Tivoli Software
ISACA
September 2007
©2007 IBM Corporation
Addressing PCI Requirements: Protecting Cardholder Data
Marne E. Gordan
GRC Market Manager, Tivoli
Agenda
• Why Compliance ??
• PCI Drivers
• It’s A Jungle Out There
• PCI Overview & Objectives
• What’s the Solution ??
• Summing Up
• Q & A
Why Compliance ??
• At the Seattle Cancer Care Alliance
• Patient Eric Drew’s identity stolen by phlebotomist Richard Gibson
  – Gibson had access to patient record
  – Obtained Drew’s SSN, date of birth, and primary address
  – Used this information to open lines of credit
  – Ran up over $9k in debt
    • Clothing
    • Jewelry
    • X-Box
    • Porcelain figurines
http://www.msnbc.msn.com/id/10549098/
Drew Began Receiving Unsolicited Mail/Collection Notices
• Contacted major credit bureaus
  – Placed fraud warnings on legitimate credit cards
  – Begged major issuers not to issue any new cards
  – Contacted local law enforcement
• Nothing happened, until
  – Local reporter Chris Daniels at KING-5 NBC TV reported the story
  – Daniels and Drew continued the investigation
  – Forensic trail led to Gibson
• Gibson pleaded guilty
  – 16 months in jail, plus restitution
  – First documented “HIPAA conviction”
  – Convicted of unlawful use of IIHI
Great Story, But . . . .
• What Does it Have to do with PCI ???
  – When faced with a compliance “checklist”, we often
    • Become overwhelmed by tasks and deadlines
    • Focus on “minimum necessary” to pass the audit
    • Focus on “beating” fines and penalties
    • Forget what can happen when data is misused
    • Overlook “harm” to
      – Customers
      – Business Partners
      – Employees
      – Any individuals who entrust us with their data
Consumer Confidence*
1. Data security
2. Global warming
3. Terrorism
4. Job loss
5. Disease or epidemics
6. Natural disasters
* Source: Global Survey of Consumer Attitudes, Visa International, December 2006
2005: Year of the Data Breach
DOJ
Stanford Univ
Valdosta State
CardSystems
Duke Univ
Cleveland State
Merlin Data Services
Motorola
CitiFinancial
FDIC
MCI
SJ Medical
CO Dept of Health
Purdue Univ.
USC, Michigan, Southern
California State
Sonoma State University
PayMaxx
Hinsdale High
Westborough Bank
Jackson CC
LexisNexis
U CA Berkeley
Boston College
Nevada DMV
Northwestern
UNLV
Cal State Chico
U CA SF
Georgia DMV
Bank of America
University of Colorado
Cisco.com
Tufts University
Polo Ralph Lauren
CA FasTrack
CA Dept of Health
DSW Shoes
Ameritrade
Carnegie Mellon
Michigan State
CSJ Hospital
Georgia Southern
Wachovia
Oklahoma State
Time Warner
ChoicePoint
Air Force
University of North Texas
Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm
2006: The Good Times Just Keep Coming . . .
University of Medicine and Dentistry of New Jersey
Ross-Simons
Univ. of South Carolina
University of Alaska, Fairbanks
Ohio University Innovation Center
University of Texas’ McCombs School of Business
Univ. of Northern Iowa
Purdue University
Aetna -- health insurance records for employees of 2 members, including Omni Hotels and the Dept. of Defense NAF
MasterCard (Potentially UK only)
Long Island Rail Road
Ohio's Secretary of State
Dept. of Defense
Georgia State Government
Idaho Power Co.
Ohio University Hudson Health Center
Dept. of Veteran Affairs
Wells Fargo
Mercantile Potomac Bank
American Institute of Certified Public Accountants (AICPA)
Deloitte & Touche (McAfee employee information)
Medco Health Solutions
OH Secretary of State's Office
Olympic Funding (Chicago, IL)
Los Angeles Cty. Dept. of Social Services
Hamilton County Clerk of Courts
Metropolitan State College
Georgetown Univ.
Verizon Communications
iBill (Deerfield Beach, FL)
CA Dept. of Consumer Affairs
General Motors (Detroit, MI)
Buffalo Bisons and Choice One Online
Ernst & Young (UK)
Bananas.com
Fidelity Investments
CA State Employment Development Division
Vermont State Colleges
Georgia Technology Authority
Conn. Technical High School System
Progressive Casualty Insurance
DiscountDomainRegistry.com
UPMC Squirrel Hill Family Medicine
H&R Block
Atlantis Hotel - Kerzner Int'l
People's Bank
City of San Diego, Water & Sewer Dept.
Univ. Place Conference Center & Hotel
Indiana Univ.
California Army National Guard
Univ. of Notre Dame
Univ. of WA Medical Center
Providence Home Services (OR)
State of RI web site
Boston Globe
The Worcester Telegram & Gazette
BCBS of North Carolina
FedEx
Honeywell International
Dept. of Agriculture
Old Dominion Univ.
BCBS of Florida
Calif. Dept. of Corrections, Pelican Bay
Mount St. Mary's Hospital (Lewiston, NY)
Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm
2006: And Coming . . .
University of Tennessee
Nat'l Association of Securities Dealers (NASD)
Naval Safety Center
Montana Public Health and Human Services Dept.
Moraine Park Technical College
Northwestern Univ.
University of Iowa
Treasurer's computer in Circuit Court Clerk's office
Nelnet Inc.
CS Stars, subsidiary of insurance company Marsh Inc.
U.S. Dept. of Agriculture
New York City Dept. of Homeless Services
Armstrong World Industries
Georgetown University Hospital
Old Mutual Capital Inc.
Cablevision systems
U. S. Navy recruitment offices
Kaiser Permanente Northern Calif. Office
Los Angeles County, Community Development Commission (CDC)
Los Angeles County, Adult Protective Services
Western Illinois Univ
NY State Controller's Office
ING
Univ. of Kentucky
Automatic Data Processing (ADP)
CA Dept. of Health Services (CDHS)
Equifax
Univ. of Alabama
U.S. Dept. of Agriculture (USDA)
Cape Fear Valley Health System
Fed. Trade Comm. (FTC)
San Francisco State Univ.
U.S. Navy
CA Dept. of Health Services (CDHS)
Catawba County Schools
King County Records, Elections, and Licensing Services Division
Gov't Accountability Office (GAO)
AAAAA Rent-A-Space
AllState Insurance Huntsville branch
Nebraska Treasurer's Office
Minnesota Dept. of Revenue
Nat'l Institutes of Health Federal Credit Union (NIH)
American Red Cross, Farmers Branch
Bisys Group Inc.
Automated Data Processing (ADP)
Univ. of Delaware
M&T Bank
Sacred Heart Univ.
American Red Cross, St. Louis Chapter
Vystar Credit Union
Texas Guaranteed Student Loan Corp.
Florida Int'l Univ.
Miami University
Univ. of Kentucky
Buckeye Community Health Plan
Ahold USA
YMCA
Humana
Internal Revenue Service
Univ. of Texas
Univ. of Michigan Credit Union
Denver Election Commission
U.S. Dept. of Energy
Minn. State Auditor
Oregon Dept. of Revenue
U.S. Dept of Energy, Hanford Nuclear Reservation
American Insurance Group (AIG)
Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm
2007: ???
• January 2 – Deaconess Hospital – Evansville, IN
• January 4 – Unnamed medical center via recycling service – Stockton, CA
• January 5 – Dr. Baceski’s Office – Somerset, PA
• January 25 – Ohio Board of Nursing – Columbus, OH
• January 26 – Anthem Blue Cross Blue Shield – VA
• February 2 – VA Medical Center – Birmingham, AL
• February 7 – Johns Hopkins University Hospital – Baltimore, MD
• February 8 – St. Mary’s Hospital – Leonardtown, MD
• February 9 – Radford University, Waldron School of Health and Human Services – Radford, VA
• February 14 – Kaiser Medical Center – Oakland, CA
• February 19 – Seton Healthcare Network – North Austin, TX
• February 20 – Back and Joint Institute – San Antonio, TX
• Today or Tomorrow -- YOU ???
Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm
It’s A Jungle Out There . . . .
One More Threat to Consider . . . .
Bad PR . . . .
. . . . Priceless !!!!
Skipping compliance:
The short path from breach to extinction
And it gets worse
T.J. Maxx Parent Company Data Theft Is The Worst Ever
The intrusion hands the retailer the dubious honor of surpassing the 40 million stolen customer records mark, something that only CardSystems had been able to achieve.
By Larry Greenemeier, InformationWeek
March 29, 2007

TJX Co., the parent company of T.J. Maxx and other retailers, on Wednesday dropped a bombshell in its ongoing investigation of a customer data breach by announcing in a Securities and Exchange Commission filing that more than 45 million credit and debit card numbers have been stolen from its IT systems. Information contained in the filing reveals a company that had taken some measures over the past few years to protect customer data through obfuscation and encryption. But TJX didn't apply these policies uniformly across its IT systems and as a result still has no idea of the extent of the damage caused by the data breach.

As a result, TJX is a company under siege. The company recorded a fourth-quarter charge of about $5 million to cover the costs of containing and investigating the breach, as well as improving the security of its IT systems, communicating with customers, and paying legal fees. The U.S. Federal Trade Commission has launched an investigation of TJX. While the FTC wouldn't reveal the nature of the investigation or when it began, it's likely the result of the data breach. And lawsuits have begun to fly, including one by the Arkansas Carpenters Pension Fund, which owns 4,500 shares of TJX stock.

The intrusion into TJX's IT systems also hands the retailer the dubious honor of surpassing the 40 million stolen customer records mark, something that only CardSystems had been able to achieve. And it puts to shame the Veterans Affairs Department, which last year briefly lost track of more than 26 million records thanks to a stolen employee laptop.
How Vulnerable Are You?
If yours is an average U.S. corporation* here’s what your network experienced in the last week . . .
• Every Internet-connected device was "probed" about 26 times per day for known vulnerabilities.
• About 13 computers somewhere in your organization encountered a computer virus.
• 16 already logged-in desktop computers were inappropriately used by another employee in your company to access information.
• Three people scrounged through desks and drawers looking for someone else’s password. One of them succeeded and used it.
* Statistics provided by ICSA Labs, December 2006
How Vulnerable Are You?
If yours is an average U.S. corporation here’s what your network experienced in the last week . . . .
• On average 16 sexually explicit graphics were mailed or shared among some of your users. There is a 50-50 chance that some of these are stored on your network.
• At least two people experimented with a “hacking” tool or technique on the general computers, servers, and databases inside your network in the past month.
• Despite all the press and focus on hacking and viruses, there is a 72% likelihood that the next security breach your staff deals with will come from an insider.
Statistics provided by ICSA Labs
Ah, the disgruntled employee !!!
• Recent Novell research indicates
  – More than half the UK workforce* would be prepared to seek revenge on former employers by exploiting continued access to corporate systems if they lost a job
  – 55% would continue to use their company laptop if it were not taken back; 58% would continue use of company mobile phones.
  – 6% said that they would delete important files
  – 4% would let a virus loose in the corporate email system
  – 67% would be prepared to steal sensitive information that would help in their next job
  – 38% said that they would steal company leads
* 2006 article did not indicate how large the polling group was, nor if it were a scientific poll
The Enemy Inside….
• For years, external security threats received more attention than internal security threats, but the focus has changed. Why?
• Hackers
• Crackers
• Denial of service
• Viruses
• Worms
• Intruders

• AV
• Firewalls
• IDS
• Content security
• Encryption
Who is Who ??
• The number of attacks attributed to the inside vs. outside is approximately equal (Source: CSI/FBI Survey 2005)
• Therefore, 43.5% of the total number of security incidents experienced globally can be attributed directly to the privileged user group.
• The privileged user group generally represents < 5% of any given organization.
43.5% of global security incidents (inside & outside) can be attributed to the privileged user
Known People (un)Intentionally Do Great Harm
• 87% of insider incidents are caused by privileged or technical users
• Many are inadvertent violations of:
  – Change management process
  – Acceptable use policy
• Others are deliberate, due to:
  – Revenge (84%)
  – “Negative events” (92%)
• Regardless, too costly to ignore:
  – Internal attacks cost 6% of gross annual revenue
  – Costing $400 billion in the US alone
Sources: Forrester research, IdM Trends 2006; USSS/CERT Insider Threat Survey 2005; CSI/FBI Survey, 2005; National Fraud Survey; CERT, various documents.
[Chart: Who Causes Internal Incidents? Privileged or technical users (87%); Other (13%)]
Dominant loss types
Why does the audit community care about “the enemy inside”?
• While viruses, worms, Trojans and DoS are serious, attacks perpetrated by people with trusted insider status pose a far greater threat to organizations in terms of potential cost per occurrence and total potential cost than attacks mounted from outside.
Redefining “Insiders”
• According to recent Gartner research
  – As a result of the high demand from western companies looking to cut costs, some outsourcing service providers in India and China are growing rapidly, hiring thousands of new employees in a month.
  – Gartner has warned companies that outsource to countries like India and China not to overlook the impact of cultural differences on security.
  – "India is seen as an answer when outsourcing applications but is actually a problem in the security space"
  – Standards of privacy are often loose in India because
    • Reading someone else's e-mail would not be considered much of an intrusion
    • Fingerprinting is considered offensive in the Indian culture; security checks are often outsourced to the local police, requiring that applicants have an Indian passport - this can only be acquired by passing vigorous security checks conducted by law enforcement officials
    • Many firms require only two references from each applicant as a security measure, but do not ensure the applicant has no criminal record.
  – "Fifty percent of companies understand that there are security issues with off-shoring, but the real issues are cultural, and in compliance and regulation."
Source: http://www.computerworld.com/managementtopics/outsourcing/story/0,10801,96074,00.html
Could This be Your Worst Enemy?
Who is an “Insider”?
• Current or former employees, consultants, and outsourcers who:
  – Intentionally or inadvertently exceeded or misused an authorized level of access to networks, systems, or data in a manner that
  – Targeted a specific individual or affected the security of the organization’s data, systems, and/or daily business operations

User                   | Access Type | Example
Trusted User           | LAN         | Employee using a directory on the file server to save critical files
Trusted User           | Dial-up     | Salesperson logging in via remote access to manage accounts
Super/Privileged User  | LAN         | IT administrator using the LAN to administer desktop
Super/Privileged User  | VPN         | Executive logging in remotely to review personnel files
Semi-Trusted User      | Extranet    | Client or partner accessing account information
Semi-Trusted User      | LAN         | Consultant using the LAN to conduct daily business
The reason insider attacks “hurt”
• Insiders have two important factors in their favor:
  – Access – both logical and physical
  – Trust
• In general, users and computers accessing resources on the local area network (LAN) of the company are deemed trusted. Practically, we do not draconically restrict their activities – revoke trust -- because an attempt to control these trusted users too closely will impede the free flow of business.
• And, obviously, once an attacker has physical control of an asset, that asset can no longer be protected from the attacker.
The insider threat profile
• The United States Secret Service and the Carnegie Mellon University Software Engineering Institute’s CERT Coordination Center published an insider threats study report in 2005 which offered critical insights into the mind and motivation of the “inside attacker.”
• A frightening 87% of those perpetrating harm were those we would consider as having the “keys to the kingdom”
The insider threat profile
• Male
• 17-60 Years Old
• 87% technical positions
• About half married
• Variety of racial and ethnic backgrounds
Source: CERT
The insider threat profile
• The average IT worker
  • More comfortable in the world of ideas and concepts than emotions and relationships,
  • Prefer to work independently,
  • Tend to resist authority,
  • More subject to environmental stress.
Source: CIA’s Center for Analysis of Personality and Behavior
What motivates the internal attacker?
• Internal attackers “perpetrate harm” for a number of reasons.
  – Challenge/Curiosity: Many internal attackers don’t think about their acts as “attacks” at all. They would construe the act instead as a challenge—combining patience, skill, and a combination of tactical and strategic thinking. Common examples of these attacks may include breaking into e-mail or IM accounts, accessing sensitive data assets (i.e., salary or financial data) or conducting ad hoc penetration tests.
  – Financial Gain: Internal attackers motivated by financial gain steal confidential information for a third party.
What motivates the internal attacker?
  – Revenge: Internal attackers motivated by revenge have negative feelings directed not simply to the company, but also toward a particular individual within that company.
    • These attackers can be particularly dangerous because they are patient and targeted.
[Chart: Motivations for Deliberate attacks (CERT), by motivation: Financial, Revenge (84%), Response to Negative Event (92%)]
These attackers planned ahead
• 62% of the attacks were planned in advance.
• 57% of the attackers surveyed would consider themselves “disgruntled.”
• 80% exhibited suspicious or disruptive behavior to their colleagues or supervisors before the attack.
• Only 43% had authorized access (by policy, not necessarily via system control).
• 64% used remote access to carry out the attack.
Source: USSS/CERT
Though let us not forget the role of stupidity
• Common threats to the internal security of any enterprise can be chalked up to stupidity:
  – Organizational stupidity: Systems administrators are highly sensitive to environmental stress*. If the systems administrator is overworked, mistakes will happen. Unfortunately, in the security world mistakes can have incredibly significant and negative impacts.
  – Individual stupidity: This category includes accidental destruction, modification, disclosure, or incorrect classification of information; or failure to follow security policy or operational procedure, which leads to breach of system or information integrity, confidentiality or availability.
    • Again, according to the CIA personality profile of the average IT worker, IT workers resist authority, working outside the “playbook.” While we didn’t need the CIA to tell us that, it should be noted that human error is a significant threat to any organization.
* (Source: CIA’s personality profile of an average IT worker).
Additional Statistics…
• The median loss caused by males is about $185,000; by females about $48,000
• Losses caused by managers are four times those caused by employees
• Median losses caused by executives are 16 times those of their employees
Source: Association of Certified Fraud Examiners
A concise list of worries from the CXO
Manipulation of Operating System Design Flaws: We all know the drill; operating systems such as Windows and Linux have not been designed to be highly secure. Privileged users in particular have easy access to information regarding which vulnerabilities exist, and which vulnerabilities have been patched. With the ability to read, and administrative access – privileged users have it in their power to manipulate these design flaws and exercise native vulnerabilities.
Manipulation of Protocol Design Flaws: Protocol weaknesses in TCP/IP can result in a virtual treasure trove of problems, for example -- DNS spoofing, TCP sequence, hijacked sessions and authentication session / transaction replay, denial of service, and TCP_SYN flooding.
Introduction of bad code: “Bad code” may include time bombs (software programmed to damage a system on a certain date), or logic bombs (software programmed to damage a system under certain conditions).
Installation of unauthorized software or hardware: Common attacks include the installation of Trojans by privileged users.
Viruses: While the most significant internal threat is the “ignorant” employee that double clicks on the email attachment, activating a virus, results from a number of “insider attack” surveys show that viruses may be exploited by hostile employees.
Theft of information or computing assets: This category includes theft of anything from digitally stored information (like customer credit card information to company critical financial data to internal product engineering plans) to theft of physical devices.
Sabotage of information or systems: This category includes inadvertent or deliberate destruction of system operations or information assets. This category includes the physical destruction of network cabling, computing devices, or disabling of electrical or other environmental control.
So What is the Answer ??
• Heavily regulated industries have been dealing with CIA (confidentiality, integrity, availability) of customer/consumer information for years
  – Financial Services
  – Health Care
  – Government Agencies
• But other industries are not so “lucky”
  – Retail
  – eRetail
  – HR/Recruitment
  – Higher Education
• These industries are a target
  – They aggregate personal information
  – Information sharing is typically part of the business model
PCI Overview
• The five major card associations jointly created the Payment Card Industry (PCI) Data Security Standard around security and payment data
  – Genesis was VISA CISP Program
  – PCI standards apply to all members, merchants, and service providers that store, process or transmit cardholder data
  – Security requirements apply to all system components, which is defined as any network component, server, or application included in, or connected to, the cardholder data environment
  – Merchants are categorized by level, which dictates validation requirements against the standards
Merchant Levels Defined
Merchant Level | Description
1 | Any merchant who processes over 6,000,000 transactions annually. Any merchant that has suffered a breach. Any merchant designated Level 1 by Visa.
2 | Any merchant who processes between 150,000 and 6,000,000 e-commerce transactions annually.
3 | Any merchant who processes between 20,000 and 150,000 e-commerce transactions annually.
4 | Anyone else
PCI Overview (continued)
• Validation requirements
  – Level 1 merchants
    • annual on-site assessment by approved assessor
    • quarterly network security scan by approved scan vendor
  – Level 2 and 3 merchants
    • self-assessment questionnaire
    • quarterly network security scan by approved scan vendor
• All merchants, regardless of level, must comply with all elements of the PCI DSS standards
The scope of the PCI Audit
• Scope of compliance validation is focused on any system(s) or system component(s) related to authorization and settlement where cardholder data is processed, stored, or transmitted, including:
  – All external connections into the merchant network
  – All connections to and from the authorization and settlement environment
  – Any data repositories outside of the authorization and settlement environment where more than 500K account numbers are stored
Outsourcing
• For those entities that outsource processing, transmitting, or storage of cardholder data to third-party service providers, the Report On Compliance must document the role of each service provider;
• Service providers are responsible for validating their own compliance with the PCI Data Security Standard independent of their customers.
• Additionally, merchants and service providers must contractually require all associated third parties with access to cardholder data to adhere to the PCI Data Security Standard. (Requirement 12.8)
Consequences for lack of compliance
• Financial Risk
  – Merchant banks may pass on substantial fines
  – Up to $500,000 per incident from Visa alone
  – Civil liability and cost of providing ID theft protection
• Compliance Risk
  – Exposure to Level 1 validation requirements
• Operational Risk
  – Visa-imposed operational restrictions
  – Potential loss of card processing privileges
PCI Data Security Standards
The PCI Data Security Standard consists of six major categories supported by twelve basic requirements. Within these categories is a total of 175 detailed requirements. Audits assess both implementation as well as policy and process as identified in the detailed sub-requirements.
PCI enterprise security model
PCI awareness principles: Value statements that the business requires for the delivery of PCI
Security policy: The security rules that must be followed to meet PCI compliance
PCI standards: Set of rules for implementation policy; standards make specific mention of technologies, methodologies, implementation procedures and other detail factors to meet company-wide PCI compliance
Security processes: Activities typically performed across multiple organizations to implement PCI required policies and standards
PCI procedures: Specific operational steps that individuals must take to achieve PCI goals, which are often stated in policies
Security architecture: Details how all the technologies fit together to assure PCI compliance
Security products: PCI risk-mitigating products and tools
Sample Solutions for PCI Compliance
PCI Reporting and Audit Dashboard

Build and Maintain a Secure Network
  Requirement 1: Install & maintain a firewall… → Perimeter Security
  Requirement 2: Do not use vendor default passwords → Access Management
Protect Cardholder Data
  Requirement 3: Protect stored cardholder data → Storage Management
  Requirement 4: Encrypt transmission of cardholder data → Data Encryption
Maintain a Vulnerability Management Program
  Requirement 5: Use & update anti-virus software → Anti-virus / Vulnerability Assessment
  Requirement 6: Develop & maintain secure systems & applications → CCMDB / Vulnerability Assessment
Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data → Access Management
  Requirement 8: Assign a unique ID to each person → Identity Management
  Requirement 9: Restrict physical access → Physical Access Controls
Regularly Monitor and Test Networks
  Requirement 10: Track & monitor access → Security Incident Management
  Requirement 11: Regularly test security systems & processes → Vulnerability Assessment / Security Incident Management
Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security → IT Service Management / Consulting Services

Security Incident and Event Management (foundation layer beneath the solutions above)
Security Incident and Event Management (SIEM)
SIEM Capabilities
Build and Maintain a Secure Network (SIEM supports)
  1: Install and maintain a firewall configuration to protect data
  2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data (SIEM supports)
  3: Protect stored data
  4: Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program (SIEM supports)
  5: Use and regularly update anti-virus software
  6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures (SIEM automates)
  7: Restrict access to data by business need-to-know
  8: Assign a unique ID to each person with computer access
  9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks (SIEM automates)
  10: Track and monitor all access to network resources and cardholder data
  11: Regularly test security systems and processes.
Maintain an Information Security Policy (SIEM supports)
  12: Maintain a policy that addresses information security
Leveraging Control Activity for PCI
• Tell the story of the cardholder data environment
  – Articulate activity
    • To the auditors
    • To Senior Management and the BOD
  – Demonstrate
    • Controls in place over time
    • Routine activity
    • Anomalous activity
    • Incidents
      – From discovery through resolution
      – Lessons learned
  – Document
    • Controls narrative
      – Risk tolerance
      – Decisions and rationale
    • Written policies and procedures
      – Including enforcement plans and/or examples
Compliance Objective (yes/no checklist)
• Is access to payment card account numbers restricted for users on a need-to-know basis?
• Is all access to cardholder data, including root/administration access, logged?
• Do access control logs contain successful and unsuccessful login attempts and access to audit logs?
• Are all critical system clocks and times synchronized, and do logs include date and time stamp?
• Are the firewall, router, wireless access points, and authentication server logs regularly reviewed for unauthorized traffic?
• Are audit logs regularly backed up, secured, and retained for at least three months online and one year offline for all critical systems?
• Are information security policies, including policies for access control… formally documented?
• When an employee leaves the company, are that employee’s user accounts and passwords immediately revoked?
• Are security alerts from IDS/IPSs continuously monitored, and are the latest IDS/IPS signatures installed?
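Several of the checklist questions above (need-to-know access to account numbers, logging of root/admin access, successful and unsuccessful logins, timestamps on every record, revocation of departed employees' accounts) can be tested against the logs themselves. The script below is an added example, not IBM Tivoli code; the key=value log format, host and user names, authorisation lists and failed-login threshold are all constructed assumptions for the example.

```python
# Added example: review constructed cardholder-data-environment access logs
# against the PCI checklist questions. Log format and names are assumptions.
from datetime import datetime

# Constructed sample log. Line 9 deliberately lacks a timestamp.
SAMPLE_LOG = """\
2007-09-12T08:01:12Z host=cde-db01 user=jsmith event=login result=success
2007-09-12T08:02:30Z host=cde-db01 user=jsmith event=read table=card_pan rows=12
2007-09-12T08:05:44Z host=cde-db01 user=root event=read table=card_pan rows=5000
2007-09-12T08:07:03Z host=cde-app02 user=tlee event=login result=failure
2007-09-12T08:07:09Z host=cde-app02 user=tlee event=login result=failure
2007-09-12T08:07:15Z host=cde-app02 user=tlee event=login result=failure
2007-09-12T08:09:00Z host=cde-db01 user=mbrown event=login result=success
2007-09-12T08:09:20Z host=cde-db01 user=mbrown event=read table=card_pan rows=300
host=cde-db01 user=jsmith event=read table=card_pan rows=3
2007-09-12T08:15:00Z host=cde-db01 user=ops event=read table=audit_log rows=900
"""

NEED_TO_KNOW = {"jsmith"}        # users authorised to read account numbers
ADMIN_ACCOUNTS = {"root"}        # root/administrative accounts
TERMINATED = {"mbrown"}          # employees who have left; accounts should be revoked
PAN_TABLES = {"card_pan"}        # tables holding cardholder data
FAILED_LOGIN_THRESHOLD = 3       # consecutive failures that warrant a finding


def parse_record(line: str) -> dict:
    """Split a record into fields; 'ts' is None when the timestamp is missing."""
    record = {"ts": None}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            record[key] = value
        else:
            try:
                record["ts"] = datetime.strptime(token, "%Y-%m-%dT%H:%M:%SZ")
            except ValueError:
                pass  # unrecognised bare token; left out of the record
    return record


def review_log(text: str, need_to_know=NEED_TO_KNOW, admins=ADMIN_ACCOUNTS,
               terminated=TERMINATED, pan_tables=PAN_TABLES,
               threshold=FAILED_LOGIN_THRESHOLD):
    """Return (line number, finding, user) tuples for an auditor to follow up."""
    findings = []
    failures = {}  # consecutive failed logins per user
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        rec = parse_record(raw)
        user = rec.get("user", "?")
        if rec["ts"] is None:                      # every record must be stamped
            findings.append((lineno, "MISSING_TIMESTAMP", user))
        if user in terminated:                     # account should have been revoked
            findings.append((lineno, "TERMINATED_ACCOUNT_ACTIVE", user))
        if rec.get("event") == "login":
            if rec.get("result") == "failure":
                failures[user] = failures.get(user, 0) + 1
                if failures[user] == threshold:
                    findings.append((lineno, "REPEATED_FAILED_LOGIN", user))
            else:
                failures[user] = 0
        elif rec.get("event") == "read":
            if rec.get("table") in pan_tables:
                if user in admins:                 # logged, but admin reads get reviewed
                    findings.append((lineno, "ADMIN_PAN_ACCESS_REVIEW", user))
                elif user not in need_to_know:     # need-to-know only
                    findings.append((lineno, "PAN_ACCESS_NOT_NEED_TO_KNOW", user))
            elif rec.get("table") == "audit_log":  # access to audit logs is itself logged
                findings.append((lineno, "AUDIT_LOG_ACCESS", user))
    return findings


if __name__ == "__main__":
    for lineno, finding, user in review_log(SAMPLE_LOG):
        print(f"line {lineno}: {finding} ({user})")
```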
It Works Perfectly – In Powerpoint
• It is obvious and it is EASY
  – Here in this meeting room
  – Devil in the details . . . .
• Demonstrate that you understand
  – WHO
  – has access to WHAT
  – for what PURPOSE
  – at any given TIME
• There is no “one-size-fits-all”
• Remember why this is important
  – Consider “harm”
IBM Tivoli Security
• Tivoli Security Solutions (in Australia)
Security Specialists for (VIC / SA / WA & NZ)
  – Barry Metzger 0412 772 552 barry.metzger@au.ibm.com
  – Darren Wright 0402 892 296 darrenwr@au1.ibm.com
Security Specialists for (NSW / QLD / NT)
  – Paul Cooper 0411 892 296 pcooper@au1.ibm.com
  – Brad Anderson 0411 304 040