Borderless Networks And PCI Compliance - KIS

Transcription

Borderless Networks and PCI compliance
Philippe Roggeband - proggeba@cisco.com
Emerging Markets Borderless Networks
Presentation ID
2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential

One year ago
In what could be the biggest security incident in history, Heartland Payment Systems announced on Tuesday 20th of January that it was the victim of a data breach that possibly compromised more than 100 million accounts after malicious software was found in its payment processing system.

Borderless Networks and PCI Compliance
Philippe Roggeband - proggeba@cisco.com
Emerging Markets Borderless Networks team

Borderless Networks Security & PCI compliance
Agenda
- Cisco's approach to security
- PCI Compliance overview
- Cisco's PCI Compliance solutions
- Call to action
Cisco Expo Bratislava

Cisco Architectural Product Portfolio (slide diagram; recoverable labels: ...rks, Switching, Routing, Security, Policy)

The Transformation: The World Is Our New Workspace
Borderless Networks: a next generation architecture to deliver the new workspace experience, for any resource, any device, anyone, anywhere.

Changing Environment; Shifting Borders (slide diagram; recoverable labels: Mobile Worker, Location Border, IT ...ce Border, Application Border, IaaS/SaaS, Video/Cloud)

Securing Borderless Networks: Business Challenges
- Where? Traditional borders are blurred; access from anywhere
- What? Threats are constantly changing: viruses and worms to malware to botnets
- Who? Identity: who is accessing the network and what they can do
- How? How to monitor and enforce global policies

The Evolving Security Threats
- Criminal specialization driving more sophisticated attacks
- Web ecosystem becomes number one threat vector
- Criminals exploit users' trust, challenging traditional security solutions
- Creative methods (business models) used to attract victims

Building Secure Borderless Networks: Borderless Security (slide diagram; recoverable labels: ...ance, Security Module, Hybrid Hosted, Cisco Security Intelligence Operations, Policy and Identity, Trusted Client, Network Security, Content Security, Network Infrastructure)

Cisco Security Product Portfolio
- Cisco Security Intelligence Operations
- Policy and Identity: Network Admission Control, Cisco Secure ACS
- Trusted Client: Cisco Virtual Office, AnyConnect VPN Client
- Network Security: ASA 5500, FWSM, ISR, IPS 4200, ACE Web App Firewall, Cisco Secure MARS, Cisco Security Manager
- Content Security: IronPort Hosted Email Security, IronPort S-Series, IronPort C-Series, IronPort M-Series

Cisco Security Intelligence Operations: Powering Cisco Security
SensorBase
- 700,000 global sensors over four threat vectors
- Historical library of 40,000 threats
- 500 third-party feeds, 100 news feeds, open source, and vendor partnerships
Threat Operations Center
- Automated tracking of over 200 parameters
- SenderBase: categorizes and rates reputation
- Global threat correlation
Advanced Protection
- Automated rule and/or signature creation
- Innovative virus outbreak filters
Fast accurate detection, advanced mitigations

Securing the Borderless Network Through Systems and Solutions
Secure Borderless Network, with Cisco solution examples:
- Defend: defend against threats (Threat Defense)
- Extend: secure enterprise connectivity (Secure Remote Workforce)
- Protect: protect business assets (Data Loss Prevention)
- Comply: achieve regulatory compliance (Solution for PCI)

Overview of PCI standards

Who does what?
- The PCI SSC sets the PCI DSS standard
- Each card brand has its own program for: compliance, validation levels, enforcement
- QSA (Qualified Security Assessor): assesses compliance with the PCI DSS
- ASV (Approved Scanning Vendor): validates adherence to the PCI DSS scan requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers
- SAQ (Self Assessment Questionnaire): validation tool for organizations that are not required to undergo an onsite assessment for PCI DSS compliance

Card brands websites
- American Express: www.americanexpress.com/datasecurity
- Discover Financial: ...c.html
- JCB: ....html
- MasterCard Worldwide: www.mastercard.com/sdp
- Visa Inc: www.visa.com/cisp

The Payment Card Industry (PCI) Data Security Standard
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security

PCI 1.2 Changes and Impact: Network Segmentation
- Network segmentation reduces PCI scope, reduces cost of audit, reduces cost to achieve PCI compliance
- Network segmentation now needs to be proven effective: if ineffective, the segmentation does not apply, and the cardholder data environment is now expanded
- Network segmentation with VLANs alone is no longer sufficient: firewalls are necessary to segment wireless LANs out of the cardholder data environment

Scoping with Segmentation (slide flow chart)
- Determine scope: can scope be reduced with segmentation?
- Not in place: entire network is in scope for PCI DSS review
- In place: did assessor validate ...? Assessor documents segmentation in place; scope limited for PCI DSS review; only devices passing cardholder data are in scope; audit performed
- Diagram labels: Branch, Warehouse, Headquarters, Data Center, Storage, Servers, inventory servers, WAN access, Wide Area Accelerated Network

PCI 1.2 Changes and Impact: QSA Audits
- PCI Security Standards Council started the QSA Quality Assurance Program in November 2008
- QSAs (PCI auditors): more thorough due diligence during audit, need to provide more details in the Report on Compliance (ROC): test compensating controls for effectiveness; test network segmentation for effectiveness; justify sample size selection
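The scoping rule on the segmentation slides above (segmentation only shrinks scope when it is a real, assessor-validated enforcement boundary; VLAN separation alone does not count and the cardholder data environment expands across it) can be modelled as a reachability check. This is an added example, not Cisco's or the PCI SSC's code; the segment inventory and the links between segments are constructed.

```python
from collections import deque

# Constructed inventory: segment name -> does it store, process or transmit
# cardholder data (CHD)?  Segments marked True form the initial CDE.
SEGMENTS = {
    "pos_lan": True,           # point-of-sale terminals
    "payment_servers": True,   # payment application and database
    "corp_wifi": False,
    "guest_wifi": False,
    "warehouse": False,
    "hq_users": False,
}

# Constructed adjacency: (segment_a, segment_b, control).  "vlan" means the two
# segments are separated only at layer 2/3 (routable, no filtering); "firewall"
# means a stateful firewall between them denies traffic to and from the CDE.
LINKS = [
    ("pos_lan", "payment_servers", "firewall"),
    ("corp_wifi", "pos_lan", "vlan"),       # wireless LAN reaches POS over a VLAN only
    ("guest_wifi", "corp_wifi", "vlan"),
    ("warehouse", "payment_servers", "firewall"),
    ("hq_users", "warehouse", "vlan"),
]


def pci_scope(segments, links, segmentation_validated=True):
    """Return the set of segments that fall within PCI DSS scope.

    Every CHD segment is in scope; scope then spreads across any link whose
    control is not an effective firewall (the PCI 1.2 position that VLANs
    alone do not segment).  If the assessor has not validated the segmentation
    (segmentation_validated=False) the firewalls count as ineffective too.
    """
    adjacent = {name: [] for name in segments}
    for a, b, control in links:
        effective = control == "firewall" and segmentation_validated
        if not effective:            # ineffective boundary: scope crosses it
            adjacent[a].append(b)
            adjacent[b].append(a)
    scope = {name for name, handles_chd in segments.items() if handles_chd}
    queue = deque(scope)
    while queue:                     # breadth-first expansion from the CDE
        current = queue.popleft()
        for neighbour in adjacent[current]:
            if neighbour not in scope:
                scope.add(neighbour)
                queue.append(neighbour)
    return scope
```

With the constructed data the validated run pulls both wireless segments into scope through the VLAN-only link to the POS LAN, while the warehouse and HQ segments stay out behind the firewall; with segmentation_validated=False every segment is in scope, which is the "entire network is in scope" branch of the flow chart.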

PCI 1.2 Major Areas: Wireless
Wireless deadlines in the cardholder data environment (CDE)
- No new WEP installations after 31 March 2009
- Existing WEP deployments must be decommissioned by 30 June 2010
- Written into the PCI DSS 1.2 standard
Wireless Guidelines & Recommendations published
- Guidelines map to the existing PCI DSS 1.2 standard
- Recommendations may go above & beyond the existing standard (wIPS for example)
- Anticipate (but not guarantee) that most of the recommendations will be incorporated into the next PCI standard revision

Published Deadlines, Fines and Level Validation Changes
- MasterCard global PCI deadline is now Dec 31, 2010 for Level 1, 2, 3 merchants and service providers
- Level 1 & 2 merchants must use an external QSA for onsite audits. Level 2 merchants must also still complete and submit a PCI Self-Assessment Questionnaire
- Service Provider (banks, payment processors) Tier 1 transactions reduce from 1 million transactions to 300,000 transactions
- Fines for non-compliance (not breach) per calendar year: Merchant Level 1 & 2 and Service Providers: 25k, 50k, 100k, 200k consecutively; Level 3: 10k, 20k, 40k, 80k consecutively

MasterCard/VISA PCI Merchant Levels
Level 1 Merchants
- Criteria: merchants processing over six million Visa/MC transactions annually (all channels) or global merchants identified as Level 1 by any card brand; any merchant that has suffered a hack or an attack that resulted in an account data compromise
- Requirement: annual on-site audit by Qualified Security Assessor ("QSA"); quarterly network scan by Approved Scan Vendor ("ASV"); Attestation of Compliance form
Level 2 Merchants
- Criteria: one million to six million transactions annually (all channels)
- Requirement: annual on-site audit by QSA; annual Self-Assessment; quarterly network scan by ASV
Level 3 Merchants
- Criteria: 20,000 to one million e-commerce transactions annually
- Requirement: annual Self-Assessment (SAQ); quarterly network scan by ASV
Level 4 Merchants
- Criteria: less than 20,000 e-commerce transactions annually and all other merchants processing up to one million Visa transactions annually
- Requirement: annual SAQ recommended; compliance validation requirements set by acquirer
Source: in-visa-pci-dss-framework-111808.pdf

PCI Security Standards Council Board of Advisors: Cisco member, 2-year commitment (May 2009 - April 2011)
Members: Bank of America, Exxon Mobil Corporation, National Australia Bank, Banrisul S.A., First Data, PayPal, Barclaycard, Global Payments Inc, Royal Bank of Scotland Group, Chase Paymentech Solutions Inc, JPMorgan Chase & Co, Tesco Stores Ltd, Cisco, Lufthansa Systems Passenger Services, TSYS Acquiring Solutions, Citrix Systems, Inc, McDonald's Corporation, VeriFone, European Payments Council, MICROS Systems, Inc, Wal-Mart Stores, Inc

Cisco Security for PCI (slide diagram; recoverable labels: Firewall, VPN, ASA 5500, ISR Series, IPS, IPS 4200, NAC, NAC Appliance, IP Video, Video Monitor, Email Security)

Cisco Wireless Security for PCI (slide diagram; recoverable labels: 802.11n Wireless Access Points, Mobility Services Engine, WPA/WPA2, Scan/monitor, wIPS, Wireless LAN Controller, ISR Series with Wireless, Device location, Device hardening)

Cisco Data Center for PCI (slide diagram; recoverable labels: MDS Storage Encryption, Nexus & UCS, Storage Virtualization, FW, WAN Storage Encryption, ASA 5500, VPN, IPS, IPS 4200)

Cisco VLANs for PCI (slide diagram; recoverable labels: Catalyst Switches, ISR Series, VLANs, 802.11n Wireless Access Points, Wireless VLANs)

Cisco Management for PCI
- ACS (Access Control System): AAA, rule-based access
- Cisco Security Manager (provisioning)
- Wireless Control System (provisioning)
- Centralized provisioning

Cisco Unified Customer Voice Portal Security for PCI (slide diagram; recoverable labels: ASA 5500, ISR Series, Firewall, VPN, Catalyst Switches, Voice Self Service Application Security)

Cisco PCI Validated Architectures
Cisco Validated Design includes:
- Recommended architectures for networks, payment data at rest, and data in transit
- Tested in a simulated retail enterprise
- Configuration, monitoring, and authentication management systems
- Architectural design guidance and audit review provided by PCI audit and remediation partners
(Diagram labels: Validated Design, Small Retail Store, PCI Audit Partner, Retail Solution Partners)

Cisco Security Innovations
Identity
- First to develop and bring NAC technology to the market
- Cisco TrustSec delivers security group tagging for RBAC
- Simplifies 802.1x deployments with "Open Mode" and "Flexible Authentication"
Security Intelligence
- SenderBase Network: the world's first and largest reputation database
- SensorBase: largest historical vulnerability and live network security threat feed
- IPS with Global Correlation; first to use global reputation in threat analysis
- Patented Risk Rating system
- Virus Outbreak Filters to detect zero-day threats
Web Security
- Web Usage Controls
- First to create Dynamic Vectoring and Streaming (DVS) for anti-malware defense
- First to create Dynamic Content Analysis (DCA) to evaluate and categorize web content (even hidden)
Router Security
- First to implement IPS in modular format in switches/routers
- Industry-leading integration of VPN, routing, and QoS: DMVPN, GET VPN, SSL VPN, and Easy VPN
- Embedded security: application firewall, IPS, and URL filtering
VPN
- First to use DTLS, which optimizes connections for latency-sensitive traffic
- First to offer client VPN on Windows Mobile phones
- First VPN solution to support the iPhone
- One-touch lockdown and security audit

Cisco Security Market Leadership
Investment
- 100M spent on dynamic research and development
- 250 certifications, 1000s of publications, 25 books authored, and 100 security patents
- 80 PhDs, CCIEs, CISSPs, MSCEs
Market leadership
- Over 20 million security appliances and 100 million clients deployed
- #1 enterprise security revenue, over 2B
- #1 in network security appliances: firewall, email security, NAC, router security
Solution
- Comprehensive solutions: Layer 2 to purpose-built proxies
- Validated industry solutions: PCI, SAFE, Data Center, UC
- Flexible delivery options: appliances, security modules, cloud
Threat Intelligence
- Threat operations team: 500 analysts, five global locations
- Largest sensor network: millions of sensors
- Broadest data footprint: network and application level
Merging innovative security technology with more than 25 years of networking expertise to redefine network security

Expect, Get, Save MORE From Your Borderless Network
- Superior customer experience
- Increase productivity
- Focus on strategic IT
- Optimize costs
- Single point of service
