Derek Boczenowski | Sr. IT Security Analyst | dboczenowski@CompassITC.com
Security Best Practices - How Country Music Helped Me Understand Security!
Agenda
- Introductions
- Who / what is PCI?
- How can it help me?
- PCI structure / Security Best Practices
- Free and Paid Tools
- In-house vs. Outsourced Security
- Q & A
Compass IT Compliance
- Performs audits and risk assessments spanning multiple industries
- Focus on IT security and compliance
- Deep knowledge of PCI, HIPAA, and information security practices and standards such as COBIT and ISO 27001/2.
• Boston Globe used recycled paper containing credit, debit card, and personal check routing information for printing and for wrapping newspaper bundles for distribution. As many as 240,000 records were potentially exposed.
• A company handling claims for the Georgia Department of Community Health lost a CD in transit containing 2,900,000 individuals' personal information including addresses, birthdates, dates of eligibility, full names, Medicaid or children's health care recipient identification numbers, and Social Security numbers.
• Just last week, 2.4 million records from Carphone Warehouse, a cell phone vendor in the UK, were compromised by hackers.
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard.
- Developed to provide security best practices around credit and debit cards.
- PCI is made up of six goals split into 12 areas (requirements). To achieve compliance, a merchant has to meet a variety of security goals.
- Business agnostic.
- Periodically reviewed by the PCI Council and updated.
- Works in concert with other security standards (COBIT, NIST).
Direct benefits
- Compliance means that your systems are secure in the manner approved by the payment card brands and follow best practices. Ongoing compliance means ensuring that all industry-standard protections are in place to prevent (minimize the risk of) security breaches and theft of payment card data.
- When you stay compliant, you are part of the solution – a united, global response to fighting payment card data compromise.
Indirect benefits
- Overall strengthening of information security posture
- Better preparedness to comply with other regulations – state privacy regulations, HIPAA, SOX, etc.
Source: https://www.pcisecuritystandards.org/security_standards/why_comply.php
What happens without it?
Why is PCI DSS compliance important? Without it … it could be disastrous:
- Compromised data negatively affects consumers, merchants, and financial institutions
- Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future
- Account data breaches can lead to catastrophic loss of sales and relationships
- Possible negative consequences also include:
  - Lawsuits
  - Insurance claims
  - Cancelled accounts
  - Payment card issuer fines
  - Government fines
Adapted from: https://www.pcisecuritystandards.org/security_standards/why_comply.php
Best practices guidance
- Provides a basis for corporate security strategy
- Can be used across multiple industries and organizations of any size.
- Can serve as a "gap analysis" to improve your IT infrastructure and processes.
- Prepares companies for audits and compliance reviews.
PCI DSS v 3.0 - Payment Card Industry Data Security Standard
• Goal #1 – Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
• Laptop / PC firewall free tools – Windows Firewall, ZoneAlarm.
• Paid tools – Cisco, Barracuda, Check Point, Fortinet, SonicWall.
• I put a NASCAR track around my heart to keep the riff-raff out!
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
• Change all default passwords upon setup.
• Every user gets their own login.
• All my exes are named Myra, and the alimony is killing me!
12 Sections of PCI DSS
• Goal #2 – Protect Cardholder Data
1. Protect stored cardholder data (electronic).
• Encrypt all laptops – Windows free tools, paid tools for domains.
• Set access levels in Windows by job function.
• There's a lock on my door and on my heart!
2. Encrypt transmission of cardholder data across open, public networks.
• Look into secure email if needed (Zix, Axway).
• SFTP rather than FTP (native to Linux and free!).
• You slashed my tires, so I bought a tank!
• Goal #3 – Maintain a Vulnerability Management Program
1. Protect all systems against malware and regularly update anti-virus software or programs.
• Free tools include Avast, AVG, Windows Defender.
• Paid tools include Norton, McAfee, Sophos.
• Implement an IDS – free tools include Snort, Sagan, Suricata.
• No matter what your sister says, I didn't sleep with her, and I'll go on Jerry Springer to prove it!
2. Develop and maintain secure systems and applications.
• Look at SDLC (System Development Life Cycle) tools.
• I built the house of our dreams, but left our back door unlocked!
• Goal #4 – Implement Strong Access Control Measures
1. Restrict access to cardholder data by business need to know.
• Use Active Directory & GPO to restrict access to folders and systems.
• My attorney says the bait shop is not community property!
2. Identify and authenticate access to system components.
• Unique access ID for everyone (no shared "Administrator" account).
• Two-factor authentication for remote access.
• Just because I met you at a bar doesn't make you a lawyer!
3. Restrict physical access to cardholder data.
• Locked server room, log books, badges, etc.
• I still love you, but the restraining order keeps us apart…
• Goal #5 – Regularly Monitor and Test Networks
1. Track and monitor all access to network resources and cardholder data.
• Log monitoring – free tools include Splunk, Kiwi Syslog, LOGalyze.
• Network monitoring – free tools include Spiceworks, ManageEngine, PRTG, Nagios.
• I want to trust you, but the videotape with you and my best friend makes me wonder…
2. Regularly test security systems and processes.
• Vulnerability scanners – free tools include Nexpose, Qualys, MBSA.
• Penetration testing.
• I didn't mean to come home drunk with the guys and set off the alarm at 3am, honey, it was just a test!
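What "track and monitor all access" looks like once the logs are collected, as an added example that is not part of the slides or of any tool named in them: a small Python script that parses constructed sshd-style authentication lines, raises an alert when one source address accumulates a burst of failed logins inside a sliding window, flags a success that follows such a burst, and flags any direct login by a shared generic account (tying back to Goal #4's unique access IDs). The log format, the `SAMPLE_LOG` lines, the year used to complete the timestamps and the threshold and window values are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of syslog-style sshd auth events (not real log data).
SAMPLE_LOG = """\
Aug 12 09:01:02 posserver sshd[1201]: Failed password for derek from 10.0.5.23 port 51122 ssh2
Aug 12 09:01:05 posserver sshd[1201]: Failed password for derek from 10.0.5.23 port 51124 ssh2
Aug 12 09:01:09 posserver sshd[1201]: Failed password for root from 10.0.5.23 port 51130 ssh2
Aug 12 09:01:12 posserver sshd[1201]: Failed password for admin from 10.0.5.23 port 51133 ssh2
Aug 12 09:01:15 posserver sshd[1201]: Failed password for admin from 10.0.5.23 port 51135 ssh2
Aug 12 09:02:40 posserver sshd[1202]: Accepted password for derek from 10.0.5.23 port 51140 ssh2
Aug 12 09:30:11 posserver sshd[1310]: Accepted publickey for Administrator from 10.0.7.9 port 40012 ssh2
Aug 12 11:15:00 posserver sshd[1400]: Failed password for maria from 10.0.5.40 port 33001 ssh2
"""

# Assumed line layout: "<Mon dd HH:MM:SS> <host> sshd[pid]: Accepted|Failed <method> for [invalid user] <user> from <src> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Generic or shared accounts that should never be used for direct logins
# (everyone gets a unique ID). Assumed list for the example.
SHARED_ACCOUNTS = {"administrator", "root", "admin"}


def parse_line(line, year=2015):
    """Return a dict for an auth event, or None for lines that do not match.
    syslog lines carry no year, so one is supplied (assumed 2015 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def find_alerts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Scan the log once, in order, and return (alert_type, subject, timestamp) tuples."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []
    failures = defaultdict(list)  # src address -> timestamps of its failed logins

    for e in events:
        if e["result"] == "Failed":
            q = failures[e["src"]]
            q.append(e["ts"])
            # Drop failures that have aged out of the sliding window.
            while q and e["ts"] - q[0] > window:
                q.pop(0)
            # Fire once, at the moment the source crosses the threshold.
            if len(q) == threshold:
                alerts.append(("brute_force", e["src"], e["ts"]))
        else:  # Accepted
            # A shared/generic account logging in breaks the unique-ID rule.
            if e["user"].lower() in SHARED_ACCOUNTS:
                alerts.append(("shared_account_login", e["user"], e["ts"]))
            # A success right after a burst of failures from the same source
            # is the event an analyst most wants to see.
            recent = failures.get(e["src"], [])
            if len(recent) >= threshold and e["ts"] - recent[-1] <= window:
                alerts.append(("success_after_failures", e["src"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, subject, when in find_alerts(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:<24} {subject}")
```

The single pass over the events keeps the script usable on a rolling log file; the threshold and window are the knobs a shop would tune, and the same structure extends to other sources (VPN, RDP, application logins) by adding a regex per format.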
• Goal #6 – Maintain an Information Security Policy
1. Maintain a policy that addresses information security for all personnel.
• Information security policies and procedures
• Acceptable use policy
• Backup, retention, and disposal policies
• BCP/DR plans
• If you love me, why are you making me sign this pre-nup?
Ask for help! – Use outside sources and companies to validate your desire for better security.
Get certified! – Demonstrate how getting an organization security certified (PCI, ISO, etc.) can be used as a sales and marketing tool.
Online peer groups – Thousands of people have the same issues that you do! Find groups online that allow questions and answers.
Get staff involved – Social engineering tests and security awareness training can show staff that security is for everyone.
Most importantly, do something.
1. Security Awareness Training
2. Antivirus/Antimalware Software
3. Appropriate User Access Control
4. Perimeter Defenses
5. Current Hardware/Software
6. Patch Management
7. Documentation
8. Risk Assessment
9. Incident Response
Free vs. Paid Tools
Free tools:
- Free!
- Can be time consuming to set up and run; support is often community driven.
- Updates and bug fixes irregular.
- Can be great for smaller shops; sometimes don't scale well for enterprise rollouts.
Paid tools:
- Can be very costly.
- Many have easy setup guides; most have dedicated support.
- Often new versions on a regular schedule (to keep the money coming in!).
- Can be like swatting a bug with a howitzer, but can be a lifesaver in big companies.
Outsourced security:
- Cost – In most cases, it will be cheaper to outsource.
- 24/7 support – Firewall & network monitoring, log management, all can be done 7 by 24 by 365.
- Specialists – Access to security specialists without having to invest in training or retention.
- Second set of eyes – Never a bad thing to get a second opinion.
In-house security:
- More hands-on – Better ability to make decisions and modifications quickly.
- Specialized environment – Outsourcing might not make business sense.
- Outsourcing overkill – Don't kill a fly with a howitzer.
Not an all or nothing decision – Like a Chinese menu, some from column A, some from column B.
Questions to ask before outsourcing:
- Can a third-party supplier provide a better quality of service than you can provide internally for the same, or lower, cost?
- Can the third-party supplier meet all of the compliance requirements that you must abide by?
- Are there things you can do internally better than having them outsourced?
- What would be the consequences for your organization should the service provider fail to deliver on their claims or otherwise fail your needs?
Come by and Visit Us!
As a benefit of attending the summit, we are happy to provide:
- Standard conference knick-knacks
- Free 30 minute (or less) consultations on-site at the Compass booth!
- The chance to critique and heckle me one on one!
Just for you!
References
Some sources of additional information:
- http://www.sans.org
- https://www.us-cert.gov/
- http://its.ucsc.edu/security/breaches.html
- http://nysac.org/news/nysac-news-springsummer-2012/cyber-risk-a-stealth-threat-for-municipalities/
- http://www.mma.org/resources-mainmenu-182/doc_view/853-technology-s-dark-side-yes-a-data-breach-could-happen-to-your-community
Questions?
Derek Boczenowski
Compass IT Compliance, LLC
dboczenowski@compassitc.com