Achieving PCI-DSS compliance with network security implementations
Marco Ermini
Vodafone Group Network Security

14 April 2011




1   Presentation title in footer              Confidentiality level on title master   January 3, 2013
    Department on title master                Version number on title master
What this is about
    …and what it is not about!

    This presentation is not about…
    > …what my company has done. This is a personal point of view (of course based on
      experience)
    > …explaining what the various network security devices are. You know them. If not,
      you need other BrightTalks to get better informed
    > …choosing vendors/brands – even if we may lean towards network security vendors
      versus “host based” vendors, when this makes sense
    > …discussing if you need a network security device or not, or which technology you
      do need (maybe a short note…)
    > …“off the shelf” or “vendor provided” best practices
       – you can just Google for “best practices PCI-DSS” - it will do the job!
    > I assume you need and want PCI-DSS compliance
    > I assume you care about security, as much as compliance
    > I will only touch the main points. The argument is really wide

    What you are looking for are best practices to make your investment worthwhile


Who is speaking?
    This is not a bio…


    Why are you listening to me? – 1
    > I am supposed to know what I am talking about. However, I am not a compliance
      expert
       – Do not ask me about compliance, but about technology
    > Yes, that’s my daily job. No, I am not a trainer or something like that
    > No, this is not academia or pure science. There is hardly any here!
    > I know what the market offers. Everyone can download Snort or nmap. It’s not about
      that
    > I have a realistic view about network security technology
    > Yes, I have been under a real attack. And not just once!
    > I am a customer of network security technology. I evaluate, test, deploy, implement,
      use them. But I don’t sell them. I will never try to contact you and sell you anything
    > Yes, this will be my personal, partial, questionable, but realistic point of view
    > Yes, I will compare host/agent-based against network-based approaches, and I
      prefer the second

    You are not drinking from the fountain of truth. Never ever!
Who is this for?
    Why do you care?

    Why are you listening to me? – 2
    > You are a security officer, security manager, or compliance manager, and need to…
       – of course achieve PCI-DSS compliance
    > You are a security or network engineer, or compliance manager, and need to…
       – possibly bring “real” value from your investment
       – are thinking about, or need, the network security approach for PCI-DSS
    > You are a PCI-DSS auditor, and need to…
       – understand if the network security approach is valid
    > You are just curious…
       – a graduate student, and/or future PCI-DSS auditor, getting into the security job’s
         world
       – experienced security or network personnel trying to understand network security
         appliances

    You are welcome to share your expectations, doubts, questions!


What is required by PCI-DSS?
    It is, in many senses, a technical compliance standard

    Why is PCI-DSS different from other compliance requirements?
    > Differently from others, it goes into the nitty-gritty details of technical specifications
    > For this reason, it has already required a couple of updates
    > However, like any requirement, you can have documented exceptions, if needed (e.g.
      NAT)
    > We are concentrating on the latest version, PCI DSS v 2.0
      – Changes from the previous version (1.2.1) are mainly about virtualisation and several
        clarifications
    > There are several standards:
      – Data Security Standard: how to protect cardholders’ data
      – Requirements and Security Assessment Procedures: about how to assess the
        environment
      – PIN Transaction Security
      – Various supporting documents focusing on roles like merchants, service
        providers, and so on




    The argument is extremely wide!!!
Why use a network-based approach?
    In many cases it is easier to implement

    Why should I stop at securing only the PCI-DSS environment?
    > Although it is necessary by requirement to isolate the zone where cardholders’ data
      are processed, in many cases it is easier to implement many of the requirements for
      the whole DC
    > You can leverage the investment to apply best practices to a wider zone
    > In some cases, the standard seems to encourage it (e.g. wireless devices in a PCI
      DSS zone?!?)
    > In many cases, network security appliances can be used in multiple zones and it is
      just a matter of licensing how many systems you protect
       – Caveat: management stations (we will see this later)
    > It is much easier to leverage this investment when using network-based approaches
    > In some cases, there is no choice but to use network security devices
       – for instance when the requirements specify it



    If you are forced to invest in security, make the most of it!

Let’s see the requirements
    Requirement 2

    “Do not use vendor-supplied defaults for system passwords and other security
      parameters”
    > You can use network security scanners and compliance scanners to verify that this
      is in place
       – Verify that best practices and hardening (e.g. passwords, SNMP, defaults, unneeded
         daemons…) have been implemented, through scanning of the environment
       – Some network scanners can log in to the systems and verify that policies are
         implemented. This is very often a much better approach than deploying
         agent-based solutions
       – Be sure that the vendor supports both servers and network devices
           – You need to verify for instance wireless devices, if present
           – Scan virtualisation technologies: this seems to suggest that we must verify
             hypervisors
           – Only documented daemons/services must be running
    > Must verify that newly installed systems are compliant
       – This is much better done with a scanner that detects when new systems are
         installed
    I prefer by a great extent a network-based, agent-free solution for hardening
Let’s see the requirements
      Requirement 3
    “Protect stored cardholder data”
    > Tricky pitfalls for network security devices, let’s see why
    > Keep data retention to a minimum, do not store authentication/authorisation data and credit cards
      – If data is transmitted in an encrypted way (e.g. HTTPS), the Intrusion Detection/Prevention or the
        WAF often cannot see it
      – However, if they are placed after HTTPS reverse-proxies, or are instructed to decrypt the traffic,
        they may also see authentication/authorisation data, or even credit card data
      – If a signature is triggered, the IDS/IPS/WAF management station can keep a record of the
        transaction
    > How to address this?
      – Have a geographically/topologically localised management station in the zone (“manager of the
        manager” issue)?
      – Disable packet capture/logging?
      – Special policy for PCI-DSS IDS/IPS/WAF?
      – Disk encryption on the management station?
      – How do security operations people handle packet captures of signatures?

    It can be tricky so we must plan this in advance. Also, you don’t want “special” deployments if possible
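The retention problem above (card data landing in IDS/IPS/WAF alert records once the sensor sees decrypted traffic) is one place where masking before storage helps. The following is an added example, not code from the presentation or from Vodafone: it scans constructed alert lines for Luhn-valid PAN candidates and masks all but the last four digits before the record reaches the management station or the SIEM.

```python
"""Mask primary account numbers (PANs) in IDS/IPS/WAF alert payloads before
the record is stored on the management station or shipped to the SIEM.

Added example, not from the presentation. The alert lines are constructed;
the card numbers are well-known industry test numbers, not real cards.
"""
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, single spaces or dashes allowed between digits,
# not immediately preceded or followed by another digit (so a 20-digit run is
# not carved into a "card" by accident).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text: str, keep_last: int = 4) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in text with a masked form that keeps only
    the last `keep_last` digits. Returns (masked_text, number_of_pans_masked).
    Digit runs that fail Luhn (order numbers, session ids) are left untouched."""
    count = 0

    def repl(m):
        nonlocal count
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw            # not a card number, keep the payload as captured
        count += 1
        return "*" * (len(digits) - keep_last) + digits[-keep_last:]

    return _PAN_RE.sub(repl, text), count


# Constructed alert records as a WAF/IDS might log them with payload capture on.
SAMPLE_ALERTS: List[str] = [
    'alert waf sig=sqli src=198.51.100.7 body="card=4111111111111111&cvv=123&amt=10.00"',
    'alert ids sig=2001 src=203.0.113.9 payload="PAN: 5555 5555 5555 4444 exp=12/26"',
    'alert waf sig=xss src=198.51.100.8 body="order=1234567890123456&q=<script>"',
]


def scrub_alerts(alerts: List[str]) -> List[Tuple[str, int]]:
    """Scrub a batch of alert lines; returns (masked_line, pans_found) per line."""
    return [mask_pans(line) for line in alerts]


if __name__ == "__main__":
    for masked, n in scrub_alerts(SAMPLE_ALERTS):
        print(f"{n} PAN(s) masked: {masked}")
```

The third sample line is a 16-digit order number that fails Luhn, so it is deliberately left intact; the check errs on the side of keeping non-card data readable for the analyst.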


Let’s see the requirements
    Requirement 3


    “Protect stored cardholder data”
    > Management of encryption keys
       – Do you need HSM devices/modules?
       – Does your IDS/IPS/WAF support HSM modules?
       – How are crypto keys stored on your device?
       – How are crypto keys distributed?
       – Do you implement “split knowledge” for key management?
       – Do you monitor for key substitution/replacement?
       – Best practices for keys’ custodians



    Again, it can be tricky so we must plan this in advance. And choose the right devices




Let’s see the requirements
    Requirement 4

    “Encrypt transmission of cardholder data across open, public networks”
    > Public networks considered in scope:
       – Internet
       – Wireless technologies in general
           – GSM/GPRS networks as well
    > You must implement encryption, and take care that IDS/IPS/WAF support:
       – inspection of HTTPS if necessary, or are placed after reverse-proxies
       – GTP traffic, if this makes sense for you
       – Must implement wireless scanners, if this makes sense for you



    I prefer by a great extent a network-based, agent-free solution for hardening
      checks!!!




Let’s see the requirements
    Requirement 6

    “Develop and maintain secure systems and applications”
    > As per requirement 2, you can use network security scanners and compliance
      scanners
       – Verify that patches are installed – both with vulnerability and compliance scanners
       – Verify that undocumented or “custom” applications/services are removed
       – Verify that there are no development tools installed in production
    > Use Web Application Scanners to scan applications for SQL injection, buffer
      overflows, XSS, CSRF, and so on
       – Suggestion: focus on the OWASP top 10
       – Ensure your vendor covers the PCI-DSS requirements but also OWASP
       – PCI-DSS is inspired by OWASP



    I prefer by a great extent a network-based, agent-free solution for hardening
      checks!!!


Let’s see the requirements
    Requirement 6

    “Develop and maintain secure systems and applications”
    > It is required that for externally-facing web sites, either a review is done, or a Web
      Application Firewall (WAF) is in use
    > About reviews:
       – can be performed with “automated” tools (Web Application Scanners) or manually
       – however they must be done at least annually, and anyway after any change
       – if you find a vulnerability, you must correct it; this means you are deploying a
         change, so this means you must review the application again!
       – therefore it is better to plan for an automated tool anyway
    > About Web Application Firewalls (WAF)
       – you do not need to review your application
       – anyway, experience shows that it is better that you do it. Do not use a WAF as a
         scapegoat to avoid application reviews. Heard about Barracuda Networks
         recently?

    I suggest to have both a WAF and assess the applications, as having the WAF simplifies
      the application patching too – catch 22


Let’s see the requirements
    Requirement 6

    “Develop and maintain secure systems and applications”
    > FAQ: can I use an IDS/IPS as a WAF?
       – I cannot go to great extent into this, however I discourage it
       – They are inherently different technologies
       – All of the IDS/IPS vendors have web protection functionality, however it is not
         the same as a Web Application Firewall
       – Although you may argue about that with an auditor, if you care about real security
         and not just compliance, do not take the shortcut
       – Please feel free to ask me about details on that off line if you care.




    I suggest to have both WAF and IDS/IPS. Do not use shortcuts unless you are on a
      budget


Let’s see the requirements
    Requirement 7/8

    “Restrict access to cardholder data by business need to know”
    > Use vulnerability and compliance scanners to assess that servers and network
      devices have proper RBAC set up in place
    > Firewalls and Access Control Systems set up with a final “deny all” rule
       – May look trivial, but sometimes it is not
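The "final deny all" point above is easy to get wrong in a long rule base. As an added example (not the presentation's own code), this checks an iptables-save style ruleset, constructed here, for each traffic-handling chain: either the chain policy is DROP or the chain contains an unconditional DROP/REJECT, and it flags rules shadowed by a deny-all placed too early, which is the usual way a "deny all" ends up not being final.

```python
"""Verify that a firewall rule base ends in an explicit "deny all".

Added example, not from the presentation. It parses the iptables-save text
format; the rulesets below are constructed. The check itself is generic: for
every chain that handles traffic, the default policy must be DROP, or the
chain must contain an unconditional DROP/REJECT rule.
"""
from typing import Dict, List, Optional, Tuple

TERMINAL_DENY = {"DROP", "REJECT"}
Rule = Tuple[List[str], Optional[str]]      # (match tokens, jump target)


def parse_filter_table(text: str) -> Tuple[Dict[str, str], Dict[str, List[Rule]]]:
    """Return (policies, rules) for the *filter table only:
    policies maps chain -> default policy, rules maps chain -> ordered rules."""
    policies: Dict[str, str] = {}
    rules: Dict[str, List[Rule]] = {}
    in_filter = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                  # table header, e.g. *filter, *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith(":"):                  # ":INPUT ACCEPT [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            rules.setdefault(name, [])
            continue
        if line.startswith("-A "):                # "-A CHAIN <matches> -j TARGET ..."
            tokens = line.split()
            chain = tokens[1]
            if "-j" in tokens:
                j = tokens.index("-j")
                match, target = tokens[2:j], tokens[j + 1]
            else:
                match, target = tokens[2:], None
            rules.setdefault(chain, []).append((match, target))
    return policies, rules


def is_unconditional_deny(rule: Rule) -> bool:
    """A rule with no match criteria that jumps to DROP or REJECT."""
    match, target = rule
    return target in TERMINAL_DENY and not match


def check_default_deny(text: str, chains=("INPUT", "FORWARD")) -> Dict[str, Tuple[bool, str]]:
    """Return chain -> (compliant, explanation) for each chain in `chains`."""
    policies, rules = parse_filter_table(text)
    result: Dict[str, Tuple[bool, str]] = {}
    for chain in chains:
        if chain not in policies:
            result[chain] = (False, "chain missing from filter table")
            continue
        chain_rules = rules.get(chain, [])
        deny_idx = next((i for i, r in enumerate(chain_rules) if is_unconditional_deny(r)), None)
        if policies[chain] == "DROP":
            result[chain] = (True, "default policy DROP")
        elif deny_idx is None:
            result[chain] = (False, f"default policy {policies[chain]} and no deny-all rule")
        else:
            target = chain_rules[deny_idx][1]
            shadowed = len(chain_rules) - deny_idx - 1
            if shadowed:
                # Deny-all is effective, but the rules after it never match: a review finding.
                result[chain] = (True, f"unconditional {target} at rule {deny_idx + 1} shadows {shadowed} later rule(s)")
            else:
                result[chain] = (True, f"final rule is unconditional {target}")
    return result


# Constructed iptables-save output for a host in the cardholder data environment.
OPEN_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.10.0.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Same ruleset with the explicit deny-all appended as the last INPUT rule.
CLOSED_RULESET = OPEN_RULESET.replace(
    "COMMIT", "-A INPUT -j REJECT --reject-with icmp-port-unreachable\nCOMMIT")

# Deny-all inserted too early: the HTTPS allow after it is dead.
SHADOWED_RULESET = OPEN_RULESET.replace(
    "-A INPUT -p tcp --dport 443 -j ACCEPT",
    "-A INPUT -j DROP\n-A INPUT -p tcp --dport 443 -j ACCEPT")


if __name__ == "__main__":
    for name, rs in (("open", OPEN_RULESET), ("closed", CLOSED_RULESET), ("shadowed", SHADOWED_RULESET)):
        for chain, (ok, why) in check_default_deny(rs).items():
            print(f"{name:9s} {chain:8s} {'OK ' if ok else 'FAIL'} {why}")
```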


    “Assign a unique ID to each person with computer access”
    > Two-factor authentication in place for all of the remote accesses
    > This is also valid for security appliance management!
    > If you have not implemented good practices for security appliance management,
      now you must do it!



    In many cases security appliances have a very simple management model; this must
      be reviewed for PCI-DSS!!!




Let’s see the requirements
    Requirement 8

    “Assign a unique ID to each person with computer access”
    > Database protection
    > Restrict access to the databases, restrict direct user access, review database
      applications, do not use application IDs outside of applications
    > This can be achieved with a Database Activity Monitor (DAM) technology
    > Agent or agent-less solution
    > I strongly suggest a combination of both, where the focus is on the agent-less
      solution
    > For specific questions contact me off line




    Database Activity Monitors are a good practice, along with proper set up of database
      management for the environment


Let’s see the requirements
    Requirement 9

    “Restrict physical access to cardholder data”
    > Again, if your security appliances enter into PCI-DSS scope, you must apply the
      same requirements to them
    > If you have not implemented good physical security practices for security appliance
      management, now you must do it!
    > This includes camera surveillance, badge systems and practices, logs and physical
      escort of visitors by an internal employee (PCI-DSS auditors too!) and so on
    > Usually part of the DC practices, but it may be different for security monitoring




    In many cases security appliances have a very simple management model; this must
      be reviewed for PCI-DSS!!!



Let’s see the requirements
    Requirement 10

    “Track and monitor all access to network resources and cardholder data”
    > Again, if your security appliances enter into PCI-DSS scope, you must apply the
      same requirements to them
    > You must implement audit logs for access to the management systems of the
      security devices
       – You must implement individual users and not use generic or default users
       – You must use a time server (NTP), and verify against the company’s LDAP/AD
    > You must off-load logs to a syslog/logging server
       – Logs for IPS/IDS/firewalls and so on
       – Best to use a SEM/SIEM if you are not doing it already
    > Use a file integrity monitoring tool
       – Agent-less solutions are again my favourite

    Again, in many cases security appliances have a very simple management model, and
      SEM/SIEM are not in use




Let’s see the requirements
    Requirement 11

    “Regularly test security systems and processes”
    > It goes without saying, internal network vulnerability and compliance scanners are
      often the best solution for testing systems from the internal network
    > Many scanners can scan themselves too
    > Ensure scanners also support security systems and appliances
       – Some systems, like IDS/IPS and possibly WAF, are only available for scanning on the
         management network
       – Ensure scanners can also reach management networks, and networks for
         hypervisor management




    Ensure scanners can internally reach the whole environment and they support a wide
      range of checks



Let’s see the requirements
    Requirement 11

    “Regularly test security systems and processes”
    > External vulnerability scanning is a requirement
    > Can be done with an external or internal resource, but it must be “qualified”
    > There are requirements clearly defined for external resources, a bit less for internal ones
    > Generally easier to use a qualified external supplier
    > Tricky for security: vulnerabilities are stored outside of the company’s network; this can
      be a problem for some organisations’ policies
       – Some vendors offer solutions for that
       – Some vendors have external solutions that are not secure enough



    Ensure you are using a qualified vendor and you are not violating your own policies or
      compromising your security by using an external vendor




Let’s see the requirements
    Requirement 11

    “Regularly test security systems and processes”
    > Ensure you have IDS/IPS systems at the perimeter
       – You must verify “all the traffic at the perimeter”, but nothing prohibits checking the
         internal network too
       – You must ensure proper management of IDS/IPS
       – Must verify that they can see decrypted traffic (after reverse-proxies) and that packet
         captures are properly treated for the data retention requirements already
         explained
    > File integrity monitors



    Again, in many cases security appliances have a very simple management model; this
      must be reviewed for PCI-DSS!!!




Thank you




Best practices in NIPS - IDC Sofia - March 2010
 
Protect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationProtect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/Reputation
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud security
 
You may be compliant...
You may be compliant...You may be compliant...
You may be compliant...
 
You may be compliant, but are you really secure?
You may be compliant, but are you really secure?You may be compliant, but are you really secure?
You may be compliant, but are you really secure?
 
IBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf MattssonIBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf Mattsson
 
Intro to-ssdl--lone-star-php-2013
Intro to-ssdl--lone-star-php-2013Intro to-ssdl--lone-star-php-2013
Intro to-ssdl--lone-star-php-2013
 
IT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
IT Essentials (Version 7.0) - ITE Chapter 13 Exam AnswersIT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
IT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
 
Presentation 10.pptx
Presentation 10.pptxPresentation 10.pptx
Presentation 10.pptx
 
Elementary-Information-Security-Practices
Elementary-Information-Security-PracticesElementary-Information-Security-Practices
Elementary-Information-Security-Practices
 
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data ProtectionISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection
ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019
 
Will your cloud be compliant
Will your cloud be compliantWill your cloud be compliant
Will your cloud be compliant
 
Corona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementCorona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat Management
 
CIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdfCIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdf
 
RSA Advisory Part I
RSA Advisory Part IRSA Advisory Part I
RSA Advisory Part I
 
Project Instructions You have been recently hired as a.docx
Project Instructions   You have been recently hired as a.docxProject Instructions   You have been recently hired as a.docx
Project Instructions You have been recently hired as a.docx
 
Thinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker VisionThinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker Vision
 
PACE-IT: Network Hardening Techniques (part 2)
PACE-IT: Network Hardening Techniques (part 2)PACE-IT: Network Hardening Techniques (part 2)
PACE-IT: Network Hardening Techniques (part 2)
 
Matrix
MatrixMatrix
Matrix
 

Plus de EQS Group

Blockchain: everyone wants to sell me that - but is that really right for my ...
Blockchain: everyone wants to sell me that - but is that really right for my ...Blockchain: everyone wants to sell me that - but is that really right for my ...
Blockchain: everyone wants to sell me that - but is that really right for my ...EQS Group
 
Impact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityImpact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityEQS Group
 
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHMergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHEQS Group
 
M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017EQS Group
 
Architecting Security across global networks
Architecting Security across global networksArchitecting Security across global networks
Architecting Security across global networksEQS Group
 
313 – Security Challenges in Healthcare IoT - ME
313 – Security Challenges in Healthcare IoT - ME313 – Security Challenges in Healthcare IoT - ME
313 – Security Challenges in Healthcare IoT - MEEQS Group
 

Plus de EQS Group (6)

Blockchain: everyone wants to sell me that - but is that really right for my ...
Blockchain: everyone wants to sell me that - but is that really right for my ...Blockchain: everyone wants to sell me that - but is that really right for my ...
Blockchain: everyone wants to sell me that - but is that really right for my ...
 
Impact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityImpact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A Security
 
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHMergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
 
M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017
 
Architecting Security across global networks
Architecting Security across global networksArchitecting Security across global networks
Architecting Security across global networks
 
313 – Security Challenges in Healthcare IoT - ME
313 – Security Challenges in Healthcare IoT - ME313 – Security Challenges in Healthcare IoT - ME
313 – Security Challenges in Healthcare IoT - ME
 

Dernier

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Dernier (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Achieving PCI-DSS compliance with network security implementations - April 2011

  • 3. Who is speaking?
    This is not a bio…

    Why are you listening to me? – 1
    > I am supposed to know what I am talking about. However, I am not a compliance expert
       – Do not ask me about compliance, but about technology
    > Yes, that’s my daily job. No, I am not a trainer or something like that
    > No, this is not academia or pure science. There is hardly here!
    > I know what the market offers. Everyone can download Snort or nmap. It’s not about that
    > I have a realistic view of network security technology
    > Yes, I have been under a real attack. And not just once!
    > I am a customer of network security technology. I evaluate, test, deploy, implement and use these products. But I don’t sell them. I will never try to contact you and sell you anything :-)
    > Yes, this will be my personal, partial, questionable, but realistic point of view
    > Yes, I will compare host/agent-based against network-based approaches, and I prefer the second

    You are not drinking from the fountain of truth. Never ever! :-)
  • 4. Who is this for?
    Why do you care?

    Why are you listening to me? – 2
    > You are a security officer, security manager, or compliance manager, and need to…
       – of course, achieve PCI-DSS compliance
    > You are a security or network engineer, or compliance manager, and need to…
       – possibly get “real” value from your investment
       – are thinking about, or need, the network security approach for PCI-DSS
    > You are a PCI-DSS auditor, and need to…
       – understand whether the network security approach is valid
    > You are just curious…
       – a graduate student, and/or future PCI-DSS auditor, getting into the security job world
       – experienced security or network personnel trying to understand network security appliances

    You are welcome to share your expectations, doubts and questions!
  • 5. What is required by PCI-DSS?
    It is, in many senses, a technical compliance standard

    Why is PCI-DSS different from other compliance requirements?
    > Unlike others, it goes into the nitty-gritty details of technical specifications
    > For this reason, it has already required a couple of updates
    > However, like any requirement, you can have documented exceptions, if needed (e.g. NAT)
    > We are concentrating on the latest version, PCI DSS v 2.0
       – Changes from the previous version (1.2.1) are mainly about virtualisation and several clarifications
    > There are several standards:
       – Data Security Standard: how to protect cardholders’ data
       – Requirements and Security Assessment Procedures: how to assess the environment
       – PIN Transaction Security
       – Various supporting documents focusing on roles like merchants, service providers, and so on

    The argument is extremely wide!!!
  • 6. Why use a network-based approach?
    In many cases it is easier to implement

    Why should I stop securing at the PCI-DSS environment?
    > Although the requirements make it necessary to isolate the zone where cardholders’ data are processed, in many cases it is easier to implement many of the requirements across the whole DC
    > You can leverage the investment to apply best practices to a wider zone
    > In some cases, the standard seems to encourage it (e.g. wireless devices in a PCI DSS zone?!?)
    > In many cases, network security appliances can be used in multiple zones and it is just a matter of licensing how many systems you protect
       – Caveat: management stations (we will see this later)
    > It is much easier to leverage this investment when using network-based approaches
    > In some cases, there is no choice but to use network security devices – for instance when the requirements specify it

    If you are forced to invest in security, make the most of it!
  • 7. Let’s see the requirements
    Requirement 2 “Do not use vendor-supplied defaults for system passwords and other security parameters”
    > You can use network security scanners and compliance scanners to verify that this is in place
       – Verify that best practices and hardening (e.g. passwords, SNMP, defaults, unneeded daemons…) have been implemented, through scanning of the environment
       – Some network scanners can log in to the systems and verify that policies are implemented. This is very often a much better approach than deploying agent-based solutions
       – Be sure that the vendor supports both servers and network devices
       – You need to verify, for instance, wireless devices, if present
       – Scan virtualisation technologies: this seems to suggest that we must verify hypervisors
       – Only documented daemons/services must be running
    > Must verify that newly installed systems are compliant
       – This is much better done with a scanner that detects when new systems are installed

    I very much prefer a network-based, agent-free solution for hardening
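    An added example (not code from the presentation) of the Requirement 2 check described on this slide: credentialed scan results of the PCI zone are compared with a documented baseline, so undocumented hosts, undocumented listening services, default SNMP communities and accepted vendor-default passwords are reported. The baseline, the scanner record format and the scan itself are constructed sample data.

```python
"""Compare a scan of the PCI zone against a documented hardening baseline.

Added example, not code from the presentation. The scan records are
constructed inline in the shape a credentialed vulnerability/compliance
scanner could export: host, listening services, SNMP community string
and the accounts for which a vendor-default password was accepted.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Documented systems and the only services allowed to listen on each
# ("Only documented daemons/services must be running"). Constructed data.
BASELINE: Dict[str, Set[str]] = {
    "10.10.1.10": {"tcp/443"},             # payment web front end
    "10.10.1.11": {"tcp/443", "tcp/22"},   # web front end with admin SSH
    "10.10.1.20": {"tcp/1521"},            # cardholder database
}

# Vendor-default SNMP community strings that hardening must have replaced.
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}


@dataclass
class HostScan:
    """One host as reported by the scanner (constructed record format)."""
    ip: str
    open_services: Set[str]
    snmp_community: Optional[str] = None
    # Accounts where the scanner logged in with the vendor-default password.
    default_password_accounts: Set[str] = field(default_factory=set)


def audit(scan: List[HostScan],
          baseline: Dict[str, Set[str]] = BASELINE) -> List[Tuple[str, str]]:
    """Return (host, finding) pairs for everything that deviates from the baseline."""
    findings: List[Tuple[str, str]] = []
    seen: Set[str] = set()
    for host in scan:
        seen.add(host.ip)
        if host.ip in baseline:
            allowed = baseline[host.ip]
        else:
            # A host the scanner found but nobody documented: Requirement 2
            # also asks that newly installed systems are verified.
            findings.append((host.ip, "undocumented host: newly installed system?"))
            allowed = set()
        for svc in sorted(host.open_services - allowed):
            findings.append((host.ip, f"undocumented service listening: {svc}"))
        if host.snmp_community in DEFAULT_SNMP_COMMUNITIES:
            findings.append((host.ip, f"default SNMP community in use: {host.snmp_community!r}"))
        for account in sorted(host.default_password_accounts):
            findings.append((host.ip, f"vendor-default password accepted for {account!r}"))
    # A documented host the scanner never saw is a coverage problem, not a pass.
    for ip in sorted(set(baseline) - seen):
        findings.append((ip, "documented host not reached by the scanner"))
    return findings


# Constructed scan of the zone: one host with a leftover telnet daemon and
# default SNMP, one hardened host, one undocumented box, one host not reached.
SAMPLE_SCAN = [
    HostScan("10.10.1.10", {"tcp/443", "tcp/23"}, snmp_community="public"),
    HostScan("10.10.1.11", {"tcp/443", "tcp/22"}, snmp_community="pci-ro-7f3a"),
    HostScan("10.10.1.99", {"tcp/22"}, default_password_accounts={"admin"}),
]

if __name__ == "__main__":
    for ip, finding in audit(SAMPLE_SCAN):
        print(f"{ip:<12} {finding}")
```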
  • 8. Let’s see the requirements
    Requirement 3 “Protect stored cardholder data”
    > Tricky pitfalls for network security devices, let’s see why
    > Keep data retention to a minimum, do not store authentication/authorisation data and credit cards
       – If data is transmitted in an encrypted way (e.g. HTTPS), the Intrusion Detection/Prevention system or the WAF often cannot see it
       – However, if they are placed after HTTPS reverse-proxies, or are instructed to decrypt the traffic, they may also see authentication/authorisation data, or even credit card data
       – If a signature is triggered, the IDS/IPS/WAF management station can keep a record of the transaction
    > How to address this?
       – Have a geographically/topologically localised management station in the zone (“manager of the manager” issue)?
       – Disable packet capture/logging?
       – Special policy for PCI-DSS IDS/IPS/WAF?
       – Disk encryption on the management station?
       – How do security operations people handle packet captures of signatures?

    It can be tricky, so we must plan this in advance. Also, you don’t want “special” deployments if possible
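    One way to handle the pitfall this slide describes, as an added example that is not part of the presentation: a management station that keeps the payload of a triggered signature can mask card numbers before the record is written, so the capture never becomes stored cardholder data. The alert record format and the checkout request in it are constructed; Luhn validation keeps ordinary long numbers (order ids, timestamps) untouched.

```python
"""Redact cardholder data from IDS/IPS/WAF alert records before they are
stored on the management station.

Added example, not code from the presentation. The alert record is a
constructed dictionary standing in for whatever the management station
keeps when a signature fires and the matching packet payload is saved.
"""
import re
from typing import Dict, Tuple

# Candidate PAN: 13-19 contiguous digits, or four groups of four digits
# separated by a space or dash, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d{13,19}|\d{4}(?:[ -]\d{4}){3})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, used to avoid masking ordinary long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (PCI-DSS masking rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN in text; return (redacted_text, count)."""
    count = 0

    def _replace(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            count += 1
            return mask_pan(digits)
        return match.group(0)   # not a card number, leave it alone

    return PAN_CANDIDATE.sub(_replace, text), count


def scrub_alert(alert: Dict[str, str]) -> Dict[str, object]:
    """Return a copy of an alert record with cardholder data removed from
    the captured payload, plus a count of what was masked for the audit trail."""
    redacted, count = redact_pans(alert.get("payload", ""))
    clean: Dict[str, object] = dict(alert)
    clean["payload"] = redacted
    clean["pans_redacted"] = count
    return clean


# Constructed alert: a WAF signature fired on a decrypted checkout request.
# The PAN is a well-known test number; the order id is a 16-digit non-PAN.
SAMPLE_ALERT = {
    "sensor": "waf-pci-01",
    "signature": "SQLi in form parameter",
    "payload": ("POST /checkout HTTP/1.1\r\n\r\n"
                "pan=4111111111111111&exp=1225&name=Test' OR 1=1--"
                "&order=1234567890123456"),
}

if __name__ == "__main__":
    print(scrub_alert(SAMPLE_ALERT))
```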
  • 9. Let’s see the requirements
    Requirement 3 “Protect stored cardholder data”
    > Management of encryption keys
       – Do you need HSM devices/modules?
       – Do your IDS/IPS/WAF support HSM modules?
       – How are crypto keys stored on your device?
       – How are crypto keys distributed?
       – Do you implement “split knowledge” for key management?
       – Do you monitor for key substitution/replacement?
       – Best practices for key custodians

    Again, it can be tricky, so we must plan this in advance. And choose the right devices
  • 10. Let’s see the requirements
    Requirement 4 “Encrypt transmission of cardholder data across open, public networks”
    > The following are considered public networks in scope:
       – Internet
       – Wireless technologies in general
       – GSM/GPRS networks as well
    > You must implement encryption, and take care that the IDS/IPS/WAF supports:
       – inspection of HTTPS if necessary, or is placed after reverse-proxies
       – GTP traffic, if this makes sense for you
       – You must implement wireless scanners, if this makes sense for you

    I very much prefer a network-based, agent-free solution for hardening checks!!!
  • 11. Let’s see the requirements
    Requirement 6 “Develop and maintain secure systems and applications”
    > As per requirement 2, you can use network security scanners and compliance scanners
       – Verify that patches are installed – with both vulnerability and compliance scanners
       – Verify that undocumented or “custom” applications/services are removed
       – Verify that there are no development tools installed in production
    > Use Web Application Scanners to scan applications for SQL injection, buffer overflows, XSS, CSRF, and so on
       – Suggestion: focus on the OWASP Top 10
       – Ensure your vendor covers the PCI-DSS requirements but also OWASP
       – PCI-DSS is inspired by OWASP

    I very much prefer a network-based, agent-free solution for hardening checks!!!
  • 12. Let’s see the requirements
    Requirement 6 “Develop and maintain secure systems and applications”
    > It is required that for externally-facing web sites, either a review is done, or a Web Application Firewall (WAF) is in use
    > About reviews:
       – they can be performed with “automated” tools (Web Application Scanners) or manually
       – however, they must be done at least annually, and in any case after any change
       – if you find a vulnerability, you must correct it; this means you are deploying a change, so this means you must review the application again!
       – therefore it is better to plan for an automated tool anyway
    > About Web Application Firewalls (WAF)
       – you do not need to review your application
       – anyway, experience shows that it is better that you do it. Do not use the WAF as a scapegoat to avoid application reviews. Heard about Barracuda Networks recently?

    I suggest having both a WAF and assessing the applications, as having the WAF simplifies the application patching too – catch 22
  • 13. Let’s see the requirements
    Requirement 6 “Develop and maintain secure systems and applications”
    > FAQ: can I use an IDS/IPS as a WAF?
       – I cannot go into this at great length, however I discourage it
       – They are inherently different technologies
       – All of the IDS/IPS vendors have web protection functionality, however it is not the same as a Web Application Firewall
       – Although you may argue about that with an auditor, if you care about real security and not just compliance, do not take the shortcut
       – Please feel free to ask me about details on that off line if you care.

    I suggest having both WAF and IDS/IPS. Do not use shortcuts unless you are on a budget
  • 14. Let’s see the requirements
    Requirement 7/8 “Restrict access to cardholder data by business need to know”
    > Use vulnerability and compliance scanners to assess that servers and network devices have proper RBAC set up in place
    > Firewalls and Access Control Systems set up with a final “deny all” rule
       – May look trivial, but sometimes it is not :-)
    “Assign a unique ID to each person with computer access”
    > Two-factor authentication in place for all of the remote accesses
    > This is also valid for security appliance management!
    > If you have not implemented good practices for security appliance management, now you must do it!

    In many cases security appliances have a very simple management model; this must be reviewed for PCI-DSS!!!
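    The “deny all” point above is less trivial than it looks because a catch-all deny is only effective if it is really the last rule, nothing before it is a permit-anything hole, and the rules in between are actually reachable. As an added example (not code from the presentation), this audits a ruleset for exactly those three conditions; the vendor-neutral rule format and the sample ruleset are constructed.

```python
"""Audit a firewall ruleset in front of the PCI zone: final deny-all present
and logging, no over-permissive permits, no rules shadowed by earlier ones.

Added example, not code from the presentation. The rule format is a
constructed, vendor-neutral representation (action, source, destination,
service) listed in the order the firewall evaluates it.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str      # "permit" or "deny"
    src: str         # CIDR, single address, or "any"
    dst: str
    service: str     # e.g. "tcp/443", or "any"
    log: bool = False


def _addr_covers(broad: str, narrow: str) -> bool:
    """True if every address matched by `narrow` is also matched by `broad`."""
    if broad == "any":
        return True
    if narrow == "any":
        return False
    # Same address family assumed (constructed data is IPv4 only).
    return ipaddress.ip_network(narrow, strict=False).subnet_of(
        ipaddress.ip_network(broad, strict=False))


def _service_covers(broad: str, narrow: str) -> bool:
    return broad == "any" or broad == narrow


def _is_catch_all_deny(rule: Rule) -> bool:
    return (rule.action == "deny" and rule.src == "any"
            and rule.dst == "any" and rule.service == "any")


def shadowed_by(rules: List[Rule], index: int) -> Optional[Rule]:
    """First earlier rule that already matches everything rules[index] would."""
    target = rules[index]
    for earlier in rules[:index]:
        if (_addr_covers(earlier.src, target.src)
                and _addr_covers(earlier.dst, target.dst)
                and _service_covers(earlier.service, target.service)):
            return earlier
    return None


def audit_ruleset(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs; an empty list means the checks pass."""
    findings: List[Tuple[str, str]] = []
    if not rules:
        return [("<ruleset>", "empty ruleset: nothing enforces deny-all")]
    for i, rule in enumerate(rules):
        # A permit for any service to or from "any" is a hole, not a rule.
        if rule.action == "permit" and rule.service == "any" and "any" in (rule.src, rule.dst):
            findings.append((rule.name, f"over-permissive permit {rule.src} -> {rule.dst} any service"))
        earlier = shadowed_by(rules, i)
        if earlier is not None:
            findings.append((rule.name, f"never matches: shadowed by earlier rule '{earlier.name}'"))
    last = rules[-1]
    if not _is_catch_all_deny(last):
        findings.append((last.name, "last rule is not an explicit deny any -> any, any service"))
    elif not last.log:
        findings.append((last.name, "final deny-all does not log what it drops"))
    return findings


# Constructed ruleset in front of the cardholder data environment.
SAMPLE_RULES = [
    Rule("web-in",       "permit", "any",          "10.10.1.0/24", "tcp/443"),
    Rule("admin-ssh",    "permit", "10.20.0.0/24", "10.10.1.0/24", "tcp/22"),
    Rule("legacy-any",   "permit", "10.20.0.0/16", "any",          "any"),
    Rule("admin-ssh-db", "permit", "10.20.0.5",    "10.10.1.11",   "tcp/22"),
    Rule("deny-all",     "deny",   "any",          "any",          "any", log=False),
]

if __name__ == "__main__":
    for name, finding in audit_ruleset(SAMPLE_RULES):
        print(f"{name:<14} {finding}")
```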
  • 15. Let’s see the requirements
    Requirement 8 “Assign a unique ID to each person with computer access”
    > Database protection
    > Restrict access to the databases, restrict direct user access, review database applications, do not use application IDs outside of applications
    > This can be achieved with Database Activity Monitor (DAM) technology
    > Agent or agent-less solution
    > I strongly suggest a combination of both, where the focus is on the agent-less solution
    > For specific questions contact me off line

    Database Activity Monitors are a good practice, along with proper set-up of database management for the environment
• 16. Let’s see the requirements
Requirement 9 “Restrict physical access to cardholder data”
> Again, if your security appliances enter into PCI-DSS scope, you must apply the same requirements to them
> If you have not implemented good physical security practices for security appliance management, now you must do it!
> This includes camera surveillance, badge systems and practices, logs and physical escort of visitors by an internal employee (i.e. PCI-DSS auditors too!) and so on
> Usually part of the DC practices, but it may be different for security monitoring
In many cases security appliances have a very simple management model; this must be reviewed for PCI-DSS!!!
• 17. Let’s see the requirements
Requirement 10 “Track and monitor all access to network resources and cardholder data”
> Again, if your security appliances enter into PCI-DSS scope, you must apply the same requirements to them
> You must implement audit logs on access to the management systems of the security devices
– You must implement individual users and not use generic or default users
– You must use a time server (NTP), and verify against the company’s LDAP/AD
> You must off-load logs to a syslog/logging server
– Logs for IPS/IDS/firewalls and so on
– Best to use a SEM/SIEM if you are not doing it already
> Use a file integrity monitoring tool
– Agent-less solutions are again my favourite
Again, in many cases security appliances have a very simple management model, and SEM/SIEM are not in use
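Two of the Requirement 10 points above (no generic or default accounts on the management plane, and off-loading every appliance’s logs to a central syslog server) can be checked from the central log itself. The following is an added example for this talk, not the speaker’s code: it runs over constructed login events and assumes a “login user=… src=… result=…” message layout, which real appliances will not share.

```python
"""Review management-plane login events from security appliances for
the Requirement 10 points above: individual (non-generic) accounts, and
in-scope appliances that never reach the central syslog server. Added
example for this talk (not the speaker's code); the log lines are
constructed and the 'login user=... src=... result=...' layout is assumed."""
import re
from collections import Counter

# shared or default accounts found on typical appliances; extend as needed
GENERIC_USERS = {"admin", "root", "administrator", "operator", "default"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>\S+): "
    r"login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

def parse_events(lines):
    """Keep only lines matching the assumed login-event layout."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def review_logins(lines, in_scope_hosts):
    """Return findings: successful generic-account logins per appliance,
    and in-scope appliances with no events at all (logs not off-loaded)."""
    events = parse_events(lines)
    generic = Counter()
    for e in events:
        if e["user"].lower() in GENERIC_USERS and e["result"] == "success":
            generic[(e["host"], e["user"])] += 1
    findings = [f"{host}: {n} successful login(s) with generic account '{user}'"
                for (host, user), n in sorted(generic.items())]
    seen = {e["host"] for e in events}
    for host in sorted(set(in_scope_hosts) - seen):
        findings.append(f"{host}: no management-plane events received by the syslog server")
    return findings

# Constructed sample: three in-scope appliances, only two of them forwarding logs
SAMPLE_LOG = """\
Apr 14 09:01:12 fw-edge-1 sshd: login user=alice.s src=10.20.0.15 result=success
Apr 14 09:02:40 fw-edge-1 sshd: login user=admin src=10.20.0.15 result=success
Apr 14 09:05:03 ips-core-1 webui: login user=bob.k src=10.20.0.31 result=failure
Apr 14 09:05:10 ips-core-1 webui: login user=bob.k src=10.20.0.31 result=success
Apr 14 09:07:55 fw-edge-1 sshd: login user=root src=10.20.0.99 result=failure
""".splitlines()
IN_SCOPE = ["fw-edge-1", "ips-core-1", "waf-dmz-1"]

if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOG, IN_SCOPE):
        print(finding)
```

Failed logins with a default account are left out of the count on purpose; they are worth alerting on separately, but they do not prove the account is in use.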
• 18. Let’s see the requirements
Requirement 11 “Regularly test security systems and processes”
> It goes without saying, internal network vulnerability and compliance scanners are often the best solution for testing systems from the internal network
> Many scanners can scan themselves too
> Ensure scanners also support security systems and appliances
– Some systems, like IDS/IPS and possibly WAF, are only available for scanning on the management network
– Ensure scanners can also reach management networks, and the networks for hypervisor management
Ensure scanners can internally reach the whole environment and that they support a wide range of checks
• 19. Let’s see the requirements
Requirement 11 “Regularly test security systems and processes”
> External vulnerability scanning is a requirement
> Can be done with an external or internal resource, but it must be “qualified”
> There are requirements clearly defined for external resources, a bit less for internal ones
> Generally easier to use a qualified external supplier
> Tricky for security: vulnerabilities are stored outside of the company’s network, which can be a problem for some organisations’ policies
– Some vendors offer solutions for that
– Some vendors’ external solutions are not secure enough
Ensure you are using a qualified vendor and that you are not violating your own policies or compromising your security by using an external vendor
• 20. Let’s see the requirements
Requirement 11 “Regularly test security systems and processes”
> Ensure you have IDS/IPS systems at the perimeter
– You must verify “all the traffic at the perimeter”, but nothing prohibits checking the internal network too
– You must ensure proper management of IDS/IPS
– Must verify that they can see decrypted traffic (after reverse proxies) and that packet captures are properly treated for the data retention requirements already explained
> File integrity monitors
Again, in many cases security appliances have a very simple management model; this must be reviewed for PCI-DSS!!!
• 21. Thank you