1 / 50

Surviving A PCI External Scan

Overview. Quick review of PCI compliancePCI -vs- COV ITRM standard SEC501-01What is

gus
Download Presentation

Surviving A PCI External Scan

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. Surviving A PCI External Scan Chris Harper Vice President, Technical Services

    2. Overview Quick review of PCI compliance PCI -vs- COV ITRM standard SEC501-01 What is “in-scope” The PCI scanning process Focus on common causes of failure Q&A This presentation will focus not on particular vulnerabilities – they come and go. It will focus on areas and common pitfalls that will consistently cause problems.This presentation will focus not on particular vulnerabilities – they come and go. It will focus on areas and common pitfalls that will consistently cause problems.

    3. The PCI Data Security Standard Published January 2005 Version 1.1 released Sept, 2006 Impacts ALL who process, transmit, or store cardholder data (Primary Account Number) Developed by MasterCard and Visa Endorsed by the other payment brands

    4. The Payment Card Industry Universe

    5. PCI DSS

    6. Where to Start What level of merchant are we? Which Self Assessment Questionnaire? What is in scope?

    7. Level 1 Merchant

    8. Level 2 Merchant

    9. Level 3 Merchant

    10. Level 4 Merchant

    11. Self Assessment Questionnaire v1.1 (SAQ)

    12. Self Assessment Questionnaire A E-commerce or mail/telephone-order transactions Do not store, process, or transmit any cardholder data - rely entirely on a third party to handle these functions Only paper reports or receipts with cardholder data are retained

    13. Self Assessment Questionnaire B Imprint machines are not connected to phone lines or the Internet Standalone, dial-out terminals (connected to phone lines) are not connected to any other systems or the Internet Retain only paper copies of receipts Do not store cardholder data in electronic format

    14. Self Assessment Questionnaire C The payment application system is on a personal computer that is connected to the Internet for browsing or to transmit cardholder data Payment application system and an Internet connection on the same device Payment application system/Internet device is not connected to any other systems within the environment Retain only paper reports or paper copies of receipts Do not store cardholder data in electronic format

    15. Self Assessment Questionnaire D Some sections pertaining to wireless networks and custom applications may be excluded

    16. Determining the Scope PCI DSS requirements apply to all system components that are included in or connected to the cardholder data environment The cardholder data environment is the part of the network that possesses cardholder data or sensitive authentication data, including network components, servers and applications

    17. Determining the Scope Networks can be segmented to reduce the scope: Physical segmentation between the segment handling cardholder data and other segments Appropriate logical segmentation where traffic is prohibited between the segment or network handling cardholder data and other networks or segments

    18. PCI DSS Highlights

    19. PCI DSS Highlights Requirement 1: Install and Maintain a Firewall

    20. PCI DSS Highlights Requirement 2: Do Not Use Vendor-supplied Defaults

    21. PCI DSS Highlights Requirement 3: Protect Stored Cardholder Data

    22. PCI DSS Highlights Requirement 4: Encrypt Transmission of Cardholder Data Across Public Networks

    23. PCI DSS Highlights Requirement 5: Use and Update Anti-Virus

    24. PCI DSS Highlights Requirement 6: Develop and Maintain Secure Systems and Applications

    25. PCI DSS Highlights Requirement 7: Implement Strong Access Control Measures

    26. PCI DSS Highlights Requirement 8: Assign a Unique ID to Each Person with Computer Access

    27. PCI DSS Highlights Requirement 9: Restrict Physical Access to Cardholder Data

    28. PCI DSS Highlights Requirement 10: Track and Monitor Access to Network Resources

    29. PCI DSS Highlights Requirement 11: Regularly Test Security Systems and Processes

    30. PCI DSS Highlights Requirement 12: Maintain Policy That Addresses Security for Employees and Contractors

    31. PCI Assessment Strategy Requirement 11: Regularly test security systems and processes 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. 11.3 Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification … These penetration tests must include the following: 11.3.1 Network-layer penetration tests 11.3.2 Application-layer penetration tests

    32. SEC501 Assessment Strategy 2.7 IT Security Audits 2.7.2 Requirements For each agency-owned IT system classified as sensitive, the agency shall: Require that the IT systems undergo an IT Security Audit as required by and in accordance with the IT Security Audit Standard (COV ITRM Standard SEC502-00). Assign an individual to be responsible for managing the IT Security Audits.

