Using Skybox Solutions to Ensure PCI Compliance. Achieve efficient and effective PCI compliance by automating many required controls and processes

Transcription

1 Using Skybox Solutions to Ensure PCI Compliance Achieve efficient and effective PCI compliance by automating many required controls and processes

2 WHITEPAPER Executive Summary The Payment Card Industry (PCI) established the Data Security Standard (DSS) in order to reduce the risk organizations and consumers face in relation to credit card fraud, hacking and various other security issues. A company processing, storing or transmitting credit card numbers must be PCI DSS compliant or it risks losing the ability to process credit card payments. The penalties and sanctions for non-compliance are severe. PCI DSS requirements cover all aspects of information security: network security, data security, vulnerability management, access control, security monitoring and information security policy best practices. The requirements for data security demanded by PCI are compatible with many other security best practices, but they impose significant hurdles to security teams. Penalties associated with non-compliance are steep financially and legally and the costs to meet and maintain compliance are high due to the large amount of resources required from both a technology and staffing standpoint. The solution: incorporating a platform into your network and information security workflows that provides holistic understanding of your attack surface and allows you to easily visualize, prioritize and solve compliance issues. The platform should: > > Minimize the assessment scope to the relevant network segments only > > Utilize compensating controls to reduce the amount of patches > > Automate labor intensive tasks such as the analysis of complex firewall configurations

3 WHITEPAPER Contents Executive Summary Payment Card Industry Data Security Standard (PCI DSS) Overview PCI DSS Requirements and Their Challenges Skybox Solutions: Automated Vulnerability and Compliance Management to Support PCI DSS Efficient and Effective PCI DSS Compliance with Skybox Assessment Scope Requirement 1: Install and Maintain a Firewall to Protect Cardholder Data Requirement 6: Develop and Maintain Secure Systems and Applications Requirement 11: Regularly Test Security Systems and Processes Requirement 12: Maintain a Policy that Addresses Information Security Summary 10 References Appendix A: Detailed List for Skybox-Enabled PCI DSS Tasks About Skybox Security

4 Payment Card Industry Data Security Standard (PCI DSS) Overview WHITEPAPER PCI DSS was developed by the major credit card companies as a guideline to help organizations that process credit card payments prevent fraud, hacking and various other security issues. A company processing, storing or transmitting credit card numbers must be PCI DSS compliant or risk fines of up to $500,000, increased auditing requirements or even loss of the ability to process credit card transactions. These requirements apply to organizations and corporations in many industries, such as retail, banking, travel and entertainment services, telecommunication services and many others. The Data Security Standard requirements apply to all system components in the IT stack, defined as any network component, server, computing device or application included in or connected to the cardholder data environment. These include both physical and virtual devices such as: > > Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances and other security appliances > > Servers include but are not limited to Web, database, authentication, Domain Name Service (DNS), mail, proxy and Network Time Protocol (NTP) > > Applications include all purchased and custom applications, including internal and external applications Each affected organization needs to be either audited or self-assessed on an annual basis, depending on the number of credit card transactions processed in a given year. Merchants that process 6 million transactions or more per year must have an annual on-site audit by a certified third-party auditor. Merchants with less than 6 million transactions are required to perform an annual self-assessment process. In either case, in order to become compliant, organizations need to perform the required security tasks, then maintain a workflow for checking their systems with compliance rules on an on-going basis. PCI DSS Requirements and Their Challenges The PCI DSS outlines twelve requirements which must be followed by each and every organization that stores, processes or transmits cardholder data. The requirements for PCI DSS compliance are compatible with many other security best practices like those published by ISO and NIST, but they put organizations at risk of significant financial and legal penalties for non-compliance. Maintaining a compliant system also requires significant labor resources and heavy technology investments. For example, the first requirement of PCI DSS is to maintain proper firewall configurations as set by PCI. Meeting this requirement is incredibly challenging, especially for large organizations 4

