5 Under-utilized PCI Requirements and how you can leverage them

Date post: 26-Jun-2015
Upload: praveen-vackayil

Transcript
Page 1: 5 Under-utilized PCI Requirements and how you can leverage them

By – Praveen Joseph Vackayil

5 Under-utilized PCI Requirements

AND HOW YOU CAN FULLY LEVERAGE THEM

Praveen Joseph Vackayil, CISSP, CCNA, ISO 27001 LA, former PCI QSA, MS (Warwick), BE

Page 2

DISCLAIMER

Page 3

Ground Rules

• Mobile phones – you know what to do!
• Questions are welcome
• Share your knowledge

Page 4

Agenda

• Quick Introduction to PCI DSS
  – CHD and SAD
  – PCI Requirements
• 5 Under-utilized PCI Requirements

Page 5

A Quick Introduction to PCI DSS

Page 6

What is PCI?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements created to protect credit and debit card data.

Page 7

What is PCI?

• One of the most precise and granular information security standards out there.
• 12 broad requirements, 300+ sub-requirements
• People (10%) – Processes (30%) – Technology (60%)

Page 8

Cardholder Data

Cardholder Data:
• Card Number
• Cardholder Name
• Service Code (not shown in image)
• Expiry Date

Page 9

Sensitive Authentication Data

Sensitive Authentication Data:
• CVV
• Track data (Magnetic Stripe data or Chip data)
• PINs or PIN blocks

Page 10

What does PCI say about CHD and SAD?

Page 11

In Other Words

Stored card numbers must be encrypted, truncated, hashed, or protected with one-time pads.

1aM3fz9eo0F1idqKq2Z23i0F3akdjl53f32F23k3qsaf

4757 2828 9290 2929

Page 12

In Other Words

CVV, Track/Chip and PIN data must never be stored.

“July_Customer_CVV.xlsx”

Page 13

The PCI Requirements

Ref: PCI DSS v3.0

Page 14

Requirement 1 – Firewalls

• Formal Change Management
• Updated Network Diagram
• Firewall config vs Business Justification Document
• NATting
• Check incoming packets for IP Spoofing
• Internal Zone -> DMZ -> External Zone
• Firewall Rule Review

Page 15

Requirement 2 – Device Configuration

• Change all vendor-supplied defaults
• Remove all unnecessary scripts, drivers, servers and other functionalities
• One primary function per server
• Non-console admin access must be encrypted
• Hardening standards based on CIS, SANS, NIST, etc.

Page 16

Requirement 3 – Protect Stored CHD

• Do not store any SAD
• Mask PAN when displayed
• Render stored PAN unreadable
• Key Management
• Drive Awareness
• Review stored PAN via quarterly data discovery scans
• Minimize stored PAN
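Requirement 3 asks both that stored PAN be rendered unreadable (slide 11) and that stored PAN be found through periodic data discovery scans (this slide). The Python below is an added example, not code from the deck or its author: a small discovery pass over a constructed export that finds candidate card numbers, checks them with the Luhn algorithm, and shows the first-six/last-four masked display form, a truncated storage form, and a keyed one-way hash as one way of rendering a stored value unreadable. The export, the placeholder key and the choice of HMAC-SHA256 are assumptions. Note that the deck's own sample number, 4757 2828 9290 2929, does not pass the Luhn check, so a discovery scan reports it as a low-confidence candidate.

```python
"""PAN discovery, masking, truncation and keyed hashing (added example, not the deck's code)."""
from __future__ import annotations

import hashlib
import hmac
import re

# 13 to 19 digits, allowing a space or dash between groups as seen in exports.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four visible, the rest starred."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form that is no longer a PAN: last four digits only."""
    return pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash usable as a lookup token (key is a placeholder; assumption)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def discover_pans(text: str) -> list:
    """Report each candidate with its Luhn status and masked form; never the raw PAN."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        findings.append({
            "masked": mask_pan(digits),
            "luhn_valid": luhn_valid(digits),
            "offset": m.start(),
        })
    return findings


# Constructed sample export: a well-known test PAN and the deck's sample number.
SAMPLE_EXPORT = """order,amount,card
1001,19.99,4111 1111 1111 1111
1002,5.00,4757 2828 9290 2929
1003,7.25,ref-20150626
"""

if __name__ == "__main__":
    for finding in discover_pans(SAMPLE_EXPORT):
        print(finding)
    print(truncate_pan("4111111111111111"),
          hash_pan("4111111111111111", b"placeholder-key")[:16])
```

A production discovery run would walk file shares, databases and mailboxes rather than one string; the findings report should carry only the masked form and the location, as here, so the scan itself does not create a new store of PAN.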

Page 17

Requirement 4 – Protect Transmitted CHD

• Encrypt PAN sent over wireless. Eg. IEEE 802.11i (no WEP, no SSL v2.0)
• Encrypt PAN sent on open public networks
• Encrypt PAN if sent over email, chat, etc.
• Drive Awareness

Page 18

Requirement 5 – Use Anti-Malware Software

• If AV exists, deploy it
• Do a risk assessment (RA) to identify threats for mainframes or other systems without AV
• Periodic Scans
• Automatic Updates
• Anti-virus logs

Page 19

Requirement 6 – SDLC

• Identify new security vulnerabilities from external sources
• Patch Management
• Secure SDLC
• WAF or App VA for public-facing web apps

Page 20

Requirement 7 – Need to Know

• Access to CHD based on job-based need to know
• Default deny-all setting in access provisioning

Page 21

Requirement 8 – Accountability

• User ID settings
• Two-factor authentication for remote connections
• Password settings
• Session time-out settings

Page 22

Requirement 9 – Physical Security

• Physical Access Controls: CCTV and/or access control mechanism
• Visitor Management
• Media Management
• Physical Security of POS devices

Page 23

Requirement 10 – Log Management

• What should be logged
• What a log should contain
• Log Retention
• Log Review
• FIM on logs
• Time synchronization
• Access to Logs

Page 24

Requirement 11 – Testing and Monitoring

• Wireless Scan
• IDS/IPS
• Penetration Testing
• Vulnerability Assessment
• Change Detection Software

Page 25

Requirement 12 – Documentation

• Risk Assessment
• Human Resources – NDA, BGV
• Service Provider Management
• Incident Management
• Policies and Procedures – Information Security, Acceptable Usage, etc.

Page 26

5 Under-utilized PCI Requirements

Page 27

WHICH REQUIREMENTS DO YOU THINK WILL BE DISCUSSED?

Page 28

Typical Challenge Areas in PCI Maintenance

Page 29

5 Under-utilized PCI Requirements

• Firewall Rule Review
• Log Review
• Penetration Testing
• Risk Assessment
• Service Provider Management

Page 30

Firewall Rule Review

Page 31

Firewall Rule Review – WHAT IT IS

1.1.7 Review firewall and router rule sets at least once every six months

Page 32

Firewall Rule Review – HOW PEOPLE TEND TO DO IT

“Nipper gives a lot of false positives, you know?”

“We need ICMP for troubleshooting”

– We ran a Nipper scan.
– And?
– That’s it!

Page 33

A Good Rule Review Will Achieve

• Re-validation of all business requirements (and nothing else) being met through the firewall
• Review/removal of ACLs which are convenient for firewall device management but not for network security
• Protection from new attack vectors (especially public-facing firewalls)
• Checking for incorrectly configured rules
• Clean-up of obsolete rules and user IDs on the firewall
• Revocation of “temporary” access requests on expiry
• Firewall performance tuning
• More accurate responses from the network administrator during external audit

Page 34

Suggested Firewall Review Methodology

Prerequisites:
– Network Diagram
– Device Inventory
– Updated DFD
– Firewall Rules Business Justification Document

Shortlist the firewalls to be reviewed – eg. Internet FW, Internal FW

Review:
– Review the network diagram, DFD
– Validate the FW configuration against approved services, ports, protocols

What to Look For:
– Obsolete ACLs
– Inconsistencies with BJD
– Insecure services, ports, protocols – FTP, Telnet, SNMP

Remediation
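The methodology above (prerequisites, shortlist, validate against approved services, look for obsolete ACLs, BJD inconsistencies, insecure services and expired temporary access) can be turned into a repeatable check that produces the rows of a review sheet. The Python below is an added example, not the author's code or the SANS paper's; it assumes a rule export and a Business Justification Document in the simple record form shown, with an expiry date on temporary rules. Hosts, services, dates and rule names are constructed.

```python
"""Firewall rule review against a Business Justification Document (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Services the deck calls out as insecure; port/protocol pairs are an assumption.
INSECURE_SERVICES = {("tcp", 21): "FTP", ("tcp", 23): "Telnet", ("udp", 161): "SNMP"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    proto: str
    port: int | str          # port number or "any"
    action: str              # "allow" or "deny"
    expires: date | None = None   # set only on "temporary" access rules


@dataclass(frozen=True)
class Justification:
    src: str
    dst: str
    proto: str
    port: int
    owner: str


def review_rules(rules, bjd, today):
    """Return (rule name, finding) pairs for the review sheet."""
    approved = {(j.src, j.dst, j.proto, j.port) for j in bjd}
    findings = []
    for r in rules:
        if r.action != "allow":
            continue                      # deny rules need no business justification
        if r.src == "any" and r.dst == "any" and r.port == "any":
            findings.append((r.name, "any/any/any rule: no business justification possible"))
            continue
        svc = INSECURE_SERVICES.get((r.proto, r.port))
        if svc:
            findings.append((r.name, f"insecure service {svc} permitted"))
        if r.expires and r.expires < today:
            findings.append((r.name, f"temporary access expired on {r.expires}; revoke"))
        if (r.src, r.dst, r.proto, r.port) not in approved:
            findings.append((r.name, "not in BJD: obsolete or undocumented"))
    return findings


# Constructed rule set and BJD for an Internet-facing firewall (not a real device).
RULES = [
    Rule("web-in", "any", "dmz-web", "tcp", 443, "allow"),
    Rule("legacy-ftp", "any", "dmz-web", "tcp", 21, "allow"),
    Rule("vendor-temp", "10.9.9.0/24", "cde-db", "tcp", 1433, "allow", date(2015, 3, 31)),
    Rule("mgmt-any", "any", "any", "any", "any", "allow"),
    Rule("default-deny", "any", "any", "any", "any", "deny"),
]
BJD = [
    Justification("any", "dmz-web", "tcp", 443, "e-commerce site (web team)"),
    Justification("10.9.9.0/24", "cde-db", "tcp", 1433, "vendor support, temporary"),
]
REVIEW_DATE = date(2015, 6, 26)

if __name__ == "__main__":
    for name, finding in review_rules(RULES, BJD, REVIEW_DATE):
        print(f"{name:12} {finding}")
```

Each finding maps to a row of the review sheet with an owner and a remediation date; a rule that is in the BJD but whose justification no longer holds is only caught when the BJD itself is re-validated with the business, which the script cannot do for you.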

Page 35

Sample Firewall Review Sheet

Ref: SANS – Methodology for Firewall Reviews for PCI Compliance, http://www.sans.org/reading-room/whitepapers/auditing/methodology-firewall-reviews-pci-compliance-34195

Page 36

Log Review

Page 37

Log Review – WHAT IT IS

SCOPE
10.6 Review logs and security events for all system components

FREQUENCY
10.6.1 Review the following at least daily:
• All security events
• Logs of all system components that store, process, or transmit CHD/SAD
• Logs of all critical system components
• Logs of security devices – firewalls, IPS, etc.
10.6.2 Review logs of all other system components periodically as determined by a risk assessment.

REMEDIATION
10.6.3 Follow up anomalies identified during the review process.

Page 38

Log Review – HOW PEOPLE TEND TO DO IT

“It is not possible to investigate all alerts. There are tons of false positives.”

– We manually review logs every day. Surprisingly, we have no incidents so far.
– You mean NOT surprisingly.

Page 39

Log Review – Good Log Review Principles

• Central Log Storage for easy access and review
• Continuous and Automated Monitoring
• “Do Not Show Again” configuration to reduce false positives
• Qualified personnel who know what kind of logs to look for
• Timely Response Mechanism
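Requirement 10.6 (slide 37) and the principles above together describe an automated daily review that suppresses known-benign hits and escalates the rest for follow-up. The Python below is an added example, not code from the deck: it runs two detection rules over constructed syslog-style lines, applies a reviewer-approved “do not show again” list, and returns the anomalies that need follow-up under 10.6.3. The log format, the rules, the threshold and the suppression entries are all assumptions.

```python
"""Automated daily log review with a reviewer-approved suppression list (added example)."""
import re
from collections import Counter

# Assumed line format: "<timestamp> <host> <message>" (constructed, not a real product's format).
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
FAILED_LOGIN = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
FW_CHANGE = re.compile(r"config changed by (?P<user>\S+)")

# "Do not show again" list: each entry names the rule, the matching fields and a reason,
# so a suppression is a documented decision rather than a silently dropped alert.
SUPPRESSIONS = [
    {"rule": "firewall-change", "match": {"user": "changectl"},
     "reason": "approved change-pipeline account"},
]

FAILED_LOGIN_THRESHOLD = 3   # assumption: three failures from one source in a day is an anomaly


def parse(lines):
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def suppressed(rule, fields):
    return any(s["rule"] == rule and all(fields.get(k) == v for k, v in s["match"].items())
               for s in SUPPRESSIONS)


def review(lines):
    """Return (anomalies needing follow-up, number of hits quietened by the suppression list)."""
    anomalies, suppressed_hits = [], 0
    failures = Counter()
    for ev in parse(lines):
        if m := FAILED_LOGIN.search(ev["msg"]):
            failures[(ev["host"], m["ip"])] += 1
        elif m := FW_CHANGE.search(ev["msg"]):
            fields = {"host": ev["host"], "user": m["user"]}
            if suppressed("firewall-change", fields):
                suppressed_hits += 1
            else:
                anomalies.append(("firewall-change", fields))
    for (host, ip), n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            anomalies.append(("auth-bruteforce", {"host": host, "ip": ip, "count": n}))
    return anomalies, suppressed_hits


# Constructed sample log lines; hosts and addresses are not real systems.
SAMPLE_LOGS = """2015-06-26T02:10:01Z cde-db01 sshd: Failed password for root from 198.51.100.7
2015-06-26T02:10:03Z cde-db01 sshd: Failed password for root from 198.51.100.7
2015-06-26T02:10:05Z cde-db01 sshd: Failed password for root from 198.51.100.7
2015-06-26T03:00:00Z fw-edge01 config changed by changectl
2015-06-26T03:41:12Z fw-edge01 config changed by jdoe
2015-06-26T04:00:00Z cde-db01 sshd: Failed password for backup from 10.0.5.2
""".splitlines()

if __name__ == "__main__":
    found, quiet = review(SAMPLE_LOGS)
    for rule, fields in found:
        print(rule, fields)
    print(f"{quiet} hit(s) suppressed by the do-not-show-again list")
```

The suppressed count is reported on purpose: a suppression list that grows without review is how a real alert gets filed under “false positive”, so the daily output should show how much the list is hiding.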

Page 40

Penetration Testing

Page 41

Penetration Testing – WHAT IT IS

Requirements for PT in PCI v2.0
11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification. These penetration tests must also include application and network layer penetration tests.

Page 42

Penetration Testing – HOW PEOPLE TEND TO DO IT

“We fixed all the VA findings. So there are no vulnerabilities to exploit, meaning there is no point in a PT.” (hence proved)

“We ran a PT scan. Here is the report.”

Page 43

Penetration Testing

• PT Methodology
  – A methodology will bring structure and consistency to the testing approach
  – Provide standardized documentation
  – Assist in training and KT between staff
  Eg. N/w PT – OSSTMM (from the Institute for Security and Open Methodologies), NIST SP 800-115; App PT – OWASP Testing Project

• External and Internal PT

WHAT HAPPENED IN V3.0 HAS BEEN NOTHING SHORT OF RADICAL

Outside:
– Has no access to systems
– No knowledge about the systems
– Begins with reconnaissance (public information) and enumeration (network discovery, port scanning)

Inside:
– Has at least general user access, may have some knowledge of the systems
– Begins with user privilege escalation (eg. general user to admin user)

Page 44

Penetration Testing

• PT must validate the network segmentation methods used to isolate the CDE
  – Router or Firewall ACLs
  – VLANs configured on L3 switches
  Eg. Port scanning to check for any open ports on the router through which one can connect from a trusted but non-CDE network.

• PT must be on-going – remediation must be validated by re-testing

Page 45

SAMPLE TESTS
• Database security audit
• SQL injection techniques
• Network traffic eavesdropping
• Access control testing
• Network intrusion testing
• Network stress testing
• DoS attacks
• Manipulating user input data
• Web application penetration testing

OSSTMM PT Workflow

Induction Phase:
– Decide on test timelines
– Shortlist the tests to be done

Interaction Phase:
– Network Discovery
– Select target systems for each test (web server, DB server, firewall, etc.)

Inquest Phase:
– Find out as much data as possible about target systems (which ports are open, what services are running, device configuration vulnerabilities)

Intervention Phase:
– Verify functionality of security and alerting mechanisms (log alerts, FIM alerts, IPS alerts)

Page 46

Risk Assessment

Page 47

Risk Assessment – WHAT IT IS

PCI Req 12.2: Implement a risk-assessment process that:
• Frequency: is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)
• Entities: identifies critical assets, threats, and vulnerabilities
• Methodology: results in a formal risk assessment

Page 48

Risk Assessment – HOW PEOPLE TEND TO DO IT

This is an example of a compliance RA, not a security RA.

Page 49

Risk Assessment – WHAT IT IS

A PCI Risk Assessment must be:
• Formal:
  – Measurable
  – Comparable
  – Repeatable
• Focusing on card data as the central asset
• Emphasizing security and not compliance

Page 50

Risk Assessment

Risk Assessment can be used to:
• Tailor the PCI requirements to the unique nature of the organization’s CDE
• Reduce the overall cost of compliance and security maintenance
• Assist in scope reduction

Page 51

Suggested PCI RA Workflow

Scope -> Assets -> Threat -> Vulnerability -> Risk Score -> Risk Management (Treat, Transfer, Terminate, Tolerate) -> Documentation

Example:
Scope: E-Commerce Website
Assets: Primary Asset – CHD; Supporting Assets – People, Technology
Threat: Disclosure of CHD via compromise of perimeter firewall by external entity
Vulnerability: No defined frequency for firewall rule review
Risk Score: Medium
Risk Management: Treat – Firewall config to be reviewed every quarter by Security team. Corrective action to be taken by Network team.
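To make the workflow above measurable, comparable and repeatable (slide 49), the scoring and treatment steps need fixed scales. The Python below is an added example, not the deck's own method: it assumes 1-5 likelihood and impact scales with product bands for Low/Medium/High, reproduces the slide's e-commerce row with constructed likelihood and impact values that land on Medium, and refuses to tolerate a High risk without a documented acceptance.

```python
"""Measurable, comparable, repeatable risk scoring for a PCI RA register (added example)."""
from dataclasses import dataclass, field

SCALE = range(1, 6)   # assumption: 1 (rare/negligible) .. 5 (almost certain/severe)
TREATMENTS = {"Treat", "Transfer", "Terminate", "Tolerate"}


@dataclass
class RiskEntry:
    scope: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: str = ""
    action: str = ""
    supporting_assets: list = field(default_factory=list)

    def score(self) -> int:
        """Likelihood x impact on the fixed scale, so entries are comparable."""
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be 1..5")
        return self.likelihood * self.impact

    def rating(self) -> str:
        """Band the score; thresholds are an assumption, not the deck's."""
        s = self.score()
        return "High" if s >= 15 else "Medium" if s >= 6 else "Low"


def decide(entry: RiskEntry, option: str, action: str = "") -> RiskEntry:
    """Record a treatment decision; tolerating a High risk needs a documented acceptance."""
    if option not in TREATMENTS:
        raise ValueError(f"unknown option {option!r}")
    if option == "Tolerate" and entry.rating() == "High" and not action:
        raise ValueError("High risk cannot be tolerated without a documented acceptance")
    entry.treatment, entry.action = option, action
    return entry


def register_report(entries):
    """Rows sorted by score, highest first, for the documentation step."""
    return [(e.scope, e.threat, e.score(), e.rating(), e.treatment)
            for e in sorted(entries, key=lambda e: e.score(), reverse=True)]


# The slide's worked row with constructed likelihood/impact (3 x 4 = 12 -> Medium).
ECOM = RiskEntry(
    scope="E-Commerce Website", asset="CHD",
    supporting_assets=["People", "Technology"],
    threat="Disclosure of CHD via compromise of perimeter firewall by external entity",
    vulnerability="No defined frequency for firewall rule review",
    likelihood=3, impact=4,
)
decide(ECOM, "Treat", "Firewall config reviewed every quarter by Security team; "
                      "corrective action by Network team")

if __name__ == "__main__":
    for row in register_report([ECOM]):
        print(row)
```

Keeping the scale, the bands and the treatment rules in code is what makes the assessment repeatable across years and comparable across business units; the numbers chosen for a given row are still a judgement that the assessor records alongside the entry.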

Page 52

Service Provider Management

Page 53

Service Provider Management: Typical Concerns

No knowledge of:
– the extent to which the service provider can access the client’s systems and information
– the service provider’s information security controls and how effective they are
– how they verify employees’ backgrounds

No defined ownership of applicable PCI requirements
Eg. Application hosted at the client’s site, but developed remotely by a third-party organization:
– 6.4.1 Separate development/test environments from production environments -> Client
– 6.4.2 Separation of duties between development/test and production -> Service Provider

Page 54

Service Provider Management – WHAT IT IS

12.8: Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data
• Maintain a list of service providers
• Due diligence in selecting service providers
• MSA: Service providers are responsible for the security of cardholder data they possess or otherwise store, process or transmit on behalf of the customer
• Annually monitor their PCI compliance
• Classify PCI requirements as per client / service provider responsibility and get mutual agreement

Page 55

?

Page 56

Stay in Touch

• www.linkedin.com/in/vackayil
• [email protected]

THANK YOU