PCI DSS Overview and Solutions
Anwar McEntee, Anwar_McEntee@rapid7.com

Agenda
- Threat environment and risk
- PCI DSS overview
- Who we are
- Solutions and where we can help
- Market presence
High Profile Hacks in the News
Breach Stats
Source: Verizon, 2012 Data Breach Investigations Report

Breach Characteristics
Source: Verizon, 2012 Data Breach Investigations Report

Customer Challenge
- Evolving risk: new threat vectors and system complexity
- Organizational complexity
- Threat environment: now professional, capable and motivated
- Prioritization to meet business goals is complex
- GRC (governance, risk and compliance)
Payment Card Industry Data Security Standard
- Council formed in 2004: Visa, MasterCard, American Express and JCB developed and ratified the PCI Standard.
- Objective is to protect card companies, merchants, and consumers from financial and data loss anywhere in the payment ecosystem.
- Largely applies to IT systems and applications, but also to processes.
- Includes banks, merchants, and service providers who accept, capture, store, transmit or process credit card data of any of the five card brands.
- If your company accepts credit cards for payments, then PCI compliance applies to you regardless of size.
- Compliance applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce.
- Common sense policies.

PCI entities

PCI DSS Design for Success
PCI DSS achieves its security goals in two general areas:
- Integrity of system components: all the parts of the payment process, against both logical and physical attack.
- Protecting the confidentiality of stored cardholder data in a given environment, and of cardholder and authentication data when transmitted over an open or public network.

PCI Requirements by Merchant

PCI DSS - 6 Sections - 12 Requirements
- 6 logically related groups, called "control objectives"
- 12 requirements for compliance

Attack Vectors
- Sniffer attack
- SQL injection
- Malware / trojan
- Database
- Staff, turnover, processes: from DBAs to contractors

Key Takeaways
- PCI DSS is neither a standard nor a regulation. It is a contractual agreement between the card associations, the merchant banks and merchants.
- Not a one-time process; it is an ongoing process.
- Quarterly scanning is mandatory for all merchants (Level 1-4) by a PCI SSC Approved Scanning Vendor (ASV).
- Applicable to all connected systems, i.e. systems not separated from the cardholder data environment by a firewall.
- Need to embed process and documentation into change management procedures.
- Sometimes the biggest threat is ourselves: new technology, new process, new staff, complacency.
Rapid7 Compliance Dashboard and Resources
- PCI Compliance Dashboard helps organizations manage and prepare for PCI compliance: https://community.rapid7.com/docs/doc-1512
- PCI Guide and detailed list of where we help with PCI compliance: http://www.rapid7.com/docs/pci-guide.pdf
- For more information on our PCI products and services: http://www.rapid7.com/services/pci-compliance-testing.jsp

Who is Rapid7

Rapid7 at a Glance
Company Background
- Founded in 2000, HQ in Boston
- Nexpose commercial launch in 2004
- VC funding from Bain Capital ($9M) and from Technology Crossover Ventures ($50M)
- Metasploit acquisition in 2009
- #1 fastest growing vendor within market sector
- 900%+ growth over last 4 years
- Offices in Boston, Los Angeles, Toronto, Austin, London, Hong Kong, Sydney (Dubai coming soon)

Satisfied Customers
Deployed in more than 65 countries. Sectors: Technology/Communication, Retail/Wholesale, Energy, Financial Services, Healthcare & Life Sciences, Manufacturing, Media & Entertainment, Government/Public Sector, Other.

Closed Loop Security Risk Intelligence Platform
- Risk Assessment: Vulnerability Management & Security Configuration Assessment (verified, but not validated, risk)
- Risk Validation: Penetration Testing & Threat and Risk Validation (real, validated, contextual risk)

NeXpose Vulnerability Management

Rapid7 NeXpose - Vulnerability Management
- Broadest, deepest, unified coverage
- Most accurate results
- Risk approach
- Lowest cost of ownership

NeXpose: Broadest, Deepest, Unified Vulnerability Coverage
- Most comprehensive vulnerability DB
- Only NeXpose offers vulnerability chaining
- NeXpose scans Web 2.0
Some specific areas of PCI Compliance
Rapid7's PCI Compliance Solutions help to meet the data security standards required for merchants and service providers:
- Performing quarterly internal and external vulnerability scans: Rapid7 is a certified Approved Scanning Vendor (ASV) by the PCI Security Standards Council, authorizing us to help you achieve compliance with the PCI Data Security Standard (DSS). (11.2)
- Performing Rapid7 PCI Gap Analysis: a detailed audit of your networked environment, web application development secure coding policies, physical security control policies, training policies, and personnel policies, in addition to providing guidance on network segmentation to show you how to reduce the scope of your PCI audit and limit your cardholder segment. (6.5)
- Performing web application assessment testing: to identify vulnerabilities based on the OWASP Top 10 vulnerability list, in addition to providing Security Awareness Training, OWASP web development training and CEH/penetration test training on request. (6.6)
- Providing assistance in completing the appropriate PCI Self-Assessment Questionnaire (SAQ) when required for PCI certification.

Metasploit Penetration Testing

Metasploit Pro Today
- Largest exploit database
- No. 1 pen test solution
- Automation, workflow
- Reporting
- Web scanning / pen testing
- Validation to NeXpose
- Lower TCO

Metasploit High Level

Rapid7 Metasploit
Rapid7 Metasploit is a penetration testing solution that tests how well your perimeter holds up against real world attacks. In the context of PCI, Metasploit helps to:
- Comply with requirement 11.3: perform annual internal and external penetration tests
- Test the external and internal boundary defenses of the scope
- Test the level of accessibility and exploitability of critical cyber assets
- Test the efficiency of your access control systems and policies within the scope
- Audit password length and complexity and authentication methods
- Determine the exploitability of identified vulnerabilities
- Determine if a hacker could access and steal electronic protected information through web applications
- Support incident response by providing details on vulnerabilities and misconfigurations that were exploited, as well as remediation steps to prevent future exploits

Mobilisafe
High Number of Mobile Vulnerabilities
Mobilisafe Capabilities
Best in Class
Rapid7 Mobilisafe
Rapid7 Mobilisafe helps organizations subject to PCI compliance to manage the risk associated with their mobile devices in three main ways:
- Visibility: Discover who your users are and what devices they are bringing into the organization and using to access company data. Mobilisafe provides immediate visibility into specific device attributes including name, model, manufacturer, operating system type and version, along with each device's connection history.
- Management: Monitor, assess and automatically identify the vulnerability risk of each device. Real-time vulnerability mapping identifies devices susceptible to emerging risks. Mobilisafe issues a TrustScore for every device your employees use so you can easily determine how trustworthy a device is for your company data.
- Action: Define and deploy policies that easily mitigate mobile risk, e.g. block devices with a low trust score from accessing the network or wipe all data from lost devices. Deliver an easy mechanism for employees to automatically update their devices to the latest available firmware to mitigate risk. Automate communication to mobile users and related policies based on device attributes, vulnerability severity level and employee profile.

Market Position
Recognized Market Leader Source: Forrester Wave for Vulnerability Management, Q2/2010
Thank You