SAQ D Compliance
Scott St. Aubin, Senior Security Consultant, QSA, CISM, CISSP

Ground Rules
• WARNING: Potential Death by PowerPoint
• Interaction
  – Get clarification
  – Share your institution's questions, challenges, and solutions
  – What have you learned along the way?

SAQ D Compliance: Key Points
• Remediation Strategies Recap
• Applying the Requirements
• Requirements Discussion

Remediation Strategies Recap
• Preliminary steps
  – Review PCI activities to minimize CHD (cardholder data) and simplify business processes
    • Can you move to a SAQ C or even a SAQ B?
  – Outsource PCI activities
  – Use compliant payment applications
    • Compliant as SAQ C or SAQ D?
• Segmentation

Remediation Strategies Recap
• Prioritized Approach
  – Remove sensitive authentication data and limit data retention
  – Protect the perimeter, internal, and wireless networks
  – Secure payment card applications
  – Monitor and control access to your systems
  – Protect stored cardholder data
  – Finalize remaining compliance efforts, and ensure all controls are in place

Applying the Requirements
• Each requirement is unique
• Interpretations
• Compensating controls
  – What are they?
  – When / how can they be used?
• Costs
  – Open-source solutions should be available

Requirement 1: Install and maintain a firewall configuration to protect CHD
• At each Internet connection AND between the DMZ and the internal network
• Which devices should be in the PCI island?
  – Jump host for administrators
• Are VLANs and ACLs sufficient? Maybe.
• Network traffic access control: minimized, documented, and proxied (inbound and outbound)

Requirement 1 (cont)
• Misc
  – Review ACL rules every six months
  – RFC 1918 private IP addresses
  – Change management
  – Current network diagram
    • Include systems/areas that handle CHD
• Cost
  – New firewall if necessary

Requirement 2: Do not use vendor-supplied defaults… blah blah blah… HARDEN YOUR SYSTEMS
• Develop configuration standards
  – Center for Internet Security (cisecurity.org)
    • Level 1 vs. Level 2 benchmarks
  – National Institute of Standards and Technology / NIST (nist.gov)
  – SysAdmin, Audit, Network, Security / SANS (sans.org)

Requirement 2 (cont)
• Wireless: strong encryption
  – WPA/WPA2
  – NOT WEP (prohibited after June 30, 2010)
• One primary function per server
  – What about virtualization?
• Cost
  – Additional systems to meet the 'one function' requirement

Requirement 3: Protect stored CHD
• Most of the requirement can be met by using compliant software
• It may be impossible / infeasible to verify the requirements on non-compliant software
• Potential to use a compensating control
• The institution must create a data retention and disposal policy
• Cost
  – Compliant software or compensating control

Requirement 4: Encrypt transmission of CHD across open, public networks
• Encrypted CHD is still CHD
  – Exception: when the institution has no way to decrypt the data (e.g. data encrypted to a public key whose private key is held elsewhere)
• Use strong cryptography and protocols
• Do not use end-user messaging technologies to send unencrypted PANs
  – E.g. e-mail, IM, chat
  – Effective solutions may differ, depending on the number of individuals impacted
    • Small org: policy may be sufficient
    • Large org: policy and technology may be necessary for enforceability

Requirement 5: Use and regularly update anti-virus software or programs
• It's not just anti-virus… you must address all known types of malware
• Required on "all systems commonly affected by malicious software"
  – Windows: yes
  – Linux/Mac: no… at least not right now
• Automatic updates, "periodic" scans, logs generated
• Cost

Requirement 6: Develop and maintain secure systems and applications
• Apply critical patches within one month of release
• Process to identify newly discovered vulnerabilities AND update configuration standards
• Change control process
  – Document impact
  – Management sign-off
  – Testing of operational functionality
  – Back-out procedures

Requirement 6 (cont)
• Public-facing web apps: options
  – Evaluate annually
    • By an organization that specializes in application security
    • Either an internal or an external organization
    • Must be independent and qualified
  – Protect with a web-application firewall
• Cost
  – Patch management software
  – Web-app assessment or firewall

Requirement 7: Restrict access to CHD by business need-to-know
• Role-based access control
  – Access is assigned based on job function
  – Least privileges needed for job responsibilities
• Signed authorization form
• Automated system to enforce privileges
  – Default deny-all
• Cost

Requirement 8: Assign a unique ID to each person with computer access
• Unique ID and password / passphrase / 2nd factor
  – No group, shared, or generic accounts
    • Including administrators
• Proper management of user IDs
  – Authorization forms for add, delete, modify
  – Verify identity prior to password resets
  – Unique first-time passwords
  – Immediately revoke access for terminated users
  – Remove / disable inactive accounts (90 days max)

Requirement 8 (cont)
• Remote access
  – Off-campus, not off-VLAN
  – Two-factor authentication required for access to the network
    • RADIUS / TACACS with tokens
    • VPN with individual certificates
• Costs
  – Two-factor authentication solution

Requirement 8 (cont)
• Proper management of user IDs (cont)
  – Maintenance accounts only enabled when needed
  – Passwords
    • Required change every 90 days, minimum of 7 characters, alpha-numeric
    • Disallow reuse of the last four passwords
    • Account lockout after no more than six attempts, locked out for 30 minutes
    • Re-authentication required after 15 minutes of inactivity

Requirement 9: Restrict physical access to CHD
• Facility entry controls for areas with CHD
  – Badge readers, lock/key
  – Video camera or other device to monitor INDIVIDUAL access; recordings retained for three months
  – Restrict access to publicly accessible network jacks, access points, gateways, handheld devices, etc. (in the CHD environment)

Requirement 9 (cont)
• Distinguish between employees and visitors
  – Authorized prior to entering the CHD area
  – Identified as a non-employee
  – Visitor log retained for three months
• Off-site backups are stored securely
• Paper and electronic media physically secured

Requirement 9 (cont)
• Maintain strict control over media with CHD
  – Classified
  – Media sent off-site is authorized by management, sent by secure courier, and tracked
  – Inventory media at least annually
  – Properly destroyed when no longer needed
• Cost
  – Facility access controls, physical storage

Requirement 10: Track and monitor all access to network resources and CHD
• Audit trails: log the following
  – Individual access to CHD
  – All actions taken by individuals with root/administrative privileges
  – Access to all audit trails
  – Invalid logical access attempts
  – Use of identification and authentication mechanisms
  – Initialization of the audit logs
  – Creation and deletion of system-level objects

Requirement 10 (cont)
• Detail required for each event:
  – User ID
  – Type of event
  – Date/time
  – Success/failure
  – Origin of event
  – Identity or name of affected data, system component, or resource

Requirement 10 (cont)
• Log management requirements
  – All critical system clocks and times are synchronized
  – Secure audit trails so they cannot be altered
  – Review logs at least daily (e.g. IDS, AAA). Tools may be used!!
  – Retain at least one year of history; three months immediately available for analysis
• Costs
  – Centralized logging system, storage space, monitoring tools

Requirement 11: Regularly test security systems and processes
• Wireless
  – Test quarterly for rogue access points (NetStumbler, Kismet, etc.); or
  – Deploy a wireless IDS/IPS
• IDS/IPS
  – Monitoring in the PCI island
  – Configured to alert on suspected compromises

Requirement 11 (cont)
• Network vulnerability scans
  – Internal
    • Quarterly and after significant changes
    • Can be performed by internal staff
  – External
    • Quarterly and after significant changes
    • Quarterly scans must be performed by an Approved Scanning Vendor (ASV) qualified by the PCI SSC
    • Scans after changes can be performed by internal staff

Requirement 11 (cont)
• Network penetration tests
  – External and internal tests required
  – Annually and after significant changes
  – Network layer and application layer
  – Can use a qualified internal resource or a third party; must be organizationally independent
• File integrity monitoring
  – Alert personnel to unauthorized changes of system files, configuration files, and content
  – Perform comparisons at least weekly
• Costs
  – Wireless IDS/IPS, IDS/IPS, ASV scans, pen-tests, FIM

Requirement 12: Maintain a policy that addresses information security for employees and contractors
• Technical Guideline (Draft) includes items that can be centralized
• Institutions must create policies and procedures
  – Complete an annual risk assessment
  – Document information security responsibilities
    • Establishing, documenting, and distributing security policies and procedures
    • Monitoring, analyzing, and distributing security alerts and information
    • Create an Incident Response Plan (template available)
    • Administrative accounts
    • Access to data

Requirement 12 (cont)
• Institutions must create policies and procedures (cont)
  – Awareness training
  – Signed acknowledgements of security policies
  – Conduct background checks for anyone who has access to more than one credit card number at a time
  – Maintain a list of computer devices and personnel with access
    • Label with owner, contact information, and purpose

Requirement 12 (cont)
• Service provider management
  – List of providers
  – Acknowledgement of responsibilities for PCI data
  – Due diligence prior to engagement
  – Monitor PCI DSS compliance
• Costs

Summary
• Remediation Strategies Recap
• Applying the Requirements
• Requirements Discussion

Questions for the QSA?
NetSPI
800 Washington Avenue North, Suite 670
Minneapolis, Minnesota 55401
Direct: 612-695-0661
[email protected]
www.netspi.com
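Worked example for the Requirement 8 password and lockout rules above. This is an added example, not part of the original presentation: the thresholds are the ones on the slides, while the account record, the injected clock and the unsalted SHA-256 used for the password history are simplifications assumed for the demo. The two behaviours worth checking in any real implementation are shown explicitly: a locked account rejects even the correct password until the 30 minutes have elapsed, and the history check counts the current password as one of the "last four".

```python
"""Requirement 8 authentication policy, modelled as a small state machine.

Added example; values are the ones on the Requirement 8 slides.  The account
store, clock injection and the unsalted hash are simplifications for the demo.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 7                          # minimum of 7 characters
PASSWORD_HISTORY = 4                    # disallow the last four passwords
MAX_FAILED_ATTEMPTS = 6                 # lock after no more than six attempts
LOCKOUT_DURATION = timedelta(minutes=30)
IDLE_TIMEOUT = timedelta(minutes=15)    # re-authenticate after 15 idle minutes
MAX_PASSWORD_AGE = timedelta(days=90)   # change every 90 days
INACTIVE_ACCOUNT_AGE = timedelta(days=90)


def _hash(password: str) -> str:
    # Unsalted SHA-256 keeps the example short.  A real system compares against
    # its stored salted, slow hashes (bcrypt, scrypt, PBKDF2) instead.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    user_id: str
    password_hashes: list[str] = field(default_factory=list)  # oldest first
    password_set_at: datetime | None = None
    failed_attempts: int = 0
    locked_until: datetime | None = None
    last_activity: datetime | None = None


def password_meets_policy(candidate: str, history: list[str]) -> tuple[bool, str]:
    """Length, alpha-numeric mix, and no reuse of the last four passwords."""
    if len(candidate) < MIN_LENGTH:
        return False, "shorter than 7 characters"
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        return False, "must contain both letters and digits"
    if _hash(candidate) in history[-PASSWORD_HISTORY:]:
        return False, "matches one of the last four passwords"
    return True, "ok"


def set_password(acct: Account, new_password: str, now: datetime) -> tuple[bool, str]:
    ok, reason = password_meets_policy(new_password, acct.password_hashes)
    if not ok:
        return False, reason
    acct.password_hashes.append(_hash(new_password))
    acct.password_hashes = acct.password_hashes[-PASSWORD_HISTORY:]  # keep last four
    acct.password_set_at = now
    return True, "ok"


def login(acct: Account, password: str, now: datetime) -> str:
    """Returns 'locked', 'invalid', 'expired' or 'ok'.

    A locked account rejects even the correct password until the 30-minute
    lockout has elapsed; only then is the failure counter reset.
    """
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until = None
        acct.failed_attempts = 0
    if not acct.password_hashes or _hash(password) != acct.password_hashes[-1]:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "invalid"
    acct.failed_attempts = 0
    acct.last_activity = now
    if acct.password_set_at is None or now - acct.password_set_at > MAX_PASSWORD_AGE:
        return "expired"  # authenticated, but a password change must be forced
    return "ok"


def session_request(acct: Account, now: datetime) -> str:
    """Each request within a session: 'reauth' once idle for more than 15 minutes."""
    if acct.last_activity is None or now - acct.last_activity > IDLE_TIMEOUT:
        return "reauth"
    acct.last_activity = now
    return "ok"


def is_inactive(acct: Account, now: datetime) -> bool:
    """Accounts unused for more than 90 days should be removed or disabled."""
    return acct.last_activity is None or now - acct.last_activity > INACTIVE_ACCOUNT_AGE
```

Run it by constructing an Account, calling set_password, then driving login and session_request with a datetime you advance by hand; the injected clock is what makes the 30-minute lockout and 15-minute idle rules testable without waiting.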
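Worked example for the Requirement 10 slides above (audit trail contents, the six details required per event, and daily review with tools). This is an added example, not part of the original presentation. The log lines are constructed in the syslog style that OpenSSH and sudo produce; the host name, addresses, user and commands are invented, and the year is assumed because traditional syslog timestamps carry none. The review uses the Requirement 8 lockout figure (six attempts) as its threshold for repeated invalid logical access attempts, and separately flags privileged commands that read the audit trail itself.

```python
"""Requirement 10 log review over constructed auth log lines (added example).

Normalises each line into the six details Requirement 10 asks for, then flags
two review items: repeated invalid logical access attempts and administrative
actions that touch the audit trail itself.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines; host, addresses, user and commands are invented.
SAMPLE_LINES = [
    "Jan 14 09:12:01 pos-db1 sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2",
    "Jan 14 09:12:03 pos-db1 sshd[2012]: Failed password for jdoe from 203.0.113.5 port 51023 ssh2",
    "Jan 14 09:12:04 pos-db1 sshd[2013]: Failed password for jdoe from 203.0.113.5 port 51024 ssh2",
    "Jan 14 09:12:06 pos-db1 sshd[2014]: Failed password for jdoe from 203.0.113.5 port 51025 ssh2",
    "Jan 14 09:12:07 pos-db1 sshd[2015]: Failed password for jdoe from 203.0.113.5 port 51026 ssh2",
    "Jan 14 09:12:09 pos-db1 sshd[2016]: Failed password for jdoe from 203.0.113.5 port 51027 ssh2",
    "Jan 14 09:12:11 pos-db1 sshd[2017]: Failed password for jdoe from 203.0.113.5 port 51028 ssh2",
    "Jan 14 09:12:20 pos-db1 sshd[2020]: Accepted publickey for jdoe from 10.10.5.4 port 40110 ssh2",
    "Jan 14 09:13:02 pos-db1 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/cat /var/log/auth.log",
    "Jan 14 09:13:40 pos-db1 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/service mysql restart",
    "Jan 14 09:14:00 pos-db1 CRON[3001]: (root) CMD (run-parts /etc/cron.hourly)",
]

SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSHD_AUTH = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
SUDO_CMD = re.compile(
    r"^\s*(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


@dataclass(frozen=True)
class AuditEvent:
    """The six details Requirement 10 requires for every logged event."""
    user_id: str
    event_type: str
    timestamp: datetime
    success: bool
    origin: str      # source address, or host:tty for local privileged actions
    resource: str    # affected system component or command


def parse_line(line: str, year: int = 2010) -> AuditEvent | None:
    """Normalise one syslog line; None for formats this reviewer does not know."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year assumed
    host, prog, msg = m["host"], m["prog"], m["msg"]
    if prog == "sshd" and (a := SSHD_AUTH.match(msg)):
        return AuditEvent(a["user"], "authentication", ts, a["result"] == "Accepted", a["ip"], host)
    if prog == "sudo" and (s := SUDO_CMD.match(msg)):
        return AuditEvent(s["user"], "privileged_command", ts, True, f"{host}:{s['tty']}", s["cmd"])
    return None


def review(lines: list[str], failure_threshold: int = 6) -> tuple[list[AuditEvent], list[str], int]:
    """Daily review pass: returns (events, findings, count of lines not normalised).

    Unparsed lines are reported because they are a gap in the audit trail, not noise.
    """
    events: list[AuditEvent] = []
    unparsed = 0
    for line in lines:
        e = parse_line(line)
        if e is None:
            unparsed += 1
        else:
            events.append(e)

    findings: list[str] = []
    failures: dict[tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e.event_type == "authentication" and not e.success:
            failures[(e.user_id, e.origin)] += 1
        if e.event_type == "privileged_command" and "/var/log" in e.resource:
            findings.append(f"admin access to audit trail: {e.user_id} ran {e.resource} via {e.origin}")
    for (user, ip), n in sorted(failures.items()):
        if n >= failure_threshold:
            findings.append(f"repeated invalid access attempts: {n} failures for {user} from {ip}")
    return events, findings, unparsed


if __name__ == "__main__":
    evts, found, skipped = review(SAMPLE_LINES)
    print(f"{len(evts)} events normalised, {skipped} lines not understood")
    for f in found:
        print("FINDING:", f)
```

Feed review() the lines collected centrally for the day; anything it cannot normalise should be treated as a parser gap to fix, since an event without user, origin or resource does not satisfy the detail list on the slide.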
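Worked example for the file integrity monitoring bullets under Requirement 11 above (alert on unauthorized changes to system files, configuration files and content; compare at least weekly). This is an added example, not part of the original presentation or any FIM product. The directory tree, file names and contents in demo() are constructed for the illustration; the baseline format (relative path to SHA-256, permission bits and size) is this example's own choice.

```python
"""File integrity monitoring: baseline and weekly comparison (added example).

Hashes every regular file under a root, records mode and size, and reports
added, removed and modified files relative to a stored baseline.  The
directory tree in demo() is constructed for this example.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, dict]:
    """Map of relative path -> {sha256, mode, size} for every regular file."""
    baseline: dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": hash_file(p),
            "mode": oct(st.st_mode & 0o7777),  # permission changes matter too
            "size": st.st_size,
        }
    return baseline


def compare(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list[str]]:
    """Differences that should page someone: new, missing or altered files."""
    old, new = set(baseline), set(current)
    modified = [
        k for k in sorted(old & new)
        if baseline[k]["sha256"] != current[k]["sha256"] or baseline[k]["mode"] != current[k]["mode"]
    ]
    return {"added": sorted(new - old), "removed": sorted(old - new), "modified": modified}


def demo() -> dict[str, list[str]]:
    """Builds a constructed config tree, baselines it, tampers, and compares."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "www").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "iptables.rules").write_text("-P INPUT DROP\n")
        (root / "www" / "checkout.php").write_text("<?php // payment page\n")

        # The baseline is serialised so it can be kept off-host and read-only;
        # an attacker who can rewrite the baseline can hide any change.
        stored = json.dumps(build_baseline(root), sort_keys=True)

        # Simulated unauthorised changes between two weekly comparisons.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "www" / "shell.php").write_text("<?php // unexpected new file\n")
        (root / "etc" / "iptables.rules").unlink()

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice build_baseline runs once after a system is hardened (Requirement 2) and again on the weekly schedule, with the stored baseline and the comparison itself kept on a system the monitored host cannot write to; the report's three lists are what feeds the alert to personnel.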