CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security

CORE Security | +1 617.399.6980 | info@coresecurity.com | www.coresecurity.com | blog.coresecurity.com

The PCI Data Security Standard: A Mandate for Cardholder Security

It's no secret that cardholder data presents a tempting target for cybercrime. That's why the major credit and debit card brands established the Payment Card Industry Data Security Standard (PCI DSS), which applies to every merchant and service provider that stores, processes or transmits cardholder data. The standard mandates baseline security practices and requires that organizations both implement them and keep them effective: firewalls, anti-virus software, timely security patching, intrusion detection and prevention systems (IDS and IPS), end-user awareness training and incident-response programs.

Security Testing for PCI Validation and Compliance

PCI DSS v2.0 requires the same set of security controls from every merchant and service provider, regardless of transaction volume or card acceptance channel (e.g., in-store vs. e-commerce); only the validation method (a Self-Assessment Questionnaire or an on-site assessment by a Qualified Security Assessor) varies by merchant or service provider level. Organizations must not only implement these controls but also validate that they are working effectively. CORE Security offers solutions that follow both the letter and the spirit of the PCI mandates. Proactively testing your security measures is one of the easiest things you can do to comply with, and validate, multiple PCI requirements at once. CORE solutions let you run regular, controlled and safe breach attempts against your network, endpoint and web application security infrastructure, so you can quickly demonstrate whether your defenses and response plans are in place and working as the standard requires. Regular, automated and scalable testing also helps sustain the efficacy of your overall security posture and gives auditors and the business an actionable risk assessment.

Fulfill the Penetration Testing Requirement and More

PCI DSS Requirement 11.3: Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification. The tests must include network-layer (11.3.1) and application-layer (11.3.2) penetration testing.

Many CORE Security customers rely on CORE Impact Pro as a key component of their regular penetration testing program and credit it with their fulfillment of Requirement 11.3. With CORE Impact you can conduct automated, repeatable and documented penetration tests across all systems that handle payment card data. That simplifies compliance whether you complete the PCI Self-Assessment Questionnaire or prepare for an on-site assessment by a Qualified Security Assessor. CORE Impact can also be used to validate compliance with a number of additional PCI requirements (see the table below).

PCI DSS Requirement / How CORE Impact can help

Requirement 11.3: Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification.
How CORE Impact can help: CORE Impact Pro can be used as a key tool for complying with the network-layer penetration testing section of Requirement 11.3 (11.3.1). It also assists with the application-layer testing elements (11.3.2), offering real-world assessment capabilities that cover the OWASP Top 10 vulnerability categories, including SQL injection, OS command injection and cross-site scripting. Note that the PCI Standard allows penetration testing to be performed by a qualified internal resource, regardless of your merchant or service provider level; the tester is not required to be a QSA or ASV.

Requirement 11.1: Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.
How CORE Impact can help: CORE Impact Pro offers many capabilities for identifying and assessing wireless networks, including:
- Discovery of both known and unauthorized Wi-Fi networks and access points
- Information gathering on signal strength, security protocols and connected devices
- Attack and penetration of networks encrypted with WEP, WPA-PSK and WPA2-PSK (recovery of a WPA/WPA2 pre-shared key is a dictionary attack against the captured four-way handshake, so it succeeds only where the passphrase is weak)
- Automated traffic sniffing to find streams of sensitive data
- Joining cracked networks and testing the backend systems reachable from them

Requirement 11.2: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.
How CORE Impact can help: Scanning applications are a key component of the vulnerability management process because they give you an understanding of your organization's potential vulnerabilities. Penetration testing with CORE Impact Pro builds on that process by identifying which of those vulnerabilities are real and determining if and how they can be exploited. Test results are presented in Impact Pro's Vulnerability Validation report, which helps you prioritize remediation, allocate security resources effectively and satisfy auditing requirements. Note that the quarterly external scans required by 11.2 must be performed by a PCI SSC Approved Scanning Vendor (ASV); penetration testing complements those scans but does not replace them.

Requirement 11.4: Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems... Keep all intrusion detection and prevention engines up-to-date.
How CORE Impact can help: Intrusion detection and prevention systems can detect and block unwanted network traffic, but they require ongoing, custom configuration and regular updates (e.g., new attack signatures) to remain effective. CORE Impact Pro lets you test the effectiveness of these defensive technologies and gives you the information you need to configure them to detect and block the latest threats.

Requirement 1.1.1: A formal process for approving and testing all network connections and changes to the firewall and router configurations.
How CORE Impact can help: Your security posture shifts constantly as store, franchise and e-commerce infrastructure evolves. With CORE Impact you stay on top of exposures created by new network connections and by changes to firewalls and other defensive infrastructure.

Requirement 2.2: Develop configuration standards for all system components and assure that the standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
How CORE Impact can help: CORE Impact Pro is continually updated with the latest commercial-grade exploits, designed to safely test your organization's exposure to newly discovered vulnerabilities in operating systems and services. Each exploit covers as many target OS configurations and attack methods as possible. You can also test live cardholder systems with confidence, because exploits are designed to avoid service disruption or to alert you when disruption could occur.

Requirement 5.1.1: Ensure that all anti-virus programs are capable of detecting, removing, and protecting against malicious software.
Requirement 5.2: Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.
How CORE Impact can help: You can test the effectiveness of your entire security infrastructure, including anti-virus programs and other PCI-mandated applications, with CORE Impact Pro. The product also makes it easy to tune security applications by testing them against specific attacks and generating reports that identify necessary patches and configuration issues. Impact Pro documents each test with an audit trail that you can compare against the logs of your security applications to confirm that attacks are detected as expected.

Requirement 6.1: Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
How CORE Impact can help: CORE Impact Pro gives you confidence in the integrity and effectiveness of your patches. After installing a patch, you can verify it by using CORE Impact to safely execute the attack the patch was designed to stop. You can also confirm that cardholder data remains protected by re-testing the network for new vulnerabilities the patch may have exposed.

Requirement 6.2: Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities. Note: risk rankings should be based on industry best practices.
How CORE Impact can help: CORE Impact makes it easy to pinpoint, document and track critical vulnerabilities in your environment. Impact vulnerability reports include industry-standard rankings such as the Common Vulnerability Scoring System (CVSS), which can feed your internal risk-rating process. In addition, CORE Impact offers industry-leading post-exploitation, evidence gathering and pivoting capabilities that reveal the true business risk of a specific vulnerability in your environment, which a base score alone cannot express.

Requirement 6.5.1: Injection flaws, particularly SQL injection. Also consider OS command injection, LDAP and XPath injection flaws, as well as other injection flaws.
Requirement 6.5.7: Cross-site scripting (XSS).
Requirement 6.5.9: Cross-site request forgery (CSRF).
How CORE Impact can help: CORE Impact Pro offers web application penetration testing capabilities that address elements of every OWASP Top 10 (2010) category, including those listed in these requirements:
- SQL injection, traditional and blind (OWASP A1)
- OS command injection (OWASP A1)
- Cross-site scripting (OWASP A2), including reflected, persistent and Adobe Flash XSS vulnerabilities
- Cross-site request forgery (OWASP A5)

Requirement 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure that these applications are protected against known attacks by either of the following methods: reviewing public-facing web applications via manual or automated application vulnerability assessment tools at least annually and after any changes, or installing a web application firewall in front of public-facing web applications.
How CORE Impact can help: CORE Impact Pro lets you proactively assess your web applications, together with the firewalls and other defenses in front of them, against today's most pressing threats, including those in the OWASP Top 10. Beyond replicating actual attacks against your web applications, Impact shows the consequences of each web application vulnerability by uncovering what data and backend infrastructure would be exposed if it were exploited.

Requirement 12.9.2: Implement an incident response plan and test it at least annually.
How CORE Impact can help: CORE Impact lets you simulate a full range of data incidents and evaluate how your defensive infrastructure, employees and contractors react.
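The CVSS base score referred to under Requirement 6.2 is a fixed formula, so the "assign a risk ranking" step can be automated rather than done by hand from each report. The Python below is an added example written for this page; it is not CORE Impact code or output. It computes the CVSS v2 base score from a base vector string and maps the score onto a High/Medium/Low ranking. The finding names and vectors are constructed sample input, and the thresholds (7.0 and 4.0, the NVD severity bands for CVSS v2) are an assumed internal policy: the PCI DSS v2.0 guidance for 6.2 cites a CVSS base score of 4.0 or above as one example of a "High" criterion, so set the constants to match your own documented process.

```python
import re
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 base-metric weights, as published in the CVSS v2 specification.
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}    # Access Vector: Local / Adjacent / Network
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}     # Access Complexity: High / Medium / Low
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}    # Authentication: Multiple / Single / None
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}   # Confidentiality/Integrity/Availability: None / Partial / Complete

_VECTOR_RE = re.compile(
    r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$"
)

# Assumed internal policy (NVD's CVSS v2 severity bands); adjust to your documented 6.2 process.
HIGH_THRESHOLD = 7.0
MEDIUM_THRESHOLD = 4.0


def parse_vector(vector):
    """Split a CVSS v2 base vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into its six metrics."""
    m = _VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    av, ac, au, c, i, a = m.groups()
    return {"AV": av, "AC": ac, "Au": au, "C": c, "I": i, "A": a}


def base_score(vector):
    """CVSS v2 base score, rounded half-up to one decimal as the specification requires."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    if impact == 0:
        return 0.0  # f(Impact) = 0 when there is no CIA impact at all
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176
    # Python's round() is banker's rounding; the spec wants ordinary half-up rounding.
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def risk_rank(score):
    """Map a base score onto the assumed High/Medium/Low policy bands."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def rank_findings(findings):
    """Return (name, vector, score, rank) tuples, highest risk first, for (name, vector) pairs."""
    ranked = []
    for name, vec in findings:
        score = base_score(vec)
        ranked.append((name, vec, score, risk_rank(score)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed sample findings for illustration; not real scan or test output.
SAMPLE_FINDINGS = [
    ("SQL injection in order lookup", "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    ("Reflected XSS in search form", "AV:N/AC:M/Au:N/C:N/I:P/A:N"),
    ("Unpatched remote code execution on POS server", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
    ("Information leak via local log file", "AV:L/AC:L/Au:N/C:P/I:N/A:N"),
]

if __name__ == "__main__":
    for name, vec, score, rank in rank_findings(SAMPLE_FINDINGS):
        print(f"{rank:6} {score:4.1f}  {name}  ({vec})")
```

Running the block lists the sample findings from the 10.0 remote code execution down to the 2.1 local information leak. The base score is only the starting point: the post-exploitation evidence the table describes (what data and systems an exploited flaw actually reaches) is what should move a finding up or down within your own ranking.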

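Requirement 6.5.1 names SQL injection first, and the table above distinguishes traditional from blind injection. The Python below is an added example written for this page, not code from CORE Impact or from the original document. It builds an in-memory SQLite table of constructed cardholder records (the usernames, passwords and last-four digits are made up), shows a login query assembled by string formatting, runs a traditional comment-based bypass and a boolean-based blind extraction against it, and then shows the same query written with bound parameters, against which both attacks fail. Plaintext passwords are used only to keep the example short; storing them that way would not satisfy Requirement 8.4 in a real system.

```python
import sqlite3


def make_db():
    """Create an in-memory database with constructed sample records (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cardholders ("
        "id INTEGER PRIMARY KEY, username TEXT, password TEXT, pan_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO cardholders (username, password, pan_last4) VALUES (?, ?, ?)",
        [("alice", "s3cret", "4242"), ("bob", "hunter2", "1111")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: untrusted input is pasted into the SQL text, so it can change the query."""
    sql = (
        "SELECT username FROM cardholders "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, username, password):
    """Hardened: the SQL text is constant; the driver binds the values as data, never as syntax."""
    sql = "SELECT username FROM cardholders WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Traditional injection: close the quoted string, then comment out the password check.
# Against login_vulnerable the query becomes:
#   ... WHERE username = 'alice' --' AND password = 'wrong-password'
BYPASS_USERNAME = "alice' --"


def blind_extract(login, conn, username, column="pan_last4", length=4):
    """Boolean-based blind injection: use the login result as a yes/no oracle and
    recover `column` for `username` one character at a time. `login` is the
    function under test, so the same attack can be run against both variants."""
    recovered = ""
    for pos in range(1, length + 1):
        for digit in "0123456789":
            probe = f"{username}' AND substr({column},{pos},1)='{digit}' --"
            if login(conn, probe, "irrelevant"):
                recovered += digit
                break
        else:
            # No digit produced a hit: the query is not acting as an oracle (hardened case).
            return None
    return recovered


def demo():
    """Run both attacks against both query variants and return the observed results."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, BYPASS_USERNAME, "wrong-password"),
        "hardened_bypass": login_hardened(conn, BYPASS_USERNAME, "wrong-password"),
        "vulnerable_blind": blind_extract(login_vulnerable, conn, "bob"),
        "hardened_blind": blind_extract(login_hardened, conn, "bob"),
        "legitimate": login_hardened(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result!r}")
```

The blind variant is the one a tester has to look for deliberately: the application never shows an error or the stolen value, it only answers yes or no, which is enough to read out the stored column with ten guesses per character. Parameter binding closes both paths because the driver never parses the input as SQL; it is the control to look for in code review under 6.6, not output escaping.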
About CORE Security

CORE Security is the leading provider of predictive security intelligence solutions. We help more than 1,400 customers worldwide preempt critical security threats and communicate business risk more effectively. Our award-winning enterprise solutions are backed by over 15 years of expertise from the company's CORE Labs research center. Learn more at www.coresecurity.com.

41 Farnsworth Street, Boston, MA 02210 USA
Ph: +1 617.399.6980
www.coresecurity.com
Blog: blog.coresecurity.com
Twitter: @coresecurity
Facebook: CORE Security
LinkedIn: CORE Security

2012 CORE Security and the CORE Security logo are trademarks or registered trademarks of CORE SDI, Inc. All other brands and products are trademarks of their respective holders.