Presentation is loading. Please wait.

Presentation is loading. Please wait.

PCI Security and Compliance CCIA Fall Meeting – 7th October 2011

Published byColeman Janes Modified over 10 years ago

Similar presentations

Presentation on theme: "PCI Security and Compliance CCIA Fall Meeting – 7th October 2011"— Presentation transcript:

1 PCI Security and Compliance CCIA Fall Meeting – 7th October 2011
John Clark COO,

2 Educational Institution – Example Achieving Compliance
AGENDA ExoIS PCI Compliance Rules Breaches Process Costs Educational Institution – Example Achieving Compliance

3 Based in Silicon Valley Operating for 10+ years Practices:
PCI Qualified Security Assessor (QSA) PeepSafe Secure Portal Information Security and Compliance Services Secure Cloud Services IT Support Services

4 PCI (Payment Card Industry)101
What are Payment Cards? Credit, Debit, and Cash Cards (prepaid) Can be Consumer and Commercial based (Corporate Cards & P-Cards) Payment Cards Structure and Relationships? Payment Card Brands Cardholders Issuers Merchants Acquirer (aka Payment Processor) Usually the Merchant’s Bank 4

5 PCI 101 (Continued) Payment Card Transaction Lifecycle 5

6 What it means to be PCI compliant
The organization must comply with the Payment Card Industry Data Security Standards (PCI-DSS) for everything that is “In Scope” Any system that (or any system that is connected to a system that) stores, processes or transmits cardholder data is considered to be “In Scope” The PCI-DSS is a GLOBAL standard that requires that organizations handling payment card data: Build and maintain a secure network Protect cardholder data Maintain a vulnerability management program Implement strong access control measures Regularly monitor and test networks Develop and maintain an information security policy

7 Payment Card Total cards in circulation in the US in 2010:
Visa: 397 million Mastercard 123 million

8 Cardholder Data and Sensitive Authentication Data Elements
Cardholder data is defined as the primary account number (“PAN,” or credit card number) and other data obtained as part of a payment transaction, including the following data elements: PAN Cardholder Name Expiration Date Service Code Sensitive Authentication Data: (1) full magnetic stripe data (2) CAV2/CVC2/CVV2/CID (3) PINs/PIN blocks) The Primary Account Number (PAN) is the defining factor in the applicability of PCI DSS requirements and PA-DSS. If PAN is not stored, processed, or transmitted, PCI DSS and PA-DSS do not apply. These data elements must be protected if stored in conjunction with the PAN These data elements must not be stored after authentication

9 Key Areas of PCI DSS: Consists of 6 Domains, 12 Core Requirements and around 250 Controls Updated annually based on incidents and comments from the PCI community members Domains Requirements I. Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters II. Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks III. Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications IV. Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data. V. Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes VI. Maintain an Information Security Policy 12. Maintain a policy that addresses information security for employees and contractors Items with * are applicable to Manual Business Processes – Faxing, ing, writing on paper, etc..

10 What “Merchant Tier / Level” Are You?
Visa MasterCard JCB AMEX Discover 1 Over 6 million Visa transactions annually, OR global merchants identified as Level 1 by any Visa Region Over 6 million Visa transactions combined MasterCard and Maestro annually, OR any merchant MasterCard deems to be Level 1 Over 1 million JCB International transactions annually Over 2.5 million AMEX transactions annually, OR any merchant AMEX deems to be Level 1 Over 6 million Visa transactions on the Discover network annually, OR any merchant Discover deems to be Level 1 2 1 million to 6 million Visa transactions annually 1 million to 6 million combined MasterCard and Maestro transactions annually Less than 1 million JCB International transactions annually 50,000 to 2.5 million AMEX transactions annually, OR any merchant AMEX deems to be Level 2 1 million to 6 million Visa transactions on the Discover network annually 3 20,000 to 1 million Visa ecommerce transactions annually 20,000 to 1 million MasterCard and Maestro ecommerce transactions annually Less than 50,000 AMEX transactions annually 20,000 to 1 million card not present (ecommerce) on the Discover network annually 4 Less than 20,000 Visa ecommerce transactions annually / up to 1 million visa transactions annually All other MasterCard merchants All other Discover network merchants Note: Any merchant suffering from a Data Breach is automatically escalated to a Level 1 Merchant Status, which means annual on site PCI QSA assessments until further notice. Also: if you are deemed Level 1 from any Payment Brand you will be Level 1 across the board All Levels: Quarterly network scan by ASV except for Visa Level 4 & Amex Level 3 (recommended)

