Jordan Levesque - Keeping your Business Secure

- Review of PCI
- Benefits of hosting with RCS
- File Integrity Monitoring
- Two Factor
- Log Aggregation
- Vulnerability Scanning
- Configuration Management and Continuous Deployment

Overview of PCI DSS
- Payment Card Industry Data Security Standard
- Mandated by card brands
- Framework for applying good security posture

What's new in 3.2?
- Greater focus on Multifactor Authentication
  - All remote access must have MFA
  - All local administrator access must have MFA
- PAN masking requirements
- Pushed out the SSL/TLS 1.0 migration deadline from June 2016 to June 2018

Why is PCI important?

Risk Overview
- 62% more breaches in 2013 than in 2012
- Over 553 million identities stolen, up from 93 million in 2012, an increase of more than 594%
[Chart: identities stolen, 2012 vs 2013; scale: 20 million per unit]

Risk Overview Threats are becoming more advanced, and attacks are becoming more frequent

Breach Overview
- Avg cost per record for retailers: $172
- Avg cost per breach: $4 million
- Average time to detection of a breach: 197 days
[Timeline chart: Jan through Dec, marking Jan 1 to Jul 17]

What are the 12 Standards?
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 5: Use and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
- Requirement 12: Maintain a policy that addresses information security for all personnel

Benefits of Hosting with RCS

Shared Responsibility of PCI sub-requirements
- RCS (362 sub-requirements): Admin Credentials, NCR Counterpoint, Managed Firewalls, Application Whitelisting, 2FA, Security policy, Hosting
- You (49 sub-requirements): Credentials, POS maintenance, Security policy

Cost, Time, Expertise
- More cost-effective for RCS to manage security applications in bulk vs smaller deployments
- RCS has dedicated personnel to handle day-to-day operations of security applications (the apps are very needy)
- RCS Security personnel are trained in the use of security applications, and become subject-matter experts

Cost, Time, Expertise

File Integrity Monitoring (FIM) & Application Whitelisting (AW)

FIM / Application Whitelisting
- Goes beyond traditional AV
- Signature-less, vs AV which is signature-based
- Analyzes patterns in file activity, not just file hashes or signatures
Hash / Signature: a string of a fixed size which is used to identify data of an arbitrary size.
  "Hello World" -> Crypto Hash Func. -> 3e25960a79dbc69b674cd4ec67a72c62
  This is a one-way function.
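The slide describes a hash as a fixed-size, one-way identifier for arbitrary data and FIM as watching what happens to files. The script below is an added example, not RCS's product or any code from the deck: it baselines a directory by hashing every file, then compares a later snapshot to report added, removed and modified files. The directory contents and file names (`pos.exe`, `config.ini`, `unexpected.dll`) are constructed for the demonstration.

```python
"""Minimal file-integrity baseline and compare (added example, not the deck's code)."""
import hashlib
import os
import tempfile

HASH_ALGO = "sha256"  # 64 hex chars regardless of input size: the "fixed size" property


def hash_file(path, algo=HASH_ALGO, chunk_size=65536):
    """Return the hex digest of a file, streaming so large files fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map every file under root (path relative to root) to its digest."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snapshot[os.path.relpath(full, root)] = hash_file(full)
    return snapshot


def compare(old, new):
    """Classify the differences between two snapshots."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a temp directory, then change it underneath the monitor."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "pos.exe"), "wb") as fh:
            fh.write(b"original binary")
        with open(os.path.join(root, "config.ini"), "wb") as fh:
            fh.write(b"[pos]\nmode=prod\n")
        before = baseline(root)

        # Simulated file activity: a binary is altered, a new file appears, a config vanishes.
        with open(os.path.join(root, "pos.exe"), "wb") as fh:
            fh.write(b"original binary plus unexpected bytes")
        with open(os.path.join(root, "unexpected.dll"), "wb") as fh:
            fh.write(b"not in the baseline")
        os.remove(os.path.join(root, "config.ini"))
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

A real FIM agent stores the baseline off-host and signs it; otherwise an attacker who can alter the monitored files can alter the baseline too.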

FIM / AW: Rule Abstraction
Signature-less rule example:
  IF [any file hash] SIGNED BY [LogMeIn] EXECUTES AT [C:\%APPDATA%\local\logmein rescue unattended], ALLOW EXECUTION

FIM / AW: File Report Example

FIM / AW: Control Models
Low
- Operates on a blacklist
- Unapproved files allowed
- Banned files blocked
- Low potential for false positives
- Monitors file propagation
- Custom rules enforced for fine-tuning of allowed or disallowed file activity
High
- Operates on a whitelist
- Unapproved files blocked
- Banned files blocked
- High potential for false positives
- Monitors file propagation
- Custom rules enforced for fine-tuning of allowed or disallowed file activity
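The rule-abstraction slide and the Low/High control-model slide together describe a policy engine: rules that match on signer and execution path rather than on a specific hash, plus an enforcement level that decides what happens to a file no rule covers. The toy evaluator below is an added example (not the vendor's engine or RCS code) implementing exactly that: explicit bans block in both modes, an unknown file is allowed in "low" (blacklist) mode and blocked in "high" (whitelist) mode. The event paths, hashes and the banned hash are constructed; the LogMeIn rule mirrors the slide's example.

```python
"""Toy application-control policy evaluator (added example, not the product's engine)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional, Set


@dataclass(frozen=True)
class ExecEvent:
    path: str               # where the file is executing from
    sha256: str             # file hash; may be unknown to the policy
    signer: Optional[str]   # verified publisher name, None if unsigned or signature invalid


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "ban"
    signer: Optional[str] = None      # match on publisher (signature-based, hash-independent)
    path_glob: Optional[str] = None   # match on execution location
    sha256: Optional[str] = None      # match on a specific hash (traditional AV style)

    def matches(self, ev: ExecEvent) -> bool:
        if self.signer is not None and ev.signer != self.signer:
            return False
        # Lower-case both sides: Windows paths are case-insensitive, fnmatch on POSIX is not.
        if self.path_glob is not None and not fnmatch(ev.path.lower(), self.path_glob.lower()):
            return False
        if self.sha256 is not None and ev.sha256 != self.sha256:
            return False
        return True


@dataclass
class Policy:
    mode: str                                    # "low" = blacklist model, "high" = whitelist model
    rules: List[Rule] = field(default_factory=list)
    approved_hashes: Set[str] = field(default_factory=set)

    def decide(self, ev: ExecEvent) -> str:
        # Banned files are blocked under both control models.
        if any(r.action == "ban" and r.matches(ev) for r in self.rules):
            return "block"
        if ev.sha256 in self.approved_hashes or any(
            r.action == "allow" and r.matches(ev) for r in self.rules
        ):
            return "allow"
        # Unapproved file: allowed in "low", blocked in "high".
        return "allow" if self.mode == "low" else "block"


def demo():
    """Constructed events run through both enforcement levels."""
    rules = [
        # The slide's signature-less rule: any hash, signed by LogMeIn, from the unattended-rescue path.
        Rule("allow", signer="LogMeIn", path_glob=r"C:\%APPDATA%\local\logmein rescue unattended\*"),
        Rule("ban", sha256="deadbeef" * 8),  # constructed known-bad hash
    ]
    events = {
        "signed_in_place": ExecEvent(r"C:\%APPDATA%\local\logmein rescue unattended\lmi.exe", "a1" * 32, "LogMeIn"),
        "signed_moved": ExecEvent(r"C:\Temp\lmi.exe", "a1" * 32, "LogMeIn"),  # same binary, wrong location
        "unsigned_unknown": ExecEvent(r"C:\Temp\tool.exe", "b2" * 32, None),
        "banned": ExecEvent(r"C:\Temp\bad.exe", "deadbeef" * 8, "SomeVendor"),
    }
    return {
        mode: {name: Policy(mode, rules).decide(ev) for name, ev in events.items()}
        for mode in ("low", "high")
    }


if __name__ == "__main__":
    print(demo())
```

Note how the same signed LogMeIn binary is allowed from its expected directory and blocked from `C:\Temp` in high mode: the rule keys on signer plus location, so a re-signed update keeps working without a hash update, while the binary copied elsewhere does not.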

Two-Factor Authentication (2FA)

Authentication Factors
- Something you know: Password
- Something you have: RSA Token, Digital Certificate, YubiKey, Phone & Duo Security
- Something you are: Iris, Fingerprint, Voice

2FA: Our Solutions
YubiKeys
- Primary uses: POS users, Back office users, Admin users
- Token is plugged in, and the center button is pressed at the 2FA prompt
Duo Push
- Primary uses: Back-office, Admin users
- A push is requested from the 2FA prompt, which is sent to the corresponding smartphone
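The two slides above pair "something you know" with "something you have". To show what a server actually checks, the example below is an added illustration (not RCS's or Duo's or Yubico's code): the "have" factor is modelled with the standard HMAC-based one-time password (HOTP, RFC 4226), which the deck does not mention but which is the counter-based scheme behind hardware OTP tokens in general. The login succeeds only when the salted password hash matches and a fresh token code verifies; a code that was already used is rejected because the counter has moved past it. The user name, password and token secret are constructed; the token secret is RFC 4226's published test key.

```python
"""Two-factor login check: password + counter-based one-time token (added example)."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % 10 ** digits
    return str(code).zfill(digits)


@dataclass
class User:
    pwd_hash: bytes
    salt: bytes
    token_secret: bytes   # shared secret provisioned into the token ("something you have")
    counter: int = 0      # next counter value the server will accept


def register(password: str, token_secret: bytes) -> User:
    salt = secrets.token_bytes(16)
    pwd_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return User(pwd_hash, salt, token_secret)


def verify_password(user: User, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, user.pwd_hash)


def verify_token(user: User, code: str, look_ahead: int = 5) -> bool:
    """Accept a code within a small window of upcoming counters (button pressed off-line)."""
    for c in range(user.counter, user.counter + look_ahead):
        if hmac.compare_digest(hotp(user.token_secret, c), code):
            user.counter = c + 1  # advance past the used code so it cannot be replayed
            return True
    return False


def login(user: User, password: str, code: str) -> bool:
    """Both factors must pass; the caller only learns success or failure."""
    if not verify_password(user, password):
        return False
    return verify_token(user, code)


if __name__ == "__main__":
    u = register("constructed-password", b"12345678901234567890")
    print(login(u, "constructed-password", hotp(u.token_secret, 0)))   # True
    print(login(u, "constructed-password", hotp(u.token_secret, 0)))   # False: replayed code
```

The replay rejection is the property that makes the second factor worth more than a static secret: observing one code gives an attacker nothing for the next login, which is why the slide's "press the button at the prompt" flow resists password reuse.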

2FA: Where does it apply? During the Remote Desktop login

Security Information & Event Manager (SIEM)

SIEM: Why does it matter?
- Local event logs can be manipulated; a SIEM provides forensically-sound archival of events
- Local event logs are overwritten when space runs out
- Can be mined / queried for deep security intelligence about any and all systems reporting in
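To make "forensically-sound archival" and "can be queried" concrete, here is an added example (not the deck's or any SIEM vendor's code): a central archive that hash-chains every forwarded event so a later edit to any record breaks the chain, plus one query over the archive. The log line format and the sample lines are constructed; `LOG_CLEARED` stands for whatever a real agent emits when a host's local log is wiped, which is itself a signal worth alerting on.

```python
"""Tamper-evident central log archive with a simple query (added example)."""
import hashlib
import json
import re
from collections import Counter

GENESIS = "0" * 64  # hash "before" the first record

# Constructed sample lines in the shape "<timestamp> <host> <event> user=<u> [src=<ip>]".
SAMPLE_LINES = [
    "2018-05-01T08:00:01Z pos-01 LOGIN_OK user=cashier1 src=10.0.0.20",
    "2018-05-01T08:02:11Z pos-01 LOGIN_FAILED user=admin src=10.0.0.5",
    "2018-05-01T08:02:14Z pos-02 LOGIN_FAILED user=admin src=10.0.0.5",
    "2018-05-01T08:02:19Z pos-03 LOGIN_FAILED user=admin src=10.0.0.5",
    "2018-05-01T08:05:00Z pos-02 LOGIN_OK user=cashier2 src=10.0.0.21",
    "2018-05-01T08:06:30Z pos-02 LOG_CLEARED user=admin",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+)(?: src=(?P<src>\S+))?$"
)


def parse_line(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()  # 'src' is None when the field is absent


def _link_hash(prev_hash: str, record: dict) -> str:
    """Hash of this record bound to the previous hash; canonical JSON keeps it deterministic."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class Archive:
    def __init__(self):
        self.entries = []  # append-only: [{"record": {...}, "hash": "..."}]

    def append(self, record: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": dict(record), "hash": _link_hash(prev, record)})

    def verify(self) -> int:
        """Return the index of the first record whose chain link is broken, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if _link_hash(prev, entry["record"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1


def build_archive(lines):
    archive = Archive()
    for line in lines:
        archive.append(parse_line(line))
    return archive


def failed_logins_by_source(archive: Archive, threshold: int = 3) -> dict:
    """Query: sources with at least `threshold` failed logins across all reporting hosts."""
    counts = Counter(
        e["record"]["src"]
        for e in archive.entries
        if e["record"]["event"] == "LOGIN_FAILED" and e["record"]["src"]
    )
    return {src: n for src, n in counts.items() if n >= threshold}


def log_clears(archive: Archive) -> list:
    """Query: hosts whose local log was cleared (the local copy is gone, the archive copy is not)."""
    return [e["record"]["host"] for e in archive.entries if e["record"]["event"] == "LOG_CLEARED"]


def tamper_demo() -> int:
    """Edit an archived record after the fact and show the chain flags exactly that index."""
    archive = build_archive(SAMPLE_LINES)
    archive.entries[1]["record"]["event"] = "LOGIN_OK"  # rewrite history
    return archive.verify()


if __name__ == "__main__":
    a = build_archive(SAMPLE_LINES)
    print("intact:", a.verify() == -1)
    print("failed logins:", failed_logins_by_source(a))
    print("log clears on:", log_clears(a))
    print("tampered index:", tamper_demo())
```

The three failures against `admin` are spread over three POS hosts, so no single host's local log would show a pattern; only the aggregated archive does, which is the "deep security intelligence about any and all systems" point on the slide.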

Vulnerability Scanning

Vulnerability Scanning: HOLY VULNERABILITIES, BATMAN!
- Evaluates a system for open ports, missing patches, and other potential attack vectors or points of weakness
- Provides actionable intelligence and recommendations
Example from vendor's website

Vulnerability Scanning: Breakdown Example

Configuration Management (CM) & Continuous Deployment (CD)

CM&CD: The Challenge How the heck do you enforce a change on X amount of servers without touching each one individually?

CM&CD: The Solution Something akin to the Starkiller base, but like for the good guys. All seeing, all reaching.

CM&CD: How it works
Deployments are delivered to clusters of servers within defined maintenance windows:
- Windows Updates
- AV Updates
- Applications
- Config Rules

CM&CD: Benefits
Well that's all fine and dandy, but what does that get me?
- Quick response to updates in best-practices
- Faster deployment of critical patches
- High compliance = high stability
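The "How it works" and "Benefits" slides describe deployments (Windows Updates, AV Updates, Applications, Config Rules) pushed to clusters inside defined maintenance windows. The scheduler below is an added example, not RCS's deployment tooling: it decides which clusters receive a deployment at a given moment, handling the awkward case of a window that opens late in the evening and closes after midnight. The cluster names, host names and windows are constructed, and the `emergency` flag (a critical patch that ignores windows) is an assumption, since the deck says only that critical patches deploy faster.

```python
"""Maintenance-window scheduler for clustered deployments (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from typing import Dict, List


@dataclass(frozen=True)
class Window:
    weekday: int   # 0 = Monday ... 6 = Sunday: the day on which the window opens
    start: time
    end: time      # if end <= start the window runs past midnight into the next day

    def contains(self, when: datetime) -> bool:
        t = when.time()
        day = when.weekday()
        if self.start < self.end:
            return day == self.weekday and self.start <= t < self.end
        # Crosses midnight: the tail of the window belongs to the following weekday.
        opens_today = day == self.weekday and t >= self.start
        closes_tomorrow = day == (self.weekday + 1) % 7 and t < self.end
        return opens_today or closes_tomorrow


@dataclass
class Cluster:
    name: str
    hosts: List[str]
    windows: List[Window] = field(default_factory=list)

    def in_window(self, when: datetime) -> bool:
        return any(w.contains(when) for w in self.windows)


@dataclass(frozen=True)
class Deployment:
    kind: str                # "Windows Updates", "AV Updates", "Applications", "Config Rules"
    emergency: bool = False  # assumption: an out-of-band critical patch ignores windows


def plan(clusters: List[Cluster], deployment: Deployment, now: datetime) -> Dict[str, List[str]]:
    """Return {cluster name: hosts} for every cluster that should receive `deployment` right now."""
    targets = [c for c in clusters if deployment.emergency or c.in_window(now)]
    return {c.name: list(c.hosts) for c in targets}


# Constructed fleet: POS servers patch early Sunday morning, back office Tuesday night into Wednesday.
CLUSTERS = [
    Cluster("pos", ["pos-01", "pos-02", "pos-03"], [Window(6, time(2, 0), time(4, 0))]),
    Cluster("backoffice", ["bo-01", "bo-02"], [Window(1, time(23, 0), time(1, 0))]),
]


if __name__ == "__main__":
    # All times are UTC; 2018-05-02 is a Wednesday, so 00:30 falls in the tail of Tuesday's window.
    now = datetime(2018, 5, 2, 0, 30, tzinfo=timezone.utc)
    print(plan(CLUSTERS, Deployment("AV Updates"), now))
    print(plan(CLUSTERS, Deployment("Critical patch", emergency=True), now))
```

Enforcing the window in code rather than by operator discipline is what lets one change reach every server in a cluster at the same time, without anyone logging into each box, which is the challenge the earlier slide poses.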