SECURELY ENABLING BUSINESS
PCI Data Security Standard 3.0: Training Strategies That Work
Presented by Doug Hall, May 20, 2014

AGENDA: PCI DSS 3.0 Training Strategies That Work
- PCI DSS 3.0 Overview
- PCI Training Identified (Requirements 6.5, 9.9.3, 12.6)
- Free PCI & Training Resources

PCI DATA SECURITY STANDARD
Why was PCI DSS developed? To enhance cardholder data security and facilitate the global adoption of consistent data security measures.
Who the standard applies to: all organizations that store, process or transmit cardholder data, including web, face-to-face store, and phone sales transactions.

WHO DEFINES COMPLIANCE?
PCI DSS is enforced by the founding members of the PCI Security Standards Council:
- American Express
- Discover Financial Services
- JCB International
- MasterCard Worldwide
- Visa

THE PCI DSS IS NOT NEW
The PCI DSS is a combined effort, using an open global forum, for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
Initial release: December 15, 2004
Latest update: November 2013

PCI DSS 3.0 HIGH LEVEL OVERVIEW
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
Source: https://www.pcisecuritystandards.org/security_standards/documents.php

DSS 3.0 CHANGE HIGHLIGHTS
- 84 changes from PCI DSS 2.0; all 12 sections affected
- Clarified responsibilities, requirements, and reporting
- Timing begins in 2014; some actions effective in 2015
- A new section provides business-as-usual (BAU) guidance for building security into everyday business activities to maintain ongoing PCI DSS compliance

DID YOU KNOW?
80% of malicious viruses are unintentionally brought into the corporate network by staff.
It has become important that we learn to protect our personal and business information daily. This is not a suggestion; it has become a way of life.

HOW DO THREATS ARRIVE?
- Mobile devices
- Social media
- Malware and GUIs

PCI TRAINING IDENTIFIED: PCI DSS Requirement 6.5
Address common coding vulnerabilities in software-development processes as follows:
- Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
- Develop applications based on secure coding guidelines.
Note: The vulnerabilities listed at through were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.
Testing Procedures
6.5.a Examine software-development policies and procedures to verify that training in secure coding techniques is required for developers, based on industry best practices and guidance.
6.5.b Interview a sample of developers to verify that they are knowledgeable in secure coding techniques.
6.5.c Examine records of training to verify that software developers received training on secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
6.5.d Verify that processes are in place to protect applications from, at a minimum, certain known vulnerabilities.

SOLUTION
FishNet Security offers a series of developer courses that meet this requirement:
- OWASP Top 10
- Java & .NET Secure Coding
- Application Security
- Web 2.0 Secure Coding
- Mobile Security
- Linux Secure Coding

APPLICATION SECURITY TRAINING
The Application Security course trains developers to modify, create and design safe and secure web-based applications by exploring eight common attacks that hackers use, which can result in fraud, theft, compromise of sensitive information or data destruction.

THE OWASP TOP 10
The OWASP Top 10 course explores what each attack is and how each works, with detailed examples of each attack. It also covers remediation steps and best practices that can be easily incorporated into everyday coding. The Open Web Application Security Project (OWASP) Top 10 regularly identifies the most frequent and dangerous security vulnerabilities that organizations deal with every day.

SECURE CODING
The Secure Coding curriculum is composed of eight modules in total (four .NET modules and four Java modules). Each module covers basic coding information in the first segment before diving deeper into language-specific content.

LINUX SECURITY
The Linux Security eLearning solution teaches how to get the most out of Linux systems. Written by Linux expert and author Ralph Bonnell, the training contains twelve chapters that cover security concepts, commands, strategies, and useful programs.

WEB 2.0 SECURE CODING
As HTML5 and other technologies become widely implemented and draw closer to maturity, attackers are focusing their attention on finding exploits in and attacking Web 2.0 services, technologies and languages. This program teaches developers how to avoid common pitfalls and follow best practices, in six courses.

MOBILE SECURITY TOP 11
In today's mobile environment, there is a drive for developers to quickly create mobile applications for a variety of devices. Developers must know how to secure both the application and the web services that power the app. This 1.5-hour course covers the important topics developers need to understand, regardless of platform or language.