11 Payment Card Industry - PCI
If you store, process or transmit cardholder data you are contractually required to adhere to the PCI Data Security Standards (PCI-DSS). 85 percent of data breaches occur at Level 4 merchants Any data breach results in escalation to Level 1 merchant (annual, on-site PCI QSA assessments until further notice) The fines and compensation imposed from the Payment Brands – coupled with State and Federal fines – can be substantial.

12 US Contractual Basis vs Regulatory Basis
Non Compliance to PCI can lead to ramifications at two levels: Contractual & Regulatory Contractual: PCI is a contractual obligation and therefore legally binding Fines and increased commission levels Non compliance / data breaches can cause card processing to be revoked Law suits will result from data breaches Brands will elevate any company with a breach to Tier 1 Merchant status for PCI-DSS purposes Regulatory: Incidents involving Payments Cards can trigger Privacy Laws - Data Breach Notification – currently required in over 45 states Within the USA – if the data breach spans multiple states, it becomes a Federal issue Contractual effectively covers all aspects of breaches – common breaches that would have been prevented by following PCI-DSS have included: Improper disposal – can range from disposing of credit card data / receipts in landfills, e.g. Radio Shack - to disposal of disc drives on eBay, Refurbished servers sold on secondary market, etc. The majority of data acquired from stolen lap tops typically results from non-encrypted data being stored together with poor / non existent password controls. Malicious hacking / introduction of Malware could have been detected by basic log reviews and up to date AV programs. And the list can go on. The ability to accept payment card transactions can be revoked until the issue has been resolved and remediation is verified – this can take several months – resulting lost revenue can be significant / can be a business killer if your main income is from payment cards The next 2 slides provide an example of how fines can mount up from States / Feds / Brand Names

13 Largest Credit Card Breach Results in over $110 Million in Fines
Heartland Payment Systems (one of the largest payment processors in U.S.) has paid over $110 million in fines and $26 million in legal costs due to a security breach where hackers stole data from over 130 million credit and debit cards.  “The Highest Standards – The Most Trusted Transactions” Financial institutions and payment processors usually get high press time for data breaches, but this one was legendary! 2008, 2009? 13

14 Largest Data Breach in Retail Over $75M in fines / settlements
Mag-stripe data involving 65 million Visa cards were exposed, resulting in a $500,000 fine “due to the seriousness of this security incident and the impact on the Visa system.” A separate $380,000 fine was imposed for “TJX’s failure to cease storing prohibited data.” TJX struck a $40.9 million settlement with Visa to compensate Visa card issuers for breach-related costs. Data from 29 million MasterCard cards exposed. TJX settled with MasterCard for $24 million. TJ Maxx stores settled charges with 41 states and agreed to pay $9.75 million to the states and to implement and maintain a comprehensive information security program, designed to safeguard consumer data and address any weaknesses in TJX's systems in place at the time of the breach. The “root cause” of the breach was traced back to transferring non encrypted data over a wireless link between buildings within the corporation. The data was intercepted more as an “opportunistic crime” as opposed to an organized crime event. Essentially this was a very simple breach that could have easily been prevented by following PCI-DSS Controls 2005, 2006, 2007?

