Pondurance pci dss 112014

PCI DSS
Published on: Mar 4, 2016
Published in: Technology      
Source: www.slideshare.net


Transcripts - Pondurance pci dss 112014

  • 1. PCI DSS: Good, Fast, or Cheap (Pick One). 2014 Fall Security Briefing. Dustin Hutchison PhD, QSA, VP and Executive Manager, 3105 E. 98th St. Suite 120, Indianapolis, IN 46280, 317.429.0029, dustin.hutchison@pondurance.com, www.pondurance.com
  • 2. AGENDA
      • Recent Breaches
      • Good, Fast, or Cheap (or Bad, Slow, or Expensive depending on your outlook on life)
      • Monitoring and Audit Logging
  • 3. WE ARE ALL TARGETS (PUN INTENDED)
  • 4. TARGET – 12/2013
  • 5. TARGET – PCI DSS
  • 6. TARGET – PCI DSS
  • 7. TARGET – PCI DSS
  • 8. GOOD, FAST, OR CHEAP?
      Anti-Virus: Good – No. Fast – No. Cheap – No (Symantec Endpoint Protection). Verdict – Just ineffective.
      Monitoring: Good – Kind of? Fast – Kind of? Cheap – No (third party, not Pondurance). Verdict – Ineffective because of Target’s processes.
  • 9. HOME DEPOT – 9/2014
  • 10. HOME DEPOT – 9/2014 (Reference: www.krebsonsecurity.com)
  • 11. GOOD, FAST, OR CHEAP?
      Anti-Virus: Good – No. Fast – No. Cheap – No (Symantec). Verdict – Just ineffective.
  • 12. DAIRY QUEEN – 9/2014
  • 13. GOOD, FAST, OR CHEAP?
      Anti-Virus: Good – No. Fast – No. Cheap – No (Symantec). Verdict – Just ineffective.
  • 14. BACKOFF MALWARE
      In addition to Dairy Queen, Backoff also affected:
      • UPS Store
      • Goodwill
      • Michaels Stores
      To see how Backoff works, go to: http://www.esecurityplanet.com/malware/backoff-pos-malware-demonstrated-at-black-hat-video.html
  • 15. FIREWALL PROTECTION?
  • 16. SYSTEMS UPDATED?
  • 17. FRIENDLY REMINDER
      All the breaches lead to more opportunities for attackers. Be cautious – free credit monitoring, free gift cards, etc. may just be phishing attempts.
  • 18. THE GOOD, FAST, OR CHEAP
      Disclaimers: PCI DSS is not a “one size fits all” – work with your acquiring bank or customer(s) to determine if a Self Assessment Questionnaire (SAQ) or full Report on Compliance (ROC) is appropriate.
      I am not going to recommend specific products (at least here in a large audience, but if you have a question about something specific, see me in the hallway or give me a call) (alright, I may mention some specific products).
  • 19. PRIORITIZED APPROACH
  • 20. REDUCE YOUR SCOPE
      Limit data retention and remove cardholder data when possible. Segmenting your cardholder data environment should be a priority. This reduces the scope of your compliance requirements, but must be validated by data discovery.
      • DLP / Data Discovery = Good, Not Fast, Not Cheap
      • Manual Review = Cheap, Not Fast, Good?
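Slide 20 says a segmentation claim is only as good as the data discovery that validates it, and lists "manual review" as the cheap option. The PowerShell below is an added example, not code from the deck or from Pondurance: a minimal manual-review scan that finds Luhn-valid 13 to 19 digit sequences in text files under a directory and reports them with only the first six and last four digits. The scan root, the file patterns and the sample file it writes to $env:TEMP are assumptions made for the example; the sample uses the standard 4111 1111 1111 1111 test number rather than any real card data.

```powershell
# Added example (not Pondurance's tooling): manual cardholder-data discovery to check
# that a segmented environment really holds no stray PANs. Paths below are assumptions.

function Test-Luhn {
    # Mod-10 check: filters most phone numbers, order numbers and timestamps out of the hits.
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int]::Parse($Digits.Substring($i, 1))
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Get-MaskedPan {
    # Report only the first six and last four digits, the most PCI DSS allows to be displayed.
    param([string]$Pan)
    return $Pan.Substring(0, 6) + ('*' * ($Pan.Length - 10)) + $Pan.Substring($Pan.Length - 4)
}

function Find-CandidatePans {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string[]]$Include = @('*.txt', '*.csv', '*.log', '*.xml')
    )
    # 13 to 19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
    $pattern = '(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)'
    $files = Get-ChildItem -Path $Root -Recurse -File -Include $Include -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $lineNo = 0
        foreach ($line in (Get-Content -LiteralPath $file.FullName -ErrorAction SilentlyContinue)) {
            $lineNo++
            foreach ($m in [regex]::Matches($line, $pattern)) {
                $digits = $m.Value -replace '[ -]', ''
                if (Test-Luhn $digits) {
                    [pscustomobject]@{ File = $file.FullName; Line = $lineNo; MaskedPan = (Get-MaskedPan $digits) }
                }
            }
        }
    }
}

# Constructed sample input so the script runs stand-alone: one Luhn-valid test number
# (4111 1111 1111 1111, a standard test card value) plus two digit strings that must not match.
$sampleDir = Join-Path $env:TEMP 'pan-discovery-sample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@(
    'order=10442; card=4111 1111 1111 1111; exp=12/16',
    'callback 317-429-0029 ext 120',
    'ref 1234567890123 not a card'
) | Set-Content -LiteralPath (Join-Path $sampleDir 'export.txt')

$hits = @(Find-CandidatePans -Root $sampleDir)
$hits | Format-Table -AutoSize
if ($hits.Count -gt 0) {
    Write-Warning "$($hits.Count) candidate PAN(s) found; these files stay in PCI scope until the data is removed."
}
```

Point Find-CandidatePans at the shares and export folders the segmentation diagram says are out of scope; a single hit there moves that host back in. The Luhn check removes most false positives but not all (some non-card identifiers pass mod 10), so treat output as a review list, and extend the Include patterns to whatever formats the POS and back-office systems actually write.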
  • 21. PROTECT SYSTEMS
      Two-factor authentication (remember those remote vendor accounts)
      • Duo Security – Good, Fast, and Cheap
      • PhoneFactor (purchased by Microsoft) – Good, Fast, sort of Cheap
      Anti-Virus
      • You do need it, maybe aim for Cheap
  • 22. MONITOR AND CONTROL ACCESS
      Assign unique user IDs, limit access
      • GPOs – Good, Fast, and Cheap
      • Spreadsheet – Good, Cheap, not Fast
      Track and monitor all access
      • Manual process – Cheap, can be Good, Not Fast
      • SIEM / FIM (OSSEC) / Splunk – Good, your mileage may vary on speed of implementation and cost
  • 23. WHAT IS REALLY REQUIRED?
  • 24. REQUIREMENT 10 (CONTINUED)
  • 25. LOGGING AND MONITORING
      Turn on the right stuff in the Advanced Audit Policies
  • 26. SYSTEM LEVEL (Reference: http://sniperforensicstoolkit.squarespace.com/)
  • 27. DIRECTORY LEVEL (Reference: http://sniperforensicstoolkit.squarespace.com/)
  • 28. REGISTRY LEVEL (Reference: http://sniperforensicstoolkit.squarespace.com/)
  • 29. MANUAL PROCESS
      AuditPol – View your current settings
      Reg.exe – Query the registry
      SC.exe – Query services
      WEvtUtil – Query your logs
      Develop scripts to alert based on critical / high items (such as changes to POS systems)
      Reference: http://sniperforensicstoolkit.squarespace.com/
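Slides 25 to 29 describe the manual route: turn on the right Advanced Audit Policies, then use AuditPol, Reg.exe, SC.exe and WEvtUtil and script alerts on critical/high items such as changes to POS systems. The PowerShell below is an added example, not code from the deck or from Pondurance, that does those steps in one pass: it checks that a set of audit subcategories (my choice, an assumption) are set to Success and Failure, snapshots services and Run keys to a baseline file at a hypothetical path, diffs the next run against that baseline, and pulls a handful of Security-log event IDs from the lookback window. It calls auditpol directly and uses the built-in cmdlets in place of reg.exe, sc.exe and wevtutil because they return objects that are easier to compare; the event ID list and severities are assumptions to be tuned per environment.

```powershell
# Added example (not Pondurance's tooling): baseline-and-compare wrapper around the tools
# named on slide 29. Baseline path, audit subcategory list and event IDs are assumptions.
# Run elevated; auditpol and the Security log need it.
param(
    [string]$BaselinePath = (Join-Path $env:ProgramData 'pos-baseline.json'),  # hypothetical location
    [int]$LookbackHours = 24
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Severity, [string]$Source, [string]$Item, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Severity = $Severity; Source = $Source; Item = $Item; Detail = $Detail })
}

# 1. AuditPol: /r emits CSV and "Inclusion Setting" is the effective policy per subcategory.
$required = @('Logon', 'Process Creation', 'Audit Policy Change', 'Security System Extension',
              'Registry', 'File System', 'User Account Management', 'Security Group Management')
$audit = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
foreach ($name in $required) {
    $row = $audit | Where-Object { $_.Subcategory -eq $name }
    if (-not $row -or $row.'Inclusion Setting' -ne 'Success and Failure') {
        Add-Finding 'High' 'AuditPol' $name "expected 'Success and Failure', found '$($row.'Inclusion Setting')'"
    }
}

# 2. SC.exe equivalent: snapshot services with start mode and binary path (a swapped path on a POS host is a high item).
$services = @{}
foreach ($s in Get-CimInstance Win32_Service) { $services[$s.Name] = "$($s.StartMode)|$($s.PathName)" }

# 3. Reg.exe equivalent: snapshot the auto-start values an intruder would most likely touch.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
$autoruns = @{}
foreach ($k in $runKeys) {
    $item = Get-Item -Path $k -ErrorAction SilentlyContinue
    if ($item) { foreach ($v in $item.GetValueNames()) { $autoruns["$k\$v"] = [string]$item.GetValue($v) } }
}

# First run writes the baseline; later runs diff against it.
$snapshot = @{ Services = $services; Autoruns = $autoruns }
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    $snapshot | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $BaselinePath
    Write-Host "Baseline written to $BaselinePath; re-run to compare."
    return
}
$baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
foreach ($section in 'Services', 'Autoruns') {
    $old = @{}
    foreach ($p in $baseline.$section.PSObject.Properties) { $old[$p.Name] = [string]$p.Value }
    $new = $snapshot[$section]
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k)) { Add-Finding 'High' $section $k 'new since baseline' }
        elseif ($old[$k] -ne $new[$k]) { Add-Finding 'High' $section $k "changed: '$($old[$k])' -> '$($new[$k])'" }
    }
    foreach ($k in $old.Keys) { if (-not $new.ContainsKey($k)) { Add-Finding 'Medium' $section $k 'removed since baseline' } }
}

# 4. WEvtUtil equivalent: recent Security events that matter on a cardholder-data host.
$since = (Get-Date).AddHours(-$LookbackHours)
$watch = @{ 4719 = 'audit policy changed'; 4697 = 'service installed'; 4720 = 'user account created'; 4732 = 'member added to local group' }
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @($watch.Keys); StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $events) { Add-Finding 'High' 'EventLog' "$($e.Id) $($watch[$e.Id])" "$($e.TimeCreated) $($e.MachineName)" }

$findings | Sort-Object Severity | Format-Table -AutoSize
# Non-zero exit so a scheduled task or monitoring hook can raise the alert the deck asks for.
if (@($findings | Where-Object Severity -eq 'High').Count -gt 0) { exit 1 }
```

Run it once to write the baseline, then schedule it; anything it reports on a POS host should be explainable by a change ticket. Refresh the baseline only after a reviewed change, keep the baseline file where the POS account cannot write it, and expect to tune the subcategory list and event IDs to what the Advanced Audit Policies on slides 26 to 28 actually enable.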
  • 30. QUESTIONS. Dustin Hutchison, Dustin.Hutchison@pondurance.com