    33. PCI Scanning Process

    34. Quarterly Scan by ASV Clearly defined process – very little room for interpretation Strictly a “scan of vulnerabilities” – no manual probes or pen testing Results in a pass or fail – Passing reports are submitted to acquiring bank with SAQ

    35. The Scanning Process Select an ASV from the approved list https://www.pcisecuritystandards.org/pdfs/asv_report.html ASV procedures prohibit operational impact; also prohibit penetration or alteration of the customer environment Must be performed quarterly in accordance with PCI DSS Requirement 11.2

    36. The Scanning Process Define the network Provide the ASV with a list of all Internet-facing IP addresses and/or ranges Provide the ASV with a list of all domains

    37. The Scanning Process Make arrangements for IDS / IPS IDS / IPS must not impede the scanning process ASV provides source addresses to ignore / accept

    38. The Scanning Process The ASV probes the IP space for live devices and performs the scan – must include:

    39. The Scanning Process Follow each payment card company’s respective compliance reporting requirements Scan reports follow a common format, however, the results must be submitted according to payment card company’s requirements Contact the acquiring bank or check each payment card company’s regional web site to determine to whom results should be submitted

    40. Common Causes of Failure

    41. Ranking Vulnerabilities

    42. What Causes Failure? Issues often affect fully patched versions of “weak” security controls Features that are supported by the system, but not used Configuration / design choices do not meet PCI DSS requirements Fully patched: SSL Examples Supported not used: SMTP Auth Reconfiguration: Firewall Spoof ProtectionFully patched: SSL Examples Supported not used: SMTP Auth Reconfiguration: Firewall Spoof Protection

    43. Common Causes for Failure Example 1: Mail Server Accepts Plaintext Credentials Server accepts PLAIN or LOGIN as one of the AUTH parameters Many mail servers support this feature, however, requirement 8.4 says no

    44. Common Causes for Failure Example 2: SSL Encryption Strength Commonly found in most web servers, support for encryption ciphers with less than 128 bit key length will not fly Requirement 4.1 specifies strong encryption protocols (SSL v2 support is also not acceptable) Show of hands - Web Server? Show of hands - SSL encryption? Show of hands – fully patched? Show of hands – SSLv2 disabled? Show of hands - Web Server? Show of hands - SSL encryption? Show of hands – fully patched? Show of hands – SSLv2 disabled?

    45. Common Causes for Failure Example 3: Web Server Uses Plain-Text Form Based Authentication Remember requirement 8.4? Rule of thumb: if login is required, it must be encrypted (think about Telnet and FTP also)

    46. Common Causes for Failure Example 4: Predictable Session IDs Poor session handling in web applications can allow unauthorized access to data Requirement 6.5.3 requires proper authentication and session management coding techniques

    47. Common Causes for Failure Other Examples: IP spoof protection not configured on the firewall (requirement 1.3.2) SNMP Exposed with default community string (requirement 2.1)

    48. Understanding Your Scan Results PCI Scoring: Compliant or Non-Compliant False Positives

    49. (safe) Verification Techniques Is it a vulnerable version? – Scanners often make assumptions Does it add up? – is the vulnerable software available on the operating system you have confirmed, etc? Phone Call

    51. Questions / Follow-Up For more information, contact: Chris Harper charper@secure-enterprise.com Laurie Leigh lleigh@secure-enterprise.com Thank you for joining us today!

More Related