15 Data Breaches – Business Impact
Data Breach  Your organization will become a Level 1 Merchant Tangible Costs: The cost of a data breach for a Level 4 merchant averages $36,000 and can be as high as $50,000 (or more). In other words, more than enough to cripple—or even destroy—a small business $3 to $10 per card for replacement costs $5,000 to $50,000 (or more) in compliance fines Loss of revenue from suspension of credit card transactions / blacklisting Additional fines based on the actual fraudulent use of the cards, which will vary depending on the number of cards exposed Average cost per data item lost = $243 (2009 Ponemon Institute) Intangible Costs: Deployment of mitigation and root cause fixes Lost revenue due to negative impact to brand / market share Ongoing impact from press coverage on data breaches Average total per-incident costs in 2008 were $6.6 million, compared to an average per-incident cost of $6.3 million in 2007 The average cost per customer record increased to $204 compared with $197 per record last year – Ponemon Institute Breaches by third-party organizations were reported by 44 percent of respondents, up from 40 percent in Breaches by third parties were also more costly than breaches by the enterprise itself, averaging $231 compared to $179 per record

16 At 26th September 2011 ….. Running Total of Records Breached = 535,697,538 from 2,702 Data Breaches made public since 2005 Note: US figures only

17 Latest Trends in Data Breaches
Lost / stolen laptops with data (includes drives / CDs / back-ups, etc.) Vendor / service provider was breached Break-ins / theft of assets – computers / hard copy records External Hacks / Malware into company assets Logical access / user privileges Improper disposal of assets / paper records

18 Typical Security and Compliance Activities
Certification Health Check or Audit Remediation Projects Annual Assessment Gap Analysis Vulnerability Scanning Remediation report Penetration Testing

19 Non-technical analogy
You have one leg shorter than the other Remediation Projects Health Check or Audit Add 3” to your left leg or take 3” off your right leg Gap Analysis Buying and fitting the built-up shoe Get a built-up left $400 or surgery on your right $9,500 Remediation report

20 A Typical Educational Institution
(Several Campuses and many separate departments accepting payment cards) Most likely set of findings: Need policies, procedures and awareness program Multiple collection points ( , fax, phone) Extensive paper trails with no business justification Unknown cardholder data in ‘out of scope’ systems Unsolicited, pervasive with cardholder data No vendor management Third party e-Commerce sites used to enter cardholder data from corporate network

21 Understanding PCI Scope
Consider how many systems can be involved when you Take cardholder data over the phone? Receive cardholder data by fax? Receive cardholder data in ? Store, process or transmit cardholder data? Ask yourself if there is any way to cost effectively reduce or remove any or all of these applications, systems and processes from PCI scope? Soliciting cardholder data over unsecured messaging systems is actually PROHIBITED.

22 Security Policies & Administration
Full Policies and Standards Lifecycle Management Recurring operational security tasks Usage policies for critical employee-facing technologies ( , fax, voice, hard copy) Define roles & responsibilities Assign ownership Employee screening Incident Response Program Annual Risk Assessments etc The more the environment is de-scoped or outsourced the bigger the reduction in overhead! 22

23 Security Awareness Programs
A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees need to be aware of the sensitivity of data and their responsibilities for protecting it (training program with records). For the purposes of this requirement, “employees” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the company’s site. Induction, training and campaigns must be ongoing. Most effective method is CBT (Computer Based Training) 23

24 Discovery and Removal of Cardholder Data
Payment card numbers are most often found in the following locations: Payment server log files Staff documents (Spreadsheets, Word documents) data files (Inbox and Sent Items) Application Databases (Flat files, Text Files) Browser History and File Cache Tools exist for identifying payment card information across the computer systems of an entire organization Tools produce a report of this status for use in any security compliance audit Prevent re-contamination (Gateway Filter) 24

25 Vendor Management Develop controls / policies and procedures for reviewing / approving / audit / de-selection of Vendors / Suppliers that are involved in capturing / storing / transmitting / disposal of CHD Maintain records of annual PCI compliance / certifications for each vendor. Ensure that contractual requirements / purchasing terms and conditions flow down to the suppliers / vendors and reflect the appropriate requirements of PCI-DSS Maintain a centrally controlled list of Approved Vendors for PCI-DSS that is available to all departments with FHDA

