PCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES


CONFIDENCE: SECURED
WHITE PAPER
PCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS
COMPARING SECURITY FRAMEWORKS SERIES
ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE

BENCHMARKS, STANDARDS, FRAMEWORKS AND REGULATIONS: WHAT'S THE DIFFERENCE?

The majority of IT security guidance to industry can be placed into one of these categories: benchmarks, standards, frameworks and regulations. Most address specific security issues and offer advice based on experience, collaborated information, authorities and activities (best practices) which have proven effective. They each offer in-depth guidance on how to apply security, how to build an effective security program and how to measure security investments.

COMPARING SECURITY FRAMEWORKS LEADS TO STRATEGIC INSIGHTS TO HELP ORGANIZATIONS

- Adjust their security programs and better address overall cybersecurity
- Understand and communicate the value of security and regulatory compliance investments
- Relate cybersecurity to business objectives

The challenge is how to navigate the myriad source materials, identify the most salient and effective components of each document, and then use that information to build the most effective security program for the organization. Tripwire offers this comparison of the Payment Card Industry Data Security Standard (PCI DSS) and the Council on CyberSecurity's Critical Security Controls (CSC) documents to help you and your organization understand the benefits and value of each, and to help you take advantage of them within your organization.

ANALYSIS: PCI DSS AND THE CSC

This analysis provides an overview and comparison of the PCI DSS, the security standard framework created for all merchants who accept credit cards, and the CSC framework, a best practices document with prioritized cybersecurity procedures.

BUSINESS IMPACT

The business imperative that drives both of these frameworks is to reduce the risk to businesses from improperly designed and operated technology. They specifically address the challenge of how to instill security essentials, such as the security practices of asset control, vulnerability assessment and security hardening. Regardless of whether these are compelled (by contractual and audit compliance with PCI) or advised through best practices (as with the CSC), these essential tasks are frequently overlooked.

THREAT ORIENTATION

Both frameworks are also threat oriented, meaning they prescribe specific actions, controls and activities known to eliminate or reduce common threat vectors. However, without considering the associated risks and the overall relevance of these recommendations to your organization, these frameworks can create a false sense of security. Adopted controls should match the potential threat, and risk and mitigation measures should be adjusted accordingly.

PROACTIVE RISK MITIGATION

The reason a business should look at one or both of these frameworks is to reinforce the decision to address cybersecurity in a proactive manner. The documents outline common, if not necessarily consistent, programmatic elements. They use security language but do not assume the reader is a security expert. The advice or prescription is based on current, real-world risks and the response measures that will mitigate them. While the response measures prescribe specific outcomes, they are not product- or solution-specific. However, working from these documents will give most readers some idea of the type of skills and resources they will need to address security within their specific environment.

Comparing Security Frameworks Series: PCI 3.0 and the CSC

BENCHMARK: Designed for specific environments; specific prescriptive controls
STANDARD: Provides detailed technology implementation guidance from a standards body
FRAMEWORK: Outlines security program requirements and may include prescriptions, methods and
REGULATION: Typically an enforced guideline with prescribed repercussions (penalties)

Examples charted against these four categories in the original (each example is checked under one or more of them): CIS Benchmarks, DISA Checklists, Vendor Security Guidance, ISA/IEC (formerly ISA-99), ISO / Common Criteria, ISO and NIST, Top 20 CSC, COBIT v.5, HIPAA, PCI, NERC CIP, SOX, GLBA.

TOP 20 CRITICAL SECURITY CONTROLS

CRITICAL SECURITY CONTROLS (CSC)
For detailed information on sub-controls, refer to Tripwire's Sub-control Mapping brief.

