
Yeah, I think there's at least, you know, 10 times my data has been exposed in my life. So it's sadly commonplace. So, watch your credit. But we do have a mandate: if we are doing any kind of payment processing, we need to follow what is required and set out by the PCI Council. Toward that end, there are various types of assessments that we can do, and this largely depends on where you fall as a merchant. So, if you are Level 1, you will be required to do a Report on Compliance. And this is the whole shebang. Basically, you're going to end up with a 300-page report at the end
of this stating what you've got in place. Now, Level 1, these are businesses with over six million card transactions a year. Okay? So think your big global companies on this: your hotel chains, airlines, cruise lines, Walmart, Costco. These are your big guys. Then when we get down to Levels 2 through 4: Level 2 is 1 million to 6 million, and then we break it down further for Levels 3 and 4. But for those you can do a self-assessment questionnaire, which is our SAQ. And as you can see, there are various, and I've got a second slide on this too, because we have a number of SAQs to choose from
depending upon what exactly you do, because it breaks it down, and it gets really easy if you've outsourced everything to third-party providers. So, say you're setting up a small kiosk, you're taking some credit card payments, but you utilize one of the providers, say Square or something. So someone else is doing all the actual processing, and you have an encrypted capability for that. It goes straight to their servers. You don't save anything. You're going to do an SAQ A and have a much easier time when the auditors come through, if you choose to do that, because SAQ A is a self-attestation. You get to go through and do that yourself. Caveat: you may want to have someone with PCI
experience walking you through it your first time. And typically, you don't have to have the full PCI package to do a gap assessment and have a QSA walk through it with you so that you know exactly what it is that's being asked, because just like any other regulation, a lot of people end up looking at it like, what exactly am I supposed to do? And I will say PCI is very prescriptive. It does say what you need to do, versus, if you're working with the NIST CSF, where it can be an organizationally defined time period for various things. So with that, as we're thinking about our audit, we obviously have three key
phases. Pre-audit, where you do preparation. And really, this should be occurring year-round, because you want to make sure that you're in compliance. So, if you do an update to something, you're changing systems out, you want to make sure that you've got everything hardened, patched, up to date, and you're doing all your recurring activities, such as account audits, making sure you don't have dormant accounts hanging around past your expected time frame. And also keep that line of communication open with your QSA. Hey, we're not here to make your life hard. We're here to make sure that you're secure. Some of us tell jokes, too. And of course, after the audit, if there
have been any gaps found, work on closing those out so that you can go back to your acquiring bank and be like, "Hey, we're all good. Don't fine me." So now we'll step into the strategies. As I mentioned, preparation is a very essential part of this, and a core part is doing your scoping properly. Because this year, well, technically we're in 4.0.1, I'm just going to say 4.0 for ease, but with PCI 4 we are now shifting where scope documentation is on the merchant themselves. So when I come in as a QSA, I am validating and confirming what you have documented as far as where your PCI data is held,
where that touches and flows through. And it's also required that this be updated on an annual basis. I would say if you have any changes to data flow, data storage, whatever you're doing with the data in general, take a look at your scope and make sure that it hasn't changed, because if you do have a major change to your environment, much like anything else, you do kind of need to go back through an assessment along with your scoping. If you can segment your PCI section, say you've got an online merchant, obviously you have a web front end, you're doing payment processing, maybe sending directly to Bank of America or whoever,
and they're doing that. If you're not retaining anything besides tokenized data and you can segment that all off so that this isn't going through your whole corporate environment, it is going to save you time and money, because it's a lot fewer systems that have to get a pen test done on them, which can be pricey. It's a lot less time that I have to validate what systems are in scope and also go through all the documentation that is requested of you: security audit logs and how your controls are set up. Because even though we do sampling in a larger environment, especially when you have expanded scope because of that
data transmission, it can greatly extend the time, the time cost, and give an auditor more time to potentially find more things wrong. So obviously documentation plays a huge part of this, right? Please make sure it's up to date. All your policies should be reviewed on an annual basis. And that can be one of the biggest items I have found across every single compliance, to be honest: making sure that policies, one, exist, and two, are reviewed and maintained for what is applicable. Because some things could change. Password policies over time have changed. It used to be eight characters. Now everyone's going to 16. So making
sure that things are up to date is kind of key. Also, roles and responsibilities: those 12 requirements that I showed you guys, you have to have roles and responsibilities documented for each of those. That is another net new for PCI 4. And this doesn't have to be, you don't have to list out who it is; this is simply, okay, we've got our security administrator, system administrator, whoever is responsible for various things. And you can tie that back to what you have documented with human resources as far as the general role, but having those duties and the roles documented is key. Also, once you have gone through a PCI audit,
documenting what your process was, where you went and got your documentation, having a repeatable process will greatly help you in the following years. And especially if that role that is supporting your auditor to get that data out changes, because if the person gets reassigned to something else, they've moved to another role, maybe they've left the organization, all that knowledge has gone, and now the QSA gets to go through it with someone else and be like, hey, I need these screenshots, this, this, and this, and we've got a boundary list. And as I mentioned, a gap analysis is highly recommended the first time you're going through. If you have a major
