PCI Compliant - But Are We Secure?

Transcription

5/10/2016

Slide 1: PCI Compliant but are we secure?
Michael Carr, JD, CISSP, CIPP
Chief Information Security Officer
University of Kentucky
June 2016

Slide 2: Disclaimer
The content, discussion, or materials presented are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem or advice. Use of and access to this information or material does not create an attorney-client relationship between Michael Carr and you, the conference attendee. The opinions expressed during this presentation are the opinions of the author and do not reflect the opinions or advice of the SCCE, the University of Kentucky, the Commonwealth of Kentucky or anyone else on planet Earth.

Any rebroadcast, retransmission, or account of this presentation, without the express written consent of Major League Baseball, er, I mean, SCCE, is strictly prohibited. This presentation is meant for educational purposes only. Any resemblance to real persons, living or dead is purely coincidental. Void where prohibited. Do not use while operating a motor vehicle or heavy equipment. You must be present to win. Subject to change without notice.

Disclaimer includes misuse, accident, lightning, flood, tornado, tsunami, volcanic eruption, earthquake, hurricanes and other Acts of God, neglect, damage from improper reading, incorrect line voltage, improper or unauthorized reading, broken antenna or marred cabinet, missing or altered serial numbers, electromagnetic radiation from nuclear blasts, sonic boom vibrations, customer adjustments that are not covered in this list, and incidents owing to an airplane crash, ship sinking or taking on water, motor vehicle crashing, dropping the item, falling rocks, leaky roof, broken glass, mud slides, forest fire, or projectile (which can also include, but not be limited to, arrows, bullets, shot, BB's, shrapnel, lasers, napalm, torpedoes, or emissions of X-rays, Alpha, Beta and Gamma rays, knives, stones, head slaps, nasty tones, mean looks or thoughts, etc.)

Slide 3: Show of hands . . . got a favorite?
- Barry Nelson, 1954: Casino Royale
- David Niven, 1967: Casino Royale
- Roger Moore, 1973‐1985
- Timothy Dalton, 1987‐1989
- Sean Connery, 1962‐1983
- Pierce Brosnan, 1995‐2002
- George Lazenby, 1969: On Her Majesty's Service
- Daniel Craig, 2006‐

Slide 4: Show of hands . . . Always as cool & collected?

Slide 5: Show of hands . . . or do you feel like this? (Juggling Chainsaws on a Tightrope)

Slide 6: PCI Compliant but are we secure? Agenda
- Using Target Dept Store's breach as a backdrop
- What does it mean to be PCI Compliant?
- PCI Compliance ≠ Secure
- What can be done to ensure both

Slide 7: November-December 2013
- About 12M people in common; 98M unique customers

Slide 8: post-breach
- 248M in data breach costs (across '13 & '14)
- Payments to Visa, MasterCard and Banks
- Offset by insurance payments of 90M
- For comparison: '07: TJ Maxx: 94M customers & payment card info; '09: Heartland: 130M payment card records; '13: Adobe: 152 customers & payment card info; '14: Home Depot: 56M payment cards

Slide 9: Anatomy of the Target Breach

Slides 10-12: Anatomy of the Target Breach (diagram build: Contractor Portal -> Firewall -> Target's Corporate Network)

Slides 13-14: Anatomy of the Target Breach (diagram build continued: Contractor Portal -> Firewall -> Target's Corporate Network)

Slide 15: post-breach
- There were a number of missteps. Some human error; some technical failings
- But Target was PCI Compliant ! ? !
- TrustWave was their Qualified Security Assessor (QSA)
- FireEye was monitoring their network
- Alarms were ignored

Slide 16: PCI Compliant, what does that mean?
- Let's not get ahead of ourselves . . .
- What is a QSA?
- What does it mean to be PCI Compliant?

Slide 17: PCI Compliant, what does that mean?
- Way back in early 2000s . . .
- AmEx, Discover, JCB, MasterCard and Visa
- PCI Data Security Standard (DSS)
- Proprietary information security standard
- Ver 1.0: December '04
- Ver 3.2: anytime now

Slide 18: PCI Compliant, what does that mean?
Similar to being audited, PCI Compliance is a point‐in‐time assessment of an organization's adherence to the PCI Data Security Standards (PCI DSS). A QSA is similar to an external auditor.

Slide 19: PCI DSS: Isn't it a bunch of technical gobbledygook?
- Yes and No . . .
- It's a prescriptive standard/framework
- 12 Requirements (aka "digital dozen") within 6 Main Categories
- Each has sub‐points, testing procedures & "guidance"
- Requires documenting environment & issuing a Report on Compliance (RoC)

Slide 20: PCI DSS technical gobbledygook? High Level Overview
I. Build & maintain secure network
  1. Install/maintain firewall configuration
  2. Don't use vendor‐supplied defaults
II. Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt . . . cardholder data
III. Maintain vulnerability mgmt program
  5. Protect systems against malware
  6. Develop & maintain secure systems

Slide 21: PCI DSS technical gobbledygook? High Level Overview (continued)
IV. Implement Access Control Measures
  7. Restrict access to cardholder data
  8. Identify & authenticate access
  9. Restrict physical access to cardholder data
V. Regularly Monitor & Test Networks
  10. Track & monitor access
  11. Regularly test security systems
VI. Maintain Information Security Policy
  12. Maintain policy that addresses InfoSec for all personnel

Slides 22-23: PCI DSS technical gobbledygook? Sub‐points, Testing Procedures & "Guidance"
I. Build & maintain secure network; 1. Install/maintain firewall configuration. Example:

Requirement 1.3.5: Permit only "established" connections into the network.

Testing Procedure 1.3.5: Examine firewall and router configurations to verify that the firewall permits only established connections into the internal network and denies any inbound connections not associated with a previously established session.

Guidance: A firewall that maintains the "state" (or the status) for each connection through the firewall knows whether an apparent response to a previous connection is actually a valid, authorized response (since it retains each connection's status) or is malicious traffic trying to trick the firewall into allowing the connection.

Slide 24: PCI DSS technical gobbledygook? Validation Reqmt depends on Merchant Level

Merchant Level | Trx Level            | Validation Requirement
1              | > 6M trx/yr          | Annual ROC by a QSA & Qtrly n/w scan by approved vendor
2              | 1M - 6M trx/yr       | Annual Self‐Assessment (SAQ) & Qtrly n/w scan . . .
3              | 20,000 - 1M trx/yr   | same
4              | < 20,000 trx/yr      | same
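Added example, not from the slides or from the PCI SSC: a small audit script that applies the 1.3.5 testing procedure to a constructed iptables-save style dump, failing a chain that admits new inbound sessions and passing one that accepts only tracked ESTABLISHED/RELATED traffic. The two dumps and the function name are assumptions made for this illustration.

```python
import re

# Constructed iptables-save style dumps (sample input, not a real device):
# the weak one leaves INPUT open by default and admits new RDP connections.
WEAK_DUMP = """*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
COMMIT
"""
# The hardened one drops by default and accepts only replies to sessions
# the firewall already tracks (plus loopback), which is what 1.3.5 asks for.
HARDENED_DUMP = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
"""

def audit_input_chain(dump: str) -> dict:
    """Apply the 1.3.5 testing procedure to the INPUT chain of a dump.
    ok is True only if the default policy is DROP, an ACCEPT rule keyed on
    ESTABLISHED/RELATED state exists, and no other ACCEPT rule (loopback
    aside) admits new inbound connections."""
    policy, state_rule, new_inbound = None, False, []
    for line in dump.splitlines():
        m = re.match(r":INPUT (\w+)", line)
        if m:                      # chain header carries the default policy
            policy = m.group(1)
            continue
        if not line.startswith("-A INPUT ") or not line.endswith("-j ACCEPT"):
            continue               # only ACCEPT rules can violate 1.3.5
        if "ESTABLISHED" in line or "RELATED" in line:
            state_rule = True      # the stateful allow the requirement wants
        elif "-i lo" not in line:
            new_inbound.append(line)  # admits a session the firewall never saw
    ok = policy == "DROP" and state_rule and not new_inbound
    return {"policy": policy, "state_rule": state_rule,
            "new_inbound": new_inbound, "ok": ok}

if __name__ == "__main__":
    for name, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        print(name, audit_input_chain(dump))
```

A QSA's real review also covers the FORWARD chain and every perimeter router; this checks only the single chain the requirement text names.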

Slide 25: PCI DSS technical gobbledygook? What's in a RoC?
- If satisfactory, Attestation of Compliance (AoC)
- Similar to an external audit
- Assimilate PCI‐related policies & procedures
- Amass Documentation, Configuration Stds & Reports, Penetration (aka 'pen') Test & Scan Results, Confirmation of controls, Etc.

Slide 26: Compliant ≠ Secure? that seems odd?

Slide 27: Compliant ≠ Secure? that seems odd? Review of Target's Breach
1. Reconnaissance
2. Get someone to give you keys
3. Exploit vulnerabilities (quietly)
4. Don't stay long

Slide 28: Compliant ≠ Secure? that seems odd? 1. Reconnaissance
- Microsoft case study of Target's servers
- Target's online list of supplier/vendors
- Google metadata
- Naming Convention
(none of which are addressed by PCI DSS)

Slide 29: Compliant ≠ Secure? that seems odd? 2. Get someone to give you keys
- HVAC Co. used free anti‐malware
- Unclear if HVAC Co. access was still needed
- HVAC Co. was from PA; Hackers: Russia
(neither specific anti‐malware software nor context‐based security is addressed by PCI DSS)

Slide 30: Compliant ≠ Secure? that seems odd? 3. Exploit vulnerabilities (quietly)
- Admin logins weren't monitored
- Creation of new VMs wasn't monitored
- Network‐to‐network traffic was allowed
(okay, PCI DSS should have caught these)

Slide 31: Compliant ≠ Secure? that seems odd? 4. Don't stay long
- No alert re: changes made to POS server
- Traffic from a new server not monitored
- Alerts from security vendor ignored
(damages could have been minimized)

Slide 32: Can we ensure both? PCI Compliance & Secure
Secure [si‐kyoor]: free from or not exposed to danger or harm; free from care; without anxiety.
Like compliance & auditing, "secure" is a point in time. Security is a continuous‐improvement process (not a project).

Slide 33: Can we ensure both? PCI Compliance & Secure
- InfoSec Frameworks are great
- But don't treat like a checklist
- Consider them as "baseline"
- It's all about Risk Management!
- Requires continuous assessments and regular adjustments

Slide 34: Can we ensure both? PCI Compliance & Secure
- Annual Assessments have gone the way of . . .

Slide 35: Can we ensure both? PCI Compliance & Secure
- Systems and network complexity warrant continuous updates & patching
- Which, in turn, introduce uncertainty & increase risk
- A compliant & "secure" system today may be identified as having a multitude of exploitable vulnerabilities tomorrow

Slide 36: PCI Compliant but are we secure? Re‐cap
- Using Target Dept Store's breach as a backdrop
- Better understanding of "PCI Compliance"
- Kinda understand why PCI Compliance ≠ Secure
- See the need for eternal vigilance

Slide 37: PCI Compliant but are we secure? Questions? Discussion?

Slide 38: PCI Compliant but are we [remainder lost in extraction; only the fragment "itical‐security‐controls" survived]

Slide 39: Thank You
Michael Carr, JD, CISSP, CIPP
Chief Information Security Officer
University of Kentucky
June 2016
