PCI Compliant - but are we secure -- FOR PRINTING IN ...


5/10/2016

1

…but are we secure?

Michael Carr, JD, CISSP, CIPP
Chief Information Security Officer
University of Kentucky
June 2016

PCI Compliant

2

Disclaimer

The content, discussion, or materials presented are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem or advice. Use of and access to this information or material does not create an attorney-client relationship between Michael Carr and you, the conference attendee. The opinions expressed during this presentation are the opinions of the author and do not reflect the opinions or advice of the SCCE, the University of Kentucky, the Commonwealth of Kentucky or anyone else on planet Earth.

Any rebroadcast, retransmission, or account of this presentation, without the express written consent of Major League Baseball, er…, I mean, SCCE, is strictly prohibited. This presentation is meant for educational purposes only. Any resemblance to real persons, living or dead is purely coincidental. Void where prohibited. Do not use while operating a motor vehicle or heavy equipment. You must be present to win. Subject to change without notice. Disclaimer includes misuse, accident, lightning, flood, tornado, tsunami, volcanic eruption, earthquake, hurricanes and other Acts of God, neglect, damage from improper reading, incorrect line voltage, improper or unauthorized reading, broken antenna or marred cabinet, missing or altered serial numbers, electromagnetic radiation from nuclear blasts, sonic boom vibrations, customer adjustments that are not covered in this list, and incidents owing to an airplane crash, ship sinking or taking on water, motor vehicle crashing, dropping the item, falling rocks, leaky roof, broken glass, mud slides, forest fire, or projectile (which can also include, but not be limited to, arrows, bullets, shot, BB's, shrapnel, lasers, napalm, torpedoes, or emissions of X-rays, Alpha, Beta and Gamma rays, knives, stones, head slaps, nasty tones, mean looks or thoughts, etc.)

3

Show of hands . . .

Barry Nelson, 1954: Casino Royale

David Niven, 1967: Casino Royale

Sean Connery, 1962‐1983

George Lazenby, 1969: On Her Majesty’s Service

Roger Moore, 1973‐1985

Timothy Dalton, 1987‐1989

Pierce Brosnan, 1995‐2002

Daniel Craig, 2006‐

…got a favorite?


4

Show of hands . . . …always as cool & collected?

5

Show of hands . . . …or do you feel like this?

Juggling Chainsaws on a Tightrope

6

PCI Compliant…but are we secure?

Agenda

• Using Target Dept Store’s breach as a backdrop

What does it mean to be PCI Compliant?

PCI Compliance ≠ Secure

What can be done to ensure both


7

…November-December 2013

About 12M people in common; 98M unique customers

8

…post-breach

• ~$248M in data breach costs (across ‘13 & ‘14)
  Payments to Visa, MasterCard and Banks
  Offset by insurance payments of $90M

• ‘07: TJ Max: 94M customers & payment card info
• ‘09: Heartland: 130M payment card records
• ’13: Adobe: 152 customers & payment card info
• ‘14: Home Depot: 56M payment cards

9

Anatomy of the Target Breach


10-14

Anatomy of the Target Breach

(diagram built up over slides 10-14; labels as extracted:)

Contractor Portal

Firewall

Target’s Corporate Network

15

…post-breach

• There were a number of missteps.
• Some human error; some technical failings

• But Target was PCI Compliant ! ? !
• TrustWave was their Qualified Security Assessor (QSA)
• FireEye was monitoring their network
• Alarms were ignored


16

PCI Compliant

• Let’s not get ahead of ourselves . . .

What is a QSA?

What does it mean to be PCI Compliant?

…what does that mean?

17

PCI Compliant

• Way back in early 2000s . . .

  AmEx, Discover, JCB, MasterCard and Visa
  PCI Data Security Standard (DSS)
  Proprietary information security standard
  Ver 1.0: December ’04
  Ver 3.2: anytime now

…what does that mean?

18

PCI Compliant

Similar to being audited, PCI Compliance is a point‐in‐time assessment of an organization’s adherence to the PCI Data Security Standards (PCI DSS)

…what does that mean?

A QSA is similar to an external auditor 


19

PCI DSS …isn’t it a bunch of technical gobbledygook?

• Yes and No . . .

  It’s a prescriptive standard/framework

  12 Requirements (aka “digital dozen”) within 6 Main Categories
  • Each has sub‐points, testing procedures & “guidance”

  Requires documenting environment & issuing a Report on Compliance (RoC)

20

PCI DSS…technical gobbledygook?

High Level Overview

I. Build & maintain secure network
  1. Install/maintain firewall configuration…
  2. Don’t use vendor‐supplied defaults…

II. Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt . . . cardholder data…

III. Maintain vulnerability mgmt program
  5. Protect systems against malware…
  6. Develop & maintain secure systems…

21

PCI DSS…technical gobbledygook?

High Level Overview (continued)

IV. Implement Access Control Measures
  7. Restrict access to cardholder data…
  8. Identify & authenticate access…
  9. Restrict physical access to cardholder data

V. Regularly Monitor & Test Networks
  10. Track & monitor access…
  11. Regularly test security systems…

VI. Maintain Information Security Policy
  12. Maintain policy that addresses InfoSec for all personnel…


22

PCI DSS…technical gobbledygook?

Sub‐points, Testing Procedures & “Guidance”

Example:

I. Build & maintain secure network
  1. Install/maintain firewall configuration…

Requirement: 1.3.5 Permit only “established” connections into the network

Testing Procedure: 1.3.5 Examine firewall and router configurations to verify that the firewall permits only established connections into the internal network and denies any inbound connections not associated with a previously established session.

Guidance: A firewall that maintains the "state" (or the status) for each connection through the firewall knows whether an apparent response to a previous connection is actually a valid, authorized response (since it retains each connection’s status) or is malicious traffic trying to trick the firewall into allowing the connection.
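As an added example (not from the presentation) of what requirement 1.3.5's "established connections only" behaviour means in practice: a toy stateful firewall beside the older stateless "pass anything that is not a bare SYN" rule, showing that only the stateful one drops a forged reply to a session nobody inside opened. All addresses and ports are constructed.

```python
# Added example (not from the slides): a toy model of PCI DSS 1.3.5,
# "permit only 'established' connections into the network". All addresses
# and ports below are constructed for the demonstration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str       # source IP
    sport: int     # source port
    dst: str       # destination IP
    dport: int     # destination port
    flags: str     # "SYN", "SYN-ACK" or "ACK"
    inbound: bool  # True when the packet arrives from the untrusted side

def stateless_filter(pkt):
    """Old-style 'established' rule: pass any inbound packet that is not a bare SYN.
    This trusts anything that merely looks like a reply, which is the weakness
    the PCI guidance describes."""
    return "DROP" if pkt.inbound and pkt.flags == "SYN" else "ACCEPT"

class StatefulFirewall:
    """Tracks sessions opened from inside and admits inbound packets only for those."""
    def __init__(self):
        # connection table: (internal ip, internal port, external ip, external port)
        self.sessions = set()

    def filter(self, pkt):
        if not pkt.inbound:
            if pkt.flags == "SYN":  # the inside opens a new session
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags != "SYN" and key in self.sessions:
            return "ACCEPT"  # genuine reply to a session we are tracking
        return "DROP"        # unsolicited SYN, or a forged "reply" to an unknown session

def run_scenario():
    """Return (stateless decisions, stateful decisions) for four constructed packets."""
    fw = StatefulFirewall()
    packets = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 443, "SYN", False),     # 1: inside -> web server
        Packet("203.0.113.10", 443, "10.0.0.5", 40000, "SYN-ACK", True),  # 2: the real reply
        Packet("198.51.100.7", 5555, "10.0.0.5", 22, "SYN", True),        # 3: unsolicited inbound SYN
        Packet("198.51.100.7", 443, "10.0.0.9", 40001, "SYN-ACK", True),  # 4: forged reply, no session
    ]
    return ([stateless_filter(p) for p in packets], [fw.filter(p) for p in packets])
```

Packet 4 is the case the guidance warns about: the stateless rule accepts it because it carries reply flags, while the stateful table has no matching session and denies it.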


24

PCI DSS…technical gobbledygook?

Validation Reqmt depends on Merchant Level

Merchant Level   Trx Level            Validation Requirement
1                >6M trx/yr           Annual ROC by a QSA & Qtrly n/w scan by approved vendor
2                1M ↔ 6M trx/yr       Annual Self‐Assessment (SAQ) & Qtrly n/w scan . . .
3                20,000 ↔ 1M trx/yr   same
4                <20,000 trx/yr       same


25

PCI DSS…technical gobbledygook?

What’s in a RoC?

If satisfactory, Attestation of Compliance (AoC)

Similar to an external audit…
  Assimilate PCI‐related policies & procedures
  Amass
  • Documentation,
  • Configuration Stds & Reports,
  • Penetration (aka ‘pen’) Test & Scan Results,
  • Confirmation of controls,
  • Etc.

26

Compliant ≠ Secure? …that seems odd?

27

Compliant ≠ Secure?

1. Reconnaissance

2. Get someone to give you keys

3. Exploit vulnerabilities (quietly)

4. Don’t stay long

…that seems odd?

Review of Target’s Breach


28

Compliant ≠ Secure?

1. Reconnaissance

Microsoft case study of Target’s servers

Target’s online list of supplier/vendors

Google + metadata → Naming Convention

…that seems odd?

(none of which are addressed by PCI DSS)

29

Compliant ≠ Secure?

2. Get someone to give you keys

HVAC Co. used free anti‐malware

Unclear if HVAC Co. access was still needed

HVAC Co. was from PA;  Hackers: Russia

…that seems odd?

(neither specific anti‐malware software nor context‐based security is addressed by PCI DSS)

30

Compliant ≠ Secure?

3. Exploit vulnerabilities (quietly)

Admin logins weren’t monitored

Creation of new VMs wasn’t monitored

Network‐to‐network traffic was allowed

…that seems odd?

(okay… PCI DSS should have caught these)


31

Compliant ≠ Secure?

4. Don’t stay long

No alert re: changes made to POS server

Traffic from a new server not monitored

Alerts from security vendor ignored

…that seems odd?

(damages could have been minimized)
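The monitoring gaps listed on the two slides above (admin logins and VM creation that nobody watched, vendor alerts that went unacknowledged), turned into simple detections over constructed log lines. This is an added example, not from the presentation; the key=value log format, field names and sample events are assumptions made for the demonstration.

```python
# Added example (not from the slides): the monitoring gaps named on the two
# slides above, expressed as simple detections over constructed log lines.
# The key=value format, field names and events are assumptions for the demo.
import re

# Constructed sample events: a third-party account logging in as admin,
# a new VM being created, and two vendor alerts of which only one is acknowledged.
SAMPLE_LOG = """\
ts=2013-11-15T02:10:00Z type=login user=vendor_hvac role=admin host=corp-app01
ts=2013-11-15T02:12:30Z type=vm_create user=vendor_hvac vm=srv-new-17 host=corp-vh03
ts=2013-11-15T02:20:00Z type=login user=jdoe role=user host=corp-app02
ts=2013-11-27T03:05:00Z type=vendor_alert id=A-1001 severity=high detail=malware.binary
ts=2013-11-27T03:06:00Z type=vendor_alert id=A-1002 severity=high detail=malware.binary
ts=2013-11-27T09:00:00Z type=alert_ack id=A-1001 analyst=oncall
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))

def detect(log_text):
    """Return a list of (rule, detail) findings for the whole log."""
    findings = []
    alerts, acked = {}, set()
    for line in log_text.splitlines():
        ev = parse(line)
        kind = ev.get("type")
        if kind == "login" and ev.get("role") == "admin":
            # Req. 10: every administrative login gets tracked and reviewed.
            findings.append(("admin_login", f"{ev['user']} on {ev['host']}"))
        elif kind == "vm_create":
            # A new VM appearing in the environment is a change worth alerting on.
            findings.append(("new_vm", f"{ev['vm']} created by {ev['user']}"))
        elif kind == "vendor_alert":
            alerts[ev["id"]] = ev
        elif kind == "alert_ack":
            acked.add(ev["id"])
    # An alert that was raised but never acknowledged is the "alerts ignored" case.
    for alert_id, ev in alerts.items():
        if alert_id not in acked:
            findings.append(("unacknowledged_alert",
                             f"{alert_id} {ev['severity']} {ev['detail']}"))
    return findings
```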

32

Can we ensure both? PCI Compliance & Secure

Secure [si‐kyoo r]
  free from or not exposed to danger or harm.
  free from care; without anxiety.

Like compliance & auditing, “secure” is a point in time

Security is a continuous‐improvement process (not a project)

33

PCI Compliance & Secure

• InfoSec Frameworks are great
  But… don’t treat like a checklist
  Consider them as “baseline”

• It’s all about Risk Management!
  Requires continuous assessments and regular adjustments

Can we ensure both?


34

PCI Compliance & Secure

• Annual Assessments have gone the way of . . .

Can we ensure both?

35

A compliant & “secure” system today may be identified as having a multitude of exploitable vulnerabilities tomorrow

PCI Compliance & Secure

• Systems and network complexity
• Warrant continuous updates & patching
• Which, in turn, introduce uncertainty & increase risk

Can we ensure both?

36

PCI Compliant…but are we secure?

Re‐cap

• Using Target Dept Store’s breach as a backdrop

Better understanding of “PCI Compliance”

Kinda understand why PCI Compliance ≠ Secure

See the need for eternal vigilance


37

…but are we secure?

PCI Compliant

Questions? Discussion?

38

…but are we secure?

PCI Compliant

www.pciSecurityStandards.org

www.sans.org/critical‐security‐controls

39

Michael Carr, JD, CISSP, CIPP
Chief Information Security Officer
University of Kentucky
June 2016

Thank You