CISO

Enterprise Information Security

PCI DSS & Network Devices

by Leave a Comment

PCI DSS requirements say many things about network security to make the card holder data safe and protected when it is stored, transmitted & processed. How we can achieve the maximum level of security through network devices? PCI DSS requirement talk about installation and maintenance of infrastructure devices like firewalls, IPS, routers, switches, etc. How we are going to make them secure?

We will start with access control. We have to prevent unauthorized access to the scope through these devices. There should be strict policies and procedures to access these devices and data processing facilities. A two factor authentication is an ideal solution to to access these devices. Stricter procedures should be implemented to access the data processing facilities (Physical access to the devices). All the default passwords should be replaced with memorable and non-guessable strong passwords in the operational environment.  Access to this equipment should be restricted only to authorized person with unique user id so that the tracking is possible. Apart from this, access to console port and configuration ports must be restricted and controlled. All the unnecessary ports and protocols should be disabled. Also remote access to these devices should be encrypted and enable filtering on gateways.

Implement strict policies and procedures for the configuration changes and management. As the time passes we may require changes to the configuration of these devices for short term & permanent. The change request should contain the need for temporary changes and the duration the change needs to exist. After the requirement, the device should be brought back to the original configuration and must be reported to concerned authorities. Always vigilant during this time so that the bad guys exploit these changes  to access the card holder data or interrupt the operations. Always adhere to the standards to harden these devices (NIST / IEEE).  Keep up to date with latest patches released by vendors. Experiment them in the lab environment and bring them to operational environment as early as possible, maximum within one month.

As we know, PCI is very sensitive and critical industry. Even a single minute mistake can take a financial institution to bankrupt and a nation in to financial crisis, we have to keep us vigilant always to make things safer and protected. Hope we can have better sleep by taking all these but not limited to these measures. Whenever we have a new idea to make things better, experiment it, make it fool proof, and implement it for a safer tomorrow.

How long can CISO’s avoid Cloud Computing?

by 2 Comments

Cloud computing is gaining momentum in the business world. More and more business wants to increase their IT usage on the cloud utilizing the cloud computing benefits such as faster provisioning, scalability and lower of capital expenditure

Many of the Security professionals are not very comfortable with Cloud Computing as an option for the technology needs of the organization. Often they act as the .Dr.No. towards cloud computing options available or presented.

No the big question is that .How long can CISO’s avoid Cloud Computing?.

Let us look at the history

  • Banks introduced ATM machines and we were doubtful about the ATMs and often counted the money. Now it is a normal thing to take money and many a times no one counts how much the machine delivered
  • The next thing was the Internet. Critical systems were never connected to internet in the earlier days. Now most of the systems are connected to the internet directly or indirectly.
  • Internet Banking was the next thing. A UAE based bank opened the internet banking channel only two years bank. Though there are people still using the conventional channels for banking, Online Banking is a key channel today where the customers do financial transactions over the internet. In the earlier days, it was not the case.

In all these cases, there used to be resistance to adapt the change. Cloud computing is no different. It is only a matter of time to get this adapted by companies and CISO.s.

Many of the CEO.s are not very sure about the cloud computing and if they are already using cloud computing in their business. Think about services like GMail powered emails, SalesForce CRM and many of those sort, it is all cloud services

Now the question is .How to get the Cloud Computing adapted in your business when required?.

There are some key questions a CISO should ask the cloud computing vendor to assess whether they can protect your data as you are protecting them internally in your organization.

Network & Systems delivering the cloud service

  • How does the authentication to access the network devices and operating system implemented? Does it use any two factor authentication?
  • About the availability of the network and security infrastructure? does it implement load balancing or high availability solutions for the critical infrastructure components like firewalls, IPS, reverse proxies etc.
  • Is the underlying cloud systems are secured? Do they have a baseline configuration implemented? How does the configuration managed? Does the cloud computing provider got a plan and/or policy to perform configuration management, patch management, anti-malware etc.
  • Does the network undergoes periodic penetration testing? Does it undergo internal vulnerability assessment periodically? How is it ensuring that a compromised client with privileged access to the operating system is separated internally?
  • Does it undergo periodic audits against standards like ISO27001, SAS70 etc?
  • How is the customer data separated from one another? What are the security controls implemented to ensure this separation?
  • What are the protection and response controls against the Denial of Service attacks?