CONTROL                                                        NSA RANK
CSC1:  Inventory H/W Assets, Criticality & Location            Very High
CSC2:  Inventory S/W Assets, Criticality & Location            Very High
CSC3:  Secure Configuration Servers                            Very High
CSC4:  Vulnerability Assessment & Remediation                  Very High
CSC5:  Malware Protection                                      High/Medium
CSC6:  Application Security                                    High
CSC7:  Wireless Device Control                                 High
CSC8:  Data Recovery                                           Medium
CSC9:  Security Skills Assessment                              Medium
CSC10: Secure Config-Network                                   High/Medium
CSC11: Limit and Control Network Ports, Protocols & Services   High/Medium
CSC12: Control Admin Privileges                                High/Medium
CSC13: Boundary Defense                                        High/Medium
CSC14: Maintain, Monitor, and Analyze Audit Logs               Medium
CSC15: Need-to-Know Access                                     Medium
CSC16: Account Monitoring & Control                            Medium
CSC17: Data Loss Prevention                                    Medium/Low
CSC18: Incident Response                                       Medium
CSC19: Secure Network Engineering (secure coding)              Low
CSC20: Penetration Testing & Red Team Exercises                Low

WHAT THE CSC DOES

The Top 20 Critical Security Controls (previously known as the Consensus Audit Guidelines (CAG) and formerly referred to as the SANS 20 Critical Security Controls) are now governed by the Council on CyberSecurity, an international, independent, expert, not-for-profit organization with a global scope and specific, public goals. The development of this set of standards was first undertaken in 2008 by the National Security Agency at the behest of the U.S. Secretary of Defense in an effort to efficiently direct resources toward combating the most common network vulnerabilities that resulted in the greatest number of attack vectors. With its beginnings as an annual list of threats and vulnerabilities, the CSC is the result of a broad number of federal and commercial enterprise inputs and continues to evolve as a list of security best practices.

The result is a list of practical security advice that applies to most IT operations. The CSC provides a prioritized list of security practices as well as a practical approach to implementation. It also offers tips for managing these controls on an ongoing basis. While the Controls are not industry-specific, they were developed and validated by the U.S. Federal government. Their application and efficacy in government lends them credibility with large organizations and federal agencies. Because the CSC offers a relatively short list of controls that have been pre-prioritized, it appeals to business managers and security practitioners alike. The framework provides guidance for those in the early stages of developing an information security program, and also offers guidance and advice for those with mature ones. The framework provides quick wins for organizations looking for easy, fast ways to reduce risk, as well as in-depth guidance for each control.

Quick wins provide solid risk reduction without major procedural, architectural, or technical changes to an environment. They also provide substantial controls against the most common attack vectors, so most organizations prioritize the implementation of these controls.

Visibility and attribution measures improve the process, architecture and technical capabilities of organizations to monitor their networks and computer systems, making it possible to detect attack attempts, locate points of entry, identify already-compromised machines, interrupt infiltrated attackers' activities and gain information about the sources of an attack.

Improved information security configuration and hygiene reduces the number and magnitude of security vulnerabilities and improves the operation of networked computer systems. Secure configurations make systems more difficult to compromise and dramatically reduce security risks.

Advanced sub-controls that require the use of new technologies are clearly identified. These controls may be harder or more expensive to deploy.

In addition, the CSC includes notional network architecture references, test tools and suggested tests that can be used to verify that the controls are in place and effective. This additional guidance can help organizations evaluate and improve their security programs.

WHAT THE CSC DOESN'T DO

The Critical Security Controls document is a voluntary measure: there is no policing, audit or fines for not implementing the advice or for implementing it incorrectly. The Controls are constantly being re-assessed and change based on the advice and feedback of an advisory schedule. These changes are expected to occur on a regular basis. Although the committee represents business, government and various industries, it may not cover specific business or industry needs and concerns.

The Controls are not intended to cover every risk. The objective of the framework is to identify the security controls that are most effective against the most common attack vectors. Your company and/or your industry may have specific, unique risks that are not adequately addressed by the Controls.

The CSC does not prescribe a method to verify and examine the risks that correlate to each control. Although the CSC includes basic explanations, each organization needs to evaluate the security risks of its specific organization, determine if the control is appropriate and sufficient, and then evaluate the decision to implement the control.

Finally, the CSC is not an in-depth or process-oriented framework. It may require some technical effort to fit technical solutions into the specific systems at each organization.

