Leveraging PCI Compliance: Managing Risk in Michigan
Dan Lohrmann, Chief Information Security Officer, State of Michigan
West Michigan ISACA, October 16, 2008
What’s on Tap? • First things first • The Perfect Security Storm • The Michigan Journey • The Good, the Bad, the Ugly • PCI Compliance: Many Birds with One Stone • Combining People-Processes-Technology • Lessons Learned • Next Steps
First things first… A bit about me:
• Former NSA analyst
• Former IT Director, ManTech International, UK
• Roles as State Agency CIO and e-Michigan CTO
• Over 23 years of IT experience
• Director, Michigan's Office of Enterprise Security: staff of 30 security professionals; emergency management coordinator; homeland security liaison; cybersecurity manager
A bit about MDIT… What role do we play?
• In 2001, IT services consolidated from 19 agencies into one department, MDIT
• We now support all of the agencies with a $378 million annual budget
• Our 1,700 employees support and maintain: over 800 critical business applications, over 55,000 desktop computers, over 1,300 telecommunications locations
Michigan in focus
What services do we touch? All of them! Whenever a citizen:
• Files an income tax return
• Pays or receives child support
• Wins the Lottery
• Compares schools
• Starts a business
• Applies for a driver's license… or gets pulled over by a state trooper
And, like many of you, from 2005-2007 Michigan endured the "perfect security storm"
The Perfect Security Storm
• Vulnerabilities… MS patches never end; legacy systems; multiple OS versions and consolidation of servers; configuration and asset management
• Identity theft… exploding number of attacks; hackers and viruses; privacy data; homeland security; organized crime
• More with less… budget cuts; standardization (too many scanners and tools); operational fires (viruses) continue; staffing efficiencies desired
• Compliance… Payment Card Industry (PCI); HIPAA; NIST (new audits, SOX); breach laws and notification
How has compliance tightened?... The New Rules for CSOs: FISCAM Controls
We're here today to talk a little bit about the "Michigan Story" and how we are weathering the storm…
The Good, the Bad & the Ugly • The perfect storm resulted in a set of conditions challenging security officials like never before • In Michigan, there were pros and cons alike…
The Michigan Story: The Good • We had an eager customer, the Department of Treasury, ready and willing • Funding was available from Homeland Security • Our CIO set a department-wide mandate on improved security
The Michigan Story: The Bad • Lack of motivation for change among some…another “to do” • Culture and attitude hurdles…“don’t touch my server/we’re different” • Skill sets training for technical staff lacking • Ownership questions and multiple audiences
The Michigan Story: The Ugly • Poorly administered change control - infrastructure move, add, change (IMAC) process – not centralized • Negative penetration test results, audit findings • Multiple reports/purposes/metrics, moving vulnerability and requirement targets • Lack of standard configurations and builds, multiple credit card solutions We also had too many vulnerability scanning tools…
The Michigan Story: Pick a Tool, Any Tool
The Michigan Story: Many Birds with One Stone If we could solve this one problem, we could address multiple issues: • Audit findings • Security holes from pen test • Legal requirements/compliance • Implement industry best practice • Improve overall IT processes And… • Satisfy our Treasury customer The answer was clear… PCI Compliance was necessary!
What is PCI Compliance? Otherwise known as the Payment Card Industry (PCI) Data Security Standard, PCI compliance:
• Is a standard that applies to any organization that stores, processes or transmits payment card data: financial institutions, Internet vendors and retail merchants alike
• Spells out the security measures and auditing procedures required to protect cardholder data during payment card transactions
• Is used by all card brands to assure the security of the data gathered during transactions
PCI Security Standards Council, LLC: https://www.pcisecuritystandards.org
Mission: Enhance payment account data security by fostering broad adoption of PCI DSS
Cost of Non-Compliance
In the event of a breach the acquirer can make the merchant responsible for:
• Any fines from the card brands (up to $500,000 per incident)
• Cost to notify victims
• Cost to replace cards (about $10 per card)
• Cost of any fraudulent transactions
• Forensics from a QDSC
• Level 1 certification from a QDSC
Costs add up quickly… If 50,000 credit cards are stolen, card replacement alone is 50,000 × $10 = $500,000, before fines, notification, fraud and forensics costs are added. Not to mention the bad publicity…
The Michigan Approach: People
• Treasury takes business ownership
• MDIT Office of Enterprise Security forms a cross-organizational team: gaining trust from multiple orgs; training, joint buy-in
• Executive buy-in
• Credit card users group makes the business case and other financial incentives clear: can't afford to lose credit card authority; need e-Government growth
• Failing is not an option: the reputation of the State is on the line
The Michigan Approach: Processes
• Set uniform IMAC/change management
• Established a common approach
• Iterative scans took time (plenty of war stories)
• Initially centralized, later federated
• Training built in; best and brightest selected on server teams
• Regular format/briefings to key business and technology management teams
• Agreed-upon standard metrics and repeatable, explainable, supportable numbers (not an easy feat)
The Michigan Approach: Technology
• Chose a single tool (Qualys)
• Achieved common configurations and builds
• Developed good vendor relationships
• Provided training on the tool
• Focused on business outcomes (agreed-upon requirements)
• Gave the team authority, priority, clear roles/responsibilities
• Shared, repeatable knowledge base
How does Qualys work?
Qualys Categorization (severity levels)
• Level 1: Intruders can collect not-too-sensitive information such as open ports and running services
• Level 2: Intruders can collect sensitive information, such as the specific versions of installed software, that helps them mount attacks
• Level 3: Intruders can collect specific information, including security settings
• Level 4: Intruders can compromise the system with non-administrator privileges, or can access highly sensitive information
• Level 5: Intruders can gain complete, administrator-level access to the system
The Michigan Process
• Integrates with other MDIT processes
• Affects old and new systems
• Three kinds of change for remediation, owned by the server and application teams:
• Patch: once installed, addresses many vulnerabilities; patching servers is more complicated than patching desktops
• Update: synonymous with patch, but used for applications rather than the OS; tracked by version number
• Configure: changes to applications and services that add security, including removing or stopping unneeded services and setting strong passwords
The Michigan Process: Vulnerability Remediation Tools
To speed up remediation of vulnerabilities, including open ports, false positives, and known solutions…
• Phase I: refining and distributing to CSDs a new spreadsheet of vulnerability, status and coordinator by server IP; facilitating meetings with CSDs and server support staff to work through the spreadsheet and successful processes
• Phase II: linking spreadsheet information to other information available about the server, such as CMDB and server PDI scan info; building a solution knowledge base; presenting all information in a Web-accessible database, with access limited as appropriate by role (user ID / password)
The Michigan Process: Executive Tech. Review Board (ETRB)
ETRB provides rapid resolution to questions:
• Reviewing approved, denied and escalated exception requests
• Resolving technical disagreements
Exceptions process:
• One form for OES, hosting center, and managed LAN
• Area may approve the exception or defer to the program board
• Program board may approve or deny the exception
• Requester can appeal a denial to ETRB for final ruling
• ETRB reviews approved exceptions, identifying the cause; using background information received in advance, it makes decisions on the spot and communicates them across the organization
The Proof… As they say
"Significant" DMZ vulnerabilities (Severity 3 or above):
• When we began in January 2006: 318
• Today: Zero – None – Nada!
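The remediation spreadsheet described under "Vulnerability Remediation Tools" (Phase I and Phase II) and the "Severity 3 or above" DMZ metric above are easy to reproduce in a few lines. The following is an added example written for this page, not code from the Michigan program or from Qualys: the scan export, CMDB extract, solution knowledge base, coordinator names and exception register are all constructed, and the CSV layout is an assumed one, not a real Qualys report format. It joins findings to the CMDB by server IP, tags each finding with the Patch/Update/Configure action from the knowledge base, drops fixed findings and approved exceptions, routes hosts missing from the CMDB to an UNASSIGNED bucket so the asset-management gap is visible, and computes the headline metric.

```python
"""Remediation worklist and 'Severity 3+' metric from a vulnerability scan export.

Added example for this page. All data below is constructed; the CSV columns
are an assumed layout, not the Qualys export format, and the QIDs, hosts,
coordinators and exception IDs are fictional.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed scan export: one finding per row, keyed by server IP and scanner ID.
FINDINGS_CSV = """ip,qid,title,severity,status
10.1.1.10,90001,SSL 2.0 enabled,3,open
10.1.1.10,90002,HTTP TRACE method enabled,2,open
10.1.1.11,90003,OpenSSH version disclosure,2,open
10.1.1.11,90004,Remote code execution in web framework,5,open
10.1.1.12,90005,Telnet service running,4,open
10.1.1.12,90001,SSL 2.0 enabled,3,fixed
10.1.1.13,90006,Anonymous FTP writable,4,open
10.1.1.99,90007,Unsupported OS version detected,3,open
"""

# Constructed CMDB extract (the Phase II "link to CMDB" step); 10.1.1.99 is deliberately absent.
CMDB = {
    "10.1.1.10": {"host": "dmz-web01", "zone": "DMZ", "csd": "Treasury", "coordinator": "Coordinator A"},
    "10.1.1.11": {"host": "dmz-app02", "zone": "DMZ", "csd": "Treasury", "coordinator": "Coordinator A"},
    "10.1.1.12": {"host": "int-db01", "zone": "Internal", "csd": "Lottery", "coordinator": "Coordinator B"},
    "10.1.1.13": {"host": "dmz-ftp01", "zone": "DMZ", "csd": "SOS", "coordinator": "Coordinator B"},
}

# Constructed solution knowledge base: scanner ID -> (remediation type, fix).
KNOWLEDGE_BASE = {
    "90001": ("Configure", "Disable SSLv2 in the web server TLS configuration"),
    "90002": ("Configure", "Disable the HTTP TRACE method"),
    "90003": ("Configure", "Suppress the SSH version banner"),
    "90004": ("Update", "Upgrade the web framework to the vendor-fixed release"),
    "90005": ("Configure", "Stop and disable telnet; use SSH"),
    "90006": ("Configure", "Remove anonymous write access from the FTP service"),
}

# Constructed exception register: (ip, qid) -> approval reference (confirmed false positives
# and board-approved exceptions both live here so they drop out of the worklist and the metric).
EXCEPTIONS = {("10.1.1.13", "90006"): "ETRB exception: isolated drop box with compensating controls"}


@dataclass
class Finding:
    ip: str
    qid: str
    title: str
    severity: int
    status: str


def parse_findings(text: str) -> list[Finding]:
    """Parse the (assumed) CSV export into Finding records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Finding(r["ip"], r["qid"], r["title"], int(r["severity"]), r["status"]) for r in rows]


def actionable(finding: Finding, exceptions: dict) -> bool:
    """A finding needs work if it is still open and not covered by an approved exception."""
    return finding.status == "open" and (finding.ip, finding.qid) not in exceptions


def significant_count(findings, cmdb, exceptions, zone="DMZ", min_severity=3) -> int:
    """The deck's headline metric: open, non-excepted findings of Severity 3+ on hosts in the zone.
    Hosts absent from the CMDB have no zone and are therefore not counted; build_worklist surfaces them."""
    return sum(
        1 for f in findings
        if actionable(f, exceptions) and cmdb.get(f.ip, {}).get("zone") == zone and f.severity >= min_severity
    )


def build_worklist(findings, cmdb, kb, exceptions) -> dict:
    """Per-coordinator worklist, highest severity first. Unknown hosts go to UNASSIGNED;
    findings with no knowledge-base entry are tagged 'Unknown' so the KB gap is visible."""
    work = defaultdict(list)
    for f in findings:
        if not actionable(f, exceptions):
            continue
        asset = cmdb.get(f.ip)
        action, fix = kb.get(f.qid, ("Unknown", "No solution recorded yet; research and add to the knowledge base"))
        work[asset["coordinator"] if asset else "UNASSIGNED"].append({
            "ip": f.ip, "host": asset["host"] if asset else "?", "zone": asset["zone"] if asset else "?",
            "qid": f.qid, "title": f.title, "severity": f.severity, "action": action, "fix": fix,
        })
    for items in work.values():
        items.sort(key=lambda i: (-i["severity"], i["qid"]))
    return dict(work)


if __name__ == "__main__":
    found = parse_findings(FINDINGS_CSV)
    print("Significant DMZ vulnerabilities (Severity 3+):", significant_count(found, CMDB, EXCEPTIONS))
    for coordinator, items in build_worklist(found, CMDB, KNOWLEDGE_BASE, EXCEPTIONS).items():
        print(coordinator)
        for i in items:
            print(f"  sev{i['severity']} {i['host']:<10} {i['qid']} {i['action']:<9} {i['title']}: {i['fix']}")
```

Two design choices matter for a defensible metric. First, the exception register is part of the calculation, not a side note: an exception approved through a board such as the ETRB removes the finding from both the worklist and the count, and the register records why, so the number stays "repeatable, explainable, supportable". Second, a scanned IP with no CMDB entry is never silently dropped; it is reported as UNASSIGNED, because an untracked host in the DMZ is itself a finding.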
Critical Lessons Learned • PCI compliance is worth it: • Solves many complex problems • Measurable – Good Metrics • Don’t forget the vendors • Market your progress (communication x3) • Build Trust with WIN / WIN approaches • The hardest parts are NOT technical... • Entrust your staff…and reward them
Michigan’s Next Steps • Counties and locals • Moving Up the Stack – Applications • Other systems (Moving PCI Target) • Rolling into app lifecycle
Dan Lohrmann Lohrmannd@michigan.gov www.michigan.gov/dit www.michigan.gov/cybersecurity