change in your architecture, you may want to also have a sanity check just to make sure. And if you're doing a three-year program with a QSA firm, that's one of those things where you can be like, hey, I want to make sure we're still on the right path because we're doing these changes, and can we just have an hour consultation between our security architect and your auditor? Because we will absolutely look at things and say if we need to go through and do another assessment. Now, your team is always a core part, because I'm not going to get all the answers strictly out of whoever the compliance point of contact is, unless
you have a small team and they are everything, which I've worked with too. But if we're talking on a larger scale, then we've got various system administrators, database administrators; HR also gets an interview. We have a variety of individuals that we touch on going through a PCI audit. So making sure that all these roles are aware, and this is one of those things, once you do go through it the first time, you kind of know who you need to schedule ahead of time when it's coming up. But include some training on PCI along the way. It is required as part of security awareness training; especially, there is a
requirement for PCI-specific training for those that are doing any handling of credit card data, whether it's, say, a gas station attendant or one of your database administrators with tokenized data saved in your databases. So there's a variety of individuals that all this touches on. Testing: always a good thing. Also, another requirement is to do your own risk assessment annually. This is always a good recommendation anyway. And if you have internal audit, that's great. A lot of places, internal audit tends to have a very adversarial relationship, so maybe getting them to come around to more of a purple team point of view, where it's not, hey, we're
we're not trying to show that you're doing bad things, because that's always the target on my back, right, as an auditor. It's like, I'm not trying to say that you guys suck at something. I'm just pointing out areas where it needs improvement, and you can then go and say, hey, give me more money. Because the point of the matter is we all need more money, because we either need more people, because our client base has grown and we don't have enough people to support all the instances, all the problems, and everything else that's cropping up, or more money in terms of, well, we need more stuff going in AWS, we need a new firewall, this one's kind of
busted. There's a variety of things, and once again, I'm not here to point out flaws. I'm here to point out we have a gap and there are ways we can improve it. You just don't have the right tools. So going through that internally, and especially, I say this for things where you can fix it during the course of an audit, because there are some things in PCI that you can fix. If you haven't reviewed your policies, for example, go get your CISO or whoever to review that document and update it and sign it. It may take an act of God, but you can schedule them a little interview session with me and I'll tell them
you're going to fail if you don't. That tends to help at times, but I'll do it politely. So including that, but also looking at your incident response. It's amazing sometimes, it's like lack of testing on incident response. Now, depending on your environment, you may have plenty of live action that you don't really need to have an incident response tabletop. But in those cases, you've got people clicking on phishing links and you've got malware events. Make sure you have an after-action report. I can use that as a live test, because you guys went through it. Just do a debrief and be like, okay, here's how
we can do it better. Here's what we learned. And I kind of touched on this the whole way through: I'm not here to fight with you. I'm here to help you get through this. And if we find some things, we're going to set up a plan of action and we're going to set some prioritizations based on what PCI says should be prioritized. And that's not hard and fast. They give a suggested prioritization, but you may have a different one based upon your business needs, and we just flow with that. And then we have that written up. We go to your merchant bank, your acquiring bank, and be like,
"Hey, here's the issue." They may or may not decide there's going to be fines involved. They may set a time frame: you've got six months to fix it. This is one of those "it depends," because it really depends. And that's stuff that's totally out of your QSA's control, but we can provide input as far as whether it's a really big issue or not, because a lot of times it's just these little things that you can't fix in a week. And sometimes that happens, if you've got a third party where something got updated and now something doesn't work because of it, because what software plays well together?
So, in these cases, it's one of those: here's the problem, here's the potential risk, and when it's low, it's usually, okay, here's your time frame. Let's circle back and make sure you've got this cleared out. And common pitfalls. I talked about some, but a lot of these come down to, hey, we're good. Yeah, we're good enough to pass, but there's always more we can do, because again, it doesn't matter what compliance you're going through, there is always more. Bad guys will find a way. Scope management, always the biggest thing. This is where having a full inventory, hardware and software, comes into play. Really important, because then also
when you've got your pen test going on and it's like, oh, well, we found some other stuff that is not listed in the inventory. Where are we seeing these? Is this a whole other network? And then they start poking around. So, yeah, it's not just the QSA that pokes around; it's the pen test team, too. So you've got two sides of the coin here. But they will make sure that your segmentation is actually functional, because that's key. Scope is key on anything and everything. And if you think it's big on this, if you're going to end up doing some CMMC stuff, it's really important there, because that's going to be even more expensive.
That's the new DoD stuff. Neglecting documentation: everything I have mentioned devolves into documentation, policies, procedures. The stuff needs to exist. The stuff needs to be refreshed. It needs to be reviewed. And if you're doing the things that you are supposed to do, such as your account review, your firewall rule review, there also needs to be a document, just meeting notes basically. Hey, we did our firewall review, here's who attended, even if it's just one person, and what was done. All firewall rules are needed at this time. Didn't remove anything, no changes made. Good to go. It doesn't have to be a novel. It
just needs to document what was done as proof that this has been done on its mandatory recurring basis. Yeah.

