PCI DSS vs HD Moore’s Law Chris Todd Unisys Canada Inc.


1 PCI DSS vs HD Moore’s Law
Chris Todd, Unisys Canada Inc.

2 Who is Chris Todd?
Security Consultant with Unisys Canada Inc
–10+ years experience in networking and security
–GIAC Certified Firewall Analyst (GCFW), Incident Handler (GCIH), and Penetration Tester (GPEN)
–Maintains a PCI DSS compliant environment
–Provides security audit, vulnerability assessment and penetration testing services internally and externally
SANS Mentor
–Taught SEC504: Hacker Techniques, Exploits & Incident Handling
–Teaching SEC464: Hacker Detection for Systems Administrators, Nov 24/25 in Halifax
© 2011 Unisys Corporation. All rights reserved. Page 2

3 Where did PCI come from?
The PCI Security Standards Council:
–An open global forum, launched in 2006: www.pcisecuritystandards.org
–Responsible for the development, management, education, and awareness of the PCI Security Standards
–Founded by five global payment brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, Visa Inc.
–Each brand incorporates the PCI DSS as the technical requirements of its own data security compliance program

4 What is PCI?
PCI Security Standards include:
–Payment Application Data Security Standard (PA-DSS): software vendors
–PIN Transaction Security (PTS): device vendors and manufacturers
–Point-to-Point Encryption (P2PE): solution providers
–Data Security Standard (PCI DSS): anyone who stores, processes or transmits cardholder data, specifically the Primary Account Number (PAN)
Overall intent is to prevent the theft of electronic or paper cardholder data

5 PCI DSS Requirements
Build and Maintain a Secure Network
–Requirement 1: Install and maintain a firewall configuration to protect cardholder data
–Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
–Requirement 3: Protect stored cardholder data
–Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
–Requirement 5: Use and regularly update anti-virus software or programs
–Requirement 6: Develop and maintain secure systems and applications

6 PCI DSS Requirements (cont)
Implement Strong Access Control Measures
–Requirement 7: Restrict access to cardholder data by business need-to-know
–Requirement 8: Assign a unique ID to each person with computer access
–Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
–Requirement 10: Track and monitor all access to network resources and cardholder data
–Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
–Requirement 12: Maintain a policy that addresses information security for all personnel

7 PCI DSS Requirements (cont… again!)
Total number of sub-requirements: 220+

8 PCI Compliance – Why do I care?
Potential penalties for non-compliance:
–Hefty fines
–Refused merchant accounts
–Accountability for breach

9 Concerns about PCI DSS
It’s too specific
It’s too vague
Doesn’t address new technologies
–e.g. virtualization
Sucks the air out of the room
–Disproportionate budget assigned to PCI compliance
–Excessive time spent interpreting the requirements
First step in getting there is to limit the scope
–Therein lies one of the problems

10 More concerns about PCI DSS
Why comply? PCI Council says compliance has indirect benefits as well:
–Through your efforts to comply with PCI Security Standards, you’ll likely be better prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc.
  OK
–You will likely identify ways to improve the efficiency of your IT infrastructure
  Possibly
–You’ll have a basis for a corporate security strategy
  Not so sure about this one
–Compliance with the PCI DSS means that your systems are secure
  What?? That’s a bold statement...

11 Whose Law?
May have heard of Moore’s Law:
–Gordon Moore was co-founder of Intel
–States the number of transistors on a chip will double approximately every two years
Who is HD Moore?
–And why does he have a “law”???

12 Who is HD Moore?
One of the best known names in information security
–Particularly the offensive side
Founded the Metasploit Project in 2003
–Open-source penetration testing platform
Metasploit acquired by Rapid7 in 2009
–Became CSO at Rapid7 and…
–Still chief architect of Metasploit
Rapid7 offers commercial versions of Metasploit
–But Metasploit Framework is still free
–And as of Oct 18, 2011 so is Metasploit Community Edition!

13 Introducing Joshua Corman
Director of Security Intelligence, Akamai Technologies
–Former Research Director, Enterprise Security, The 451 Group
–Former Principal Security Strategist, IBM ISS
Industry experience:
–Expert Faculty: The Institute for Applied Network Security (IANS)
–2009 NetworkWorld Top 10 Tech People to Know: http://www.networkworld.com/supp/2009/outlook/010509-tech-people-to-know.html
–Co-Founder of “Rugged Software”: www.ruggedsoftware.org
Recently coined “HD Moore’s Law”

14 Attacker Drop-Off: Casual Attacker
[Figure provided courtesy of Joshua Corman]

15 HD Moore’s Law
[Figure: HD Moore’s Law, provided courtesy of Joshua Corman]

16 Attacker Drop-Off: QSA
[Figure provided courtesy of Joshua Corman]

17 Attacker Drop-Off: APT/APA
[Figure provided courtesy of Joshua Corman]

18 Attacker Drop-Off: Chaotic Actors
[Figure provided courtesy of Joshua Corman]

19 Welcome to Metasploit

20 Metasploit’s Sweet ASCII Art

21 And some more...

22 Last one

23 Build and set the trap

24 User interaction
Hmm. Double-click and it does nothing... or does it...

25 Meanwhile, back in Metasploit...

26 Finding a better place to live...

27 And movin’ on in!
Now living in the Symantec User Session process
–tasklist doesn’t show the malicious DLL
–netstat doesn’t show network sessions
–No way to tell it’s running on your system
PWNED!

28 How does PCI DSS stack up?
AntiVirus?
–Yes, it was actually enabled
Firewall?
–Do you allow port 443 to the internet?
IPS?
–Can’t check encrypted traffic
Web proxy?
–Does privacy policy allow decryption of outbound SSL?
“Attention users: If you happen to forget your online banking password, please contact the network group. They will gladly provide it to you.”
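Added example, not part of the presentation: the demo slides note that once the payload has moved into a legitimate process, tasklist and netstat show nothing unusual, and the slide above adds that a firewall permitting outbound 443 and an IPS that cannot inspect encrypted traffic give no further visibility. What the defender still owns is the mapping from each outbound connection to the executable that owns it. The PowerShell below (my code; it assumes Get-NetTCPConnection is available, i.e. Windows 8 / Server 2012 or later, and the allowlist of browser paths is a constructed placeholder to be replaced with the environment's build standard) samples outbound TCP/443 connections repeatedly, attributes each to its owning process, and reports executables that are not expected web clients. Two caveats follow from the slides themselves: injected code shows up as the host process (here the security vendor's own user-session binary), not as a DLL, so the check is about which binaries talk out rather than about finding the DLL; and a beacon may hold a connection only briefly, so one snapshot can miss it, which is why the script samples repeatedly and counts hits.

```powershell
# Added example (not from the presentation): attribute outbound TCP/443
# connections to the executable that owns them and flag anything that is
# not an expected web client. Assumes Get-NetTCPConnection is available
# (Windows 8 / Server 2012 or later). Run from an elevated PowerShell so
# that the paths of other users' processes are readable.

param(
    [int]$Samples  = 30,   # number of snapshots to take
    [int]$Interval = 10,   # seconds between snapshots
    [int]$Port     = 443   # destination port the firewall lets out
)

# Constructed allowlist of executables expected to reach the internet on 443.
# Replace with the paths from the environment's own build standard.
$Allowed = @(
    'C:\Program Files\Internet Explorer\iexplore.exe',
    'C:\Program Files (x86)\Internet Explorer\iexplore.exe',
    'C:\Program Files\Mozilla Firefox\firefox.exe'
)

# Loopback and RFC 1918 destinations are not "the internet"; skip them.
function Test-PrivateAddress {
    param([string]$Ip)
    return ($Ip -match '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)')
}

$Seen = @{}   # key "<pid>|<path>|<remote>" -> record with first/last seen and hit count

for ($i = 0; $i -lt $Samples; $i++) {
    $conns = Get-NetTCPConnection -RemotePort $Port -ErrorAction SilentlyContinue |
             Where-Object { $_.State -ne 'Listen' -and -not (Test-PrivateAddress $_.RemoteAddress) }

    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $path = if ($proc -and $proc.Path) { $proc.Path } else { '<unreadable>' }
        $key  = '{0}|{1}|{2}:{3}' -f $c.OwningProcess, $path, $c.RemoteAddress, $c.RemotePort

        if (-not $Seen.ContainsKey($key)) {
            $Seen[$key] = [pscustomobject]@{
                PID       = $c.OwningProcess
                Process   = if ($proc) { $proc.ProcessName } else { '?' }
                Path      = $path
                Remote    = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
                FirstSeen = Get-Date
                LastSeen  = Get-Date
                Hits      = 0
                Allowed   = ($Allowed -contains $path)   # case-insensitive by default
            }
        }
        $Seen[$key].LastSeen = Get-Date
        $Seen[$key].Hits++
    }
    Start-Sleep -Seconds $Interval
}

# Report everything not on the allowlist, most frequently seen first.
# Short-lived but recurring connections from one process to one remote
# address are the pattern a periodic check-in leaves behind.
$Seen.Values |
    Where-Object { -not $_.Allowed } |
    Sort-Object Hits -Descending |
    Format-Table PID, Process, Path, Remote, Hits, FirstSeen, LastSeen -AutoSize
```

Run it as a script (for example, `.\Watch-Outbound443.ps1 -Samples 60 -Interval 5`) on the workstation under suspicion; the default five minutes of sampling is a starting point, and a longer window catches slower check-in intervals. A process that appears in the report once may just be an updater, but the same non-browser binary hitting the same external address on every sample is worth a closer look, which is exactly the case the slides describe when the host-based tools look clean.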

29 A little about scoping
Workstations likely not in scope
–And less secured because focus is on PCI compliance
But that’s ok because two-factor authentication is required, right?
–Where is the certificate?
–What version of SecurID?

30 Compliance Architecture

31 What does it all mean?
PCI DSS is a useless piece of trash?
–No!
–Will certainly help those doing nothing
Use it wisely
–Get the security budget you need
–Spend smart
–Implement flexibly
Don’t be afraid of the compensating control
–Challenge may be to find a QSA who feels the same
–Don’t let it distract you from securing your intellectual property

32 More from Joshua Corman
Unconventional Strategies For Unconventional Adversaries
–Discusses HD Moore’s Law and Visible Ops
–https://community.rapid7.com/docs/DOC-1520
RSA Pecha Kucha speed talk “Why Zombies Love PCI”
–http://www.youtube.com/watch?v=JQEBYxp_vKs&list=FLGpGqR0fqnX-9UBB0GTPSiA&index=25&feature=plpp
NetSecPodcast scheduled this week with HD Moore
–http://netsecpodcast.com
Blog post coming soon with more on HD Moore’s Law
–Not sure where this will be posted yet
–Contact me at chris.todd@unisys.com or @imchristodd

33 PCI Hug-it-Out
Find it at http://netsecpodcast.com/?s=PCI+hug+it+out
3-part series featuring:
–Michael Dahn: works with Visa and MC developing the PCI DSS and PA-DSS standards; has trained thousands of PCI Qualified Security Assessors (QSAs)
–Joshua Corman: we’ve already met him; questions whether compliance actually weakens security
–Face-to-face: they’re actually not that far apart...

34 Conclusion
Chris Todd
chris.todd@unisys.com
902-421-2460
@imchristodd
SANS Security 464: Hacker Detection for Systems Administrators
http://www.sans.org/mentor/details.php?nid=26319
Nov 24-25 in Halifax
