© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public. BRKSEC-2008 14327_04_2008_c2
Self-Defending Network Support for PCI
BRKSEC-2008
Session Description
This session discusses the Payment Card Industry (PCI) Data Security Standard and how you can use the network to help achieve PCI compliance.
We will cover the remote location, e-commerce sites, main campus, data center, and network management for PCI, using the Cisco PCI Validated Architecture Solutions as a reference.
Agenda
Session Objectives
Compliance and PCI Overview
Applying the Network toward PCI Compliance
Key Takeaways
Q and A
Session Objectives
At the end of the session, you should be able to:
Understand the 12 PCI Requirements
Gain knowledge of where PCI applies within your company
Apply technologies to help achieve PCI compliance
PCI Defined and Updates
The PCI Data Security Standard
Published January 2005; version 1.1 released September 7, 2006
Impacts all who process, transmit, or store cardholder data
PCI Security Standards Council maintains the standard and certifications
http://www.pcisecuritystandards.org
[Cover image: Payment Card Industry Data Security Standard, January 2005]
PCI Industry Updates
US Level 1 Merchants: deadline was September 30, 2007; 77% are compliant
364 Level 1 Merchants (38 were given a September 30, 2008 extension)
US Level 2 Merchants: deadline was December 31, 2007; 62% are compliant
1011 Level 2 Merchants (302 were given a December 30, 2008 extension)
Europe Merchants: 2008 deadline
Asia Merchants: 2009 deadline
US impact of non-compliance:
Level 1 merchants: $25,000–$100,000 per month fine, and will increase over time
Level 2 merchants: $5,000–$25,000 per month fine
Source: VISA January 2008
PCI Standards Update
New PCI Self-Assessment Questionnaire (SAQ) release: one SAQ becomes four SAQs, to reach more merchants
PCI DSS version 1.2 coming October 2008
Two Information Supplements released April 22, 2008:
11.3 Penetration Testing
6.6 Web Application Firewall
List of Qualified Security Assessors (QSA) continuously updated
List of Approved Scan Vendors (ASV) continuously updated
VISA PCI Categories – US Merchants
Level 1 Merchants
Criteria: more than six million Visa/MasterCard/American Express/Discover transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise
Requirement: annual onsite PCI data security assessment; quarterly network scan
Level 2 Merchants
Criteria: one million to six million transactions per year
Requirement: quarterly network scan; annual self-assessment
Level 3 Merchants
Criteria: 20,000 to one million e-commerce transactions per year
Requirement: quarterly network scan; annual self-assessment
Level 4 Merchants
Criteria: fewer than 20,000 e-commerce transactions per year
Requirement: quarterly network scan; annual self-assessment
Source: http://usa.visa.com/merchants/risk_management/cisp_merchants.html?it=c|/merchants/risk_management/cisp.html|Defining%20Your%20Merchant%20Level#anchor_2
VISA PCI Categories – Canadian Merchants
Level 1 Merchants
Criteria: more than six million Visa/MasterCard/American Express/Discover transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise
Requirement: annual onsite PCI data security assessment; quarterly network scan
Level 2 Merchants
Criteria: 150,000 to six million e-commerce transactions per year; one million to six million transactions per year
Requirement: quarterly network scan; annual self-assessment
Level 3 Merchants
Criteria: 20,000 to 150,000 e-commerce transactions per year
Requirement: quarterly network scan; annual self-assessment
Level 4A Merchants
Criteria: fewer than 20,000 e-commerce transactions per year
Requirement: quarterly network scan; annual self-assessment
Source: http://www.visa.ca/en/merchant/fraudprevention/ais/merchlevels.cfm
VISA PCI Categories – Europe Merchants
Level 1 Merchants
Criteria: processed more than 6,000,000 Visa transactions per year; compromised in the last year; identified as Level 1 by another card brand
Requirement: annual onsite PCI data security assessment; quarterly network scan
Level 2 Merchants
Criteria: one million to six million transactions per year
Requirement: quarterly network scan; annual self-assessment
Level 3 Merchants
Criteria: 20,000 to one million e-commerce transactions per year
Requirement: quarterly network scan; annual self-assessment
Level 4 Merchants
Criteria: fewer than 20,000 e-commerce transactions per year
Requirement: quarterly network scan; annual self-assessment
Source: VISA Europe http://www.visaeurope.com/aboutvisa/security/ais/resourcesanddownloads.jsp
VISA PCI Categories – Latin America Merchants
Level 1 Merchants
Criteria: high-risk merchants representing 80% of transaction volume (capable of storing credit card data); e-commerce merchants representing 80% of transaction volume; any merchant that has suffered a hack or an attack resulting in an account data compromise
Requirement: annual onsite PCI data security assessment; quarterly network scan
Level 2 Merchants
Criteria: high-risk merchants with the remaining 20% of transaction volume; e-commerce merchants with the remaining 20% of transaction volume
Requirement: annual self-assessment; quarterly network scan
Level 3 Merchants
Criteria: 20,000 to one million e-commerce transactions per year
Requirement: quarterly network scan; annual self-assessment
Source: VISA AIS Program http://www.visalatam.com/e_merchant/ais3.jsp
VISA PCI Categories – AsiaPac Merchants
Level 1 Merchants
Criteria: processed more than 6,000,000 Visa transactions per year
Requirement: annual onsite PCI data security assessment; quarterly network scan
Level 2 Merchants
Criteria: one million to six million transactions per year
Requirement: quarterly network scan; annual self-assessment
Level 3 Merchants
Criteria: 20,000 to one million e-commerce transactions per year
Requirement: quarterly network scan; annual self-assessment
Level 4 Merchants
Criteria: process fewer than 20,000 e-commerce transactions and fewer than one million transactions regardless of channel
Requirement: quarterly network scan; annual self-assessment
Source: VISA http://www.visa-asia.com/ap/au/merchants/riskmgmt/ais_how.shtml
VISA PCI Categories – US, Europe and Canada Service Providers
Level 1 Service Providers
Criteria: all VisaNet processors (member and non-member) and all payment gateways
Requirement: annual onsite PCI data security assessment; quarterly network scan
Level 2 Service Providers
Criteria: any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually
Requirement: annual onsite PCI data security assessment; quarterly network scan
Level 3 Service Providers
Criteria: any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually
Requirement: annual self-assessment; quarterly network scan
Source: VISA http://usa.visa.com/merchants/risk_management/cisp_service_providers.html?it=c|/merchants/risk_management/cisp.html|Defining%20Your%20Service%20Provider%20Level#anchor_3
The Payment Card Industry (PCI) Data Security Standard
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Applying Self-Defending Network to PCI
Cisco PCI Validated Architectures
Cisco Validated Design includes:
Recommended architectures for networks, payment data at rest and data in transit
Testing in a simulated retail enterprise which includes POS terminals, application servers, wireless devices, Internet connection and security systems
Configuration, monitoring, and authentication management systems
Architectural design guidance and audit review provided by PCI audit and remediation partners
[Logos: PCI audit partner; retail solution partners; Validated Design: Small Retail Store]
PCI Solution for Retail End-to-End Architecture
[Diagram: Retail store (Cisco Integrated Services Router, Cisco Catalyst switch, Cisco Aironet wireless LAN access point, POS electronic cash register, POS server, payment devices, mobile payments, desktop PCs and laptops) connected over the WAN through store WAN routers (VPN) to the data center. Data center: WAN aggregation, core, service aggregation (Cisco Catalyst switches with service modules), server access (Cisco Catalyst switches) to network services (authentication, monitoring, security system management, network management, key management), database servers and POS transaction servers; storage via MDS 9000 SAN switches, disk arrays and tape storage. Internet edge: edge routers, Adaptive Security Appliance, DMZ with web servers and web application firewall, VPN termination for teleworkers, customers and partners over the Internet.]
Data Center Architecture
WAN Routers: security services and QoS limit traffic in from the business network
If the WAN connects to a public network, Virtual Private Network encryption is required
IPSec tunnels encrypt traffic to store routers
Core Switches: high-speed switching and segmentation between the other layers
Service Aggregation Switches: application services include quality of service, content filtering, and load balancing
Security services include access control, firewall, intrusion prevention
[Diagram: Data Center overview. Store WAN routers over the WAN into WAN aggregation; core; service aggregation (Cisco Catalyst switches with service modules); server access (Cisco Catalyst switches) to network services (authentication, monitoring, security system management, network management), database servers, POS transaction servers and key management; storage (MDS 9000 SAN switches, disk arrays, tape storage).]
PCI Solution: Internet Edge
Edge Routers: access lists limit the traffic allowed in from the Internet
IPSec and secure web traffic is allowed in from the Internet
Service Aggregation Switches: application services include quality of service, content filtering, and load balancing
Security services include access control, firewall, intrusion prevention
De-Militarized Zone (DMZ): creates a limited-access zone
Connects web servers and e-commerce application servers
Virtual Private Network (VPN): connects IPSec tunnels from employees, partners or store routers
[Diagram: Internet Edge. Outside: Internet with teleworkers, partners, employees, customers/e-commerce and a store backup network; edge routers; Adaptive Security Appliances (VPN); DMZ with external web servers, web application server and ACE XML Gateway on Cisco Catalyst switches; inside: service aggregation (Cisco Catalyst switches with service modules) and data center core (Cisco Catalyst switches).]
PCI Solution for Retail: Retail Store Components
Intelligent Services Router: security services limit the traffic allowed in and out of the store network; routing, QoS and filtering of business data flows
Cisco Catalyst LAN Switches: segmentation, quality of service
Aironet Wireless Access Points: connect wireless clients to the store network; security and identity services enforce central policy for encryption and authentication
Business Servers and Hosts: Cisco Security Agent enforces file access and host firewall policy; RSA file and database security management encrypts stored data; RSA Key Manager enforces key management policy
[Diagram: Cisco Intelligent Services Router to the WAN; Cisco Catalyst LAN switch; Cisco Aironet wireless LAN access point; desktop PCs and laptops; POS electronic cash register; POS server; mobile POS and pricing; mobile payments; payment devices.]
PCI Solution: Remote Location (Small Store)
[Diagram: Cisco Integrated Services Router with Cisco IOS Security and Ethernet switch, primary and alternate WAN connections; Cisco 802.11a/g WLAN access point; PoS VLAN/WVLAN with POS cash register, mobile POS and POS server; data VLAN/WVLAN with inventory management and store worker PC (CSA); wireless controllers; centralized management servers: MARS, ACS, Security Manager, WCS.]
PCI Solution: Remote Location (Medium Store)
[Diagram: Cisco ISR with IOS Security plus Wireless LAN Controller, primary and alternate WAN connections; Cisco Catalyst switches with Power over Ethernet and security; Cisco 802.11a/b/g WLAN access points; PoS VLAN/WVLAN with POS, mobile POS and POS server; data VLAN/WVLAN with inventory management, partner device for inventory management and store worker PC (CSA); management VLAN; vendor/guest WVLAN with personal shopper/PDA for enhanced customer service; centralized management servers: MARS, ACS, Security Manager, WCS.]
PCI Solution: Remote Location (Large Store)
[Diagram: Cisco ISRs with IOS Security, primary and alternate WAN connections; Cisco Catalyst switches (distribution and access); wireless controllers; Cisco 802.11a/b/g WLAN access points; PoS VLAN/WVLAN with POS, mobile POS and POS server; data VLAN and WVLAN with inventory management, vendor device for inventory management and store worker PC (CSA); management VLAN; vendor/guest WVLAN with personal shopper/PDA customer service; centralized management servers: MARS, ACS, Security Manager, WCS.]
Network Environment Blueprint
[Diagram: Remote location: ISR, Cisco Catalyst switch, WAP, POS cash register, mobile POS, POS server, store worker PC (CSA), wireless device. Main office: 6500 switch, WAP, CSA hosts, NAC. Internet edge: 7300 router, ASA, IronPort, AXG, IPS, e-commerce servers. Data center: ASA, AXG, credit card storage, CSA hosts, NCM/CAS. Network management center: CS-MARS, CSM, ACS. Sites connected over the WAN.]
Cisco Security Manager (CSM) Topology-Centric View
PCI Requirement 1: Install and Maintain a Firewall Configuration to Protect Data
Configuration standards, documentation
Segment cardholder data from all other data
Firewall to public connections (inbound and outbound)
Wireless
Personal firewall
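The segmentation item above is easy to state and easy to get wrong in the rule order. The following is an added example, not code from the Cisco deck or from any Cisco product: a first-match ACL evaluator that checks, with constructed probe flows, whether a store's cardholder segment (POS VLAN) is actually isolated from the back-office data VLAN. The VLAN names, addresses, ports and rules are assumptions made for the example, not a validated design.

```python
# Added example, not from the Cisco deck: a first-match ACL evaluator used to check
# that a store's cardholder segment (POS VLAN) is isolated. VLAN names, addresses and
# rules are assumptions constructed for this example, not a validated Cisco design.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    dport: Optional[int]   # destination TCP/UDP port, None means any


ANY = "0.0.0.0/0"
POS_VLAN = "10.10.20.0/24"      # constructed: cardholder segment
DATA_VLAN = "10.10.10.0/24"     # constructed: back-office / store worker segment
POS_SERVER = "10.10.30.10/32"   # constructed: store POS server
PAYMENT_GW = "192.0.2.10/32"    # documentation address standing in for the processor

# Weak policy: the POS VLAN is restricted, but the data VLAN may reach anything,
# including the cardholder segment, so segmentation is one-directional only.
WEAK_ACL = [
    Rule("permit", POS_VLAN, POS_SERVER, 8443),
    Rule("permit", POS_VLAN, PAYMENT_GW, 443),
    Rule("deny", POS_VLAN, ANY, None),
    Rule("permit", DATA_VLAN, ANY, None),
]

# Hardened policy: explicit denies from the data VLAN into the cardholder segment
# are placed before its catch-all permit; anything unmatched hits the implicit deny.
HARDENED_ACL = [
    Rule("permit", POS_VLAN, POS_SERVER, 8443),
    Rule("permit", POS_VLAN, PAYMENT_GW, 443),
    Rule("deny", POS_VLAN, ANY, None),
    Rule("deny", DATA_VLAN, POS_VLAN, None),
    Rule("deny", DATA_VLAN, POS_SERVER, None),
    Rule("permit", DATA_VLAN, ANY, None),
]


def evaluate(acl, src_ip, dst_ip, dport):
    """First matching rule wins; an ACL with no match denies (implicit deny)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action
    return "deny"


# Constructed probe flows from the non-cardholder segment into the cardholder segment;
# Requirement 1 expects every one of them to be denied.
SEGMENTATION_PROBES = [
    ("10.10.10.5", "10.10.20.7", 445),     # store worker PC -> POS register
    ("10.10.10.5", "10.10.30.10", 8443),   # store worker PC -> POS server
    ("10.10.10.5", "10.10.30.10", 22),     # store worker PC -> POS server (ssh)
]


def segmentation_violations(acl):
    """Return the probe flows the ACL permits; an empty list means the segment is isolated."""
    return [flow for flow in SEGMENTATION_PROBES if evaluate(acl, *flow) == "permit"]


if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(name, "violations:", segmentation_violations(acl))
```

The weak policy passes a casual review (the POS VLAN "can only talk to the payment gateway") yet every probe from the data VLAN reaches the cardholder segment, because segmentation was only written in one direction. Probing both directions against the configuration, rather than reading the rules, is the check an assessor will expect for this item.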
Requirement 1: Install and Maintain a Firewall Configuration to Protect Data
[Diagram: Network Environment Blueprint annotated for Requirement 1, with the ASA firewalls at the Internet edge and data center and the store VLAN segmentation (Data VLAN, POS VLAN) called out. Same component set as the Network Environment Blueprint slide: remote location, main office, Internet edge, data center, network management center.]
CSM Firewall Configuration (For Your Reference) [screenshot]
CSM Global Firewall Configuration (For Your Reference) [screenshot]
ASA: Inspection Rules
Network Compliance Manager (NCM): Requirement 1 Status [screenshot]
PCI Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
Change vendor-supplied defaults
Wireless: change wireless vendor defaults, disable SSID broadcasts, use WPA/WPA2
Configuration standards for all system components
Implement one primary function per server
Disable all unnecessary and insecure services and protocols
Requirement 2: Do Not Use Vendor-Supplied Defaults for System Settings
[Diagram: Network Environment Blueprint for Requirement 2. Same component set as the Network Environment Blueprint slide: remote location, main office, Internet edge, data center, network management center.]
PCI Requirement 2.1 for Wireless
Verify that the Cisco Controller is, by default, configured for administrative restriction and AAA authentication for administrative users
Verify that no default SSID is enabled on the WLC
Disable/remove default SNMP strings of “public/private”
Create new community strings
Verify that default community strings are no longer accessible
Configure administrative user either via initial controller setup script or via CLI
Configure wireless system for WPA authentication
Disable SSID Broadcast
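The verification items above are the kind a compliance tool (NCM on this deck) or a short script checks from the running configuration. The following is an added example, not code from the Cisco deck or from NCM: an audit of a constructed IOS-style access point configuration for three of the 2.1 items (default SNMP community strings, a default SSID still enabled, WPA not configured, SSID broadcast). The config text is made up for the example; controller (WLC) output uses a different syntax, so the line patterns are assumptions to adapt rather than Cisco's own.

```python
# Added example, not from the Cisco deck: a small audit of an IOS-style access point
# configuration against the Requirement 2.1 wireless items. The config text is
# constructed for this example; real controller (WLC) output uses a different syntax,
# so treat the line patterns as assumptions to adapt, not as Cisco's own.
import re

DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_SSIDS = {"tsunami"}   # factory SSID on older Aironet APs; extend for your hardware

# Constructed sample: one default SNMP string left in place, one default SSID still
# enabled without WPA, and both SSIDs broadcast (guest-mode includes the SSID in beacons).
WEAK_CONFIG = """\
hostname store-ap-01
snmp-server community public RO
snmp-server community st0re-m0n-r0 RO
dot11 ssid POS-WLAN
 authentication key-management wpa version 2
 guest-mode
dot11 ssid tsunami
 authentication open
 guest-mode
"""

HARDENED_CONFIG = """\
hostname store-ap-01
snmp-server community st0re-m0n-r0 RO
dot11 ssid POS-WLAN
 authentication key-management wpa version 2
"""

SNMP_RE = re.compile(r"^snmp-server community (\S+)")
SSID_RE = re.compile(r"^dot11 ssid (\S+)")


def parse_ssids(config):
    """Group the indented lines under each 'dot11 ssid' block: {ssid: [lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = SSID_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None   # any other top-level command ends the block
    return blocks


def audit_wireless(config):
    """Return (check, subject) findings; an empty list means all listed items pass."""
    findings = []
    for line in config.splitlines():
        m = SNMP_RE.match(line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("default-snmp-community", m.group(1)))
    for ssid, entries in parse_ssids(config).items():
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append(("default-ssid-enabled", ssid))
        if not any(e.startswith("authentication key-management wpa") for e in entries):
            findings.append(("wpa-not-configured", ssid))
        if "guest-mode" in entries:
            findings.append(("ssid-broadcast-enabled", ssid))
    return findings


if __name__ == "__main__":
    for finding in audit_wireless(WEAK_CONFIG):
        print(*finding)
```

Running the audit over the weak configuration reports five findings; the hardened configuration reports none. Note that "no findings" only covers the items the checks encode: the administrative-user and AAA items from the slide are verified against the controller's AAA configuration, not against the access point text shown here.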
Cisco Wireless Configuration (For Your Reference) [screenshot]
PCI Requirement 3: Protect Stored Data
Keep cardholder data storage to a minimum
Do not store the full contents of any track from the magnetic stripe (also called full track, track, track 1, track 2 and magnetic stripe data), the card-validation code or value, or the PIN
Mask the PAN when displayed, and render it unreadable when stored (hashed indexes, truncation, index tokens and pads, strong cryptography, disk encryption)
Document and implement key management processes
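Three of the "render unreadable" techniques the requirement lists (truncation, masking for display, a hashed index) can be shown in a few functions. The following is an added example, not code from the Cisco deck or from the RSA products the deck mentions: it applies them to a constructed PAN and shows what a transaction record is allowed to retain. The keyed-hash choice, the record layout and the key value are this example's own assumptions.

```python
# Added example, not from the Cisco deck: the three "render unreadable" techniques the
# requirement names (truncation, masking for display, a hashed index) applied to a
# constructed PAN. The keyed-hash choice and the record layout are this example's own.
import hashlib
import hmac
import re

PAN_RE = re.compile(r"^\d{13,19}$")


def validate_pan(pan):
    """Accept digits only (13 to 19, the lengths issuers use) and reject everything else."""
    pan = pan.replace(" ", "").replace("-", "")
    if not PAN_RE.match(pan):
        raise ValueError("not a PAN: expected 13-19 digits")
    return pan


def mask_pan(pan):
    """Display form: first six (BIN) and last four visible, the rest masked."""
    pan = validate_pan(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan):
    """Storage form when only the last four digits are needed (e.g. receipts)."""
    return validate_pan(pan)[-4:]


def pan_index(pan, key):
    """Hashed index: an HMAC-SHA256 of the PAN under a key held by the key-management
    system. An assumption of this example: the slide says 'hashed index', and a keyed
    hash is used here because an unkeyed hash of a 16-digit value can be reversed by
    enumerating the small PAN space."""
    return hmac.new(key, validate_pan(pan).encode(), hashlib.sha256).hexdigest()


def stored_record(pan, key, amount_cents):
    """What the transaction store keeps: no full PAN, no track data, no CVV, no PIN."""
    return {
        "pan_last4": truncate_pan(pan),
        "pan_index": pan_index(pan, key),
        "amount_cents": amount_cents,
    }


def contains_full_pan(record, pan):
    """Review check: the full PAN must not appear anywhere in a stored record."""
    return validate_pan(pan) in " ".join(str(v) for v in record.values())


if __name__ == "__main__":
    demo_key = b"example-key-from-key-manager"   # constructed; never hard-code in real code
    demo_pan = "4111 1111 1111 1111"             # well-known test number, not a live card
    print(mask_pan(demo_pan), stored_record(demo_pan, demo_key, 1999))
```

The index lets two transactions on the same card be matched without either record holding the PAN, which is why the key behind it belongs under the key-management process the last item on the slide requires: rotating or losing that key changes every index.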
Requirement 3: Protect Stored Data
[Diagram: Network Environment Blueprint for Requirement 3. Same component set as the Network Environment Blueprint slide: remote location, main office, Internet edge, data center, network management center.]
Protect Stored Data: From What?
Cisco Security Agent (CSA) protects from:
Copying cardholder information to removable media (USB sticks, CD-ROMs, etc.)
Copying cardholder information to different file formats
Printing cardholder information
Saving information to a local machine
Plus typical worm/virus protection (think e-commerce)
CSA Information Protection Creation (For Your Reference) [screenshot]
CSA Action Rule (For Your Reference) [screenshot]
PCI Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
Use SSL/TLS or IPSec; WPA for wireless
If using WEP:
Use a minimum 104-bit encryption key and 24-bit initialization value
Use only in conjunction with WPA/WPA2, VPN or SSL/TLS
Rotate shared WEP keys quarterly (or automatically)
Restrict access based on MAC address
Never send unencrypted PANs by e-mail
Requirement 4: Encrypt Transmission of Cardholder Data Across Public Networks
[Diagram: Network Environment Blueprint for Requirement 4. Same component set as the Network Environment Blueprint slide: remote location, main office, Internet edge, data center, network management center.]
Tunnelless VPN: A New Security Model
IPSec point-to-point tunnels:
Scalability is an issue (N^2 problem)
Overlay routing
Any-to-any instant connectivity cannot be done at scale
Limited advanced QoS
Multicast replication inefficient
GET VPN (tunnel-less VPN):
Data is encrypted without need for a tunnel overlay: scalable any-to-any
Routing/multicast/QoS integration is optimal: native routing
Encryption can be managed by either subscribers or service providers
Customized, per-application encryption
[Diagram: tunnel-less VPN over a multicast-enabled WAN]
IronPort: PCI Compliance over Email
Automatic detection and encryption of credit card info: comprehensive scanning for cardholder info, integrated encryption and remediation, auditable reporting
[Diagram: users send outbound mail through the IronPort Email Security Appliance to the Internet]
Comprehensive detection:
Credit Card Smart Identifier
Preloaded PCI Lexicons Dictionary
Embedded attachment scanning
Integrated remediation:
Universal message encryption
Quarantine and archive capabilities
Notifications
Reporting
“IronPort meets PCI compliance requirements in an easy to administer, transparent manner.” —Brian Burke, Director, Secure Content, IDC
“IronPort has provided customers with an easy to deploy, use, and manage PCI compliance solution for email.” —Barry Johnson, Director, Risk Mitigation, IGXGlobal
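The "Credit Card Smart Identifier" item is worth seeing in code, because a naive digit-run match produces a flood of false positives on order numbers and phone numbers. The following is an added example, not IronPort's code: an outbound-message scan that finds 13 to 19 digit candidates, keeps only those that pass the Luhn check, and maps the result to the encrypt-or-deliver decision of the "Never send unencrypted PANs by e-mail" item. The message text, the candidate pattern and the policy are constructed for the example.

```python
# Added example, not IronPort's code: outbound-mail scanning for card numbers of the
# kind the "Credit Card Smart Identifier" performs, with a remediation decision. The
# message text, the candidate pattern and the policy are constructed for the example.
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a longer run
CANDIDATE_RE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_ok(digits):
    """Luhn check-digit test: filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the normalized candidate numbers that pass the Luhn test."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def outbound_action(message):
    """Policy (an assumption for this example): any message with a PAN in the body is
    encrypted before delivery; everything else is delivered as-is."""
    return "encrypt" if find_pans(message) else "deliver"


# Constructed outbound message: one PAN (a well-known test number), an order number
# that fails the Luhn check, and a phone number that is too short to be a candidate.
SAMPLE_MESSAGE = """\
Hi, please re-run the charge on card 4111 1111 1111 1111 for order 1234567890123456.
Call me on 555-0100 if it fails.
"""

if __name__ == "__main__":
    print(find_pans(SAMPLE_MESSAGE), outbound_action(SAMPLE_MESSAGE))
```

The Luhn filter is what separates a usable control from a noisy one: the 16-digit order number in the sample is a candidate by shape but is dropped, while the card number is kept and forces encryption. A production identifier adds context words (the "PCI lexicon" item on the slide) and scans attachments, which this example does not.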
NCM Requirement 4 Status (For Your Reference) [screenshot]
Cisco Wireless Configuration (For Your Reference) [screenshot]
PCI Requirement 5: Use and Regularly Update Anti-Virus Software or Programs
Deploy anti-virus software on all systems commonly affected by viruses
AV programs must be capable of detecting, removing, and protecting against all forms of malicious software, including spyware and adware
Ensure that all AV mechanisms are current, actively running, and capable of generating audit logs
Requirement 5: Use and Regularly Update Anti-Virus Software
[Diagram: Network Environment Blueprint for Requirement 5. Same component set as the Network Environment Blueprint slide: remote location, main office, Internet edge, data center, network management center.]
NAC Manager (For Your Reference) [screenshot]
Adding NAC A/V Rule (For Your Reference) [screenshot]
NAC Rule List (For Your Reference) [screenshot]
NAC A/V Update
IronPort A/V
Preventive defense + reactive defenses: Virus Outbreak Filters + anti-virus signatures
Ease of deployment and zero management: automatic updates
Email security: highest virus transmission medium
Industry-leading defense-in-depth solution: Sophos Anti-Virus signatures, McAfee Anti-Virus signatures, IronPort Virus Outbreak Filters
PCI Requirement 6: Develop and Maintain Secure Systems and Applications
Systems and software have the latest vendor-supplied security patches installed; install relevant security patches within one month of release
Establish a process to identify new security vulnerabilities (subscribe to alert services, etc.)
Develop software applications based on industry best practices and incorporate security throughout the software development lifecycle
Develop web applications based on secure coding guidelines such as those of the Open Web Application Security Project (OWASP)
Protect web-facing applications against known attacks by installing an application-layer firewall in front of them, or by having the application code reviewed by a specialized application security organization
Requirement 6: Develop and Maintain Secure Systems and Applications
[Diagram: Network Environment Blueprint for Requirement 6. Same component set as the Network Environment Blueprint slide: remote location, main office, Internet edge, data center, network management center.]
OWASP’s 2007 Top Ten (For Your Reference) [screenshot]
Cisco Application Control Engine (ACE) XML Gateway
AXG in Action: Blocking XSS Attacks
1. Define hosts to protect
2. Define policies per host: we are going to validate GET and POST parameters
AXG in Action: Blocking XSS Attacks
1. Define acceptable range for each GET or POST query parameter
2. Attack detected and blocked
AXG in Action: Blocking XSS Attacks
1. Alternatively, use a blacklist approach using Cisco-verified signatures
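The three AXG slides describe two controls on the same request: a per-host whitelist that defines the acceptable range of every GET or POST parameter, and a signature blacklist used instead when no per-parameter policy exists. The following is an added example, not Cisco ACE XML Gateway code: both checks applied to constructed requests in the shape `urllib.parse.parse_qs` produces. The host, path, parameter rules and signatures are assumptions made for the example, not Cisco-verified signatures.

```python
# Added example, not Cisco ACE XML Gateway code: the two per-host parameter-policy
# approaches the slides describe, a whitelist (acceptable range per GET/POST parameter)
# and a signature blacklist, applied to constructed requests. Hosts, paths, parameter
# rules and signatures are assumptions made for the example.
import re

# Whitelist: per protected host, per path, an acceptable pattern for every parameter.
# Anything not listed is rejected, which is what makes the whitelist the stronger control.
PARAMETER_POLICIES = {
    "shop.example.com": {
        "/checkout": {
            "qty": re.compile(r"[1-9]\d{0,2}"),
            "sku": re.compile(r"[A-Z0-9]{2,6}-\d{4}"),
            "coupon": re.compile(r"[A-Za-z0-9]{0,10}"),
        },
    },
}

# Blacklist: a few generic XSS indicators (constructed, not Cisco's verified signatures).
XSS_SIGNATURES = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),
    re.compile(r"<\s*(iframe|img|svg)\b", re.I),
]


def check_whitelist(host, path, params):
    """Allow only if host and path are defined and every parameter matches its pattern."""
    host_policy = PARAMETER_POLICIES.get(host)
    if host_policy is None:
        return ("block", "host not protected by any policy")
    rules = host_policy.get(path)
    if rules is None:
        return ("block", "path has no parameter policy")
    for name, values in params.items():
        pattern = rules.get(name)
        if pattern is None:
            return ("block", f"unexpected parameter {name!r}")
        for value in values:
            if not pattern.fullmatch(value):   # whole value must be in the acceptable range
                return ("block", f"parameter {name!r} outside acceptable range")
    return ("allow", None)


def check_blacklist(params):
    """Allow unless a value matches a known-bad signature; needs no per-path policy."""
    for name, values in params.items():
        for value in values:
            for sig in XSS_SIGNATURES:
                if sig.search(value):
                    return ("block", f"signature {sig.pattern!r} matched in {name!r}")
    return ("allow", None)


def check_request(host, path, params, mode="whitelist"):
    """params has the shape urllib.parse.parse_qs produces: {name: [value, ...]}."""
    if mode == "whitelist":
        return check_whitelist(host, path, params)
    if mode == "blacklist":
        return check_blacklist(params)
    raise ValueError("mode must be 'whitelist' or 'blacklist'")


if __name__ == "__main__":
    request = {"qty": ["2"], "sku": ["<script>alert(1)</script>"]}
    print(check_request("shop.example.com", "/checkout", request))
    print(check_request("shop.example.com", "/checkout", request, mode="blacklist"))
```

The difference between the two modes shows up on the unexpected `debug` parameter: the whitelist rejects it because it was never defined, while the blacklist lets it through because it matches no signature. That is the trade-off the slides present, whitelist first and signatures as the alternative.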
PCI Requirement 7: Restrict Access to Cardholder Data by Business Need-to-Know
Limit access to computing resources and cardholder information to only those individuals whose job requires such access
Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed
Requirement 7: Restrict Access to Data by Business Need-to-Know
[Diagram: Network Environment Blueprint for Requirement 7. Same component set as the Network Environment Blueprint slide: remote location, main office, Internet edge, data center, network management center.]
CSA Action Rule (For Your Reference) [screenshot]
When a User Attempts to Save a Change… (For Your Reference) [screenshot]
CSA Manager Event Log (For Your Reference) [screenshot]
PCI Requirement 8: Assign a Unique ID to Each Person with Computer Access
Identify all users with a unique user name before allowing access to system components or cardholder data
In addition, employ one method of authentication (password, token devices [SecurID, certificates or public key], biometrics)
Implement two-factor authentication
Encrypt all passwords during transmission and storage
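The unique-ID, password-storage and failed-attempt items of this requirement are enforced by the authentication server (ACS on this deck). The following is an added example, not Cisco ACS code: a minimal account store that refuses a duplicate ID, keeps passwords only as salted PBKDF2 hashes, and locks an account after repeated failures. The thresholds and PBKDF2 parameters are this example's assumptions, and `now` is passed in so the lockout can be exercised without waiting.

```python
# Added example, not Cisco ACS code: a minimal account store showing the items the
# requirement lists that a server can enforce in code: unique IDs, passwords stored
# only as salted hashes, and a failed-attempt lockout. Thresholds and the PBKDF2
# parameters are this example's assumptions.
import hashlib
import hmac
import os
import time


class AccountStore:
    def __init__(self, max_failures=5, lockout_seconds=1800, iterations=200_000):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.iterations = iterations
        self._accounts = {}   # user_id -> {salt, hash, failures, locked_until}

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def add_user(self, user_id, password):
        """One ID per person; a second registration of the same ID is refused."""
        if user_id in self._accounts:
            raise ValueError(f"user id {user_id!r} already exists")
        salt = os.urandom(16)
        self._accounts[user_id] = {
            "salt": salt,
            "hash": self._derive(password, salt),   # the plaintext is never stored
            "failures": 0,
            "locked_until": 0.0,
        }

    def authenticate(self, user_id, password, now=None):
        """Return (ok, reason). A locked account rejects even the correct password."""
        now = time.time() if now is None else now
        acct = self._accounts.get(user_id)
        if acct is None:
            return (False, "unknown user")
        if now < acct["locked_until"]:
            return (False, "locked")
        if hmac.compare_digest(self._derive(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return (True, "ok")
        acct["failures"] += 1
        if acct["failures"] >= self.max_failures:
            acct["failures"] = 0
            acct["locked_until"] = now + self.lockout_seconds
            return (False, "locked")
        return (False, "bad password")


if __name__ == "__main__":
    store = AccountStore(max_failures=3, lockout_seconds=60)
    store.add_user("alice", "correct horse battery")
    for attempt in ("wrong", "wrong", "wrong", "correct horse battery"):
        print(attempt, store.authenticate("alice", attempt))
```

Two details matter for the audit: the comparison is constant-time, and the "unknown user" and "bad password" outcomes are kept distinct only internally, so a caller that reports them to the client should collapse them into one message. Two-factor authentication, the third item on the slide, is layered on top of this check rather than replacing it.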
Requirement 8: Assign a Unique ID to Each Person with Computer Access
[Diagram: Network Environment Blueprint for Requirement 8. Same component set as the Network Environment Blueprint slide: remote location, main office, Internet edge, data center, network management center.]
Cisco Secure Access Control Server (ACS): Administration Accounts (For Your Reference)
Cisco ACS: Only Allow HTTPS Connections (For Your Reference)
Cisco ACS: Idle Timeouts and Failed Attempts (For Your Reference)
Cisco ACS: Map to Active Directory (For Your Reference)
PCI Requirement 9: Restrict Physical Access to Cardholder Data
Use facility entry controls to limit and monitor physical access to systems that store, process or transmit cardholder data
Use cameras to monitor sensitive areas
Restrict physical access to network jacks, wireless access points, gateways, and handheld devices
Distinguish between employees and visitors
Visitors must sign in, carry a physical token, and be authorized before entering the area
Physically secure cardholder data media
Destroy media when it is no longer needed
PCI Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data
Implement automated audit trails
Record audit trail entries (who, what, when, where, and the outcome)
Synchronize all critical system clocks and times so entries from different systems can be correlated
Secure audit trails so they cannot be altered
Review logs for all system components at least daily
Retain audit trail history for at least one year, with a minimum of three months online availability
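Two of the Requirement 10 bullets, securing the trail against alteration and reviewing it daily, are shown together in the added example below. It is not code from the session or from CS-MARS. Each audit entry is chained to the previous one with an HMAC, so editing or deleting an entry breaks verification, and a review pass over the chain summarises administrator logins and flags IDs with repeated failures. The log lines are constructed for the example in the format of Cisco ASA syslog messages 605004 and 605005 (login denied / permitted) and 111008 (command executed); the signing key, the failure threshold and the user and address values are assumptions.

```python
"""Tamper-evident audit trail plus a daily admin-access review (added example).

Two Requirement 10 controls in one runnable piece: (1) entries are chained
with an HMAC so any edited or removed entry breaks verification, and (2) a
review pass over the chain flags repeated failed administrative logins.
The syslog lines are constructed in the format of Cisco ASA messages
605004/605005 and 111008; key, threshold, users and addresses are assumed.
"""
import hashlib
import hmac
import re
from collections import Counter

SIGNING_KEY = b"assumed-key-held-by-the-log-collector-not-the-device"
FAILED_LOGIN_THRESHOLD = 3   # assumption: three failures from one source in a day is worth a look

SAMPLE_SYSLOG = [  # constructed sample lines, not a real capture
    '%ASA-6-605005: Login permitted from 10.20.5.7/51512 to inside:10.20.0.1/ssh for user "carol"',
    "%ASA-5-111008: User 'carol' executed the 'configure terminal' command.",
    '%ASA-6-605004: Login denied from 10.10.1.77/40001 to inside:10.20.0.1/ssh for user "admin"',
    '%ASA-6-605004: Login denied from 10.10.1.77/40002 to inside:10.20.0.1/ssh for user "admin"',
    '%ASA-6-605004: Login denied from 10.10.1.77/40003 to inside:10.20.0.1/ssh for user "admin"',
    '%ASA-6-605005: Login permitted from 10.20.5.9/51600 to inside:10.20.0.1/https for user "dave"',
]


class AuditTrail:
    """Append-only list where entry i carries HMAC(key, mac[i-1] || line[i])."""

    def __init__(self, key=SIGNING_KEY):
        self.key = key
        self.entries = []            # (line, mac)
        self._prev = b"\x00" * 32    # genesis value for the chain

    def append(self, line):
        mac = hmac.new(self.key, self._prev + line.encode(), hashlib.sha256).digest()
        self.entries.append((line, mac))
        self._prev = mac
        return mac

    def verify(self):
        """Return (ok, index of the first bad entry or None)."""
        prev = b"\x00" * 32
        for i, (line, mac) in enumerate(self.entries):
            expected = hmac.new(self.key, prev + line.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, mac):
                return False, i
            prev = mac
        return True, None


LOGIN = re.compile(r'%ASA-6-60500[45]: Login (?P<result>permitted|denied) from '
                   r'(?P<src>[\d.]+)/\d+ to \S+ for user "(?P<user>[^"]+)"')
COMMAND = re.compile(r"%ASA-5-111008: User '(?P<user>[^']+)' executed the '(?P<cmd>[^']+)' command")


def review(trail):
    """Daily review: who logged in, what they ran, which IDs are being guessed at."""
    ok, bad = trail.verify()
    if not ok:
        raise RuntimeError(f"audit trail altered at entry {bad}; review aborted")
    logins, failures, commands = Counter(), Counter(), []
    for line, _ in trail.entries:
        m = LOGIN.search(line)
        if m:
            counter = logins if m["result"] == "permitted" else failures
            counter[(m["user"], m["src"])] += 1
            continue
        m = COMMAND.search(line)
        if m:
            commands.append((m["user"], m["cmd"]))
    alerts = [f"{user}@{src}: {n} failed logins"
              for (user, src), n in failures.items() if n >= FAILED_LOGIN_THRESHOLD]
    return {"logins": dict(logins), "failures": dict(failures),
            "commands": commands, "alerts": alerts}


def build_sample_trail():
    trail = AuditTrail()
    for line in SAMPLE_SYSLOG:
        trail.append(line)
    return trail


if __name__ == "__main__":
    print(review(build_sample_trail())["alerts"])  # ['admin@10.10.1.77: 3 failed logins']
```

The chain detects edits and deletions in the middle of the trail, but not truncation of the most recent entries; for that, the latest MAC has to be periodically anchored somewhere the log host cannot rewrite (the collector, a separate system, or the previous day's printed or mailed digest). The key must not live on the device that produces the entries, or an attacker with that device can simply re-chain after editing.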
Requirement 10: Track and Monitor All Access to Network and Cardholder Data
[Figure: the same Cisco PCI reference architecture diagram as on the Requirement 7 slide.]
CS-MARS: PCI DSS Requirement 10, Critical System Access Monitoring
Question the report answers: "Is administrator access to the end systems monitored?"
CS-MARS PCI Reports and Reporting (For Your Reference)
PCI Reports Group: comprehensive PCI reports providing detailed monitoring and reporting for the PCI requirements
CS-MARS for PCI Reporting (For Your Reference)
PCI Reports Group: comprehensive and detailed reports and reporting
NCM Requirement 10 Status (For Your Reference)
PCI Requirement 11: Regularly Test Security Systems and Processes
Use a wireless analyzer at least quarterly to identify all wireless devices in use
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network
Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification
Use network and host intrusion detection or prevention (NIDS/NIPS, HIDS/HIPS)
Deploy file integrity monitoring software to perform critical file comparisons at least weekly
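The last bullet, weekly critical-file comparison, is the one most often implemented by hand on POS and back-office servers, so the added example below (not code from the session or from Cisco Security Agent) shows the whole loop: take a baseline of SHA-256 digest, size and permission bits for the files on a watch list, store it, and compare a later scan against it, reporting added, removed and changed files with the reason for each change. The watch-list extensions, the directory layout and the tampering it simulates are constructed for the example; in production the baseline would be signed and kept off the monitored host so that an intruder cannot re-baseline after modifying a file.

```python
"""Critical-file integrity monitoring (added example).

Baseline SHA-256 digest, size and mode for watched files, then compare a
later scan and report added / removed / changed paths. The file tree and
the simulated tampering are constructed in a temporary directory.
"""
import hashlib
import json
import os
import stat
import tempfile

WATCHED_EXTENSIONS = (".conf", ".cfg", ".exe", ".dll", ".so", ".sh")  # assumption


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, include=WATCHED_EXTENSIONS):
    """Hash every regular file under root whose extension is on the watch list."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(include):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and specials are not hashed
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": _digest(path), "size": st.st_size,
                             "mode": stat.S_IMODE(st.st_mode)}
    return baseline


def compare(baseline, current):
    """Return what an assessor wants to see: added, removed, and changed (with the reason)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = []
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in ("sha256", "size", "mode") if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed.append((rel, diffs))
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(path, text, mode=0o644):
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)


def run_demo():
    """Build a constructed file tree, baseline it, tamper with it, return the comparison."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        _write(os.path.join(root, "etc", "pos.conf"), "db_host=10.20.5.10\n")
        _write(os.path.join(root, "bin", "posd.sh"), "#!/bin/sh\nexec /opt/pos/posd\n")
        _write(os.path.join(root, "etc", "notes.txt"), "not on the watch list\n")
        base_path = os.path.join(root, "baseline.json")   # .json is not watched
        save_baseline(snapshot(root), base_path)
        # Simulated tampering: config points at a new host, launcher permissions
        # changed, and an unexpected shared object dropped into bin/.
        with open(os.path.join(root, "etc", "pos.conf"), "a") as f:
            f.write("db_host=203.0.113.5\n")
        os.chmod(os.path.join(root, "bin", "posd.sh"), 0o755)
        with open(os.path.join(root, "bin", "dropper.so"), "wb") as f:
            f.write(b"\x7fELF")
        return compare(load_baseline(base_path), snapshot(root))


if __name__ == "__main__":
    print(run_demo())
```

Two practical points the bullet does not spell out: compare metadata as well as content (a permission change on a launcher is a finding even if the bytes are unchanged), and treat an "added" file in a binary directory as seriously as a modified one, since that is what a dropped backdoor looks like.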
Requirement 11: Regularly Test Security Systems and Processes
[Figure: the same Cisco PCI reference architecture diagram as on the Requirement 7 slide.]
Cisco ASA 5500 Series and IPS Network Environment Blueprint for PCI
[Figure: the Cisco PCI reference architecture diagram with IPS sensors added alongside the ASA firewalls at the remote location, Internet edge, main office, e-commerce and data center. Three IPS option sets are called out on the diagram: ASA IPS, Cisco IOS IPS, or ISR AIM IPS; IPS 4200, ASA-IPS or IDSM-2; IPS 4200 or ASA-IPS.]
CS-MARS: PCI DSS Requirement 11, Wireless Access Detection (Cisco Wireless Controller)
Question the report answers: "Is the wireless network being monitored and are new wireless devices identified?"
Wireless Controller Configuration: Scan for and Detect Rogue APs and Wireless Devices (For Your Reference)
Untrusted AP Policy
  Rogue Location Discovery Protocol (RLDP): Disabled
  RLDP Action: Alarm Only
Rogue APs
  Rogue APs advertising my SSID: Alarm Only
  Detect and report Ad-Hoc Networks: Enabled
With RLDP disabled the controller does not probe whether a detected rogue is connected to the wired network, so every alarm has to be triaged by a person to decide whether it is a neighbour's AP or a device on the cardholder network.
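The controller policy above reduces to a small classification rule applied to every BSSID the managed APs hear. The added example below (not code from the session or from the Cisco wireless controller) implements that rule over constructed scan results: authorised BSSIDs are ignored, anything else is a rogue, a rogue that advertises one of our own SSIDs is singled out because store devices might associate with it, and ad-hoc networks are reported separately. The authorised list, the scan results, the signal-strength cut-off for "probably next door" and the log-only action for weak external rogues are assumptions made for the example.

```python
"""Rogue access point classification (added example).

Mirrors the wireless-controller policy on the slide: unknown BSSIDs are
rogues, a rogue advertising our SSID is the dangerous case, ad-hoc
networks are reported, and the action is alarm-only. The authorised
list, scan results and signal cut-off are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectedAP:
    bssid: str
    ssid: str
    channel: int
    rssi: int              # dBm as heard by the detecting managed AP
    ad_hoc: bool = False   # IBSS beacon rather than an infrastructure AP


AUTHORISED_BSSIDS = {  # assumption: exported from the controller's managed-AP list
    "00:1a:2b:3c:4d:01": "store-pos",
    "00:1a:2b:3c:4d:02": "store-pos",
    "00:1a:2b:3c:4d:03": "store-guest",
}
OUR_SSIDS = set(AUTHORISED_BSSIDS.values())
NEIGHBOUR_RSSI = -80   # assumption: weaker than this is unlikely to be inside the store

SCAN = [  # constructed scan results, not a real capture
    DetectedAP("00:1a:2b:3c:4d:01", "store-pos", 6, -40),
    DetectedAP("00:1a:2b:3c:4d:03", "store-guest", 11, -45),
    DetectedAP("de:ad:be:ef:00:01", "store-pos", 6, -52),       # evil twin of our SSID
    DetectedAP("c0:ff:ee:00:00:07", "NeighborCafe", 1, -83),    # weak, probably next door
    DetectedAP("02:11:22:33:44:55", "FreeWifi", 3, -60, ad_hoc=True),
]


def classify(ap, authorised=AUTHORISED_BSSIDS, our_ssids=OUR_SSIDS,
             neighbour_rssi=NEIGHBOUR_RSSI):
    """Return (category, action) for one detected AP."""
    if ap.bssid.lower() in authorised:
        return "authorised", "none"
    if ap.ad_hoc:
        return "ad-hoc", "alarm"
    if ap.ssid in our_ssids:
        # Matching SSID on an unknown BSSID: clients may roam onto it and leak credentials.
        return "rogue-advertising-our-ssid", "alarm"
    if ap.rssi < neighbour_rssi:
        return "rogue-external", "log"   # keep for the quarterly review, no alarm
    return "rogue", "alarm"


def scan_report(scan=SCAN):
    """Map each BSSID seen in the scan to its (category, action)."""
    return {ap.bssid: classify(ap) for ap in scan}


def alarms(scan=SCAN):
    """Just the BSSIDs that need a person to look at them today."""
    return sorted(b for b, (_, action) in scan_report(scan).items() if action == "alarm")


if __name__ == "__main__":
    for bssid, (category, action) in scan_report().items():
        print(f"{bssid}  {category:<28} {action}")
```

Keying the authorised list on BSSID rather than SSID is the whole point: an attacker can copy the SSID in seconds, but a BSSID that is not one of the controller's managed radios is a rogue no matter what it calls itself. The quarterly analyzer walk Requirement 11.1 asks for is still needed for devices the managed APs cannot hear.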
Cisco Security Manager: IPS Device-Centric Signature View
Cisco Security Manager: Policy-Centric Signature View
Cisco Security Agent (CSA): PCI Rule Modules
CSA PCI Requirement 11 Modules
CSA PCI Module Drill-Down
NCM Requirement 11 Status
PCI Requirement 12: Maintain a Policy that Addresses Information Security for Employees and Contractors
Establish, publish, maintain, and disseminate a security policy
Develop usage policies for critical employee-facing technologies
Implement a security awareness program
Implement an incident response plan
If cardholder data is shared with service providers, the service provider must adhere to the PCI DSS requirements
Requirement 12: Maintain a Policy that Addresses Information Security
[Figure: the same Cisco PCI reference architecture diagram as on the Requirement 7 slide.]
CSM Workflow: "Enable Different Management Teams to Work Together"
What Is It? A structured process for change management that complements your operational environment
Example: who can set policies, who can approve them, who can approve deployment and when, who can deploy them
Benefit: provides scope of control
[Figure: CSM workflow for firewall, VPN, and IPS services. Security Operations owns policy definition (create/edit policy, review/submit, approve/commit, with undo); Network Operations owns policy deployment (generate/submit job, approve job, deploy, with rollback).]
CSM Role-Based Access Control
What Is It? Authenticates an administrator's access to the management system and determines who has access to specific devices and policy functions
Example: verifies administrators and associate administrators against specific roles as to who can do what
Benefit: enables delegation of administrator tasks to multiple operators and provides appropriate separation of ownership and controls
[Figure: Cisco Security Manager authenticating administrators through Cisco Secure ACS (AAA) and managing Cisco IOS Software, Cisco PIX Firewall and Cisco ASA devices, including home office and remote access.]
NCM Requirement 12 Status (For Your Reference)
Cisco Solution for PCI
[Figure: the Cisco PCI reference architecture diagram (remote location with ISR, Catalyst switch, WAP, POS terminal, POS server and store worker PC; Internet edge with ASA 5500, IronPort, AXG, IPS and 7300 router; main office with 6500 switch, NAC and WAP; e-commerce with ASA and AXG; data center with credit card storage; network management center with Cisco Security Management, ACS, CS-MARS and NCM/CAS; Cisco Security Agent on hosts), with each component tagged by the PCI requirements it supports. Legend: Requirement 1 through Requirement 12.]
PCI Solution Mapping
[Table: rows are PCI requirements 1 through 12; columns are the Cisco products ISR, ASA, CSA, MARS, WLAN, IPS, NAC, 6500, IronPort, CSM, NCM, ACE XML and ACS. Each cell marks whether the product contributes to that requirement or is n/a. The individual cell values did not survive extraction; the one row that can be read with confidence is Requirement 9 (physical access), which is n/a for every product.]
Cisco PCI Services
Services from Cisco and Cisco Security Specialized Partners
Supporting your efforts to achieve compliance: identify and remediate gaps in your current network environment relative to the PCI Data Security Standard
  Gap analysis and remediation plan
  Design and implementation
Supporting your efforts to stay compliant: asset monitoring and support for configuration and change management
  Quarterly security gap analysis
  Periodic reporting of PCI-critical device status
*PCI compliance service capabilities may vary by region
Gap Analysis and Remediation Plan (For Your Reference)
Identifies gaps in your network components and systems, policies, and processes
PCI Analysis Toolset: collects data about devices and configurations (Cisco and third party) and analyzes your network for gaps relative to the PCI Data Security Standard requirements
A Cisco engineer creates a tailored remediation plan that includes a prioritized set of actions for closing compliance gaps
Design and Implementation (For Your Reference)
Best practices for implementing the remediation plan recommendations
Security Policy Definition: develop or refine your company's high-level goals, procedures, rules, and requirements for securing its information assets
Design Review, if necessary: provide a design review if the PCI gap analysis and remediation plan suggest it
Implementation: implement your solution on time and on budget by following a thorough, detailed implementation process based on best practices; realize business and technical goals by installing, configuring, and integrating new system components in accordance with the remediation plan recommendations
Asset Monitoring and Support for Configuration and Change Management (For Your Reference)
Asset Monitoring: monitor and manage devices critical to your PCI-compliant network in real time, 24 hours a day, 365 days a year; identify anomalies, events, or trends that might adversely affect your network security; provide consolidated status reports that you can use with your stakeholders and third parties such as auditors
Configuration Management Support: improve operational efficiency by maintaining an accurate, reliable system configuration database and managing configuration changes through an orderly, effective process
Change Management Support: reduce operating costs and limit change-related incidents with a consistent and efficient change management process
Quarterly Incremental Security Gap Analysis (For Your Reference)
Assess for changes that might affect compliance
Provide improvement recommendations and remediation services as needed
Summary
Key Takeaways
PCI is moving rapidly to global importance
PCI compliance encompasses security best practices
Work closely with your Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA) to understand their expectations
Use Cisco's PCI Validated Architectures as a guide to ease design and implementation
More Information
Cisco compliance information: http://www.cisco.com/go/compliance
Cisco retail: http://www.cisco.com/go/retail
VISA Cardholder Information Security Program: http://usa.visa.com/merchants/risk_management/cisp.html
MasterCard PCI Merchant Education: http://www.mastercard.com/us/sdp/education/pci%20merchant%20education%20program.html
PCI Security Standards Council: https://www.pcisecuritystandards.org/
Relevant Security Sessions
Advanced IPSec with GET VPN (BRKSEC-4012)
Secure Messaging (BRKSEC-2052)
Deploying Cisco Network Admission Control Appliance (BRKSEC-2041)
Understanding Host-Based Threat Mitigation Techniques (BRKSEC-2031)
Deploying Network-Based Intrusion Prevention Systems (BRKSEC-2030)
Firewall Design and Deployment (BRKSEC-2020)
Deploying Dynamic Multipoint VPNs (BRKSEC-2012)
Deploying Site-to-Site IPSec VPNs (BRKSEC-2011)
Deploying Cisco IOS Security (BRKSEC-2007)
Inside the Perimeter: Six Steps to Improving Your Security Monitoring (BRKSEC-2006)
Monitoring and Mitigating Threats (BRKSEC-2004)
Q and A
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press®
Check the Recommended Reading flyer for suggested books
Available Onsite at the Cisco Company Store
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes; winners announced daily.
Receive 20 Passport points for each session evaluation you complete
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.
Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.