5 where managing hundreds of firewalls and many access changes every month is often the full-time job of several security professionals. The manual process of ensuring that these firewalls are always configured according to the required policy may cost millions of dollars and can directly affect the bottom line of the business. Another requirement that demands significant resources is requirement 6, which requires that all system components must have the latest vendor-supplied security patches installed within one month of the release of the patch. Though this requirement appears reasonable on paper, often major security patches require unforeseen resources and time, as well WHITEPAPER as potential system outages and downtime to implement. The examples listed are only a few of a long list of challenges routinely faced by organizations. When those requirements apply to the entire enterprise network, the compliance cost and burden is enormous. Therefore, minimizing the scope of the audit becomes a critical component of the compliance work. Is there a solution for this unbearable trade-off between non-compliance penalties and excessive cost of compliance? Skybox Solutions: Automated Vulnerability and Compliance Management to Support PCI DSS Skybox is the leader in automated vulnerability and compliance management and can help manage several aspects of the complex requirements for PCI DSS compliance, as well as save at least 75 percent of the resources required for maintaining compliance. Skybox solutions specifically help to: > > Shrink the scope of the audit by proving that proper segmentation of the PCI-related networks is properly configured > > Reduce the number of patches required by proving that compensating controls are mitigating the potential exposure of critical vulnerabilities > > Automate firewall and network configuration compliance requirements. The Skybox Security Suite allows customers to find and address critical security, compliance and availability exposures within minutes, even on the most complex IT networks. Each module of the suite ensures effective PCI DSS compliance in unique ways: SKYBOX VULNERABILITY CONTROL > > Pinpoints critical IT risks and vulnerabilities and finds effective remediation alternatives > > Predicts potential attack scenarios with a visual model of network topology, vulnerabilities, device configurations and potential threats SKYBOX FIREWALL ASSURANCE > > Examines settings for your entire firewall architecture, automatically identifying compliance and risk exposures > > Alerts your IT operations team to resolve mis-configurations, fix conflicting firewall rules and optimize firewall configurations 5

6 SKYBOX CHANGE MANAGER > > Ends risky changes with network-aware planning and risk assessment > > Ensures network security and in continuous compliance with policies even during changes SKYBOX NETWORK ASSURANCE > > Reduces network configuration exposures through network mapping and analysis in the context of your current network controls WHITEPAPER > > Balances security, compliance and availability needs SKYBOX THREAT MANAGER > > Consolidates threat intelligence sources > > Identifies relevant advisories in the context of your attack surface More information about the Skybox Security Suite can be found on our website. Efficient and Effective PCI DSS Compliance with Skybox As a starting point, below are some specific PCI challenges that Skybox solutions expertly address. Each of the challenges and solutions are further explained in a dedicated sub-section. PCI DSS REQUIREMENT Assessment scope definition 1: Install and maintain a firewall to protect cardholder data 6: Develop and maintain secure systems and applications 11: Regularly test security systems and processes 12: Maintain a policy that addresses information security CHALLENGES SOLVED BY SKYBOX > > Hard to prove that minimal scope for compliance is sufficient > > Costly compliance burden due to unnecessarily large and sometime enterprise-wide scope for audit > > Costly, non-scalable and error-prone firewall audits > > Tough to maintain current network diagrams > > > Need to demonstrate on-going firewall change assurance > Need to demonstrate network access policy consistent with PCI guidelines > > Costly and sometimes dangerous patch deployment process > > Need to provide proof that compensating controls achieve acceptable risk mitigation, in order to avoid the implementation of infinite number of patches > > Non-scalable vulnerability and threat alert management process > > Non-scalable change management requirements for impact analysis and documentation > > Costly, non-scalable testing of network security controls for attack mitigation > > Costly and limited penetration testing process > > Need to provide proof that vulnerability management for all layers of the IT stack is performed per requirements (quarterly and after every major change) > > Formal risk assessment is required annually > > Formal policy is required for network security configurations and vulnerability and threat management > > For service providers effective and efficient way to ensure PCI compliance for connected entities 6

7 Assessment Scope WHITEPAPER According to the PCI DSS Security Assessment Procedures document, the security requirements apply to all system components. A system component is defined as any network component, server or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process or transmit cardholder data from the rest of the network, may reduce the scope of the cardholder data environment. Skybox Network Assurance performs full network modeling and visualization. It provides information on all possible access routes in the network given routing tables, firewall rules and NAT rules for heterogeneous network environments. These capabilities allow organizations to prove proper network segmentation of and access to cardholder data environments and therefore to reduce significantly the audit scope. Requirement 1: Install and Maintain a Firewall to Protect Cardholder Data CHALLENGE Costly, non-scalable and error-prone audit of the access rulesets of firewalls Tough to maintain updated network diagrams SOLUTION Firewall Assurance performs fully automated firewall configuration audits and rule usage analysis according to the PCI access requirements and corporate policies. Skybox solutions can save 75 percent or more of required resources. Network Assurance fully visualizes the network in an automatically updated model. This model provides information on all possible access routes in the network given routing tables, firewall rules, and NAT tables for heterogeneous network environments. The map can be exported for use in audits and compliance checks to prove adequate segmentation of your network. Need to demonstrate ongoing firewall change assurance Firewall Assurance and Change Manager automate and document the change assurance workflow from the receipt of change request to post-deployment validation. This process automation can save 75 percent or more of the resources required for typical PCI audits. A detailed list of Skybox-enabled solutions for Requirement 1 can be found in Appendix A. 7

