Compliance Solu.ons with a Budget in Mind

Size: px

Start display at page:

Download "Compliance Solu.ons with a Budget in Mind"

Gwen Williamson
8 years ago
Views:

1 Compliance Solu.ons with a Budget in Mind complex, expensive PCI requirements tools to aid in mee7ng these requirements These tools will cost you exactly

2 Open Source / Free Caveats May require more technical exper.se Not covered under any SLA At the mercy of the developer group Ac7ve development may slow Support may be harder to source Can have more features, but may be less polished May at any point be bought by a for- profit organiza7on May be more secure, and will most likely have deeper source code review

slow Support may be harder to source Can have more features, but may be less polished May

3 The Requirements for Today 6.6: Web applica.on firewall 8.3: Two- factor authen7ca7on 10.2.(2, 3, 4, 5, 6, 7): Audi7ng, logging, monitoring cardholder data access 10.5.(2, 3, 5, 6): Log security (who watches the watchers)- > : Internal vulnerability scanning 11.4: Intrusion detec7on / preven7on 11.5: File integrity monitoring

(2, 3, 4, 5, 6, 7): Audi7ng, logging, monitoring cardholder data access 10.5.(2, 3, 5, 6): Log security (who watches the watchers)- > 11.

4 The interwebs: the least trusted network PCI- DSS Requirement 6.6

5 The interwebs: the least trusted network PCI- DSS Requirement 6.6 mod_security Open- source but owned by corporate en7ty Works on all three major webservers IIS, apache, nginx Signature (rule) based Commercial rules/support available Most widely deployed

on all three major webservers IIS, apache, nginx Signature

6 The interwebs: the least trusted network WebKnight Open- source Works on IIS / Windows only Operates as an ISAPI filter (low- overhead) Filter based Rules do not require frequent upda7ng Can catch unknown asacks Historically well maintained

filter (low- overhead) Filter based Rules do not require

7 The interwebs: the least trusted network naxsi (Nginx An7 Xss Sql Injec7on) Open- source OWASP project Works on nginx only Filter based Looks for unusual characters in raw requests White list based on learning- mode ini7aliza7on Also works out of the box

Filter based Looks for unusual characters in raw requests White

8 Installing NAXSI sudo ap7tude install nginx- naxsi

9 Installing NAXSI

10 NAXSI Demo

11 Your phone: Not just for angry birds anymore PCI DSS Requirement 8.3 Two- factor authen7ca7on using google- authen.cator Works on ios, Android and even blackberry Uses industry standard TOTP and HOTP codes PAM (pluggable authen7ca7on module) for GNU Linux / SSH access Key provisioning via QR code Requires mobile security policy / BYOD may increase complexity Hardware tokens / FOBs are available

cator Works on ios, Android and even blackberry Uses industry standard TOTP and HOTP codes PAM

12 google- authen.cator DEMO

13 The Bane of Malware FIM PCI DSS Requirement 10.2.x, 10.3.x, 10.5, 10.6, 11.5 OSSEC Open Source SECurity Host based intrusion detec7on with log analysis, file integrity monitoring, aler7ng, ac7ve response Works on Windows, GNU Linux, most *nix, ESX, MacOSX Supports network devices via syslog DB monitoring for MySQL, PostgreSQL (Oracle, MSSQL coming soon) Can also monitor individual applica7on logs Generates reports and alerts based on logged behavior Owned by corporate en7ty Ac7ve development Configura7on is very simple

Works on Windows, GNU Linux, most *nix, ESX, MacOSX Supports network devices via syslog DB monitoring for MySQL, PostgreSQL

14 Find them before they do, your vulnerabili.es PCI DSS Requirement OpenVAS Fork of the last open- source Nessus Signature based vulnerability scanner Two op7ons for signatures OpenVAS community (free) Network Vulnerability Tests (NVTs) 33k tests as of Dec 2013 Greenbone Security Feed Commercial NVTs with SLA Vulnerability tracking built- in

Two op7ons for signatures OpenVAS community (free) Network Vulnerability Tests (NVTs)

15 One Tool to Rule Them All PCI DSS Requirement - many Security Onion Linux distro based on ubuntu Many open- source tools baked- in Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many others Tools pre- configured to play nicely This is huge Ac7ve development No corporate entanglements (yet) Also means no SLA s available Incorporate other tools presented in this talk OSSEC, NAXSI, OpenVAS Can be used as the heart of your Security Opera7ons Center (SOC)

to play nicely This is huge Ac7ve development No corporate entanglements (yet) Also means no SLA s available Incorporate

16 Security Onion DEMO show all tools from this demo integrated and showing alerts Demo other features of included so`ware

17 References Naxsi OWASP Page: hsps:// Source: hsps://github.com/nbs- system/naxsi Webknight hsp:// mod_security hsp:// Google- authen7cator Source / Docs: hsps://code.google.com/p/google- authen7cator/ Play Store: hsps://play.google.com/store/apps/details?id=com.google.android.apps.authen7cator2&hl=en OSSEC hsp:// OpenVAS hsp:// Security Onion Docs / Blog: hsp://blog.securityonion.net/ Docs / wiki: hsps://code.google.com/p/securityonion/wiki/installa7on PCI- DSS hsps://

apps.authen7cator2&hl=en OSSEC hsp://www.ossec.net/ OpenVAS hsp://www.openvas.org/ Security Onion Docs / Blog: hsp://blog.securityonion.net/ Docs / wiki: hsps://code.google.

18 Contact Erich Ficker LinkedIN: hsp://

S N O R T I D S B L A S T C O U R S E

S N O R T I D S B L A S T C O U R S E General Description In this course, we will use the Security Onion operating system. Security Onion is based on Ubuntu Linux distro. It contains the Snort IDS, Suricata,