PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin
1. PCI 2.0: What's Next for PCI DSS and Logging
Dr. Anton Chuvakin, Security Warrior Consulting, www.securitywarriorconsulting.com/, September 2010
2. Outline
- PCI DSS Refresher
- PCI DSS 2.0 Review
- Logging – Key to PCI DSS!
- PCI DSS: What You MUST Do Now!
- Conclusions
3. QSA is Coming! Are You Ready?
Annual on-site PCI DSS assessment (“QSA visit”):
- Review PCI DSS policies and procedures
- Evaluate the scope of PCI applicability
- Assess compliance with technical controls – including collection and review of logs
4. What is PCI DSS or PCI?
Payment Card Industry Data Security Standard
- Payment Card =
- Payment Card Industry =
- Data Security =
- Data Security Standard =
5. PCI Regime vs DSS Guidance
The PCI Council publishes PCI DSS, which:
- Outlines the minimum data security protection measures for payment card data.
- Defines Merchant & Service Provider Levels, and compliance validation requirements.
- Leaves enforcement to the card brands (the Council doesn’t fine anybody!)
Key point: PCI DSS (the document) vs PCI (the validation regime)
14. The Key Piece: Requirement 10
In brief:
- Must have good logs
- Must collect logs
- Must store logs for 1 year
- Must protect logs
- Must review logs daily (using an automated system)
15. PCI DSS Requirement 10.1
What is it? “Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.”
What does it mean? Every log record of a user action should carry the user name.
What will the QSA check for? “Verify through observation and interviewing the system administrator, that audit trails are enabled and active for system components”
What you MUST do: Log all admin access and actions; make sure log records are tied to user names.
16. PCI DSS Requirement 10.2
What is it? “Implement automated audit trails for all system components”
What does it mean? Make sure you log all PCI-mandated events on all in-scope systems.
What will the QSA check for? “Through interviews, examination of audit logs, and examination of audit log settings” verify that this is being done.
What you MUST do: Enable logging on all PCI systems; for the list of mandated events see PCI DSS.
17. PCI DSS Requirement 10.5
What is it? “Secure audit trails so they cannot be altered.”
What does it mean? Collected logs must be protected from changes and from unauthorized viewing.
What will the QSA check for? “Interview system administrator and examine permissions to verify that audit trails are secured so that they cannot be altered”
What you MUST do: Store logs on a secure system and log all access to the logs themselves.
18. PCI DSS Requirement 10.5.3
What is it? “Promptly back up audit trail files to a centralized log server or media that is difficult to alter.”
What does it mean? Logs must be centrally collected.
What will the QSA check for? “Verify that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter”
What you MUST do: Deploy a log server and collect logs from all PCI systems on it.
19. PCI DSS Requirement 10.6
What is it? “Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like IDS and authentication, authorization, and accounting protocol servers.”
What does it mean? Collected logs must be reviewed daily.
What will the QSA check for? “Obtain and examine security policies … to verify that they include procedures to review security logs at least daily and that follow-up to exceptions is required. Through observation and interviews, verify that regular log reviews are performed for all system components.”
What you MUST do: Establish a log review process and follow it.
20. PCI DSS Requirement 10.7
What is it? “Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.”
What does it mean? Collected logs must be stored for ONE YEAR.
What will the QSA check for? “Verify that audit logs are available for at least one year and processes are in place to restore at least the last three months’ logs for immediate analysis.”
What you MUST do: Make sure that all PCI logs are stored for a year.
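Two of the Requirement 10 points above lend themselves to automated self-checks before the QSA visit: 10.1 (every admin action tied to a user name) and 10.7 (one year kept, the last three months immediately available). The following is an added example, not code from the deck or from Security Warrior Consulting; the sudo-style log lines, host name and archive inventory are constructed, and the (first_day, last_day, online) inventory tuple is an assumed shape for whatever your log server reports.

```python
"""Added example: self-checks for PCI DSS Req 10.1 (user attribution of
admin actions) and Req 10.7 (1-year retention, 90 days online). Sample
log lines and the archive inventory are constructed, not real data."""
import re
from datetime import date, timedelta

# Constructed sudo-style lines as a central log server might hold them.
# The third line deliberately lacks a user name, the gap 10.1 rules out.
SAMPLE_LOGS = [
    "Sep 10 09:12:01 cde-db01 sudo: alice : COMMAND=/usr/bin/psql cardholder",
    "Sep 10 09:14:22 cde-db01 sshd[412]: Accepted publickey for bob from 10.0.0.5",
    "Sep 10 09:20:03 cde-db01 sudo: : COMMAND=/bin/cat /var/log/auth.log",
    "Sep 10 09:21:47 cde-db01 sudo: carol : COMMAND=/usr/sbin/useradd tmp",
]
ADMIN_RE = re.compile(r"sudo:\s*(?P<user>\S*?)\s*:\s*COMMAND=(?P<cmd>.+)$")

def unattributed_admin_actions(lines):
    """Req 10.1: admin commands whose log line carries no user name."""
    return [m.group("cmd") for line in lines
            if (m := ADMIN_RE.search(line)) and not m.group("user")]

def retention_gaps(archives, today, keep_days=365, online_days=90):
    """Req 10.7: `archives` lists (first_day, last_day, online) per batch of
    daily log files. Returns the days in the one-year window with no copy
    at all, and the days in the last `online_days` held only offline."""
    online_by_day = {}
    for first, last, online in archives:
        day = first
        while day <= last:
            online_by_day[day] = online_by_day.get(day, False) or online
            day += timedelta(days=1)
    missing, offline_only = [], []
    for back in range(keep_days):           # today, yesterday, ... 364 days back
        day = today - timedelta(days=back)
        if day not in online_by_day:
            missing.append(day)
        elif back < online_days and not online_by_day[day]:
            offline_only.append(day)
    return missing, offline_only

# Constructed inventory: tape archive up to 20 July, live log server from
# 1 August, checked on 30 September 2010 (the month of this deck).
SAMPLE_ARCHIVES = [(date(2009, 9, 30), date(2010, 7, 20), False),
                   (date(2010, 8, 1), date(2010, 9, 30), True)]
REVIEW_DAY = date(2010, 9, 30)

if __name__ == "__main__":
    print("10.1 unattributed:", unattributed_admin_actions(SAMPLE_LOGS))
    missing, offline_only = retention_gaps(SAMPLE_ARCHIVES, REVIEW_DAY)
    print(f"10.7 missing days: {len(missing)}, offline-only in last 90: {len(offline_only)}")
```

With the constructed inventory the check reports 11 days (21–31 July) with no copy anywhere and 18 days (3–20 July) that fall inside the 90-day window but exist only on tape, both of which a QSA would flag under 10.7.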
21. Want a PCI DSS Book?
“PCI Compliance” by Anton Chuvakin and Branden Williams
Useful reference for merchants, vendors – and everybody else
Released December 2009!
22. Questions?
Dr. Anton Chuvakin, Security Warrior Consulting
Email: anton@chuvakin.org
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
Twitter: @anton_chuvakin
Consulting: http://www.securitywarriorconsulting.com
23. More on Anton
- Now: independent consultant
- Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
- Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
- Standard developer: CEE, CVSS, OVAL, etc.
- Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
- Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
24. Security Warrior Consulting Services
Logging and log management strategy, procedures and practices:
- Develop logging policies and processes, log review procedures, workflows and periodic tasks, and help architect those to solve organization problems
- Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
- Customize industry “best practices” related to logging and log review to fit your environment; help link these practices to business services and regulations
- Help integrate logging tools and processes into IT and business operations
SIEM and log management content development:
- Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
- Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
More at www.SecurityWarriorConsulting.com
27. Want a PCI DSS Book?
“PCI Compliance” by Anton Chuvakin and Branden Williams
Useful reference for merchants, vendors – and everybody else
Released December 2009!
www.pcicompliancebook.info
Editor's Notes
Finally we are ready to talk about PCI 2.0. The specifics are:
“- Clarify that PCI DSS Requirements 3.3 and 3.4 apply only to PAN. Align language with PTS Secure Reading and Exchange of Data (SRED) module.
- Clarify that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of cardholder data environment.
- Expanded definition of system components to include virtual components. Updated requirement 2.2.1 to clarify intent of “one primary function per server” and use of virtualization.
- Provide clarification on secure boundaries between internet and card holder data environment (Requirement 1)
- Recognize that Issuers have a legitimate business need to store Sensitive Authentication Data. (Requirement 3.2)
- Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys, and use of split control and dual knowledge. (Requirement 3.6)
- Update requirement to allow vulnerabilities to be ranked and prioritized according to risk. (Requirement 6.2)
- Merge requirement 6.3.1 into 6.5 to eliminate redundancy for secure coding for internal and Web-facing applications. Include examples of additional secure coding standards, such as CWE and CERT (Requirement 6.5)
- Update requirement to allow business justification for copy, move, and storage of CHD during remote access (Requirement 12.3.10)”
BTW, logs are in there too – but in PA-DSS: “Add sub-requirement for payment applications to support centralized logging, in alignment with PCI DSS requirement 10.5.3. (PA-DSS Requirement 4.4)”
Consulting Services focused on security product strategy, SIEM / log management as well as PCI DSS and other regulatory compliance (details [PDF])

Technology Vendor Services
This section of the services is intended for security vendors and security services providers. The focus is on security and compliance strategy for product planning, development and marketing as well as on content development.
Product management and strategy
- Review security product compliance strategy, PCI DSS strategy and optimize them for the market
- Perform market assessment and analysis, competitive analysis, product strategy (build/buy/partner); prepare Market Requirements Documents (MRDs)
- Help develop and refine security product marketing and positioning messages, focused on compliance and new threats
- Augment internal Product Management staff for strategic security and compliance projects, use case analysis, product definition, Product Requirement Documents (PRD) development
- Work with the product management team to help define and prioritize product features based on market feedback and compliance requirements.
Research and content development
- Lead content development for whitepapers, "thought leadership" documents, research papers and other messaging documents related to security and regulatory compliance (example whitepaper, recent book on PCI DSS)
- Review security and compliance marketing materials, site contents and other public- or partner-facing materials
- Create correlation rules, reports as well as policies, procedures and other operational content to make SIEM and log management products more useful to your customers
- Map regulatory compliance controls such as PCI DSS (key focus!), HIPAA, NERC, FISMA, NIST, ISO, ITIL to security product features and document the use of the product in support of the mandates
- Develop compliance content such as reports, correlation rules, queries and other relevant compliance content for security products.
Events and webinars
- Prepare and conduct thought leadership webinars, seminars and other events on PCI DSS, log management, SIEM and other security topics (example webinar).
Training
- Prepare and conduct customized training on log management, log review processes, logging "best practices," PCI DSS for customers and partners (example training class).
- Develop advanced training on effective operation and tuning of SIEM and log management tools to complement basic training.

End-user Organization / Enterprise Services
This section of the services menu applies to end-user organizations. The main theme is planning and implementing logging, log management and SIEM / SIM / SEM for security and compliance.
Log management and Security Information and Event Management (SIEM) product selection - how to pick the right SIEM and logging product?
- Develop log management or SIEM product selection criteria (related writing)
- Identify key use cases aligning log management and SIEM tools with business, compliance and security requirements
- Prepare RFP documents for SIEM, SEM, SIM or log management
- Assist with analyzing RFP responses from SIEM and log management vendors
- Evaluate and test log management and SIEM products together with the internal IT security team
- Advise on final product selection
Logging and log management policy - how to develop the right logging policy? What to log?
- Develop logging policies and processes for servers and applications, log review procedures, workflows and periodic tasks, and help architect those to solve organization problems
- Interpret regulations and create specific and actionable logging system settings, processes and log review procedures (example: what to log for PCI DSS?)
- Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
- Customize industry "best practices" related to logging and log review to fit your environment; help link these practices to business services and regulations (example)
- Help integrate logging tools and processes into IT and business operations
SIEM and log management product operation optimization - how to get more value out of the tools available?
- Clarify security, compliance and operational requirements
- Tune and customize SIEM and log management tools based on requirements
Content development
- Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
- Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
Training - how to get your engineers to use the tools best?
- Provide customized training on the tools and practices of log management for compliance, IT operations, or security needs (example training conducted)
- Develop training on effective operation and tuning of SIEM and log management tools to complement basic vendor training.
Incident response artifact analysis
- Analyze logs and other evidence collected during security incident response