PCI DSS vs HD Moore’s Law
Chris Todd, Unisys Canada Inc.
© 2011 Unisys Corporation. All rights reserved. Page 2
Who is Chris Todd?
• Security Consultant with Unisys Canada Inc
  – 10+ years experience in networking and security
  – GIAC Certified Firewall Analyst (GCFW), Incident Handler (GCIH), and Penetration Tester (GPEN)
  – Maintain a PCI DSS compliant environment
  – Provide security audit, vulnerability assessment and penetration testing services internally and externally
• SANS Mentor
  – Taught SEC504: Hacker Techniques, Exploits & Incident Handling
  – Teaching SEC464: Hacker Detection for Systems Administrators
    • Nov 24/25 in Halifax
Where did PCI come from?
• The PCI Security Standards Council:
  – An open global forum, launched in 2006
    • www.pcisecuritystandards.org
  – Responsible for the development, management, education, and awareness of the PCI Security Standards
  – Founded by five global payment brands
    • American Express
    • Discover Financial Services
    • JCB International
    • MasterCard Worldwide
    • Visa Inc.
  – Each brand incorporates the PCI DSS as the technical requirements of its own data security compliance program
What is PCI?
• PCI Security Standards include:
  – Payment Application Data Security Standard (PA-DSS)
    • Software vendors
  – PIN Transaction Security (PTS)
    • Device vendors and manufacturers
  – Point-to-Point Encryption (P2PE)
    • Solution providers
  – Data Security Standard (PCI DSS)
    • Anyone who stores, processes or transmits cardholder data
    • Specifically the Primary Account Number (PAN)
• Overall intent is to prevent the theft of electronic or paper cardholder data
• Overall intent is to prevent the theft of electronic or paper cardholder data
PCI DSS Requirements
• Build and Maintain a Secure Network
  – Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
  – Requirement 3: Protect stored cardholder data
  – Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
  – Requirement 5: Use and regularly update anti-virus software or programs
  – Requirement 6: Develop and maintain secure systems and applications
PCI DSS Requirements (cont)
• Implement Strong Access Control Measures
  – Requirement 7: Restrict access to cardholder data by business need-to-know
  – Requirement 8: Assign a unique ID to each person with computer access
  – Requirement 9: Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
  – Requirement 10: Track and monitor all access to network resources and cardholder data
  – Requirement 11: Regularly test security systems and processes
• Maintain an Information Security Policy
  – Requirement 12: Maintain a policy that addresses information security for all personnel
PCI DSS Requirements (cont… again!)
• Total number of sub-requirements: 220+
PCI Compliance – Why do I care?
• Potential penalties for non-compliance:
  – Hefty fines
  – Refused merchant accounts
  – Accountability for breach
Concerns about PCI DSS
• It’s too specific
• It’s too vague
• Doesn’t address new technologies
  – e.g. virtualization
• Sucks the air out of the room
  – Disproportionate budget assigned to PCI compliance
  – Excessive time spent interpreting the requirements
• First step in getting there is to limit the scope
  – Therein lies one of the problems
More concerns about PCI DSS
• Why comply? PCI Council says:
  – Compliance has indirect benefits as well:
    • Through your efforts to comply with PCI Security Standards, you’ll likely be better prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc.
      – OK
    • You will likely identify ways to improve the efficiency of your IT infrastructure
      – Possibly
    • You’ll have a basis for a corporate security strategy
      – Not so sure about this one
  – Compliance with the PCI DSS means that your systems are secure
    • What?? That’s a bold statement...
Whose Law?
• May have heard of Moore’s Law:
  – Gordon Moore was co-founder of Intel
  – States the number of transistors on a chip will double approximately every two years
• Who is HD Moore?
  – And why does he have a “law”???
Who is HD Moore?
• One of the best known names in information security
  – Particularly the offensive side
• Founded the Metasploit Project in 2003
  – Open-source penetration testing platform
• Metasploit acquired by Rapid7 in 2009
  – Became CSO at Rapid7 and…
  – Still chief architect of Metasploit
• Rapid7 offers commercial versions of Metasploit
  – But Metasploit Framework is still free
  – And as of Oct 18, 2011 so is Metasploit Community Edition!
Introducing Joshua Corman
• Director of Security Intelligence, Akamai Technologies
  – Former Research Director, Enterprise Security, The 451 Group
  – Former Principal Security Strategist, IBM ISS
• Industry Experience:
  – Expert Faculty: The Institute for Applied Network Security (IANS)
  – 2009 NetworkWorld Top 10 Tech People to Know
    • http://www.networkworld.com/supp/2009/outlook/010509-tech-people-to-know.html
  – Co-Founder of “Rugged Software” www.ruggedsoftware.org
• Recently coined “HD Moore’s Law”
Attacker Drop-Off: Casual Attacker
[Chart: attacker success (y-axis, 0–120) plotted against Security Investment (x-axis, 1–11); series: Casual Success, Anon/Lulz Success, APT?/APA Success, with a QSA marker. Provided courtesy of Joshua Corman]
HD Moore’s Law
[Chart: attacker success (y-axis, 0–120) plotted against Security Investment (x-axis, 1–11); series: Casual Success, Anon/Lulz Success, APT?/APA Success, with a QSA marker; labelled “HD Moore’s Law”. Provided courtesy of Joshua Corman]
Attacker Drop-Off: QSA
[Chart: attacker success (y-axis, 0–120) plotted against Security Investment (x-axis, 1–11); series: Casual Success, Anon/Lulz Success, APT?/APA Success, with the QSA marker highlighted. Provided courtesy of Joshua Corman]
Attacker Drop-Off: APT/APA
[Chart: attacker success (y-axis, 0–120) plotted against Security Investment (x-axis, 1–11); series: Casual Success, Anon/Lulz Success, APT?/APA Success, with a QSA marker; APT/APA drop-off highlighted. Provided courtesy of Joshua Corman]
Attacker Drop-Off: Chaotic Actors
[Chart: attacker success (y-axis, 0–120) plotted against Security Investment (x-axis, 1–11); series: Casual Success, Anon/Lulz Success, APT?/APA Success, with a QSA marker; chaotic-actor (Anon/Lulz) drop-off highlighted. Provided courtesy of Joshua Corman]
Welcome to Metasploit
Metasploit’s Sweet ASCII Art
And some more...
Last one
Build and set the trap
User interaction
Hmm. Double-click and it does nothing... or does it...
Meanwhile, back in Metasploit...
Finding a better place to live...
And movin’ on in!
Now living in the Symantec User Session process
• tasklist doesn’t show the malicious DLL
• netstat doesn’t show network sessions
• no way to tell it’s running on your system
PWNED!
How does PCI DSS stack up?
• AntiVirus?
  – Yes, it was actually enabled
• Firewall?
  – Do you allow port 443 to the internet?
• IPS?
  – Can’t check encrypted traffic
• Web proxy?
  – Does privacy policy allow decryption of outbound SSL?
“Attention users: If you happen to forget your online banking password, please contact the network group. They will gladly provide it to you.”
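With the controls listed above, antivirus comes back clean, the firewall allows 443 outbound, the IPS cannot read the TLS payload and the proxy is not decrypting, so what a defender still has is connection metadata: a workstation calling the same external host on a near-constant schedule looks different from a person browsing. The following is an added example, not part of the deck and not Metasploit or Rapid7 code. It generalises the slide's point into a small beacon detector: the log format (timestamp, source, destination, port) and every sample line are constructed for the example, and the thresholds are assumptions to tune per environment.

```python
"""Beacon detection over outbound-connection metadata (added example).

Assumed log layout per line: "<ISO-8601 timestamp> <src> <dst> <dport>".
Neither the format nor the sample lines come from any vendor or from the
original deck; both are constructed here.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample. 10.0.1.20 talks to 203.0.113.7:443 every ~60 s with
# small jitter (a scheduled callback); 10.0.1.21 shows bursty, human-paced
# browsing to 198.51.100.9 and two isolated hits on 192.0.2.44.
SAMPLE_LOG = """\
2011-11-01T09:00:00 10.0.1.20 203.0.113.7 443
2011-11-01T09:01:00 10.0.1.20 203.0.113.7 443
2011-11-01T09:02:01 10.0.1.20 203.0.113.7 443
2011-11-01T09:03:00 10.0.1.20 203.0.113.7 443
2011-11-01T09:04:01 10.0.1.20 203.0.113.7 443
2011-11-01T09:05:00 10.0.1.20 203.0.113.7 443
2011-11-01T09:06:01 10.0.1.20 203.0.113.7 443
2011-11-01T09:07:00 10.0.1.20 203.0.113.7 443
2011-11-01T09:00:05 10.0.1.21 198.51.100.9 443
2011-11-01T09:00:07 10.0.1.21 198.51.100.9 443
2011-11-01T09:03:40 10.0.1.21 198.51.100.9 443
2011-11-01T09:15:02 10.0.1.21 198.51.100.9 443
2011-11-01T09:15:03 10.0.1.21 198.51.100.9 443
2011-11-01T09:30:45 10.0.1.21 198.51.100.9 443
2011-11-01T09:20:00 10.0.1.21 192.0.2.44 443
2011-11-01T09:21:00 10.0.1.21 192.0.2.44 443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Return a list of (datetime, src, dst, dport); malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport = m.groups()
        rows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return rows


def find_beacons(rows, min_connections=6, max_cv=0.1):
    """Flag (src, dst, dport) flows whose inter-connection gaps are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps is the signal:
    a scheduled callback sits near 0, a human-driven session is bursty and
    lands near or above 1. Thresholds are assumptions, not published values.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, dport in rows:
        by_flow[(src, dst, dport)].append(ts)

    findings = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue  # too few observations to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"flow": flow, "count": len(stamps),
                             "period_s": round(avg), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        src, dst, dport = f["flow"]
        print(f"possible beacon: {src} -> {dst}:{dport} every ~{f['period_s']}s "
              f"({f['count']} connections, cv={f['cv']})")
```

Run against the constructed log, only the 10.0.1.20 flow is reported (period about 60 s, CV well under 0.1); the browsing flow has six connections too, but its gaps range from one second to several minutes, so its CV is above 1 and it is ignored. Against a real firewall or proxy export you would feed the same four fields per connection and raise `min_connections` so that a single lunch-hour poll does not trip the rule.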
A little about scoping
• Workstations likely not in scope
  – And less secured because focus is on PCI compliance
• But that’s ok because two-factor authentication is required, right?
  – Where is the certificate?
  – What version of SecurID?
Compliance Architecture
What does it all mean?
• PCI DSS is a useless piece of trash?
  – No!
  – Will certainly help those doing nothing
• Use it wisely
  – Get the security budget you need
  – Spend smart
  – Implement flexibly
• Don’t be afraid of the compensating control
  – Challenge may be to find a QSA who feels the same
  – Don’t let it distract you from securing your intellectual property
More from Joshua Corman
• Unconventional Strategies For Unconventional Adversaries
  – Discusses HD Moore’s Law and Visible Ops
  – https://community.rapid7.com/docs/DOC-1520
• RSA Pecha Kucha speed talk “Why Zombies Love PCI”
  – http://www.youtube.com/watch?v=JQEBYxp_vKs&list=FLGpGqR0fqnX-9UBB0GTPSiA&index=25&feature=plpp
• NetSecPodcast scheduled this week with HD Moore
  – http://netsecpodcast.com
• Blog post coming soon with more on HD Moore’s Law
  – Not sure where this will be posted yet
  – Contact me at [email protected] or @imchristodd
PCI Hug-it-Out
• Find it at http://netsecpodcast.com/?s=PCI+hug+it+out
• 3-part series featuring:
  – Michael Dahn
    • Works with Visa and MC developing PCI DSS and PA-DSS standards
    • Has trained thousands of PCI Qualified Security Assessors (QSAs)
  – Joshua Corman
    • We’ve already met him
    • Questions whether compliance actually weakens security
  – Face-to-face
    • They’re actually not that far apart...
Conclusion
Chris Todd
[email protected]
902-421-2460
@imchristodd
SANS Security 464: Hacker Detection for Systems Administrators
http://www.sans.org/mentor/details.php?nid=26319
Nov 24-25 in Halifax