Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services



Similar documents
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Payment Card Industry (PCI) Data Security Standard

Application Security in the Software Development Lifecycle

The Value of Vulnerability Management*

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

PCI DSS Reporting WHITEPAPER

PCI Security Scan Procedures. Version 1.0 December 2004

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Cisco Security Optimization Service

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

PCI Requirements Coverage Summary Table

A Rackspace White Paper Spring 2010

PCI DSS Top 10 Reports March 2011

Introduction. PCI DSS Overview

Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

PCI Requirements Coverage Summary Table

How To Protect A Web Application From Attack From A Trusted Environment

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

Using Skybox Solutions to Achieve PCI Compliance

SecurityMetrics Vision whitepaper

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Passing PCI Compliance How to Address the Application Security Mandates

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance

Payment Card Industry Data Security Standard

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

PCI Data Security Standards (DSS)

Overcoming PCI Compliance Challenges

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

You Can Survive a PCI-DSS Assessment

Achieving Compliance with the PCI Data Security Standard

PCI DSS Requirements - Security Controls and Processes

3. Are employees set as Administrator level on their workstations? a. Yes, if it is necessary for their work. b. Yes. c. No.

Best Practices for PCI DSS V3.0 Network Security Compliance

PCI DSS 3.1 and the Impact on Wi-Fi Security

How To Protect Your Data From Being Stolen

PCI DSS v3.0 Vulnerability & Penetration Testing

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

A Decision Maker s Guide to Securing an IT Infrastructure

GFI White Paper PCI-DSS compliance and GFI Software products

Data Security for the Hospitality

74% 96 Action Items. Compliance

New Zealand Company Six full time technical staff Offices in Auckland and Wellington

How To Test For Security On A Network Without Being Hacked

Security aspects of e-tailing. Chapter 7

Global Partner Management Notice

Checklist for Vulnerability Assessment

THE TOP 4 CONTROLS.

PCI DSS Overview and Solutions. Anwar McEntee

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Patch and Vulnerability Management Program

PCI Compliance for Cloud Applications

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC

NYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011

Closing Wireless Loopholes for PCI Compliance and Security

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

What is Penetration Testing?

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Did you know your security solution can help with PCI compliance too?

Payment Card Industry Data Security Standard

IT Security & Compliance. On Time. On Budget. On Demand.

How To Comply With The Pci Ds.S.A.S

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

ABB s approach concerning IS Security for Automation Systems

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

File Integrity Monitoring: A Critical Piece in the Security Puzzle. Challenges and Solutions

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

WHITE PAPER. PCI Compliance: Are UK Businesses Ready?

Security Management. Keeping the IT Security Administrator Busy

ASDI Full Audit Guideline Federal Aviation Administration

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

Technical Testing. Network Testing DATA SHEET

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

PCI Compliance. Top 10 Questions & Answers

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

case study Core Security Technologies Summary Introductory Overview ORGANIZATION: PROJECT NAME:

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

March

New PCI Standards Enhance Security of Cardholder Data

Continuous compliance through good governance

Transcription:

Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services

PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult task, especially for smaller merchants or those who are in the early stages of achieving compliance. In this short paper, we will outline the requirements in the PCI DSS that are related to identifying, mitigating, and reporting on security vulnerabilities, and recommend a strategy for maintaining compliance in this regard. Before outlining the strategy, it is important to highlight a few things that are essential to managing vulnerabilities (and compliance in general) in a PCI world. First, be sure to take a risk- based approach to meeting the standard. This requires an understanding, by IT and security managers working with business stakeholders, of the biggest threats to the business and then setting priorities for security and compliance efforts. An added benefit to this approach is that you help to ensure that the security budget is spent wisely a smart move when dealing with the reality of our current economy. Traditional security spending has taken a more tactical approach, with the mindset of more security products will certainly bring better security. This is not the best approach when working towards compliance with a complex standard such as the PCI DSS. Second, understand and approach the standard holistically, instead of addressing each requirement in a vacuum. If you step back from the standard, it is important to remember that the reason it exists in the first place is to protect cardholder data. Too often we see organizations getting wound up in a specific sub- requirement and what the interpretation should be in their case. Each of the requirements must be addressed and ultimately met; however, they should all be seen as a combined effort to protect data. In this paper we focus on vulnerability management, and there are many items in the standard that contribute and work together to achieve the goal of reducing the threat of vulnerabilities. Finally, make sure that your compliance efforts are not static. PCI compliance should be achieved and then maintained. Vulnerability management is no exception. There will be a constant flow of threats to your organization. Managing this environment will require constant vigilance. Whether it is patch management, vulnerability assessment, host hardening techniques, standardization of configurations, training, or policy all will require a continuous effort to be successful. Vulnerability Management and the PCI DSS Now, let s examine some of the PCI requirements related to managing vulnerabilities: Requirement 2.2 states that an organization should Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry- accepted system hardening standards. One of the first defenses against security vulnerabilities involves how hosts or devices are configured. This system hardening involves configuration of system components in such a way that it is specific to task and contains no superfluous components or settings that may be vulnerable now or in the future. This is a great way to eliminate problems before they arise. The threat of attack from malicious code is a daily reality. A key element of protecting against this type of attack is the proper deployment and management of anti- virus software. Requirement 5 specifies that anti- virus