So on pitfall one, the slight version shift of that is: we've passed ISO, we've passed something else, so we're always fine. Does that come up a lot in your practice, people who are in a very regulated environment, they've passed a lot of other things, and so they naturally just assume that their documents are going to be good enough for PCI DSS? Or is that something that, because it's really more tied to the financial world, doesn't really have a lot of overlap with other regulations?

No, I've seen it pretty much across everything, because even SOC 2, some places have gone for SOC 2s, and it's like, well, that doesn't necessarily cover you for everything PCI asks, because we have a lot of controls in this, so there's a lot of boxes to check. A little twist, right, a little different than what it would be for something else. Yeah, just those little unique individualisms between the various things, while we all do come from that same baseline of all the best practices. And I mean, you can crosswalk everything. I don't care what compliance you're looking at, you can go back to a NIST document and you can find
a solid control question for it. And if you don't do anything else, go through the NIST CSF. You'll have a nice baseline, and it lends to everything else. But there's always the little things where it's like, okay, I need an extra document, or five, or 50. And also third parties. Obviously there's a lot of stuff that gets outsourced, whether it's having your payment processing, in this case, directly done by something like Square or some other processor. Also even things like MSPs. You've got a lot of stuff that is outsourced to MSPs. The other half of what I do is the consulting side, but I
also work for an MSP, so that's part of it. And you do have things that are outsourced: what's their security level? You've got to make sure that you're doing this, and this is another 4.0 requirement: reassess your third-party vendors on an annual basis. What's the risk that they're bringing into your environment? Is that acceptable? Has it changed? Think, let's go back many, many years, and I'm showing my age here, but Anthem. I was helping out with third-party risk at that point, and one of the things was, well, companies renewing with Anthem, what's their current cybersecurity insurance policy at? That was a main thing to continue
on with the company I was at at the time, keeping Anthem as their healthcare provider instead of switching up. So you can have additional threats introduced to your environment from all kinds of angles. Things to think about: who are you doing work with? And then step into post-audit best practices. As I said, this is continuous. Think of this as a living, breathing document for everything that you've got, because everything changes. It's just like making sure you've got the latest, greatest patches. There's something new. So make sure that you're keeping updated and you're looking at what flaws, what gaps might be introduced if
we make a change. Bake that security in if you're going to do an architectural change somewhere in your environment, and look at what's upcoming. Are there new changes? Even things like, okay, what systems do I have that are coming up on end of life? Because another requirement is, well, we're not doing that whole limp-along after end of life on all of our hardware and software. It's like, no, we need to have supported stuff. We need to make sure we have some kind of warranty program in place and something that we can depend on, so that it's not just, well, I'm going to see what I can get on eBay to fix this.
They don't work anymore. So, things to have on the horizon: what's coming up, what do I need to prepare for? And also maybe schedule your major changes so that it's right before an audit comes through versus right after, and then you've got to go through it again. I've had clients like that, too. So planning is important. Obviously some things can't always be planned for due to timing, funding, and everything else in a business, but where you can, it'll save you seeing me twice in a six-month period. Not that that's necessarily a bad thing. It's just an expensive thing. So with that, we'll open it up to questions.