26 Vendor Security Management Tool

27 There is an alternative ……………
Corporate Compliance? Getting the organization’s In Scope systems and processes into compliance can be a massive undertaking The compliance projects usually are: Very large (hundreds of man years of effort) Time consuming (multiple years in duration) Resource intensive (require headcount & specific skill sets) Expensive ($$$) and always are: Continuous (never ending) There is an alternative ……………

28 PCI Compliance Without the Expense of a New IT Infrastructure
PCI Compliant SaaS solutions allowing organizations to de-scope entire functions and network segments with minimal cost and time without requirement to change internal systems or business processes. 28

29 PeepSafeTM PeepSafeTM is hosted by a fully managed, level 1 PCI DSS compliant hosting provider. Managed controls include: Firewalls and Intrusion Detection Annual Penetration Testing Anti-virus and Patch Management Centralized Logging and Monitoring Physical Security Quarterly Scans (internal and external) SSL Certification File Integrity Monitoring (Note: These are ALL controls that would need to be implemented within your corporate environment if you did not use PeepSafeTM) 29

30 From At Risk to Out of Scope
PeepSafeTM is a fully managed, secure portal environment. Using PeepSafeTM to manage internal systems (networks, , applications and databases) allows PCI involved systems and functions to move from “at risk” to “out of scope”. PeepSafeTM also offers options to move employees’ desktops out of scope, and even, to move “employees” out of scope PeepSafeTM can de-scope entire functions and network segments Exposed Phone Fax Store Process Transmit Secure Phone Fax Process Transmit 30

31 Case Study 1 - Order Entry Without PeepSafeTM
Process Browser Payment Gateway Site PCI Scope Agent connects to payment gateway to manually enter and process payment information. 31

32 Case Study 1 - Order Entry With PeepSafe™
PeepSafeTM Browser Payment Gateway Site PCI Compliant SSLVPN Optional features: Disabling of print screen Cut and paste disabled between portal and desktop End point security Virtual keyboard in the PeepSafeTM portal or manual entry of payment information into the telephone keypad de-scopes the desktop 32

33 Case Study 2 - Receive and Process Orders Without PeepSafeTM
Phone Fax Store Process Transmit Case Study 2 - Receive and Process Orders Without PeepSafeTM Browser Payment Gateway Site Fax PCI Scope Agent receives payment data from customers using corporate systems such as , fax and stores in local file repositories . They connect to payment gateway from corporate network. 33

34 Case Study 2 - Receive and Process Orders With PeepSafeTM
Browser Payment Gateway Site Fax PCI Compliant SSLVPN SSLVPN 34

35 In-Bound Gateway Filter
PeepSafe Browser Remote Desktop Session Filter Quarantine PCI Scope Mail Messaging A Filter monitors traffic and redirects payment data to an encrypted Quarantine within the Portal, thereby ensuring that the corporate environment does not get brought back into scope. 35

36 In-Bound Gateway Filter: On-Premise
PeepSafe Browser Remote Desktop Session Mail Filter Quarantine PCI Scope Mail Messaging A Filter monitors traffic and redirects payment data to an encrypted Quarantine within the Portal, thereby ensuring that the corporate environment does not get brought back into scope. 36

37 PeepSafeTM PeepSafeTM internal systems are tested for compliance and validated according to specific customer needs Minimal impact to existing systems  Minimal changes to existing processes Support for multiple existing environments Payment gateway agnostic Implementation in days (not months/years) Optional enhancements to take desktops and even agents out of scope, including endpoint controls Optional training and awareness, SAQ completion and policies and standards. 37

38 MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento
Password discovered in recent audit: MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento 38

39 PCI Security and Compliance CCIA Fall Meeting – 7th October 2011
SUMMARY CCIA Fall Meeting – 7th October 2011 Evaluate your own PCI situation De-scope as much as possible Remove historical prohibited data Protect your environment (Gateway Filter) Do it now, do it quickly and keep doing it! Thank You! 39

40 Back-up 40

41 PCI-DSS Periodic - At Least Daily / Weekly
10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). Note: Log harvesting, parsing, and alerting tools may be used Weekly 11.5 Verify the use of file-integrity monitoring products within the cardholder data environment by observing system settings and monitored files, as well as reviewing results from monitoring activities Examples of files that should be monitored: System executables Application executables Configuration and parameter files Centrally stored, historical or archived, log and audit files