"The great thing about the Top 20 Critical Security Controls is it helps most any organization at any point in their maturity curve with knowing where to start: what's the most important thing to do right now."
JANE HALL LUTE, CEO OF THE COUNCIL ON CYBERSECURITY, FORMER DEPUTY SECRETARY OF THE DEPARTMENT OF HOMELAND SECURITY

WHAT THE PCI DSS DOES

The Payment Card Industry Data Security Standard was created by an industry consortium with the goal of creating security standards for the payment card industry to guide credit card processors, merchants and banks to protect cardholder data and improve the security of the systems used to store, track and manage credit card payment and authorization. The PCI DSS is a widely adopted security standard and has become one of the most international security standards. Because PCI DSS is enforced by the industry consortium, and failing a third-party audit entails serious business consequences and can also involve fines or other penalties, the standard is unique.

The PCI DSS is very straightforward: it is designed to identify and protect the systems that contain cardholder information as well as protect that data wherever it is transmitted, processed or stored. The standard ensures a minimum level of information security for any organization that processes credit cards.

THE PCI DSS 3.0

CONTROL OBJECTIVES AND PCI DSS REQUIREMENTS

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Because the PCI DSS was developed to address common security issues, other industries can use it for basic security guidance. Merchants and financial services organizations have also found that applying the standard to systems not directly involved with processing cardholder data can dramatically reduce security risk. This has improved the IT security standing of many organizations.

WHAT PCI DSS DOESN'T DO

Because the PCI framework is designed only to protect cardholder data, its controls are usually designed and described for the specific systems and devices that process that data. While the standard evolved to focus only on cardholder data as a way to limit the cost of compliance, an unintended consequence may be that one area of the network is strongly protected but others are left open to attack.

The PCI DSS was not developed to address a specific risk associated with the loss of cardholder data and the resulting fraud. However, the threat vector can and does change rapidly. Organizations with large data sets may require greater protection than the standard requires. New, more advanced controls should be carefully considered and should be calibrated to the level of risk.

The challenge for all security standards is to strike an appropriate balance between compliance requirements and the cost of implementation. Every standard is trying to achieve the greatest possible risk reduction for the lowest possible investment.

SIMILARITIES OF CSC AND PCI

There are plenty of similarities between the two frameworks. From examining the previous chart, one can see that, other than missing a control specifically covering physical security, the Controls line up fairly consistently with the PCI DSS Requirement and Objective areas. This is expected, since the focus of both documents is fairly consistent: shoring up IT security solutions and practices across a network to protect assets, data or equipment.

NOT OVERLY COMPLEX

While some technologies are prescribed, both documents recognize that security is a process, not a single product or single skill set. This is important because it addresses a common misperception that security is only a product away (or, conversely, too complex to understand). In reality, the best response to a specific threat is usually unique to each environment. Also, while these frameworks are designed to distill requirements and provide advice, they try to avoid an overly simplistic approach. Both PCI DSS and the CSC mention the relative complexity of specific problems and solutions, and both mention the need for specific skills. Both standards attempt to provide enough guidance to be useful and enough detail to avoid being distilled into a checklist. Security practitioners will likely find that the practices in both documents are cross-referential, meaning that the efforts and artifacts from one practice area typically inform other security practices. Each organization should examine both the PCI DSS and the CSC to make sure it has carefully evaluated each control and is implementing them at the level appropriate for the organization. This strategy is the basis of a well-rounded cybersecurity program.

KEY TAKEAWAYS

Strong alignment exists between PCI DSS 3.0 Objectives 1 and 6 and a number of the Controls:

PCI 3.0 OBJECTIVE 1: BUILD AND MAINTAIN A SECURE NETWORK
CSC coverage:
- CSC 3: Secure Configurations on all Hardware and Software for all Mobile Devices, Laptops, Workstations, and Servers (this would include POS devices)
- CSC 10: Boundary Defense
- CSC 11: Limitation and Control of Network Ports, Protocols, and Services
- CSC 13: Secure Configurations for all Network Devices such as Firewalls, Routers, and Switches
- CSC 19: Secure Network Engineering

PCI 3.0 OBJECTIVE 6: MAINTAIN AN INFORMATION SECURITY POLICY
CSC coverage:
- CSC 9: Security Skills Assessment & Training
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 18: Incident Response & Management

WHAT'S DIFFERENT?

The most important difference between the two documents is that the PCI DSS is compulsory for merchants, whereas the CSC is best practice. A regulation has accompanying audit guidance and typically undergoes a regular review of its prescriptions to effect change in the target community. Again, while PCI DSS is not a regulation per se, merchants must comply with the standard, and regular third-party audits are conducted to ensure that the controls are applied correctly and are effective.

