Top PCI Pitfalls and How to Avoid Them: The QSA's Perspective
Post on 27-Jul-2015
ANITIAN: intelligent information security
Adam Gaydosh
• Director of Professional Services at Anitian
• QSA since 2007
• 15+ years of InfoSec experience including auditing, risk assessment, penetration testing and forensics
• Co-developed Anitian's RiskNow™ Rapid Risk Assessment approach
• Championed movement toward practical, pragmatic information security solutions
Anitian
• We enlighten, protect and empower great security leaders.
• We believe security will make the world a better place.
• Security is necessary for innovation and growth
• Security can be empowering when it is practical and pragmatic
• Good security comes from rational, scientific methods of analysis
Firewall Breaches (chart): 5% vulnerabilities, 95% misconfiguration
Data Center Automation
The Security Management Balancing Act
Security (prevent cyber attacks) vs. Agility (enable business applications)

Resource          Time to Provision
Server            Minutes
Storage           Minutes
Security Access   Days/Weeks

Diagram labels: Business Applications; Security Infrastructure
Managing Security at the Speed of Business
AlgoSec Security Management Suite, for Application Owners, Security and Network Operations:
• Faster Connectivity Provisioning for Business Applications
• Streamlined and Automated Change Management
• Total Visibility and Control of your Security Policy
What is in the Assessment Scope?
The Assessment Scope includes the people, processes and technologies of three primary categories:
• Cardholder Data Environment (CDE)
• Systems connected to the CDE
• Systems that can affect the security of the CDE

What is the Cardholder Data Environment?
The following systems are defined as CDE systems:
• Any system that stores, processes, or transmits Cardholder Data (CHD)
  • Examples: POS terminals, cardholder databases, payment processing applications, and the firewalls, switches, and routers that handle any CHD traffic
• Any system that shares a network segment with a CDE system (e.g. resides on the same VLAN or subnet as a CDE system), whether or not it handles CHD itself
What Else Is In Scope?
Other in-scope systems:
• Any system that connects to the CDE (e.g. makes a network connection into the CDE, or receives an outbound network connection from a CDE system)
  • Examples: AD server, DNS server, FIM server, AV console, SIEM, backup server, web proxy, etc.
• Any system that can otherwise affect the security of the CDE
  • Examples: password repositories, data center physical security systems, managed security providers (MSPs), etc.
How to Determine Scope
• Map the data flows of all CHD to determine which people, processes and technologies touch CHD
  • For merchants, this can be done by meeting with the business process owners of each payment channel
  • These systems and network devices are in the CDE
• Inventory all network segments that contain CDE systems
• Inventory all systems on those CDE network segments
  • These systems are in the CDE even if they don't touch CHD
• Review access control lists (ACLs) on the routers and firewalls around those segments to determine which non-CDE systems can connect to CDE systems (in either direction)
Automatically Map Application Flows
Which firewalls are allowing traffic to the CDE?
What’s In and What’s Out: Segmenting Your Network for Compliance
Why Implement Network Segmentation
• Reduce the cost of compliance
• By default, the entire IT environment is considered to be in scope
• Isolating only those systems that touch CHD into dedicated network segments limits the number of systems that can affect the CDE, and so the number of systems that must be assessed
Network Segmentation Strategy
• Start with the current Scoping Inventory
  • All systems that touch CHD
  • All network segments those CDE systems reside in
  • All other systems in those CDE segments
  • All systems connected to those systems
• Isolate the systems that touch CHD by migrating them to dedicated network segments (or by removing the other systems from those segments)
• Determine the business need for all CDE connectivity
  • Eliminate all connections where possible to reduce assessment scope
Network Segmentation Strategy
• Enforce segmentation around the CDE network segments using ACLs
  • ACLs can be on either a router or a firewall, except for Internet-facing DMZ CDEs and for segmenting wireless, where a firewall is required
  • ACLs must be discretely defined at the port or protocol level; a rule that permits any protocol or any port into or out of the CDE does not count as segmentation
• Document and maintain an updated Assessment Scope
Network Segmentation Strategy
You will now have 3 types of systems on your network:
• CDE systems: touch cardholder data, and are isolated in dedicated network segments with ACLs
• In-scope systems: not in the CDE and don't touch CHD, but either:
  • Need access to a CDE system via an ACL, or
  • Affect the security of the CDE (password servers, physical access control systems, etc.)
• Out-of-scope systems: not in the CDE, don't touch CHD, don't have access to a CDE system via an ACL and don't affect the security of the CDE
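As an added worked example (not from the slides, and not Anitian's or AlgoSec's tooling), the scoping procedure and the three-way classification above can be written out as a small Python script: it derives the CDE segments from the systems that touch CHD, pulls every host on those segments into the CDE, then walks the ACLs to find which other hosts can reach (or be reached from) a CDE system, and finally flags ACL rules around the CDE that are not discretely defined at the port or protocol level. The hostnames, addresses and ACL rules are constructed for illustration; the "affects_cde_security" flag stands in for the judgement call about password vaults, badge systems and similar.

```python
"""PCI DSS scoping walk-through: CDE / in-scope / out-of-scope from an
inventory plus an ACL ruleset. Constructed example; every name, address
and rule below is made up for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    ip: str
    touches_chd: bool = False            # stores, processes or transmits CHD
    affects_cde_security: bool = False   # e.g. password vault, badge system


@dataclass(frozen=True)
class AclRule:
    src: str    # CIDR or "any"
    dst: str    # CIDR or "any"
    proto: str  # "tcp", "udp", "icmp" or "any"
    port: str   # "443", "514" or "any"


def _contains(cidr: str, ip: str) -> bool:
    """True if the address falls inside the CIDR ("any" matches everything)."""
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _overlaps(a: str, b: str) -> bool:
    """True if two CIDRs share any address ("any" overlaps everything)."""
    return "any" in (a, b) or ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))


def classify(systems, segments, acls):
    """Apply the slides' scoping rules in order. Returns
    ({system name: "CDE" | "IN_SCOPE" | "OUT_OF_SCOPE"}, set of CDE segments)."""
    # 1. Any segment hosting a system that touches CHD is a CDE segment.
    cde_segments = {seg for seg in segments
                    for s in systems if s.touches_chd and _contains(seg, s.ip)}
    # 2. Everything in a CDE segment is CDE, even if it never touches CHD.
    verdict = {s.name: "CDE" for s in systems
               if s.touches_chd or any(_contains(seg, s.ip) for seg in cde_segments)}
    cde_ips = [s.ip for s in systems if s.name in verdict]
    # 3. A non-CDE system is in scope if an ACL lets it reach, or be reached
    #    from, a CDE system, or if it can otherwise affect CDE security.
    for s in systems:
        if s.name in verdict:
            continue
        connected = any(
            (_contains(r.src, s.ip) and any(_contains(r.dst, c) for c in cde_ips)) or
            (_contains(r.dst, s.ip) and any(_contains(r.src, c) for c in cde_ips))
            for r in acls)
        verdict[s.name] = "IN_SCOPE" if (connected or s.affects_cde_security) else "OUT_OF_SCOPE"
    return verdict, cde_segments


def overbroad_rules(acls, cde_segments):
    """Rules that touch a CDE segment but are not discretely defined at the
    port or protocol level, or that admit any source. Such rules undermine
    segmentation; an 'any' source would drag every host into scope."""
    def touches_cde(r):
        return any(_overlaps(r.src, seg) or _overlaps(r.dst, seg) for seg in cde_segments)
    return [r for r in acls
            if touches_cde(r) and (r.proto == "any" or r.port == "any" or r.src == "any")]


# Constructed inventory: a payment VLAN, a management VLAN, a vault VLAN, an office VLAN.
SEGMENTS = ["10.10.0.0/24", "10.20.0.0/24", "10.30.0.0/24", "10.40.0.0/24"]
SYSTEMS = [
    System("pos-01", "10.10.0.11", touches_chd=True),
    System("card-db", "10.10.0.20", touches_chd=True),
    System("print-server", "10.10.0.30"),                     # never sees CHD, but shares the VLAN
    System("siem", "10.20.0.5"),
    System("ad-dc", "10.20.0.10"),
    System("vault", "10.30.0.7", affects_cde_security=True),  # holds CDE admin passwords
    System("marketing-wiki", "10.40.0.50"),
]
ACLS = [
    AclRule("10.10.0.0/24", "10.20.0.5/32", "udp", "514"),   # CDE -> SIEM syslog
    AclRule("10.10.0.0/24", "10.20.0.10/32", "tcp", "389"),  # CDE -> AD LDAP
    AclRule("10.20.0.10/32", "10.10.0.0/24", "any", "any"),  # AD -> CDE, not discretely defined
    AclRule("10.40.0.0/24", "10.20.0.10/32", "tcp", "445"),  # office -> AD, never touches CDE
]


def scope_report():
    """Classify the constructed inventory and list its over-broad CDE rules."""
    verdict, cde_segments = classify(SYSTEMS, SEGMENTS, ACLS)
    return verdict, cde_segments, overbroad_rules(ACLS, cde_segments)


if __name__ == "__main__":
    verdict, cde_segments, bad = scope_report()
    for name, v in verdict.items():
        print(f"{name:15} {v}")
    print("CDE segments:", sorted(cde_segments))
    for r in bad:
        print("over-broad ACL into/out of CDE:", r)
```

Running it puts the print server in the CDE purely because it shares the payment VLAN, brings the SIEM and domain controller into scope through their ACL entries and the vault through its security-affecting role, and leaves only the marketing wiki out of scope. The AD-to-CDE any/any rule is the one flagged: it is exactly the kind of rule that lets a QSA reject the segmentation claim and pull the management VLAN back into the CDE.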
Network Segmentation Made Easy
Proactively ensure network segmentation is enforced change after change…
Required Security Controls
• Host hardening
• Antivirus (AV)
• Patch & Vulnerability Management
• Configuration Management
• User and Account Management
• Log Management
• Change Detection
Common Security Configuration Challenges
• Host hardening standards not consistently deployed
• Security patch deployment not comprehensive or timely
• Configuration changes not always tracked
• Excessive user accounts and rights
• Security event logs not appropriately aggregated and reviewed
• System change detection monitoring coverage not comprehensive, or not alerting
Policy Audit and Analysis
Validate that changes were performed correctly and identify "cowboy" (unauthorized, out-of-process) changes
Common Questions and Concerns
• Can you be PCI compliant in the cloud? YES!
• What considerations do I need in choosing a cloud provider?
• What are the implications for my assessment scope?
Choosing a Cloud Provider
• Must be PCI DSS compliant as a service provider (ask for their current Attestation of Compliance, not just a marketing claim)
• Require them to specifically define which PCI DSS requirements they cover and which remain yours (responsibility matrix, as required by PCI DSS 3.0)
  • Applies to MSPs as well as PaaS and SaaS
• Understand the difference between "in the cloud" and "of the cloud"
• Do not assume you can just "outsource compliance"
  • You will always have some responsibility
Implications for Assessment Scope
• Pure cloud CDEs
  • Simplest to manage
  • Customer environment + PCI compliant cloud infrastructure
• Extended CDEs
  • Hybrid architectures of cloud + on-prem
  • Common when leveraging on-prem security management technologies
  • Connection technologies (such as VPN) bridge the CDEs between locations
  • Ensure segmentation is not broken: whatever is reachable across the bridge at either end is in scope, so the tunnel endpoints need the same port- and protocol-level ACLs as any other CDE boundary
Automated Compliance Reports
"Now we can get, in a click of a button, what took two to three weeks per firewall to produce manually."
Marc Silver, Security Manager, Discovery