Upload
morgan-powell
View
215
Download
1
Tags:
Embed Size (px)
Citation preview
1
Payment Card Industry (PCI) Data Security Standards (DSS)
Challenges and Issues for zSeries Systems
Vanguard Integrity Professionals
www.go2vanguard.com
October 2012
2
The PCI Data Security Standards apply to any company that transmits, processes or stores credit card “cardholder” data.
While many companies are exempt from PCI, companies are not exempt from protecting their sensitive data which includes customer, company confidential and Personally Identifiable Information (PII).
This presentation provides an overview of the PCI Data Security Requirements, why they evolved, why they are important and how the requirements can leveraged by all companies to improve their overall compliance program. Several of the requirements will be discussed in detail, the “hidden meaning” of the requirement will be revealed, and examples will be provided showing how RACF controls can be implemented, and supporting evidence collected, to demonstrate compliance.
Session Overview
Overview
3
Albert Gonzalez, dubbed his operation: “Operation Get Rich or Die Tryin’”
As long as we have a Black Market for Credit Cards, we’ll continue to have Cardholder Breaches
Convicted for breaches at:TJX Corp (45M)
Heartland Payment Systems (100M)Hannaford Bros Co (4.2M)
7-Eleven (TBD)2 Unidentified Companies (TBD)
The Problem: Credit Card Breaches
Albert also infiltrated these companies for over 40 million cards:BJ's Wholesale ClubBarnes & Noble Inc
Office Max Dave & Buster's
DSW shoe stores Forever 21
4
The Cost of a Credit Card Breach
Forrester Report: Costs Associated with a Credit Card Breach
5
The PCI DSS Infrastructure
The PCI Security Council, Sponsoring Organizations, QSA’s and PFI’s
Qualified Security Assessor (QSA):(264 companies as of August 2011)
PCI Forensic Investigator (PFI):(15 companies as of August 2011)
PCI Security Council &Sponsoring Organizations:
6
Top PCI Challengesfor zSeries Systems
Challenges
1. Interpreting PCI DSS for zSeries Systems
7
Top PCI Challengesfor zSeries Systems
PCI DSS High Level Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data 3. Protect stored cardholder data4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.
8
“Interpreting PCI DSS for zSeries Systems”Requirement 7.2
Requirement 7: Restrict access to cardholder data by business need to know
PCI DSS Requirement Testing Procedure In Place
Not in Place
Target Date / Comments
7.2 Establish an access control system for systems components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.
This access control system must include the following:
7.2 Examine system settings and vendor documentation to verify that an access control system is implemented as follows:
7.2.1 Coverage of all system components
7.2.1 Confirm that access control systems are in place on all system components.
7.2.2 Assignment of privileges to individuals based on job classification and function
7.2.2 Confirm that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.
7.2.3 Default “deny-all” setting 7.2.3 Confirm that the access control system has a default “deny-all” setting
9
“Interpreting PCI DSS for zSeries Systems” Navigating PCI DSS
Refer to “Navigating PCI DSS” for guidance for interpreting the intent of a requirement.
Requirement 7.2 Guidance
Without a mechanism to restrict access based on user’s need to know, a user may unknowingly be granted access to cardholder data. Use of an automated access control system or mechanism is essential to manage multiple users.
This system should be established in accordance with your organization’s access control policy and processes (including “need to know” and “role-based access control”), should manage access to all system components, and should have a default “deny-all” setting to ensure no one is granted access until and unless a rule is established specifically granting such access.
10
“Interpreting PCI DSS for zSeries Systems” PCI 7.2.3 – “Deny-all” Settings
Requirement 7: Restrict access to cardholder data by business need to know
• The challenge for complying with PCI 7.2.3 is to determine the meaning of a default “deny-all” setting.
7.2 Establish an access control system for systems components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. This access control system must include the following:
7.2.3 Default “deny-all settings
• For a RACF system, the PROTECTALL feature would be the obvious default “deny-all” setting.
• However, if you stop there, you would be mis-interpreting the requirement.
PCI 7.2.3 Testing Procedure
Confirm that the access control systems have a default “deny-all” setting.
11
“Interpreting PCI DSS for z/OS Software” “Deny-all” Setting
Some examples of RACF “deny-all” settings:
Profiles - Universal Access
Profiles - Warning
Global Access Table
Inactive RACF Classes
ID(*) on an access list with READ or higher
“Deny-All” Settings
12
“Interpreting PCI DSS for zSeries systems”What is a z/OS “System Component” ?
