Observations from the Trenches
CSO Breakfast Club Retail and PCI Security Forum, May 2010
Olivia Rose Jenkins, CISSP, QSA, Sr. Security Consultant

Agenda
- Conversations with CXOs
- PCI and Your Security Program ~ Oil and Water?
- PCI and Your Security Program ~ DIY
- Wrap Up / Questions
Conversations with CXOs
THINGS I HAVE TO DO: Protect our customers / Retain our customers
THINGS I'M WORRIED ABOUT: Risk, risk, and more risk
THINGS I WANT TO DO: Have my security practice support my company's operations, business, and growth

Conversations with CXOs: THINGS I HAVE TO DO
Protect our customers / Retain our customers:
- PCI
- Other regulatory requirements
- Internal and external audit mandates
- Company Board mandates
- Third-party and customer contractual requirements
About Retaining Customers (Consumer Goods Forum Survey, Jan 2010)
Issue | % Choosing Issue | 2010 Ranking | 2009 Ranking
The economy and consumer demand (energy costs, demographic change, consumer trends) | 50.4 | 1 | =1
Corporate social responsibility (sustainability, social standards, corporate governance) | 38.1 | 2 | 3
Conversations with CXOs: THINGS I AM WORRIED ABOUT
Risk!
- How do I protect our brand image?
- How do I meet future PCI requirements?
- How do I respond to specific risks?
- How do I keep up with our competitors?

Conversations with CXOs: THINGS I WANT TO DO
- Support and meet company initiatives
- Support revenue targets
- Reduce costs to the business
- Have security seen as critical
- Help improve my company's business
ISO 27002 and PCI
PCI Requirement 12 | ISO 27002
Security Policy | 5.1 Information Security Policy
Employee-facing Technologies | 11.7 Mobile computing and teleworking
Roles and Responsibilities | 6.1 Internal organization
Security Awareness | 8.2 During employment
Background Checks | 8.1 Prior to employment
Third-Parties | 10.2 Third-party service delivery management
Incident Response | 13.2 Management of information security incidents and improvements

Spending Dynamics in 2010 (chart; highlighted item: PCI!) Source: Gartner 2010
#1: Identity Management
PCI Testing Procedure:
7.1 Obtain and examine written policy for data control, and verify that the policy incorporates the following:
7.1.1 Confirm that access rights for privileged user IDs are restricted to the least privileges necessary to perform job responsibilities.
7.1.2 Confirm that privileges are assigned to individuals based on job classification and function (also called role-based access control or RBAC).
7.1.3 Confirm that an authorization form is required for all access, that it must specify required privileges, and that it must be signed by management.
7.1.4 Confirm that access controls are implemented via an automated access control system.
7.2 Examine system settings and vendor documentation to verify that an access control system is implemented as follows:
7.2.1 Confirm that access control systems are in place on all system components.
7.2.2 Confirm that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.
7.2.3 Confirm that the access control systems have a default deny-all setting.
Translation:
1. Document your access control practices
2. Restrict to individuals who actually need access
3. Track with a form signed by management
4. Control access with an automated system
5. Ensure it is used on all systems in-scope
6. Deny access to anyone or anything without permissions
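The "translation" above maps onto a small access-control model. The following is an added example, not code from the presentation: role-based grants that require a management-signed authorization form, evaluated with a default deny-all; the roles, components, users and manager names are constructed.

```python
"""Added example (not from the presentation): a minimal access-control model
mirroring testing procedures 7.1.1-7.1.4 and 7.2.2-7.2.3: role-based grants,
each backed by a management-signed authorization form, evaluated with a
default deny-all.  Roles, users and managers are constructed sample data."""
from dataclasses import dataclass, field
from typing import Optional

# Role -> privileges (component, action) on in-scope systems (7.1.2, RBAC).
ROLES = {
    "store_manager": {("aloha_pos", "operate")},
    "dba": {("oracle_db", "read"), ("oracle_db", "admin")},
    "net_admin": {("cisco_fw", "admin")},
}

@dataclass(frozen=True)
class AuthForm:                 # 7.1.3: privileges requested, signed by management
    user: str
    role: str
    signed_by: Optional[str]

@dataclass
class AccessControl:            # 7.1.4: the automated system that enforces grants
    managers: set = field(default_factory=set)
    grants: dict = field(default_factory=dict)   # user -> set of roles

    def grant(self, form: AuthForm) -> bool:
        """Assign a role only when the form is signed by a known manager."""
        if form.signed_by not in self.managers or form.role not in ROLES:
            return False
        self.grants.setdefault(form.user, set()).add(form.role)
        return True

    def allowed(self, user: str, component: str, action: str) -> bool:
        """7.2.3 default deny: anything not explicitly granted is refused."""
        return any((component, action) in ROLES[r]
                   for r in self.grants.get(user, set()))

    def privileged_users(self) -> set:
        """7.1.1 review aid: who holds any 'admin' privilege (least-privilege check)."""
        return {u for u, roles in self.grants.items()
                if any(a == "admin" for r in roles for _, a in ROLES[r])}

def demo() -> dict:
    ac = AccessControl(managers={"alice_mgr"})
    ac.grant(AuthForm("pat", "store_manager", "alice_mgr"))
    ac.grant(AuthForm("sam", "dba", "alice_mgr"))
    unsigned = ac.grant(AuthForm("tim_sales", "dba", None))    # no signature: rejected
    return {"pat_pos": ac.allowed("pat", "aloha_pos", "operate"),
            "pat_db": ac.allowed("pat", "oracle_db", "read"),
            "tim_db": ac.allowed("tim_sales", "oracle_db", "read"),
            "unsigned_granted": unsigned,
            "privileged": ac.privileged_users()}
```

Running `demo()` shows a grant without a manager signature being refused and a user with no role being denied by default, while `privileged_users()` gives the list a reviewer would check against job function for 7.1.1.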
The PCI Council Says
The PCI DSS security requirements apply to all system components. System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to, the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.

Your QSA Says
Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to, the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.
PLUS:
- Every computer (laptop, desktop)
- Every backup tape
- Every point-of-sale (POS)
- Every portable device and external-facing technology
- Every physical location which processes, transmits, and/or stores cardholder data (whether printed or electronic)
- Every individual (whether employed by your organization or a third party) who views, touches, and works with the systems in-scope
For any systems which are in this cardholder data environment AND/OR process, transmit, and/or store cardholder data.
1) Discover your Data Flows
- 10 stores in NorthEast, 25 in South
- www.atvsrockmyworld.com
- Catalog with order form
- Internal employee orders
- Call center

2) Perform Scoping Exercise
Take each dataflow, then determine:
Systems | Purpose, vendor, version, location, users, etc.
Locations | For data centers, and any location with CHD
Third-parties | Who have physical and technical access
Connections | Ingoing, outgoing, internal, external, wireless
Users | Who has access to CHD systems anywhere
Other | Paper? Call center?

3) Assign Owners
Systems | Administrators for databases, servers, desktops, backup tapes, encryption, etc.
Locations | Points of contact at each location
Third-parties | Vendor managers and/or Legal
Connections | Network administrators/security managers
Users | HR, HelpDesk

Scoping Exercise (diagram; the column headings and items are recovered as lists)
Systems In-Scope: Aloha 6.5 (store); Sun server w/ Solaris 10 (store); Cisco firewall; Microsoft; Sun server w/ Solaris 10 (Corporate Data Center); Oracle database (CHD stored for 30 days)
Locations In-Scope: Store; Corporate Data Center
Connections In-Scope: Cisco firewall (store); Cisco firewall (Corporate Data Center)
Users In-Scope: Store Mgr.; Tim in Sales; System Admin
Third-Parties In-Scope: Bank (Authorization); Bank (Settlement); Radiant; Zuckerberg; Sun; Microsoft
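The three steps above (discover data flows, scope, assign owners) can be turned into a repeatable check. The following is an added example, not from the presentation: a constructed inventory modelled on the store / data-center case, scope derived as "handles CHD or is connected to a system that does", and a report of in-scope items that still have no owner.

```python
"""Added example (not from the presentation): from a data-flow inventory
(step 1) derive the in-scope systems, locations, connections, users and
third parties (step 2) and report what still lacks an owner (step 3).
The inventory is constructed to echo the deck's store / data-center case."""
from collections import deque

# Constructed inventory. "chd": the system stores, processes or transmits CHD.
SYSTEMS = {
    "aloha_pos":    {"chd": True,  "location": "Store", "users": {"store_mgr"},
                     "vendor": "Radiant", "owner": "store_it"},
    "store_fw":     {"chd": False, "location": "Store", "users": {"net_admin"},
                     "vendor": "Cisco", "owner": None},
    "oracle_db":    {"chd": True,  "location": "Corporate Data Center",
                     "users": {"sysadmin"}, "vendor": "Oracle", "owner": "dba_team"},
    "sales_laptop": {"chd": False, "location": "Corporate Office",
                     "users": {"tim_sales"}, "vendor": "Microsoft", "owner": "helpdesk"},
    "hr_server":    {"chd": False, "location": "Corporate Office", "users": {"hr"},
                     "vendor": "Sun", "owner": "hr_it"},
}
# Network paths between systems (undirected), constructed.
CONNECTIONS = [("aloha_pos", "store_fw"), ("store_fw", "oracle_db"),
               ("sales_laptop", "oracle_db"), ("hr_server", "sales_laptop")]

def in_scope_systems(systems: dict, connections: list, hops: int = 1) -> set:
    """Everything handling CHD plus systems within `hops` network hops of it;
    hops=1 is the Council's 'included in or connected to' the CDE."""
    adj = {s: set() for s in systems}
    for a, b in connections:
        adj[a].add(b)
        adj[b].add(a)
    scope = {s for s, m in systems.items() if m["chd"]}
    queue = deque((s, 0) for s in scope)
    while queue:
        node, dist = queue.popleft()
        if dist == hops:
            continue
        for nxt in adj[node] - scope:
            scope.add(nxt)
            queue.append((nxt, dist + 1))
    return scope

def scoping_report(systems: dict = SYSTEMS, connections: list = CONNECTIONS) -> dict:
    """Step 2 columns plus the step 3 gap list, keyed like the deck's table."""
    scope = in_scope_systems(systems, connections)
    meta = [systems[s] for s in scope]
    return {"systems": scope,
            "locations": {m["location"] for m in meta},
            "connections": {c for c in connections if set(c) <= scope},
            "users": set().union(*(m["users"] for m in meta)),
            "third_parties": {m["vendor"] for m in meta},
            "unowned": {s for s in scope if systems[s]["owner"] is None}}
```

With the sample inventory the sales laptop lands in scope because it connects to the Oracle database, the HR server stays out (two hops away), and the store firewall is flagged as having no owner.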
Apply Requirements to the Scope
Systems In-Scope: Aloha POS; Sun servers w/ Solaris; Cisco firewalls; Microsoft XP workstations; Oracle database; Wireless
PCI Testing Procedure:
7.1 Obtain and examine written policy for data control, and verify that the policy incorporates the following:
7.1.1 Confirm that access rights for privileged user IDs are restricted to the least privileges necessary to perform job responsibilities.
7.1.2 Confirm that privileges are assigned to individuals based on job classification and function (also called role-based access control or RBAC).
7.1.3 Confirm that an authorization form is required for all access, that it must specify required privileges, and that it must be signed by management.
7.1.4 Confirm that access controls are implemented via an automated access control system.
7.2 Examine system settings and vendor documentation to verify that an access control system is implemented as follows:
7.2.1 Confirm that access control systems are in place on all system components.
7.2.2 Confirm that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.
7.2.3 Confirm that the access control systems have a default deny-all setting.
Translation:
1. Document your access control practices
2. Restrict to individuals who actually need access
3. Track with a form signed by management
4. Control access with an automated system
5. Ensure it is used on all systems in-scope
6. Deny access to anyone or anything without permissions
#8: Security Information and Event Management
Systems In-Scope: Aloha POS; Sun servers w/ Solaris; Cisco firewalls; Microsoft XP workstations; Oracle database; Wireless
PCI Testing Procedure:
10.1 Verify through observation and by interviewing the system administrator that audit trails are enabled and active for system components.
10.2 Through interviews, examination of audit logs, and examination of audit log settings, perform the following: (requirements 10.2.1 to 10.2.7)
10.3 Through interviews and observation, for each auditable event (from 10.2), perform the following: (requirements 10.3.1 to 10.3.6)
10.5 Interview the system administrator and examine permissions to verify that audit trails are secured so that they cannot be altered, as follows:
10.5.1 Verify that only individuals who have a job-related need can view audit trail files.
10.5.2 Verify that current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation.
10.5.3 Verify that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.
10.5.4 Verify that logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are offloaded or copied onto a secure centralized internal log server or media.
10.5.5 Verify the use of file-integrity monitoring or change-detection software for logs by examining system settings and monitored files and results from monitoring activities.
10.6.a Obtain and examine security policies and procedures to verify that they include procedures to review security logs at least daily and that follow-up to exceptions is required.
10.6.b Through observation and interviews, verify that regular log reviews are performed for all system components.
10.7.a Obtain and examine security policies and procedures and verify that they include audit log retention policies and require audit log retention for at least one year.
10.7.b Verify that audit logs are available for at least one year and that processes are in place to restore at least the last three months' logs for immediate analysis.
Translation:
1. Track all access to systems in-scope
2. Capture requirements 10.2 and 10.3
3. Restrict access to log files to individuals who actually need access
4. Control access with access control mechanisms
5. Back up log files and retain for one year (3 months readily available)
6. Identify unauthorized changes to log files with file integrity management
7. Review logs daily
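Items 5 and 6 of the translation (retention and file-integrity monitoring of logs) are the ones most often found half-done. The following is an added example, not from the presentation: a hash baseline over closed log files for 10.5.5 and a day-by-day retention check for 10.7, run over a constructed in-memory archive rather than a real log server.

```python
"""Added example (not from the presentation): checks behind testing
procedures 10.5.5 (file-integrity monitoring of logs) and 10.7 (one year
retained, last three months immediately available), over a constructed
in-memory archive of daily firewall logs."""
import hashlib
from datetime import date, timedelta

def build_baseline(archive: dict) -> dict:
    """10.5.5: hash each closed log file once; later runs compare to this."""
    return {n: hashlib.sha256(e["bytes"]).hexdigest() for n, e in archive.items()}

def integrity_changes(baseline: dict, archive: dict) -> dict:
    """Files modified or removed since the baseline (what FIM should alert on)."""
    changed = {}
    for name, digest in baseline.items():
        if name not in archive:
            changed[name] = "missing"
        elif hashlib.sha256(archive[name]["bytes"]).hexdigest() != digest:
            changed[name] = "modified"
    return changed

def retention_gaps(archive: dict, today: date, keep=365, online=90) -> dict:
    """10.7: a log for each of the last `keep` days, and the most recent
    `online` days available online rather than only on tape."""
    by_day = {e["day"]: e for e in archive.values()}
    missing, offline = [], []
    for back in range(keep):
        d = today - timedelta(days=back)
        if d not in by_day:
            missing.append(d)
        elif back < online and not by_day[d]["online"]:
            offline.append(d)
    return {"missing": missing, "offline_recent": offline}

def constructed_archive(today: date) -> dict:
    """One firewall log per day for a year; day 200 lost, day 10 on tape only."""
    archive = {}
    for back in range(365):
        if back == 200:
            continue
        d = today - timedelta(days=back)
        archive[f"fw-{d}.log"] = {"day": d, "online": back < 90 and back != 10,
                                  "bytes": f"{d} deny tcp 10.0.0.5 -> 10.0.1.9/443".encode()}
    return archive

def demo() -> dict:
    today = date(2010, 5, 1)
    archive = constructed_archive(today)
    baseline = build_baseline(archive)
    tampered = f"fw-{today - timedelta(days=3)}.log"     # simulate someone editing a log
    archive[tampered]["bytes"] += b" (entry removed)"
    return {"integrity": integrity_changes(baseline, archive),
            "retention": retention_gaps(archive, today)}
```

On the constructed archive the run reports the edited three-day-old firewall log as modified, one missing day inside the one-year window, and one day within the last three months that is only on tape.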
The Next Step
Systems In-Scope: Aloha POS; Sun servers w/ Solaris; Cisco firewalls; Microsoft XP workstations; Oracle database; Wireless
PCI Testing Procedure:
5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.
5.1.1 For a sample of system components, verify that all anti-virus programs detect, remove, and protect against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits).
5.2 Verify that all anti-virus software is current, actively running, and capable of generating logs by performing the following:
5.2.a Obtain and examine the policy and verify that it requires updating of anti-virus software and definitions.
5.2.b Verify that the master installation of the software is enabled for automatic updates and periodic scans.
5.2.c For a sample of system components including all operating system types commonly affected by malicious software, verify that automatic updates and periodic scans are enabled.
5.2.d For a sample of system components, verify that anti-virus software log generation is enabled and that such logs are retained in accordance with PCI DSS Requirement 10.7.
10.7.a Obtain and examine security policies and procedures and verify that they include audit log retention policies and require audit log retention for at least one year.
10.7.b Verify that audit logs are available for at least one year and that processes are in place to restore at least the last three months' logs for immediate analysis.
Translation:
1. Implement anti-virus on all systems in-scope (as possible)
2. Ensure anti-virus protects against what it needs to and is a current version
3. Document requirements for anti-virus and that it needs to be updated
4. Update anti-virus automatically and set it to perform scans
5. Retain log files for one year (3 months readily available)
Does your AV Do This?
Testing Procedure 5.1: For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.
Translation: Implement anti-virus on all systems in-scope (as possible)
Security Admin Response 5.1: We use XYZ vendor anti-virus software on the following systems:
- Aloha POS
- The Sun servers in the stores and data center
- The Microsoft computers for anyone who can access those systems
- The computers belonging to all users who connect to our network
- The Oracle database where we store CHD for 30 days

Does your AV Do This?
Testing Procedure 5.1.1: For a sample of system components, verify that all anti-virus programs detect, remove, and protect against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits).
Testing Procedure 5.2: Verify that all anti-virus software is current, actively running, and capable of generating logs by performing the following:
Translation: Ensure anti-virus protects against what it needs to and is a current version
Security Admin Response 5.1.1: XYZ vendor anti-virus software performs all these actions.
Security Admin Response 5.2: The AV is version 1.2.3, which is the latest version, and I checked that it is actively running on three user laptops. It is set to capture logs.

Does your AV Do This?
Testing Procedure 5.2.a: Obtain and examine the policy and verify that it requires updating of anti-virus software and definitions.
Translation: Document requirements for anti-virus and that it needs to be updated
Security Admin Response 5.2.a: We don't have a documented policy for AV.

Does your AV Do This?
Testing Procedure 5.2.b: Verify that the master installation of the software is enabled for automatic updates and periodic scans.
Testing Procedure 5.2.c: For a sample of system components including all operating system types commonly affected by malicious software, verify that automatic updates and periodic scans are enabled.
Translation: Update anti-virus automatically and set it to perform scans
Security Admin Response 5.2.b: Yes, it is automatically updated nightly and scans are set for every week.
Security Admin Response 5.2.c: See the attached screenshots showing that the AV is updated nightly and scans are set for every week for the systems in 5.1.

Does your AV Do This?
Testing Procedure 5.2.d: For a sample of system components, verify that anti-virus software log generation is enabled and that such logs are retained in accordance with PCI DSS Requirement 10.7.
10.7.a Obtain and examine security policies and procedures and verify that they include audit log retention policies and require audit log retention for at least one year.
10.7.b Verify that audit logs are available for at least one year and that processes are in place to restore at least the last three months' logs for immediate analysis.
Translation: Retain log files for one year (3 months readily available)
Security Admin Response 5.2.d: AV log generation is enabled; however, we have a concern about logs needing to be retained for one year. We can store the three months on hand online, but will need to discuss storage options for the remaining nine months.

Summary to Meet PCI Req 5
In Place: 5.1, 5.1.1, 5.2, 5.2.b, 5.2.c
Not in Place: 5.2.a
Follow-Up: 5.2.d
For which: Systems, Locations, Users