Brian Cloud August 06, 2009. Overall Digital Security What is Digital Security Murphy’s Law...
-
Upload
aileen-jody-spencer -
Category
Documents
-
view
216 -
download
0
Transcript of Brian Cloud August 06, 2009. Overall Digital Security What is Digital Security Murphy’s Law...
Overall Digital Security
What is Digital Security
Murphy’s LawSince 2005, over 263M records breeched
(privacyreports.com)○ Hacking, Internal Flaws, Stolen Equipment
Marketing is Profitability, Profiles are Productivity
Security Concerns Databases Communications and Transmissions Media Access Levels Traveler Issues and Awareness
Types of Issues:Data BreechIntellectual Property TheftDoS AttacksInternal Issues and Employee Mindset
PCI Compliance Overview What is it?
Payment Card Industry (PCI) Data Security Standard (DSS) defines what cardholder data can be stored and how it may be
processed and managed to keep it secure.
Who must comply? All members, merchants, and service providers that store, process, OR
transmit cardholder data. All system components which are defined as any network component,
server, or application that is included in or connected to the cardholder data environment.
PCI Security Standard Council Develop and manage the PCI Data Security Standard. Establish and maintain industry-level approval processes for Qualified
Security Assessors (QSA) and Approved Scanning Vendors (ASV). Publish and distribute the PCI Data Security Standard. Provide an open forum for all key stakeholders
Cardholder Data Any personally identifiable information associated
with the cardholder that is stored, processed, or transmitted. Account number, expiration date, name, address, social
security number, etc.
It is never acceptable to retain magnetic stripe data subsequent to transaction authorization. However, the following individual data elements may be retained subsequent to transaction authorization: Cardholder Account Number Cardholder Name Card Expiration Date
Still applies even if cardholder data is not stored
Getting Compliant Compliance Classification (Levels I-IV) determined by number
of transactions in merchant account
Point of Sale (POS) environment Merchant location (i.e. travel agency, retail store, restaurant, hotel
property, gas station, supermarket, or other point of sale location). Internet protocol (IP) -based POS environment is one in which
transactions are stored, processed, or transmitted on IP-based systems, or systems communicating via TCP/IP.
Compensating Controls for encryption of stored data Complex network segmentation Internal firewalls that specifically protect the database TCP wrappers or firewall on the database to specifically limit who can
connect to the database. Separation of the corporate internal network on a different network
segment from production, with additional firewall separation from database servers.
PCI Compliance Level Definitions
Compliance Validation Level
AnnualOn-site
Assessment
QuarterlyPerimeter
Scan
Self-AssessmentQuestionnaire
Level 1> 6M Transactions
Required Required N/A
Level 21M-6M Transactions
N/A Required Required
Level 320K-6M Transactions
N/A Required Required
Level 4< 20K Transactions
N/A Determinedby Acquirer
Determinedby Acquirer
** Anyone suffering a breech may be escalated
Participating Card Associations
PCI Compliance
Cardholder Information Security Program (CISP)
Site Data Protection (SDP)
Penalties and Fees When do I get penalized?
Not meeting PCI Compliance by the specified date. Card Holder data compromise when not PCI compliant.
What are the fines associated? Dependent on the card brand and acquiring bank. Non-compliance (Visa Example) – $5,000 and $25,000 a month for each of its
Level 1 and 2 merchants (CVV2 can be worse). Card Holder Breach (Visa Example) –Fines up to $500,000 per incident, for any
merchant or service provider that is compromised and not compliant at the time of the incident. Safe Harbor if PCI Compliant.
Impose restrictions on noncompliant merchants All fraud losses incurred from the use of the compromised account numbers from
the date of compromise forward. Cost of re-issuing cards associated with the compromise. Cost of any additional fraud prevention/detection activities required by the card
associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of system for fraudulent activity).
Possible revocation of merchant status Loss of Business Integrity with Customers
Credit Card Breeches The Cost of Non-Compliance
20% of individuals who received a data breach notification during 2005 terminated their relationship with that company.
Stock price: A 2004 study found that companies that suffered data breaches lost an average of just over 5% of their market valuation.
Breach Recovery: Average cost to recover from a data breach - $14 million ($140 per customer record).
Average loss was 2.6% of all customers.
Examples of breaches TJMax: At least 45.7 million credit/debit cards of shoppers stolen. Largest
ever. BJ’s Wholesale: Booked $16 million reserve to cover all costs related to
breach. DSW Shoe Warehouse: Booked $6.5 million reserve to cover breach
costs. ChoicePoint: $15 million fine.
Common Failure Points Data Encryption
While at rest and during transit. Proper encryption key management.
Network Monitoring and Logging Inability to recreate user’s activity (who did what, when, where, and how). Lack of real time monitoring of network events (e.g., IDS and firewall).
Network Segmentation Customer network’s typically flat. Systems serve multiple purposes.
Data Archival and Disposal Backup tapes not secured or encrypted. Hard copies not secured or not disposed of properly.
Web Application Security Lack of software development life cycle. Poor QA process and testing.
Steps You Should be Taking Get A Security Assessor Re-Assess Until Compliant Self-Audit (PCI Data Security Standards Compliance Questionnaire)
https://www.pcisecuritystandards.org/saq/index.shtml Perform a System Perimeter Scan Inform Employees, Change Environments and Mindsets
Key Questions Only applicable to e-commerce merchants? How do merchants determine the cost of compliance validation? What if a merchant has outsourced the storage, processing, or
transmission of cardholder data to a service provider? Do merchants need to include their service providers in the scope of their
PCI Data Security Standards Review?
Path to Compliance Determine the locations of the card holder data.
Reduce scope by eliminating or segmenting the card holder data.
Baseline your environment against the PCI DSS to identify gaps. Online tools available for Vulnerability Reports
For all gaps determine recommendations with associated effort (don’t overlook “gotcha’s” such as logging track data on a Point of Sales system). (Online Mediation Reports)
Develop a prioritized plan to address gaps.
Execute (…but with management support).
Continue to Scan