1st Systems Programmer 2nd Systems Programmer RACF Engineer RACF Administrator
Master Catalog SDSF The RACF Database Dataset Profiles
APF Authorized Datasets Session Managers Copies of the RACF database
General Resource Profiles
LINKLIB Datasets SYS1.UADS Dataset SETROPTS Settings User ID Attributes
User Catalogs WebSphere RACF CDT Group Connect Authorities
RACF Database JES2 / JES3 RACF Classes Role Based Access
Parmlib Datasets OMEGAMON General Resource Profiles
Database Administrator
Multi-User Access Systems
WebSphere MQ Encryption Keys IMS Databases
z/OS Security Patches DFSMS Group Membership DB2 Databases
System Proclibs SVC’s Privileged Userids DB2 Table Trace
Started Tasks CICS System Datasets RACF Exits Oracle Databases
SYS1.Parmlib DB2 System Datasets RACF Tables RACF Classes for DB2
SMF Log Files IBM Comm Server IRR Prefixed Utilities IDMS
System Exits Vendor Security Products Logging Parameters QSA & Compliance Officers
ICSF Encryption Keys Magnetic Tape ?
13
Top PCI Challengesfor zSeries Systems
Challenges
1. Proper Interpretation of the Requirements
2. Reducing Scope
14
“Reducing Scope”Current SMF Data Flow Diagram
SYS1.SMFMANxxSYSA.PARMLIB
(SMFPRM00)
PROD.SMF.WKLY(+1)
SEC.RACF.SMFW(+1)
SYS2.SMF.UNLOAD
SEC.RACF.SMFD(+1)
BKUP.SMF.WKLYY(+1)
SMF.DAILY(+1)
SEC.RACF.SMFM(+1)
ONLINE Reports
SAR.SEC.VIOL(+1)SAR.SEC.ACCESS(+1)SAR.RACF.CMDS(+1)
SAR.LOGONS(+1)
RACF Compliance Reports (stored on DASD volumes)
RACF Covering Profiles
SYSA.* SYS1.SMFMAN* SYS2.SMF* SMF.** PROD.SMF.** BKUP.SMF.** SEC.RACF.* SAR.**
RETPD: 10 days
RETPD: 20 days
RETPD: 60 days
RETPD: 180 days OFFSITE
RETPD: 1 day
RETPD: 60 days
RETPD: 30 days
SMF Data Flow Based on an “Interview”
15
“Reducing Scope”Reduced SMF Data Flow Diagram
SMF Data Flow Diagram
SMF.SMFMANxxSMF.PARMLIB(SMFPRM00)
SMF.WKLY(+1)
SMF.UNLOAD
SMF.RACF.SMFD(+1)
SMF.DAILY(+1)
RACF Covering Profiles
SMF.**
RACF Compliance Reports
RETPD: 14 days,
onsite
RETPD: 365 daysOffsite
RETPD: 90 days, onsite
RETPD: 1 day
Remediation Activities
1. Eliminated unnecessary SMF extract files
2. Renamed datasets to eliminate 7 RACF dataset profiles
3. Remediated the new RACF dataset profile to be PCI complaint
4. Increased the offsite retention period to from 180 to 365 days
5. Increased the onsite availability from 60 to 90 days
6. Created an SMF Data Flow Diagram to document the process
PCI 10.7.B
PCI 7.2.1PCI 7.2.2PCI 7.2.3
PCI 10.2.3 PCI 10.5.1 PCI 10.5.2
PCI 10.5.3
PCI 10.6
PCI 10.7.B
PCI 10.5.3
16
Top PCI Challengesfor zSeries Systems
Challenges
1. Proper Interpretation of the Requirements
2. Reducing Scope
3. Identifying “Not in Place” Requirements
17
“Identifying Not in Place Requirements”Vanguard’s Findings Mapped to PCI Requirements
Vanguard’s Top 10 RACF Findings
Rank Description of Finding Percent Occurrence of Finding
PCIRequirement
1 Excessive Number of User IDs with No Password Interval 67% 8.5.9
2 Data Set Profiles with UACC Greater than READ 52% 7.2.2 / 7.2.3
3 Inappropriate Usage of z/OS UNIX Superuser Privilege UID(0) 52% 7.2.2
4 Started Task IDs are not Defined as PROTECTED IDs 44% 2.2.3
5 Production Batch Jobs have Excessive Resource Access 39% 7.2.2
6 Excessive Access to APF Libraries 37% 7.2.2
7 Data Set Profiles with UACC of READ 36% 7.2.2 / 7.2.3
8 Excessive Number of User IDs with the OPERATIONS Attribute 35% 7.2.2
9 RACF Database is not Adequately Protected 32% 7.2.2
10 Excessive Number of User IDs with the Special Attribute 31% 7.2.2
18
“Identifying “Not in Place” Requirements”Is this Dataset Profile PCI Compliant?
