iScan Online - PCI DSS Mobile Task Force
Transcript of iScan Online - PCI DSS Mobile Task Force
iScan Online presentation for: PCI DSS Mobile Task Force, April 18, 2013
Our Backgrounds
Host Scanning, Binary Scanners, Mobile Scanning, Network Scanners, Browser Plugin Scanning
[Timeline: 1997, 1998, 2012, 2012, 2013]
The world has changed... Security and Compliance should lead and not follow.
Remember these Networks?
Good Old Days: XP Desktops with a Static IP
Easy to secure. Only worry - sticky notes w/ passwords and customer credit card data
• Mobile is moving faster than the speed of light
• Threats, attacks and mobile data breaches are here
• Security and Compliance regulations are for yesterday's network
• Government 2013 battling standards:
USGCB audit benchmarks:
1. IE 7
2. IE 8
3. Windows XP
4. Windows XP Firewall
5. Windows Vista
6. Windows Vista Firewall
7. Windows 7
8. Windows 7 Firewall
9. Red Hat Linux 5
Wake Up Time
Corporate America PCI Response: damn this is expensive
Protecting Card Data
Today's Response to PCI: Encrypt. Segment. Reduce Scope.
Scan Audit Zone Only. Gets there how?
• Don’t write your passwords on sticky notes
• Don’t write, text, email or store cardholder data
Compliance 101
What do we tell employees? The employee responds:
• ?
• ?
Think users adhere to 101? Think again.
Employees are Mobile: Mobile Cybercrime War has Begun
Devices are on 24/7: Assessment approach has to change
Employees on the go: Don't care about security nor compliance. They sell and take down orders!!
2013 - Today’s Network
In Case you missed the Tweet: Insecure Smart Mobile Devices = Secure & Compliant PC fatality
[Chart: US 90 Day PC Shipment, 2012 Q1 vs 2013 Q1, HP and Dell (y-axis 0-9000)]
[Chart: Android "Daily Activations", 2013 (y-axis 0-1500)]
7 billion: 2013 global population
6.3 billion: mobile device subscriptions
5% stolen (loss or theft)
0% scanned (vulnerabilities or cardholder data)
Mobile Standard Remarks
Purpose: Protect Cardholders or Transaction?
Repeat History: Mobile threats - too fast for awaiting slow Standards enforcement
Mobile Standards - Speed, Evidence, Analyze, Work flow
Step 1: Selection
Step 2: Define procedures
Step 3: Specs to be assessed
Step 4: Report & Score
Remarks Example
Mobile Scan Analysis, April 2013
Android Devices: Smartphones and Tablets - Last 500 global scans
Scan Deliver Thought Process
• PCI Provider - Assess & Service
• Acquiring Bank - Compliance proof of results by MID, Theft locate
• Vendor - develops technology, standards mapping and features
• End user - option to self assess
Standards are usually not in place until:
• Evidence is proven that procedures can be assessed
• Procedures can be analyzed to measure - risk and mitigation
Mobile Scans Performed
Android Vulnerability Scan
[Pie chart: 2%, 5%, 14%, 79%; legend: None, Low, Medium, High]
• CVSS Scores
• CVE numbers
• Procedures are familiar, just like PCs but easier
• Methodology has to change to assess mobile
Data Discovery Scan: Cardholder PAN Data
Vulnerability Scan: OS & Applications
Configuration Scan: OS & Applications
Mobile Vulnerabilities vs. History
[Chart: Android and Apple iOS vulnerabilities, 2011, 2012, Q1-2013 (y-axis 0-200)]
[Chart: Novell, Windows, Linux vulnerabilities, 1998-99 (y-axis 0-90)]
Vulnerable Attack Vector
Attack Threat Vector | Impact | Remediation
Stolen / Loss / Misplacement of Device | Data breach | Encrypt cardholder data
SMS / Browser / Email Exploit | Full device control | Patches / Configurations
Malicious App | Full device control | Configuration / ~Some Patches
Bluetooth / Tethering / NFC / Wifi | Partial data loss | Configuration / User Awareness
Carrier Network / Black List | Partial data loss | Configuration / Policy / Awareness
Mobile Configurations
Sample Configuration Results | Severity | % Failed
Device Storage Encryption Enabled | 8 | 99
Password Expired every 30 Days | 7 | 97
Require Password or PIN Check (unlock device) | 10 | 72
Device Rooted | 9 | 48
Allows Non App Market App Installation | 5 | 44
18 Configurations - All 500 failed something
8% of scans had PAN data on Android
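As an added illustration of the two scan types the slides describe (this is example code, not iScan Online's product code): the five sample configuration checks are scored with the slide's severities, and a Luhn-validated PAN finder with first-6/last-4 masking is run over a constructed SMS text. The device record field names and the sample data are assumptions for this example.

```python
import re

# Configuration checks from the slide's sample results (severity on the
# slide's 1-10 scale). Device record field names are assumed for this example.
CONFIG_CHECKS = [
    ("Device Storage Encryption Enabled", 8, lambda d: d["storage_encrypted"]),
    ("Password Expired every 30 Days", 7, lambda d: d["password_max_age_days"] <= 30),
    ("Require Password or PIN Check", 10, lambda d: d["unlock_pin_required"]),
    ("Device Rooted", 9, lambda d: not d["rooted"]),
    ("Allows Non App Market App Installation", 5, lambda d: not d["allow_unknown_sources"]),
]

def assess_configuration(device):
    """Return the failed checks and a severity-weighted risk score for one device."""
    failed = [(name, sev) for name, sev, passes in CONFIG_CHECKS if not passes(device)]
    return {"failed": [n for n, _ in failed], "risk_score": sum(s for _, s in failed)}

def luhn_ok(digits):
    """Luhn check-digit validation; cuts false positives on ordinary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text):
    """Return masked PAN candidates (first 6 / last 4) in text that pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

# Constructed sample device record and SMS text (not real scan data).
SAMPLE_DEVICE = {"storage_encrypted": False, "password_max_age_days": 90,
                 "unlock_pin_required": True, "rooted": False, "allow_unknown_sources": True}
SAMPLE_SMS = ("Order 4521 for Jane: card 4111 1111 1111 1111 exp 12/15, "
              "backup card 4111-1111-1111-1112, call 214-555-0100")

if __name__ == "__main__":
    print(assess_configuration(SAMPLE_DEVICE))
    print(find_pans(SAMPLE_SMS))
```

The second card number in the sample fails the Luhn check and the phone number is too short, so only the first card is reported, masked.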
Protect and assess the transaction with P2PE ('Point to Point Encryption')?
Cardholder data on mobile is everywhere:
NFC, Google Drive, Dropbox, SMS, Contacts
Today's Network: Always connected, Anytime, Anywhere
Corporate Office
Yesterday
Static Networks are the past; data and devices are not only at corporate.
Employees are on the go and working remote.
Remote Office
Network Today
Small Offices lack security and connect indirectly back to corporate.
Transmitting data with BYOD connections who are on/off untrusted networks
Free wifi
Network Today
Road warrior Employee: Who hasn't connected to a free wifi network.
Multiple network connections over ~untrusted Wifi / 4G
Mobile
Network Today
Mobile Devices can now be assessed for threats but not with historical network approaches
Mobile facts vs. Non-Mobile
More likely to be stolen or lost, equating to an increase in potential cardholder breaches. ~Processing w/ a financial app - Banks to get a call guaranteed.
Vulnerabilities & configurations are equally important to assess and remediate, if not more important than traditional PCs.
Are your employees storing cardholder data? Just like not writing down passwords, they are going to SMS and store it.
Mobile Audit - Fast Easy Affordable
My Suggestions
1. Baseline - Many existing procedures can be used from DSS 2.0
2. Rapid Adopt - Mobile moves fast and standards should as well
3. Influence buy-in - Individuals: Merchant, Council, Vendor, Bank, Providers
4. Automate - Utilize XML, JSON for communication and sharing
5. Continuous - Changes to ensure costs don't outweigh the threat
Questions? More Information?
iScan Online, Inc., 19111 Dallas Parkway, Suite 200, Dallas, TX 75287
Billy Austin, [email protected]