New Scoping Guidelines

Transcription

1 New Scoping Guidelines Kerry Digou, ISA NC State University Craig Henninger, CISSP, QSA CampusGuard

2 Definition - Scope Scoping involves the identification of people, processes, and technologies that interact with or could otherwise impact the security of CHD. The first step of a PCI DSS assessment is to accurately determine the scope of the review.

3 Definition - Segmentation Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network. To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that even if the out-of-scope system component was compromised it could not impact the security of the CDE. While not required, Segmentation can reduce; Scope Cost Difficulty Risk

4 Responsibility for Scope At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of its PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or, if compromised, could impact the CDE (for example, authentication servers) to ensure they are included in PCI DSS scope.

5 Responsibility for Scope For each PCI DSS assessment, the assessor is required to validate that the scope of the assessment is accurately defined and documented. The assessor relies on accurate data from the entity, so it is imperative that the full CDE and connected technologies, people and processes are included.

6 Scoping Categories CDE Stores Processes or Transmits CHD/SAD On the Same Network Connected-to Directly connects to CDE Indirectly connects to CDE Impacts security of CDE Provides services to CDE Security Segmentation Requirements Out of Scope Everything Else Third Parties Don t forget the third parties that provide services that affect the CDE or connected systems

7 Scoping & Segmentation POS Systems POI Devices Webservers Firewalls Domain Controllers AV/AM SCCM/WSUS Hypervisor (virtualization) Administrators systems And the list continues.. Other Campus Networks Internet

8 Segmentation Controls Host Based Firewall IDS/IPS Physical/Logical Access controls Multifactor Authentication Restricting Administrative Access Actively Monitoring for Suspicious Network or System Behavior Logging

9

10 NCSU CDE POS/POI Bookstore Cash Register Environment We have > 30 Cash Registers in 3 buildings (6 different locations) Dedicated Payment Workstations Designed for >100 stations, we now have 5 to be replaced

11

12

13 CDE Example MAC Address IP Address Hostname VLAN: Switch Hostname Switch Port: Bookstores CDE Devices - Cash Registers Uplink Switch 1 Uplink Switch 1 Port Uplink Switch 2 Uplink Switch 2 Port Uplink Switch 3 Uplink Switch 3 Port

14 Connected-to Systems Can directly Connect to CDE Provides Support Services Can impact configuration or Security Applicable PCI DSS Requirements

15 Bookstore CDE w/connected Systems

16 DPW CDE w/connected Systems

17 Directly Connected

18 Can impact configuration or Security

19 Can impact configuration or Security

20 Can impact configuration or Security Old Transportation Setup Gate Server How Much? Reporting Card Reader

21 PCI Support Services

22 PCI Support Services Active Directory Admin Workstations Splunk Web infrastructure for Registration Monitoring Servers NTP ERP LDAP Network Tools Badge Access System

23 PCI Support Services Puppet Enterprise Bookstore Server Thin client Server Intrusion Detection System DNS System Scanning System Web Proxy (outgoing) Network Devices Tripwire

24 Oh..Don t Forget.. Analog POS People Policy /Procedures

25 Out-of-scope Systems Doesn t fit in the previous two groups If it has connectivity to a connected-to or security impacting system: controls must be in place to prevent the out-of-scope system from gaining access to the CDE via the inscope systems. These controls must be validated at least annually.

26 Out-of-scope issues Old Old Transportation Setup Gate Server How Much? Reporting Card Reader Admin Wkst

27 Out-of-scope issues Old Transportation Setup Gate Server How Much? Reporting Card Reader

28 Questions? Before we get to questions one that has come up

29 System and Network Administration

30 System and Network Administration Administrator has duties in and out of the CDE A Jumpbox is used to Administer systems Firewall controls all in/out access Limited access from specific Admin network & systems Admin workstation is considered in-scope Active monitoring and DLP tools in place MFA is in place on Admin workstation and Jumpbox Admin userid to access the jumpbox does NOT have admin control of the jumpbox Must use a physical token (smart card, secureid, etc) Firewall rules control all in/out Not required but recommended: Separate Admin workstation

31

32 Now really open to questions Questions?