SAQ D Compliance
Scott St. Aubin
Senior Security Consultant
QSA, CISM, CISSP
Ground Rules
• WARNING: Potential Death by PowerPoint
• Interaction
  – Get clarification
  – Share your institution’s questions, challenges, and solutions
  – What have you learned along the way?
SAQ D Compliance Key Points
• Remediation Strategies Recap
• Applying the Requirements
• Requirements Discussion
Remediation Strategies Recap
• Preliminary Steps
  – Review PCI activities to minimize CHD and simplify business processes
    • Can you move to a SAQ C or even a SAQ B?
  – Outsource PCI activities
  – Use compliant payment applications
    • Compliant as SAQ C or SAQ D?
• Segmentation
Remediation Strategies Recap
• Prioritized Approach
  – Remove sensitive authentication data and limit data retention
  – Protect the perimeter, internal, and wireless networks
  – Secure payment card applications
  – Monitor and control access to your systems
  – Protect stored cardholder data
  – Finalize remaining compliance efforts, and ensure all controls are in place
Applying the Requirements
• Each Requirement is Unique
• Interpretations
• Compensating Controls
  – What are they?
  – When / how can they be used?
• Costs
  – Open-source solutions should be available
Requirement 1: Install and maintain a firewall configuration to protect CHD
• At each Internet connection AND between the DMZ and internal network
• Which devices should be in the PCI Island?
  – Jump host for administrators
• Are VLANs and ACLs sufficient? Maybe.
• Network Traffic Access Control: Minimized, Documented, and Proxied (inbound and outbound)
Requirement 1: Install and maintain a firewall configuration to protect CHD
• Misc
  – Review ACL rules every six months
  – RFC 1918 – private IP addresses
  – Change management
  – Current network diagram
    • Include systems/areas that handle CHD
• Cost
  – New firewall if necessary
Requirement 2: Do not use vendor-supplied defaults blah blah blah… HARDEN YOUR SYSTEMS
• Develop configuration standards
  – Center for Internet Security (cisecurity.org)
    • Level 1 vs. Level 2
  – National Institute of Standards and Technology / NIST (nist.gov)
  – SysAdmin, Audit, Network, Security / SANS (sans.org)
Requirement 2: Do not use vendor-supplied defaults blah blah blah… HARDEN YOUR SYSTEMS
• Wireless
  – Strong Encryption
    • WPA/WPA2
    • NOT WEP (prohibited after June 30th)
  – One function per server
    • What about virtualization?
• Cost
  – Additional systems to meet ‘one function’ requirement
Requirement 3: Protect stored CHD
• Most of the requirement can be met by using compliant software
• It may be impossible / infeasible to verify requirements on non-compliant software
• Potential to use a compensating control
• Institution must create a data retention and disposal policy
• Cost
  – Compliant software or compensating control
Requirement 4: Encrypt transmission of CHD across open, public networks
• Encrypted CHD is still CHD
  – Exception: when there is no way to decrypt the data at the facility (e.g. public keys)
• Use strong cryptography and protocols
• Do not use end-user messaging technologies to send unencrypted PANs
  – E.g. e-mail, IM, chat
  – Effective solutions may differ, depending on the number of individuals impacted
    • Small org – policy may be sufficient
    • Large org – policy and technology may be necessary for enforceability
Requirement 6: Develop and maintain secure systems and applications
• Apply critical patches within one month of release
• Process to identify newly discovered vulnerabilities AND update configuration standards
• Change control process
  – Document impact
  – Management sign-off
  – Testing of operational functionality
  – Back-out procedures
Requirement 5: Use and regularly update anti-virus software or programs
• It’s not just anti-virus… you must address all known types of malware
• Required on “All systems commonly affected by malicious software”
  – Windows: yes
  – Linux/Mac: no… at least not right now
• Automatic updates, “periodic” scans, logs generated
• Cost
Requirement 6: Develop and maintain secure systems and applications
• Public-facing web apps – options
  – Evaluate annually
    • By an organization that specializes in application security
    • Either internal or external organization
    • Must be independent and qualified
  – Protect by a web-application firewall
• Cost
  – Patch management software
  – Web-app assessment or firewall
Requirement 7: Restrict access to CHD by business need-to-know
• Role-based access control
  – Access is assigned based on job function
  – Least privileges needed for job responsibilities
• Signed authorization form
• Automated system to enforce privileges
  – Default deny-all
• Cost
Requirement 8: Assign a unique ID to each person with computer access
• Unique ID and password / passphrase / 2nd factor
  – No group, shared, or generic accounts
    • Including administrators
• Proper management of user IDs
  – Authorization forms for add, delete, modify
  – Verify identity prior to password resets
  – Unique first-time passwords
  – Immediately revoke access for terminated users
  – Remove / disable inactive accounts (90 days max)
Requirement 8: Assign a unique ID to each person with computer access
• Remote access
  – Off-campus, not off-VLAN
  – Two-factor authentication required for access to network
    • RADIUS / TACACS with tokens
    • VPN with individual certificates
• Costs
  – Two-factor authentication solution
Requirement 8: Assign a unique ID to each person with computer access
• Proper management of user IDs (cont)
  – Maintenance accounts only enabled when needed
  – Passwords
    • Required change every 90 days, minimum of 7 characters, alpha-numeric
    • Disallow last four passwords
    • Account lockout after no more than six attempts, locked out for 30 minutes
    • Authentication required after 15 minutes of inactivity
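The password-composition, history and lockout rules on this slide, written out as an added example (not code from the presentation or from NetSPI); the Account class, the digest helper and the rule strings are assumptions made for the illustration, and the 90-day change and 15-minute idle rules are left out to keep the block short.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Policy parameters as stated on the Requirement 8 slides.
MIN_LENGTH = 7
HISTORY_DEPTH = 4                  # disallow the last four passwords
MAX_FAILED_ATTEMPTS = 6            # lock out after no more than six attempts
LOCKOUT_DURATION = timedelta(minutes=30)

def digest(password):
    # SHA-256 keeps the example short; a real credential store uses a slow password hash.
    return hashlib.sha256(password.encode()).hexdigest()

def password_violations(candidate, history):
    """Rules a proposed password breaks (empty list = acceptable).
    `history` holds digests of earlier passwords, most recent last."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 7 characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        problems.append("must contain both letters and digits")
    if digest(candidate) in history[-HISTORY_DEPTH:]:
        problems.append("matches one of the last four passwords")
    return problems

class Account:
    """Lockout bookkeeping for a single, non-shared user ID (hypothetical class)."""
    def __init__(self, password):
        self.history = [digest(password)]   # current password is the last entry
        self.failed = 0
        self.locked_until = None

    def login(self, password, now):
        """Return 'locked', 'bad password' or 'ok' for an attempt made at `now`."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        if digest(password) != self.history[-1]:
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:          # sixth failure locks
                self.locked_until, self.failed = now + LOCKOUT_DURATION, 0
            return "bad password"
        self.failed = 0
        return "ok"

    def change_password(self, new_password):
        problems = password_violations(new_password, self.history)
        if not problems:
            self.history.append(digest(new_password))
        return problems
```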
Requirement 9: Restrict physical access to CHD
• Facility entry controls to access CHD
  – Badge readers, lock/key
  – Video camera or other device to monitor INDIVIDUAL access – retained for three months
  – Restrict access to publicly accessible network jacks, access points, gateways, handheld devices, etc. (in CHD environment)
Requirement 9: Restrict physical access to CHD
• Distinguish between employees and visitors
  – Authorized prior to entering CHD area
  – Identification as a non-employee
  – Visitor log retained for three months
• Off-site backups are stored securely
• Paper and electronic media physically secured
Requirement 9: Restrict physical access to CHD
• Maintain strict control over media with CHD
  – Classified
  – Media sent off-site is authorized by management, sent by secure courier, and tracked
  – Inventory media at least annually
• Properly destroyed when no longer needed
• Cost
  – Facility access controls, physical storage
Requirement 10: Track and monitor all access to network resources and CHD
• Audit trails – log the following:
  – Individual access to CHD
  – All actions taken by individuals with root/administrative privileges
  – Access to all audit trails
  – Invalid logical access attempts
  – Use of identification and authentication mechanisms
  – Initialization of the audit logs
  – Creation and deletion of system-level objects
Requirement 10: Track and monitor all access to network resources and CHD
• Detail required for each event:
  – User ID
  – Type of event
  – Date/Time
  – Success/Failure
  – Origin of event
  – Identity or name of affected data, system component, or resource
Requirement 10: Track and monitor all access to network resources and CHD
• Log Management Requirements
  – All critical system clocks and times are synchronized
  – Secure audit trails so they cannot be altered
  – Review logs at least daily (e.g. IDS, AAA). Tools may be used!!
  – Retain at least one year of history – three months immediately available for analysis
• Costs
  – Centralized logging system, storage space, monitoring tools
Requirement 11: Regularly test security systems and processes
• Wireless
  – Test quarterly for rogue access points (NetStumbler, Kismet, etc.); or
  – Deploy a wireless IDS/IPS
• IDS/IPS
  – Monitoring in the PCI Island
  – Configured to alert on suspected compromises
Requirement 11: Regularly test security systems and processes
• Network Vulnerability Scans
  – Internal
    • Quarterly and after significant changes
    • Can be performed by internal staff
  – External
    • Quarterly and after significant changes
    • Quarterly scans must be performed by an Approved Scanning Vendor (ASV) qualified by the PCI SSC
    • Scans after changes can be performed by internal staff
Requirement 11: Regularly test security systems and processes
• Network Penetration Tests
  – External and internal tests required
  – Annually and after significant changes
  – Network layer and application layer
  – Can use a qualified internal resource or third party; must be organizationally independent
• File Integrity Monitoring
  – Alert personnel to unauthorized changes of system files, configuration files, content
  – Perform comparisons at least weekly
• Costs
  – Wireless IDS/IPS, IDS/IPS, ASV Scans, Pen-tests, FIM
Requirement 12: Maintain a policy that addresses information security for employees and contractors
• Technical Guideline (Draft) includes items that can be centralized
• Institutions must create policies and procedures
  – Complete an annual risk assessment
  – Document information security responsibilities
    • Establishing, documenting, and distributing security policies and procedures
    • Monitoring, analyzing, and distributing security alerts and information
    • Create an Incident Response Plan (Template available)
    • Administrative accounts
    • Access to data
Requirement 12: Maintain a policy that addresses information security for employees and contractors
• Institutions must create policies and procedures (cont)
  – Awareness training
  – Signed acknowledgements of security policies
  – Conduct background checks for anyone that has access to more than one credit card number at a time
  – Maintain a list of computer devices and personnel with access
    • Label with owner, contact information, and purpose
Requirement 12: Maintain a policy that addresses information security for employees and contractors
• Service provider management
  – List of providers
  – Acknowledgement of responsibilities for PCI data
  – Due diligence prior to engagement
  – Monitor PCI DSS compliance
• Costs
Summary
• Remediation Strategies Recap
• Applying the Requirements
• Requirements Discussion
Questions for the QSA?
NetSPI
800 Washington Avenue North
Suite 670
Minneapolis, Minnesota 55401
Direct: 612-695-0661
www.netspi.com