How to Use PCI DSS for a Stronger IT Security Posture and Streamline your Compliance Efforts. April 24, 2018

Transcription

1 How to Use PCI DSS for a Stronger IT Security Posture and Streamline your Compliance Efforts April 24, 2018 MEMBER OF ALLINIAL GLOBAL, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2018 Wolf & Company, P.C.

2 Before we get started Today s presentation slides can be downloaded at The session will last about 50 minutes, and we ll then have time for Q & A. Our audience will be muted during the session. Please send your questions in using the Questions Box located on the webinar s control panel. 2

3 About Wolf & Company, P.C. Established in 1911 Offers Audit, Tax, and Risk Management Services Offices located in: Boston, Massachusetts Springfield, Massachusetts Albany, New York Livingston, New Jersey Over 250 professionals As a leading regional firm founded in 1911, we provide our clients with specialized industry expertise and responsive service. 3

4 Meet Today s Presenter Sean D. Goodwin, CCSP, CISA, CISSP, GSEC, PCIP, QSA Senior Consultant Wolf & Company, P.C. sdgoodwin@wolfandco.com Phone: Linkedin: linkedin.com/in/seandgoodwin

5 Agenda Speaker Introductions Where to start Common Pitfalls Pitfalls to avoid

6 Sean Goodwin CCSP, CISA, CISSP, GSEC, PCIP, QSA Senior Consultant Wolf & Company, P.C. PCI specialization in Service Provider environments

7 PCI DSS as a Security Strategy Service Providers with several business lines Designed to expand on best practices (NIST, SANS, OWASP, etc.) Written with a focus on Cardholder Data (CHD) Replace CHD with your Key data Good balance of controls without excessive overhead Focus on Security Compliance will follow

8 Where to Start Assign Project Management Responsibility Information Security Oversight Project Management Office Identify Organizational Overlaps Data Inventory Standard Configurations Identify the highest sensitivity level per silo

9 Change Control Foundational Control for any security initiative Entire DSS Requirement Enforcement of Testing Requirements Required evidence Hooks into almost every other IT Operations Process Monitoring for Performance

10 Change Control - Pitfalls Improper Membership of Change Control Board Change Control Policy and Procedure Documentation Lack thereof Monitoring for Unauthorized Changes

11 Real-World Example AMD Meltdown and Spectre patches High Profile Vulnerability Many rush to patch MS was provided outdated AMD documentation Patch caused unbootable machines Without a valid CC process this can cause a significant issue

12 Data Inventory To protect Key Data need to identify the landscape Can this data be encrypted or tokenized? Perform this scope-review at least annually Interview Personnel Scan file shares for keywords / patterns Various Commercial and Open Source solutions

13 Data Inventory - Pitfalls Undocumented processes Reports and other Data Manipulations Shadow IT Cloud document storage Legacy Backups Compliance retention requirements

14 Real-World Example Accounts Payable keeping undisclosed backups of CHD Spreadsheet on Accounting File Share Several employees kept printed and stored with month-end records (retention issue)

15 Standard Configurations Standardize Build Images Automated Configuration Monitoring (Puppet/Chef/GPO) Lowest common denominator minimize exceptions to policy Review exceptions for repeats

16 Standard Configurations - Pitfalls IT inherited systems We don t touch that it runs and we re not sure why Root Cause Analysis Updating Baseline Images Managing Exceptions / Customization Requirements Document and Track

17 Real-World Example Equifax & Apache Struts Lack of Vulnerability identification and remediation Vulnerability disclosed March 7, 2017 Patch released Match 8, 2017 Intrusion discovered July 29, 2017 "On March 15," Smith's testimony continues, "Equifax s information security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue identified by U.S. CERT. Unfortunately, however, the scans did not identify the Apache Struts vulnerability."

18 Access Control Centralize to Simplify SSO everywhere possible Network Segmentation Isolate by Silo Jump Hosts Principle of Least Privilege Separate user IDs for admin users

19 Access Control - Pitfalls Defining Roles for RBAC Standardized Roles Properly classifying assets Data Inventory Privilege Creep Access Reviews are tedious automate!

20 Real-World Example 3 rd party access into network Lack of internal segmentation Standard Local Admin credentials Password Policy existed on paper no enforcement

21 Activity Monitoring ALL systems Networking equipment often overlooked Starting with Privileged Users Start with Admin user or system modifications Expand to Manager or similar as needed Incorporate additional actions per your risk appetite Example: Access to Employee Records, or People of Interest

22 Activity Monitoring - Pitfalls Built-in Admin / System Limitations Password vaulting Independent Monitoring Conflict of Duties Disk Usage Retain long-term in compressed flat files Define critical Alerts vs. important Reviews Alert Fatigue

23 Real-World Example 2018 DBIR Stats 12% of breaches involve privilege misuse 68% took months or longer to discover Fairly even distribution of assets involved (DB, POS, POS Controller, Web Server) Spike in misdelivery breaches sending to the wrong person

24 Q & A Sean D. Goodwin, CCSP, CISA, CISSP, GSEC, PCIP, QSA Senior Consultant Wolf & Company, P.C. sdgoodwin@wolfandco.com Phone: Linkedin: linkedin.com/in/seandgoodwin