
Page 1: Jordan Levesque - Keeping your Business Secure · 22/09/2016

Jordan Levesque - Keeping your Business Secure

Page 2

• Review of PCI

• Benefits of hosting with RCS

• File Integrity Monitoring

• Two Factor

• Log Aggregation

• Vulnerability Scanning

• Configuration Management and Continuous Deployment

Page 3

Overview of PCI DSS

• Payment Card Industry Data Security Standard

• Mandated by card brands

• Framework for applying good security posture

Page 4

What's new in 3.2?

• Greater focus on Multifactor Authentication

– All remote access into the cardholder data environment must use MFA (as before)

– All non-console administrative access into the cardholder data environment must now use MFA as well, whether local or remote (Requirement 8.3.1); previously only remote access from outside the network required it

• PAN masking requirements clarified: the first six and last four digits are the most that may be displayed

• Pushed the migration deadline for SSL and early TLS (TLS 1.0) out from June 2016 to June 2018

Page 5

Why is PCI important?

Page 6

Risk Overview

62% more breaches in 2013 than in 2012

Over 553 million identities stolen in 2013, up from 93 million in 2012: nearly six times as many

[Chart: identities stolen, 2012 vs 2013; one icon = 20 million]

Page 7

Risk Overview

Threats are becoming more advanced, and attacks are becoming more frequent

Page 8

Breach Overview

Average time to detection of a breach: 197 days (timeline graphic: a breach on Jan 1 is found around Jul 17)

Average cost per record for retailers: $172

Average cost per breach: $4 million

Page 9

What are the 12 Standards?

• Requirement 1: Install and maintain a firewall configuration to protect cardholder data

• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

• Requirement 3: Protect stored cardholder data

• Requirement 4: Encrypt transmission of cardholder data across open, public networks

• Requirement 5: Use and regularly update anti-virus software or programs

• Requirement 6: Develop and maintain secure systems and applications

• Requirement 7: Restrict access to cardholder data by business need to know

• Requirement 8: Assign a unique ID to each person with computer access

• Requirement 9: Restrict physical access to cardholder data

• Requirement 10: Track and monitor all access to network resources and cardholder data

• Requirement 11: Regularly test security systems and processes

• Requirement 12: Maintain a policy that addresses information security for all personnel

Page 10

Benefits of Hosting with RCS

Page 11

Shared Responsibility of PCI sub-requirements

RCS (362 sub-requirements)

• Admin credentials

• NCR Counterpoint

• Managed firewalls

• Application whitelisting

• 2FA

• Security policy

• Hosting

You (49 sub-requirements)

• Credentials

• POS maintenance

• Security policy

Page 12

Cost, Time, Expertise

• RCS security personnel are trained in the use of security applications and become subject-matter experts

• RCS has dedicated personnel to handle day-to-day operations of security applications (the apps are very needy)

• It is more cost-effective for RCS to manage security applications in bulk than for each customer to run a smaller deployment

Page 13

Cost, Time, Expertise

Page 14

File Integrity Monitoring (FIM) & Application Whitelisting (AW)

Page 15

FIM / Application Whitelisting

• Goes beyond traditional AV

– Signature-less, vs AV which is signature-based

– Analyzes patterns in file activity, not just file hashes or signatures

Hash: a string of a fixed size which is used to identify data of an arbitrary size. This is a one-way function: the hash is computed from the data, but the data cannot be recovered from the hash, and any change to the data changes the hash.

"Hello world" → cryptographic hash function (here MD5) → 3e25960a79dbc69b674cd4ec67a72c62

A hash is not the same thing as a signature: a hash identifies one exact file, while a digital signature is the vendor's private key applied over that hash, which is why a "signed by vendor X" rule keeps working across legitimate updates but a hash list must be refreshed after every patch. MD5 is shown only because it is short; collisions can be generated for it, so integrity baselines should use SHA-256.
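The baseline-and-compare loop that the hash makes possible, as an added example (not code from the slides or from RCS): each file under a monitored directory is hashed with SHA-256, the result is stored, and a later pass is diffed against it to report added, removed and modified files. The directory layout, file contents and the "trojanised" rewrite are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 rather than MD5: collisions can be crafted for MD5, so an MD5 baseline
# cannot prove that a file is the same one that was baselined.
HASH = "sha256"


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream the file through the hash so large binaries are not read into memory at once."""
    h = hashlib.new(HASH)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def take_baseline(root: str) -> dict:
    """Map every regular file under root (path relative to root, '/' separators) to its digest."""
    root_path = Path(root)
    return {
        str(p.relative_to(root_path)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file()
    }


def diff_baseline(old: dict, new: dict) -> dict:
    """The FIM report: which paths appeared, vanished, or changed content between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then patch a binary, drop a DLL, delete a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos").mkdir()
        (root / "pos" / "app.exe").write_bytes(b"MZ original binary")
        (root / "pos" / "config.ini").write_text("port=9100\n")
        (root / "readme.txt").write_text("hello\n")
        before = take_baseline(tmp)

        (root / "pos" / "app.exe").write_bytes(b"MZ trojanised binary")  # content changed
        (root / "pos" / "dropper.dll").write_bytes(b"MZ new file")        # new file appeared
        (root / "readme.txt").unlink()                                     # file removed
        after = take_baseline(tmp)
        return diff_baseline(before, after)


if __name__ == "__main__":
    print(demo())
```

Because the report is a pure function of two baselines, the baseline itself must be kept somewhere the monitored host cannot rewrite it (the same argument the SIEM slide makes for logs); a baseline stored next to the files it protects is only as trustworthy as the host.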

Page 16

FIM / AW: Rule Abstraction

Signature-less rule example:

IF [any file hash]

SIGNED BY [LogMeIn]

EXECUTES AT [C:\%APPDATA%\local\logmein rescue unattended],

ALLOW EXECUTION

Page 17

FIM / AW: File Report Example

Page 18

FIM / AW: Control Models

Low enforcement

• Operates on a blacklist

– Unapproved files allowed

– Banned files blocked

• Low potential for false positives

• Monitors file propagation

• Custom rules enforced for fine-tuning of allowed or disallowed file activity

High enforcement

• Operates on a whitelist

– Unapproved files blocked

– Banned files blocked

• High potential for false positives

• Monitors file propagation

• Custom rules enforced for fine-tuning of allowed or disallowed file activity
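How the rule abstraction from the earlier slide and the two control models fit together, as an added example rather than the vendor's engine: a ban list is checked first, then ordered rules that bind a signing publisher to an execution path (the slide's LogMeIn rule, with an install path assumed here), and whatever nothing matches falls through to the mode's default, allow in low mode and block in high mode. The rules, hashes, file paths and the signer names are all constructed.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FileEvent:
    """One execution attempt as the endpoint agent would report it (constructed)."""
    path: str
    sha256: str
    publisher: Optional[str] = None   # subject of the code-signing certificate; None if unsigned


@dataclass
class Rule:
    publisher: str     # who must have signed the file; "*" matches anything, signed or not
    path_glob: str     # where it must execute from (case-insensitive glob)
    action: str        # "allow" or "block"


@dataclass
class Policy:
    mode: str                                  # "low": default allow, "high": default deny
    rules: list = field(default_factory=list)
    banned_hashes: set = field(default_factory=set)


def _matches(rule: Rule, ev: FileEvent) -> bool:
    publisher_ok = rule.publisher == "*" or (ev.publisher or "").lower() == rule.publisher.lower()
    path_ok = fnmatch.fnmatchcase(ev.path.lower(), rule.path_glob.lower())
    return publisher_ok and path_ok


def decide(policy: Policy, ev: FileEvent) -> tuple:
    """(decision, reason): a ban always wins, then the first matching rule, then the mode default."""
    if ev.sha256.lower() in policy.banned_hashes:
        return "block", "banned hash"
    for rule in policy.rules:                        # order matters: first match wins
        if _matches(rule, ev):
            return rule.action, f"rule {rule.publisher} @ {rule.path_glob}"
    if policy.mode == "high":
        return "block", "unapproved file (whitelist mode: default deny)"
    return "allow", "unapproved file (blacklist mode: default allow)"


# Assumed rule set. The LogMeIn rule is the slide's idea; the install path is assumed.
RULES = [
    Rule("LogMeIn, Inc.", r"C:\Users\*\AppData\Local\LogMeIn Rescue Unattended\*", "allow"),
    Rule("*", r"C:\Users\*\Downloads\*", "block"),   # nothing runs straight out of Downloads
]
BANNED = {"deadbeef" * 8}   # constructed placeholder for a known-bad SHA-256

# Constructed execution attempts on a till.
EVENTS = [
    FileEvent(r"C:\Users\till1\AppData\Local\LogMeIn Rescue Unattended\LMIRescue.exe", "aa" * 32, "LogMeIn, Inc."),
    FileEvent(r"C:\Users\till1\AppData\Local\Temp\LMIRescue.exe", "aa" * 32, "LogMeIn, Inc."),  # same binary, wrong place
    FileEvent(r"C:\POS\Counterpoint\report.exe", "bb" * 32, None),                               # unsigned, unknown
    FileEvent(r"C:\Users\till1\Downloads\invoice.exe", "cc" * 32, None),
    FileEvent(r"C:\Windows\Temp\svchost.exe", "deadbeef" * 8, "Example Signer Ltd"),            # banned despite a signature
]


def run(mode: str) -> list:
    """Evaluate every constructed event under the given enforcement mode."""
    policy = Policy(mode=mode, rules=RULES, banned_hashes=BANNED)
    return [decide(policy, ev) for ev in EVENTS]


if __name__ == "__main__":
    for mode in ("low", "high"):
        print(mode)
        for ev, (decision, why) in zip(EVENTS, run(mode)):
            print(f"  {decision:5} {ev.path}  ({why})")
```

The second event is the one worth noticing: it is byte-for-byte the signed LogMeIn binary, so a pure hash or signature check would pass it, but the rule also binds the execution location, so in high mode it is blocked, while in low mode only the unsigned file in Downloads and the banned hash are stopped. The false-positive rate the slide warns about is exactly the third event: an unsigned in-house report tool that nobody wrote a rule for.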

Page 19

Two-Factor Authentication (2FA)

Page 20

Authentication Factors

Something you know: password

Something you have: RSA token, digital certificate, YubiKey, phone with Duo Security

Something you are: iris, fingerprint, voice

Page 21

2FA: Our Solutions

YubiKeys

• Primary uses: POS users, back-office users, admin users

• Token is plugged in, and the center button is pressed at the 2FA prompt (the key types a one-time password as keystrokes)

Duo Push

• Primary uses: back-office users, admin users

• A push is requested from the 2FA prompt and sent to the corresponding smartphone for approval

Page 22

2FA: Where does it apply?

During the Remote Desktop login

Page 23

Security Information & Event Management (SIEM)

Page 24

SIEM: Why does it matter?

• Local event logs can be manipulated: an attacker with admin rights can simply clear them (on Windows, `wevtutil cl Security` leaves behind only event 1102, "the audit log was cleared"). A copy forwarded to the SIEM as each event occurs survives that, which is what makes the archive forensically sound; the guarantee only holds if forwarding is near real-time and the SIEM store is append-only and not writable with the same credentials that run the hosts

• Local event logs are overwritten when space runs out (Windows by default overwrites the oldest events once a log reaches its configured maximum size), so with detection lagging by months the evidence is usually gone before anyone looks

• Can be mined / queried for deep security intelligence about any and all systems reporting in: patterns that span hosts, such as one source address failing logons against many POS terminals, are invisible to any single machine
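Two of the detections that only work once logs leave the host, as an added example of SIEM-style correlation (not the vendor's product): a sliding window that flags repeated failed logons from one source, a follow-up alert when that source then succeeds, and an unconditional alert on the log being cleared. The event IDs are the real Windows Security log IDs (4625 failed logon, 4624 successful logon, 1102 audit log cleared); the hosts, addresses, users and timestamps are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed feed as a collector might receive it from Windows hosts, already normalised.
SAMPLE_EVENTS = [
    {"ts": "2016-09-22T10:00:01", "host": "POS-01", "event_id": 4625, "src": "10.0.5.23", "user": "Administrator"},
    {"ts": "2016-09-22T10:00:07", "host": "POS-01", "event_id": 4625, "src": "10.0.5.23", "user": "Administrator"},
    {"ts": "2016-09-22T10:00:12", "host": "POS-01", "event_id": 4625, "src": "10.0.5.23", "user": "Administrator"},
    {"ts": "2016-09-22T10:00:19", "host": "POS-01", "event_id": 4625, "src": "10.0.5.23", "user": "Administrator"},
    {"ts": "2016-09-22T10:00:25", "host": "POS-01", "event_id": 4625, "src": "10.0.5.23", "user": "Administrator"},
    {"ts": "2016-09-22T10:00:31", "host": "POS-01", "event_id": 4624, "src": "10.0.5.23", "user": "Administrator"},
    {"ts": "2016-09-22T10:03:00", "host": "POS-01", "event_id": 1102, "src": "-",         "user": "Administrator"},
    {"ts": "2016-09-22T10:05:00", "host": "BO-02",  "event_id": 4625, "src": "10.0.9.4",  "user": "jsmith"},
]

BRUTE_FORCE_THRESHOLD = 5                 # failed logons ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)  # ... within this many seconds, per (host, source)


def correlate(events: list) -> list:
    """Run the three rules over a time-ordered event stream and return the alerts raised."""
    alerts = []
    failures = defaultdict(deque)   # (host, src) -> timestamps of recent 4625s, oldest first
    flagged = set()                 # (host, src) pairs already reported for guessing

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["src"])
        base = {"ts": ev["ts"], "host": ev["host"], "src": ev["src"], "user": ev["user"]}

        if ev["event_id"] == 1102:
            # A cleared log is never benign on a PCI-scoped host; the forwarded copy is all that is left.
            alerts.append({"severity": "critical", "rule": "audit log cleared", **base})

        elif ev["event_id"] == 4625:
            window = failures[key]
            window.append(ts)
            while window and ts - window[0] > BRUTE_FORCE_WINDOW:
                window.popleft()        # drop failures that fell out of the window
            if len(window) >= BRUTE_FORCE_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append({"severity": "high", "rule": "password guessing", **base})

        elif ev["event_id"] == 4624 and key in flagged:
            # Success right after a burst of failures: the guessing probably worked.
            alerts.append({"severity": "critical", "rule": "logon after password guessing", **base})

    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["severity"]:8} {a["rule"]:30} {a["host"]} {a["src"]} {a["user"]}')
```

Note what the host itself would show after 10:03: nothing but the 1102. Every alert above is computed from the forwarded copies, and the single failure on BO-02 correctly raises nothing.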

Page 25

Vulnerability Scanning

Page 26

Vulnerability Scanning: HOLY VULNERABILITIES, BATMAN!

• Evaluates a system for open ports, missing patches, and other potential attack vectors or points of weakness

• Provides actionable intelligence and recommendations

• PCI DSS Requirement 11.2 calls for internal and external scans at least quarterly and after significant changes, with the external scans performed by an Approved Scanning Vendor (ASV)

Example from vendor's website
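The first of the slide's three checks, open ports, at its simplest, as an added example rather than the scanner the vendor sells: a threaded TCP connect scan that grabs whatever banner a service volunteers, and a report that flags cleartext protocols, which have no business on a host in PCI scope (Requirement 4) regardless of version. So that it runs offline, the block also starts a constructed local listener that greets with a made-up SSH banner; scan only hosts you are authorised to scan.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed report policy: well-known ports of protocols that carry credentials in the clear.
CLEARTEXT_SERVICES = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3", 143: "IMAP"}


def probe(host: str, port: int, timeout: float = 0.5):
    """TCP connect scan of one port: (port, banner) if it accepted the connection, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(128).decode("ascii", "replace").strip()
            except OSError:          # includes timeout: service waits for the client to speak
                banner = ""
            return port, banner
    except OSError:                  # refused, unreachable, or filtered (timed out)
        return None


def scan(host: str, ports, workers: int = 64) -> dict:
    """Open ports -> banner. Threads overlap the connect timeouts of closed and filtered ports."""
    open_ports = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for hit in pool.map(lambda p: probe(host, p), ports):
            if hit:
                open_ports[hit[0]] = hit[1]
    return open_ports


def findings(open_ports: dict) -> list:
    """Turn the raw scan into the kind of actionable lines the slide talks about."""
    out = []
    for port, banner in sorted(open_ports.items()):
        if port in CLEARTEXT_SERVICES:
            out.append(f"{port}/tcp {CLEARTEXT_SERVICES[port]}: cleartext protocol exposed, disable or tunnel")
        else:
            out.append(f"{port}/tcp open, banner {banner!r}: confirm it is required and patched")
    return out


def start_fake_service(banner: bytes) -> int:
    """Constructed loopback listener that sends a banner on connect; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port() -> int:
    """A loopback port that was free a moment ago: bound, then released."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    live = start_fake_service(b"SSH-2.0-OpenSSH_demo\r\n")   # constructed banner
    result = scan("127.0.0.1", [live, closed_port()])
    for line in findings(result):
        print(line)
```

A banner is a hint, not a verdict: services lie about versions and back-ported patches keep old version strings, so "missing patches" findings need an authenticated check on the host, which is why real scanners ask for credentials.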

Page 27

Vulnerability Scanning: Breakdown Example

Page 28

Configuration Management (CM) & Continuous Deployment (CD)

Page 29

CM&CD: The Challenge

How the heck do you enforce a change on X amount of servers without touching each one individually?

Page 30

CM&CD: The Solution

Something akin to the Starkiller base,

but like… for the good guys. All seeing, all reaching.

Page 31

CM&CD: How it works

Deployments are delivered to clusters of servers within defined maintenance windows:

• Windows Updates

• AV updates

• Applications

• Config rules

Page 32

CM&CD: Benefits

Well that’s all fine and dandy,

but what does that get me?

• Quick response to updates in best-practices

• Faster deployment of critical patches

• High compliance = high stability

Page 33