Leveraging PCI Compliance: Managing Risk in Michigan

Dan Lohrmann
Chief Information Security Officer
State of Michigan

West Michigan ISACA
October 16, 2008

State of Michigan • Department of Information Technology

What’s on Tap?

First things first
The Perfect Security Storm
The Michigan Journey
The Good, the Bad, the Ugly
PCI Compliance: Many Birds with One Stone
Combining People-Processes-Technology
Lessons Learned
Next Steps

First things first…

A bit about me:
  Former NSA analyst
  Former IT Director, ManTech International, UK
  Roles as State Agency CIO and e-Michigan CTO
  Over 23 years of IT experience
  Director, Michigan’s Office of Enterprise Security:
    Emergency management coordinator
    Staff of 30 security professionals
    Homeland security liaison
    Cybersecurity manager

A bit about MDIT…

Michigan in focus

In 2001, IT services consolidated from 19 agencies into one department, MDIT
We now support all of the agencies with a $378 million annual budget
Our 1,700 employees support and maintain:
  Over 800 critical business applications
  Over 55,000 desktop computers
  Over 1,300 telecommunications locations

What role do we play?

What services do we touch?

Whenever a citizen:
  Files an income tax return
  Pays or receives child support
  Wins the Lottery
  Compares schools
  Starts a business
  Applies for a driver’s license…
  or gets pulled over by a state trooper

All of them!

And, like many of you, from 2005-2007 Michigan endured the “perfect security storm”

The Perfect Security Storm

Compliance…
  Payment Card Industry (PCI)
  HIPAA
  NIST (New Audits, SOX)
  Breach Laws, Notification

Vulnerabilities…
  MS Patches Never End
  Legacy Systems
  Multiple OS Versions / Consolidation of Servers
  Configuration, Asset Mgt.

Identity Theft…
  Exploding # of Attacks
  Hackers & Viruses
  Privacy Data
  Homeland Security
  Organized Crime

More with Less…
  Budget Cuts
  Standardization (Too many Scanners, Tools)
  Operational Fires (Viruses) Continue
  Staffing Efficiencies Desired

How has compliance tightened?...

The New Rules for CSOs

FISCAM Controls

We’re here today to talk a little bit about the “Michigan Story” and how we are weathering the storm…

The Good, the Bad & the Ugly

The perfect storm resulted in a set of conditions challenging security officials like never before
In Michigan, there were pros and cons alike…

The Michigan Story: The Good

We had an eager customer, the Department of Treasury, ready and willing
Funding was available from Homeland Security
Our CIO set a department-wide mandate on improved security

The Michigan Story: The Bad

Lack of motivation for change among some… another “to do”
Culture and attitude hurdles… “don’t touch my server / we’re different”
Skill sets and training for technical staff lacking
Ownership questions and multiple audiences

The Michigan Story: The Ugly

Poorly administered change control: infrastructure move, add, change (IMAC) process not centralized
Negative penetration test results, audit findings
Multiple reports/purposes/metrics, moving vulnerability and requirement targets
Lack of standard configurations and builds, multiple credit card solutions

We also had too many vulnerability scanning tools…

The Michigan Story: Pick a Tool, Any Tool

Nessus: heavily used industry wide; used by risk management for years; open source
QualysGuard: currently the risk management standard; expensive; sold as a service; extremely powerful; highly configurable; intelligent interface
ISS scanner: expensive; powerful
SARA: less harsh vulnerability scanner; open source
Nikto: open source; much less harsh or noisy; used for web vulnerability scanning only; will also show configuration errors

The Michigan Story: Many Birds with One Stone

The answer was clear… PCI Compliance was necessary!

If we could solve this one problem, we could address multiple issues:
  Audit findings
  Security holes from pen test
  Legal requirements/compliance
  Implement industry best practice
  Improve overall IT processes

And… satisfy our Treasury customer

What is PCI Compliance?

Otherwise known as the Payment Card Industry (PCI) Data Security Standard, PCI compliance:
  Is a standard that applies to financial institutions, Internet vendors and retail merchants
  Spells out the security measures and auditing procedures required to protect private information during transactions involving payment cards
  Is used by all card brands to assure the security of the data gathered during transactions

Card Associations LLC: https://www.pcisecuritystandards.org
Mission: Enhance payment account data security by fostering broad adoption of PCI-DSS

Cost of Non-Compliance

In the event of a breach the acquirer can make the merchant responsible for:
  Any fines from PCI-Co (up to $500,000/incident)
  Cost to notify victims
  Cost to replace cards (about $10/card)
  Cost for any fraudulent transactions
  Forensics from a QDSC
  Level 1 certification from a QDSC

Costs add up quickly… If 50,000 credit cards are stolen:
  PCI Penalty: $500,000
  Card Replacement: $500,000
  Fraudulent Transactions: $61,750,000

Not to mention the bad publicity…

“Digital Dozen” Approach to PCI Compliance

Build/Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Data
  3. Protect stored cardholder data
  4. Encrypt transmission of data across open/public networks

Maintain a Vulnerability Mgt Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

Implement Strong Access Controls
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an IS Policy
  12. Maintain a policy that addresses information security

The Michigan Approach: People

Treasury takes business ownership
MDIT Office of Enterprise Security forms cross-organizational team
  Gaining trust from multiple orgs
  Training, joint buy-in
Executives buy in
Credit card users group makes business case and other financial incentives clear
  Can’t afford to lose credit card authority
  Need e-Government growth
  Failing is not an option: reputation of the State is on the line

The Michigan Approach: Processes

Set uniform IMAC/change management
Established common approach
Iterative scans took time (plenty of war stories)
Initially centralized, later federated
Training built in, best and brightest selected on server teams
Regular format/briefings to key business and technology management teams
Agreed upon standard metrics and repeatable, explainable, supportable numbers (not an easy feat)

The Michigan Approach: Technology

Chose single tool (Qualys)
Achieved common configuration and builds
Developed good vendor relationships
Provided training on tool
Focused on business outcomes (agreed upon requirements)
Gave the team authority, priority, clear roles/responsibilities
Shared, repeatable knowledge base

How does Qualys work?

Qualys Categorization

Level 1: Intruders can collect not-too-sensitive information, such as open ports and services
Level 2: Intruders can collect sensitive information, such as specific versions of installed software, to mount attacks
Level 3: Intruders can collect specific information, including security settings
Level 4: Intruders can compromise the system with non-admin user privileges, or can access highly sensitive information
Level 5: Intruders can gain complete, admin-level access to the system

The Michigan Process

Integrates with other MDIT processes
Affects old and new
Three changes for remediation, owned by server and application teams:
  Patch: once installed, addresses many vulnerabilities; patching servers is more complicated
  Update: synonymous with patch, used on applications, not OS; followed with version numbers
  Configure: changes to apps and services to add security; includes removing/stopping services and configuring passwords

The Michigan Process: Vulnerability Remediation Tools

To speed up remediation of vulnerabilities, including open ports, false positives, and known solutions…

Phase I
  Refining and distributing to CSDs a new spreadsheet of vulnerability, status and coordinator by server IP
  Facilitating meetings with CSDs and server support staff to work through the spreadsheet and successful processes

Phase II
  Linking spreadsheet information to other information available about the server, such as CMDB and server PDI scan info
  Building solution knowledge base
  Presenting all information in a Web-accessible database, with access limited as appropriate by role (user ID / password)

The Michigan Process: Executive Tech. Review Board (ETRB)

ETRB provides rapid resolution to questions:
  Reviewing approved, denied, escalated exception requests
  Resolving technical disagreements
  Identifying the cause; using background information received in advance, it makes decisions on the spot and communicates them across the organization

Exceptions Process:
  One form for OES, hosting center, and managed LAN
  Area may approve exception or defer to program board
  Program board may approve or deny exception
  Requester can appeal denial to ETRB for final ruling
  ETRB reviews approved exceptions

The Proof… As they say

“Significant” DMZ vulnerabilities (Severity 3 or above):
  When we began in January 2006: 318
  Today: Zero – None – Nada!
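The metric above is a filter over scan output: findings in the DMZ, still open, at Qualys level 3 or higher. The following Python script is an added example, not code from the presentation, from MDIT or from Qualys; it models the Phase I/II remediation spreadsheet described earlier (status and coordinator by server IP, joined to CMDB data), tags each open finding with the deck’s three remediation changes (patch, update, configure), and computes the "significant open DMZ findings" count. The CSV columns, the QID values (EX-000x), the IP addresses, zone and team names, and the status vocabulary are all constructed assumptions, not real scanner output.

```python
import csv
import io
from collections import Counter, defaultdict

# "Significant" means severity 3 or above, the threshold the deck uses for its DMZ metric
SIGNIFICANT = 3

# Constructed scan export in a Qualys-like shape; the column names, QIDs (EX-000x),
# addresses and statuses are assumptions for this example, not real scanner output.
SCAN_CSV = """ip,qid,title,severity,status,fix_type
10.0.1.10,EX-0001,Outdated web server version,4,open,patch
10.0.1.10,EX-0002,Directory listing enabled,3,open,configure
10.0.1.10,EX-0003,TCP port 80 open,1,open,review
10.0.1.11,EX-0004,Default vendor account present,5,open,configure
10.0.1.11,EX-0005,Old application framework,3,fixed,update
10.0.1.12,EX-0006,Server banner reveals version,2,open,configure
10.0.1.12,EX-0007,Flagged by scanner but verified not present,4,false_positive,review
"""

# Constructed CMDB-style mapping (the deck's Phase II linkage): server IP -> zone and coordinator.
CMDB = {
    "10.0.1.10": {"zone": "DMZ", "coordinator": "web-team"},
    "10.0.1.11": {"zone": "DMZ", "coordinator": "app-team"},
    "10.0.1.12": {"zone": "internal", "coordinator": "infra-team"},
}

# The deck's three remediation changes, plus "review" for items that need a decision
# (a needed open port, a false positive) rather than a technical change.
REMEDIATION = {
    "patch": "Patch: install OS/vendor patch (one patch often closes several findings)",
    "update": "Update: move the application to a newer version",
    "configure": "Configure: change app/service settings, stop services, set passwords",
    "review": "Review: confirm the port is required or document the false positive",
}


def load_findings(csv_text):
    """Parse the scan export and join each finding to its CMDB record."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["severity"] = int(row["severity"])
        row.update(CMDB.get(row["ip"], {"zone": "unknown", "coordinator": "unassigned"}))
        findings.append(row)
    return findings


def significant_open(findings, zone="DMZ"):
    """Findings that count toward the 'significant DMZ vulnerabilities' metric: in the
    given zone, still open (fixed and false-positive items excluded), severity >= 3."""
    return [f for f in findings
            if f["zone"] == zone and f["status"] == "open" and f["severity"] >= SIGNIFICANT]


def worklist_by_coordinator(findings, zone="DMZ"):
    """Phase I spreadsheet view: which team owns each open significant finding,
    highest severity first, and what kind of change closes it."""
    worklist = defaultdict(list)
    for f in sorted(significant_open(findings, zone), key=lambda f: -f["severity"]):
        worklist[f["coordinator"]].append(
            {"ip": f["ip"], "qid": f["qid"], "severity": f["severity"],
             "action": REMEDIATION[f["fix_type"]]})
    return dict(worklist)


def open_severity_histogram(findings):
    """Count of open findings per severity level, for the regular management briefing."""
    return Counter(f["severity"] for f in findings if f["status"] == "open")


if __name__ == "__main__":
    data = load_findings(SCAN_CSV)
    print("Significant open DMZ findings:", len(significant_open(data)))
    for team, items in worklist_by_coordinator(data).items():
        print(team)
        for item in items:
            print(f"  {item['ip']} {item['qid']} sev{item['severity']}: {item['action']}")
    print("Open findings by severity:", dict(sorted(open_severity_histogram(data).items())))
```

Two design points carry over from the deck: a finding leaves the metric only when its status is changed (fixed, or documented as a false positive), so the count cannot be improved by rescanning alone, and a "fixed" status should be set by the scan that confirms the change, not by the team that made it, which is what the iterative rescans in the Processes slide provide.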

Critical Lessons Learned

PCI compliance is worth it:
  Solves many complex problems
  Measurable – good metrics
Don’t forget the vendors
Market your progress (communication x3)
Build trust with win/win approaches
The hardest parts are NOT technical...
Entrust your staff… and reward them

Michigan’s Next Steps

Counties and locals
Moving up the stack – applications
Other systems (moving PCI target)
Rolling into app lifecycle

Dan Lohrmann
[email protected]
www.michigan.gov/dit
www.michigan.gov/cybersecurity