Prepared by Jerod Brennen For ISACA – Central Ohio Chapter Meeting 12/9/2010.
Overview
Summary of Changes
Operational Perspective
Details of Changes
Observations
Summary of Changes (136)
Clarifications (119 total): wording portrays intent
Additional Guidance (15 total): increase understanding
Evolving Requirements (2 total): emerging threats and changes
https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf
https://www.pcisecuritystandards.org/documents/pci_dss_v2_summary_of_changes.pdf
Operational Perspective
Informational: 61 total
Moderate Impact: 41 total
Significant Impact: 34 total
Subjective (your mileage may vary)
Details – General
Operations Staff
PCI DSS Applicability Information
○ Account Data = Cardholder Data + Sensitive Authentication Data
Scope of Assessment for Compliance with PCI DSS Requirements
○ Added “virtualization components” to the definition of “system components”
Policies, Procedures, Standards, etc.
Auditors
Sampling of Business Facilities and System Components
○ Criteria that must be documented when sampling
○ Sampling rationale must be (re)validated with each audit
Instructions and Content for Report on Compliance
○ Pp 14-17 > detailed instructions for the RoC
Consistency (QSA selection)
○ How much will the Summary of Changes alter QSA procedures?
Details – Section 1
Moderate Impact
1 > “system components providing firewall functionality” to be treated as firewalls
1.1.5 > examples of insecure services, protocols, & ports (FTP, Telnet, POP3, IMAP, SNMP)
1.3.6 > removed specification of port scanner use
1.3.7 > testing procedure applies to “any type of cardholder data storage” (i.e., files)
Significant Impact
1.4.b > “personal firewall software should not be alterable by employee-owned computer users”
○ Local admin rights?
Details – Section 2
Moderate Impact
2.1.1.a-e > removed reference to WPA
○ WPA cracked in late 2008
2.2 > added sources for hardening standards
○ CIS, ISO, SANS, NIST
2.2b > linked system configuration standards to vulnerabilities (was in 6.2.b)
2.2.2.a-b > only enable “necessary and secure” services
2.3.a-c > “strong” cryptography is required
○ Need for agility (point-in-time)
Significant Impact
2.2.1 > clarified intent of “one primary function per server” and use of virtualization
○ Web, Database, DNS; functions that require different security levels
2.2.1.b > optional testing procedure for virtualization technologies
Details – Section 3
Moderate Impact
3.4 > Deleted note on compensating controls
○ “may be applicable for most PCI DSS requirements”
3.4.1.c > Clarification on encryption of removable media
○ Rendered unreadable through encryption or some other method
3.5 > “Any” keys used to secure cardholder data must be secured
3.6.6 > Clarification around key management operations
○ “manual clear-text cryptographic key mgmt operations”
3.6.8 > Key custodians’ formal acknowledgment (written or electronic)
Significant Impact
3 > Introductory paragraph: don’t send PANs via end-user messaging tech (email, IM)
○ Enforcement?
3.2 > business justification for storing “sensitive authentication data”
3.6.4 > Increased frequency of key changes, per “defined cryptoperiod”
3.6.5 > New testing procedures for retired keys
Details – Section 4
Moderate Impact
4.1.c > Protocol “must be implemented” to use only secure configurations (i.e., encrypted)
Significant Impact
4.1.1 > 6/3/2010 has passed; no more WEP
4.2 > PANs should never be sent by end-user messaging technologies (see section 3)
Details – Section 5
Moderate Impact: none
Significant Impact
5.2 > AV must be generating audit logs, and not just “capable of generating” logs
Details – Section 6
Moderate Impact
6.3.2 > clarified scope to include non-web applications
6.4.5.a-b > addresses security patches and software modifications
○ Details to include in change documentation
6.4.5.1 > documentation of impact is required
6.5 > broadened to include OWASP, SANS CWE, & CERT
6.5.1-9 > again, OWASP + CWE + CERT
Significant Impact
* 6.2 > evolving requirement: rank vulnerabilities according to risk
6.3.a-d > added types of software apps to be tested (scope)
○ Security in “written software development processes”
6.4.5.3.a-b > requires security testing for application changes
* 6.5.6 > new requirement regarding high-risk vulnerabilities
○ Best Practice through 6/30/2012
Details – Section 7
Moderate Impact: none
Significant Impact: none
Details – Section 8
Moderate Impact
8 > POS access to one card number at a time
○ Aligned with PA-DSS requirement 3.2
8.3 > clarified intent of multi-factor authentication
○ Know, Have, Are
○ No clarification on physical vs. virtual here
8.5.3 > password resets (unique value, immediate change)
8.5.6.a-b > clarified “access” by vendors
○ Disabled by default, enabled only when needed
○ Monitored while being used
8.5.9-13 > password management for “non-consumer users”
○ For service providers only
Significant Impact
8.5.2/7/8/13 > allow for authentication mechanisms outside of passwords
8.5.16.a-d > restricting user queries against databases
○ Closer review of database config
Details – Section 9
Moderate Impact
9.1.3 > restrict physical access to “networking / communications hardware and telecommunications lines”
9.3.1 > visitors are not permitted unescorted physical access to areas that store cardholder data
9.6 > changed “paper and electronic media” to “all media”
○ Computers, removable electronic media, paper receipts, paper reports, faxes, etc.
Significant Impact
9.7.1 > intent is to determine sensitivity of data on media
○ “Verify that all media is classified…”
Details – Section 10
Moderate Impact
10.4.2 > changes to time settings are authorized
10.4.3 > time is received from industry-accepted sources
Significant Impact
10.7.b > processes to “immediately restore” log data (vs. “immediately available”)
Details – Section 11
Moderate Impact: none
Significant Impact
11.1 > “detect unauthorized wireless access points on a quarterly basis” (vs. real-time)
11.1.a-e > detect & alert on unauthorized wireless access points
11.2.1-3 > internal & external scans must be verified (ASV)
11.2.1.a-c > scans must be repeated & verified until all high vulnerabilities have been resolved
11.2.2.a-b > ref to ASV Program Guide Requirements
11.2.3.a-c > keep scanning until high vulnerabilities are resolved
11.3.2 > vulnerability scanning must encompass all application types in-scope (see 6.5)
11.4 > IDS/IPS at the perimeter and at key points inside the CDE
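The repeat-until-resolved loop that 11.2.1 and 11.2.3 describe, as an added Python example that is not part of the presentation: it walks successive rounds of scan findings (constructed here), treats any finding rated high or above, or carrying a rating it does not recognise, as blocking a passing scan, and records per round what was resolved, what is still open and what appeared new, stopping at the first round with no blocking findings. The severity vocabulary, the "high" threshold and the Finding fields are assumptions; a real run would load the scanner's export instead of the sample rounds.

```python
"""Rescan-until-resolved tracker for PCI DSS v2.0 requirements 11.2.1 / 11.2.3.

Added illustration, not from the presentation. The severity labels, the
threshold and the sample findings below are assumptions constructed for
the example; a real deployment would load findings from the scanner.
"""
from dataclasses import dataclass

# Assumed severity vocabulary; scanners differ in their naming.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
FAIL_THRESHOLD = SEVERITY_RANK["high"]  # "high" and above block a passing scan


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    severity: str  # expected to be a SEVERITY_RANK key, any case

    def key(self):
        return (self.host, self.plugin_id)

    def blocks_pass(self):
        # Unrecognised ratings are treated as blocking so that a missing or
        # malformed severity can never quietly make a scan pass.
        rank = SEVERITY_RANK.get(self.severity.lower(), FAIL_THRESHOLD)
        return rank >= FAIL_THRESHOLD


def scan_passes(findings):
    """A scan passes only when no blocking (high or above) finding remains."""
    return not any(f.blocks_pass() for f in findings)


def compare_rounds(previous, current):
    """Classify blocking findings as resolved, still open or new since last round."""
    prev = {f.key() for f in previous if f.blocks_pass()}
    curr = {f.key() for f in current if f.blocks_pass()}
    return {
        "resolved": sorted(prev - curr),
        "still_open": sorted(prev & curr),
        "new": sorted(curr - prev),
    }


def run_verification(rounds, max_rounds=5):
    """Keep scanning until no high+ findings remain (11.2.1 / 11.2.3).

    Returns (round_number, history): round_number is the 1-based round at
    which the scan passed, or None if it never passed within max_rounds.
    history holds one evidence record per round for the assessor.
    """
    history = []
    previous = []
    for n, findings in enumerate(rounds, start=1):
        if n > max_rounds:
            break
        record = {"round": n, "passed": scan_passes(findings)}
        record.update(compare_rounds(previous, findings))
        history.append(record)
        if record["passed"]:
            return n, history
        previous = findings
    return None, history


# Constructed sample: three successive scan rounds against two hosts.
SAMPLE_ROUNDS = [
    [Finding("web01", "10001", "high"),
     Finding("web01", "10002", "medium"),
     Finding("db01", "10003", "critical")],
    [Finding("web01", "10002", "medium"),       # 10001 fixed on web01
     Finding("db01", "10003", "critical"),      # still open
     Finding("fw01", "10004", "High")],         # new host surfaced, mixed case
    [Finding("web01", "10002", "medium")],      # only a medium remains
]

if __name__ == "__main__":
    passed_round, history = run_verification(SAMPLE_ROUNDS)
    for rec in history:
        print(rec)
    print("passed in round", passed_round)
```

The loop is bounded by `max_rounds` so that a scan that never clears its blocking findings surfaces as a failure rather than an endless rescan, and the per-round history is the evidence an assessor would want to see alongside the final passing report.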
Details – Section 12
Moderate Impact
12.1.3 > replaced “once a year” with “annually”
12.3 > added “tablet” to example technologies
12.3.10.a-b > flexibility to limit prohibitions to those “personnel without authorization”
12.7 > “potential personnel to be hired for certain positions”
○ Recommendation if personnel can only access one card number at a time
Significant Impact
12.1.2 > test should verify risk assessment documentation
12.8.4 > monitor service providers’ PCI compliance at least annually
12.9.3 > designated personnel should be available 24/7 for incident response
Details – Appendices
Moderate Impact
Appendix E is now “Attestation of Compliance – Service Providers”
○ options for list of services not covered by PCI DSS assessment
Appendix D > Segmentation and Sampling of Business Facilities / System Components
○ was Appendix F
○ aligns with new introduction
Significant Impact: none
Observations
Perception
○ Revised vs. New
○ Should vs. Must
○ 27 vs. 77
○ Effective Date
○ Risk-Based
New Technologies
○ Wireless
○ Virtualization
○ Encryption (future-state)
○ Better Log Management
Opportunities
○ Fresh Document
○ Auditors can help Operations achieve compliance
○ Budget
Questions?
Jerod Brennen
http://twitter.com/slandail
http://www.linkedin.com/in/jerodbrennen