DC4420 - Hack the Qsa


  • 8/13/2019 DC4420 - Hack the Qsa

    1/90 hack the qsa: inside pci dss

    jonathan care

    @arashiyama

  • 2/90 hackers and pci dss: wtf?

  • 3/90 kill off misconceptions

  • 4/90 get past the sales talk


  • 6/90 three faces of information security

  • 7/90 compliance

  • 8/90 most of the action


  • 10/90 large documentation trees

  • 11/90 happy audit teams. yay.

  • 12/90 based on ancient threats

  • 13/90 being breached when compliant can be shocking

  • 14/90 business enablement

  • 15/90 board happy

  • 16/90 enhance reputation

  • 17/90 gain sales

  • 18/90 innovate new products

  • 19/90 new ways of working

  • 20/90 sounds great, mostly hot air

  • 21/90 doesn't pass investment analysis

  • 22/90 rarely continues after first year

  • 23/90 real infosec

  • 24/90 current risks and threats,

  • 25/90 not last year's audit actions

  • 26/90 speak up

  • 27/90 pull the plug on insecure systems

  • 28/90 send project managers back to the drawing board


  • 30/90 and potentially unemployable

  • 31/90 and since we mentioned SCADA

  • 32/90 Note: I will not visit you in prison if you get into trouble trying out this stuff.

    Also, SCADA systems control things that are IMPORTANT and should not be fscked with lightly


  • 34/90 http://bit.ly/jTlKsL (What temperature would we like their HVAC today?)

  • 35/90 anyway, back to the PCI

  • 36/90 fact #1: PCI DSS applies to you if you store, process or transmit cards

    but we.

  • 37/90 fact #2: PCI DSS is basic stuff

    You mean you don't patch? You mean you don't (more in a moment)

  • 38/90 fact #3: PCI compliance security

    damage limitation, but not for you

  • 39/90 PCI has the concept of levels

  • 40/90 merchants vs service providers

  • 41/90 merchant levels (mostly) determined by sales volume

  • 42/90 service providers driven by volume and whether they want to be listed

  • 43/90 higher levels get assessed

  • 44/90 what is a QSA, anyway?

  • 45/90 type #1: reassuringly expensive

  • 46/90 I want to do a forensic analysis of all your servers

  • 47/90 I want you to buy military standard shredders

  • 48/90 I want you to buy my payment service gateway

  • 49/90 type #2: kwallity sekurity assesser

  • 50/90 email me your firewall config

  • 51/90 fill in the online tool

  • 52/90 buy my payment service gateway

  • 53/90 type #3: just about right?


  • 55/90 working in PCI means

  • 56/90 your mum will have heard of your clients

  • 57/90 entrepreneurs tough on suppliers

  • 58/90 comparative risk of pwn vs theft

  • 59/90 ever wondered why companies fail?

  • 60/90 install and maintain a firewall configuration: 66% fail

  • 61/90 do not use vendor default passwords: 62% fail

  • 62/90 protect stored data: 79% fail

  • 63/90 encrypt sensitive data flowing across public networks: 45% fail

  • 64/90 develop and maintain secure systems and applications: 56% fail

  • 65/90 unique IDs for each person: 71% fail

  • 66/90 restrict physical access to cardholder data: 59% fail

  • 67/90 track and monitor access: 71% fail

  • 68/90 regularly test systems and processes: 74% fail

  • 69/90 maintain a policy that addresses information security: 60% fail

  • 70/90 Good news! Most people install AV

  • 71/90 timelines for a breach investigation

  • 72/90 Day 0: You've been breached

  • 73/90 Identify a forensic company: 5 days

  • 74/90 Sign forensics contract: 10 days

  • 75/90 Investigator onsite: 15 days

  • 76/90 Preliminary forensic report: 20 days

  • 77/90 Any delays are met with (more) fines

  • 78/90 What goes in the report? (and who gets it)

  • 79/90 Questions for your QSA

  • 80/90 Have you worked in $sector before?

  • 81/90 How many assessments have you done?

  • 82/90 do you social engineer?

  • 83/90 (hope so)

  • 84/90 do you pen test?

  • 85/90 (this is not a pen test)

  • 86/90 If they claim to be a Payment Systems Expert

  • 87/90 ISO 8583

  • 88/90 which comes first, the law or PCI

  • 89/90 do you know my PCI person at $bank

  • 90/90 Thank you

    @arashiyama