REGULATORY COMPLIANCE

Organizations that must comply with a regulation often find that the management of the compliance program is a risk or constraint in itself. For instance, failure to comply may equate to fees or fines, and the cost of compliance is typically taken from the security budget.

ADVISORY FRAMEWORK

In contrast, the CSC document has made an important stretch into providing its best practices with possible ways to implement and measure the value of any of its prescriptions. It is an important point that the CSC is actively promoting an ROI or value proposition to the reader. This will align with business managers more than an audit guideline will, although both are attempting similar goals: providing the organization with a way to measure and understand whether the guidance is working.

The CSC document also provides relative prioritization of the control areas. This means that an organization starting at CSC 1 can move forward through the list in a manner that should best address the threat areas and support the security program's development. This fills a need that has clearly been missing for organizations looking to regulations as a starting point for their security programs. However, many organizations do not start with CSC-1, and may instead choose something that has been seen to be more highly prioritized, such as CSC-13, Boundary Defense, or CSC-20, Penetration Tests (as part of an initial security assessment to establish a good starting point for the current security posture). Still, if organizations have a choice, completing CSC 1 through 4 in that order can speed the implementation of the remaining Controls.

THE GAP

The question of what is similar or different often does not help organizations recognize what's actually missing. In this case, both documents miss a number of important cybersecurity issues that illustrate the limitations of documents like these, as well as other issues that any organization will want to address.

RAPIDLY EVOLVING THREAT vs. AGING GUIDANCE

An issue for some organizations will be the age of the guidance. In the case of PCI, the guidance is on a three-year update cycle, which means that it takes a number of years for certain practices, techniques and controls to be included. In addition, further time is often allowed for full audit compliance, which can further extend and accentuate the difficulty with aging guidance. An example of this is that PCI DSS 3.0 has been finalized since November 2013 and went into effect on January 1. However, PCI DSS 2.0 remains active until December 31, so organizations still working under PCI 2.0 won't have to change immediately. Also, compensating controls may often be used when compliance isn't possible, and other controls may be used to acceptably mitigate audit findings. The CSC advisory has been updated more frequently, but the council behind the Controls is voluntary and consensual, and therefore unlikely to be held to a schedule for updates. So the answer is not to rely entirely on either guide as the source of the most current controls, practices or threat information.
CONTINUOUS MONITORING

An excellent example of an underrepresented control is the concept of continuous monitoring (CM), now also referred to in government as Continuous Diagnostics & Mitigation (CDM). CM is the logical conclusion that a monitoring control mechanism must be in place to improve awareness, react to incidents and constantly validate that the control (sensor) mechanism itself is actually working. A principal characteristic of this monitoring, the notification interval, should be determined based on the relative risk of an incident and how long the business would be willing to wait until notified. Most businesses would like this interval to be as close to real time as possible, but it is challenging for many to determine the best technology, methodology and investment to make in CM.

RISK MANAGEMENT

Another issue is that both programs skirt around the topic of risk management (RM), a practice that incorporates the identification, prioritization and remediation of business-specific risks. This is because the RM practice is challenging to perform well. Getting risk assessment wrong or prescribing a poor methodology are both risks unto themselves. However, risk determination is actually very important in order to mature and manage your security programs. Starting with best practices is an excellent baseline, but truly addressing the needs of the organization will require some level of risk analysis and assessment of organizational risk appetite. Again, the advice here is that the organization should not rely on generic guidance for translating risk context. The organization must address its risk in a way that meets the needs of the business and the managers who run it. It is important to take a long-term approach to risk management as a discipline within the organization to bridge the communications gap that often accompanies cybersecurity practices. When senior management agrees on the level of risk and the accompanying mitigations are well deployed, the organization can address the business issues of investment and return on investment.

MATURITY CYCLE

Another challenge is that of assessing the as-is investment in security program controls. That is, most organizations do not need to start from scratch, but can build on current programs, perhaps only refining an existing control to meet or exceed the security needs. This is both a technical/security evaluation challenge and a management challenge, and it is not addressed by these advisories. It is a huge challenge to determine the relative maturity of a security program. This is compounded in part by the fact that most organizations in your business sector are unlikely to share security capability information with one another. Plan for this management challenge because it will set the stage for strong governance and business management of security operations.

