Security Best Practices - How PCI can Help. Derek Boczenowski Sr. IT Security Analyst


Academic year: 2021


(1)

Derek Boczenowski | Sr. IT Security Analyst | dboczenowski@CompassITC.com

Security Best Practices - How PCI can Help

(2)

How Country music helped me understand security!

(3)

Agenda

- Introductions
- Who / what is PCI?
- How can it help me?
- PCI structure / Security BP
- Free and Paid Tools
- In-house vs. Outsourced Security
- Q & A

(4)

Compass IT Compliance

- Performs audits and risk assessments spanning multiple industries
- Focus on IT security and compliance
- Deep knowledge in PCI, HIPAA, and information security practices and standards such as COBiT and ISO 27001/2.

(5)

• Boston Globe used recycled paper containing credit, debit card, and personal check routing information for printing and for wrapping newspaper bundles for distribution. As many as 240,000 records were potentially exposed.

• A company handling claims for the Georgia Department of Community Health lost a CD in transit containing 2,900,000 individuals' personal information including addresses, birthdates, dates of eligibility, full names, Medicaid or children's health care recipient identification numbers, and Social Security numbers.

• Just last week, 2.4 million records from Carphone Warehouse, a cell phone vendor in the UK, were compromised due to hackers.

(6)

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard.

Developed to provide security best practices around credit and debit cards.

PCI is made up of six goals split into 12 areas. To achieve compliance, a merchant has to meet a variety of security goals. It is business agnostic.

Periodically reviewed by a PCI Council and updated.

Works in concert with other security standards (COBiT, NIST).

(7)

Why is PCI DSS compliance

Direct benefits

• Compliance means that your systems are secure in the manner approved by the payment card brands that follows best practices.

• Ongoing compliance means ensuring that all industry-standard protections are in place to prevent (minimize risk for) security breaches and theft of payment card data.

• When you stay compliant, you are part of the solution – a united, global response to fighting payment card data compromise.

Indirect benefits

• Overall strengthening of information security posture

• Better preparedness to comply with other regulations – state privacy regulations, HIPAA, SOX, etc.

Source: https://www.pcisecuritystandards.org/security_standards/why_comply.php

(8)

What happens without it?

… it could be disastrous:

• Compromised data negatively affects consumers, merchants, and financial institutions

• Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future

• Account data breaches can lead to catastrophic loss of sales and relationships

• Possible negative consequences also include:
  - Lawsuits
  - Insurance claims
  - Cancelled accounts
  - Payment card issuer fines
  - Government fines

Adapted from: https://www.pcisecuritystandards.org/security_standards/why_comply.php

(9)

Best practices guidance.

Provides a basis for corporate security strategy

Can be used across multiple industries of any size. Can assist as a “gap analysis” to improve your IT infrastructure and processes.

Prepares companies for audits and compliance reviews.

(10)

PCI DSS v 3.0 - Payment Card Industry Data Security Standard

Goal #1 – Build and Maintain a secure network.

1. Install and maintain a firewall configuration to protect cardholder data.
   - Laptop / PC Firewall free tools – Windows, Zone Alarm.
   - Paid tools – Cisco, Barracuda, Checkpoint, Fortinet, Sonicwall.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.
   - Change all default passwords upon setup.
   - Every user gets their own login.

12 Sections of PCI DSS

(11)

PCI DSS v 3.0 - Payment Card Industry Data Security Standard

Goal #1 – Build and Maintain a secure network.

1. Install and maintain a firewall configuration to  protect cardholder data.

I put a NASCAR track around my heart to keep riff-raff out!

2. Do not use vendor‐supplied defaults for system  passwords and other security parameters.

All my exes are named Myra, and the alimony is killing me!

12 Sections of PCI DSS

(12)

PCI DSS v 3.0 - Payment Card Industry Data Security Standard

Goal #2 – Protect Cardholder Data

1. Protect stored cardholder data (electronic).
   - Encrypt all laptops – Windows free tools, paid tools for domains.
   - Set access levels in Windows by job function.

2. Encrypt transmission of cardholder data across open, public networks.
   - Look into secure email if needed (Zix, Axway).
   - SFTP rather than FTP (native to Linux and free!).

12 Sections of PCI DSS

(13)

PCI DSS v 3.0 - Payment Card Industry Data Security Standard

Goal #2 – Protect Cardholder Data

1. Protect stored cardholder data (electronic).
   There’s a lock on my door and on my heart!

2. Encrypt transmission of cardholder data across open, public networks.
   You slashed my tires, so I bought a tank!

12 Sections of PCI DSS

(14)

PCI DSS v 3.0 - Payment Card Industry Data Security Standard

Goal #3 – Maintain a Vulnerability Management Program

1. Protect all systems against malware and regularly update anti-virus software or programs.
   - Free tools include Avast, AVG, Windows Defender.
   - Paid tools include Norton, McAfee, Sophos.
   - Implement an IDS – Free tools include Snort, Sagan, Suricata.

2. Develop and maintain secure systems and applications.
   - Look at SDLC (System Development Life Cycle) tools.

12 Sections of PCI DSS

(15)

PCI DSS v 3.0 - Payment Card Industry Data Security Standard

Goal #3 – Maintain a Vulnerability Management Program

1. Protect all systems against malware and regularly update anti-virus software or programs.
   No matter what your sister says, I didn’t sleep with her, and I’ll go on Jerry Springer to prove it!

2. Develop and maintain secure systems and applications.
   I built the house of our dreams, but left our backdoor unlocked!

12 Sections of PCI DSS

(16)

PCI DSS v 3.0 - Payment Card Industry Data Security Standard

Goal #4 – Implement Strong Access Control Measures

1. Restrict access to cardholder data by business need to know.
   - Use Active Directory & GPO to restrict access to folders and systems.

2. Identify and authenticate access to system components.
   - Unique Access ID for everyone (No “Administrator” account).
   - Two-factor authentication for remote access.

3. Restrict physical access to cardholder data.
   - Locked server room, log books, badges, etc.

12 Sections of PCI DSS

(17)

PCI DSS v 3.0 - Payment Card Industry Data Security Standard

Goal #4 – Implement Strong Access Control Measures

1. Restrict access to cardholder data by business need to know.
   My attorney says the bait shop is not community property!

2. Identify and authenticate access to system components.
   Just because I met you at a bar doesn’t make you a lawyer!

3. Restrict physical access to cardholder data.
   I still love you, but the restraining order keeps us apart…

12 Sections of PCI DSS

(18)

PCI DSS v 3.0 - Payment Card Industry Data Security Standard

Goal #5 – Regularly monitor and test networks.

1. Track and monitor all access to network resources and cardholder data.
   - Log Monitoring – Free tools include Splunk, KiwiSyslog, LOGalyze.
   - Network Monitoring – Free tools include Spiceworks, ManageEngine, PRTG, Nagios.

2. Regularly test security systems and processes.
   - Vulnerability Scanners – Free tools include Nexpose, Qualys, MBSA.
   - Penetration testing.

12 Sections of PCI DSS
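The unique-ID requirement from Goal #4 (no shared “Administrator” account) and the log-monitoring requirement from Goal #5 can be turned into one small log review. This is an added example, not code from the deck or from Compass IT Compliance; it assumes OpenSSH-style auth log lines, uses constructed sample data, and the SHARED_ACCOUNTS set is an illustrative assumption.

```python
import re
from collections import Counter

# Accounts that should never show up as interactive logins on a system in
# PCI scope: PCI wants a unique ID per person and no generic "Administrator".
# Assumption: the set is illustrative; tailor it to the environment.
SHARED_ACCOUNTS = {"administrator", "admin", "root", "guest", "posuser"}

# Constructed sshd-style sample lines (not from any real system).
SAMPLE_LOG = """\
Aug 10 09:01:12 pos-srv1 sshd[1201]: Accepted password for dboczenowski from 10.1.2.15 port 51000 ssh2
Aug 10 09:03:40 pos-srv1 sshd[1210]: Accepted password for administrator from 10.1.2.99 port 51010 ssh2
Aug 10 09:05:01 pos-srv1 sshd[1222]: Failed password for jsmith from 10.1.2.40 port 51020 ssh2
Aug 10 09:05:03 pos-srv1 sshd[1222]: Failed password for jsmith from 10.1.2.40 port 51021 ssh2
Aug 10 09:05:06 pos-srv1 sshd[1222]: Failed password for jsmith from 10.1.2.40 port 51022 ssh2
Aug 10 09:07:30 pos-srv1 sshd[1240]: Accepted publickey for root from 10.1.2.99 port 51030 ssh2
"""

# Matches the OpenSSH "Accepted/Failed <method> for <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse(log_text):
    """Yield a dict per line that matches the auth format; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def review(log_text, fail_threshold=3):
    """Return findings as tuples: shared-account logins and failed-login bursts.

    shared-account-login: (kind, user, source ip, timestamp)
    failed-login-burst:   (kind, user, source ip, failure count)
    """
    findings = []
    failures = Counter()
    for ev in parse(log_text):
        if ev["result"] == "Accepted" and ev["user"].lower() in SHARED_ACCOUNTS:
            findings.append(("shared-account-login", ev["user"], ev["src"], ev["ts"]))
        elif ev["result"] == "Failed":
            failures[(ev["user"], ev["src"])] += 1
    for (user, src), n in failures.items():
        if n >= fail_threshold:
            findings.append(("failed-login-burst", user, src, n))
    return findings
```

Run `review(SAMPLE_LOG)` to get the two shared-account logins and the one failed-login burst; the same function can be pointed at an exported auth log from a syslog collector.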

(19)

PCI DSS v 3.0 - Payment Card Industry Data Security Standard

Goal #5 – Regularly monitor and test networks.

1. Track and monitor all access to network resources and cardholder data.
   I want to trust you, but the videotape with you and my best friend makes me wonder…

2. Regularly test security systems and processes.
   I didn’t mean to come home drunk with the guys and set off the alarm at 3am honey, it was just a test!

12 Sections of PCI DSS

(20)

PCI DSS v 3.0 - Payment Card Industry Data Security Standard

Goal #6 – Maintain an Information Security Policy.

1. Maintain a policy that addresses information security for all personnel.
   - Information Security Policies and Procedures.
   - Acceptable Use Policy.
   - Backup, retention, and disposal policies.
   - BCP/DR plans.

12 Sections of PCI DSS

(21)

PCI DSS v 3.0 - Payment Card Industry Data Security Standard

Goal #6 – Maintain an Information Security Policy.

1. Maintain a policy that addresses information security for all personnel.
   If you love me, why are you making me sign this pre-nup?

12 Sections of PCI DSS

(22)

Ask for help! – Use outside sources and companies to validate your desire for better security.

Get Certified! – Demonstrate how getting an organization security certified (PCI, ISO, etc.) can be used as a sales and marketing tool.

Online peer groups – Thousands of people have the same issues that you do! Find groups online that allow questions and answers.

Get Staff Involved – Social engineering tests and security awareness training can show staff that security is for everyone.

(23)

Most Importantly, Do Something.

1. Security Awareness Training

2. Antivirus/Antimalware Software

3. Appropriate User Access Control

4. Perimeter Defenses

5. Current Hardware/Software

6. Patch Management

7. Documentation

8. Risk Assessment

9. Incident Response

(24)
(25)

Free vs. Paid Tools

Free Tools:
- Free!
- Can be time consuming to set up and run; support is often community driven.
- Updates and bug fixes irregular.
- Can be great for smaller shops; sometimes don’t scale well for enterprise rollouts.

Paid Tools:
- Can be very costly.
- Many have easy setup guides; most have dedicated support.
- Often new versions on regular schedule (to keep the money coming in!).
- Can be like swatting a bug with a howitzer, but can be a lifesaver in big companies.

(26)

Cost – In most cases, it will be cheaper to outsource.

24/7 support – Firewall & network monitoring, log management, all can be done 7 by 24 by 365.

Specialists – Access to security specialists without having to invest in training or retention.

Second set of eyes – Never a bad thing to get a second opinion.

(27)

More Hands-on – Better ability to make decisions and modifications quickly.

Specialized environment – Might not make business sense.

Outsourcing Overkill – Don’t kill a fly with a howitzer.

Not an all or nothing decision – Like a Chinese menu, some from column A, some from column B.

(28)

Can a third-party supplier provide a better quality of service than you can provide internally for the same, or lower, cost?

Can the third-party supplier meet all of the compliance requirements that you must abide by?

Are there things you can do internally better than having them outsourced?

What would be the consequences for your organization should the service provider fail to deliver their claims or otherwise fail your needs?

(29)

Just for you!

Come by and Visit Us!

As a benefit of attending the summit, we are happy to provide:

• Standard Conference Knick-Knacks

• Free 30 Minute (or less) free consultations on-site at the Compass booth!

• The chance to critique and heckle me one on one!

(30)

References

Some sources of additional information:
- http://www.sans.org
- https://www.us-cert.gov/
- http://its.ucsc.edu/security/breaches.html
- http://nysac.org/news/nysac-news-springsummer-2012/cyber-risk-a-stealth-threat-for-municipalities/
- http://www.mma.org/resources-mainmenu-182/doc_view/853-technology-s-dark-side-yes-a-data-breach-could-happen-to-your-community

(31)

Questions?

Derek Boczenowski

Compass IT Compliance, LLC dboczenowski@compassitc.com

