Achieving PCI-DSS compliance with network security implementations - April 2011
1. Achieving PCI-DSS compliance with network security implementations
Marco Ermini
Vodafone Group Network Security
14 April 2011
1 Presentation title in footer Confidentiality level on title master January 3, 2013
Department on title master Version number on title master
2. What this is about
…and what it is not about!
This presentation is not about…
> …what my company has done. This is a personal point of view (of course based on
experience)
> …explaining what the various network security devices are. You know them. If not,
you need other BrightTalks to get better informed
> …choosing vendors/brands – even if we may lean towards network security vendors
versus “host based” vendors, when this makes sense
> …discussing if you need a network security device or not, or which technology you
do need (maybe a short note…)
> …“off the shelf” or “vendor provided” best practices
– you can just Google for “best practices PCI-DSS” – it will do the job!
> I assume you need and want PCI-DSS compliance
> I assume you care about security, as much as compliance
> I will only touch the main points. The subject is really wide
What you are looking for are best practices to make your investment worthwhile
3. Who is speaking?
This is not a bio…
Why are you listening to me? – 1
> I am supposed to know what I am talking about. However, I am not a compliance
expert
– Do not ask me about compliance, but about technology
> Yes, that’s my daily job. No, I am not a trainer or anything like that
> No, this is not academia or pure science. There is hardly any here!
> I know what the market offers. Everyone can download Snort or nmap. It’s not about
that
> I have a realistic view of network security technology
> Yes, I have been under a real attack. And not just once!
> I am a customer of network security technology. I evaluate, test, deploy, implement
and use them. But I don’t sell them. I will never try to contact you and sell you anything
> Yes, this will be my personal, partial, questionable, but realistic point of view
> Yes, I will compare host/agent-based against network-based approaches, and I
prefer the second
You are not drinking from the fountain of truth. Never ever!
4. Who is this for?
Why do you care?
Why are you listening to me? – 2
> You are a security officer, security manager, or compliance manager, and need to…
– of course, achieve PCI-DSS compliance
> You are a security or network engineer, or compliance manager, and need to…
– possibly get “real” value from your investment
– are thinking about, or need, the network security approach for PCI-DSS
> You are a PCI-DSS auditor, and need to…
– understand if the network security approach is valid
> You are just curious…
– a graduate student, and/or future PCI-DSS auditor, getting into the security job
world
– experienced security or network personnel trying to understand network security
appliances
You are welcome to share your expectations, doubts and questions!
5. What is required by PCI-DSS?
It is, in many senses, a technical compliance standard
Why is PCI-DSS different from other compliance requirements?
> Unlike others, it goes into the nitty-gritty details of technical specifications
> For this reason, it has already required a couple of updates
> However, like any requirement, you can have documented exceptions (compensating
controls) if needed, e.g. for NAT
> We are concentrating on the latest version, PCI DSS v2.0
– Changes from the previous version (1.2.1) are mainly about virtualisation and several
clarifications
> There are several standards:
– Data Security Standard: how to protect cardholder data
– Requirements and Security Assessment Procedures: how to assess the
environment
– PIN Transaction Security
– Various supporting documents focusing on roles like merchants, service
providers, and so on
The subject is extremely wide!!!
6. Why use a network-based approach?
In many cases it is easier to implement
Why should I stop securing at the PCI-DSS environment?
> Although isolating the zone where cardholder data is processed is the usual way to
limit the PCI-DSS scope (the standard strongly recommends segmentation, even if it
does not strictly require it), in many cases it is easier to apply many of the
requirements to the whole DC
> You can leverage the investment to apply best practices to a wider zone
> In some cases, the standard seems to encourage it (e.g. wireless devices in a PCI
DSS zone?!?)
> In many cases, network security appliances can be used in multiple zones and it is
just a matter of licensing how many systems you protect
– Caveat: management stations (we will see this later)
> It is much easier to leverage this investment when using network-based approaches
> In some cases, there is no choice but to use network security devices
– for instance when the requirements specify it
If you are forced to invest in security, make the most of it!
7. Let’s see the requirements
Requirement 2
“Do not use vendor-supplied defaults for system passwords and other security
parameters”
> You can use network security scanners and compliance scanners to verify that this
is in place
– Verify that best practices and hardening (e.g. passwords, SNMP community strings,
defaults, unneeded daemons…) have been implemented, through scanning of the
environment
– Some network scanners can log in to the systems and verify that policies are
implemented. This is very often a much better approach than deploying agent-
based solutions
– Be sure that the vendor supports both servers and network devices
– You also need to verify wireless devices, if present
– Scan virtualisation technologies: this seems to suggest that we must verify
hypervisors too
– Only documented daemons/services must be running
> You must verify that newly installed systems are compliant
– This is much better done with a scanner that detects when new systems are
installed
I do prefer by a great extent a network-based, agent-free solution for hardening checks!!!
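The checks above (undocumented daemons, vendor defaults, newly appeared hosts) can be reduced to a diff between scanner output and a documented baseline. The following is an added example written for this page, not code from the presentation or from any scanner vendor: the scan export format, the baseline inventory, the addresses and the SNMP community values are all constructed assumptions.

```python
"""Hardening drift check (Requirement 2) over constructed scan output.

Compares what a network scanner found listening on each host against the
documented baseline, and flags vendor defaults (SNMP community strings) and
hosts that are not in the inventory at all.  Data and format are constructed
for this example; they do not come from any scanner vendor.
"""
from dataclasses import dataclass

# Documented baseline: per in-scope host, the services that are allowed to listen.
# Constructed sample data, not a real environment.
BASELINE = {
    "10.10.1.10": {"tcp/22", "tcp/443"},    # web front end
    "10.10.1.20": {"tcp/22", "tcp/1521"},   # database
    "10.10.1.30": {"tcp/22", "udp/161"},    # switch management
}

# Vendor-default SNMP community strings that must not survive hardening.
DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass(frozen=True)
class Finding:
    host: str
    check: str    # short check identifier
    detail: str


def audit_scan(scan, baseline=BASELINE):
    """Return one Finding per deviation between the scan and the baseline."""
    findings = []
    for host in scan:
        ip = host["ip"]
        if ip in baseline:
            allowed = baseline[ip]
        else:
            # A listener that is not in the inventory: a newly installed (or rogue) system.
            findings.append(Finding(ip, "new-host", "not in documented inventory"))
            allowed = set()
        for svc in host.get("services", []):
            key = f"{svc['proto']}/{svc['port']}"
            if key not in allowed:
                findings.append(Finding(ip, "undocumented-service",
                                        f"{key} ({svc.get('name', 'unknown')})"))
            # A credentialed scan can report which community string answered.
            if svc.get("name") == "snmp" and svc.get("community") in DEFAULT_COMMUNITIES:
                findings.append(Finding(ip, "default-snmp-community", svc["community"]))
    return findings


# Constructed scan result, as a scanner export might look after normalisation.
SAMPLE_SCAN = [
    {"ip": "10.10.1.10", "services": [
        {"proto": "tcp", "port": 22, "name": "ssh"},
        {"proto": "tcp", "port": 443, "name": "https"},
        {"proto": "tcp", "port": 8080, "name": "http-alt"},      # undocumented daemon
    ]},
    {"ip": "10.10.1.30", "services": [
        {"proto": "tcp", "port": 22, "name": "ssh"},
        {"proto": "udp", "port": 161, "name": "snmp", "community": "public"},  # vendor default
    ]},
    {"ip": "10.10.1.40", "services": [
        {"proto": "tcp", "port": 3389, "name": "ms-wbt-server"},  # host missing from inventory
    ]},
]

if __name__ == "__main__":
    for f in audit_scan(SAMPLE_SCAN):
        print(f"{f.host:12} {f.check:25} {f.detail}")
```

Run against the sample it reports four findings: the extra listener on the web host, the default community on the switch, and the unknown host both as "new-host" and for its undocumented service. In practice the baseline is the documented build standard for each system class, and the scan is a scheduled credentialed scan of the whole DC, so a newly racked server shows up as a finding before anyone files a change record for it.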
8. Let’s see the requirements
Requirement 3
“Protect stored cardholder data”
> Tricky pitfalls for network security devices, let’s see why
> Keep data retention to a minimum, do not store authentication/authorisation data and credit card numbers
– If data is transmitted in an encrypted way (e.g. HTTPS), the Intrusion Detection/Prevention or the
WAF often cannot see it
– However, if they are placed after HTTPS reverse-proxies, or are instructed to decrypt the traffic,
they may also see authentication/authorisation data, or even credit card data
– If a signature is triggered, the IDS/IPS/WAF management station can keep a record of the
transaction (typically including the packet capture), so the management station now holds
cardholder data and falls into scope
> How to address this?
– Have a geographically/topologically localised management station in the zone (“manager of the
manager” issue)?
– Disable packet capture/logging?
– A special policy for the PCI-DSS IDS/IPS/WAF?
– Disk encryption on the management station?
– How do security operations people handle the packet captures attached to signature events?
It can be tricky, so we must plan this in advance. Also, you don’t want “special” deployments if possible
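One concrete answer to the packet-capture problem on the previous slide is to scrub event payloads before they are written to the management station. Below is an added example for this page, not code from the presentation or from any IDS/IPS/WAF product: it masks Luhn-valid PANs to first six / last four digits (the most PCI DSS permits to be displayed) and redacts sensitive authentication data fields. The event layout and the field names (`pan`, `cvv`, `session`) are assumptions; the sample event is constructed.

```python
"""Scrub cardholder data from IDS/IPS/WAF event payloads before retention (Requirement 3).

Masks Luhn-valid PANs down to first six / last four digits, which is the most
PCI DSS allows to be displayed, and removes sensitive authentication data
(CVV/CVC/PIN fields) that must never be stored after authorisation.  The
sample event below is constructed; the field names are assumptions, not a
vendor's format.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Form fields that carry sensitive authentication data (assumed names).
SAD_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|pin)=([^&\s\"]+)")


def luhn_ok(digits):
    """Luhn check: true for a well-formed card number, false for a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep first six and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(text):
    """Return (scrubbed_text, number_of_pans_masked)."""
    masked = 0

    def replace_pan(match):
        nonlocal masked
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # session id, timestamp, etc.: leave it alone
        masked += 1
        return mask_pan(digits)

    text = PAN_RE.sub(replace_pan, text)
    text = SAD_RE.sub(r"\1=[REDACTED]", text)
    return text, masked


# Constructed event as a management station might store it after a signature hit.
SAMPLE_EVENT = (
    'sig=SQLi-1042 src=203.0.113.7 uri=/checkout '
    'body="pan=4111111111111111&exp=1214&cvv=123&session=1234567890123456"'
)

if __name__ == "__main__":
    clean, n = scrub(SAMPLE_EVENT)
    print(f"masked {n} PAN(s): {clean}")
```

The Luhn check is what keeps the scrubber from mangling session identifiers and timestamps that happen to be 13 to 19 digits long; the 16-digit `session` value in the sample survives untouched while the test PAN is masked. Whether this runs on the sensor, on the collector, or as a post-processing job on the management station is exactly the "manager of the manager" decision the slide raises: the earlier it runs, the fewer systems end up holding cardholder data.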
9. Let’s see the requirements
Requirement 3
“Protect stored cardholder data”
> Management of encryption keys
– Do you need HSM devices/modules?
– Does your IDS/IPS/WAF support HSM modules?
– How are crypto keys stored on your device?
– How are crypto keys distributed?
– Do you implement “split knowledge” (and dual control) for key management?
– Do you monitor for key substitution/replacement?
– Best practices for key custodians
Again, it can be tricky, so we must plan this in advance. And choose the right devices
10. Let’s see the requirements
Requirement 4
“Encrypt transmission of cardholder data across open, public networks”
> The following are considered open, public networks in scope:
– Internet
– Wireless technologies in general
– GSM/GPRS networks as well
> You must implement encryption, and take care that the IDS/IPS/WAF supports:
– inspection of HTTPS if necessary, or is placed after reverse-proxies
– GTP traffic, if this makes sense for you
– You must also implement wireless scanners, if this makes sense for you
I do prefer by a great extent a network-based, agent-free solution for hardening
checks!!!
11. Let’s see the requirements
Requirement 6
“Develop and maintain secure systems and applications”
> As per requirement 2, you can use network security scanners and compliance
scanners
– Verify that patches are installed – with both vulnerability and compliance scanners
– Verify that undocumented or “custom” applications/services are removed
– Verify that there are no development tools installed in production
> Use Web Application Scanners to scan applications for SQL injection, buffer
overflows, XSS, CSRF, and so on
– Suggestion: focus on the OWASP Top 10
– Ensure your vendor covers the PCI-DSS requirements but also OWASP
– PCI-DSS (requirement 6.5) was inspired by OWASP
I do prefer by a great extent a network-based, agent-free solution for hardening
checks!!!
12. Let’s see the requirements
Requirement 6
“Develop and maintain secure systems and applications”
> It is required that for externally-facing web applications, either a review is done, or a Web
Application Firewall (WAF) is in use
> About reviews:
– can be performed with “automated” tools (Web Application Scanners) or manually
– however they must be done at least annually, and anyway after any change
– if you find a vulnerability, you must correct it; this means you are deploying a
change, so this means you must review the application again!
– therefore it is better to plan for an automated tool anyway
> About Web Application Firewalls (WAF)
– you do not need to review your application
– anyway, experience shows that it is better that you do it. Do not use the WAF as a
scapegoat to avoid application reviews. Heard about Barracuda Networks
recently?
I suggest having both a WAF and assessing the applications, as having the WAF simplifies
the application patching too – catch 22
13. Let’s see the requirements
Requirement 6
“Develop and maintain secure systems and applications”
> FAQ: can I use an IDS/IPS as a WAF?
– I cannot go into great detail on this; however, I discourage it
– They are inherently different technologies
– All of the IDS/IPS vendors have web protection functionality; however, it is not
the same as a Web Application Firewall
– Although you may argue about that with an auditor, if you care about real security
and not just compliance, do not take the shortcut
– Please feel free to ask me about the details offline if you care.
I suggest having both a WAF and an IDS/IPS. Do not use shortcuts unless you are on a
budget
14. Let’s see the requirements
Requirements 7/8
“Restrict access to cardholder data by business need to know”
> Use vulnerability and compliance scanners to assess that servers and network
devices have proper RBAC set up in place
> Firewalls and access control systems set up with a final, explicit “deny all” rule
– May look trivial, but sometimes it is not
“Assign a unique ID to each person with computer access”
> Two-factor authentication in place for all remote access
> This is also valid for security appliance management!
> If you have not implemented good practices for security appliance management,
now you must do it!
In many cases security appliances have a very simple management model; this must
be reviewed for PCI-DSS!!!
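"May look trivial, but sometimes it is not": the final deny-all is easy to lose under a broad permit added in a hurry, and a rule placed after it silently never matches. The following is an added example for this page, not code from the presentation or from any firewall vendor: it audits a policy written in a minimal "action proto src dst port" syntax (an assumption for the example, not a real ACL format) for the missing final deny, over-broad permits, and unreachable rules. Both policies are constructed.

```python
"""Audit a firewall/ACL policy for a final explicit deny-all (Requirements 1 and 7).

Reads a minimal rule syntax ("action proto src dst port", one rule per line,
an assumption for this example rather than any vendor's format), then flags:
the missing final deny-all, permits that are too broad to be a business
need-to-know rule, and rules that can never match because an earlier rule
already matches everything.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    proto: str
    src: str
    dst: str
    port: str


def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        action, proto, src, dst, port = line.split()
        rules.append(Rule(action, proto, src, dst, port))
    return rules


def is_catch_all(r):
    return (r.proto, r.src, r.dst, r.port) == (ANY, ANY, ANY, ANY)


def audit_ruleset(rules):
    """Return a list of human-readable findings; an empty list means the policy passed."""
    findings = []
    if not rules or rules[-1].action != "deny" or not is_catch_all(rules[-1]):
        findings.append("missing final explicit deny-all rule")
    for i, r in enumerate(rules, start=1):
        if r.action == "permit" and r.src == ANY and r.port == ANY:
            findings.append(f"rule {i}: permits any source on any service to {r.dst}")
        if is_catch_all(r) and i < len(rules):
            findings.append(f"rules {i + 1}-{len(rules)} are unreachable: "
                            f"rule {i} already matches all traffic")
            break   # everything after this point is dead policy; no need to go on
    return findings


# Constructed policies for the example.
GOOD_POLICY = """
permit tcp 203.0.113.0/24 10.10.1.10 443
permit udp 10.10.2.0/24 10.10.1.30 161
deny any any any any
"""

BAD_POLICY = """
permit tcp any 10.10.1.10 443
permit any any any any
deny any any any any
permit tcp 10.10.2.0/24 10.10.1.20 1521
"""

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, audit_ruleset(parse_rules(policy)) or ["ok"])
```

The bad policy produces three findings: its last rule is a permit, rule 2 permits everything, and rules 3 and 4 (including the deny-all) can never be hit. The same shape of check applies to the access control system of the security appliances themselves: a management role that can do "anything on anything" is the RBAC equivalent of rule 2.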
15. Let’s see the requirements
Requirement 8
“Assign a unique ID to each person with computer access”
> Database protection
> Restrict access to the databases, restrict direct user access, review database
applications, do not use application IDs outside of the applications
> This can be achieved with Database Activity Monitoring (DAM) technology
> Agent or agent-less solution
> I strongly suggest a combination of both, where the focus is on the agent-less
solution
> For specific questions contact me offline
Database Activity Monitors are a good practice, along with proper set-up of database
management for the environment
16. Let’s see the requirements
Requirement 9
“Restrict physical access to cardholder data”
> Again, if your security appliances enter the PCI-DSS scope, you must apply the
same requirements to them
> If you have not implemented good physical security practices for security appliance
management, now you must do it!
> This includes camera surveillance, badge systems and practices, logs and physical
escort of visitors by an internal employee (PCI-DSS auditors too!) and so on
> Usually part of the DC practices, but it may be different for security monitoring
In many cases security appliances have a very simple management model; this must
be reviewed for PCI-DSS!!!
17. Let’s see the requirements
Requirement 10
“Track and monitor all access to network resources and cardholder data”
> Again, if your security appliances enter the PCI-DSS scope, you must apply the
same requirements to them
> You must implement audit logs for access to the management systems of the
security devices
– You must use individual user accounts, not generic or default users
– You must use a time server (NTP), and verify users against the company’s LDAP/AD
> You must off-load logs to a syslog/logging server
– Logs for IPS/IDS/firewalls and so on
– Best to use a SEM/SIEM if you are not doing it already
> Use a file integrity monitoring tool
– Agent-less solutions are again my favourite
Again, in many cases security appliances have a very simple management model, and
SEM/SIEM are not in use
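Once the management logins are off-loaded to a collector, the three points above (individual accounts, NTP, a restricted management path) become checks you can run over the log stream. The following is an added example for this page, not code from the presentation or from any SIEM product: it reviews constructed collector lines for generic/default accounts, logins from outside an assumed management network, and device clocks that disagree with the collector. The line format, the `10.10.9.0/24` management network, the 60-second tolerance and the account names are all assumptions.

```python
"""Review management-access audit logs from security appliances (Requirement 10).

Works on constructed collector lines of the form
  <collector_receive_time> collector dev=<name> ts=<device_time> user=<u> src=<ip> event=<e> ...
(an assumed format, not a vendor's) and flags logins with generic/default
accounts, logins from outside the management network, and device clocks that
disagree with the (NTP-synced) collector by more than the tolerance.
"""
import ipaddress
import re
from datetime import datetime

MGMT_NET = ipaddress.ip_network("10.10.9.0/24")     # assumed management network
GENERIC_ACCOUNTS = {"admin", "root", "administrator", "operator"}
MAX_SKEW_SECONDS = 60                               # assumed tolerance for NTP drift

LINE_RE = re.compile(r"^(?P<rcvd>\S+) collector (?P<kv>.*)$")


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line):
    """Return the event as a dict (with the collector time under 'rcvd'), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split())
    fields["rcvd"] = m.group("rcvd")
    return fields


def review(lines):
    """Return (device, check, detail) tuples for every login that breaks a rule."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.get("event") != "login":
            continue
        dev = ev.get("dev", "?")
        # Requirement 8 / 10: every login must be traceable to one person.
        if ev.get("user", "").lower() in GENERIC_ACCOUNTS:
            findings.append((dev, "generic-account", ev["user"]))
        # Management interfaces should only be reachable from the management network.
        src = ev.get("src")
        if src and ipaddress.ip_address(src) not in MGMT_NET:
            findings.append((dev, "login-outside-mgmt-net", src))
        # The device timestamp should agree with the NTP-synced collector.
        if "ts" in ev:
            skew = abs((parse_ts(ev["rcvd"]) - parse_ts(ev["ts"])).total_seconds())
            if skew > MAX_SKEW_SECONDS:
                findings.append((dev, "clock-skew", f"{skew:.0f}s"))
    return findings


# Constructed sample log; names and addresses are made up.
SAMPLE_LOG = [
    "2011-04-14T09:15:02Z collector dev=ips-mgmt-01 ts=2011-04-14T09:15:01Z user=alice src=10.10.9.5 event=login result=success",
    "2011-04-14T09:16:10Z collector dev=fw-01 ts=2011-04-14T09:16:09Z user=admin src=10.10.9.7 event=login result=success",
    "2011-04-14T09:20:00Z collector dev=waf-01 ts=2011-04-14T08:47:30Z user=bob src=192.168.50.4 event=login result=success",
    "2011-04-14T09:21:00Z collector dev=fw-01 ts=2011-04-14T09:20:59Z user=bob src=10.10.9.7 event=policy-change object=rule-17",
]

if __name__ == "__main__":
    for dev, check, detail in review(SAMPLE_LOG):
        print(f"{dev:12} {check:24} {detail}")
```

On the sample, the first login is clean, the firewall login with `admin` is flagged as a shared account, and the WAF login is flagged twice: it came from outside the management network and the device clock is more than half an hour off, which is exactly the condition that makes its audit trail useless in an investigation. The clock-skew check only works if the collector itself is the NTP-disciplined reference; if both sides drift, nothing here notices.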
18. Let’s see the requirements
Requirement 11
“Regularly test security systems and processes”
> It goes without saying that internal network vulnerability and compliance scanners are
often the best solution for testing systems from the internal network
> Many scanners can scan themselves too
> Ensure scanners also support security systems and appliances
– Some systems, like IDS/IPS and possibly WAF, are only reachable for scanning on the
management network (monitoring interfaces typically have no IP address)
– Ensure scanners can also reach management networks, and the networks for
hypervisor management
Ensure scanners can internally reach the whole environment and that they support a wide
range of checks
19. Let’s see the requirements
Requirement 11
“Regularly test security systems and processes”
> External vulnerability scanning is a requirement
> Internal scans can be done by a qualified external or internal resource; the external
(quarterly) scans must be run by an Approved Scanning Vendor (ASV)
> There are requirements clearly defined for external resources, a bit less for internal ones
> Generally easier to use a qualified external supplier
> Tricky for security: vulnerability results are stored outside of the company’s network, and this
can be a problem for some organisations’ policies
– Some vendors offer solutions for that
– Some vendors have external solutions that are not secure enough
Ensure you are using a qualified vendor and that you are not violating your own policies or
compromising your security by using an external vendor
20. Let’s see the requirements
Requirement 11
“Regularly test security systems and processes”
> Ensure you have IDS/IPS systems at the perimeter
– You must monitor “all the traffic at the perimeter” (and at critical points inside the
cardholder data environment), but nothing prohibits checking the rest of the
internal network too
– You must ensure proper management of the IDS/IPS
– Must verify that they can see decrypted traffic (after reverse-proxies) and that packet
captures are properly treated for the data retention requirements already
explained
> File integrity monitors
Again, in many cases security appliances have a very simple management model; this
must be reviewed for PCI-DSS!!!
21. Thank you