Cloud Applications & Data Protection

  • What are the security controls in the application development process? Does it include security code reviews of the code being developed or used?
  • Is there a documented change and configuration management process? How does the application servers patched and what frequency?
  • What are the mechanisms for managing the access control? How is the database protected from unauthorized access? How are they identifying the access reset requests are from the actual user. How do they create and delete/disable user accounts? what are the procedures for these activities.
  • IS the data encrypted? If encrypted, how is the encryption keys are protected? What is key management process being followed?
  • How is the data loss prevention ensured? Details of the DLP controls implemented?
  • Is there a backup mechanism established? How is the data protected in the backups?
  • Does the cloud service provider meets the regulatory requirements? For example, if the service is a ecommerce service then the cloud service could become part of the card holder environment and thus the PCI DSS regulation as there are potential card data being processed. Similarly, if the health information is processed, it can be HIPAA and similar other regulations. Is the cloud computing service provider meets the compliance requirements?
  • Where is your data being hosted? Is it within your country or its jurisdiction? Is your organization comfortable with the legal system in the country where your data resides? How about cloud computing service provider who has a network of data centres across the globe and your data is scattered across these data centres? Can it limit the countries where the data is stored?
  • What are the conditions / scenarios where the data is revealed without the consent / approval of the organization?
  • Does the application provide enough audit trials to review the incidents? Does it corporate with local legal system? Often the local law authorities require access to the processing computers, how is it support those requests?

Security Management

  • What are the information security management policies and procedures implemented and documented? Are all employees required to undergo the security awareness training and acknowledge their acceptance to the policies and procedures at least annually?
  • Is the cloud computing service provider has a dedicated information security professional? What are the network security capabilities established by the service provider? Are these personal technical qualified and certified?
  • How is the insider threats within the cloud service provider being addressed? What is the background verification process being followed by the cloud service provider?
  • Is there a privileged activity monitoring of systems and databases? How is the security incidents and violations are handled? Does it have a documented policy?
  • How is the log integrity ensured? What are the mechanisms implemented to ensure that the logs cannot be altered and / or stopped. How long the logs are kept online and on the backup?
  • What are the business continuity and disaster recovery capabilities of the cloud service provider? Many organization look at cloud as a BCM solution. Does the underlying cloud service provider is capable of delivering a BCM aware cloud service?

Not all questions above are not necessarily in the scope of all cloud computing vendor selection process. Depending on the criticality of the data being hosted at the cloud computing infrastructure you would need to choose the questions.

These questions are complied to assess a cloud computing offering from a financial service provider and may not be suitable to all organizations. If you think I should add more into the list, do let me know. I might release an excel sheet covering all these questions as a decision tree tool.

You may also want to read:

Who should be PCI Compliant

by Leave a Comment

It is often asked if this organization should be PCI Compliant. Many conferences include a discussion around the topic of Who should be PCI compliant.

PCI DSS is applicable to all organizations who store, process or transmit account data. Extract from the PCI Standard tells us that the account data consist of cardholder data plus Sensitive Authentication Data

Cardholder data includes:

  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date
  • Service Code

Sensitive Authentication Data includes:

  • Full magnetic stripe data or equivalent on a chip
  • CAV2/CVC2/CVV2/CID
  • PINs/PIN blocks

If the PAN is stored, processed or transmitted then the PCI DSS requirements are applicable to the organization. However, if the PAN is not stored, processed or transmitted PCI DSS requirements do not apply.

This provides clarity on whether or not your organization falls under the PCI DSS requirement and weather you should be PCI Compliant

Outsourcing the payment card related activities

by Leave a Comment

Many organizations outsource their work to third parties for meeting their business objectives. The objectives vary from simple low cost labour to risk management practices. Some organizations outsource part of the work while others outsource a major chunk of their work.

In this essay, I will be covering some aspects of outsourcing the payment card related activities. The key focus is on doing a review of what are the areas to be looked into when the payment card related processing is outsourced.

Being an Information Security Manager at a Bank, I would be concerned about the information security practices of the third party. A key area to be looked into is the risk posture of the vendor and how it is aligning the information security best practices.

Does it have ISO 27001 implemented, is it managed and reviewed periodically. What is the scope of the ISO27001 implementation? These are some of the questions to be asked to understand if the vendor is serious about the information security practices.

Coming to the specifics of PCI DSS, the 12.8 section of the PCI DSS standard discusses the controls to be implemented when the card holder data is shared with service providers.

12.8.1 requires the organization to maintain a list of all the service providers readily available.

12.8.2 requires the organization to have a written agreement with the vendor and also requires that the vendor (service provider) acknowledges the responsibility of securing the card holder data.

It would be easily addressed through adding these clauses in the business agreement or security agreement and is acknowledged by the service provider when they sign the agreement.

12.8.3 is more interesting. It requires the organization to have a formal process in engaging with service providers. This includes ensuring due diligence before engaging with the vendor / service provider.

There are many ways for doing it. The best way I should look for is to check the compliance of the vendor towards PCI DSS. An easy mechanism is to ask for a copy of the PCI DSS compliance certificate issued to the vendor. In addition, one can also check the PCI Security council website for a list of active service providers with a good compliance status. In short, it is advisable to ensure that one criteria for vendor selection shall be the PCI DSS compliance and certification.

12.8.4 is for monitoring the service providers PCI DSS compliance status. The best mechanism is to include legally binding clauses in the business agreement whereby the vendor is required to communicate the status of the PCI DSS status to the organization as and when there is a change in the status which includes renewal, failure to comply etc.