INFORMATION FOR DATASET PCI.CREDIT.DATA (G) LEVEL OWNER UNIVERSAL ACCESS WARNING ERASE ---------- ---------- ------------------------------- -------------- ---------- 00 PCI READ YES NO AUDITING -------------- FAILURES(READ) NOTIFY ----------- NO USER TO BE NOTIFIED
ID ACCESS -------- ------- * READUSER1 READPCIGRP READ ID ACCESS CLASS ENTITY NAME -------- ------- -------- --------------------------------------------------------NO ENTRIES IN CONDITIONAL ACCESS LIST
PCI 7.2.2 Role Based Access
PCI 10.2.1 Log all access to cardholder data
PCI 9.10.2 Render cardholder data unrecoverable
PCI 7.2.3 PCI 7.2.3
PCI 7.2.3
Requirement Not in Place
7.2.2 User ids on access list
7.2.3 UACC not set to a deny-all setting
7.2.3 WARNING not set to a deny-all setting
7.2.3 ID(*) READ not set to a deny-all setting
9.10.2 ERASE not set to (YES)
10.2.1 AUDIT not set to (ALL)
11.5.b NOTIFY not used to send alerts
PCI 11.5.b
19
“Identifying “Not in Place” Requirements”PCI RACF Mini-Review
Making Management aware.
Why do I need a PCI z/OS RACF Mini Readiness Review?
The mini assessment is designed to give the administrator and their management a real-time view (health check) of the integrity of their system. The Mini assessment is an engagement that investigates areas in which we frequently find problems. Each problem is then mapped to the applicable PCI requirement.
This no charge offering, with an investment of only a few hours time, provides you with insight that there are z/OS RACF “Not in Place” conditions that need to be addressed. Mini Readiness Reviews can help you develop the justification management needs to allocate resources to address the issues identified.
20
Top PCI Challengesfor zSeries Systems
Challenges
1. Proper Interpretation of the Requirements
2. Reducing Scope
3. Identifying “Not in Place” Requirements
4. Proving Compliance
21
Report “Date and Time”
CPU ID
Report Masking Criteria
Version # Product Name
Watermark
Report Name
“Proving Compliance”Supporting Documentation
Profile Names
7.2.3 Deny-All Settings
Vanguard AdministratorTM
22
“Proving Compliance”Supporting Documentation
7.2 Establish an access control system for systems components Exhibit 7.2 – Cardholder Data Flow Diagram Exhibit 7.2 – RACF Data Flow Diagram Exhibit 7.2 – SMF Data Flow Diagram7.2.1 Coverage of all system components Exhibit 7.2.1 – RACF Databases
7.2.2 Assignment of privileges based on job classification and function RACF Group Profiles Exhibit 7.2.2 – RBAC Supporting Documentation RACF User ID Profiles Exhibit 7.2.2 – User IDs with System Level Administrative Privileges Exhibit 7.2.2 – User IDs on Access Lists RACF Dataset Profiles Exhibit 7.2.2 – Cardholder Dataset Profiles System Data Set Profiles Exhibit 7.2.2 – Authorized Program Facility (APF) Data Sets Exhibit 7.2.2 – DASD Volume Backup Data Sets Exhibit 7.2.2 – LINKLIST Data Sets
23
Top PCI Challengesfor zSeries Systems
Challenges and Solutions
1. Proper Interpretation of the Requirements
2. Reducing Scope
3. Identifying “Not in Place” Requirements
4. Proving Compliance
5. Staying Compliant
24
“Staying Compliant”Ongoing Readiness Reviews
Requirement 7.2.3System Settings
PROTECTALL Feature
Profile SettingsWARNING AttributeUniversal Access – UACC(NONE) AttributeID(*) on an Access ListGlobal Access Settings (GAC)
General Resource Back-Stop Profiles
Inactive General Resource Classes Profiles that can bypass a “deny-all” Setting
TAPEDSN FeatureICHBLP ProfileRACF Dataset Conversion TableRACF Exits
25
1. User issues a supported RACF command
“Continuous Monitoring and Policy Enforcement” of RACF Commands:
a) Validates that the command issuer is authorized to issue the command
b) Validates that the command is compliant with user-defined policies
c) Modifies commands to comply with written policies prior to execution
d) Fails non-compliant commands (e.g. unauthorized changes to the PCI.CREDIT.DATA profile)
e) Log all command activity to System Management Facility (SMF)
“Staying Compliant”Continuous Monitoring Tools - Intrusion Prevention
PCI 10.2.2PCI 10.2.7
Vanguard Policy ManagerTM
PCI 7.2.3
26
“Staying Compliant”Continuous Monitoring Tools - Intrusion Prevention
Monitor and Fail Non-Compliant RACF Commands
PCI 11.4.a
27
“Staying Compliant”Continuous Monitoring Tools - Intrusion Detection
Monitoring RACF “Insufficient Access” Events
28
“Staying Compliant”Continuous Monitoring Tools - Intrusion Detection
Vanguard Enforcer TM and Vanguard Advisor TM - Real-Time Alerts
PCI 11.4.b PCI 11.4.b
29
References
PCI Security Standards CouncilPayment Card Industry (PCI) Data Security Standards and Navigating PCI DSS 2.0https://www.pcisecuritystandards.org/
NIST - National Checklist Program Repository, zSeries RACF STIGhttp://web.nvd.nist.gov/view/ncp/repository?page_num=1