CONCLUSION

The value of both the PCI DSS and the Critical Security Controls is that they cover and reinforce the necessary practices for protecting against common threats to the business. In addition, there is a useful overlap between the two that can achieve both audit compliance and security. The advice? Consider the practices as a baseline for any risk-based security management program. Assure yourself that the overlap is due to the commonality of the threat and the effectiveness of the practices promoted.

Most organizations will either have a regulatory standard or suggested guidance for their industry (e.g. organization-specific standards and policy, or industry regulations like PCI, GLBA, NERC, SOX and HIPAA). However, many organizations realize over time that the required security compliance programs will not and cannot address all cybersecurity issues at their organization (such as new threats, risks and vulnerabilities, changing laws, aging guidelines and new technology).

Finally, remember that strong security is a business value, not just a cost. With public examples emerging virtually every week, this has never been easier to substantiate. Make security investments and defenses as relevant as possible to maximize the potential return, and, like our overlap between these two frameworks, find the most strategic investments you can make that will achieve both your business and your security requirements. After all, they're beginning to look more and more the same every day.

CONTROL FRAMEWORKS MAP: PCI DSS 3.0 AND THE CSC

The following table maps the two frameworks together with a view to seeing what specific activities make the most sense for your organization as you work toward PCI DSS 3.0 compliance.

OBJECTIVE: BUILD AND MAINTAIN A SECURE NETWORK
PCI DSS requirements:
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Critical Security Controls mapped to this objective:
  Critical Control 13: Boundary Defense
  Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers and Switches
  Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
  Critical Control 19: Secure Network Engineering

OBJECTIVE: PROTECT CARDHOLDER DATA
PCI DSS requirements:
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Critical Security Controls mapped to this objective:
  Critical Control 8: Data Recovery Capability
  Critical Control 7: Wireless Device Control
  Critical Control 17: Data Loss Prevention

OBJECTIVE: MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM
PCI DSS requirements:
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications
Critical Security Controls mapped to this objective:
  Critical Control 5: Malware Defenses
  Critical Control 4: Continuous Vulnerability Assessment and Remediation
  Critical Control 6: Application Software Security

OBJECTIVE: IMPLEMENT STRONG ACCESS CONTROL MEASURES
PCI DSS requirements:
  7. Restrict access to cardholder data by business need-to-know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
Critical Security Controls mapped to this objective:
  Critical Control 15: Controlled Access Based on the Need to Know
  Critical Control 12: Controlled Use of Administrative Privileges
  Critical Control 16: Account Monitoring and Control

OBJECTIVE: REGULARLY MONITOR AND TEST NETWORKS
PCI DSS requirements:
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Critical Security Controls mapped to this objective:
  Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
  Critical Control 20: Penetration Tests and Red Team Exercises

OBJECTIVE: MAINTAIN AN INFORMATION SECURITY POLICY
PCI DSS requirement:
  12. Maintain a policy that addresses information security for all personnel
Critical Security Controls mapped to this objective:
  Critical Control 9: Security Skills Assessment and Training to Fill Gaps
  Critical Control 1: Inventory of Authorized and Unauthorized Devices
  Critical Control 2: Inventory of Authorized and Unauthorized Software
  Critical Control 18: Incident Response and Management

Illustration of sections from the PCI DSS and the CSC documents. The PCI DSS version 3.0 (November 2013) is available at pcisecuritystandards.org/security_standards/documents.php. Find the CSC at

Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context, and enable security automation through enterprise integration. Tripwire's portfolio of enterprise-class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence. Learn more at tripwire.com.

SECURITY NEWS, TRENDS AND INSIGHTS AT TRIPWIRE.COM/BLOG
FOLLOW ON TWITTER

2014 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. WPPCICSC1a


More information

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:

More information

TRIPWIRE NERC SOLUTION SUITE

TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering

More information

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity) PCI Compliance Reporting Solution Brief Automating Regulatory Compliance and IT Best Practices Reporting Automating Compliance Reporting for PCI Data Security Standard version 1.1 The PCI Data Security

More information

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities Sean Barnum sbarnum@mitre.org September 2011 Overview What is SCAP? Why SCAP?

