8/13/2019 DC4420 - Hack the Qsa
1/90
hack the qsa : inside pci dss
jonathan care
@arashiyama
hackers and pci dss : wtf?
kill off misconceptions
get past the sales talk
three faces of information security
compliance
most of the action
large documentation trees
happy audit teams. yay.
based on ancient threats
being breached when compliant
can be shocking
business enablement
board happy
enhance reputation
gain sales
innovate new products
new ways of working
sounds great, mostly hot air
doesn't pass investment analysis
rarely continues after first year
real infosec
current risks and threats,
not last year's audit actions
speak up
pull the plug on insecure systems
send project managers back to the
drawing board
and potentially unemployable
and since we mentioned SCADA
Note: I will not visit you in prison if you get into trouble trying out this stuff.
Also, SCADA systems control things that are IMPORTANT and should not be fscked with lightly.
http://bit.ly/jTlKsL (What temperature would we like their HVAC today?)
anyway, back to the PCI
fact #1: PCI DSS applies to you if you
store, process or transmit cards
but we.
fact #2: PCI DSS is basic stuff
You mean you don't patch? You mean you don't (more in a moment)
fact #3: PCI compliance security
damage limitation, but not for you
PCI has the concept of levels
merchants vs service providers
merchant levels (mostly) determined
by sales volume
service providers driven by volume
and whether they want to be listed
higher levels get assessed
what is a QSA, anyway?
type #1: reassuringly expensive
I want to do a forensic analysis of all
your servers
I want you to buy military standard
shredders
I want you to buy my payment service
gateway
type #2: kwallity sekurity assesser
email me your firewall config
fill in the online tool
buy my payment service gateway
type #3: just about right?
working in PCI means
your mum will have heard of your
clients
entrepreneurs tough on suppliers
comparative risk of pwn vs theft
ever wondered why companies fail?
install and maintain a firewall configuration: 66% fail
do not use vendor default passwords: 62% fail
protect stored data: 79% fail
encrypt sensitive data flowing across public networks: 45% fail
develop and maintain secure systems and applications: 56% fail
unique IDs for each person: 71% fail
restrict physical access to cardholder data: 59% fail
track and monitor access: 71% fail
regularly test systems and processes: 74% fail
maintain a policy that addresses information security: 60% fail
Good news! Most people install AV
timelines for a breach investigation
Day 0: You've been breached
Identify a forensic company: 5 days
Sign forensics contract: 10 days
Investigator onsite: 15 days
Preliminary forensic report: 20 days
Any delays are met with (more) fines
What goes in the report?
(and who gets it)
Questions for your QSA
Have you worked in $sector before?
How many assessments have you
done?
do you social engineer?
(hope so)
do you pen test?
(this is not a pen test)
If they claim to be a Payment Systems
Expert
ISO 8583
which comes first, the law or PCI
do you know my PCI person at $bank
Thank you
@arashiyama