In addition, the organization shall periodically check the status of the service provider at the PCI Security council website for validating the status.

If these requirements are met, the organization can outsource the payment card related activities while ensuring the compliance towards the PCI DSS standard. A key advantage in addition to the low cost labour, is the transfer of risk to a third party

PCI Compliant Hosting

by 1 Comment

PCI compliant hosting is one of the key aspect you need to look for when you plan to host some of the credit card data of your customers at hosting providers site. Some of the key aspects you should look for from a PCI DSS Compliance perspective are (to qualify a service provider as PCI compliant hosting provider):

  • The hosting provider should support / allow the periodic pci scans/ vulnerability scans /asv scans
  • Shared hosting providers must protect each entity.s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.

Specific to the payment card industry data security standard or commonly known PCI standard the following requirements should be met by the PCI Compliant Hosting provider:

  • 1.1 Establish firewall and router configuration standards and all the sub controls
  • 1.2 Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment and all the sub controls
  • 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment and all the sub controls
  • 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards and all the sub controls
  • 2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web based management and other non-console administrative access.
  • Requirement 5: (5.1 an 5.2) Use and regularly update anti-virus software or programs
  • 6.1 Ensure that all system components and software have the latest vendor-supplied security patches
    installed. Install critical security patches within one month of release.
  • 6.2 Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by
    PCI DSS Requirement 2.2 to address new vulnerability issues.
  • 6.6 on the web application firewall requirement, if applicable
  • 8.3 You might need to consider this if it is applicable
  • 8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components and some of the sub controls
  • Requirement 9: Restrict physical access to cardholder data and all sub controls. This is a key component as all the physical security is the responsibility of the hosting provider

As per my view, this list covers most of the requirements to be met by the service provider to be classify as PCI Compliant Hosting

PCI SSC Guidance for Merchants on PCI DSS

by Leave a Comment

The PCI Security Standards Council, a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PCI PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), today released a new resource to promote card data security through adoption of the PCI DSS. The Prioritized Approach framework helps merchants identify highest risk targets, create a common language around PCI DSS implementation efforts and demonstrate progress on the compliance process to key stakeholders.

The Prioritized Approach framework was created to help merchants who are not yet fully compliant with the PCI DSS understand and reduce risk while on the road to compliance.

Comprised of six security milestones outlined below, the tool focuses on best practices for protecting against the highest risk factors and escalating threats facing cardholder data security:

  1. Milestone One: If you don.t need it, don.t store it
  2. Milestone Two: Secure the perimeter
  3. Milestone Three: Secure applications
  4. Milestone Four: Monitor and control access to your systems
  5. Milestone Five: Protect stored cardholder data
  6. Milestone Six: Finalize remaining compliance efforts, and ensure all controls are in place

.Securing cardholder data is the ultimate priority and following the PCI DSS is the best way to achieve this. The Prioritized Approach framework will help stakeholders understand where they can act to reduce risk earlier in their journey towards PCI DSS compliance,. said Bob Russo, general manager, PCI Security Standards Council. .The launch of these new guidance and interactive documents are another step by the Council to increase understanding of and education around PCI DSS among merchants, providing them with insight into how they can protect card holder data faster and demonstrate progress and compliance with the PCI DSS..

The Prioritized Approach was compiled after considering actual data compromise events, feedback from Qualified Security Assessors (QSAs) and forensic investigators and input from the PCI SSC Board of Advisors. The framework gives practical suggestions on how to approach compliance with PCI DSS to create the most immediate impact on card data security in a merchant.s environment. The Prioritized Approach also creates a common language to improve communication around compliance progress between merchants, QSAs, acquiring banks and card brands.

The Prioritized Approach framework is available on the Council.s website and includes a reference document and simple to use, downloadable worksheet that allows merchants to sort specific PCI DSS requirements by Prioritized Approach milestones. In addition, educational webinars to provide insight and information on how to utilize the Prioritized Approach framework will be held on Wednesday, March 18th at 11:30am and 7:30pm

ET. Register at http://register.webcastgroup.com/event/?wid=0800318094557 (11:30 am ET Webinar) or http://register.webcastgroup.com/event/?wid=0800318094558 (7:30 pm ET Webinar).

https://www.pcisecuritystandards.org/pdfs/090318pci_dss_prioritized_approach_webinar.pdf

The Payment Card Process

by Leave a Comment

When a payment happens using a payment card (debit/credit) a verification process happens at the background which will decide whether to approve or reject the transaction. When a customer pays for products or services with a credit card, the card information is recorded.either by manual entry, a card imprinter, point-of-sale (POS) terminal, or virtual terminal.and then verified so that the merchant can receive payment for the transaction.

This process involves the following parties:

  • Cardholder: the owner of the card used to make a purchase
  • Merchant: the business accepting credit card payments for products or services sold to the cardholder
  • Acquirer: the financial institution or other organization that provides card processing services to the merchant
  • Card association: a network such as VISA