More information

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask Everything You Wanted to Know about DISA STIGs but were Afraid to Ask An EiQ Networks White Paper 2015 EiQ Networks, Inc. All Rights Reserved. EiQ, the EiQ logo, the SOCVue logo, SecureVue, ThreatVue,

More information

Assessing the Effectiveness of a Cybersecurity Program

Assessing the Effectiveness of a Cybersecurity Program Assessing the Effectiveness of a Cybersecurity Program Lynn D. Shiang Delta Risk LLC, A Chertoff Group Company Objectives Understand control frameworks, assessment structures and scoping of detailed reviews

More information

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance 3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security

More information

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,

More information

North American Electric Reliability Corporation (NERC) Cyber Security Standard

North American Electric Reliability Corporation (NERC) Cyber Security Standard North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation

More information

Critical Controls for Cyber Security. www.infogistic.com

Critical Controls for Cyber Security. www.infogistic.com Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability

More information

PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

More information

Achieving Compliance with the PCI Data Security Standard

Achieving Compliance with the PCI Data Security Standard Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),

More information

The Value of Vulnerability Management*

The Value of Vulnerability Management* The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda

More information

ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002

ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002 ForeScout CounterACT and Compliance An independent assessment on how network access control maps to leading compliance mandates and helps automate GRC operations June 2012 Overview Information security

More information

How To Protect Your Data From Being Stolen

How To Protect Your Data From Being Stolen DATA SECURITY & PCI DSS COMPLIANCE PROTECTING CUSTOMER DATA WHAT IS PCI DSS? PAYMENT CARD INDUSTRY DATA SECURITY STANDARD A SET OF REQUIREMENTS FOR ANY ORGANIZATION OR MERCHANT THAT ACCEPTS, TRANSMITS

More information

Dynamic Data Center Compliance with Tripwire and Microsoft

Dynamic Data Center Compliance with Tripwire and Microsoft Dynamic Data Center Compliance with Tripwire and Microsoft white paper Configuration Control for Virtual and Physical Infrastructures For IT, gaining and maintaining compliance with one or more regulations

More information

Franchise Data Compromise Trends and Cardholder. December, 2010

Franchise Data Compromise Trends and Cardholder. December, 2010 Franchise Data Compromise Trends and Cardholder Security Best Practices December, 2010 Franchise Data Security Agenda Cardholder Data Compromise Overview Breach Commonalities Hacking Techniques Franchisee

More information

Wasting Money on the Tools? Automating the Most Critical Security Controls. Mason Brown Director, The SANS Institute

Wasting Money on the Tools? Automating the Most Critical Security Controls. Mason Brown Director, The SANS Institute Wasting Money on the Tools? Automating the Most Critical Security Controls Bonus: Gaining Support From Top Managers for Security Investments Mason Brown Director, The SANS Institute The Most Trusted Name

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST udit.pathak@niiconsulting.com Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance

More information

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

Is the PCI Data Security Standard Enough?

Is the PCI Data Security Standard Enough? Is the PCI Data Security Standard Enough? By: Christina M. Freeman ICTN 6870 Advanced Network Security Abstract: This paper will present the researched facts on Payment Card Industry Data Security Standard

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

SECURITY. Risk & Compliance Services

SECURITY. Risk & Compliance Services SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

Overview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015

Overview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015 Overview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015 Tripwire Evolution 18+ Years of Innovation 1997 Tripwire File System Monitoring from open source

More information

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult

More information

Leveraging a Maturity Model to Achieve Proactive Compliance

Leveraging a Maturity Model to Achieve Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance White Paper: Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance Contents Introduction............................................................................................

