
Is PCI Broken? Presented By: Bryan Miller Syrinx Technologies bryan@syrinxtech.com www.syrinxtech.com 804-539-9154


Presentation Transcript


  1. Is PCI Broken? Presented By: Bryan Miller Syrinx Technologies bryan@syrinxtech.com www.syrinxtech.com 804-539-9154

  2. Agenda
  • Speaker Introduction
  • What is PCI
  • How Compliant Are We
  • What Happened to Target
  • The Aftermath
  • Lessons Learned
  • Summary

  3. Speaker Introduction
  • B.S., M.S. – VCU
  • Former Adjunct Faculty Member @ VCU
  • CISSP, former Cisco CCIE
  • VA SCAN, ISSA, ISACA, VCU FTEMS speaker
  • Published author with 30 years in the industry
  • Founded Syrinx Technologies in 2007

  4. Does anybody ever feel like this? (Does anybody other than me even remember this movie?)

  5. What Is PCI

  6. Definition
  • The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.
  • Defined by the Payment Card Industry Security Standards Council (PCI SSC), the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure.
  • Source: Wikipedia

  7. OK, one more time in plain English: if you transmit, store or process credit card data, you are responsible for protecting it. So… what exactly is “credit card data”?

  8. What you can store
  • Primary Account Number (obfuscated)
  • Cardholder Name
  • Expiration Date
  What you must NEVER store
  • Magnetic stripe data
  • CVV
  • PIN
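The slide's distinction between what may be stored (a masked PAN, name, expiry) and what must never be stored (track data, CVV, PIN) is the kind of rule a storage layer can enforce in code. The following is an added example, not from the presentation; the field names (`pan`, `cvv`, `pin`, `track_data`) and the first-six/last-four masking convention are assumptions for illustration. It gates a record before it is written, masks the PAN, and also scans free text such as log lines for unmasked PANs, using the Luhn check to separate real card numbers from other digit runs like timestamps.

```python
import re

# Fields that must never be persisted after authorization (assumed field names)
FORBIDDEN_FIELDS = ("track_data", "cvv", "pin")

# Digit runs of 13-19 digits, optionally separated by spaces or hyphens
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, replace the middle with X (assumed convention)."""
    if len(pan) < 13:
        raise ValueError("PAN too short to mask")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def prepare_for_storage(record: dict) -> dict:
    """Validate a transaction record and return only the storable fields.

    Raises ValueError if a forbidden field carries a value or the PAN is malformed.
    """
    leaked = [f for f in FORBIDDEN_FIELDS if record.get(f)]
    if leaked:
        raise ValueError(f"refusing to store forbidden fields: {leaked}")

    pan = re.sub(r"\D", "", str(record.get("pan", "")))
    if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
        raise ValueError("PAN is not a valid card number")

    return {
        "pan_masked": mask_pan(pan),
        "cardholder_name": record.get("cardholder_name"),
        "expiration": record.get("expiration"),
    }


def find_unmasked_pans(text: str) -> list:
    """Return masked forms of any Luhn-valid PANs found in free text (e.g. a log line)."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


if __name__ == "__main__":
    # Constructed sample record; 4111111111111111 is a well-known Luhn-valid test number
    ok = prepare_for_storage({"pan": "4111 1111 1111 1111",
                              "cardholder_name": "J. Doe", "expiration": "12/25"})
    print(ok)  # pan_masked is 411111XXXXXX1111
    # Constructed log line: the timestamp is a 14-digit run but fails Luhn, so only the PAN is reported
    print(find_unmasked_pans("order 42 pan=4111111111111111 status=ok ts=20140319120000"))
```

Scanning application logs and data stores with a check like `find_unmasked_pans` is a practical way to discover where card data actually flows, which feeds the data-flow diagram and scope reduction the later "Steps Every Organization Can Take" slide calls for.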

  9. What It Is
  • 12 Requirements summarized by 6 control objectives
  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

  10. What It Is
  • Began life as the “VISA Digital Dozen”
  • Current version is 3.0, released November 2013
  • Sponsored by
  • American Express
  • VISA
  • MasterCard
  • Discover
  • Japan Credit Bureau (JCB)

  11. What It Isn’t
  • A legal compliance obligation like HIPAA, GLBA, Sarbanes-Oxley
  • A guarantee that you won’t
  • Have a data breach
  • Suffer financial or reputational damages
  • Be the featured guest in the newspapers and magazines
  • Remember SECURE <> COMPLIANT

  12. Source: Rapid7

  13. How Compliant Are We

  14. Source: VERIZON 2014 PCI COMPLIANCE REPORT

  15. Source: VERIZON 2014 PCI COMPLIANCE REPORT

  16. Source: VERIZON 2014 PCI COMPLIANCE REPORT

  17. Source: VERIZON 2014 PCI COMPLIANCE REPORT

  18. What Happened to Target

  19. Attack began with a phishing email attack on an HVAC vendor
  • Attack began around 2 months before the actual breach
  • Malware from phishing allowed attackers to gain Target network credentials
  • Vendor claimed “…our IT system and security measures are in full compliance with industry practices.”
  • Vendor allegedly used a free version of anti-malware software

  20. Using credentials obtained from the HVAC vendor, attackers expanded to internal Target networks
  • Unclear whether or not the 2-factor authentication required by PCI was employed by the HVAC vendor
  • Initial compromise between Nov. 27 – Dec. 15
  • Target announced breach December 19

  21. What about warning signs?
  • Target allegedly warned two months before breach by internal security employees that its systems were not sufficiently secure (ignored?)
  • At the time Target was updating POS software
  • FireEye installed six months earlier
  • Security monitoring performed by a team in Bangalore
  • Reported findings November 30 (apparently ignored)
  • Malware updated December 2

  22. (image slide)

  23. Supplier Portal Home Page – no credentials required

  24. Facilities Management Home Page – no credentials required

  25. Supplier Download Page – no credentials required

  26. Metadata Obtained from Files Harvested from Downloads Page

  27. (image slide)

  28. The Aftermath

  29. January in-store and online traffic drops from 43% to 33% of US households
  • Target spent $61 million during Q4 related to the breach
  • Estimated 5-10% will never shop there again
  • March 5 – Target replaces CIO and hires two additional positions
  • Chief Security Officer
  • Chief Compliance Officer

  30. Lawsuits (at least 53) filed by multiple banks, including several in Target’s home state
  • Target’s PCI auditing firm Trustwave Holdings also named in lawsuits
  • Estimated losses could reach $18 billion
  • Estimated 110 million cardholders affected

  31. Security engineer who first broke the story could soon be the subject of a Hollywood movie
  • Target accelerating plan to offer upgraded credit cards with chip technology
  • Current goal to release updated REDcards in early 2015

  32. Lessons Learned

  33. Four Questions the CIO Must Answer
  • Do we have an ISO/CISO providing direction?
  • Do we have an incident response plan?
  • Which alerts can we safely ignore?
  • What are we overlooking as insignificant?

  34. Steps Every Organization Can Take
  • Accept that you have a problem.
  • Diagram credit card data flows in, through and out.
  • Ensure you have a tested incident response plan.
  • Clean up the “low hanging fruit”.
  • Invest in and maintain quality monitoring systems.
  • Review contracts with vendors, partners, clients, etc.
  • Create build lists for all systems to ensure consistency.
  • Limit the systems in PCI scope.
  • Build security audits into every project.
  • Provide feedback to all departments on progress.

  35. Summary

  36. PCI compliance (and security in general) should not be ignored or seen as just another business expense.
  • Start building monitoring systems and trust them when they report incidents.
  • Continue practicing due diligence. Security is a never-ending issue.

  37. Q&A