MindTheSec Anatomia de um Ataque
•Transferir como PPTX, PDF•
0 gostou•258 visualizações
O documento resume um discurso sobre anatomia de um ataque cibernético. Ele discute como ataques comuns começam com spear phishing ou exploração de vulnerabilidades conhecidas, levando à infecção de computadores e acesso não autorizado a dados. Ele também destaca a importância de patches de segurança e treinamento contra phishing para prevenir a maioria dos ataques.
Recomendados
Recomendados
Mais conteúdo relacionado
Mais de Wolfgang Kandek
Mais de Wolfgang Kandek (11)
Último
Último (6)
MindTheSec Anatomia de um Ataque
- 1. Anatomia de um Ataque Wolfgang Kandek, Qualys wkandek@qualys.com @wkandek 27 Agosto 2015 mindthesec - São Paulo, Brasil
- 2. Verizon Data Breach Investigation Report
- 4. Verizon Data Breach Investigation Report
- 5. Verizon Data Breach Investigation Report
- 6. Verizon Data Breach Investigation Report
- 8. 2122 Data Breaches Dados financeiros, Dados de Produtos, Dados pessoais, Usuários/Senhas
- 10. > 99% mais que 1 ano
- 11. > 99%
- 12. Mas 40 em 2014
- 13. Mas 40 em 2014 e 50% em 2 semanas
- 14. > 99%
- 15. Malware Infects Computer Exploit for known Vulnerability Targeted E-mail Spear Phishing Social Media Profile Exploit for 0-day Vulnerability Known Worm/Virus Infected USB Drive Find infected Computers Command and Control Username/ Passwords Dataloss Brand Finance Others
- 16. > 99%
- 17. 1. CTO (fan de punk), ticket punk rock show, abriu doc, script falhou 2. Empregado, oferta de emprego, abriu doc, script rodou 3. COO (Historia Grega), comentário de artigo, não abriu doc 4. Empregado, pedido de informação sobre projeto, não abriu doc 5. Empregado, formulário de pesquisa de um emprego passado, abriu doc, script rodou, mas não teve acesso a conta 6. Administrator de Sistemas, oferta de associação professional, abriu doc, script roda, -> Infecção
- 18. Demo
- 19. Demo
- 24. > 99%
- 25. > 99%
- 29. Resources • Verizon DBIR 2015 http://www.verizonenterprise.com/DBIR/ • Chevron https://www.rsaconference.com/events/us15/agenda/sessions/1983/ building-a-next-generation-security-architecture • BSI https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikatio nen/Lageberichte/Lagebericht2014.pdf • Phishing Example https://www.reddit.com/r/Bitcoin/comments/3bpdb4/bitstamp_inciden t_report_22015/
Notas do Editor
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.