42 PCI-DSS Periodic - At Least Quarterly
3.1 Verify that policies and procedures include a programmatic (automatic) process to remove, at least on a quarterly basis, stored cardholder data that exceeds business retention requirements, or, alternatively, requirements for a review, conducted at least on a quarterly basis, to verify that stored cardholder data does not exceed business retention requirements 8.5.5 Remove/disable inactive user accounts at least every 90 days 8.5.9 Change user passwords at least every 90 days 11.1 Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by Payment Card Industry Security Standards Council (PCI SSC). Scans conducted after network changes may be performed by the company’s internal staff.

43 PCI-DSS Periodic - At Least Six Monthly / Annually
1.1.6a Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months 1.1.6b Obtain and examine documentation to verify that the rule sets are reviewed at least every six months At Least Annually 3.6.4 Verify that key-management procedures are implemented to require periodic key changes at least annually 6.6 Review public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes 9.5 Verify that the storage location is reviewed at least annually to determine that back-up media storage is secure 9.5.b Verify that the storage location security is reviewed at least annually. 9.9.1 Properly maintain inventory logs of all media and conduct media inventories at least annually 11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following: Network-layer penetration tests Application-layer penetration tests Verify that the information security policy includes an annual risk assessment process that identifies threats, vulnerabilities, and results in a formal risk assessment Verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment 12.1.6b Verify that employees attend awareness training upon hire and at least annually Verify that the security awareness program requires employees to acknowledge (for example, in writing or electronically) at least annually that they have read and understand the company’s information security policy Maintain a program to monitor service providers’ PCI DSS compliance status at least annually. Test the incident response plan to be implemented in the event of system breach at least annually

44 PCI DSS – Store / Record 9.1.1 Use video cameras or other access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law 9.4.a Verify that a visitor log is in use to record physical access to the facility as well as for computer rooms and data centers where cardholder data is stored or transmitted. 9.4.b Verify that the log contains the visitor’s name, the firm represented, and the employee authorizing physical access, and is retained for at least three months. 9.5 Store media back-ups in a secure location, preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility 10.3 Record at least the following audit trail entries for all system components for each event User identification Type of event Date and time Success or failure indication Origination of event Identity or name of affected data, system component, or resource 10.7.b Verify that audit logs are available for at least one year and processes are in place to restore at least the last three months’ logs for immediate analysis

45 PCI-DSS Sections 1 – 3 - Do Not…
Allow direct public access between the Internet and any system component in the cardholder data environment Allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment Allow internal addresses to pass from the Internet into the DMZ Allow outbound traffic from the cardholder data environment to the Internet Use vendor-supplied default passwords include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts Store sensitive authentication data after authorization (even if encrypted) Store the full contents of any track from the magnetic stripe full track, track, track 1, track 2, and magnetic-stripe data Store the card-verification code or value (CVV2) Store the personal identification number (PIN) or the encrypted PIN block Display full PAN - except for those with a legitimate business need to see full PAN

46 PCI-DSS Sections 4 – 8 - Do Not…
Send unencrypted PANs by end-user messaging technologies (for example, , instant messaging, chat) Allow production data (live PANs) to be used for testing or development Allow users access to system components or cardholder data before allocating them a unique ID Audit trail – log data Use group, shared, or generic accounts and passwords Allow an individual to submit a new password that is the same as any of the last four passwords he or she has used

47 PCI-DSS Sections 9 – 12 - Do Not…
Allow general physical access to publicly accessible network jacks or wireless access points, gateways, and handheld devices Store media containing cardholder data when it is no longer needed for business or legal reasons Dispose of electronic media where cardholder data can be reconstructed Utilize a secure wipe program in accordance with industry-accepted standards for secure deletion, such as degaussing, or physically destroy the media Dispose of hard copy records containing CHD / sensitive authentication data in an unsafe manner (landfill / trash, etc.)