software be deployed to all systems commonly affected by malicious software. Proper deployment and management of the anti- virus software will involve keeping the software up- to- date, making sure it cannot be disabled by the user, and monitoring and retaining the log files. Requirement 6.1 reads Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor- supplied security patches installed. Install critical security patches within one month of release. The standard goes on to state how a risk- based approach can be used to prioritize patch deployments. As a part of the initial hardening of a system, and then throughout its lifecycle, each system should be patched fully to address known vulnerabilities. A risk- based approach is crucial: For example, a public- facing web server in the DMZ will be constantly probed and attacked. This host should arguably be patched much sooner than an intranet server that is only accessible from the core network. By the same measure, an internal server that stores critical private data will not necessarily be bright on the attack radar screen, but should be among the first to be patched. Requirement 6.1 is followed up by 6.2 stating, Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities. The standard itself is relating things that you learn as a result of complying with 6.2 to actions that you are taking to be compliant with other requirements such as 2.2 and 11.2. Requirement 6.2 is vital to vulnerability management. The evolution of requirement 6.2 in the 2.0 version of the PCI DSS moved from simply stating that we must identify newly discovered security vulnerabilities to requiring that we define a process that ranks vulnerabilities according to risk. It also states that the process should be based on industry best practices. 6.2.a becomes a requirement (instead of being considered a best practice) at the end of June 2012. So to stay on track, we should monitor vendor security alerts relevant to our own systems and subscribe to security advisories. Finally, evaluate how these vulnerabilities affect the cardholder data environment. Requirement 6.3.2 states that an organization should perform a Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability. Additionally, 6.5 states Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes. As if securing your web applications isn t difficult enough, 6.6 requires that "For public- facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either" reviewing public- facing web applications via manual or automated application vulnerability security assessment tools - or- installing a web- application firewall. The standard gives the merchant a choice of performing a review of the application or deploying an application- layer firewall. The argument could easily be made that using these complementary approaches together would achieve the highest level of security. The intent, however, is that, in the case of a review, the merchant will also have an annual application vulnerability assessment performed. This assessment would fall short of being a penetration test, in that none of the vulnerabilities would be exploited. Corrections should be made and confirmed with re- evaluation until there is an all clear. These assessments can be performed by either an internal or external party, however, internal reviewers should be qualified to assess application- layer security, and be organizationally independent from the developers of the application. The other choice is to protect the web applications using an application- layer firewall. These complex

deployments are configured specifically for each application, and can address many of the weaknesses inherent in web applications. At a minimum, this device should protect the application from the OWASP Top Ten. 11.1, 11.2. and 11.3 require an organization to Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use, Run internal and external network vulnerability scans at least quarterly and after any significant change in the network, and perform external and internal (network- layer and application- layer) penetration testing at least annually and after any significant infrastructure or application upgrade or modification. Internal tests for rogue wireless access points can be performed adequately by internal staff knowledge of wireless testing tools, and some basic software and hardware is all that is required. The ultimate goal here is to discover anything connected to your network that isn t authorized, and which may present a threat to the cardholder environment. Requirement 11.2 defines the all too familiar quarterly scanning that must be done by your Approved Scanning Vendor. 11.3 requires application- layer and network- layer penetration testing in an effort to determine whether the cardholder data can be compromised. Penetration testing takes steps beyond vulnerability testing by exploiting the vulnerabilities to determine whether a compromise of data is possible. This process may include internal and external attack vectors, packet sniffing, manual manipulation of operating systems and applications, and social engineering. The standard does not intend that tests be performed that potentially could cause a denial of service. Vulnerability scanning should be complementary to the patch management process both in terms of feeding information to patch deployment efforts (what should be patched) and as a confirmation of what has been patched. Finding qualified penetration testers can be difficult to find (Secure Enterprise Computing provides this service) as it is often not likely that an organization will have this expertise on staff. An internal resource would have to be organizationally independent from those who manage the networking and resources. Finally, 12.5.2 requires that you Monitor and analyze security alerts and information, and distribute to appropriate personnel. Security is a moving target, and staying abreast of current threats and vulnerabilities is a very important element when managing security. This applies to policy as well. Focusing on this often overlooked element can bring more benefits than a high- tech patch management system. Weak security policy should be considered a vulnerability too, and one that scanning will not discover. In Conclusion The ongoing effort required to maintain PCI compliance requires much work and planning to be successful. Managing vulnerabilities in any environment requires more than a monthly patch routine. It requires policy, patch deployment, standardization, and testing at a minimum. An organization must intelligently prioritize and fix discovered vulnerabilities, whether by patching or other means, just to stay afloat. Hardening techniques can help reduce future vulnerabilities and prevent and protect against zero day exploits. It s very important that these technologies and efforts coordinate with one another so that the ultimate goal, protection of critical data, can be achieved.

A Checklist for Vulnerability Management So let s look at how these requirements translate into a strategy of scheduled events that can help keep vulnerabilities at bay and your organization in compliance with these concerns. Daily / Ongoing Maintain configuration standards Monitor alert services such as SANS @Risk and applicable vendor resources Use secure coding techniques and review code for security flaws Monthly Perform vulnerability scanning of critical servers Apply critical patches based on risk Quarterly Engage with an Approved Scanning Vendor to perform External Vulnerability Scans Perform internal vulnerability scans of the cardholder data environment and resolve all high and medium risk vulnerabilities Scan the environment for rogue access points connected to the network Annually Perform application- layer and network- layer penetration tests Perform an annual Risk Assessment

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information