PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin
PCI 2.0: What's Next for PCI DSS and Logging
  Dr. Anton Chuvakin
  Security Warrior Consulting
  www.securitywarriorconsulting.com/
  September 2010
Outline
  - PCI DSS Refresher
  - PCI DSS 2.0 Review
  - Logging – Key to PCI DSS!
  - PCI DSS: What You MUST Do Now!
  - Conclusions
QSA is Coming! Are You Ready?
  - Annual on-site PCI DSS assessment (the "QSA visit")
  - Review of PCI DSS policies and procedures
  - Evaluation of the scope of PCI applicability
  - Assessment of compliance with technical controls, including collection and review of logs
What is PCI DSS or PCI?
  Payment Card Industry Data Security Standard
  - Payment Card =
  - Payment Card Industry =
  - Data Security =
  - Data Security Standard =
PCI Regime vs DSS Guidance
  The PCI Council publishes PCI DSS, which:
  - Outlines the minimum data security protection measures for payment card data
  - Defines Merchant and Service Provider levels, and the compliance validation requirements for each
  - Leaves enforcement to the card brands (the Council doesn't fine anybody!)
  Key point: PCI DSS (the document) vs PCI (the validation regime)
The Requirements
What Does PCI DSS Mean to You?
  PCI Compliance Impact
  - Acquirer fines
  - Rate increases
  - Legal fees
  - Loss of card network access
  Related Security Impact
  - Direct loss due to breach
  - Breach notification costs
  - Investigation costs
  - New security measures
  - Brand damage
  - Cost of lost IP
  - Loss of customer trust

PCI is Changing!
  Select items changing for PCI 2.0:
  - Scoping clarification
  - Data storage
  - Virtualization (!!)
  - DMZ clarification
  - Vulnerability remediation
  - Remote data access
  - PA-DSS changes as well (including application logging)
The Key Piece: Requirement 10
  In brief:
  - Must have good logs
  - Must collect logs
  - Must store logs for 1 year
  - Must protect logs
  - Must review logs daily (using an automated system)
PCI DSS Requirement 10.1
  What is it?
  "Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user."
  What does it mean?
  Every logged user action must carry the name of the individual who performed it; a log entry that only says "root" does not identify a person.
  What will the QSA check for?
  "Verify through observation and interviewing the system administrator, that audit trails are enabled and active for system components"
  What you MUST do
  Log all administrative access and actions, and make sure the entries are tied to individual user names.
PCI DSS Requirement 10.2
  What is it?
  "Implement automated audit trails for all system components"
  What does it mean?
  Make sure you log all PCI-mandated event types on all in-scope systems.
  What will the QSA check for?
  "Through interviews, examination of audit logs, and examination of audit log settings" verify that this is being done
  What you MUST do
  Enable logging on all PCI systems; for the list of mandated event types see PCI DSS.
PCI DSS Requirement 10.5
  What is it?
  "Secure audit trails so they cannot be altered."
  What does it mean?
  Collected logs must be protected from changes and from unauthorized viewing.
  What will the QSA check for?
  "Interview system administrator and examine permissions to verify that audit trails are secured so that they cannot be altered"
  What you MUST do
  Store logs on a secured system, restrict who can read them, and log all access to the logs themselves.
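The "cannot be altered" requirement is normally met by collecting logs on a separate, locked-down server and by making the stored trail tamper-evident, so that a change is detectable even by someone reviewing the trail later. The Python below is an added example, not code from the presentation or from Security Warrior Consulting: it chains each stored line to the previous one with an HMAC, so a verifier recomputing the chain from the start finds the first record that was altered, reordered or removed. The sample lines, the `COLLECTOR_KEY` value and the `build_chain`/`verify_chain` names are constructed for this illustration. It also shows the failure mode a chain alone does not catch: silently dropping the newest records leaves a shorter but still valid chain, which only an externally recorded latest tag (`anchor_tag`) exposes.

```python
import hashlib
import hmac

# Constructed sample lines as a central collector might receive them (not real logs).
SAMPLE_LINES = [
    "Sep  1 03:14:01 pos-db01 sshd[2201]: Accepted publickey for jsmith from 10.1.20.7 port 51022 ssh2",
    "Sep  1 03:14:09 pos-db01 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/cat /var/lib/pos/cards.db",
    "Sep  1 03:20:44 pos-db01 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/truncate -s0 /var/log/auth.log",
]

# Hypothetical key held only by the log collector; placeholder value for this example.
COLLECTOR_KEY = b"example-collector-key-not-for-production"
GENESIS = "0" * 64


def _link(prev_tag, line):
    """Tag for one record: HMAC over the previous tag and this line, so each record depends on all earlier ones."""
    return hmac.new(COLLECTOR_KEY, prev_tag.encode() + b"\n" + line.encode(), hashlib.sha256).hexdigest()


def build_chain(lines):
    """Append lines to a fresh chain and return the stored records (seq, line, tag)."""
    records, prev = [], GENESIS
    for seq, line in enumerate(lines):
        tag = _link(prev, line)
        records.append({"seq": seq, "line": line, "tag": tag})
        prev = tag
    return records


def verify_chain(records, anchor_tag=None):
    """Recompute every tag from GENESIS.

    Returns (True, None) if the stored trail is intact, otherwise (False, seq) where seq is the
    first record that was altered, reordered or removed. Removing records from the END of the
    trail leaves a valid shorter chain; pass the last tag you recorded out-of-band as anchor_tag
    to detect that truncation as well.
    """
    prev = GENESIS
    for expected_seq, rec in enumerate(records):
        if rec["seq"] != expected_seq or _link(prev, rec["line"]) != rec["tag"]:
            return False, expected_seq
        prev = rec["tag"]
    if anchor_tag is not None and prev != anchor_tag:
        return False, len(records)
    return True, None


if __name__ == "__main__":
    chain = build_chain(SAMPLE_LINES)
    print("intact:", verify_chain(chain))
    edited = [dict(r) for r in chain]
    edited[1]["line"] = edited[1]["line"].replace("cards.db", "notes.txt")
    print("record 1 edited:", verify_chain(edited))
    print("last record dropped, no anchor:", verify_chain(chain[:-1]))
    print("last record dropped, with anchor:", verify_chain(chain[:-1], anchor_tag=chain[-1]["tag"]))
```

The key must live only on the collector: an administrator with root on a log source can then rewrite the source's local copy but not re-sign the central trail. An administrator with root on the collector can, which is why the latest tag (or a daily record count) should be copied somewhere that collector cannot overwrite, and why 10.5 also calls for the access permissions the QSA inspects; the chain makes alteration visible, it does not prevent it.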
PCI DSS Requirement 10.5.3
  What is it?
  "Promptly back up audit trail files to a centralized log server or media that is difficult to alter."
  What does it mean?
  Logs must be collected centrally, and soon after they are written, so that a compromised source cannot quietly remove its own trail.
  What will the QSA check for?
  "Verify that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter"
  What you MUST do
  Deploy a log server and collect logs from all PCI systems onto it.
PCI DSS Requirement 10.6
  What is it?
  "Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like IDS and authentication, authorization, and accounting protocol servers."
  What does it mean?
  Collected logs must be reviewed daily, and exceptions found in the review must be followed up.
  What will the QSA check for?
  "Obtain and examine security policies … to verify that they include procedures to review security logs at least daily and that follow-up to exceptions is required. Through observation and interviews, verify that regular log reviews are performed for all system components."
  What you MUST do
  Establish a log review process (with an automated tool doing the bulk of the work) and follow it.
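Requirement 10.6 asks for a daily review with follow-up on exceptions, and 10.1/10.2 above fix what the reviewed entries must contain. The Python below is an added example that is not part of the presentation: a minimal automated daily review over constructed syslog lines (sshd and sudo messages modelled on the usual Linux formats, not captured from any real system). It flags the exception types a reviewer would follow up on: successful privileged access that cannot be attributed to an individual user (the 10.1 point), administrative actions touching the audit trail, repeated failed logins from one source, and lines the parser cannot read, which are a silent gap in review coverage rather than noise. The `daily_review` function, the shared-account list and the threshold are assumptions for this illustration; a SIEM or log management product would run equivalent rules.

```python
import re
from collections import Counter

# Constructed sample for one day's worth of auth logs from two in-scope hosts (not from a real system).
SAMPLE_LINES = [
    "Sep  1 03:14:01 pos-db01 sshd[2201]: Accepted publickey for jsmith from 10.1.20.7 port 51022 ssh2",
    "Sep  1 03:14:09 pos-db01 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/sbin/service postgresql restart",
    "Sep  1 04:02:33 pos-db01 sshd[2290]: Accepted password for root from 10.1.20.9 port 50112 ssh2",
    "Sep  1 04:05:10 pos-db01 sudo:   admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/rm /var/log/auth.log.1",
    "Sep  1 06:00:00 pos-web01 rsyslogd: [origin software=\"rsyslogd\"] start",
    "this line is not syslog at all",
] + [
    f"Sep  1 05:1{i}:00 pos-web01 sshd[3{i}0]: Failed password for invalid user oracle from 203.0.113.5 port 4001{i} ssh2"
    for i in range(6)
]

# Classic BSD syslog line: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")
# sudo: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# OpenSSH: "Accepted|Failed <method> for [invalid user ]<user> from <src> port ..."
SSH_RE = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

# Accounts that do not identify an individual; hypothetical list for this example.
SHARED_ACCOUNTS = frozenset({"root", "admin", "administrator"})


def daily_review(lines, shared_accounts=SHARED_ACCOUNTS, fail_threshold=5):
    """Return the list of exceptions a daily reviewer must follow up on, in the order found."""
    exceptions = []
    failed_by_src = Counter()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            # Unreadable lines are a coverage gap: something logs in a format nobody reviews.
            exceptions.append({"rule": "unparsed line", "line": line})
            continue
        host, prog, msg = m["host"], m["prog"], m["msg"]
        if prog == "sshd":
            s = SSH_RE.match(msg)
            if not s:
                continue
            if s["result"] == "Failed":
                failed_by_src[s["src"]] += 1
            elif s["user"] in shared_accounts:
                # A successful login straight to root/admin is not linked to an individual (10.1).
                exceptions.append({"rule": "unattributed privileged login", "host": host, "user": s["user"], "src": s["src"]})
        elif prog == "sudo":
            s = SUDO_RE.match(msg)
            if not s:
                continue
            if s["user"] in shared_accounts:
                exceptions.append({"rule": "privileged action from shared account", "host": host, "user": s["user"], "cmd": s["cmd"]})
            if "/var/log" in s["cmd"]:
                # Administrative actions on the audit trail itself always get a second look (10.5).
                exceptions.append({"rule": "audit trail access", "host": host, "user": s["user"], "cmd": s["cmd"]})
    for src, n in failed_by_src.items():
        if n >= fail_threshold:
            exceptions.append({"rule": "repeated failed logins", "src": src, "count": n})
    return exceptions


if __name__ == "__main__":
    for e in daily_review(SAMPLE_LINES):
        print(e)
```

Two points the rules make concrete for the QSA conversation: the review must produce a list of exceptions that someone signs off on (an empty list on a quiet day is itself a result worth recording), and any host or application whose lines never parse is effectively unreviewed, so that count belongs in the daily report rather than in a discard bin.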
PCI DSS Requirement 10.7
  What is it?
  "Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis."
  What does it mean?
  Collected logs must be stored for ONE YEAR, and the most recent three months must be searchable without a restore from backup.
  What will the QSA check for?
  "Verify that audit logs are available for at least one year and processes are in place to restore at least the last three months' logs for immediate analysis."
  What you MUST do
  Make sure that all PCI logs are stored for a year, and that you can actually restore and analyze them.
Want a PCI DSS Book?
  "PCI Compliance" by Anton Chuvakin and Branden Williams
  Useful reference for merchants, vendors, and everybody else
  Released December 2009!
Questions?
  Dr. Anton Chuvakin
  Security Warrior Consulting
  Email: anton@chuvakin.org
  Site: http://www.chuvakin.org
  Blog: http://www.securitywarrior.org
  Twitter: @anton_chuvakin
  Consulting: http://www.securitywarriorconsulting.com
More on Anton
  - Now: independent consultant
  - Book author: "Security Warrior", "PCI Compliance", "Information Security Management Handbook", "Know Your Enemy II", "Hacker's Challenge 3", etc.
  - Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, and many others worldwide
  - Standards developer: CEE, CVSS, OVAL, etc.
  - Community roles: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
  - Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
Security Warrior Consulting Services
  Logging and log management strategy, procedures and practices
  - Develop logging policies and processes, log review procedures, workflows and periodic tasks, and help architect these to solve organizational problems
  - Plan and implement a log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention and log source configuration, as well as reporting, review and validation
  - Customize industry "best practices" for logging and log review to fit your environment, and link these practices to business services and regulations
  - Help integrate logging tools and processes into IT and business operations
  SIEM and log management content development
  - Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
  - Create and refine policies, procedures and operational practices for logging and log management to satisfy the requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
  More at www.SecurityWarriorConsulting.com
Want a PCI DSS Book?
  "PCI Compliance" by Anton Chuvakin and Branden Williams
  Useful reference for merchants, vendors, and everybody else
  Released December 2009!
  www.pcicompliancebook.info