So can you talk more about cyber auditing, what it is and how to balance that with the compliance side?

Okay. So the difference between the audit and the compliance side: for me as an auditor, I'm coming in as a third party and I'm assessing and validating what controls you have in place, and that can be against whatever regulation it is that you need on the compliance side for the company. Now, it's kind of a broad scope, because you've got a lot of people that will take part in that. Typically, you're going to have someone that gets to act as your compliance officer. Now, that could be someone that's in legal, or, if we're
looking more cyber-focused, it could be jointly between legal and an IT manager, security, CISO, what have you. It's really company-dependent. But you'll have technical as well as legal representation typically looking at it. And with that, then there's all the underlying work: having your security administrators making sure they've got everything locked down in terms of access, authentication, and whatnot for accounts and identity, but then also hardening the systems, with the system administrators, database admins. And yeah, there's a whole host more, including human resources, because we look at the physical side as well, including doing physical walkthroughs of buildings, making sure there's
CCTV where appropriate, badging, as well as locked network cabinets and the like. So it really takes in the whole picture. Does that help? Okay.

Do you actually help the company remediate their findings, or do you just offer suggestions and have them take care of it?

So that's one of those where if I'm going to audit it, I can't fix it, because I can't audit my own work. So I could have someone else come in. I also do vCISO work for other companies that I'm not auditing. So, have that trade-off within the team where one person will be the vCISO, come in, help them, give them the
guidance they need, help them get their security controls in place, and then someone else audits it. So, it's segregation of duties. Yeah. But I do do that too. Yep.

So what effect would you say all these kind of novel payment systems are having on this, like the Zelles and the Zooms and the Cash Apps? To me, a lot of them feel like their competitive advantage over Visa and Mastercard is that they claim they don't need to follow all these regulations, and they can kind of say, we're using something totally new, it's all very different, and so we don't really need to follow things like PCI DSS. But it looks to me like they actually kind
of do. What I'm interested in is your opinion on that.

Yeah, because I mean, if you're doing, say, a cash app where you're transferring cash between people, or you're doing a debit card, that doesn't necessarily fall under PCI. But now if you've got a Mastercard-stamped debit card, yeah, you're going to be having PCI coming along, because it's still associated with the brand and they're going to require it.

