
My talk: Securing Sensitive Data, A Strange Game. Sorry, I kind of ripped off the WarGames movie there. The only way to win with securing sensitive data, particularly credit cards, which I deal with a lot, is not to play, not to try and do it. I'm Jeff Elliot. I've got a bunch of three-letter acronyms, four-letter acronyms, all that kind of stuff. That said, I'm not an infosec rockstar. I don't have a Tumblr or a tutu, which we all know are required from the video. I'm associate director with Productivity; put that in there because we're hiring, so if anybody wants a new job, see me or any of my guys that would rather be fishing. The one credential that I will disclose is I've got seven years as a PCI QSA, which means I've been around the block a few times and seen the problems that can happen when you try and secure sensitive data. Fine print: things I'm going to recommend, do them at your own risk. Many of them are expensive. If you do it right, that's a great thing; if you don't do it right, somebody will get mad at you. There will be some products listed later; they're just representative samples from a Google search, no sponsorship of any of that. You need to choose what works best in your environment. My mentor thought I should put that I'm not a lawyer. I'm a consultant. I'm probably not your consultant, but we can probably work something out.

So the issue with a lot of trying to secure sensitive data is really around money, right? Credit cards are money, and thieves want them; thieves like money. I read an article, it was actually a couple of years ago now, in Wired Magazine, 2011: there's a town in Romania where they had to build luxury car dealerships because the hackers that are stealing data wanted to buy luxury cars and they were going other places to do it, so they built luxury car dealerships in this little town in Romania so they could keep the money there. So we all know credit cards are a big business. We just saw another hack at P.F. Chang's that they gave us more information about yesterday. Criminals want money. Like I said, it's easier, I guess, to do that than to do honest work. And merchants spend piles of money trying to achieve what they call compliance: some standard, the PCI standard, some other standard, tells them you have to get compliant, you have to pass all these tests. A little compliance math: the sum of all the compliance pain and cost that you incur, we all know, I've heard it in the two talks before this, does not equal security. Compliance is not security. Security is security; compliance is just compliance. So, you know, the issue is money. Everybody wants it. We spend all this money on it, and we still have all these data breaches, way too many. Again, we just had P.F. Chang's, again, all the ones we've heard about in the last couple of years. The problem is the money, right? People want to steal it, and there's just no way to really stop them from doing that.

So I want to tell three stories, just from my experience as a QSA, and these are really typical. I'll tell three specific ones; I won't name any names, I'll protect the innocent, but this stuff happens all the time. We see it on every engagement we do. The first one that we see a lot is: good crypto is really hard to do if you're not buying, you know, a solution from some vendor, implementing it exactly the way that they said, that's been tested by the community, been in a whole bunch of different environments and really been vetted out. You think you can do it yourself, and that's not just in an algorithm, right? We all know we shouldn't invent an algorithm. It's even the implementation. So I had a client that we were doing an assessment for, and they fought and fought and fought, and they said our crypto is good, it's RC4 crypto, there's nothing wrong with it, prove there's something wrong with it. And so we spent some time, looked at it and said, okay, well, you know, we know the problem with stream ciphers is key reuse. If you reuse the keys, we've got a big problem. If you don't reuse the keys, interesting how you're doing that, but let's figure that out. So we go through, talk to the administrators, the people who built it, and said, okay, how do you do encryption? They said, well, we first generate this really, really long random key with all this good entropy, and it's pseudo-random, but, you know, really long thing and really great. Okay, great, then what do you do? Well, then we encrypt the data. No, no, no, no, you're not getting off that easy. How do you encrypt the first credit card number that you see? Well, we grab the chunk off the front of that key and then we run it through the algorithm, which we, you know, found on the internet and wrote in our own language, which actually seemed to be okay, and then we encrypt the data. Okay, great. Now the second credit card comes in. What do you do? Well, we, you know, get some key material and we encrypt the data. No, no, what key material? Well, that key material off the front again. Do you ever change that key material? Do you ever get anything other than that first chunk off the front? No. Okay, here's a spreadsheet, and your crypto's broken. They changed to AES, so that was a good thing, and it was properly implemented.

The next one, some people are going to yell at me. The PCI Council has been saying for a long time that segmentation is isolation, and segmentation is not controlled access. Now, in modern-day IT environments, trying to actually run a business, this is really painful. You really cannot properly segment modern environments like the military can, because they have all of yours and my money, and do that in a merchant-type environment successfully. There's always going to be something that has to talk to some in-scope system, and the PCI Council says that that is therefore going to have to be in scope. People are, we talk about, there's a new PCI DSS version 3 that comes effective here; it's actually effective now, you have to do it starting the first of next year, and people are freaking out because they're like, well, what's this noise I'm hearing about, we have to actually do isolation and not just segmentation like we did it before and kind of let a few things through? Well, they've been saying it, they've been using the word "isolate" since six years ago in PCI DSS 1.0 or 1.1. Nobody wanted to hear it, nobody wanted to do it, because it's really hard to do in a merchant environment. So what do we do? As well as we can, right? We limit things. Well, some people do better at that than others. We limit things as much as possible, and then the rest gets allowed through, and we try and talk about how there's no real risk there. They continue to say it in all versions up through current. Jericho, however, was right. We had the PCI scoping group several years ago; some of those slides were in that kind of beginning thing, and the purpose of that was to try and resolve this and bring sanity to scoping. The problem is exactly what Jericho says here: it was a colossal waste of time and energy. There were like 50 people, hours and hours and hours and days spent on this thing, wrote this paper. The PCI Council would not let us release it; they let us release it as an open source document, so they wouldn't sign off on it like they do most of their special interest groups. And when I first saw Jericho's tweet, because of all the work that I'd put into that thing, I was kind of upset. It's like, well, what do you mean? I don't get it, because I still was kind of drinking that Kool-Aid that you could actually segment an environment. Then what happened is I started watching. We have a really good pentest group, and I started watching what they were doing, and they're practically unstoppable, as probably any good pentester is, right, in these segmented environments where you don't isolate traffic, you don't isolate systems that have data that thieves want from other systems that don't. There's always another way in. I watched recently, my pentest lab went after an engagement on a client. It was an external pen test. They found a vulnerable device on the perimeter, hacked that, from there they got into Active Directory, got domain admin, from there they started crawling around the network some more, and they found a server that had credit card data in it. And the client's response was actually: "the database below is QA but it's part of PCI, contains credit card info according to our sysadmins, so we can consider that you've reached your goal, we'll wait for the report." And this happens over and over again. Segmentation does not work.

The third one I'd like to talk about is: there's these humans, they're always getting involved in our security. We could have perfect security if it was just the systems and no humans, I think, but we have them everywhere. So what do they do? This slide here is an EnCase slide, from EnCase Forensic, and I had to blur the credit card numbers, sorry, you won't be able to actually use those. But what this was, was we had a client, we did an assessment. We were just doing a "have we been breached" assessment: is there any kind of clue that anything bad has happened? We don't know it, nobody's, the Secret Service hasn't knocked on our door, there's no kind of announcement, anything like that, but take a look around and see what's going on. Okay, so we did a bunch of tests and we ran forensic images on some systems, kind of the thing that they're supposed to do every year before we come to do their PCI assessment, right? So we did that, we sent that off to our lab in New York, and those guys went through it and they said, well, there's credit card numbers in there. No, they're not really so good with the PCI. They were right, it was credit card numbers, but more than that, it was track data. Track data. Now you know why I blurred it: with track data you could make new cards, so that is prohibited to be stored by PCI because of that, and it was all over their systems. So we found it, talked to them about cleaning it up, and they said, well, you know, we figured out where the problem was. It was the help desk. The help desk said, but I needed to debug a production problem and I forgot to turn it off when I was done. So it's just writing this data all over the desk. That was fun when we did this year's report on compliance for them, because we triple-checked that.

But there is some hope, right? We don't have to just live with all this data getting breached all the time. There's a potential solution. The potential solution, in my opinion, is point-to-point encryption, commonly called P2PE. And I put tokenization as a separate item because I don't really care about tokenization. If you need it in order to do things like fraud prevention, customer tracking, those kinds of things, and you can't do that on the encrypted values for whatever reason, fine, do tokenization. Doesn't matter to me. So, yeah, how do we go about doing that? So the PCI Council has an FAQ, which is kind of our Bible, so we'll have a reading from the sacred guidance today. Did you all bring your PCI Bibles? No? Okay, well, I got mine. So PCI FAQ number 1086 says: is encrypted cardholder data in scope for PCI DSS? And the key part of this here is in the yellow: the entity in possession of the encrypted data does not have access to the clear-text cardholder data or the encryption process, nor do they have the ability to decrypt the encrypted data, and does not have the cryptographic keys anywhere in the environment, and none of their systems, processes or personnel have access to the environment where cryptographic keys are located, nor do they have the ability to retrieve them. Then up above in the blue: if and only if that's the case, and that gets validated, then that doesn't have to be considered cardholder data. Now, I think that when they were doing that they were probably thinking about tapes at Iron Mountain, right, because nobody has the keys for the tapes at Iron Mountain, so Iron Mountain probably doesn't need to be in scope for your PCI assessment. But what it also means is, as technology improved over the years, we got to where we can do encryption in ways that all these criteria are met. The key elements, the TL;DR here (the whole FAQ and all that documentation is up on the PCI Council's website): the key things are, there can be no keys in the merchant environment. This means that, give me the best pentester, the best hacker, doesn't matter, give them all the IDs, all the credentials, give them domain admin, give them Unix admin, give them root, whatever, there's no keys for them to get. In order to accomplish that, you have to encrypt at the point of interaction, POI, using a tamper-resistant security module or hardware security module. Those sound really technical, but it's any modern PIN pad. You also then have to get that data back out the other end of the system and only ever decrypt the data at a third-party service provider or at the bank. Therefore there are no keys in the environment. There's some data flying around, but it's encrypted, and your best attack is brute force unless you can get into the TRSM, and that's what TRSMs are built to prevent.

But, you might tell me, there are only three point-to-point encryption solutions if you go to the PCI Council's website, link there on the bottom. There are only three: you get Bluefin PayConnect, EPS Total Care, and Solve Data Shield. Now, has anybody seen any of these implemented? Yeah, I pinged my list of a couple hundred people, and neither have they. But so what does that mean? Well, the way that PCI works, it's really, it's not a law, right? It's contracts. So the PCI Council tells us in another FAQ that merchants using encryption solutions that are not included on the Council's list of three validated P2PE solutions should consult with their acquirer or payment brand about the use of these solutions. The way PCI works is the payment brands, Visa, Mastercard, all of them, contract with acquiring banks, and they say: acquiring banks, you have to make sure that all your merchants maintain PCI compliance at all times and then report that up to us, and that's how that's going to work. Well then, acquiring banks, in order to comply with that, contract with merchants and say: merchant, you have to maintain PCI compliance at all times, you have to meet all the requirements, and you have to do whatever level of assessment based on how many transactions you're doing. You have to do all that stuff. So that's how the legality of all this works; that's how people are forced to comply with PCI. It's all these contracts. So, you know, restating that: the acquiring banks enforce the compliance requirements on merchants, and the acquiring banks are accepting alternative solutions, and sometimes they sell them. So there are far more than three potential solutions that I've seen. This is just a quick Google search; there are more than this on the list. Again, none of these are sponsored. I know some of them; some of them I just found can also do this work.

But you might say, well, my database only takes 16-digit numerics, or my data entry fields, or my whatever part of your system only takes numeric 16 digits, and, you know, we all thought crypto made big ugly long hexadecimal strings with equal signs on them when they're base64 encoded. So there's also available format-preserving encryption. What format-preserving encryption does is it keeps doing the crypto until it finds a value that meets the format of the original data. So if you have a 16-digit numeric, it keeps doing this until it finds a 16-digit numeric, and then that's what the crypto value is. Why does that work? Because you can back it out and do the same thing backwards and get back to the original number.

There are potential drawbacks. Here we are again with money: this can be expensive, right? Everybody wants their little hand in your pie. So there's the cost for equipment, there's setup costs, there's, you know, the real big one is there are ongoing transaction costs. Whoever is doing this for you wants a little taste of every transaction that you do, so it can be expensive. The next one is what I like to call data jail. These providers would just love to get into an arrangement, providers or banks would love to get into an arrangement where they have your data and you can't get it back. If you want to change providers, oh, that's kind of too bad, because you didn't think about that on the front end. So what you want to do with that, and some of the other stuff on the money, is make sure that your contract negotiations are handled properly on the front end so that you have terms in there for, you know, what's the exit strategy, how do we get the data back out, you know, how do we cap fees, how do we, you know, reduce setup costs, those kinds of things, technology uplifts, those kinds of things that you need to do. You want to think about those all up in the front end. So the next one is, as you can see, sometimes your information security budget may shrink if you do this and all of a sudden there aren't any credit cards left in the environment to steal, right? So, you know, the stick of compliance is a mighty weapon, and if you remove it from its rightful place they might take away some of your money.

So overall, why do I want to do this? Well, thieves can't steal data that you don't have. Well, there went their Mercedes. Auditors can't audit what you don't have. There went my job, but I really want to do healthcare, if anybody's got any option there. And there are no breach fines if you don't have a breach; those breach fines can get astronomical, as we probably have seen. Also, another benefit is no CIOs, CEOs or CISOs have to get fired if there's no breach. Is that too soon? Thanks, that's my time. [Applause]
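The first story above, the RC4 scheme that took the same chunk off the front of a long key for every record, worked through as an added example that is not from the talk: a constructed stand-in for the client's scheme, a self-test that catches a shared keystream, and a per-record variant with a stored nonce that passes it. The master key, the test PANs and all function names are assumptions for this illustration; the per-record variant only demonstrates the property, and a real deployment would use a vetted AEAD such as AES-GCM with a unique nonce per record, as the client did by moving to AES.

```python
import hashlib
import hmac
import os

def rc4_keystream(key, length):
    """RC4 key scheduling plus PRGA, returning `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed stand-in for the client's "really long random key" (assumption).
MASTER_KEY = os.urandom(1024)

def encrypt_reused_chunk(pan):
    """The scheme from the talk: every record is XORed with RC4 output derived
    from the same chunk off the front of the master key, so all records share one keystream."""
    return xor(pan, rc4_keystream(MASTER_KEY[:16], len(pan)))

def encrypt_per_record(pan):
    """Unique keystream per record: a fresh nonce, stored in the clear, and a
    pad of HMAC(master, nonce). Illustrative only; use a vetted AEAD in practice."""
    nonce = os.urandom(16)
    pad = hmac.new(MASTER_KEY, nonce, hashlib.sha256).digest()
    if len(pan) > len(pad):
        raise ValueError("record longer than one pad")
    return nonce + xor(pan, pad)

def decrypt_per_record(blob):
    nonce, ct = blob[:16], blob[16:]
    pad = hmac.new(MASTER_KEY, nonce, hashlib.sha256).digest()
    return xor(ct, pad)

def shares_keystream(encrypt, nonce_len=0):
    """Self-test for a home-grown stream cipher: if C1 XOR C2 == P1 XOR P2, both
    records used the same keystream and one known PAN reveals the other, no key needed."""
    p1 = b"4111111111111111"  # constructed test PANs
    p2 = b"5105105105105100"
    c1 = encrypt(p1)[nonce_len:]
    c2 = encrypt(p2)[nonce_len:]
    return xor(c1, c2) == xor(p1, p2)
```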
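The help-desk debug log from the third story, as an added example that is not from the talk: a scanner that flags track 1 and track 2 data in log lines, Luhn-checks any remaining digit runs for bare PANs, and reports only masked values. The log lines, the test PANs and the function names are constructed for this illustration.

```python
import re

# Track 1 as a reader emits it: '%B', PAN, '^', name, '^', YYMM expiry, service code, ..., '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ';', PAN, '=', YYMM expiry, service code, discretionary data, '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# A bare PAN: 13 to 19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits):
    """Luhn check-digit test, which filters out most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep first six and last four, the most PCI allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line):
    """Findings for one line as (severity, masked PAN). Track data outranks a
    bare PAN because it may never be stored after authorisation."""
    findings = []
    for rx in (TRACK1_RE, TRACK2_RE):
        for m in rx.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append(("TRACK_DATA", mask(m.group(1))))
        line = rx.sub(" ", line)  # drop matched tracks before the bare-PAN pass
    for m in PAN_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("PAN", mask(m.group(1))))
    return findings

def scan_log(text):
    """Return (line number, severity, masked PAN) for every hit in a log."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        hits.extend((n, sev, pan) for sev, pan in scan_line(line))
    return hits

# Constructed help-desk debug log; 4111... and 5105... are standard test PANs.
SAMPLE_LOG = """\
2014-06-12 10:02:31 helpdesk DEBUG swipe raw=%B4111111111111111^DOE/JANE^24121010000000000?;4111111111111111=24121010000000000?
2014-06-12 10:02:32 helpdesk DEBUG auth pan=5105105105105100 amount=42.10
2014-06-12 10:02:33 helpdesk INFO order 1234567890123 created
"""
```

Running `scan_log(SAMPLE_LOG)` flags both tracks on the first line and the bare PAN on the second, while the non-Luhn order number on the third line is ignored.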