48 Breaches in Education

49 A stolen storage device contained the credit information of 147 parents and freshmen. The device was stolen from a secure room on November 8. Phone numbers, credit card numbers and credit card expiration dates for participants in the Dartmouth Outdoor Club First Year Program were on the device. Possible Mitigation Steps: Business need for data storage Storing of non encrypted data Physical security Monitoring of access to secure areas Type of Incident: Portable device

50 OSU has had several data breaches in the past.
Ohio State revealed a data breach Wednesday that has jeopardized the identities of 760,000 people and could cost the university $4 million in fees for investigating the root cause of the breach (this does not include any provisions for possible law suits / fines) The university notified current and former faculty, students, applicants and others affiliated with the university that hackers had accessed the server that stored their names, Social Security numbers, dates of birth and addresses – it does not appear that any financial / credit card information was breached. OSU has had several data breaches in the past. Possible Mitigation Steps: AV programs up to date Storing of non encrypted data Track and monitor access – logs / IDS Password access for mobile devices Type of Incident: Hacking or Malware

51 The HISD may have experienced a hacking incident over the weekend of October 24.
Employees and students were unable to access the Internet, online classes and until late Tuesday afternoon. Payroll information of workers and academic information of students may have been compromised along with other personal information. Up to 30,000 employees may have been affected with the total number including students as high as 232,000. Possible Mitigation Steps: AV programs up to date Storing of non encrypted data Track and monitor access – logs / IDS Password access for mobile devices Type of Incident: Hacking or Malware

52 Type of Incident: Unintended disclosure
Unencrypted files that were placed on the faculty web server exposed student information. Student names, Social Security numbers, birth dates, addresses and academic information were placed on the server in December of Students who attended UHWO in Fall of 1994 or graduated between 1988 and 1993 were affected. A much larger number of students who attended the University of Hawai'i Mānoa between 1990 and 1998 were also affected. The files were removed on October 18 after a privacy group notified the University. The server was quickly removed from the network. The faculty member who accidentally placed the file on the server retired before the breach was discovered. Around 259,000 private records have been exposed by the University of Hawai'i since 2005. Possible Mitigation Steps: Separation of Test and Production data Network Segmentation Asset Management Type of Incident: Unintended disclosure

53 Type of Incident: Hacking or Malware
An unnamed third-party vendor that hosted the organization's jflac.org website experienced a security incident. Customers who made purchases related to Japanese Language Proficiency Testing for 2009 and 2010 may have had their names, dates of birth and credit card information accessed. The servers containing customer data were shut down and taken offline after the incident was discovered. The incident occurred on or around September 18, 2010 and the organization aimed to notify all affected customers by October 25. Possible Mitigation Steps: AV programs up to date Storing of non encrypted data Track and monitor access – logs / IDS Password access for mobile devices Type of Incident: Hacking or Malware Vendor Management

54 The University of Oklahoma is warning students about a security breach that may put their personal information at risk."  A laptop was found to be infected with a Trojan that could have led to the disclosure of sensitive information Possible Mitigation Steps: AV programs up to date Storing of non encrypted data Track and monitor access – logs / IDS Password access for mobile devices Type of Incident: Hacking or Malware

55 Type of Incident: Unintended disclosure
It appears that anyone with a Tech computer account could have accessed more than 3,000 Social Security numbers over the past four or five years. Copies of an accounting file were mistakenly stored in two public locations on the TCC server. Many data breaches occur where data is stored on an asset that was not known to be accessible to other parties – Can be addressed as part of “Discovery” and “Configuration Management” / “Continuous Compliance” activities Possible Mitigation Steps: Separation of Test and Production data Network Segmentation Asset Management Type of Incident: Unintended disclosure

56 The University of Hawai‘i at Manoa today began notifying approximately 53,000 individuals listed in a system database, housed on a computer server used by the Parking Office, that a recent security breach may have exposed personal information—including approximately 40,870 Social Security numbers and 200 credit card numbers Possible Mitigation Steps: AV programs up to date Storing of non encrypted data Network segregation Firewall Type of Incident: Hacking or Malware