More information

Professional Services Overview

Professional Services Overview Professional Services Overview INFORMATION SECURITY ASSESSMENT AND ADVISORY NETWORK APPLICATION MOBILE CLOUD IOT Praetorian Company Overview HISTORY Founded in 2010 Headquartered in Austin, TX Self-funded

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility

More information

Uncheck Yourself. by Karen Scarfone. Build a Security-First Approach to Avoid Checkbox Compliance. Principal Consultant Scarfone Cybersecurity

Uncheck Yourself. by Karen Scarfone. Build a Security-First Approach to Avoid Checkbox Compliance. Principal Consultant Scarfone Cybersecurity Uncheck Yourself Build a Security-First Approach to Avoid Checkbox Compliance by Karen Scarfone Principal Consultant Scarfone Cybersecurity Sponsored by www.firehost.com (US) +1 844 682 2859 (UK) +44 800

More information

White Paper: Consensus Audit Guidelines and Symantec RAS

White Paper: Consensus Audit Guidelines and Symantec RAS Addressing the Consensus Audit Guidelines (CAG) with the Symantec Risk Automation Suite (RAS) White Paper: Consensus Audit Guidelines and Symantec RAS Addressing the Consensus Audit Guidelines (CAG) with

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This

More information

Solving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense

Solving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense Solving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense John M. Gilligan Information systems Security Association National Capital Chapter January 19, 2010 1 Topics Background

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement

More information

Information Technology Risk Management

Information Technology Risk Management Find What Matters Information Technology Risk Management Control What Counts The Cyber-Security Discussion Series for Federal Government security experts... by Carson Associates your bridge to better IT

More information

Introduction to PCI DSS

Introduction to PCI DSS Month-Year Introduction to PCI DSS March 2015 Agenda PCI DSS History What is PCI DSS? / PCI DSS Requirements What is Cardholder Data? What does PCI DSS apply to? Payment Ecosystem How is PCI DSS Enforced?

More information

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES Aligning information with business and operational objectives ESSENTIALS Leverage EMC Consulting as your trusted advisor to move your and compliance

More information

CORE Security and GLBA

CORE Security and GLBA CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com

More information

Preemptive security solutions for healthcare

Preemptive security solutions for healthcare Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare

More information

Property of CampusGuard. Compliance With The PCI DSS

Property of CampusGuard. Compliance With The PCI DSS Compliance With The PCI DSS Today s Agenda PCI DSS Introduction How are Colleges and Universities Affected? How Do You Validate Compliance? Best Practices Q&A CampusGuard Full-Service QSA/ASV Firm We Know

More information

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Best Practices in ICS Security for System Operators. A Wurldtech White Paper Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

Total Protection for Compliance: Unified IT Policy Auditing

Total Protection for Compliance: Unified IT Policy Auditing Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.

More information

The Importance of Cybersecurity Monitoring for Utilities

The Importance of Cybersecurity Monitoring for Utilities The Importance of Cybersecurity Monitoring for Utilities www.n-dimension.com Cybersecurity threats against energy companies, including utilities, have been increasing at an alarming rate. A comprehensive

More information

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy: Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance

More information

Network Segmentation

Network Segmentation Network Segmentation The clues to switch a PCI DSS compliance s nightmare into an easy path Although best security practices should be implemented in all systems of an organization, whether critical or

More information

Maximizing Configuration Management IT Security Benefits with Puppet

Maximizing Configuration Management IT Security Benefits with Puppet White Paper Maximizing Configuration Management IT Security Benefits with Puppet OVERVIEW No matter what industry your organization is in or whether your role is concerned with managing employee desktops

More information

Managing Vulnerabilities For PCI Compliance

Managing Vulnerabilities For PCI Compliance Managing Vulnerabilities For PCI Compliance Christopher S. Harper Vice President of Technical Services, Secure Enterprise Computing, Inc. June 2012 NOTE CONCERNING INTELLECTUAL PROPERTY AND SOLUTIONS OF

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE ebook Series 2 Headlines have been written, fines have been issued and companies around the world have been challenged to find the resources, time and capital

More information

How To Comply With The Pci Ds.S.A.S

How To Comply With The Pci Ds.S.A.S PCI Compliance and the Data Security Standards Introduction The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of

More information

Need to be PCI DSS compliant and reduce the risk of fraud?