8 Requirement 6: Develop and Maintain Secure Systems and Applications WHITEPAPER CHALLENGE Costly and sometimes dangerous patch deployment Need to provide proof that compensating controls achieve acceptable risk Non-scalable vulnerability and threat alert management Non-scalable change management requirements for impact analysis SOLUTION Skybox attack simulation capabilities can reduce patching pressure by assessing where the actual risks are (i.e., where no compensating controls exist) and therefore focus the patching work only where needed, saving up to 90 percent of required resources. Skybox attack simulation capabilities allows for path analysis from both internal and external sources to any asset, automatically assessing the effectiveness of the technical and compensating controls and whether they mitigate the critical risk. Threat Manager automates the threat alert handling process by first normalizing threat alerts, then guiding remediation and tracking the effective completion of required remediation, saving 75 percent or more of resources required. All modules of the Skybox Security Suite support what-if modeling. This capability enables scalable impact analysis for every change in the IT environment before the change is implemented. A detailed list of Skybox-enabled solutions for Requirement 6 can be found in Appendix A. Requirement 11: Regularly Test Security Systems and Processes CHALLENGE Costly, non-scalable testing of network security controls for attack mitigation Costly and limited penetration testing process Need to provide proof that vulnerability management for all layers of the IT stack is performed per requirements (quarterly and after every major change) SOLUTION Vulnerability Control automatically simulates all attack vectors given threats, vulnerabilities, network topology and the compensating controls (such as firewalls and IPS). This simulation validates that all relevant high-risk attacks can be mitigated. Vulnerability Control automatically simulates all attack vectors given threats, vulnerabilities, network topology and the compensating controls (such as firewalls and IPS). The results of the simulation provide a very wide and deep virtual penetration testing without touching or affecting the actual network. Vulnerability Control normalizes all vulnerability and patch data, and provides security metrics and trends for the vulnerability and remediation program within the organization. Vulnerability Control provides complete documentation for all current and historical vulnerabilities and remediation. Vulnerability Control receives its input from any vulnerability scanner and patch management applications. A detailed list of Skybox-enabled solutions for Requirement 11 can be found in Appendix A. 8

9 Requirement 12: Maintain a Policy that Addresses Information Security WHITEPAPER CHALLENGE Formal risk assessment is required annually Formal policy is required for network security configurations and vulnerability For Processors and Service Providers effective and efficient way to ensure PCI compliance for SOLUTION Vulnerability Control performs automated risk assessment based on industry standard methodologies such as NIST SP and others. Firewall Assurance and Network Assurance provide documentation for the network access policies in the organization. Vulnerability Control captures the vulnerability level and remediation latency policy of the organization. All modules of the Skybox Security Suite are available also in an ad-hoc Project Mode, which allows service providers to audit the connected entities for the compliance with the PCI DSS requirements. A detailed list of Skybox-enabled solutions for Requirement 12 can be found in Appendix A. 9

10 Summary WHITEPAPER Companies that process, store or transmit credit card numbers face real day-to-day challenges in implementing the security requirements as specified by the PCI DSS. Today s manual techniques introduce an unbearable trade-off to these organizations severe penalties for noncompliance or heavy cost in becoming compliant. The critical ingredients of a cost-effective PCI DSS compliance program are: > > Minimizing the assessment scope to the cardholder environments only, with the assistance of Skybox Network Assurance > > Proving the effectiveness of existing compensating controls in mitigating the exploitation of critical vulnerabilities, with the assistance of Skybox Vulnerability Control > > Automating firewall and network compliance analysis process, with the assistance of Skybox Firewall Assurance, Change Manager and Network Assurance Skybox Security is the only vendor that provides an automated, comprehensive suite of solutions that address many of the challenges in PCI DSS, turning them into an easy-to-manage process and useful, proactive security management best practices. References > > Payment Card Industry (PCI) Data Security Standard - Version 3.1 (Release: April 2015) > > Payment Card Industry (PCI) Standards Council Document Library > > PCI Security Standards Council website > > Skybox Security website 10

11 Appendix A: Detailed List for Skybox-Enabled PCI DSS Tasks WHITEPAPER Skybox solutions solve many of the challenges outlined by PCI DSS. These solutions assist in automation, verification and/or documentation for the requirements checked in the table below: REQUIREMENT 1: INSTALL AND MAINTAIN A FIREWALL TO PROTECT CARDHOLDER DATA SKYBOX ENABLED 1.1 Establish firewall configuration standards that include the following: A formal process for approving and testing all external network connections and changes to the firewall configuration A current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks Current diagram that shows all cardholder data flows across systems and networks Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone Description of groups, roles and responsibilities for management of network components Documentation and business justification for use of all services, protocols and ports allowed, including documentation of security features implemented for those protocols considered to be insecure Requirement to review firewall and router rulesets at least every six months Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment 11

