Top PCI Pitfalls and How to Avoid Them: The QSA’s Perspective

intelligent information security ANITIAN

Upload: algosec

Post on 27-Jul-2015



Adam Gaydosh
• Director of Professional Services at Anitian
• QSA since 2007
• 15+ years of InfoSec experience including auditing, risk assessment, penetration testing and forensics
• Co-developed Anitian’s RiskNow™ - Rapid Risk Assessment approach
• Championed movement toward practical, pragmatic information security solutions


Anitian
• We enlighten, protect and empower great security leaders.
• We believe security will make the world a better place.
• Security is necessary for innovation and growth
• Security can be empowering when it is practical and pragmatic
• Good security comes from rational, scientific methods of analysis

Managing Security at the Speed of Business

Firewall Breaches: 5% Vulnerabilities, 95% Misconfiguration
Data Center Automation

The Security Management Balancing Act

Security vs. Agility: Prevent Cyber Attacks vs. Enable Business Applications

Resource          Time to Provision
Server            Minutes
Storage           Minutes
Security Access   Days/Weeks

Business Applications vs. Security Infrastructure

Managing Security at the Speed of Business


AlgoSec Security Management Suite

Application Owners, Security, Network Operations

Faster Connectivity Provisioning for Business Applications

Streamlined and Automated Change Management

Total Visibility and Control of your Security Policy

Poll


Less is More: Demystifying the Scope of a PCI Audit


What is in the Assessment Scope?
The Assessment Scope includes the people, process and technologies of three primary categories:
• Cardholder Data Environment (CDE)
• Systems connected to the CDE
• Systems that can affect the security of the CDE


What is the Cardholder Data Environment?
The following systems are defined as CDE systems:
• Any system that stores, processes, or transmits Cardholder Data (CHD)
  • Examples: POS terminals, cardholder databases, payment processing applications, the firewalls, switches, and routers that handle any CHD traffic, etc.
• Any system that shares a network segment with a CDE system (e.g. resides on the same VLAN or subnet as a CDE system)


What Else Is In Scope?
• Other In-Scope Systems
  • Any system that connects to the CDE (e.g. makes a network connection into the CDE, or that receives an outbound network connection from a CDE system)
    • Examples: AD server, DNS server, FIM server, AV console, SIEM, backup server, web proxy, etc.
  • Any system that can otherwise affect the security of the CDE
    • Examples: password repositories, data center physical security systems, managed security providers (MSPs), etc.


How to Determine Scope
• Map the data flows of all CHD to determine which people, process and technologies touch CHD
  • For merchants, this can be done by meeting with the business process owners of each payment channel
  • These systems and network devices are in the CDE
• Inventory all network segments with CDE systems
• Inventory all systems on those CDE network segments
  • These systems are in the CDE even if they don’t touch CHD
• Review access control lists (ACLs) to determine which non-CDE systems connect to CDE systems

Automatically Map Application Flows
Which applications connect to the CDE?
Which firewalls are allowing traffic to the CDE?


What’s In and What’s Out: Segmenting Your Network for Compliance


Why Implement Network Segmentation
• Reduce the cost of compliance
  • By default, the entire IT environment is considered to be in scope.
  • Isolating only those systems that touch CHD into dedicated network segments limits the number of systems that can affect the CDE


Network Segmentation Strategy
• Start with the current Scoping Inventory
  • All systems that touch CHD
  • All network segments those CDE systems reside in
  • All other systems in those CDE segments
  • All systems connected to those systems
• Isolate those systems that touch CHD by migrating them to dedicated network segments (or removing the other systems)
• Determine the business need for all CDE connectivity
  • Eliminate all connections where possible to reduce assessment scope


Network Segmentation Strategy
• Enforce segmentation around the CDE network segments using ACLs
  • ACLs can be on either a router or firewall, except for Internet-facing DMZ CDEs and segmenting wireless
  • ACLs must be discretely defined at the port or protocol level
• Document and maintain updated Assessment Scope


Network Segmentation Strategy
You will now have 3 types of systems on your network:
• CDE systems - Touch cardholder data, and are isolated in dedicated network segments with ACLs
• In-scope systems - Not in the CDE, and don't touch CHD, but either:
  • Need access to a CDE system via an ACL
  • Affect the security of the CDE (password servers, physical access control systems, etc.)
• Out-of-scope systems - Not in the CDE, don't touch CHD, don't have access to a CDE system via an ACL or affect the security of the CDE
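The scoping walk-through above (map which systems touch CHD, inventory the segments they sit in, then review ACLs for non-CDE systems that connect to them) and the three resulting classes of system can be checked mechanically against an inventory. The Python script below is an added example and is not part of the Anitian/AlgoSec deck: the system names, subnets and ACL rules are constructed sample data, and the attribute names (touches_chd, affects_cde_security) are this example's own. It also flags permit rules touching a CDE segment that are not defined at the port or protocol level, the segmentation requirement stated on the previous slide.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    ip: str
    touches_chd: bool = False           # stores, processes or transmits CHD
    affects_cde_security: bool = False  # e.g. password vault, physical access control


@dataclass(frozen=True)
class AclRule:
    action: str  # "permit" or "deny"
    src: str     # source CIDR
    dst: str     # destination CIDR
    proto: str   # "tcp", "udp", "icmp" or "any"
    port: str    # destination port, or "any"


# Constructed sample inventory: hypothetical names, segments and addresses.
SEGMENTS = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]  # payment, corporate, management
SYSTEMS = [
    System("pos-01", "10.10.1.10", touches_chd=True),
    System("card-db", "10.10.1.20", touches_chd=True),
    System("print-srv", "10.10.1.30"),                  # shares the payment VLAN, no CHD
    System("ad-01", "10.10.3.10"),
    System("siem-01", "10.10.3.20"),
    System("vault-01", "10.10.2.50", affects_cde_security=True),
    System("hr-wiki", "10.10.2.40"),
]
# Constructed sample ACL rules (hypothetical).
ACLS = [
    AclRule("permit", "10.10.3.0/24", "10.10.1.0/24", "tcp", "389"),   # AD into the CDE
    AclRule("permit", "10.10.1.0/24", "10.10.3.20/32", "udp", "514"),  # CDE syslog out to SIEM
    AclRule("permit", "10.10.3.10/32", "10.10.1.0/24", "any", "any"),  # too broad: any/any into CDE
    AclRule("permit", "10.10.2.0/24", "10.10.2.0/24", "any", "any"),   # broad, but corporate only
    AclRule("deny", "0.0.0.0/0", "10.10.1.0/24", "any", "any"),
]


def _net(cidr):
    return ipaddress.ip_network(cidr)


def _in(ip, cidr):
    return ipaddress.ip_address(ip) in _net(cidr)


def cde_segments(systems, segments):
    """Steps 1-2: any segment that holds a CHD-touching system is a CDE segment."""
    return {seg for seg in segments if any(s.touches_chd and _in(s.ip, seg) for s in systems)}


def connects_to_cde(system, cde, acls):
    """Step 3: a permit rule lets this host reach a CDE segment, or lets a CDE segment reach it."""
    ip = ipaddress.ip_address(system.ip)
    for r in acls:
        if r.action != "permit":
            continue
        src, dst = _net(r.src), _net(r.dst)
        for seg in cde:
            net = _net(seg)
            if (ip in src and dst.overlaps(net)) or (ip in dst and src.overlaps(net)):
                return True
    return False


def classify(systems, segments, acls):
    """Return {system name: 'CDE' | 'in-scope' | 'out-of-scope'} per the three classes on the slide."""
    cde = cde_segments(systems, segments)
    verdict = {}
    for s in systems:
        if any(_in(s.ip, seg) for seg in cde):
            verdict[s.name] = "CDE"  # in a CDE segment, even without touching CHD
        elif s.affects_cde_security or connects_to_cde(s, cde, acls):
            verdict[s.name] = "in-scope"
        else:
            verdict[s.name] = "out-of-scope"
    return verdict


def overly_broad_rules(acls, cde):
    """Permit rules into or out of the CDE that are not defined at the port or protocol level."""
    flagged = []
    for r in acls:
        if r.action != "permit":
            continue
        broad = r.proto == "any" or (r.proto in ("tcp", "udp") and r.port == "any")
        touches_cde = any(_net(r.src).overlaps(_net(seg)) or _net(r.dst).overlaps(_net(seg)) for seg in cde)
        if broad and touches_cde:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    cde = cde_segments(SYSTEMS, SEGMENTS)
    for name, scope in classify(SYSTEMS, SEGMENTS, ACLS).items():
        print(f"{name:10} {scope}")
    for r in overly_broad_rules(ACLS, cde):
        print("broad CDE rule:", r)
```

On the sample data the print server lands in the CDE purely because it shares the payment segment, the vault is in scope without any ACL because it affects CDE security, and only the any/any rule from ad-01 is flagged; the corporate-only any/any rule is untouched because it never reaches a CDE segment.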

Network Segmentation Made Easy
Network segmentation easily defined and enforced
Proactively ensure network segmentation is enforced change after change…


Best Practices for Configuring Your Security Infrastructure


Required Security Controls
• Host hardening
• Antivirus (AV)
• Patch & Vulnerability Management
• Configuration Management
• User and Account Management
• Log Management
• Change Detection


Common Security Configuration Challenges
• Host hardening standards not consistently deployed
• Security patch deployment not comprehensive or timely
• Configuration changes not always tracked
• Excessive user accounts and rights
• Security event logs not appropriately aggregated and reviewed
• System change detection monitoring coverage not comprehensive or not alerting

Policy Audit and Analysis
Validate changes were performed correctly and identify "cowboy" changes

Ensure Correct Configuration
Define and enforce baseline configuration compliance


PCI in the Public Cloud – It’s Not an Oxymoron


Common Questions and Concerns
• Can you be PCI Compliant in the cloud?
  • YES!
• What considerations do I need in choosing a cloud provider?
• What are the implications on my assessment scope?


Choosing a Cloud Provider
• Must be PCI DSS compliant
• Require them to specifically define what areas of PCI they cover (responsibility matrix, as required by PCI DSS 3.0)
  • Applies to MSPs as well as PaaS and SaaS
• Understand the difference of “In the cloud” vs “Of the cloud”
• Do not assume you can just “outsource compliance”
  • You will always have some responsibility


Implications on Assessment Scope
• Pure cloud CDEs
  • Simplest to manage
  • Customer environment + PCI compliant cloud infrastructure
• Extended CDEs
  • Hybrid architectures of cloud + on-prem
  • Common for leveraging on-prem security management technologies
  • Connection technologies (such as VPN) bridge CDEs between locations
  • Ensure segmentation is not broken

Unified Management Across Every Environment
Physical, Private Cloud, Public Cloud

Unify Policy Management
Single pane of glass across cloud, virtual and physical
Efficiently manage cloud security controls

Piecing it All Together

Automated Compliance Reports
“Now we can get - in a click of a button - what took two to three weeks per firewall to produce manually.”
Marc Silver, Security Manager, Discovery

Where do you want your compliance to be?
Point in Time vs. Continuous

Thank You

EMAIL: [email protected]
WEB: www.anitian.com
BLOG: blog.anitian.com
CALL: 888-ANITIAN

EMAIL: [email protected]
WEB: www.algosec.com
BLOG: blog.algosec.com
CALL: 888-358-3696