© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public. Presentation_ID 1

Page 1:

Compliance and the Intelligent Information Network

Fred Colacchio, CISSP

Security Specialist

[email protected]

October 3, 2007

Page 2:

Agenda

Compliance

Mapping IIN to Compliance

PCI Prescriptive

Summary

Reference

Page 3:

Compliance

Page 4:

The Four Main Themes in Compliance: Think “CIAA”

1. Confidentiality - Keep it secret

2. Integrity of data - Protect against improper alteration or destruction

3. Audit/reporting/monitoring/logging - Security activity must be tracked and auditable, both to demonstrate compliance and to support incident investigation

4. Availability - Regulated data must be available to authorized users/consumers

Page 5:

Compliance Drivers

U.S. Public Company Accounting Reform and Investor Protection Act of 2002 (“Sarbanes-Oxley”)
Protects investors by improving the accuracy and reliability of corporate disclosures.

The Financial Services Modernization Act of 1999 (“Gramm-Leach-Bliley”)
Provides a framework for the affiliation of banks, securities firms, insurance companies, and other financial service providers. Establishes the Financial Privacy Rule and the Safeguards Rule.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Improves portability and continuity of health insurance coverage; combats waste, fraud, and abuse in health insurance and health care delivery; promotes the use of medical savings accounts; improves access to long-term care services and coverage; simplifies the administration of health insurance.

California SB 1386
Requires any entity that conducts business in California to disclose any breach of the security of data that includes personal information.

Page 6:

Compliance Drivers

Family Educational Rights and Privacy Act (FERPA)
Protects the privacy of student educational records.

Payment Card Industry Data Security Standard (PCI DSS)
Applies to all merchants and service providers that store, process, or transmit credit card data, and provides the tools and measurements needed to protect against cardholder data exposure and compromise.

Notification of Risk to Personal Data Act (S. 1350, pending)
Would require federal agencies, and persons engaged in interstate commerce, in possession of electronic data containing personal information to disclose any unauthorized acquisition of such information.

Page 7:

Sanctions for Regulatory Non-Compliance

Regulation | Date of Enforcement | Fine | Imprisonment | Industry
HIPAA | 1996 | $250,000 | 10 years | Health
GLBA | 1999 | $100,000 per incident | 5 years | Financial
SOX | 2002 | $22 million per violation (former Gemstar CEO, May 9, 2006) | 20 years | Information Security
CA SB 1386 | 2003 | Any customer injured by a violation of this act may institute a civil action to recover damages | None (customers must be notified) | Personal Information
PCI | 2005 | $500K per incident, plus $100K if Visa is not notified | None (right to accept credit card payments rescinded) | Credit Card Security

Page 8:

SOX (Sarbanes-Oxley)

Applies to public companies

Section 302 compliance – Attestation to the validity of public reports

Section 404 compliance – Attestation to the effectiveness of internal control structures

Section 409 compliance – “Real time” public disclosure of material changes in the financial condition or operations of a company

Page 9:

GLBA

Applies to “Financial Institutions”
Includes not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers (e.g., student loans)

Financial Privacy Rule
Governs the collection and disclosure of customers' personal financial information

Safeguards Rule
Requires all financial institutions to design, implement and maintain safeguards to protect customer information.

Page 10:

In summary, the objectives of GLBA are to:

• Protect the security and confidentiality of customers' nonpublic personal information

• Institute administrative, technical, and physical safeguards

• Protect against anticipated threats and hazards to information security

• Protect against unauthorized access to or use of information

A further objective is to establish a continuous risk-based information security program with:

• Board oversight

• Assessment of threats and vulnerabilities

• Risk management and controls

• Training and testing

• Vendor oversight

• Monitoring, auditing, adjusting, and reporting

Page 11:

Who is affected by GLBA?

• Banks, securities firms, and insurance companies

• Mortgage lenders or brokers

• Check cashers and payday lending services

• Credit counseling service and other financial advisors

• Medical-services providers with long-term, interest-bearing payment plans for a significant number of its patients

• Financial or investment advisory services including tax planning, tax preparation, and individual financial management

• Retailers that issue their own credit cards

• Auto dealers that lease or finance purchases

• Higher education institutions providing financial aid or student loans

• Collection agencies

• Government entities that provide financial products such as student loans or mortgages

Page 12:

HIPAA

Applies to health care providers, clearinghouses, and plans

The Privacy Rule
Includes standards to protect the privacy of individually identifiable health information

The Security Rule
Specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information

Page 13:

Who is affected by HIPAA?

In general, the requirements, standards, and implementation specifications of the HIPAA Security Rule apply to the following entities:

• Covered Health Care Providers - Any provider of medical or other health services or supplies who transmits any health information in electronic form in connection with a transaction

• Health Plans - Any individual or group plan that provides or pays the cost of medical care, including certain specifically listed governmental programs

• Health Care Clearinghouses - A public or private entity that processes another entity's health care transactions from a standard format to a nonstandard one, or vice versa

• Medicare Prescription Drug Card Sponsors - A nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act

Page 14:

Family Educational Rights and Privacy Act

Applies to all schools that receive funds under an applicable program of the U.S. Department of Education

Establishes:

Inspection right

Correction right

Restrictions on disclosure

Notification obligation

Page 15:

Addressing Compliance

Page 16:

“ An entire organization, despite its best efforts to prevent wrongdoing in its ranks, can still be held criminally liable for any of its employees’ illegal actions.”

Paula Desio, Deputy General Counsel

United States Sentencing Commission

An Overview of the Organizational Sentencing Guidelines

Page 17:

“ [The Sentencing Commission] attempted to alleviate the harshest aspects of...institutional vulnerability...by mitigating the potential fine...if an organization can demonstrate that it had put in place an effective compliance program.”

Paula Desio, Deputy General Counsel

United States Sentencing Commission

An Overview of the Organizational Sentencing Guidelines

Page 18:

Three Pieces of the Puzzle

People

Process

Technology

Page 19:

Why use PCI for our discussion?

Regulatory programs are open to interpretation

They may require teams of experts (General Counsel, Finance, Risk, etc.) to determine the organization's compliance requirements; the requirements are “fuzzy”

PCI is the most prescriptive and the easiest to map against and measure

The PCI DSS embodies information security best practices

The work of complying with PCI can benefit, and likely transfer to, other compliance programs (GLBA, HIPAA, etc.)

Controls demonstrated for data protection can be leveraged regardless of whether the data is corporate, personal, financial, health, or, in the case of PCI, credit card information

PCI compliance may prove “due care”

Page 20:

General Security Recommendations

Store Less Data
– Reduce the scope
– Justify why you're storing critical data

Understand the Flow of Data
– Diagrams; understand where data is stored and how far it travels

Encrypt Data

Address Application and Network Vulnerabilities
– Update your software with patches as they are released
– Have a third party conduct an application test and code review

Improve Security Awareness and Training

Monitor Systems for Intrusions and Anomalies
– Place IDS devices near the assets you want to protect
– Establish a centralized server for reviewing, correlating, and managing IDS logs

Segment Sensitive Data Networks and Control Access to Them

Change default passwords immediately
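The last three recommendations (central log correlation, segmentation, no default passwords) only pay off if someone actually looks at what the firewall and the cardholder-data hosts report. The block below is an added example, not code from the Cisco deck: a minimal correlator in Python that reads constructed syslog lines from an edge firewall and a cardholder-data host and raises alerts on two patterns worth a PCI Requirement 10 review, a store-LAN host probing the cardholder-data segment and a password-guessing run that ends in a successful login. The log formats, the addresses (10.20.30.0/24 as the cardholder-data segment, 10.10.10.5 as the only POS server allowed to reach it), and the thresholds are assumptions for the example.

```python
"""
Added example, not from the Cisco deck: a minimal central log correlator.
It reads constructed syslog lines from a firewall and a cardholder-data host,
sorts them (a collector receives events out of order), and raises alerts on
two patterns: a host outside the allowed sources probing the cardholder-data
segment, and a password-guessing run that ends in a successful login.
Log formats, addresses and thresholds are assumptions for the example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed segmentation: 10.20.30.0/24 holds cardholder data and only the
# POS server (10.10.10.5) may talk to it.
CDE_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_CDE_SOURCES = {ipaddress.ip_address("10.10.10.5")}

DENY_THRESHOLD = 3           # distinct CDE ports denied from one source
FAILED_LOGIN_THRESHOLD = 5   # failures within WINDOW before a success
WINDOW = timedelta(minutes=10)

# Assumed line formats:
#   "<date> <time> <device> FW DENY <src>:<sport> -> <dst>:<dport>"
#   "<date> <time> <host> AUTH FAIL|OK user=<name> from=<src>"
FW_RE = re.compile(r"^(\S+ \S+) (\S+) FW DENY (\S+):\d+ -> (\S+):(\d+)$")
AUTH_RE = re.compile(r"^(\S+ \S+) (\S+) AUTH (FAIL|OK) user=(\S+) from=(\S+)$")


def correlate(lines):
    """Return alert strings for the given syslog lines, in timestamp order."""
    alerts = []
    denied_ports = defaultdict(set)    # (src, dst) -> ports seen denied
    failures = defaultdict(list)       # (user, host) -> recent failure times
    for line in sorted(lines, key=lambda l: l[:19]):   # "YYYY-MM-DD HH:MM:SS"
        m = FW_RE.match(line)
        if m:
            ts, _, src, dst, port = m.groups()
            if (ipaddress.ip_address(dst) in CDE_NET
                    and ipaddress.ip_address(src) not in ALLOWED_CDE_SOURCES):
                ports = denied_ports[(src, dst)]
                ports.add(int(port))
                if len(ports) == DENY_THRESHOLD:   # alert once per source/dest
                    alerts.append(f"{ts} CDE probe: {src} denied to {dst} "
                                  f"on {DENY_THRESHOLD}+ ports")
            continue
        m = AUTH_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            recent = [t for t in failures[(user, host)] if when - t <= WINDOW]
            if result == "FAIL":
                failures[(user, host)] = recent + [when]
            else:
                if len(recent) >= FAILED_LOGIN_THRESHOLD:
                    alerts.append(f"{ts} brute-force success: {user}@{host} "
                                  f"from {src} after {len(recent)} failures")
                failures[(user, host)] = []
        # Lines matching neither format are ignored here; a real collector
        # should count them so a log-format change does not silently blind it.
    return alerts


# Constructed sample: a store-LAN desktop probes the cardholder-data server,
# then guesses the admin password on it. The POS server's own denied packet
# and a single mistyped password are noise. The first line is deliberately
# out of order.
SAMPLE_LOGS = [
    "2007-10-03 10:05:09 cde-db01 AUTH OK user=admin from=10.10.10.77",
    "2007-10-03 10:00:01 asa-edge FW DENY 10.10.10.77:51234 -> 10.20.30.5:445",
    "2007-10-03 10:00:02 asa-edge FW DENY 10.10.10.77:51235 -> 10.20.30.5:1433",
    "2007-10-03 10:00:03 asa-edge FW DENY 10.10.10.77:51236 -> 10.20.30.5:3389",
    "2007-10-03 10:00:04 asa-edge FW DENY 10.10.10.5:40000 -> 10.20.30.5:22",
    "2007-10-03 10:05:00 cde-db01 AUTH FAIL user=admin from=10.10.10.77",
    "2007-10-03 10:05:01 cde-db01 AUTH FAIL user=admin from=10.10.10.77",
    "2007-10-03 10:05:02 cde-db01 AUTH FAIL user=admin from=10.10.10.77",
    "2007-10-03 10:05:03 cde-db01 AUTH FAIL user=admin from=10.10.10.77",
    "2007-10-03 10:05:04 cde-db01 AUTH FAIL user=admin from=10.10.10.77",
    "2007-10-03 10:30:00 cde-db01 AUTH FAIL user=ops from=10.10.10.5",
    "2007-10-03 10:30:05 cde-db01 AUTH OK user=ops from=10.10.10.5",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Two design points matter more than the two rules themselves. Events are sorted on their timestamp before evaluation because a central collector receives them out of order, and the brute-force rule fires only on the success, so five failures from a user who then gives up are a ticket rather than an incident. The probe rule also alerts once per source and destination pair rather than on every denied packet, which keeps a port scan from turning into a thousand alerts.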

Page 21:

Payment Card Industry (PCI) Solution & Prescriptive

Page 22:

PCI Defined

Page 23:

The PCI Data Security Standard

Published January 2005

Impacts all who:

Process

Transmit

Store cardholder data

Developed by MasterCard and Visa, endorsed by the other payment brands

Pertinent for all industries and company sizes

SMB to large enterprise and service providers

Global in nature

Visa says approximately 22% of Tier 1 merchants are currently compliant. Computerworld, July 10, 2006.

Page 24:

The PCI Data Security Standard

PCI applies to all companies that handle credit card information—not just credit card processing

Merchants are tiered based on transaction volume and each level has different requirements

Penalties associated with the levels

Applies globally to all environments including physical, electronic commerce, wireless, etc.

PCI covers systems, policies, and procedures

Page 25:

It’s About Good Business Practices

Providing a secure shopping environment whether in the store or online

Prevention of identity theft for customers

Securely and reliably protecting brand image and assets

Mitigating financial risk associated with fines and penalties due to failure in compliance (and breach!)

Page 26:

Categories of Merchants

Category | Criteria | Requirement
Level 1 Merchants | More than 6,000,000 Visa/MC transactions per year* | Annual onsite PCI Data Security Assessment; quarterly network scan
Level 2 Merchants | 1 million – 6 million transactions per year | Quarterly network scan; annual self-assessment
Level 3 Merchants | 20K – 1 million e-commerce transactions per year | Quarterly network scan; annual self-assessment
Level 4 Merchants | Fewer than 20,000 Visa e-commerce transactions per year | Quarterly network scan; annual self-assessment

* Any merchant that has suffered a hack or an attack that resulted in an account data compromise is also treated as Level 1

Page 27:

Critical Role of the Network for PCI Compliance

PCI Data Security Standard Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security
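Requirement 3 is the one most assessments fail in the VeriSign figures later in this deck, and the "Store Less Data" and "Encrypt Data" recommendations on page 20 are the same point from the other side: the cheapest PAN to protect is the one you never wrote down. The block below is an added example, not code from the Cisco deck or the PCI council. It shows, in Python, what a POS or e-commerce back end has to do to a PAN before a transaction record hits disk (Luhn validation, masking to the first six and last four digits, a keyed-hash token in place of the PAN, and no CVV2 or track data in the stored record), and a scanner that finds Luhn-valid card numbers left in cleartext in logs or dumps, which is how the leftover PANs behind a Requirement 3 failure usually get found. The token key, the field names and the sample log lines are constructed for the example.

```python
"""
Added example, not from the Cisco deck or the PCI council: what
"protect stored data" (Requirement 3) and "store less data" look like at
the point where a POS or e-commerce back end writes a transaction record.
The PAN is Luhn-checked, masked to the first six and last four digits,
and replaced by a keyed-hash token; CVV2 and track data are never written.
A scanner then finds Luhn-valid card numbers left in cleartext in stored
text such as logs or dumps. The key, field names and sample lines are
constructed for the example.
"""
import hashlib
import hmac
import re

# Assumption: in production this key lives in an HSM or key-management
# service (PCI DSS 3.5/3.6); it is inline only to keep the example runnable.
TOKEN_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# part of a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def digits_only(pan):
    return "".join(c for c in pan if c.isdigit())


def luhn_ok(pan):
    """True if the digits pass the Luhn checksum used by the card brands."""
    digits = [int(c) for c in digits_only(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Show at most the first six and last four digits (PCI DSS 3.3)."""
    d = digits_only(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def tokenize_pan(pan):
    """Keyed hash of the normalised PAN. Stable, so transactions can still be
    matched by card, but not reversible and not recomputable without the key
    (an unkeyed hash could be brute-forced: the space of valid PANs is small)."""
    return hmac.new(TOKEN_KEY, digits_only(pan).encode(), hashlib.sha256).hexdigest()


def store_authorized_transaction(auth):
    """Return the record that may be written after authorization. Only
    allow-listed fields are copied, so the full PAN, CVV2 and track data in
    the authorization message never reach storage."""
    pan = auth["pan"]
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": tokenize_pan(pan),
        "expiry": auth["expiry"],
        "amount": auth["amount"],
    }


def find_cleartext_pans(text):
    """Scan stored text for Luhn-valid card numbers; report them masked so
    the scan output itself does not become another copy of the PANs."""
    return [mask_pan(m.group(0)) for m in PAN_CANDIDATE.finditer(text)
            if luhn_ok(m.group(0))]


# Constructed sample of what a POS log should never contain: two cleartext
# PANs. The 13-digit order number fails Luhn and is correctly not reported,
# and the already-masked PAN on the third line is not matched.
SAMPLE_STORED_LOG = (
    "2007-10-03 09:12:01 pos01 sale approved pan=4111 1111 1111 1111 amt=42.10\n"
    "2007-10-03 09:12:05 pos01 order=1234567890123 status=shipped\n"
    "2007-10-03 09:13:40 pos02 sale approved pan=401288******1881 amt=7.00\n"
    "2007-10-03 09:14:02 pos02 refund pan=4012888888881881 amt=7.00\n"
)

if __name__ == "__main__":
    record = store_authorized_transaction(
        {"pan": "4111 1111 1111 1111", "cvv2": "123", "track2": "...",
         "expiry": "1209", "amount": "42.10"})
    print(record)
    print(find_cleartext_pans(SAMPLE_STORED_LOG))
```

The Luhn filter is what keeps the scanner usable: a bare "13 to 19 digits" pattern flags every order number, timestamp and phone number in a log, while a Luhn-valid hit in a field that is not supposed to hold a PAN is almost always a real leak. The keyed hash is the other non-obvious choice; hashing a PAN with plain SHA-256 looks like protection but is reversible by enumeration because the issuer prefix and the check digit leave only a small space of valid numbers.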

Page 28:

Where Most Assessments Are Failing

PCI Requirement | Percentage of Assessments Failing
Requirement 3: Protect Stored Data | 79%
Requirement 11: Regularly Test Security Systems and Processes | 74%
Requirement 8: Assign a Unique ID to Each Person with Computer Access | 71%
Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data | 71%
Requirement 1: Install and Maintain a Firewall Configuration to Protect Data | 66%
Requirement 2: Do Not Use Vendor-supplied Defaults for System Passwords and Other Security Parameters | 62%
Requirement 12: Maintain a Policy That Addresses Information Security | 60%
Requirement 9: Restrict Physical Access to Cardholder Data | 59%
Requirement 6: Develop and Maintain Secure Systems and Applications | 56%
Requirement 4: Encrypt Transmission of Cardholder Data and Sensitive Information Across Public Networks | 45%

Source: VeriSign, “Lessons Learned: Top Reasons for PCI Audit Failure and How to Avoid Them.”

Page 29:

Compliance Is Still an Issue

Forrester Research: Self-assessment in payment card security is not enough

Forrester concludes: “Information security (or a lack of it) is not an area in which banks and retailers should try to save money or compete.”

Gartner: The PCI Data Security Standard was created in 2001, yet the card-accepting industry still struggles to demonstrate compliance with it, let alone protect cardholder data in many cases

The Logic Group, September 27, 2006: Survey reveals alarmingly low levels of compliance for PCI DSS; only 3% of merchants were ready

PC-Based Point of Sale Systems Experienced the Largest Percentage of Compromises in 2005 in the US (chart): PC POS 84%, Shopping Cart 12%, Backend 2%, Mainframe 1%, Physical 1%

Page 30:

The Risks are Real

1/06 University of Delaware

1/06 Pittsburgh University Medical

1/06 Illinois Education Assoc

1/06 Oregon Dept of Revenue

1/06 California National Guard

1/06 Atlantis Resort-Kerzner

1/06 People’s Bank

1/06 NYC Teachers’ Retirement

1/06 Presbyterian Health Care

1/06 Notre Dame University

1/06 Kent State University

1/06 City of San Diego

1/06 State of Washington Health

1/06 Honeywell International

1/06 Ameriprise Financial

1/06 Boston Globe

1/06 FedEx Freight West

2/06 Blue Cross Blue Shield NC

2/06 Ernst & Young

2/06 US Agriculture Department

2/06 Blue Cross Blue Shield FL

2/06 Deloitte & Touche / McAfee

3/06 American International Group

3/06 University of Michigan

3/06 Verizon Communications

3/06 General Motors

3/06 Fidelity Investments

4/06 Nationwide Retirement Services

4/06 US Department of Defense

4/06 Iron Mountain

4/06 Fifth Third Bank

4/06 University of South Carolina

4/06 Ross-Simons

4/06 University of Alaska, Fairbanks

4/06 Boeing

4/06 University of Virginia

4/06 State of Georgia

4/06 Union Pacific corporation

5/06 Internal Revenue Service

5/06 Equifax

5/06 Northwestern University

5/06 Hotels.com

5/06 Wells Fargo

5/06 Mercantile Bankshares

5/06 Minnesota Revenue Dept

5/06 Frost Bank

5/06 YMCA

5/06 VyStar Credit Union

6/06 Federal Trade Commission

6/06 US Navy Recruiting

6/06 Fluor Hanford

6/06 Humana Health Plans

6/06 Royal Ahold USA

6/06 Barnard College

6/06 Department of Energy

6/06 Minnesota State Auditor

6/06 ING

6/06 VA Bureau of Insurance

6/06 ADP TotalSource

6/06 Visa USA

6/06 National Institutes of Health Federal Credit Union

7/06 US Citizenship and Immigration Services

7/06 Riverside City Hall (CA)

7/06 US Navy

7/06 Moraine Park Technical College

7/06 Mississippi Secretary of State

7/06 PSA Healthcare

7/06 Hampton Roads, VA Circuit Court

7/06 Helnet, Inc.

9/06 Madrona Medical Group

8/06 Hospital Corporation of America

8/06 Williams Sonoma, Inc.

8/06 Weyerhaeuser

8/06 Louisiana State University

8/06 Transportation Security Admin

8/06 Linden Lab

8/06 Toyota

8/06 Columbus Income Tax Division

8/06 MI Dept of Community Health

8/06 Dept of Veteran Affairs

8/06 Illinois Dept of Corrections

8/06 Adams State College

8/06 University of Texas

8/06 CA Dept of Mental Health

8/06 US Department of Education

8/06 Sovereign Bank

8/06 Federal Motor Carrier Safety

8/06 AT&T

8/06 University of Colorado

8/06 PortTix

9/06 Berry College

9/06 North Carolina Division of Motor Vehicles

9/06 Purdue College of Science

9/06 Louisiana State University

9/06 Kentucky Personnel Cabinet

9/06 US Census Bureau

9/06 Nikon World Magazine

9/06 Erlanger Hospital

9/06 DePaul Medical Center

9/06 Life is Good, Inc.

9/06 General Electric Co.

9/06 University of Texas

9/06 University of Iowa

10/06 Lexis Nexis

10/06 Cumberland County, PA Government

10/06 Chicago Board of Elections

10/06 Colorado Dept of Human Services

Over 192 disclosed security breaches through October 2006, potentially affecting more than 12 million individuals

Source: www.idtheftcenter.org

2007 breach list (as of 9/25/2007): 297 breaches, 75,926,667 records exposed

Page 31:

Implications of Non-Compliance

Fines levied by the payment brands: up to $500K per incident for any merchant or service provider not compliant at the time of the compromise

Increased transaction costs

Restrictions on card acceptance: temporary suspension, with possible permanent implications

Consumer confidence and retailer brand integrity compromised by a data security breach

Loss of cardholder data due to network attack

Liability for cleanup and notification costs

Page 32:

Differences between PCI DSS 1.0 and 1.1

PCI DSS 1.1 went into effect on October 1, 2006.

All QSA assessments and network scans as of January 1, 2007 must use version 1.1

Some specific changes:

Section 6.6 – Added requirement for an application code review or an application-layer firewall (in version 1.1 this is a best practice until June 30, 2008, after which it becomes a requirement)

Section 11.1 – Clarified that wireless analyzers should be used periodically, even if wireless is not currently deployed

Section 12 – Added requirement for a policy to manage connected entities, including maintaining a list, implementing appropriate due diligence, ensuring connected entities are PCI DSS compliant, and having an established process to connect and disconnect entities

New appendices:

Appendix A: PCI DSS Applicability for Hosting Providers

Appendix B: Compensating Controls – with an example for stored data encryption

For the specific 1.1 differences see: https://www.pcisecuritystandards.org/pdfs/pci_summary_of_pci_dss_changes_v1-1.pdf

Page 33:

Cisco and PCI

Page 34:

How Cisco Is Helping Retailers

Provide an end-to-end secured solution to address PCI requirements

Provide a set of recommended architectures for small, medium, and large footprint stores

Ensure data security as you build out advanced capabilities in your network

Page 35:

Our Partners for PCI Solution for Retail

We are working with leading industry partners to join us in providing recommended network architectures to meet compliance

Audit and remediation services: Cybertrust, AmbironTrustWave

Hardware and software partners

POS: IBM, Wincor Nixdorf

Handheld devices: Intermec

Anti-virus software: TrendMicro

Page 36:

Recommended Architectures

The Benefits of Recommended Architectures

Cisco worked with PCI auditors to develop architectures that address the requirements of PCI compliance

Lab-tested and audited architectures provide guidance on the best configuration of various network products

Tested architectures provide guidance to maximize integration with various technology partners

Reduced complexity for retailers configuring networks for PCI compliance

Mapping of Cisco products directly to PCI requirements

Page 37:

Applying the Intelligent Information Network to PCI DSS

Page 38:

Sample Network Environment

(Diagram; only its labels survive extraction. Zones: remote location, Internet edge, data center / main office. Components shown: POS terminal, wireless POS, WAP with LWAPP, desktop, POS server, credit card storage, on-line store, policies, Internet, ISR, 4500 switch, LAN switch, ASA, 6500/7600 FWSM, CS-MARS, NAC Appliance, CSA on hosts, CSM, NCM/CAS, IronPort, PostX.)

Page 39:

PCI DSS Requirement 1

Page 40:

PCI DSS Requirement 1 (continued)

Page 41:

Requirement 1: Install and maintain a firewall configuration to protect data

(Diagram: the sample network environment of page 38, annotated for Requirement 1.)

Page 42:

PCI DSS Requirement 2

Page 43:

Requirement 2: Do not use vendor-supplied defaults for system settings

(Diagram: the sample network environment of page 38, annotated for Requirements 1 and 2.)

Page 44: © 2006 Cisco Systems, Inc. All rights reserved.Cisco PulbicPresentation_ID 1 Compliance and the Intelligent Information Network Fred Colacchio, CISSP Security

© 2006 Cisco Systems, Inc. All rights reserved. Cisco PulbicPresentation_ID 50

PCI DSS Requirement 3

Page 45: © 2006 Cisco Systems, Inc. All rights reserved.Cisco PulbicPresentation_ID 1 Compliance and the Intelligent Information Network Fred Colacchio, CISSP Security

© 2006 Cisco Systems, Inc. All rights reserved. Cisco PulbicPresentation_ID 51

PCI DSS Requirement 3 (continued)

Page 46: © 2006 Cisco Systems, Inc. All rights reserved.Cisco PulbicPresentation_ID 1 Compliance and the Intelligent Information Network Fred Colacchio, CISSP Security

© 2006 Cisco Systems, Inc. All rights reserved. Cisco PulbicPresentation_ID 52

[Figure: PCI reference network diagram annotated for Requirement 3: Protect Stored Data. Sites shown: remote location, Internet edge, data center/main office. Components shown: Internet, credit card storage, desktop, POS terminal, wireless POS, policies, POS server, ISR, 4500 switch, ASA, 6500/7600 FWSM, CS-MARS, NAC Appliance, CSA, LAN switch, WAP, LWAPP, online store, CSM, NCM/CAS, IronPort/PostX. Requirements highlighted: 1, 2, 3.]


PCI DSS Requirement 4


[Figure: PCI reference network diagram annotated for Requirement 4: Encrypt transmission of cardholder data across public networks. Sites shown: remote location, Internet edge, data center/main office. Components shown: Internet, credit card storage, desktop, POS terminal, wireless POS, policies, POS server, ISR, 4500 switch, ASA, 6500/7600 VPN/FW, CS-MARS, NAC Appliance, CSA, LAN switch, WAP, LWAPP, online store, CSM, NCM/CAS, IronPort/PostX. Requirements highlighted: 1, 2, 3, 4.]


PCI DSS Requirement 5


[Figure: PCI reference network diagram annotated for Requirement 5: Use and regularly update anti-virus software. Sites shown: remote location, Internet edge, data center/main office. Components shown: Internet, credit card storage, desktop, POS terminal, wireless POS, policies, POS server, ISR, 4500 switch, ASA, 6500/7600 FWSM, CS-MARS, NAC Appliance, CSA, LAN switch, WAP, LWAPP, online store, CSM, NCM/CAS, IronPort/PostX. Requirements highlighted: 1, 2, 3, 4, 5.]


PCI Requirement 6


PCI DSS Requirement 6 (continued)


[Figure: PCI reference network diagram annotated for Requirement 6: Develop and maintain secure systems and applications. Sites shown: remote location, Internet edge, data center/main office. Components shown: Internet, credit card storage, desktop, POS terminal, wireless POS, policies, POS server, ISR, 4500 switch, ASA, 6500/7600 FWSM, CS-MARS, NAC Appliance, CSA, LAN switch, WAP, LWAPP, online store, CSM, NCM/CAS, IronPort/PostX, ACE, ACE XML. Requirements highlighted: 1, 2, 3, 4, 5, 6.]


PCI DSS Requirement 7


[Figure: PCI reference network diagram annotated for Requirement 7: Restrict access to data by business need-to-know. Sites shown: remote location, Internet edge, data center/main office. Components shown: Internet, credit card storage, desktop, POS terminal, wireless POS, policies, POS server, ISR, 4500 switch, ASA, 6500/7600 FWSM, CS-MARS, NAC Appliance, CSA, LAN switch, WAP, LWAPP, online store, CSM, NCM/CAS, IronPort/PostX. Requirements highlighted: 1, 2, 3, 4, 5, 6, 7.]


PCI DSS Requirement 8


[Figure: PCI reference network diagram annotated for Requirement 8: Assign a unique ID to each person with computer access. Sites shown: remote location, Internet edge, data center/main office. Components shown: Internet, credit card storage, desktop, POS terminal, wireless POS, policies, POS server, ISR, 4500 switch, ASA, 6500/7600 FWSM, CS-MARS, NAC Appliance, CSA, LAN switch, WAP, LWAPP, online store, CSM, NCM/CAS, ACS. Requirements highlighted: 1, 2, 3, 4, 5, 6, 7, 8.]


PCI DSS Requirement 9


[Figure: PCI reference network diagram annotated for Requirement 9: Restrict physical access to cardholder data. Sites shown: remote location, Internet edge, data center/main office. Components shown: Internet, credit card storage, desktop, POS terminal, wireless POS, policies, POS server, ISR, 4500 switch, ASA, 6500/7600 FWSM, CS-MARS, NAC Appliance, CSA, LAN switch, WAP, LWAPP, online store, CSM, NCM/CAS, ACS, digital video surveillance. Requirements highlighted: 1 through 9.]


PCI DSS Requirement 10


[Figure: PCI reference network diagram annotated for Requirement 10: Track and monitor all access to network and cardholder data. Sites shown: remote location, Internet edge, data center/main office. Components shown: Internet, credit card storage, desktop, POS terminal, wireless POS, policies, POS server, ISR, 4500 switch, ASA, 6500/7600 FWSM, CS-MARS, NAC Appliance, CSA, LAN switch, WAP, LWAPP, online store, CSM, NCM/CAS, ACS, digital video surveillance, IronPort/PostX. Requirements highlighted: 1 through 10.]


PCI DSS Requirement 11


[Figure: PCI reference network diagram annotated for Requirement 11: Regularly test security systems and processes. Sites shown: remote location, Internet edge, data center/main office. Components shown: Internet, credit card storage, desktop, POS terminal, wireless POS, policies, POS server, ISR, 4500 switch, ASA, 6500/7600 FWSM, CS-MARS, NAC Appliance, CSA, LAN switch, WAP, LWAPP, online store, CSM, NCM/CAS, ACS, digital video surveillance, IronPort/PostX. Requirements highlighted: 1 through 11.]


PCI DSS Requirement 12


PCI DSS Requirement 12 (continued)


[Figure: PCI reference network diagram annotated for Requirement 12: Maintain a policy that addresses information security. Sites shown: remote location, Internet edge, data center/main office. Components shown: Internet, credit card storage, desktop, POS terminal, wireless POS, policies, POS server, ISR, 4500 switch, ASA, 6500/7600 FWSM, CS-MARS, NAC Appliance, CSA, LAN switch, WAP, LWAPP, online store, CSM, NCM/CAS, ACS, digital video surveillance, IronPort/PostX. Requirements highlighted: 1 through 12.]


Applying IIN Components to PCI: Product Details


Cisco Security Routers: Addressing PCI Requirements

Applies to PCI Requirements 1, 2, 4, 6, 10, 11

Integrates PCI controls into the network infrastructure

Reduces complexity: fewer products to manage

Enables future business initiatives

Cisco® Security Routers: Core Platform for PCI. Platform services: SSL and IPsec VPN; WAN backup; Network Admission Control; application firewall; intrusion prevention; Network Foundation Protection; wireless; IP telephony; URL filtering.


Cisco Security Routers: Addressing PCI: Core Platform

Cisco® Security Routers: Core Platform for PCI. Platform services: SSL and IPsec VPN; WAN backup; Network Admission Control; application firewall; intrusion prevention; Network Foundation Protection; wireless; IP telephony; URL filtering.

Applies to PCI Requirements 1, 2, 4, 6, 10, 11. Callouts on the diagram:

Encrypt transmission of all cardholder data

Limit access to cardholder resources: hide internal IP addresses (NAT), stateful firewall between wired and wireless, block unused ports

Network IDS/IPS

Reduce devices with an integral WAP

All systems secured: AutoSecure, secure management

Business resiliency

Integrated Call Manager VoIP

WPA


Secure Router

Addresses PCI Requirements 1, 2, 4, 6, 10, 11

1. Stateful IOS firewall separates wired and wireless networks

2. Apply NSA guidelines for secure router configuration with one click: AutoSecure (or network-wide with NCM)

4. Provides high-performance encryption of sensitive data

6. Offers secure device management (HTTPS, SSH, SCP, etc.)

10. Provides forensic logging using NetFlow and syslog

11. Integrates IPS for wired and wireless networks

Application inspection and URL filtering, exceeding PCI requirements

Integrated with other advanced technologies (VoIP and wireless) in the same platform


ASA

Addresses PCI Requirements 1, 2, 4, 6, 10, 11

1. Stateful IOS firewall separates wired and wireless networks

2. GUI device manager to change system default passwords

4. Provides high-performance encryption of sensitive data, ideal at the headend and at larger remote locations that need a dedicated security device

6. Offers secure device management (HTTPS, SSH, SCP, etc.)

10. Anti-X capabilities protect against malicious attempts

11. Integrates IPS for wired and wireless networks

Application inspection and URL filtering, exceeding PCI requirements


Catalyst 6500/Cisco 7600 Security Service Modules

Addresses PCI Requirements 1, 2, 3, 6, 11, 12

Similar to ASA, appropriate for large enterprises and service providers


Cisco Security Agent: PC and Server Protection

Desktop Protection:
• Distributed firewall
• Day-zero virus/worm protection
• File integrity checking
• Application security
• Policy enforcement

Server Protection:
• Host-based intrusion prevention
• Day-zero virus/worm protection
• Operating system hardening
• Web server protection
• Security for other applications
• Application data protection


Cisco Security Agent

Addresses PCI Requirements 1, 2, 3, 5, 6, 7, 10, 11, 12

1. Personal firewall on end devices

2. Disables unnecessary and insecure services, protocols and functionality on servers

3. Data Theft Prevention Rule protects stored data on servers and clients, as well as prohibits copying/tampering of information

5. Augments anti-virus software via Day Zero protection

6. Protects devices during security patch testing and enables effective patch management process

7. Data Theft Prevention Rule allows only authorized users access to information

10. Can maintain per-system audit logs, providing a forensic behavior trail

11. Provides host-based intrusion prevention, and performs file integrity monitoring & protection against unauthorized modification


Network Admission Control (NAC Appliance: Clean Access Server and Clean Access Manager)

Admission flow:

1. End user attempts to access a network. Network access is blocked until the end user provides login information.

2. User is redirected to a login page. The user login is validated, and the device is scanned to assess vulnerabilities and posture.

3a. Device is noncompliant: the user is denied network access and assigned to a quarantine role, and device remediation takes place.

3b. Device is compliant: the machine gets on the "clean list" and is granted access to the network.

[Figure: NAC Appliance diagram showing the authentication server, the NAC appliance, the network access device, wired, wireless and VPN (IPsec/SSL) access paths, the login prompt ("Please enter username:"), posture assessment (compliant / not compliant), quarantine, and the device security, network security and identity layers.]


Cisco NAC Appliance

Addresses PCI Requirements 5, 6, 11, 12

5. Checks that anti-virus software on the end point is up to date and consistent with current security policy

6. Checks to ensure that all relevant security patches are installed on end device

11. Prevents unauthorized access to the network from the inside
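The admission flow on the Network Admission Control slide and the posture checks on this NAC Appliance slide, modelled in Python as an added example (not Cisco code): an endpoint is blocked until it logs in, is posture-checked for anti-virus currency and required patches, and lands either on the clean list or in a quarantine role. The policy values, user, patch IDs and MAC address are constructed, and the in-memory password store stands in for the authentication server.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """Posture policy the Clean Access Manager would push to the server (constructed)."""
    max_av_age_days: int              # anti-virus signatures may be at most this old
    required_patches: frozenset[str]  # patch IDs that must be installed


@dataclass(frozen=True)
class Endpoint:
    mac: str
    av_signature_date: date
    installed_patches: frozenset[str]


class NacAppliance:
    """Clean Access Server and Manager collapsed into one object (constructed model)."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self._users: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, PBKDF2 hash)
        self.clean_list: set[str] = set()                 # MACs granted access
        self.quarantine: dict[str, list[str]] = {}        # MAC -> failed checks

    # Stand-in for the authentication server (a real deployment would use ACS).
    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._derive(password, salt))

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _login_ok(self, user: str, password: str) -> bool:
        if user not in self._users:
            return False
        salt, expected = self._users[user]
        return hmac.compare_digest(self._derive(password, salt), expected)

    def posture_failures(self, ep: Endpoint, today: date) -> list[str]:
        """The two checks the NAC Appliance slide names: AV currency and patches."""
        failures = []
        if today - ep.av_signature_date > timedelta(days=self.policy.max_av_age_days):
            failures.append("anti-virus signatures out of date")
        for patch in sorted(self.policy.required_patches - ep.installed_patches):
            failures.append(f"missing patch {patch}")
        return failures

    def connect(self, ep: Endpoint, today: date,
                user: Optional[str] = None, password: Optional[str] = None) -> str:
        """One admission attempt; returns the role the endpoint ends up in."""
        if ep.mac in self.clean_list:
            return "access"                        # already on the clean list
        if user is None or password is None:
            return "redirect-to-login"             # step 1: blocked until login
        if not self._login_ok(user, password):
            return "login-failed"                  # step 2: login not validated
        failures = self.posture_failures(ep, today)  # step 2: device scanned
        if failures:
            self.quarantine[ep.mac] = failures     # step 3a: quarantine role
            return "quarantine"
        self.quarantine.pop(ep.mac, None)          # remediation complete
        self.clean_list.add(ep.mac)                # step 3b: clean list
        return "access"


if __name__ == "__main__":
    # Constructed sample: one policy, one user, one laptop that is out of date.
    nac = NacAppliance(Policy(max_av_age_days=7, required_patches=frozenset({"KB-1", "KB-2"})))
    nac.add_user("alice", "s3cret")
    today = date(2007, 10, 3)
    laptop = Endpoint("00:11:22:33:44:55", date(2007, 9, 1), frozenset({"KB-1"}))
    print(nac.connect(laptop, today))                     # redirect-to-login
    print(nac.connect(laptop, today, "alice", "s3cret"))  # quarantine
    print(nac.quarantine[laptop.mac])
    fixed = Endpoint(laptop.mac, today, frozenset({"KB-1", "KB-2"}))
    print(nac.connect(fixed, today, "alice", "s3cret"))   # access
```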


IronPort Email & Content Security At Work: IronPort Customer Use Cases

Intellectual Property Protection (NPI Data): policy rules for specific senders/recipients; block messages containing confidential data

Acceptable Use Policy Enforcement: block profanity; email attachment controls (size, type, content); legal disclaimers on specific messages; archive specific messages

Regulatory Compliance: scan for PHI/NPI and block infractions; secure business partner communication; compliance quarantines for remediation policies


IronPort Content Security: Overview

Powerful attachment scanning technology for Intellectual Property Protection (NPI Data)

Complete on-box or off-box end-user-to-end-user encryption capability

Turnkey solution for Regulatory Compliance (HIPAA, SOX, etc.)

Flexible system for creating and enforcing corporate Acceptable Use Policy


IronPort Email Encryption: The Easiest Path to Protecting Confidential Email

Universal Reach: send to any email user

Auditable Policy Enforcement: content scanning at the gateway drives encryption; does not rely on or require user action

Easiest to Use: transparent to the sender; no client software for sender or receiver

Easiest to Deploy and Manage: no client software; hosted key management system


IronPort

Addresses PCI Requirements 4, 7, 10, 12

4. Enforces encryption of confidential information

7. Restricts access to cardholder data

Data Theft Prevention Rule allows only authorized users to access/send/open confidential information

10. Tracks and Monitors access to cardholder data

12. Demonstrates/maintains security policy


Cisco Wireless Access Points

Addresses PCI Requirements 2, 4, 6, 11, 12

2. WPA encryption support

4. WPA encryption support

11. Wireless intrusion detection support within wireless access points


Cisco Secure MARS: Monitor, Analysis and Response System

Multi-vendor

Powerful monitoring, analysis, response system

Multi-vendor support

Correlate events from multiple sources, such as vulnerability assessment and NetFlow data, to detect anomalies

Visualization; Reduced Complexity

Lower TCO: appliance based

Simple-to-install solution

Simple licensing, no software agents

Mitigation of Attacks

Mitigate attacks by isolating switch ports and applying ACLs closest to the source

Know the "what, where, and how" of threats

Leverage the intelligence in the network to enforce security policies

Visualize attack paths and identify network hot spots

Identifies valid incidents and minimizes false positives

Higher network availability: identify day-zero attacks, reduce resolution time


CS-MARS

Multi-vendor event correlation

Network-wide security monitoring, attack visualization and response

Addresses PCI Requirements 10, 11, 12

Receives logs, alerts, audit trails from systems throughout the network and creates reports to use for compliance

Must review device logs. Provides correlation, aggregation and comparisons of information

Gather/Analyze NetFlow data

Generate incident reports

Immediate incident response: CS-MARS defines appropriate mitigation response


CS-MARS

Addresses PCI Requirements 10, 11, 12

10. Receives logs, alerts, audit trails from systems throughout the network and creates reports to use for compliance

Creates operational efficiencies for log review

11. Provides correlation, aggregation and comparisons of information

CS-MARS is the primary tool for reducing costs and increasing reporting efficiencies around maintaining compliance


Cisco Security Manager: Multi-product, multi-technology configuration

Policy Administration

Centrally provision policies for firewalls, VPNs and IPS

Very scalable

Policy Inheritance feature enables consistent policies across the enterprise

Powerful device grouping options

Role-based access: change control

Firewall Administration

Configure policies for ASA, PIX, FWSM and IOS

Single rule table for all platforms

Intelligent analysis of policies

Sophisticated rule table editing

Compresses the number of access rules required

VPN Administration

VPN Wizard: set up site-to-site, hub-and-spoke and full-mesh VPNs with a few mouse clicks

Configure remote-access VPN, DMVPN, and Easy VPN devices

Superior Usability

Administer policies visually on tables or a topology map

Jumpstart help: an extensive animated learning tool

Flexible management views: policy-based, device-based, map-based, VPN-based

IPS Administration

Automatic updates to the IPS sensors

Support for Outbreak Prevention Services


Cisco Security Manager (CSM)

Addresses PCI Requirements 11, 12

11. Provides comparisons of configurations (diffs)

12. Maintains a Security Policy (FW, IDS, VPN, Switches)


Cisco Secure Access Control Server (ACS)

AAA logging/Audit: Who, What, When

Support strong password requirements/change mgmt.

Two-Factor authentication

Administration authentication, access rights

Network device authentication


Cisco Access Control Server

Addresses PCI Requirements 8, 10, 12

8. Provides authentication, authorization, and accounting (AAA) for network devices through TACACS+. Provides a unique username for all users

10. Maintains a forensic audit trail of who accessed the network, what they did, and when they did it


Network Compliance Manager

Addresses PCI Requirements 10, 12

10. Maintains a forensic audit trail of who accessed the network, what they did, and when they did it

Alerts on configuration modifications, deviations

Full audit trail

Validates configurations against NSA, SAFE, best practice

Tracks system compliance metrics

Demonstrable controls
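The Secure Router slide (AutoSecure, NSA guidelines) and this Network Compliance Manager slide both describe validating device configurations against a baseline, and Cisco Security Manager is credited with configuration diffs. As an added example (not Cisco code), the Python below runs a small constructed baseline for PCI Requirements 2 and 10 over a made-up IOS-style configuration before and after hardening, and reports the diff between the two; the rule set, hostname and addresses are assumptions.

```python
import difflib
import re

# Constructed sample: a store router still carrying vendor defaults ...
WEAK_CONFIG = """\
hostname store-rtr
enable password cisco
snmp-server community public RO
ip http server
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# ... and the same router after hardening (AutoSecure-style settings; the
# enable secret hash and addresses are placeholders).
HARDENED_CONFIG = """\
hostname store-rtr
service password-encryption
service timestamps log datetime msec localtime
enable secret 5 <hash-placeholder>
no ip http server
ip http secure-server
ip ssh version 2
snmp-server community St0reR0nly RO 10
logging host 10.0.0.5
ntp server 10.0.0.6
line vty 0 4
 login local
 transport input ssh
"""


def parse_ios(text: str):
    """Split an IOS-style config into top-level lines and indented sub-blocks."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue                       # comments and blank lines
        if line.startswith(" ") and current is not None:
            blocks.setdefault(current, []).append(line.strip())
        else:
            top.append(line)
            current = line
    return top, blocks


def _has(top, pattern: str) -> bool:
    return any(re.match(pattern, line) for line in top)


def findings(text: str) -> list:
    """Return (requirement, message) pairs for every baseline rule the config fails."""
    top, blocks = parse_ios(text)
    out = []
    # Requirement 2: vendor defaults and insecure management services
    for line in top:
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in ("public", "private"):
            out.append(("2", f"default SNMP community '{m.group(1)}' in use"))
    if not _has(top, r"service password-encryption$"):
        out.append(("2", "service password-encryption not set"))
    if _has(top, r"enable password "):
        out.append(("2", "enable password used instead of enable secret"))
    if not _has(top, r"no ip http server$"):
        out.append(("2", "clear-text HTTP management not disabled"))
    if not _has(top, r"ip ssh version 2$"):
        out.append(("2", "SSH version 2 not enforced"))
    for name, body in blocks.items():
        if name.startswith("line vty") and "transport input ssh" not in body:
            out.append(("2", f"{name}: transport input not restricted to ssh"))
    # Requirement 10: an audit trail needs a syslog collector, timestamps and NTP
    if not _has(top, r"logging host "):
        out.append(("10", "no syslog host configured"))
    if not _has(top, r"service timestamps log datetime"):
        out.append(("10", "log messages not timestamped"))
    if not _has(top, r"ntp server "):
        out.append(("10", "no NTP server configured"))
    return out


def config_diff(baseline: str, running: str) -> list:
    """Added/removed lines between two configs (the comparison CSM is credited with)."""
    diff = difflib.unified_diff(baseline.splitlines(), running.splitlines(),
                                "baseline", "running", lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


if __name__ == "__main__":
    for req, msg in findings(WEAK_CONFIG):
        print(f"Req {req}: {msg}")
    print("hardened findings:", findings(HARDENED_CONFIG))  # []
    print("\n".join(config_diff(WEAK_CONFIG, HARDENED_CONFIG)))
```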


Audit Process and Lessons Learned


Audit Process: Assessment and ROC

The QSA’s Assessment report is the written response to the audit process.

For areas that do not pass, they will recommend compensating controls

Remediation services are typically required after the audit.

After audit and remediation, the retailer can submit their Report of Compliance for review by a PCI Company (e.g., Visa, MasterCard) for final approval.


Audit Process Best Practices for Retailers

Be proactive - Collecting information required for the audit in advance can shorten the process

Study a sample ROC: it shows the whole specification and helps clarify which areas to focus on

Centralized network management tools save time and costs in managing remote device configurations

Partner with your Qualified Security Assessor (QSA)

The QSA is strategic to becoming PCI compliant.

Most companies will not pass on the first try

Understand the QSA’s process and their approach to the audit and remediation.


Design Validation: Lessons Learned

ISR is ideal for retail because it addresses many PCI requirements in a single device: router, FW, IDS

MARS reduces labor requirements for event correlation

Wireless scanning for rogue AP detection is required, whether a WLAN is installed or not (PCI 11.1b)

WCS, ACS and MARS require compensating controls for administrative authentication

“CSA was impressive” – it ensures file integrity of audit logs on systems that had no file integrity system

Source: Cybertrust auditor Dec 2006


Summary

Enterprises are still struggling with compliance, as evidenced by fines, lawsuits, and breaches

The IIN plays a critical role in addressing various compliance programs: internal, regulatory, or commercial

PCI DSS can be leveraged for other compliance programs

Cisco continues to provide customers with a framework for compliance


Reference & Supplemental Material


Links

Compliance related on Cisco.com

http://www.cisco.com/pcgi-bin/search/search.pl?searchPhrase=compliance&accessLevel=Guest&language=en&country=US&Search+All+Cisco.com=cisco.com

Cisco’s PCI for Retail architectures

http://www.cisco.com/web/strategy/retail/pci.html

Related

VISA CISP website

http://usa.visa.com/merchants/risk_management/cisp.html

SANS

www.sans.org


PCI Solution: Product Alignment

Each row lists Solution: Feature / PCI value

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Integrated Service Router (ISR): Network security (firewall segmentation/filtering), stateful filtering

CiscoWorks (LMS), CSM: Configuration management/secure configurations

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

ISRs, switches, wireless devices, WCS, ACS, CiscoWorks (LMS), CSA, CSM: Vendor defaults changed

WCS/wireless controllers: Wireless security (WPA/WPA2, SSID broadcast disabled)

ISRs, switches, wireless controllers (CSA Manager, CSM, CiscoWorks (LMS)): Best practice security parameters enabled

ISRs, switches, wireless controllers (CSA Manager, CSM, CiscoWorks (LMS), CS-MARS, ACS, WCS): Non-console encrypted administrative access

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Wireless controllers: WPA wireless security

Requirement 5: Use and regularly update anti-virus software or programs.

Cisco Security Agent: Anti-virus protection, malware/spyware protection, alerting

Requirement 6: Develop and maintain secure systems and applications.

CiscoWorks (LMS), CSM (Workflow mode): Change control


PCI Solution-Product Alignment (continued)

Solution | Feature (PCI value)

Requirement 7: Restrict access to cardholder data by business need-to-know.

ISRs, switches, wireless controllers (CSA Manager, CSM, CiscoWorks (LMS), CS-MARS, ACS, WCS) | Least-privilege, role-based access

Requirement 8: Assign a unique ID to each person with computer access.

ISRs, switches, wireless controllers (CSA Manager, CSM, CiscoWorks (LMS), CS-MARS, ACS, WCS) | Unique user IDs, authenticated access, encrypted passwords, no group/shared IDs/passwords

ISRs, switches, wireless controllers (CSA Manager, CSM, CiscoWorks (LMS), CS-MARS, ACS) | Password strength requirements

ISRs, switches, wireless controllers (CSA Manager, CSM, CiscoWorks (LMS), CS-MARS, ACS) | Account lockout requirements

Requirement 10: Track and monitor all access to network resources and cardholder data.

ISRs, switches, wireless devices, WCS, ACS, CiscoWorks (LMS), CSA | Audit trails, time synchronization

Requirement 11: Regularly test security systems and processes.

Wireless controllers | Rogue wireless AP/device detection

ISRs (sensor), CSM (policy, signature updates) | Network IDS

CSA | Host-based IDS

CSA | File integrity


GLBA Financial Privacy: The Gramm-Leach-Bliley Act

The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes provisions to protect consumers' personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and the pretexting provisions.

The GLB Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to "financial institutions," which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities. Such non-traditional "financial institutions" are regulated by the FTC.

The Financial Privacy Rule governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, that receive such information. For a summary overview of the Financial Privacy Rule, see In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act.

The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from other financial institutions.

The pretexting provisions of the GLB Act protect consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as "pretexting."


Which Cisco Products and Solutions Help Address the SOX Requirements?

Intrusion Detection and Prevention

Cisco IPS 4200 Series Sensors, Cisco Integrated Services Routers with Security Bundle, Cisco ASA 5500 Series Adaptive Security Appliances, Cisco Catalyst® Security Services Modules

Logging, Authentication, Access Control

Cisco Secure Access Control Server (ACS), Cisco Security Agent, Cisco Security Mitigation, Analysis and Response System (MARS)

Antivirus Policy

Cisco ASA 5500 Series, Cisco Firewall Services Module, Integrated Services Routers, Cisco IPS 4200 Series, Cisco Security Agent

Remote-Access Policy

Cisco ASA 5500 Series, Cisco Integrated Services Routers

Configuration Policy

Cisco Security Device Manager (Security Bundles), Cisco Security Network Compliance Manager Agent, Cisco Security MARS, Cisco Security Manager, Network Admission Control

Regular Vulnerability Assessment


Which Cisco Products and Solutions Help Address the GLBA Requirements?

Protect Against Unauthorized Access

Cisco Access Control Servers, 802.1x, Network Admission Control, Cisco Integrated Services Routers, Cisco ASA 5500 Series Adaptive Security Appliances

Secure Data Exchange with Affiliates and Service Providers

VPNs (such as those using IP Security, DMVPN, and Secure Sockets Layer VPN technologies), Cisco ASA 5500 Series & ISRs, IronPort PostX

Detecting, Preventing, and Responding to Attacks and Intrusions

Cisco Security Monitoring, Analysis and Response System, Cisco IPS solutions, Cisco Security Agent, Cisco Security Manager

Implement, Test, and Adjust a Security Plan on a Continuing Basis

Cisco Network Compliance Manager, Configuration Assurance Solution, Cisco Security Posture Assessment, and Penetration Testing Services


Which Cisco Products and Solutions Help Address the HIPAA Requirements?

Protect Against Unauthorized Access

Cisco Access Control Server, 802.1x, Network Admission Control, Cisco Integrated Services Routers, Cisco ASA 5500 Series Adaptive Security Appliances

Secure Data Exchange with Affiliates and Service Providers

VPNs (such as those using IP Security, DMVPN, and Secure Sockets Layer VPN technologies), IronPort PostX

Detecting, Preventing, and Responding to Attacks and Intrusions

Cisco Security Monitoring, Analysis and Response System, Cisco Intrusion Prevention System solutions, Cisco Security Agent, Cisco Security Manager

Implement, Test, and Adjust a Security Plan on a Continuing Basis

Cisco Security Posture Assessment and Penetration Testing Services, Network Compliance Manager, Configuration Assurance Manager