57 Stolen laptop contains names and Social Security numbers of unspecified number of graduates
Possible Mitigation Steps: Business need for data on laptop Storing of non encrypted data Network segregation Type of Incident: Portable device

58 Type of Incident: Unintended disclosure
Names, Social Security numbers, and dates of birth for 245 available on file server Type of Incident: Unintended disclosure Possible Mitigation Steps: Separation of Test and Production data

59 Possible Mitigation Steps:
The University of Florida last week revealed that it has notified more than 333,000 people about the potential compromise of their personal data following a system intrusion at its dental school. It's an incident that is likely to further reinforce the reputation college networks and systems have of being notoriously insecure environments. The compromised data included the names, dates of birth, Social Security numbers, and addresses of current and former College of Dentistry patients dating back to 1990, as well as information about dental procedures in some cases, the university said in a statement. The data had been stored unencrypted in a database on the breached server, it added. In addition to the 330,000 people who were notified, another 8,000 individuals whose current mailing addresses couldn't be found were affected by the intrusion, according to the statement. Possible Mitigation Steps: AV programs up to date Storing of non encrypted data Network segregation Firewall Type of Incident: Hacking or Malware

60 MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento
Password discovered in recent audit: MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento “Hello! It has to be at least 8 characters long and include at least one capital.” “Why so long?” 60

Download ppt "PCI Security and Compliance CCIA Fall Meeting – 7th October 2011"

Similar presentations

Symantec 2010 Windows 7 Migration EMEA Results. Methodology Applied Research performed survey 1,360 enterprises worldwide SMBs and enterprises Cross-industry.

Symantec 2010 Windows 7 Migration EMEA Results. Methodology Applied Research performed survey 1,360 enterprises worldwide SMBs and enterprises Cross-industry.
Symantec 2010 Windows 7 Migration Global Results.

Symantec 2010 Windows 7 Migration Global Results.
© Tally Solutions Pvt. Ltd. All Rights Reserved Shoper 9 License Management December 09.

© Tally Solutions Pvt. Ltd. All Rights Reserved Shoper 9 License Management December 09.
Understanding the benefits and the risks. Presented by Corey Nachreiner, CISSP BYOD - Bring Your Own Device or Bring Your Own Danger?

Understanding the benefits and the risks. Presented by Corey Nachreiner, CISSP BYOD - Bring Your Own Device or Bring Your Own Danger?
Welcome. © 2008 ADP, Inc. 2 Overview A Look at the Web Site Question and Answer Session Agenda.

Welcome. © 2008 ADP, Inc. 2 Overview A Look at the Web Site Question and Answer Session Agenda.
Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.

Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.

.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
The Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS)
Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.
Protecting Credit Card Information

Protecting Credit Card Information
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
ACT User Meeting June 2011. Your entitlements window Entitlements, roles and v1 security overview Problems with v1 security Tasks, jobs and v2 security.

ACT User Meeting June Your entitlements window Entitlements, roles and v1 security overview Problems with v1 security Tasks, jobs and v2 security.
User Friendly Price Book Maintenance A Family of Enhancements For iSeries 400 DMAS from Copyright I/O International, 2006, 2007, 2008, 2010 Skip Intro.

User Friendly Price Book Maintenance A Family of Enhancements For iSeries 400 DMAS from Copyright I/O International, 2006, 2007, 2008, 2010 Skip Intro.
MARTAs Road to PCI Compliance 1 Presenter: Yolanda Curtis, PMP AFC Project Manager.

MARTAs Road to PCI Compliance 1 Presenter: Yolanda Curtis, PMP AFC Project Manager.
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
 Copyright I/O International, 2013 Visit us at: www.iointernationalonline.com A Feature Within from Item Class User Friendly Maintenance  Copyright.

 Copyright I/O International, 2013 Visit us at: A Feature Within from Item Class User Friendly Maintenance  Copyright.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
GEtServices Services Training For Suppliers Requests/Proposals.

GEtServices Services Training For Suppliers Requests/Proposals.

Similar presentations

Ads by Google