PCI DSS Addressing Cyber-Security Threats. ETCAA June Gabriel Leperlier

Transcription

1 Welcome!

2 PCI DSS Addressing Cyber-Security Threats ETCAA June Gabriel Leperlier

3 Short Bio Current Position Head of Continental Europe Advisory Services at Verizon. Managing 30+ GRC/PCI/Pentest Consultants across Continental Europe Professional experience Now 9 years within Verizon Enterprise Solutions. 7 years as Key Manager at Cerplus a VeriSign Affiliate Cryptography & Key Management. 8 years in the French Air Force (including Operations in Former Yugoslavia). Crypto transmissions Operator. Education & Certifications : Positive Leadership by Michigan Ross School of Business Executive Education. PCI DSS QSA by PCI SSC CISSP by (ISC)2 CISA & CISM by ISACA Non Commissioned Officer (Crypto Transmissions) in the French Air Force IAll images are property of their respective owner 3

4 Data Breach Investigation Report DBIR 2017

5 DBIR 2017 What does reality of Data Breaches looks like? How can you make it more difficult for Hackers? Download our Data Breach Investigation for free If you haven t suffered a cybersecurity breach you ve either been incredibly well prepared, or very, very lucky. Are you incredibly well prepared?

6 DBIR Key Highlights

7 DBIR Key Highlights

8 Key findings The main play is still phishing leading to installation of malware, and using stolen credentials to advance attacks. 1 in 14 users fell for phishing attacks. 25% more than once! Ransomware is now the top malware functionality within Crimeware. It has seen a 50% increase in our dataset YoY. 81% of hacking-related breaches leveraged either stolen passwords and/or weak or guessable passwords.

9 Focusing your defenses Single-factor authentication is compromised often, and reused as a tool for the attacker. Shift from weak authentication methods to multi-factor solutions. Malware is not going anywhere. We assume you have client-based antivirus running, which is a start. Enrich AV with network malware detection, sandboxing technologies and application whitelisting. Most breaches are starting with a compromised user device. Limit the sensitive data stored on workstations and build a properly segmented network with strong authentication between security zones.

10 Focusing your defenses Patch web browser software (and associated plugins) promptly. Know what assets you have from which to determine patching. Limit what attachments make it past your gateway. Strip all executables and macroenabled Office documents, at a minimum. Encrypt all mobile devices! Threat Intelligence is the key to knowing what the next looming threat might look like and how to plan, recognize, respond and mitigate it as necessary.

11 GDPR General Data Protection Regulation

12 One Regulation to rule them all! National Laws in each EU member state, which are currently based on the EU Data Protection Directive 1995, will be replaced with the General Data Protection Regulation (GDPR) from 25 th May 2018 This is common for all the EU member states. No need for national implementations. Impact: Broader accountability Any organisation, regardless of country of origin, that offers goods and services to EU residents or monitor behaviour of EU residents is subject to the GDPR. Mandatory auditing Penalties for non-compliance Potential Fines up to 4% of Global Revenue or 20,000,000 Annual Activity Reports (reputational damage) IAll images are property of their respective owner 1

13 Timeline towards compliance Collaboration with Legal and Data Protection Authorities coordinated by DPO Review of Contractual Agreements between Controllers, Partners, Suppliers, Customers and Data Subjects Policy and Procedural Review, Risk Assessment Records of Processing activities Review of Data Breach procedures Identification Affected Systems and Information Lifecycle Current Technical State Analysis, Design and Implement Corrective Measures Data Protection by Design and by Default Secure Processing Right to be Forgotten Unambiguous Consent Implement additional Technical Controls Image courtesy: CC0 Public Domain 1

14 GDS systems PNR + Last Name : A real weakness Instagram and other Social Networks Key points to remember

15 PCI DSS Payment Card Industry Data Security Standard

16 What is PCI SSC? The PCI SSC (Payment Card Data Security Standards Council) born in 2006 version 1.1 of the standard released Responsibilities: Develop, manage, training, awareness on the PCI Security Standards In practice, the PCI Council : Promote and maintains PCI Security Programs. Ensures the qualification process and quality control (QSA, ASV, ISA, ) Maintain an up-to-date list of certified entities : QSA, ASV, PED,

17 PCI Security Standards PCI DSS : Secure Environments for Merchants & Service Providers PCI PA-DSS : Payment Applications for Software Developers PCI PTS : PIN Entry Devices Card Production for Manufacturers P2PE : Incorporates requirements from PCI DSS, PCI PA-DSS and PCI PTS to protect account data from the point of capture to payment processor (point to point)

18 Overview of PCI Ecosystem Card Brand - Decide to apply penalties (Acquirer and PSP) - Ordering the investigation (if compromised) at the expense of the compromise entity Acquirer - Responsible for merchant compliance - Work with merchant until full compliance has been validated Merchant Payment Service Provider (PSP) - Responsible of its own compliancy Web Hosting and Data Center Hosting Providers Payment applications editor/vendor Payment Terminal Provider Others providers Contractual Relationship Commercial Relationship

19 Service Providers Are considered Service providers, any organisation that store, transmit or process cardholder data for VISA/Mastercard/Amex/... Merchants, or for other Payment service providers. This also include Providers affecting Security of an entity elligible to PCI DSS. Different levels of services providers exist : Level of Service Provider Description 1 > 300,000 transactions per year 2 < 300,000 Visa transactions per year More than having a PCI DSS program, any service provider must be able to present an AoC (Attestation on Compliance). Level Action to complete Validated by : 1 2 Onsite Annual PCI DSS Audit Quarterly ASV Scans Self Assessment Questionnaire (SAQ) Quarterly ASV Scans QSA Approved Scaning Vendor (ASV) Service Provider itself Approved Scaning Vendor (ASV)

20 Merchant level As a merchant under your own Merchant ID, you should be Level 3 ecommerce or Level 4.

21 PCI DSS Payment Card Industry Data Security Standard This is also a IATA requirement : There is even a new resolution after this one bellow : IATA s obligations for Travel agents 2

22 PCI-DSS, what does an agency have to do in practice?

23 Protect your systems GDS Providers are PCI DSS Certified Know where your data are stored outside GDS systems Do not store if you don t really need it Storage must be encrypted Other applications for Accounting / Invoicing This does not mean you are fully protected Key points to remember Patch your systems & Applications Make your Windows/OS updates Make your applications updates Use Anti-Virus / Firewall Protection Anti-Virus / Anti-Phishing Anti-Malware / Anti-Spyware Firewall Network Protection

24 PCI-DSS Want some more details?

25 Some more details Access Management Accountability Key points to remember Only Personnal accounts - No Shared Login No shared Passwords Passwords to be changed at least every 90 days No Direct Access from Internet to Databases Network Segmentation Firewall Management Access Management Need to Know Least Privilege Security Policies and Procedures Tell what you are doing Do what you are telling

26 Thanks! Merci! Danke! Obrigado! Grazie!