Jordan Levesque - Keeping your Business Secure
Agenda:
Review of PCI
Benefits of hosting with RCS
File Integrity Monitoring
Two Factor
Log Aggregation
Vulnerability Scanning
Configuration Management and Continuous Deployment
Overview of PCI DSS
Payment Card Industry Data Security Standard
Mandated by the card brands
Framework for applying a good security posture
What's new in 3.2?
Greater focus on multifactor authentication:
All remote access must have MFA
All local administrator access must have MFA
PAN masking requirements
SSL/TLS 1.0 migration deadline pushed out from June 2016 to June 2018
Why is PCI important?
Risk Overview
62% more breaches in 2013 than in 2012
Over 553 million identities stolen, up from 93 million in 2012, an increase of more than 594%
(Chart: identities stolen, 2012 vs 2013; one icon = 20 million)
Risk Overview
Threats are becoming more advanced, and attacks are becoming more frequent
Breach Overview
Average cost per record for retailers: $172
Average cost per breach: $4 million
Average time to detection of a breach: 197 days
(Timeline: Jan 1 to Jul 17 illustrates the 197-day detection window)
What are the 12 Standards?
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Use and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security for all personnel
Benefits of Hosting with RCS
Shared Responsibility of PCI sub-requirements
RCS (362 sub-requirements): admin credentials, NCR Counterpoint, managed firewalls, application whitelisting, 2FA, security policy, hosting
You (49 sub-requirements): credentials, POS maintenance, security policy
Cost, Time, Expertise
More cost-effective for RCS to manage security applications in bulk than in smaller deployments
RCS has dedicated personnel to handle day-to-day operations of security applications (the apps are very needy)
RCS security personnel are trained in the use of security applications, and become subject-matter experts
File Integrity Monitoring (FIM) & Application Whitelisting (AW)
FIM / Application Whitelisting
Goes beyond traditional AV
Signature-less, vs AV which is signature-based
Analyzes patterns in file activity, not just file hashes or signatures
Hash / Signature: a string of a fixed size which is used to identify data of an arbitrary size
Example: "Hello World" -> cryptographic hash function -> 3e25960a79dbc69b674cd4ec67a72c62
This is a one-way function.
FIM / AW: Rule Abstraction
Signature-less rule example:
IF [any file hash] SIGNED BY [LogMeIn] EXECUTES AT [C:\%APPDATA%\local\logmein rescue unattended], ALLOW EXECUTION
FIM / AW: File Report Example
FIM / AW: Control Models
Low:
Operates on a blacklist
Unapproved files allowed
Banned files blocked
Low potential for false positives
Monitors file propagation
Custom rules enforced for fine-tuning of allowed or disallowed file activity
High:
Operates on a whitelist
Unapproved files blocked
Banned files blocked
High potential for false positives
Monitors file propagation
Custom rules enforced for fine-tuning of allowed or disallowed file activity
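Added example (not from the slides or RCS's tooling) showing the three ideas from the FIM / AW slides in one place: a one-way file hash, an integrity diff between two snapshots, and the "Low" (blacklist) vs "High" (whitelist) verdict logic with a signature-less "signed by X, executes at Y" rule. The hashes, paths and signer values are constructed, and the signer is passed in directly instead of being read from an Authenticode signature.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed sample policy (hypothetical hashes and paths): one banned hash,
# one approved hash, and a signature-less allow rule in the style of the slide
# ("any hash, signed by LogMeIn, executing under the LogMeIn Rescue folder").
# On a real host the signer would be read from the binary's Authenticode signature.
BANNED_HASHES = {"1111" * 16}
APPROVED_HASHES = {"2222" * 16}
ALLOW_RULES = [("LogMeIn", r"c:\users\pos\appdata\local\logmein rescue unattended")]


def file_hash(data: bytes, algo: str = "sha256") -> str:
    """One-way, fixed-size fingerprint of data of arbitrary size."""
    return hashlib.new(algo, data).hexdigest()


def fim_diff(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """File integrity check: compare two {path: hash} snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def decide(mode: str, digest: str, signer: Optional[str], path: str) -> str:
    """Execution verdict under the slide's two control models.
    'low'  = blacklist: banned blocked, everything else allowed.
    'high' = whitelist: banned blocked, unapproved blocked unless a rule allows it.
    """
    if digest in BANNED_HASHES:
        return "block"                      # banned wins in both models
    if digest in APPROVED_HASHES:
        return "allow"
    for rule_signer, rule_dir in ALLOW_RULES:
        if signer == rule_signer and path.lower().startswith(rule_dir.lower()):
            return "allow"                  # hash irrelevant: signer + location match
    return "allow" if mode == "low" else "block"


if __name__ == "__main__":
    # The slide's digest is MD5 of "Hello world" (lowercase w).
    print(file_hash(b"Hello world", "md5"))
    base = {r"c:\pos\app.exe": "2222" * 16, r"c:\pos\cfg.ini": file_hash(b"a=1")}
    now = {r"c:\pos\app.exe": "2222" * 16, r"c:\pos\cfg.ini": file_hash(b"a=2")}
    print(fim_diff(base, now))
    print(decide("low", "9999" * 16, None, r"c:\tmp\x.exe"), decide("high", "9999" * 16, None, r"c:\tmp\x.exe"))
```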
Two-Factor Authentication (2FA)
Authentication Factors
Something you know: Password
Something you have: RSA Token, Digital Certificate, YubiKey, Phone & Duo Security
Something you are: Iris, Fingerprint, Voice
2FA: Our Solutions
YubiKeys
Primary uses: POS users, back office users, admin users
Token is plugged in, and the center button is pressed at the 2FA prompt
Duo Push
Primary uses: back-office admin users
A push is requested from the 2FA prompt, which is sent to the corresponding smartphone
2FA: Where does it apply?
During the Remote Desktop login
Security Information & Event Manager (SIEM)
SIEM: Why does it matter?
Local event logs can be manipulated; the SIEM provides forensically sound archival of events
Local event logs are overwritten when space runs out
Can be mined / queried for deep security intelligence about any and all systems reporting in
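Added example (not from the slides or any particular SIEM product) of what "forensically sound archival" means in practice: events forwarded off the endpoint are stored in a hash chain, so a later edit, deletion or truncation of the archived copy is detectable, unlike a local log that the host itself can rewrite. The event records are constructed and the field names are illustrative, not a real Windows event schema.

```python
import hashlib
import json
from typing import Dict, List, Optional

# Constructed sample of endpoint events as a SIEM might receive them.
SAMPLE_EVENTS: List[Dict] = [
    {"host": "pos-01", "id": 4624, "user": "cashier1", "msg": "logon success"},
    {"host": "pos-01", "id": 4672, "user": "cashier1", "msg": "special privileges assigned"},
    {"host": "pos-01", "id": 1102, "user": "cashier1", "msg": "audit log was cleared"},
]

GENESIS = "0" * 64


def _digest(prev_hash: str, event: Dict) -> str:
    """Hash of this event bound to the hash of the record before it."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class ChainedArchive:
    """Append-only store: each record commits to its predecessor, so editing,
    removing or reordering an event after the fact breaks every later link."""

    def __init__(self) -> None:
        self.records: List[Dict] = []

    def append(self, event: Dict) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        h = _digest(prev, event)
        self.records.append({"prev": prev, "event": dict(event), "hash": h})
        return h  # current head; keep a copy outside the archive as an anchor

    def verify(self, expected_head: Optional[str] = None) -> int:
        """Return -1 if the chain is intact (and matches expected_head, if given),
        otherwise the index of the first record that no longer checks out."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or _digest(prev, rec["event"]) != rec["hash"]:
                return i
            prev = rec["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.records)  # records were truncated from the end
        return -1


def build_archive(events: List[Dict] = SAMPLE_EVENTS) -> ChainedArchive:
    arc = ChainedArchive()
    for e in events:
        arc.append(e)
    return arc
```

Verifying with the anchored head hash is what catches truncation; the chain alone only catches edits and removals in the middle.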
Vulnerability Scanning
Vulnerability Scanning: HOLY VULNERABILITIES, BATMAN!
Evaluates a system for open ports, missing patches, and other potential attack vectors or points of weakness
Provides actionable intelligence and recommendations
(Example from vendor's website)
Vulnerability Scanning: Breakdown Example
Configuration Management (CM) & Continuous Deployment (CD)
CM&CD: The Challenge
How the heck do you enforce a change on X servers without touching each one individually?
CM&CD: The Solution
Something akin to the Starkiller base, but like for the good guys. All seeing, all reaching.
CM&CD: How it works
Deployments are delivered to clusters of servers within defined maintenance windows:
Windows Updates
AV Updates
Applications
Config Rules
CM&CD: Benefits
Well, that's all fine and dandy, but what does that get me?
Quick response to updates in best practices
Faster deployment of critical patches
High compliance = high stability
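Added example (not from the slides or RCS's deployment system) of the scheduling rule behind "delivered to clusters within defined maintenance windows": each cluster has a weekly window, the queue lists which clusters a deployment targets, and a deployment is only released to a cluster whose window is open, including windows that cross midnight. Cluster names, windows and queue entries are constructed.

```python
from datetime import datetime, time, timedelta
from typing import Dict, List, Tuple

# Constructed cluster definitions (hypothetical names). Each cluster has a weekly
# maintenance window given as weekday numbers (Mon=0) plus a local start and end
# time; a window whose end is earlier than its start runs past midnight.
CLUSTERS: Dict[str, dict] = {
    "pos-east":   {"days": {6},    "start": time(23, 0), "end": time(3, 0)},  # Sun 23:00-Mon 03:00
    "backoffice": {"days": {1, 3}, "start": time(2, 0),  "end": time(4, 0)},  # Tue/Thu 02:00-04:00
}

# Constructed deployment queue: (deployment name, target clusters).
QUEUE: List[Tuple[str, List[str]]] = [
    ("windows-updates", ["pos-east", "backoffice"]),
    ("av-updates",      ["pos-east"]),
    ("config-rules",    ["backoffice"]),
]


def in_window(cluster: str, now: datetime) -> bool:
    """True if 'now' (cluster-local time) falls inside the cluster's window."""
    w = CLUSTERS[cluster]
    t, day = now.time(), now.weekday()
    if w["start"] <= w["end"]:
        return day in w["days"] and w["start"] <= t < w["end"]
    # Window crosses midnight: the late part belongs to the scheduled day,
    # the early part to the following day.
    yesterday = (now - timedelta(days=1)).weekday()
    return (day in w["days"] and t >= w["start"]) or (yesterday in w["days"] and t < w["end"])


def due_now(now: datetime) -> List[Tuple[str, str]]:
    """Deployments that may be delivered right now, as (deployment, cluster) pairs."""
    return [(name, c) for name, targets in QUEUE for c in targets if in_window(c, now)]


if __name__ == "__main__":
    print(due_now(datetime(2024, 1, 8, 1, 30)))   # Monday 01:30: pos-east window still open
```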