Entries categorized as ‘Payment Card Industry Data Security Standard’
I am a strong believer in group “live” training experiences where I am in a room with individuals who have different perspectives, challenges, and questions. Unfortunately, the real world keeps spinning and constant training is not always possible, so the web (yes… that which gives and takes) has online training. For those unaware there are several very good online free training seminars for PCI DSS. In fact, the one I am highlighting is “sponsored” by MasterCard.
After free registration - the simplest I have yet to see, you are provided with a list of sessions to listen to or you can download the PDFs! You can find nearly currently a dozen sessions here. They cover the following topics:
- Maximize Internal Preparation for PCI DSS New!, by Mathieu Gorge – CEO Vigitrust
- Network Segmentation New!, Mark Lippman – Senior Partner, Arsenal Security Group
- Data Encryption: Understanding Encryption and PCI DSS New!, by Gerard Onorato and Jeffrey Foresman
- An Introduction to the PCI Security Standards Council, by Bob Russo – General Manager, PCI Security Standards Council
- A Detailed Look at PCI DSS Requirements, by Andrew Henwood - Director of Operations, One-SEC/Trustwave
- A look into the new Self Assessment Questionnaire, by Jennifer Mack – Vice President, MasterCard Worldwide
- A Merchant’s Journey towards PCI Compliance, by Alexander Grant, General Manager British Airways
- Understanding Account Data Compromise, by A. Bryan Sartin - Vice President Investigative Response, Verizon Business
- Preparing for a Successful PCI Assessment, Lessons from the Field, by Michael Walter – Senior Partner, Arsenal Security Group
- Reducing Your Risk: A Look Into PCI Vulnerability Scanning, by John Bartholomew – Vice President, Security Metrics
- Security and the Payments Systems, By John Verdeschi – Vice President, MasterCard Worldwide and Jeremy King – Vice President, MasterCard Worldwide
- Compliance Validation & Beyond, by Sally Ramadan - MasterCardWorldwide
I have gone through several thus far, and my comments on a few are as follows:
- Maximize Internal Preparation - Helpful. Core Message: Setup a diverse team with senior management, and leverage your QSA’s experience
- Understanding Account Data Compromise - Educational. Great walk through! Check out Michael Dahn’s excellent ongoing articles on the carder market
Check out the online webinars here. I am sure there are many others, so please add them below in the comments to help everyone!
Best,
James DeLuccia
Categories: Compliance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard · Security
Tyson Kpczynski of NetworkWorld has an article highlighting 6 free tools you shouldn’t live without for the security minded. He highlights a few of the numerous available tools, but neglects a few foundation security applications. He suggests the following tools (comments added):
- Metasploit - a superb tool! Necessary for everyone. It provides the user with a clear understanding of the true risks of chaining vulnerabilities, provides concrete results, and is lead by one of the most brilliant crews around. Be aware this tools should be used with caution on pre-production systems, and only on systems that are redundant.
- Splunk - excellent interface and allows for excellent review of large amounts of data. A great tool if the budget exists - other resources are Zenoss and Nagios systems
- Google - always great for data mining, but check out the data exploration tool below as an addition to your arsenal
- KeePass - centrally locating your passwords is great, so long as you use a secure key - fyi this is not a proper alternative to your enterprises key management process.
- Helix - Knoppix is a great platform to work from and a top tool in my kit.
- Netwox - Never used this particular tool, but the capabilities speak for themselves.
Check out his full article which describes their usage and his thoughts of each tool here.
Personally I would add the following to any individual charged with security responsibilities (who isn’t these days) and to those key individuals tasked with attesting to the state of an environment (so, yes I would expect auditors for PCI DSS and AICPA / PCAOB efforts to leverage such tools):
- WireShark (formerly Ethereal) - network sniffer that is useful for superb network diagnosis and analysis of network traffic (i.e. finding decrypted communications with cardholder data and such things)
- Nessus - of course, great vulnerability scanner to quickly assess the state of an environment (use in conjunction with deeper assessment tools - such as Metasploit)
- BackTrack in lieu of a generic LiveCD this is a great - cheap / free / 0 effort - security environment to get your feet wet and super simple to customize to create your own company / personal security tool environment.
- John the Ripper - test password strength - i.e. truly validate whether passwords are meeting secure settings. Also check out ophrack which comes as a LiveCD and utilizes Rainbow tables.
- Wireless testing of access point security tools in your kit should include - The Shmoo Group (not a tool, but they lead the way in bluetooth, 802.11, and other channels), Aircrack-ng, Kismet, and you may experiment with wicrawl (here is a video of their preso at Defcon 15)
- Tyson recommends Google as a discovery tool, and it is an excellent tool (check out here where a custom search identifies SSN and credit card data in cached pages), but there are others - in no particular order of preference check out SEAT (Search Engine Assessment Tool) Information collection tool, and Bidiblah by Sensepost ($)
- Extreme packet manipulation (for those with savy technical backgrounds) is ideal for truly testing the resilience and secure coding practices of the systems on your network. Check out Scapy for such a test.
PCI DSS Requirement 11, FFIEC Information Security booklet and numerous others define the expected level of vigilance that must be taken, as an example.
A long standing universal reference for security professionals has been this list hosted by Insecure.org (developers of NMAP) - Click here for top 100 tools. This list is based on votes from users of the tools and includes supported platforms, UI, and whether it costs any dough.
Please add comments for the best security tools that address your challenges. Free is preferred, but products with nominal fees can be worth the expense. If any of the above are unknown to you - download them and experiment, it truly is the only way to understand your control environment.
