Jordan Levesque - Keeping your Business Secure

Transcription

1 Jordan Levesque - Keeping your Business Secure

2 Review of PCI Benefits of hosting with RCS File Integrity Monitoring Two Factor Log Aggregation Vulnerability Scanning Configuration Management and Continuous Deployment

3 Overview of PCIDSS Payment Card Industry Data Security Standard Mandated by card brands Framework for applying good security posture

4 What's new in 3.2? Greater focus on Multifactor Authentication All remote access must have MFA All local administrator access must have MFA PAN masking requirements Pushed out SSL/TLS 1.0 migration deadline to from June 2016 to June 2018

5 Why is PCI important?

6 Risk Overview 62% more breaches in 2013 than in 2012, over 553 million identities stolen, up from 93 million in 2012, an increase of more than 594% = 20 million

7 Risk Overview Threats are becoming more advanced, and attacks are becoming more frequent

8 Breach Overview Avg cost per record for retailers $172 Avg cost per breach $4 million Average time to detection of a breach 197 days Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan 1 Jul 17

9 What are the 12 Standards? Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Requirement 5: Use and regularly update anti-virus software or programs Requirement 6: Develop and maintain secure systems and applications Requirement 7: Restrict access to cardholder data by business need to know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Requirement 12: Maintain a policy that addresses information security for all personnel

10 Benefits of Hosting with RCS

11 Shared Responsibility of PCI sub-requirements RCS 362 Admin Credentials NCR Counterpoint Managed Firewalls Application Whitelisting 2FA Security policy Hosting You 49 Credentials POS maintenance Security policy

12 Cost, Time, Expertise More cost-effective for RCS to manage security applications in bulk vs smaller deployments RCS has dedicated personnel to handle day-today operations of security applications (the apps are very needy) RCS Security personnel are trained in the use of security applications, and become subject-matter experts

13 Cost, Time, Expertise

14 File Integrity Monitoring (FIM) & Application Whitelisting (AW)

15 FIM / Application Whitelisting Goes beyond traditional AV Signature-less, vs AV which is signature-based Analyzes patterns in file activity, not just file hashes or signatures Hash / Signature String of a fixed size which is used to identify data of an arbitrary size. Hello World Crypto Hash Func. 3e25960a79dbc69b 674cd4ec67a72c62 This is a one-way function.

16 FIM / AW: Rule Abstraction Signature-less rule example: IF [any file hash] SIGNED BY [LogMeIn] EXECUTES AT [C:\%APPDATA%\local\logmein rescue unattended], ALLOW EXECUTION

17 FIM / AW: File Report Example

18 FIM / AW: Control Models Low Operates on a blacklist Unapproved files allowed Banned files blocked Low potential for false positives Monitors file propagation Custom rules enforced for fine-tuning of allowed or disallowed file activity High Operates on a whitelist Unapproved files blocked Banned files blocked High potential for false positives Monitors file propagation Custom rules enforced for fine-tuning of allowed or disallowed file activity

19 Two-Factor Authentication (2FA)

20 Authentication Factors Something you know Something you have Something you are Password RSA Token Digital Certificate YubiKey Phone & Duo Security Iris Fingerprint Voice

21 2FA: Our Solutions YubiKeys Duo Push Primary uses: POS users Back office users Admin users Token is plugged in, and the center button is pressed at the 2FA prompt Primary uses: Back-office Admin users A push is requested from the 2FA prompt, which is sent to the corresponding smartphone

22 2FA: Where does it apply? During the Remote Desktop login

23 Security Information & Event Manager (SIEM)

24 SIEM: Why does it matter? Local event logs can be manipulated, SEIM provides forensically-sound archival of events Local event logs are overwritten when space runs out Can be mined / queried for deep security intelligence about any and all systems reporting in

25 Vulnerability Scanning

26 Vulnerability Scanning: HOLY VULNERABILITIES, BATMAN! Evaluates a system for open ports, missing patches, and other potential attack vectors or points of weakness Provides actionable intelligence and recommendations Example from vendor s website

27 Vulnerability Scanning: Breakdown Example

28 Configuration Management (CM) & Continuous Deployment (CD)

29 CM&CD: The Challenge How the heck do you enforce a change on X amount of servers without touching each one individually?

30 CM&CD: The Solution Something akin to the Starkiller base, but like for the good guys. All seeing, all reaching.

31 CM&CD: How it works Deployments are delivered to clusters of servers within defined maintenance windows Windows Updates AV Updates Applications Config Rules

32 CM&CD: Benefits Well that s all fine and dandy, but what does that get me? Quick response to updates in best-practices Faster deployment of critical patches High compliance = high stability

33