Page 1: Tizor_Data-Best-Practices.ppt

© 2007 Tizor. All Rights Reserved.

Best Practices for PCI Compliance

New England ISSA Chapter Meeting

July 19, 2007

Page 2: Tizor_Data-Best-Practices.ppt


The PCI-DSS Requirement

• PCI-DSS 1.1 released September 7th, 2006
• Released in conjunction with the announcement of the PCI Security Standards Council (PCI SSC)
• New Requirements
  – 2.4 – Requirement for Hosting Providers
  – 5.1.1 – Detection & Removal of Spyware, Adware and other Malware
  – 6.6* – Application Firewall or Code Review on web facing apps
  – 12.10 – Service Providers Only, maintain list of “connected entities” and ensure that they are compliant
• How do these new requirements apply to my organization?
  – Merchants
  – Service Providers
  – Hosting Companies

* Best Practice until June 30, 2008 when it becomes a requirement

Page 3: Tizor_Data-Best-Practices.ppt


What is PCI SSC?

• The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

• PCI SSC members include Visa, MasterCard, American Express, Discover, and JCB

• PCI SSC committees:
  – Technical Working Group (DSS)
  – Technical Working Group (PED)
  – Task Forces (ad hoc)

• Two change factors:
  – Feedback from Merchants, Service Providers, Banks, and Qualified Security Assessors
  – Compromises

Page 4: Tizor_Data-Best-Practices.ppt


Best Practices for Data Protection

• Use discovery tools to locate unencrypted data

• Eliminate & Purge data after its useful life
• Only send relevant data to internal customers
  – Frequent and constant review
• Automate identity management
  – Build into HR processes
  – Include periodic access reviews
• Evaluate encryption by platform, by application
• Re-engineer process where needed

Page 5: Tizor_Data-Best-Practices.ppt


What are Assessors looking for?

• Diligence
  – Requirement 3 – Retention Guides, Sensitive Data, and Encryption
  – Requirement 4 – Transmissions over “public” networks
  – Requirement 7 – Need to Know
  – Requirement 8 – User/Password controls
  – Requirement 10 – Track & Monitor
  – Requirement 12 – Policy/Contracts

• Compensating Controls
  – Appendix B
  – Mainframes (z/OS, OS/390, Tandem/HP Non-Stop)

• Data Monitoring
  – Where does the data go?
  – Does it leave the control of the company?
  – Paper is painful!

Page 6: Tizor_Data-Best-Practices.ppt


A Closer Look at PCI and Data Protection

[Diagram: External Users and Internal Users reaching a File Server, Mainframe and Database, with the controls Firewall, IAM, Encrypt, Data Protection and Log mapped to PCI requirements]

• Requirement 1: Install and Maintain a Firewall Configuration
• Requirement 8: Assign a Unique ID to Each Person
• Requirement 3: Protect Stored Cardholder Data
• Requirement 4: Encrypt Network Transmissions of Data
• Requirement 7: Implement Strong Access Control
• Requirement 10: Track and Monitor All Access to Cardholder Data

Page 7: Tizor_Data-Best-Practices.ppt


Challenges With PCI & Data Protection

• Where is all of the sensitive PCI data?
• What about privileged user access & activity?
  – Encryption doesn’t help with privileged users!
• What happens if encryption keys are stolen?
• How can I verify whether I am protecting all the sensitive data?
• How and when do I know if data has been taken?
• Impact on computer system performance and business process: manage risk while not disabling business

Page 8: Tizor_Data-Best-Practices.ppt


It’s Time to Re-Think Data Protection: The Layered Data Defense System

• Protect Data From the “Inside Out”
• Data Auditing is the Foundation

[Diagram: layered data defense. Foundation: Data Auditing (Monitor, Audit, Alert) across the File Server, Mainframe and Database. Layers above: Encryption, Users, End Point Monitoring (PC, Laptop, Server), CMF (email, FTP, Other) and Security Event Management]

Page 9: Tizor_Data-Best-Practices.ppt


Data Auditing & Protection

• What Is Enterprise Data Auditing and Protection?
  Data auditing and protection is the set of processes and the supporting infrastructure for monitoring and auditing the activity taking place in your critical data repositories such as databases and file systems. It enables you to answer the following questions:

• Where is Your Data & Who’s Accessing It?
  – Privileged users
  – Applications
  – System users

• What Are They Doing With the Data?
  – Creating, reading, updating or deleting
  – Changing Schema
  – Exhibiting unusual behavior

• How Do You Protect Your Data?
  – Alert administrators
  – Alert SIEM or other security products
  – Generate reports

Page 10: Tizor_Data-Best-Practices.ppt


A New Approach to Data Auditing

A Highly Scalable, Passive Network-Centric Approach With Intelligent Analytics

• Decode network and local SQL and file server traffic
• Policy-driven audit of activity by location, operation, content, users, etc.
• Intelligent analytics to identify anomalous user behavior and issue alerts
• Reports provide detailed and summary view into activity

Page 11: Tizor_Data-Best-Practices.ppt


Data Auditing Lifecycle

Page 12: Tizor_Data-Best-Practices.ppt


The importance of discovery

• PCI Challenge: Where is the cardholder data? Is it encrypted? Should it be?

• Solution: Discovery
  – Database Servers & File Shares
  – Database/File Operations
  – Content – Tables, Columns, File Names
  – Users, Location, Time & Session

• Content Scanning for PCI
  – Identifies data patterns such as credit card #’s, PANs, or magnetic stripe data (track data)

• PCI Requirements Supported
  – Requirement #1: Discover un-trusted network access
  – Requirement #3: Discover unencrypted cardholder data
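As an added illustration of the content scanning this slide describes (example code, not Tizor's product or its patterns), a small Python scanner that flags Luhn-valid PAN candidates and Track 1/Track 2 magnetic stripe records in text; the regexes, thresholds and sample input are constructed assumptions.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (assumed pattern).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic stripe data.  Track 1: %B<PAN>^<NAME>^<YYMM><service code>...?
# Track 2: ;<PAN>=<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{7}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{7}[^?]*\?")

def luhn_valid(digits: str) -> bool:
    """Mod-10 check that separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first six and last four digits so findings can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(text: str) -> list:
    """Return (kind, masked PAN) findings in order of appearance."""
    findings, track_spans = [], []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            findings.append((m.start(), kind, mask(m.group(1))))
            track_spans.append(m.span())
    for m in PAN_RE.finditer(text):
        # Skip digit runs already attributed to a track record (PAN, expiry, discretionary data).
        if any(s <= m.start() and m.end() <= e for s, e in track_spans):
            continue
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append((m.start(), "pan", mask(digits)))
    return [(kind, pan) for _, kind, pan in sorted(findings)]

# Constructed sample using publicly known test card numbers; none belong to real accounts.
SAMPLE = """\
order 20230419000000123 customer ref 1234-5678-9012-3456 status ok
card on file: 4111 1111 1111 1111 exp 12/25
amex on file: 378282246310005
%B4111111111111111^DOE/JANE^25121011000000000000?
;5500000000000004=25121011234567890?
"""
```

The order and customer reference on the first sample line are 16- and 17-digit runs that fail the Luhn check, which is what keeps a discovery scan from drowning in false positives.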

Page 13: Tizor_Data-Best-Practices.ppt


Automate Data Policies

• PCI Challenge: How do I create data auditing policies for PCI?

• Solution: Passive network monitoring
  – Strong, yet flexible policy language
  – Multiple facets of the communication: Operation, Content, User, Location, Hour, Size, etc.
  – Policy wizard
  – Policy Templates for PCI

• PCI Requirements Supported
  – Requirement #10

Page 14: Tizor_Data-Best-Practices.ppt


Monitor Activity

• PCI Challenge: How do I gain visibility into activity with PCI data?

• Solution: Reports
  – PCI Summary Reports
  – Detailed Reports
  – Custom Reports
  – Automated approval workflow and report signing

• Forensics
  – Drill down into event details

• PCI Requirements Supported
  – Requirement #1, #3, #6, #7
  – Requirement #8
    • 8.4 – Monitor passwords “in the clear”
    • 8.5 – Identify dormant and shared user accounts
  – Requirement 12.5 – monitor and control access to data
  – Compensating control for encryption requirement #3
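An added Python example (not from the slides or Tizor's product) of the Requirement 8.5 checks on this slide: spotting dormant and shared database accounts from login records. The login records, the 90-day idle threshold and the shared-account window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed database login records: (account, local timestamp, client IP).
LOGINS = [
    ("app_svc", "2007-07-18 09:00", "10.1.5.5"),
    ("app_svc", "2007-07-18 09:05", "10.1.5.6"),
    ("app_svc", "2007-07-18 09:07", "10.1.5.7"),
    ("app_svc", "2007-07-18 09:09", "10.1.5.8"),  # one account, four clients in 9 minutes
    ("alice", "2007-07-18 10:00", "10.1.7.21"),
    ("alice", "2007-07-18 15:00", "10.1.7.21"),
    ("bob", "2007-03-01 11:00", "10.1.7.33"),     # last login months ago
]
# Provisioned accounts, including one that never appears in the login log.
ACCOUNTS = {"app_svc", "alice", "bob", "reporting"}

def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def dormant_accounts(logins, accounts, as_of, max_idle_days=90):
    """Accounts with no login in the last max_idle_days (never-used accounts included)."""
    last_seen = {}
    for acct, ts, _ in logins:
        last_seen[acct] = max(last_seen.get(acct, datetime.min), parse(ts))
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a for a in accounts if last_seen.get(a, datetime.min) < cutoff)

def shared_accounts(logins, window_minutes=60, min_sources=3):
    """Accounts used from min_sources or more distinct client IPs inside one window."""
    by_acct = defaultdict(list)
    for acct, ts, ip in logins:
        by_acct[acct].append((parse(ts), ip))
    window, flagged = timedelta(minutes=window_minutes), set()
    for acct, rows in by_acct.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            sources = {ip for t, ip in rows[i:] if t - t0 <= window}
            if len(sources) >= min_sources:
                flagged.add(acct)
                break
    return sorted(flagged)
```

Comparing the login log against the full list of provisioned accounts is what catches never-used accounts, which an activity-only view would miss.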

Page 15: Tizor_Data-Best-Practices.ppt


Protect Data

• PCI Challenge: How do I protect against data breaches and data leaks?

• Solution: Intelligent Analytics
  – Real time, per-user behavioral profiling
  – Simple anomaly operators used in policy

• Alert Policies
  – Issue alerts on suspicious behavior, unauthorized activities or other events
  – Ex. Alert when large amount of PAN or Credit Card numbers are being accessed and/or moved

• PCI Requirements Supported
  – Requirement #10
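The multi-facet policies of the “Automate Data Policies” slide and the per-user anomaly operator of this slide, combined into one added Python example (not Tizor's implementation); the policy format, the facet names, the thresholds and the audit events are constructed assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
from statistics import mean
# One audited operation: user, SQL/file operation, table or path, local hour (0-23),
# client IP, and the number of PAN-pattern matches seen in the returned content.
Event = namedtuple("Event", "user operation obj hour src pan_count")
# Hypothetical policy format: every facet listed must match for the policy to fire.
POLICIES = [
    {"name": "bulk PAN read outside business hours",
     "operation": {"SELECT", "READ"}, "hours": range(0, 7), "min_pan": 100},
    {"name": "schema change on cardholder table",
     "operation": {"ALTER", "DROP"}, "obj_prefix": "card."},
    {"name": "cardholder access from outside the CDE",
     "obj_prefix": "card.", "src_not_in": ["10.1.0.0/16"]},
]
CHECKS = {  # facet name -> predicate over (policy value, event)
    "operation": lambda v, e: e.operation in v,
    "hours": lambda v, e: e.hour in v,
    "min_pan": lambda v, e: e.pan_count >= v,
    "obj_prefix": lambda v, e: e.obj.startswith(v),
    "src_not_in": lambda v, e: not any(ip_address(e.src) in ip_network(n) for n in v),
}

def policy_matches(p: dict, e: Event) -> bool:
    return all(CHECKS[k](v, e) for k, v in p.items() if k != "name")

def anomalous(e: Event, history: dict, factor: int = 5, floor: int = 50) -> bool:
    # Simple anomaly operator: PAN volume well above this user's own baseline.
    past = history.get(e.user, [])
    baseline = mean(past) if past else 0
    return e.pan_count > max(floor, factor * baseline)

def evaluate(events, history):
    alerts = []
    for e in events:
        fired = [p["name"] for p in POLICIES if policy_matches(p, e)]
        if anomalous(e, history):
            fired.append(f"anomalous PAN volume for {e.user}")
        alerts.append(fired)
    return alerts

# Constructed sample: alice's baseline PAN matches per query, then new activity.
HISTORY = {"alice": [18, 22, 20, 25, 15]}
EVENTS = [
    Event("alice", "SELECT", "card.accounts", 10, "10.1.5.5", 20),
    Event("alice", "SELECT", "card.accounts", 3, "10.1.5.5", 4800),
    Event("dba1", "ALTER", "card.accounts", 14, "10.1.9.9", 0),
    Event("bob", "SELECT", "card.accounts", 11, "192.168.7.9", 10),
    Event("alice", "SELECT", "card.accounts", 11, "10.1.5.5", 300),
]
```

The last event trips no static policy (it is inside business hours, from inside the CDE), yet the per-user baseline still flags it, which is the point of pairing fixed policies with behavioral profiling; in a real deployment the baseline would be updated continuously rather than held fixed as here.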

Page 16: Tizor_Data-Best-Practices.ppt


Beyond PCI

• Avoid Point Solutions
  – Target technology that enables monitoring and protection for multiple issues
    • PCI
    • SOX
    • GLBA
    • Data Theft
    • Data Breach

• It’s a Data Problem, Not a Database Problem
  – File Shares
  – Mainframe
  – Desktops

Page 17: Tizor_Data-Best-Practices.ppt


Questions?

Michael Semaniuk

978-243-3212

[email protected]