The Anatomy of an Attack
Wolfgang Kandek, Qualys
wkandek@qualys.com
@wkandek
23 September 2015, Hamburg
Verizon Data Breach Investigation Report
2122 Data Breaches
Financial data, product data,
personal data,
usernames/passwords
Vulnerabilities
> 99% over 1 year old
But 40 in 2014
And 50% within 2 weeks
Attack chain (slide diagram):
Malware on the computer
Exploit for a known vulnerability
Targeted e-mail (spear phishing)
Profile on social media
Exploit for a 0-day vulnerability
Known worm/virus
Infected USB drive
Find affected computers
Command and control
Usernames/passwords
Data loss: brand, financial, other
Demo
1. CTO (punk fan), ticket for a punk rock show, opens the Word file,
script does not work
2. Employee, job offer, opens the Word file, script
works
3. COO (Greece specialist), journalist, newspaper article,
no time/interest
4. Employee, request for information about a private project,
Word file not opened
5. Employee, information about a position, Word
file opened, infected, but without the necessary
access rights
6. System administrator, offer of a membership, Word
file opened, script works, infected...
Phishing
Training
10% -> 2%
Vulnerabilities
Patch
95%/99%
> 99%
Priority on exploits
MS15-020, MS15-051
0-days
Harden
Then:
Passwords
Finally:
Breach detection
Thank you
Wolfgang Kandek
wkandek@qualys.com
@wkandek
http://www.qualys.com
References
• Mr Robot – on iTunes and Amazon
https://de.wikipedia.org/wiki/Mr._Robot(Fernsehserie)
• Verizon DBIR 2015
http://www.verizonenterprise.com/DBIR/
• Chevron
https://www.rsaconference.com/events/us15/agenda/sessions/1983/building-a-next-generation-security-architecture
• BSI
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2014.pdf
• Hardening
https://www.virusbtn.com/pdf/conference_slides/2013/Niemela-VB2013.pdf
Editor's Notes

  1. PCI Compliance:
     A secure connection between the customer’s browser and the web server.
     Validation that the Website operators are a legitimate, legally accountable organization.
     Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.
     Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks.
     Verify that strong encryption is used during data transmission.
     For SSL implementations:
     - Verify that the server supports the latest patched versions.
     - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).
     - Verify that no cardholder data is required when HTTPS does not appear in the URL.
     Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit.
     Verify that only trusted SSL/TLS keys/certificates are accepted.
     Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.)
     Typically, compliant entities have a year grace period to meet the new requirement.
     Transmission confidentiality and Integrity (SC-8): The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
  20. PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
  21. PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
  22. PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
  23. PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
  24. PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
  25. PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
  26. PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
  27. PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
  28. PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
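The test procedures on the slide (latest patched protocol versions, only trusted certificates accepted, adequate cipher strength, no cardholder data requested over a non-HTTPS URL) can be turned into a small assessor's check. The following is an added example, not code from the slide deck or from PCI SSC; the legacy-protocol set, the weak-cipher markers and the 128-bit minimum are assumptions chosen to reflect PCI DSS 3.1's exclusion of SSL and early TLS from "strong cryptography", and the sample observations at the bottom are constructed, not captured from real hosts.

```python
"""TLS posture check aligned with the PCI DSS 4.1 test procedures quoted above.
Added example; thresholds are assumptions, not PCI SSC text."""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urljoin, urlparse

# Assumption: protocol versions an assessor flags as not "strong cryptography".
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: substrings of OpenSSL cipher names that indicate weak suites.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "anon")
MIN_KEY_BITS = 128  # assumption: minimum symmetric key strength accepted


@dataclass
class TlsObservation:
    """What one handshake against a server told us."""
    protocol: Optional[str]        # negotiated version, e.g. "TLSv1.2"; None if no handshake
    cipher: Optional[str]          # negotiated cipher suite name
    cipher_bits: Optional[int]     # symmetric key strength in bits
    certificate_trusted: bool      # chain validated and hostname matched
    verify_error: str = ""         # OpenSSL's reason when certificate_trusted is False


def evaluate(obs: TlsObservation) -> list:
    """Map an observation to PCI-style findings; an empty list means no issue."""
    findings = []
    if not obs.certificate_trusted:
        # Verification failure aborts the handshake, so nothing else was negotiated.
        findings.append(f"certificate not accepted by trust store: {obs.verify_error}")
        return findings
    if obs.protocol in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol negotiated: {obs.protocol}")
    if obs.cipher_bits is not None and obs.cipher_bits < MIN_KEY_BITS:
        findings.append(f"cipher key strength {obs.cipher_bits} < {MIN_KEY_BITS} bits")
    if obs.cipher and any(m in obs.cipher for m in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite: {obs.cipher}")
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> TlsObservation:
    """Connect using the platform trust store with hostname checking enabled
    (Python's create_default_context defaults) and record what was negotiated.
    Requires network access; not exercised by the offline checks below."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, _proto, bits = tls.cipher()
                return TlsObservation(tls.version(), name, bits, True)
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain or hostname mismatch: the server was not accepted.
        return TlsObservation(None, None, None, False, exc.verify_message)


def cardholder_form_ok(page_url: str, form_action: str) -> bool:
    """'No cardholder data is required when HTTPS does not appear in the URL':
    resolve the form's action against the page and require the https scheme."""
    target = urljoin(page_url, form_action)
    return urlparse(target).scheme == "https"


def sample_observations() -> dict:
    """Constructed observations (no real hosts) to exercise evaluate()."""
    return {
        "compliant": TlsObservation("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", 128, True),
        "legacy": TlsObservation("TLSv1", "RC4-SHA", 128, True),
        "untrusted": TlsObservation(None, None, None, False, "self signed certificate"),
    }


if __name__ == "__main__":
    for label, obs in sample_observations().items():
        print(label, evaluate(obs) or "OK")
```

`probe()` deliberately uses the default context rather than disabling verification: an assessor wants to see what a properly configured client would accept, so an untrusted chain is recorded as a finding instead of being bypassed. A server that negotiates TLS 1.2 with this client may still accept older versions from other clients; confirming that requires a separate handshake with the version range capped, which this example leaves to a dedicated scanner.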