12 WHITEPAPER REQUIREMENT 1: INSTALL AND MAINTAIN A FIREWALL TO PROTECT CARDHOLDER DATA 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment SKYBOX ENABLED Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports Limit inbound Internet traffic to IP addresses within the DMZ Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet Implement stateful inspection, also known as dynamic packet filtering (i.e., only established connections are allowed into the network) Place system components that store cardholder data (such as a database) in an internal network zone segregated from the DMZ and other untrusted networks Do not disclose private IP addresses and routing information to unauthorized parties 1.4 Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (e.g., laptops used by employees), and which are also used to access the network 1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use and known to all affected parties 12

13 WHITEPAPER REQUIREMENT 6: DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as high, medium, or low ) to newly discovered security vulnerabilities. 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. SKYBOX ENABLED 6.3 Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle. [List omitted as irrelevant for Skybox] 6.4 Follow change control processes and procedures for all changes to system components. The processes must include the following: Separate development/test environments from production environments, and enforce the separation with access controls. (include For network changes) below checkbox) Separation of duties between development/test and production environments For network changes Production data (live PANs) are not used for testing or development (no checkbox) For network changes Removal of test data and accounts before production systems become active (no checkbox) Change control procedures for the implementation of security patches and software modifications must include the following: Documentation of impact Documented change approval by authorized parties Functionality testing to verify that the change does not adversely impact the security of the system Back-out procedures 6.5 Coding vulnerabilities in software development 6.6 Addressing threats in custom-built web applications 6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use and known to all affected parties 13

14 WHITEPAPER REQUIREMENT 11: REGULARLY TEST SECURITY SYSTEMS AND PROCESSES 11.1.x Wireless Access Point discovery and validation 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades) Perform quarterly internal vulnerability scans and rescans as needed, until all high-risk vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel SKYBOX ENABLED Skybox isn t a scanner, but a consolidator of vulnerability data from many sources Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel Implement a methodology for penetration testing that includes the following: > > Is based on industry-accepted penetration testing approaches (e.g., NIST SP ) > > Includes coverage for the entire CDE perimeter and critical systems > > Includes testing from both inside and outside the network > > Includes testing to validate any segmentation and scope-reduction controls > > Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 > > Defines network-layer penetration tests to include components that support network functions as well as operating systems > > Includes review and consideration of threats and vulnerabilities experienced in the last 12 months > > Specifies retention of penetration testing results and remediation activities results Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment or a Web server added to the environment) Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment or a Web server added to the environment) Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE. Skybox performs highly scalable virtual penetration testing without affecting/touching the actual IT environment. 14

15 WHITEPAPER REQUIREMENT 11: REGULARLY TEST SECURITY SYSTEMS AND PROCESSES 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. SKYBOX ENABLED Skybox includes IPS as a critical compensating control in models REQUIREMENT 12: MAINTAIN A POLICY THAT ADDRESSES INFORMATION SECURITY SKYBOX ENABLED 12.1 Establish, publish, maintain and disseminate a security policy. For network access policy Review the security policy at least annually and update the policy when the environment changes. According to the checks in this appendix 12.2 Implement a risk-assessment process that: > > Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.) > > Identifies critical assets, threats and vulnerabilities, and > > Results in a formal, documented analysis of risk 12.3 Develop usage policies for critical technologies and define proper use of these technologies 12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel 12.5.x Assign to an individual or team the following information security management 12.6.x Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security 12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources (examples of background checks include previous employment history, criminal record, credit history and reference checks) 12.8.x Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data Skybox solutions can help MSPs maintain compliance with PCI DSS on the same level as an individual entity 15

16 REQUIREMENT 12: MAINTAIN A POLICY THAT ADDRESSES INFORMATION SECURITY 12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes or transmits on behalf of the customer, or to the extent that they could impact the security of the customer s cardholder data environment x Establish an incident response plan. Be prepared to respond immediately to a system breach. SKYBOX ENABLED Skybox can help you prepare for and simulate attacks on your systems, create a secure CDE and manage the systems in place to maintain that security About Skybox Security Skybox arms security teams with a powerful set of security management solutions that extract insight from traditionally siloed data to give unprecedented visibility of the attack surface, including all Indicators of Exposure (IOEs). With Skybox, security leaders can quickly and accurately prioritize and address vulnerabilities and threat exposures. info@skyboxsecurity.com Copyright 2016 Skybox Security, Inc. All rights reserved. Skybox is a trademark of Skybox Security, Inc. All other registered or unregistered trademarks are the sole property of their respective owners