Need to be PCI DSS compliant and reduce the risk of fraud? Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction

More information

PCI COMPLIANCE GUIDE For Merchants and Service Members

PCI COMPLIANCE GUIDE For Merchants and Service Members PCI SAQ C-VT PCI COMPLIANCE GUIDE For Merchants and Service Members PCI DSS v2.0 SAQ CVT Merchant Guide 1 Contents Contents... 2 Introduction... 3 Defining an SAQ C Merchant... 3 REQUIREMENTS FOR SAQ-VT...

More information

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected.

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected. worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected. The 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS) by type Build

More information

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War Vulnerability Risk Management 2.0 Best Practices for Managing Risk in the New Digital War In 2015, 17 new security vulnerabilities are identified every day. One nearly every 90 minutes. This consistent

More information

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

What IT Auditors Need to Know About Secure Shell. SSH Communications Security What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic

More information

Two Approaches to PCI-DSS Compliance

Two Approaches to PCI-DSS Compliance Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,

More information

www.clickndecide.com Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas The V ersatile BI S o l uti on!

www.clickndecide.com Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas The V ersatile BI S o l uti on! Business Application Intelligence White Paper The V ersatile BI S o l uti on! Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas December 1, 2009 Sales Office: 98, route de la Reine - 92100

More information

Top 20 Critical Security Controls

Top 20 Critical Security Controls Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need

More information

SCAC Annual Conference. Cybersecurity Demystified

SCAC Annual Conference. Cybersecurity Demystified SCAC Annual Conference Cybersecurity Demystified Me Thomas Scott SC Deputy Chief Information Security Officer PMP, CISSP, CISA, GSLC, FEMA COOP Practitioner Tscott@admin.sc.gov 803-896-6395 What is Cyber

More information

Cisco SAFE: A Security Reference Architecture

Cisco SAFE: A Security Reference Architecture Cisco SAFE: A Security Reference Architecture The Changing Network and Security Landscape The past several years have seen tremendous changes in the network, both in the kinds of devices being deployed

More information

IT Security & Compliance. On Time. On Budget. On Demand.

IT Security & Compliance. On Time. On Budget. On Demand. IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

Teleran PCI Customer Case Study

Teleran PCI Customer Case Study Teleran PCI Customer Case Study Written by Director of Credit Card Systems for Large Credit Card Issuer Customer Case Study Summary A large credit card issuer was engaged in a Payment Card Industry Data

More information

Fortinet Solutions for Compliance Requirements

Fortinet Solutions for Compliance Requirements s for Compliance Requirements Sarbanes Oxley (SOX / SARBOX) Section / Reference Technical Control Requirement SOX references ISO 17799 for Firewall FortiGate implementation specifics IDS / IPS Centralized

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0 Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview

More information

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013 05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current

More information

PCI DSS Top 10 Reports March 2011

PCI DSS Top 10 Reports March 2011 PCI DSS Top 10 Reports March 2011 The Payment Card Industry Data Security Standard (PCI DSS) Requirements 6, 10 and 11 can be the most costly and resource intensive to meet as they require log management,

More information

CloudCheck Compliance Certification Program

CloudCheck Compliance Certification Program CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or

More information

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Introduction A decade or more ago, logs of events recorded by firewalls, intrusion detection systems and other network devices were

More information

PCI Solution for Retail: Addressing Compliance and Security Best Practices

PCI Solution for Retail: Addressing Compliance and Security Best Practices PCI Solution for Retail: Addressing Compliance and Security Best Practices Executive Summary The Payment Card Industry (PCI) Data Security Standard has been revised to address an evolving risk environment

More information

Automating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0

Automating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0 WHITE PAPER Automating Cloud Security Control and Compliance Enforcement for 3.0 How Enables Security and Compliance with the PCI Data Security Standard in a Private Cloud EXECUTIVE SUMMARY All merchants,

More information

5 TIPS FOR MAXIMIZING THE VALUE OF YOUR SECURITY ASSESSMENT

5 TIPS FOR MAXIMIZING THE VALUE OF YOUR SECURITY ASSESSMENT 5 5 TIPS FOR MAXIMIZING THE VALUE OF YOUR SECURITY ASSESSMENT 1 Anatomy of a Security Assessment With data breaches making regular headlines, it s easy to understand why information security is critical.

More information

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Produced on behalf of New Net Technologies by STEVE BROADHEAD BROADBAND TESTING 2010 broadband testing and new net technologies

More information