Best,
James DeLuccia
Categories: IT Controls · Payment Card Industry Data Security Standard · Security
The payment card industry security standards council released a publication today providing paths for organizations to take to satisfy the PCI DSS v1.1 Requirement 6.6. As has been consistent, the council has recognized that confusion existed and parties were addressing this mandate in an inefficient and in some cases ineffective manner. The council provides several options for addressing the risks defined in the standard. These options include:
- Application Code Reviews - (not necessarily MANUAL all the time), and can be achieved through any of these approaches:
- Manual reviews (granted not possible on proprietary systems)
- Automated Source Code Scanners
- Manual Web Application Vulnerability Assessment
- Automated Web App Scanners
- Independence and qualification of individuals performing effort (internal or external) remains necessary
- Integration of these controls should occur and are nicely described in the clarification document (Page 3)
- Highlighted in the “Additional Considerations” section on Page 6 and 7 there is an important note that not all alerts are cause for non-compliance and some deployments of web applications (use of cookies, unusual headers, etc..) may require an experienced individual to ascertain which are threats and which are not to the organization.
- Application Firewalls (WAF) - defined as a technology that inspects that packets and hence inputs crossing from an untrusted to trusted environment. In the PCI SSC own words:
- “…designed to inspect, evaluate, and react to the parts of an Internet Protocol (IP) message (packet) consumed by web applications, and therefore public applications frequently receive uninspected input.” (Page 4)
- The council is not advocating extra or redundant controls, but is ensuring that the packets are inspected. To this point they have highlighted that OTHER means of accomplishing and mitigating this risk are available such that “IT packet content adequately inspected (i.e., providing equivalent protection) by network firewalls, proxies, and other components do not have to be RE-INSPECTED by a WAF”.
- Page 5 has a few nice succinct bullets to describe the necessary functionality and inspection protocols highlighted (but certainly not forever set in stone) that must be included in Option 2 WAF.
A great document with lots of specifics to clear the air. Far superior than the information that was available after the ETA conference. There are some nice “Sources of Information” without links, so I have provided those to accelerate your efforts and research:
As always - add comments to enhance and improve our community and the controls under discussion.
Best,
James DeLuccia
Additional References:
Categories: Compliance · PCI DSS · Payment Card Industry Data Security Standard · regulations
UPDATE: New Article on OFFICIAL Documents released by PCI SSC 4/22/08
This week was a banner week in PCI DSS clarifications, interpreted confusion by third parties, and varied levels of agreement and discontent. At this time the clarification that was distributed at this year’s ETA conference (which is a very good conference for those seeking a full understanding of the payment process industry), but has not been published by the PCI SSC. That did not prevent nCircle from providing us a snippet. Please check here to read their full post. Instead of simply repeating what they have posted, or promote the update and create more noise let me provide a few business impacts on how this affects your business today.
The update provides, as has been the case in other parts of the standard, many forms of controls that may be embraced to satisfy the control. What should be noted is that the clarification reinforces the need to meet the intent outlined in the standard, and a simple least practice mentality is insufficient. Businesses should consider a rotation of controls defined by the PCI SSC. Meaning that organizations should consider a SDLC that embraces the following process:
- Develop a common code base library - ala, develop chunks of code and get them manually tested against development best practices. Then certify these (internally) and lock the code. Re-use this code wherever appropriate. I have seen this practice embraced by many firms and achieve 80% reductions in roll-outs of new products (they developed online payment sites), and lowered their error-detection rate (any vulnerability identified during application level testing at or above a medium threat level)
- Identify and contract a third party for manual evaluations - Third parties provide fresh eyes to any project, and can bring to bear many resources (humans, experience, and applications) to any engagement. Depending on the development rate of “new” systems I would advise having these done once a year with medium development efforts and greater as development efforts increase.
- Automation - Invest in an automated tool that is best for the type of evaluations and have these occur regularly (weekly on critical systems; monthly on medium risk). These applications cannot replace the capabilities and attacks evaluated by a manual engagement, but they can provide an excellent stop gap to prevent excessive deterioration in risk management.
As in any update, read the official release and realize the intent. These mandates are in place to prevent fraud and bolster confidence in the credit transactions.
Thank you to those who have posted on this subject, and please add to the conversation!
James DeLuccia IV
Categories: Compliance · PCI DSS · Payment Card Industry Data Security Standard
The new book is HERE!!!
Here are two quick shots taken while opening up the first shipment of books! Below the pictures I briefly sum up the intent of the book. Of course, the major book sellers present it better, and you can read the entire back covers and inside flaps here.
A brief overview:
Over the past year and a half I have been putting together a book with the magnificent crew at John Wiley & Sons Publishing (a company that is over 200 years old - a point that makes sense if you skim my final closing chapter). I have had a tremendous amount of help from friends, colleagues, companies, and numerous industry and government enforcement groups. My family was especially kind while I put together the book - allowing me to lock myself in my office while I sought to simplify the book to ultimately become:
A global synthesizing of how society and business has progressed over the past 100 years to integrate information technology, and their relative importance to business. The work is based on an analysis of over 140 separate public frameworks, laws, audit reports, and numerous guidance documents plus personal experience auditing and assessing over a million systems around the world. This effort resulted in an identification of key principles that represent the best practices that globally competitive organizations must adopt to balance the risks and rewards of operating in the 21st century. An action plan is designed to enable businesses to evaluate their important controls and consider the next 100 years.
A great deal of time is spent exploring PCI DSS, NERC, SOX, FFIEC, and their related controls. Plus some interesting challenges related to virtualization, grid computing, and the implied reliability of the Internet backbone. Thank you for taking the time to visit and contribute to this forum, and your feedback and future comments on this site.
Kind regards,
James DeLuccia
Categories: IT Controls · Payment Card Industry Data Security Standard · ROI · Risk Management · regulations