xBridge Systems - Achieving PCI Compliance on the Mainframe – White Paperhttp://www.xbridgesystems.com/products/whitepapers/Xbridge_White_Paper_Achieving_PCI_Compliance_on_the_Mainframe_April_2011.pdf
Verizon Business - Verizon 2010 Payment Card Industry Compliance Report http://www.verizonbusiness.com/resources/reports/rp_2010-payment-card-industry-compliance-report_en_xg.pdf
Gartner Research Note - "Why Your IBM zSeries Mainframe May Not Be as Secure as You Think It Is and What You Can Do About It."http://www.go2vanguard.com/gartner_request.php
Verisign Global Security Consulting Services - Compliance and the cost of a credit card breach http://www.verisign.com/static/PCI_REASONS.pdf
COMPUTERWORLD - January 6, 2010 Update: Heartland breach shows why compliance is not enoughhttp://www.computerworld.com/s/article/9143158/Update_Heartland_breach_shows_why_compliance_is_not_enough
Ponemon Institute - PCI DSS Trends 2010: QSA Insights Report
http://www.ponemon.org/data-security
30
PCI Testing Procedures Referenced in this Presentation
7.2.1 Confirm that access control systems are in place on all system components.
7.2.2 Confirm that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.
7.2.3 Confirm that the access control systems have a default “deny-all” setting.
10.2.2 Verify actions taken by any individual with root or administrative privileges are logged
10.2.3 Verify access to all audit trails is logged.
10.2.7 Verify creation and deletion of system level objects are logged.
10.5.1 Verify that only individuals who have a job-related need can view audit trail files.
10.5.2 Verify that current audit trail files are protected from unauthorized modifications via access control mechanisms
10.5.3 Verify that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.
10.6 Through observation and interviews, verify that regular log reviews are performed for all system components.
10.7.b Verify that audit logs are available for at least one year and processes are in place to immediately restore at least the last three months’ logs for analysis.
10.2.3 Verify access to all audit trails is logged.
11.4.a Verify the use of intrusion-detection systems and/or intrusion-prevention systems and that all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment is monitored.
11.4.b Confirm IDS and/or IPS are configured to alert personnel of suspected compromises.
References
31 ©2011 Vanguard Integrity Professionals, Inc.
Thank You
Grazie
Japanese
MerciFrench
Russian
DankeGerman
Italian
GraciasSpanish
ObrigadoBrazilian Portuguese
Arabic
Simplified Chinese
Traditional Chinese
HindiTamil
Thai
Korean
About Vanguard Integrity Professionals
Vanguard Integrity Professionals is the world’s leading solutions provider in the field of RACF®. Leveraging its robust suite of security administration and auditing tools, a development and professional services team comprised of more than 30 of the top RACF experts in the world, and a proven history of providing market leading solutions for over 20 years, Vanguard has established a reputation as the best in the industry. Vanguard offers the most comprehensive suite of security software solutions, professional services, and training of any vendor in the world. More than 500 customers have partnered with Vanguard to ensure and protect the integrity of Information Systems and the confidentiality of sensitive production data in the nation's largest financial, healthcare, retail organizations and government agencies. Vanguard is also the developer and sponsor of Vanguard Security and Compliance™ (formerly, the Vanguard Enterprise Security Expo), the most prominent and insightful security conference in the industry, which has trained more than 8,000 security experts since 1987. Vanguard Professional Services provides customers with the industry's most comprehensive set of enterprise professional service offerings in the RACF z/OS®, distributed and Network/Internet markets. Vanguard consultants, with an average of 25 years experience, offer strategic consulting and training tailored to meet an organization’s unique business requirements, and can assist in the process of managing risks to protect the integrity of information systems and confidentiality of your data. Vanguard consultants are highly regarded and considered the best-of-the-best in their field. Vanguard’s Software Solutions offer a robust set of tools for z/OS Security Server and Resource Access Control Facility (RACF) that dramatically improve the efficiency of security administration and management, and address the demands of regulatory compliance and reporting. The Security Server is transformed into a real-time intrusion detection and policy enforcement platform, extending System z® security and audit capabilities across the enterprise. With Vanguard's solutions users are empowered to make immediate and informed security decisions.
32