing
> Web Application Testing
> Patch Auditing
> Configuration Auditing
> Sensitive Data At Rest
> Botnet Identification
> Software Enumeration
> User Enumeration
> Anti Virus Agent Auditing

Page 29: 1 final secnet_pci

Reports Samples

Page 30: 1 final secnet_pci

PCI Compliance Report

Page 31: 1 final secnet_pci

3D Network Visualization

Page 32: 1 final secnet_pci

Benefits & ROI

• Protect customers' personal data

• Boost customer confidence through a higher level of data security

• Lower exposure to financial losses and remediation costs

• Maintain customer trust and safeguard the reputation of the brand

• Provide a complete "health check" for any business that stores or transmits customer information

Page 33: 1 final secnet_pci

Thank You

