Measuring Security: Security Metrics for PCI DSS Compliance
Sergey Gordeychik, Security Lab by Positive Technologies
Page 1: Sergey Gordeychik, Security Metrics for PCI DSS Compliance

Measuring Security: Security Metrics for PCI DSS Compliance

Sergey Gordeychik

Security Lab by Positive Technologies

Page 2:

What is PCI DSS?

QSA audits?

ASV scans?

Pentests?

Web applications security assessment?

Page 3:

What is PCI DSS?

Building up the process of keeping the information system (IS) in a secure (and compliant) condition!
• The process of monitoring and audit (ISO 27001 A.15.2…)

QSA audits? ASV scans? Pentests? Web application security assessment?


Page 5:

Black-and-white approach

The technical orientation of PCI DSS pushes auditors toward a black-and-white (red-and-yellow) result: "Not in compliance!" or "In compliance!"

Reality is much more complicated…

Page 6:

Example: Updating Oracle

Auditor: There are some problems with Oracle.

Company:
• Consultation with developers
• Waiting for approval
• Testing
• Deployment

Page 7:

Example: Updating Oracle. What to do?!

Speed up the process?

Update at one's own risk?

Restrict access at the firewall?

Migrate the application to a terminal server?

Implement a customized IPS?

Page 8:

What is good and what is bad?

How to measure the current level of compliance in a non-binary format?

How to divide the process of compliance maintenance into measurable tasks?

How to assess planned and current expenses?

Page 9:

Security metrics

Explicitly measured, no "expert opinion"

Available for calculation and analysis (automatically, where possible)

Expressed quantitatively (not just "high", "medium", "low")

Measured in units that suit analysis (such as "errors", "hours", "cost")

Comprehensible, pointing to the problem area and to possible solutions (the "So what?" test)

Page 10:

Compliance

With respect to requirements

Page 11:

Compliance

With respect to hosts

Page 12:

Compliance

With respect to hosts and requirements

Page 13:

Compliance

How many PCI requirements do we violate?

What violations are the most common?

What issues should be addressed in the first place?

Page 14:

Good, but not enough!

Allows you to trace a course of action

Allows you to observe the dynamics

Does not provide a comprehensible engineering estimate!

Page 15:

Labor input metrics

Allow you to assess the planned and actual labor input needed to reach the goal
• Labor input to bring the system into compliance
• Justification of the chosen compensating controls
• Assessment of the resources spent

Differentiation by type of modification
• Patch installation
• Version update
• Configuration modification
• Code change
…
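The compliance metrics of pages 10 to 13 (per requirement, per host, per host and requirement, most common violations, what to fix first) and the labor-input metrics of page 15 can all be computed from one host × requirement check matrix. The Python below is an added example and not code from the deck or from Positive Technologies; the host names, the requirement labels (illustrative shorthand, not PCI DSS section numbers) and the hours per type of modification are constructed for illustration. One deliberate choice: a check that is missing for a host is counted as a failure, so an unscanned host never inflates the compliance figure.

```python
"""Compliance and labor-input metrics over a host x requirement check matrix.

Added example, not from the original deck. All names and figures below are
constructed for illustration.
"""
from collections import Counter

# Constructed check matrix: True = the host passes the check.
# Requirement labels are illustrative shorthand, not PCI DSS section numbers.
CHECKS = {
    "db01":  {"patch-level": False, "db-password-policy": False, "antivirus": True,  "firewall-rules": True},
    "db02":  {"patch-level": False, "db-password-policy": True,  "antivirus": True,  "firewall-rules": True},
    "web01": {"patch-level": True,  "db-password-policy": True,  "antivirus": False, "firewall-rules": True},
    "web02": {"patch-level": False, "db-password-policy": True,  "antivirus": False, "firewall-rules": False},
    "ws01":  {"patch-level": True,  "db-password-policy": True,  "antivirus": False, "firewall-rules": True},
}

# Constructed remediation catalogue: (type of modification, estimated hours per host).
REMEDIATION = {
    "patch-level":        ("patch installation",   6.0),
    "db-password-policy": ("configuration change", 2.0),
    "antivirus":          ("version update",       1.5),
    "firewall-rules":     ("configuration change", 0.5),
}


def requirement_ids(checks):
    return sorted({req for results in checks.values() for req in results})


def compliance_by_requirement(checks):
    """Share of hosts passing each requirement; a missing check counts as a failure."""
    hosts = list(checks.values())
    return {req: sum(r.get(req, False) for r in hosts) / len(hosts)
            for req in requirement_ids(checks)}


def compliance_by_host(checks):
    """Share of checks each host passes."""
    return {host: sum(r.values()) / len(r) for host, r in checks.items()}


def overall_compliance(checks):
    """Share of all (host, requirement) cells that pass."""
    cells = [ok for r in checks.values() for ok in r.values()]
    return sum(cells) / len(cells)


def violations(checks):
    """(requirement, number of failing hosts), most common first."""
    failing = Counter(req for r in checks.values() for req, ok in r.items() if not ok)
    return failing.most_common()


def labor_estimate(checks, remediation):
    """Hours to close every violation: per requirement, per modification type, and in total."""
    by_requirement = {}
    by_type = Counter()
    for req, failing_hosts in violations(checks):
        mod_type, hours_per_host = remediation[req]
        by_requirement[req] = failing_hosts * hours_per_host
        by_type[mod_type] += failing_hosts * hours_per_host
    return by_requirement, dict(by_type), sum(by_requirement.values())


def remediation_priority(checks, remediation):
    """Requirements ordered by violations closed per hour of work, cheapest wins first."""
    hours, _, _ = labor_estimate(checks, remediation)
    count = dict(violations(checks))
    return sorted(count, key=lambda req: count[req] / hours[req], reverse=True)


if __name__ == "__main__":
    print("by requirement:", compliance_by_requirement(CHECKS))
    print("by host:", compliance_by_host(CHECKS))
    print("overall: %.0f%%" % (100 * overall_compliance(CHECKS)))
    print("violations:", violations(CHECKS))
    print("labor (per requirement, per type, total):", labor_estimate(CHECKS, REMEDIATION))
    print("priority:", remediation_priority(CHECKS, REMEDIATION))
```

On the constructed data the two most common violations (patch level and antivirus) tie at three hosts each, but the labor estimate separates them: the patch round costs 18 of the 25 hours, while the antivirus and firewall fixes close four violations for 5 hours. That is the engineering estimate the pure compliance counts cannot give, and it is what justifies a compensating control while an expensive update is still in approval.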

Page 16:

Labor input metrics

Page 17:

Process metrics

Derived from compliance metrics and their derivatives
• Number and percentage of workstations with antivirus software installed
• Number and percentage of hosts that comply with patch-management requirements
• Number and percentage of DBMS servers that comply with password requirements
• Number and percentage of network devices that comply with security requirements

Page 18:

Process metrics

Example with Oracle
• Convergence on hosts: from 20 days to eternity
• Maximum compliance level: 23%

Perhaps it's better not to think about installing Oracle patches at all?
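The Oracle figures above (convergence on hosts, maximum compliance level) and the "percentage of hosts that comply with patch-management requirements" metric of page 17 are process metrics over a single patch roll-out: how the patched share grows from the release date, when (if ever) it reaches a target, and how many hosts missed the deadline. The Python below is an added example, not from the deck or from Positive Technologies; the host names and install days are constructed, and the 30-day window stands for the one-month deadline PCI DSS sets for critical security patches.

```python
"""Process metrics for one patch roll-out: patched share over time, convergence, SLA breaches.

Added example, not from the original deck; host names and install days are constructed.
"""

# Constructed sample: day (after the patch release) on which each host received
# the patch; None = still unpatched at the end of the observation window.
PATCH_INSTALL_DAY = {
    "db01": 20, "db02": 45, "db03": 90,
    "db04": None, "db05": None, "db06": None, "db07": None,
    "db08": None, "db09": None, "db10": None,
}
HORIZON_DAYS = 180             # observation window, in days after release
CRITICAL_PATCH_SLA_DAYS = 30   # PCI DSS: critical security patches within one month of release


def compliance_at(install_day, day):
    """Share of hosts patched on or before `day`."""
    patched = sum(1 for d in install_day.values() if d is not None and d <= day)
    return patched / len(install_day)


def compliance_curve(install_day, horizon):
    """(day, patched share) at day 0, at every day the share changes, and at the horizon."""
    days = {0, horizon} | {d for d in install_day.values() if d is not None and d <= horizon}
    return [(d, compliance_at(install_day, d)) for d in sorted(days)]


def convergence_day(install_day, target, horizon):
    """First day on which the patched share reaches `target`, or None ('eternity')."""
    for day in range(horizon + 1):
        if compliance_at(install_day, day) >= target:
            return day
    return None


def max_compliance(install_day, horizon):
    """Highest share reached inside the window (the share never decreases)."""
    return compliance_at(install_day, horizon)


def host_convergence(install_day):
    """(fastest, slowest) remediation time; slowest is None when any host is never patched."""
    days = list(install_day.values())
    fastest = min((d for d in days if d is not None), default=None)
    slowest = None if None in days else max(days)
    return fastest, slowest


def sla_compliance(install_day, sla_days):
    """Share of hosts patched inside the window: the 'hosts complying with patch management' metric."""
    return compliance_at(install_day, sla_days)


def sla_breaches(install_day, sla_days):
    """Hosts outside the patch window, worst first: never-patched hosts, then the latest installs."""
    late = [(h, d) for h, d in install_day.items() if d is None or d > sla_days]
    return sorted(late, key=lambda hd: (hd[1] is not None, -(hd[1] or 0)))


if __name__ == "__main__":
    print("curve:", compliance_curve(PATCH_INSTALL_DAY, HORIZON_DAYS))
    print("day 30% reached:", convergence_day(PATCH_INSTALL_DAY, 0.3, HORIZON_DAYS))
    print("day 50% reached:", convergence_day(PATCH_INSTALL_DAY, 0.5, HORIZON_DAYS))
    print("max compliance: %.0f%%" % (100 * max_compliance(PATCH_INSTALL_DAY, HORIZON_DAYS)))
    print("host convergence (fastest, slowest):", host_convergence(PATCH_INSTALL_DAY))
    print("within SLA: %.0f%%" % (100 * sla_compliance(PATCH_INSTALL_DAY, CRITICAL_PATCH_SLA_DAYS)))
    print("breaches:", sla_breaches(PATCH_INSTALL_DAY, CRITICAL_PATCH_SLA_DAYS))
```

`convergence_day` returning None is the "eternity" case on the slide, and `max_compliance` at the horizon is the plateau the roll-out stalls at; feeding the same functions a per-requirement series gives the page 17 percentages as a trend rather than a single snapshot. The breach list, worst first, is the input a compensating control (firewall restriction, customized IPS) has to be sized for while the patch itself waits on approval.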

Page 19:

Comparison with the world level

What about others?

Is my level acceptable?

Perhaps I needn’t do anything?

Page 20:

Web application vulnerability research, 2008

Scope of research:
• Automated mode: approximately 10,000 hosts
• Detailed analysis: approximately 1,000 hosts

Results:
• The security level of most websites is low
• Detection and exploitation of vulnerabilities are automated

Web Application Security Consortium preliminary data

Page 21:

Distribution of websites by the number of detected vulnerabilities (2008)

Page 22:

The most common vulnerabilities

Page 23:

To compromise a website, attackers usually exploit…

Analysis of a compromised website exposes a set of vulnerabilities, one third of which could be exploited by an attacker

Page 24:

How soon can these issues be solved?

WhiteHat Security

Page 25:

Thank you for your attention!

Sergey Gordeychik
http://gordeys.blogspot.com
[email protected]