Reduce Security Compliance Costs Using Open Source

BLUE KAIZEN CENTER OF IT SECURITY, Cairo Security Camp 2010
Reduce Security Compliance Costs Using Open Source
Subject: This document gives the reader an introduction to Information Security Compliance, Why Comply?, Compliance Costs, Open Source Definition, Why Consider Open Source?, Open Source Software Useful for Security Compliance, Open Source References and Case Study, Facing Open Source Challenges, and Open Source Software Selection Criteria.
Author: Mostafa Ibrahim
Version: 1.0
Date: July 2010
Pages: 53

Reduce Security Compliance Costs Using Open Source
Mostafa Ibrahim, CTO, Security Meter
CISA, ISO 27001 LA, RHCE
mostafa.ibrahim@security-meter.com

AGENDA
1. Information Security Compliance
2. Why Comply?
3. Compliance Costs
4. Open Source Definition
5. Why Consider Open Source?
6. Open Source Software Useful for Security Compliance
7. Open Source References and Case Study
8. Facing Open Source Challenges
9. Open Source Software Selection Criteria
10. Conclusion

AGENDA 1: Information Security Compliance

Information Security Compliance
- Forces companies to put their infrastructure in order.
- In many cases companies face stiff penalties if deadlines are not met.
- Prescribes policies and procedures that:
  > cover minimum standards for the use of IT equipment,
  > cover definitions of misuse,
  > cover rules for enforcing the standards that have been set,
  > protect the company's IT equipment, data and other assets,
  > include security and other business policies.

Standards vs. Regulations
Standards
- Issued by national or international bodies, e.g. BSI, ISO.
- Codes of practice and management-system standards (e.g. ISO 27001, ISO 9001, ISO 20000).
- Sanctions: none.
Regulations
- Issued by government agencies, markets or sectoral bodies.
- Government agencies: e.g. FISMA for U.S. federal government agencies.
- Markets and sectoral bodies: e.g. Basel II for banks, HIPAA for health care and insurance, PCI DSS for the payment card industry, SOX for U.S. public companies.
- Sanctions: fines, loss of the ability to do business.

AGENDA 2: Why Comply?

Why Comply?
- Helps management: you can't manage what you can't measure.
- Enables benchmarking, internally and against others.
- Builds trust with partners and customers.
- Enables trend analysis: are things getting better or worse?
- Audits usually increase visibility into business processes and the IT infrastructure.
- Avoid losing business because of being non-compliant.
- Avoid being penalized for non-compliance.

Why Comply? Two breaches
TJX
- One of the biggest retailers, dealing with more than 60 banks.
- Considered at the time to be the largest data breach ever: at least 94 million Visa and MasterCard accounts may have been exposed.
- The company reported spending $202 million in response to the breach.
- The entry point was a wireless security weakness at one of its remote branches.
Heartland
- One of the largest processors of credit and debit card transactions in the U.S.
- Estimates put the number of exposed accounts at more than 100 million.
- Attackers planted malware that sniffed payment card data as it moved across the company's network, then carried it out of Heartland's systems in encrypted data streams.

Path to Compliance
1. Determine the scope precisely, in terms of assets and business processes.
2. Reduce the scope by segmenting the network.
3. Baseline your environment against the standard to identify gaps.
4. For every gap, determine the remediation actions and the associated effort.
5. Develop a prioritized plan to address the gaps.
6. Execute, but only with management support.

AGENDA 3: Compliance Costs

Cost of Compliance
- U.S. public companies were spending $4.36 million each, on average, to comply with Section 404 of Sarbanes-Oxley (March 2005 survey conducted by Financial Executives International).
- Entities typically spend between $2 and $8 million each to comply with PCI DSS (from the author's experience in the region).
- Security compliance is very expensive.

AGENDA 4: Open Source Definition

What exactly is Open Source Software?
Open Source is about granting users the freedom to run, copy, distribute, study, change and improve the software. The four freedoms below are the Free Software Foundation's definition of free software; the Open Source Initiative's Open Source Definition is a separate ten-point list of license criteria, but in practice the two cover the same licenses.
OSS is any software that provides the following freedoms. The freedom to:
- run the program, for any purpose (freedom 0);
- study how the program works, and adapt it to your needs (freedom 1);
- redistribute copies so you can help your neighbor (freedom 2);
- improve the program, and release your improvements to the public, so that the whole community benefits (freedom 3).
Whether the software and its derivative works must stay free depends on the license: copyleft licenses such as the GPL impose that obligation, permissive licenses such as BSD and MIT do not. This matters as soon as you plan to modify a tool and ship it to customers.

Open Source vs. Other Types
- Closed source: the source is private and owned by someone. Usually you would have to pay for the source code, if it is even for sale.
- Freeware: software distributed at no charge. It says nothing about whether the source code is available, and is not "free software" in the sense above.
- Source available: the source can be read, but not modified or redistributed. It lets users understand how the software works, which is useful for review, but gives none of the other freedoms.

AGENDA 5: Why Consider Open Source?

Why Consider Open Source?
- Avoid vendor lock-in.
- Open source allows many people to find and fix security or efficiency problems (provided somebody actually looks; review does not happen by itself).
- Ease of customization.
- Deep understanding of the underlying technology.
- Lower TCO: no license cost. Support, training and the staff to run the tools still cost money, which is the subject of the "challenges" section below.

AGENDA 6: Open Source Software Useful for Security Compliance

Open Source Software Useful for Security Compliance
- Firewall
- Network IDS / IPS
- File Integrity Monitoring / HIDS
- Web Application Firewall
- Log Management
- Encryption (at rest, in motion)
- Change Management
- Vulnerability Scanning
- Penetration Testing
- Business Continuity
- Alerting System
- Configuration Management Database
- Monitoring

Firewall
PCI DSS Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
ISO 27k A.10.6.1 (Annex A references throughout this deck are to ISO/IEC 27001:2005): Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.

Open Source Firewalls
- Netfilter / iptables, the packet filter built into the Linux kernel: http://www.netfilter.org
- Endian Firewall: http://www.endian.com
- ClearOS: http://www.clearfoundation.com/
- Zeroshell: http://www.zeroshell.net
Endian, ClearOS and Zeroshell are Linux distributions that package netfilter behind a management interface; iptables on its own is the choice when the firewall is a host or router you already run.

IDS / IPS
PCI DSS Requirement 11.4: Use intrusion-detection systems and/or intrusion-prevention systems to monitor all traffic in the cardholder data environment. The same requirement expects the engines and signatures to be kept up to date, so an unmaintained sensor does not satisfy it.
ISO 27k A.10.6.1: Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.

Open Source IDS / IPS
- Snort has become the de facto standard for network intrusion detection and, when run inline, prevention: http://www.snort.org
- BASE (Basic Analysis and Search Engine), a web interface that adds reporting and analysis capabilities to Snort alerts: http://base.secureideas.net
- Sguil, an intuitive GUI that gives analysts real-time events, session data and raw packet capture: http://sguil.sourceforge.net

HIDS / File Integrity Monitoring
PCI DSS Requirement 11.5: Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
ISO 27k A.10.4 Protection against malicious and mobile code. Objective: to protect the integrity of software and information.

Open Source HIDS / File Integrity Monitoring
- OSSEC: runs on almost all popular operating systems (Linux, Mac OS, Solaris, HP-UX, AIX, and Windows as an agent) and has its own web interface: http://www.ossec.net
- Samhain, with Beltane as an intuitive web interface for it: http://www.la-samhna.de/
- Osiris: http://osiris.shmoo.com/
Whichever you pick, keep the baseline database and the alerts on a host the monitored system cannot write to; a file-integrity check whose reference copy the intruder can also edit alerts on nothing.
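To make 11.5 concrete, here is a minimal file-integrity monitor written for this page as an added example; it is not OSSEC, Samhain or Osiris code. It baselines a directory tree (SHA-256, size, mode, owner per file) and on a later run reports what was added, removed or changed, naming the attribute that changed. The "etc" tree in demo() and its contents are constructed for the example; the only assumption is a Linux host with a standard Python 3.

```python
"""Minimal file-integrity monitor of the kind PCI DSS 11.5 asks for.

Added example written for this page; it is not OSSEC, Samhain or Osiris code.
It fingerprints every regular file under a directory (SHA-256, size, mode,
owner), stores that as a baseline, and on a later run reports files that were
added, removed or changed, naming the attribute that changed.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from typing import Any, Dict


def _fingerprint(path: str) -> Dict[str, Any]:
    """Attributes compared for one regular file. The hash covers content; mode
    and owner catch chmod/chown changes that leave the content untouched."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}


def build_baseline(root: str) -> Dict[str, Dict[str, Any]]:
    """Walk root and fingerprint every regular file; symlinks are skipped."""
    baseline: Dict[str, Dict[str, Any]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = _fingerprint(full)
    return baseline


def save_baseline(baseline: Dict[str, Dict[str, Any]], path: str) -> None:
    # Keep the baseline off the monitored host or sign it: a baseline the
    # intruder can rewrite after modifying files proves nothing.
    with open(path, "w") as f:
        json.dump(baseline, f, sort_keys=True, indent=1)


def load_baseline(path: str) -> Dict[str, Dict[str, Any]]:
    with open(path) as f:
        return json.load(f)


def compare(baseline: Dict[str, Dict[str, Any]],
            current: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Diff two snapshots. 'changed' maps a path to the attributes that differ."""
    report: Dict[str, Any] = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            diffs = sorted(k for k in baseline[rel] if baseline[rel][k] != current[rel][k])
            if diffs:
                report["changed"][rel] = diffs
    return report


def demo() -> Dict[str, Any]:
    """Constructed scenario: baseline a scratch 'etc' tree, then tamper with it
    in four different ways and return the comparison report."""
    work = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        tree = os.path.join(work, "tree")
        etc = os.path.join(tree, "etc")
        os.makedirs(etc)
        files = {"passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                 "sshd_config": b"PermitRootLogin no\n",
                 "hosts": b"127.0.0.1 localhost\n"}
        for name, body in files.items():
            with open(os.path.join(etc, name), "wb") as f:
                f.write(body)
            os.chmod(os.path.join(etc, name), 0o644)
        baseline_path = os.path.join(work, "baseline.json")  # outside the tree
        save_baseline(build_baseline(tree), baseline_path)

        # Tampering: content edit, permission change, deletion, new file.
        with open(os.path.join(etc, "sshd_config"), "wb") as f:
            f.write(b"PermitRootLogin yes\n")
        os.chmod(os.path.join(etc, "passwd"), 0o666)
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(etc, "shadow.bak"), "wb") as f:
            f.write(b"root:$6$...\n")

        return compare(load_baseline(baseline_path), build_baseline(tree))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it weekly from cron (or more often) against /etc, the web roots and the payment application's binaries, and ship the report to the same place as the logs; the weekly interval is the minimum 11.5 states, not a target.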

Web Application Firewall
PCI DSS Requirement 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either reviewing the applications for vulnerabilities (manually or with automated tools) at least annually and after any change, or installing a web-application firewall in front of public-facing web applications. This deck takes the second option; it is an alternative to the application review, not an addition to it.

Open Source Web Application Firewall
ModSecurity, the most widely used web application firewall, with over 10,000 deployments: http://www.modsecurity.org
At the time of this talk it ran as an Apache module; its rule language is generic and the OWASP Core Rule Set gives a starting rule base. The real work is tuning: a deployment left in DetectionOnly mode logs attacks but does not block them.

Log Management
PCI DSS Requirement 10.2: Implement automated audit trails for all system components.
PCI DSS Requirement 10.5.5: Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts.
ISO 27k A.10.10.1 Audit logging: audit logs recording user activities, exceptions and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
ISO 27k A.10.10.3 Protection of log information: logging facilities and log information shall be protected against tampering and unauthorized access.

Open Source Log Management Solutions
- syslog-ng: http://sourceforge.net/projects/syslog-ng/
- php-syslog-ng, a web interface for syslog-ng: http://sourceforge.net/projects/php-syslog-ng
- Snare, collects Windows event logs and forwards them as syslog messages: http://www.intersectalliance.com
- OSSIM (Open Source Security Information Management), much more than a basic log management solution: http://www.alienvault.com
Forwarding to a central syslog-ng host is what makes 10.5.5 achievable: a log that exists only on the compromised machine can be edited by whoever owns that machine.
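10.5.5 is about making the stored log tamper-evident. The block below is an added example, not syslog-ng, OSSIM or OSSEC code: every stored line carries an HMAC chained to the previous line's tag, so editing, deleting or reordering an earlier record breaks every tag after it, while appending stays cheap. The syslog lines and the key are constructed for the example; in a real deployment the key lives only on the central log host, and the final tag is periodically copied somewhere that host cannot rewrite, because without that anchor a deletion at the end of the file is invisible.

```python
"""Tamper-evident log storage for PCI DSS 10.5.5.

Added example written for this page; it is not syslog-ng, OSSIM or OSSEC
code. Every stored line carries an HMAC over the previous line's tag and its
own message, so editing, deleting or reordering an earlier line invalidates
every tag after it. Removing lines from the *end* is only detected when the
last tag (the "anchor") is kept somewhere the log host cannot rewrite.
"""
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed key for the example. In practice it lives on the central log
# server only; a log source holding the key could forge its own history.
KEY = b"example-log-chain-key"
GENESIS = "0" * 64  # tag assumed to precede the first line


def _tag(prev: str, msg: str, key: bytes) -> str:
    return hmac.new(key, (prev + "\n" + msg).encode("utf-8"), hashlib.sha256).hexdigest()


def seal(messages: List[str], key: bytes = KEY) -> List[str]:
    """Return '<tag> <message>' lines, each tag chained to the previous one."""
    prev, out = GENESIS, []
    for msg in messages:
        prev = _tag(prev, msg, key)
        out.append(f"{prev} {msg}")
    return out


def verify(lines: List[str], key: bytes = KEY, anchor: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first
    bad line; len(lines) means every line verifies but the last tag does not
    match the stored anchor, i.e. lines were dropped from the end."""
    prev = GENESIS
    for i, line in enumerate(lines):
        tag, _, msg = line.partition(" ")
        if not hmac.compare_digest(tag, _tag(prev, msg, key)):
            return i
        prev = tag
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return len(lines)
    return None


# Constructed syslog-style records, not real logs.
SAMPLE = [
    "Jan 10 10:01:02 pay01 sshd[812]: Accepted publickey for ops from 10.1.2.3 port 50211",
    "Jan 10 10:02:15 pay01 sudo: ops : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "Jan 10 10:03:00 pay01 sshd[812]: Disconnected from 10.1.2.3 port 50211",
]


def demo() -> Dict[str, Optional[int]]:
    """Seal SAMPLE, then try the edits an intruder cleaning up would make."""
    sealed = seal(SAMPLE)
    anchor = sealed[-1].split(" ", 1)[0]        # what you would store off-host
    edited = list(sealed)
    edited[1] = edited[1].replace("/etc/shadow", "/etc/motd")
    deleted = sealed[:1] + sealed[2:]            # the sudo line removed
    truncated = sealed[:-1]                      # last line removed
    return {
        "intact": verify(sealed, anchor=anchor),
        "edited": verify(edited, anchor=anchor),
        "deleted": verify(deleted, anchor=anchor),
        "truncated_no_anchor": verify(truncated),
        "truncated_with_anchor": verify(truncated, anchor=anchor),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'ok' if result is None else 'tamper at line ' + str(result)}")
```

The "truncated_no_anchor" case is the one to remember: chaining alone says nothing about lines removed from the tail, which is exactly what an intruder erasing the last hour does. The anchor (or a line count) has to be recorded off-host on a schedule.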

Encryption
PCI DSS Requirement 3.4: Render PAN, at minimum, unreadable anywhere it is stored.
PCI DSS Requirement 4.1: Use strong cryptography and security protocols such as SSL/TLS or IPsec to safeguard sensitive cardholder data during transmission over open, public networks. (Since PCI DSS 3.1 in 2015, SSL and early TLS no longer count as strong cryptography; read this as TLS 1.2 or later.)
ISO 27k A.12.3 Cryptographic controls. Objective: to protect the confidentiality, authenticity or integrity of information by cryptographic means.
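As an added example for 3.4 (not code from any tool on this page), the block below shows two of the methods the requirement accepts, truncation and a keyed one-way hash, together with the Luhn-checked search that finds a card number leaked into free text such as a log line so it can be masked before the line is stored. The log line and the key are constructed for the example; the card number is a published test PAN, not a real one.

```python
"""Rendering PANs unreadable (PCI DSS 3.4) and catching ones that leak into logs.

Added example written for this page, not code from any tool it lists. It shows
two of the methods 3.4 accepts, truncation and a keyed one-way hash, plus the
Luhn-checked search used to find a card number inside free text (a log line,
for instance) so it can be masked before the line is stored.
"""
import hashlib
import hmac
import re
from typing import List

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not part of a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: every real PAN passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Keep the first six (BIN) and last four, the most PCI DSS allows to be
    displayed, and mask everything in between."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash for matching a PAN without storing it.
    A plain unkeyed SHA-256 is not 'unreadable': with the BIN known and the
    last digit fixed by Luhn, a 16-digit PAN has only about 10**9 candidates,
    which is trivial to enumerate. The key must be managed like an encryption key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def _digits(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers found in text, separators removed."""
    return [_digits(m.group()) for m in _CANDIDATE.finditer(text)
            if luhn_ok(_digits(m.group()))]


def scrub(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its truncated form; other
    digit runs (order ids, references) are left alone."""
    def repl(m):
        d = _digits(m.group())
        return truncate(d) if luhn_ok(d) else m.group()
    return _CANDIDATE.sub(repl, text)


# Constructed log line for the example; the card number is a well-known test PAN.
SAMPLE_LINE = ("Jul 12 10:42:07 pay01 checkout[2210]: order=883 "
               "card=4111 1111 1111 1111 amount=120.00 ref=12345678901234")

if __name__ == "__main__":
    print(find_pans(SAMPLE_LINE))
    print(scrub(SAMPLE_LINE))
    print(pan_token("4111111111111111", b"example-key-that-would-come-from-a-kms"))
```

Run scrub() on every log line before it leaves the payment host: a PAN that reaches the central log server pulls that server, its backups and everyone who can read them into scope. The Luhn filter keeps the order and reference numbers in the sample intact while the card number is masked.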

Open Source Encryption Solutions
- TrueCrypt, disk encryption for Windows 7/Vista/XP, Mac OS X and Linux: http://www.truecrypt.org (development stopped in May 2014; VeraCrypt continues the code base, and on Linux dm-crypt/LUKS is the native choice)
- Openswan, IPsec VPN: http://www.openswan.org
- OpenVPN, SSL/TLS VPN: http://www.openvpn.net
- OpenSSH, SSH and SFTP, the encrypted replacement for Telnet and FTP: http://www.openssh.org/

Change Management
PCI DSS Requirement 6.4: Follow change control procedures for all changes to system components.
ISO 27k A.12.5.1 Change control procedures: the implementation of changes shall be controlled by the use of formal change control procedures.

Open Source Change Management Solution
OTRS (Open source Ticket Request System), an ITIL-compatible change management system: http://www.otrs.org

Vulnerability Scanning
PCI DSS Requirement 11.2: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
Note that the quarterly external scans must be performed by an Approved Scanning Vendor (ASV); open source scanners cover the internal scans and the after-change scans, not the ASV report.
ISO 27k A.12.6 Technical vulnerability management. Objective: to reduce risks resulting from exploitation of published technical vulnerabilities.

Open Source Vulnerability Scanners
- The short and wrong answer is Nessus. It was open source until version 3 in 2005; Tenable still offers a free-of-charge build for home, non-commercial use, but it is no longer open source: http://www.nessus.org
- OpenVAS, the open source fork of the last GPL Nessus release: http://www.openvas.org/
- Nmap, the port scanner; with its scripting engine it also does service-level checks, but it is not a substitute for a vulnerability scanner: http://nmap.org
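An added example for 11.2 and its "after any significant change" clause (not nmap or OpenVAS code): it parses the XML that nmap writes with -oX and reports open ports that are not on a per-host allow-list, expected ports that have disappeared, and hosts the allow-list does not know. The XML and the allow-list are constructed for the example; the element names are the ones nmap actually emits, but the scan itself is not real.

```python
"""Comparing an nmap scan of the cardholder data environment with what should be there.

Added example written for this page; it is not nmap or OpenVAS code. It reads
nmap's -oX XML output and reports open ports missing from a per-host allow-list,
expected ports that are no longer open, and hosts the allow-list does not know.
"""
import xml.etree.ElementTree as ET
from typing import Any, Dict, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number)

# Constructed scan output using nmap's real element names; not a real scan.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -oX cde.xml 10.1.2.0/28">
  <host><status state="up"/><address addr="10.1.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.1.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.1.2.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/></port></ports>
  </host>
</nmaprun>"""

# Constructed allow-list: what the CDE network diagram says each host exposes.
EXPECTED: Dict[str, Set[Port]] = {
    "10.1.2.10": {("tcp", 22), ("tcp", 443)},
    "10.1.2.11": {("tcp", 22), ("tcp", 443)},
}


def open_ports(xml_text: str) -> Dict[str, Set[Port]]:
    """Map each scanned IPv4 address to its set of open (protocol, port) pairs."""
    result: Dict[str, Set[Port]] = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports: Set[Port] = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.add((port.get("protocol", "tcp"), int(port.get("portid", "0"))))
        result[addr.get("addr", "")] = ports
    return result


def findings(scan: Dict[str, Set[Port]], expected: Dict[str, Set[Port]]) -> Dict[str, Any]:
    """Three kinds of drift, each of which is a change somebody has to explain."""
    report: Dict[str, Any] = {"unexpected_ports": {}, "missing_ports": {}, "unknown_hosts": []}
    for addr, ports in scan.items():
        if addr not in expected:
            report["unknown_hosts"].append(addr)   # a host nobody put on the diagram
            continue
        extra = sorted(ports - expected[addr])     # new service, e.g. a database listening in the CDE
        gone = sorted(expected[addr] - ports)      # an expected service is down or now filtered
        if extra:
            report["unexpected_ports"][addr] = extra
        if gone:
            report["missing_ports"][addr] = gone
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(findings(open_ports(SAMPLE_NMAP_XML), EXPECTED), indent=1))
```

Keep the allow-list under change control (6.4) and run this after every firewall or topology change: the port that appears without a ticket is the finding, whether or not a scanner has a signature for it.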

Penetration Testing
PCI DSS Requirement 11.3: Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment).
ISO 27k A.12.6.1 Control of technical vulnerabilities: timely information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.

Open Source Penetration Testing Tools
- Metasploit, with the world's largest database of public, tested exploits: http://www.metasploit.com
- Nikto, web server scanner: http://cirt.net/nikto2
- w3af, Web Application Attack and Audit Framework: http://w3af.sourceforge.net/
- BackTrack, a complete Linux distribution focused on penetration testing that bundles almost all of the open source security testing tools (succeeded by Kali Linux in 2013): http://backtrack.offensivesecurity.com
- Write your own exploits using the ready-made frameworks or libraries.

Business Continuity
BS 25999: the whole standard is about business continuity (it has since been superseded by ISO 22301).
ISO 27k A.14 Business continuity management.

Open Source Tools for Business Continuity
- Linux-HA (Heartbeat/Pacemaker), high availability clusters: http://www.linux-ha.org
- Linux Virtual Server, load balancing and high availability clusters for web servers or web application servers: http://www.linuxvirtualserver.org/

AGENDA 7: Open Source References and Case Study

Open Source References
Snort IDS/IPS
- 300,000 registered users, 4 million downloads.
- DARPA, the FBI, the Pentagon and other U.S. government agencies use Snort.
- Amazon's cloud computing platform uses Snort.
OTRS
- Supports 27 languages.
- Used by 80,000 organizations, including many European banks.
- BitDefender uses OTRS.

Open Source Case Study: Advanced Operations Technology
- Application service provider hosting 12 Saudi brokers.
- More than 400 servers running open source solutions on Linux.
- 22 servers running firewall (iptables), IPS (Snort) and VPN (Openswan).
- 11 pairs of high availability clusters using keepalived.
- 11 web load balancers (Linux Virtual Server).
- ModSecurity web application firewall installed on all web servers.
- OTRS used as the ticketing system and change management system.
- OSSEC HIDS installed on all servers and managed from a centralized console.

Open Source Case Study: Advanced Operations Technology (continued)
- syslog-ng and php-syslog-ng as centralized log management, collecting logs from all systems, network devices and applications.
- OpenLDAP as the centralized directory service.
- i-doit as a centralized CMDB for all system configurations.
- Nagios providing performance monitoring for all systems and network devices.
- TrueCrypt used to encrypt disks holding confidential data.
- OpenSSH for remote login and secure FTP, with public-key authentication using passphrase-protected key files. The slide calls this two-factor authentication; strictly, the server verifies only the key, and the passphrase protects the key file on the client, so it is better described as key-based authentication with a protected private key.
- iSCSI Enterprise Target as IP SAN storage.

AGENDA 8: Facing Open Source Challenges

Facing Open Source Challenges
The major challenges are a lack of professional services, support and training. Facing them is only possible by:
- hiring and building a highly qualified open source team, able to dig into source code when needed and able to deal with open source communities and mailing lists;
- building a lab / testing environment and having a small R&D department (one or two people);
- short-listing the companies providing open source professional services, support and consulting.
Without reaching an adequate level of competency in dealing with open source software, forget about it.

AGENDA 9: Open Source Software Selection Criteria

Open Source Software Selection Criteria
- Reputation
- Ongoing effort
- Standards and interoperability
- Support (community / commercial)
- Version
- Documentation
- Skill set
- License

AGENDA 10: Conclusion

Conclusion
Extreme claims:
- OSS is always more secure.
- Proprietary is always more secure.
Reality:
- Neither OSS nor proprietary is always better.
- Some specific OSS programs are more secure than their competing proprietary products.
- Include OSS options when acquiring, then evaluate.

Conclusion
We are not open source fans. We are not claiming that open source is better than closed source in all aspects. We are just trying to convince you to consider open source; you will never lose by doing so.

Thank You
Mostafa Ibrahim, CTO, Security Meter
CISA, ISO 27001 LA, RHCE
mostafa.ibrahim@security-meter.com