Post on 18-Dec-2015
Leveraging PCI Compliance: Managing Risk in Michigan
Dan Lohrmann, Chief Information Security Officer, State of Michigan
West Michigan ISACA, October 16, 2008
State of Michigan • Department of Information Technology
What's on Tap?
- First things first
- The Perfect Security Storm
- The Michigan Journey
- The Good, the Bad, the Ugly
- PCI Compliance: Many Birds with One Stone
- Combining People-Processes-Technology
- Lessons Learned
- Next Steps
First things first…
A bit about me:
- Former NSA analyst
- Former IT Director, ManTech International, UK
- Roles as State Agency CIO and e-Michigan CTO
- Over 23 years of IT experience
- Director, Michigan's Office of Enterprise Security
  - Emergency management coordinator
  - Staff of 30 security professionals
  - Homeland security liaison
  - Cybersecurity manager
A bit about MDIT…
Michigan in focus
- In 2001, IT services consolidated from 19 agencies into one department, MDIT
- We now support all of the agencies with a $378 million annual budget
- Our 1,700 employees support and maintain:
  - Over 800 critical business applications
  - Over 55,000 desktop computers
  - Over 1,300 telecommunications locations
What role do we play?
What services do we touch?
Whenever a citizen:
- Files an income tax return
- Pays or receives child support
- Wins the Lottery
- Compares schools
- Starts a business
- Applies for a driver's license…
- or gets pulled over by a state trooper
All of them!
And, like many of you, from 2005-2007 Michigan endured the "perfect security storm"
The Perfect Security Storm
Compliance…
- Payment Card Industry (PCI)
- HIPAA
- NIST (New Audits, SOX)
- Breach Laws, Notification
Vulnerabilities…
- MS Patches Never End
- Legacy Systems
- Multiple OS Versions / Consolidation of Servers
- Configuration, Asset Mgt.
Identity Theft…
- Exploding # of Attacks
- Hackers & Viruses
- Privacy Data
- Homeland Security
- Organized Crime
More with Less…
- Budget Cuts
- Standardization (Too many Scanners, Tools)
- Operational Fires (Viruses) Continue
- Staffing Efficiencies Desired
How has compliance tightened?...
The New Rules for CSOs
We're here today to talk a little bit about the "Michigan Story" and how we are weathering the storm…
FISCAM Controls
The Good, the Bad & the Ugly
The perfect storm resulted in a set of conditions challenging security officials like never before
In Michigan, there were pros and cons alike…
The Michigan Story: The Good
- We had an eager customer, the Department of Treasury, ready and willing
- Funding was available from Homeland Security
- Our CIO set a department-wide mandate on improved security
The Michigan Story: The Bad
- Lack of motivation for change among some…another "to do"
- Culture and attitude hurdles…"don't touch my server / we're different"
- Skill sets and training for technical staff lacking
- Ownership questions and multiple audiences
The Michigan Story: The Ugly
- Poorly administered change control: the infrastructure move, add, change (IMAC) process was not centralized
- Negative penetration test results, audit findings
- Multiple reports/purposes/metrics, moving vulnerability and requirement targets
- Lack of standard configurations and builds, multiple credit card solutions
We also had too many vulnerability scanning tools…
The Michigan Story: Pick a Tool, Any Tool
- Nessus: heavily used industry wide; used by risk management for years; open source
- QualysGuard: currently the risk management standard; expensive; sold as a service; extremely powerful; highly configurable; intelligent interface
- ISS scanner: expensive; powerful
- SARA: less harsh vulnerability scanner; open source
- Nikto: open source; much less harsh or noisy; used for web vulnerability scanning only; will also show configuration errors
The Michigan Story: Many Birds with One Stone
The answer was clear…PCI compliance was necessary!
If we could solve this one problem, we could address multiple issues:
- Audit findings
- Security holes from pen test
- Legal requirements/compliance
- Implement industry best practice
- Improve overall IT processes
- And… satisfy our Treasury customer
What is PCI Compliance?
Otherwise known as the Payment Card Industry (PCI) Data Security Standard, PCI compliance:
- Is a standard that applies to financial institutions, Internet vendors and retail merchants
- Spells out security measures and auditing procedures required to protect private information during transactions involving paycards
- Is used by all card brands to assure the security of the data gathered during transactions
Card Associations LLC, https://www.pcisecuritystandards.org
Mission: Enhance payment account data security by fostering broad adoption of PCI-DSS
Cost of Non-Compliance
In the event of a breach, the acquirer can make the merchant responsible for:
- Any fines from PCI-Co (up to $500,000/incident)
- Cost to notify victims
- Cost to replace cards (about $10/card)
- Cost for any fraudulent transactions
- Forensics from a QDSC
- Level 1 certification from a QDSC
Costs add up quickly… If 50,000 credit cards are stolen:
- PCI Penalty: $500,000
- Card Replacement: $500,000
- Fraudulent Transactions: $61,750,000
Not to mention the bad publicity…
"Digital Dozen" Approach to PCI Compliance
Build/Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Data
- Protect stored cardholder data
- Encrypt transmission of data across open/public networks
Maintain a Vulnerability Mgt Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
Implement Strong Access Controls
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an IS Policy
- Maintain a policy that addresses information security
The Michigan Approach: People
- Treasury takes business ownership
- MDIT Office of Enterprise Security forms cross-organizational team
  - Gaining trust from multiple orgs
  - Training, joint buy-in
- Executives buy in
- Credit card users group makes business case and other financial incentives clear
  - Can't afford to lose credit card authority
  - Need e-Government growth
  - Failing is not an option: reputation of the State is on the line
The Michigan Approach: Processes
- Set uniform IMAC/change management
- Established common approach
  - Iterative scans took time (plenty of war stories)
  - Initially centralized, later federated
  - Training built in, best and brightest selected on server teams
- Regular format/briefings to key business and technology management teams
- Agreed upon standard metrics and repeatable, explainable, supportable numbers (not an easy feat)
The Michigan Approach: Technology
- Chose single tool (Qualys)
- Achieved common configuration and builds
- Developed good vendor relationships
- Provided training on tool
- Focused on business outcomes (agreed upon requirements)
- Gave the team authority, priority, clear roles/responsibilities
- Shared, repeatable knowledge base
How does Qualys work?
Qualys Categorization
- Level-1: Intruders can collect not-too-sensitive info like open ports, services
- Level-2: Intruders can collect sensitive information, like specific versions of software installed, to mount attacks
- Level-3: Intruders can collect specific info, including security settings
- Level-4: Intruders can compromise the system with non-admin user privileges, or can access highly sensitive information
- Level-5: Intruders can gain complete, admin-level access to the system
The Michigan Process
- Integrates with other MDIT processes
- Affects old and new
- Three changes for remediation, owned by server and application teams:
  - Patch: once installed, addresses many vulnerabilities; patching servers is more complicated
  - Update: synonymous with patch, used on applications not OS; followed with version numbers
  - Configure: changes to apps and services to add security; includes removing/stopping services and configuring passwords
The Michigan Process: Vulnerability Remediation Tools
To speed up remediation of vulnerabilities, including open ports, false positives, and known solutions…
Phase I
- Refining and distributing to CSDs a new spreadsheet of vulnerability, status and coordinator by server IP
- Facilitating meetings with CSDs and server support staff to work through the spreadsheet and successful processes
Phase II
- Linking spreadsheet information to other information available about the server, such as CMDB and server PDI scan info
- Building solution knowledge base
- Presenting all information in a Web-accessible database, with access limited as appropriate by role (user ID / password)
The Michigan Process: Executive Tech. Review Board (ETRB)
ETRB provides rapid resolution to questions:
- Reviewing approved, denied, escalated exception requests
- Resolving technical disagreements
Exceptions Process:
- One form for OES, hosting center, and managed LAN
- Area may approve exception or defer to program board
- Program board may approve or deny exception
- Requester can appeal denial to ETRB for final ruling
- ETRB reviews approved exceptions, identifying the cause; using background information received in advance, it makes decisions on the spot and communicates them across the organization
The Proof…As they say
"Significant" DMZ vulnerabilities (Severity 3 or above):
- When we began in January 2006: 318
- Today: Zero – None – Nada!
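As an added example (not from the deck or from MDIT), a minimal Python version of the Phase I spreadsheet: one row per finding keyed by server IP, carrying the Qualys severity level (1-5 as categorized above), one of the deck's three remediation types, a status and a coordinator, from which the "significant" DMZ metric just reported (severity 3 or above, still open) and the per-coordinator and per-remediation breakdowns are computed. The DMZ address range, team names and sample rows are constructed, not real Michigan data.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SIGNIFICANT_SEVERITY = 3                              # deck: "Severity 3 or above"
REMEDIATION_TYPES = {"patch", "update", "configure"}  # the deck's three change types
DMZ_NETWORKS = [ip_network("192.0.2.0/24")]           # constructed stand-in for the DMZ range

@dataclass(frozen=True)
class Finding:               # one row of the Phase I spreadsheet
    ip: str
    title: str
    severity: int            # Qualys level 1..5 as categorized on the slide
    remediation: str         # patch | update | configure
    status: str              # open | remediated | exception-approved | false-positive
    coordinator: str         # owning team, tracked by server IP

def validate(f: Finding) -> None:  # reject rows the spreadsheet format does not allow
    if not 1 <= f.severity <= 5:
        raise ValueError(f"severity must be 1-5, got {f.severity}")
    if f.remediation not in REMEDIATION_TYPES:
        raise ValueError(f"unknown remediation type {f.remediation!r}")

def in_dmz(ip: str) -> bool:
    return any(ip_address(ip) in net for net in DMZ_NETWORKS)

def is_significant(f: Finding) -> bool:
    """The deck's metric: still open, on a DMZ host, severity 3 or above."""
    return f.status == "open" and f.severity >= SIGNIFICANT_SEVERITY and in_dmz(f.ip)

def remediation_report(findings) -> dict:  # repeatable numbers for briefings and the ETRB
    for f in findings:
        validate(f)
    sig = [f for f in findings if is_significant(f)]
    return {
        "significant_open": len(sig),
        "by_coordinator": Counter(f.coordinator for f in sig),
        "by_remediation": Counter(f.remediation for f in sig),
        "exceptions_for_etrb_review": sum(f.status == "exception-approved" for f in findings),
        "false_positives": sum(f.status == "false-positive" for f in findings),
    }
SAMPLE = [  # constructed rows, not real Michigan data
    Finding("192.0.2.10", "vendor default admin password", 5, "configure", "open", "server-team-a"),
    Finding("192.0.2.10", "outdated web server build", 4, "patch", "remediated", "server-team-a"),
    Finding("192.0.2.20", "unneeded service listening", 3, "configure", "open", "server-team-b"),
    Finding("192.0.2.20", "banner discloses version", 2, "configure", "open", "server-team-b"),
    Finding("192.0.2.30", "app component needs update", 4, "update", "exception-approved", "app-team-c"),
    Finding("192.0.2.40", "scanner flagged closed port", 3, "patch", "false-positive", "server-team-b"),
    Finding("10.0.0.5", "missing OS patch (internal host)", 5, "patch", "open", "server-team-a"),
]
```

Running `remediation_report(SAMPLE)` counts only two rows as significant: the severity-2 row falls below the threshold, the remediated, exception-approved and false-positive rows are not open, and the internal host is outside the DMZ.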
Critical Lessons Learned
- PCI compliance is worth it:
  - Solves many complex problems
  - Measurable – good metrics
- Don't forget the vendors
- Market your progress (communication x3)
- Build trust with WIN/WIN approaches
- The hardest parts are NOT technical...
- Entrust your staff…and reward them
Michigan's Next Steps
- Counties and locals
- Moving up the stack: applications
- Other systems (moving PCI target)
- Rolling into app lifecycle
Dan Lohrmann
Lohrmannd@michigan.gov
www.michigan.gov/dit
www.michigan.gov/cybersecurity