PCI TRAINING IDENTIFIED: PCI DSS Requirement 9.9.3
Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:
- Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices
- Not installing, replacing, or returning devices without verification
- Being aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices)
- Reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer)
Testing Procedure 9.9.3.a
Review training materials for personnel at point-of-sale locations to verify they include training in the following:
- Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
- Do not install, replace, or return devices without verification.
- Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
- Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

SOLUTION
Uncover the tactics intruders use to gain access to the vital business data within the walls of your organization in the WORKPLACE SECURITY course:
1. How to Prevent Tailgating
2. Physical Security Awareness
3. Avoiding External Media (USB) Threats
4. How to Secure Your Work Area
5. Employee Office Guidelines

PCI TRAINING IDENTIFIED: PCI DSS Requirement 12.6
12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
- Educate personnel upon hire and at least annually. Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.
- Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
Testing Procedures
12.6.a Review the security awareness program to verify it provides awareness to all personnel about the importance of cardholder data security.
12.6.b Examine security awareness program procedures and documentation and perform the following:
  a. Verify that the security awareness program provides multiple methods of communicating awareness and educating personnel (for example, posters, letters, memos, web-based training, meetings, and promotions).
  b. Verify that personnel attend security awareness training upon hire and at least annually.
  c. Interview a sample of personnel to verify they have completed awareness training and are aware of the importance of cardholder data security.
- Verify that the security awareness program requires personnel to acknowledge, in writing or electronically, at least annually, that they have read and understand the information security policy.

SOLUTION
It is vital that all organizations train their entire workforce, with content aimed at general staff, programmers and executives, to protect information and meet compliance regulations.
Do you want to change behavior, or just check the compliance box?
Are you able to prove training compliance?

SECURITY AWARENESS TRAINING
FishNet Security has created interactive eLearning featuring CyberBOT to help any organization meet PCI compliance requirements, using focused training for all staff, including executives.
- 8 interactive training modules of 15 minutes or less
- Over 60 topics using over 50 interactions
- 19 scenarios based on real-world threats
Topics: Passwords; Malicious downloads; Mobile Security; Social Engineering; Workplace Security; Outside the Office; Social Media; Executives

SECURITY AWARENESS FOR EXECUTIVES
With access to more company systems and information, executives and managers are often targets of cyber attacks. This course is designed specifically to help executives recognize and avoid such attacks and prevent other cyber threats from impacting the workplace.

INTRODUCTION TO THE PCI
The Introduction to PCI eLearning course was created with everyone who interacts with credit or debit card data in mind. This includes everyone from cashiers to traveling sales staff to system administrators. The course concisely and clearly explains what the PCI is, how employees interact with its regulations, and the penalties for not complying.

PCI FOR CREDIT CARD HANDLERS
This multi-occupational, interactive security training course educates employees on credit card security, best practices and why it matters. Employees who handle customer credit cards on a daily basis can become an asset to security, rather than a liability.

PCI SCOPING
The PCI Scoping program guides your organization through the complicated requirements defined by the Payment Card Industry. It helps you understand how you fit within the PCI and covers the different roles and responsibilities of different entities, in 5 sections:
1. Defining and Storing Cardholder Data
2. Discovering Your Scope
3. Determining Your Entity Type
4. Determining Your Level
5. Choosing the Correct SAQ

THE PCI DSS
Made up of six principles and 12 requirements, the PCI DSS standards can be overwhelming to those not prepared. Managers, developers, system or network engineers and C-level executives need to understand exactly what the standards are and how they can meet each of them.

PCI EXECUTIVE WORKSHOP
Goal: To provide a high-level understanding of your company's PCI obligations.
This engagement typically focuses on three areas: PCI Awareness, Cardholder Data Environment Scope, and Key Controls Awareness/Compliance. Whether the QSA focuses on education, scope or a specific item, the QSA is also available to support the client's PCI compliance needs for the duration of the engagement.

PCI TRAINING IDENTIFIED: PCI DSS Requirements and Testing Procedures
Requirement: Designate specific personnel to be available on a 24/7 basis to respond to alerts.
Testing Procedure: Verify through observation, review of policies, and interviews of responsible personnel that designated personnel are available for 24/7 incident response and monitoring coverage for any evidence of unauthorized activity, detection of unauthorized wireless access points, critical IDS alerts, and/or reports of unauthorized critical system or content file changes.
Requirement: Provide appropriate training to staff with security breach response responsibilities.
Testing Procedure: Verify through observation, review of policies, and interviews of responsible personnel that staff with responsibilities for security breach response are periodically trained.

SOLUTION
An Incident Response course provides the knowledge you need to become incident-ready, while helping you plan to prevent incidents and stay a step ahead. The methodologies taught focus strongly on preparation and prevention, such as having the right people and tools in place, but also dig deeply into the proper response objectives.

6LABS
Providing free resources to help meet PCI compliance objectives:
- White papers
- Blogs
- Webinars

NEXT STEPS
Contact your Account Executive to arrange a no-obligation online demonstration of our eLearning curriculum and free 45-day access to our eLearning library.
NOTE: June 4, 2014: Fighting Today's Cybercrime, presented jointly by Voltage Security and FishNet Security.

THANK YOU
Doug Hall
Director, StS Training; Western Region
FishNet Security