Yeah, it just seems like they're fudging it.

So, at least to me, it's like, yeah, okay, sure, you're Venmoing money, and because you're Venmoing, it doesn't have a Mastercard or a Visa on it. So, congratulations,
PCI DSS doesn't apply to you, but something should apply to making sure that you're still compliant with something. And aside from the New York financial stuff, there's not a lot that really targets fintech. I mean, we should, just because it's moving money around. I mean, it's one of those gray areas. Fair enough. Yes.

Are there any pathways you suggest for getting into this kind of cybersecurity, to do audit?

So, in general, if you've got a technical background, that's really great, because one of the worst, well, not the worst things, but it's like,
you've got someone that just kind of got thrown into it because they came from accounting. Not saying accountants are bad. They're also great at this, because they're very, I'm going to make sure I check everything here. I'm checking it all. But sometimes they need those of us that spent time as a system administrator, help desk, what have you, beforehand, to be like, "Okay, no, the pen test is fine. Don't worry about that. That's low. They closed out their criticals. We're good." So it's kind of a blend. But having a technical background absolutely helps, because you can get in there and you can look at stuff a lot
quicker, so to speak, without needing additional team members to guide you through it once you're starting. Aside from that, being willing to look at a lot of regulatory language at entry level. I just kind of fell into it myself. I started out as a Unix/Linux system administrator. I went through my first audit, and like two years later I utilized that and my technical background to move into an auditor position, based on, it's like, I've gone through it from the other side. I know how to apply the controls, so I can certainly test the controls, was the approach I took.

Any certifications?

Oh, there's a ton of certifications to start with. CompTIA Security+ is the total start. It gives you a good baseline, helps you get past those HR filters. But then there's also the CySA+, and I'm spelling it out because we've got too many CISAs at this point. We've got the CISA, that's the certification. We've got CISA, that's Homeland Security. So it just confuses. But yeah, there's a ton that are out there.

You said that you went from systems to audit. Was that like an ISA or a QSA?

Well, no, that was like ISA, because I was doing federal contracting. Because ISA is internal, right? Within
the company. Oh. Oh, no, within PCI. That wasn't PCI, that was government work. No, I was going around as a DISA contractor running STIGs on Unix systems everywhere. Fun stuff.
Anyone else? Two questions. First one is: where's a good reference for policies or procedures in general? Because we got dinged on that, and I know it's not comprehensive, and I really don't have a lot of people who want to read this besides me, so it'd be nice to have better documents.

SANS does have some white papers on that. Yeah, they've got a nice white paper repository on a whole lot of things, actually. And you can also utilize NIST guidance for some of your baselines if you want to fine-tune things toward specifics, because they've got special publications on everything. I mean, they make the
guidelines for everything: weights, measures, and everything.

Awesome. I'm into both of those. Second question is: we had an assessment, but they did not do a physical walkthrough. So in anticipation of that happening, where should we start looking so we can be prepared for any dings on physical?

The biggest thing is security of systems, security of the physical, the building itself: badging, locks, and CCTV at entry points. If it's payment systems, making sure those are over where credit cards are taken. Like, you walk into a gas station, there's like three above the register. So things like that, and
especially visitor logs, making sure that visitors are signed in and out and appropriately escorted.
Yeah. And that any room with your networking cables and stuff like that, those also have locks on them. Yeah.

With the introduction of PCI 4.0, whatever, what should large organizations really be looking for? We're already working with our normal auditor, but should there be anything that I could expect to be thrown at me? We're mid-audit right now.

I don't think so. I mean, it's been in that slow phase-in for a bit now, and it just finally hit that drop deadline. So it's really just what's there and making sure that it's implemented. So, yeah, thank you. Okay, I guess we're done. Thank you
everybody. [Applause] Great. Thank you.