
Excellent. I'm technologically challenged; I'm one of the old guys that always had 12 o'clock blinking on the VCR back in the day, so how I wound up in technology is another question altogether. I'd like to thank you all for stopping by my talk this morning. My name is Stephen Kirby. I'm a systems/security engineer for RNS Solutions, a small logistics company out of Jackson, Tennessee, and we're going to be talking a little bit about how we're using the PCI DSS security framework as a general-purpose framework for controlling our security environment. To give you a little bit about me: I'm a 30-year IT vet, and I started in the late 1980s,
and for me, Greenville is a little bit of a homecoming: I spent about 12 years in Athens, Georgia, at the University of Georgia, and for all the Clemson fans, better luck next year. I gravitated to security early on. I started out with Novell NetWare and moved into a dozen or so flavors of Unix, and I even do Windows now, generally under an assumed name. I do hold multiple security certifications, and that's always important, because, you know, if you're not certified you don't know anything, right? As I mentioned, I am currently a systems engineer for RNS Solutions out of Jackson, Tennessee.

A few caveats are in order before we get too far into this. Number one, I make no claim to be a PCI DSS expert. My current employer is not subject to PCI compliance requirements, and so we don't do this, in air quotes, "for real." Don't assume that anything I say matches the PCI's interpretation of their standard; they know better than I do, and if you're doing this in order to process payment cards, don't let me lead you astray. We can be a little bit more flexible than the PCI is going to be when it comes time to do an audit. I would also stress that the opinions expressed here are my own and not those of any employer,
past or present.

Okay, a high-level discussion of what we're going to talk about in the next few minutes. We include four major points. Number one, just so we start from common ground, we're going to talk about what a security framework is. We'll talk about some of the most popular frameworks and see if I can answer the question: why would I want to use yet another one? Aren't there enough other good ones out there? I'll talk some about how we chose to adapt PCI DSS at RNS Solutions, and we'll bring out some key takeaways.

I will emphasize that my perspective at RNS is that of a very small business. I can tell you that as of last week we had 104 Office 365 licenses, and a good number of those were going to contractors and to third-party vendors that were using them for purposes other than their primary email. We are a small shop, and that definitely has an impact on anything that I talk about. To put it in perspective, our security team consists primarily of me, myself, and I, and not even all of that: I have responsibility for managing Linux and Windows systems, general networking issues, and anything else that crops up. We have one other engineer and our manager on the technical end. The other engineer has no formal responsibility for security at all, and my manager is spread thin as it is. He has a good security mind, and I'm very fortunate to have him; that's one of the reasons why I'm there. But we don't have a single FTE devoted to security full time. If you have a large organization, some of these things may not be as beneficial, but for us, a lot of the things I'm going to talk about today were critical, because the alternative really was having no formal security program at all.

Okay, an introduction to security frameworks. What is a security framework? Well, a security framework is a high-level strategy for protecting information assets. It provides guidelines and best practices. Frameworks provide guidance on what to do, but they don't tell you how to do it. Typically a framework will say "use strong encryption"; it will not say "use AES-256." There will probably be some understanding that you would use an industry standard, and AES-256 definitely would qualify; DES probably does not. But that's not going to be specified in the framework; it will be specified in some of the supporting documentation. There are several examples of popular general security frameworks. I'm going to mention three: ISO 27001, or actually the entire ISO 27000 series; the NIST Cybersecurity Framework, or CSF; and the CIS Critical Security Controls.
The first one that I'll mention is ISO 27001, or, as I mentioned, the 27000 series. It's part of an international set of standards. It was originally developed as a British standard back, I believe, in the 1990s; I'd have to go back and check on the date. But it's grown in popularity, particularly in Europe, in the last 15 to 20 years. One of the difficulties or obstacles that you face with ISO is that the official standards documents have to be purchased, and they're not cheap. There are a number of them, and given our budget, they were prohibitively expensive. One of the good things about the 27000 series is that it is very structured and very formal, so if you are a large organization with the resources to throw at it, it allows you to develop a very thorough framework. The ISO 27000 series assumes an information security management system is already in place, so there are some startup costs associated with trying to implement this standard. The main benefit from ISO 27001 and other associated frameworks is getting certified by an approved third party, and that costs money, lots of it. It's an expensive process to go through, and as I mentioned, with our small staff and small budget, it never really was a serious contender. The other thing worth noting is that it's not as popular in the United States as elsewhere. As I mentioned on the slide, see also soccer and Formula One: this is very popular internationally, not so much here in the US.

Here in the US, probably the big dog would be the NIST Cybersecurity Framework, or CSF. It's also very detailed. Special Publication 800-171 r2 is the short form of the standard designed for non-governmental agencies; the original framework was designed for federal government agencies and contractors, and for them compliance is mandatory. The short form I mentioned is 113 pages with extensive links to external documents, so it's quite detailed, most recently revised in
February of this year. One of the problems that we ran into looking at it is that it doesn't have a way to prioritize individual controls quite the same way that PCI DSS does, and we'll see what I mean by that in a moment. It allows quite a bit of room for interpretation, and it has to, because it's intended to be a one-size-fits-all type of framework. I can tell you from having looked at it that if you're a small shop it could be a little bit daunting if dedicated resources are small or non-existent.

One of the other popular security frameworks here in the US would be the CIS Top Controls; they're now called just the Top Controls because the number has changed. It began life as the SANS Top 20 and then became known as the CIS Top 20. It's now the CIS Top 18 Controls, because in version 8 of the framework, released in May of this year, the number was reduced; I think they combined some of the elements. One of the benefits of the Top Controls framework is that it does help prioritize individual controls. For example, if you're a small organization, they've introduced the idea of implementation groups, and there are three levels of those: Implementation Group 1 is aimed at small organizations, and Implementation Group 3 would probably be applicable to a Fortune 5 or something like that. It's easy to overlook the CIS Controls, because 18 to 20 controls doesn't sound like much; the reality is it's much more detailed than it sounds. There are a whole lot of subsections under each individual control, and if we had not gone with PCI DSS, this probably would have been the framework that I tried to implement. The problem with CIS is that it doesn't have the kind of supporting tools that we're going to look at here in a minute, the ones PCI makes available for folks who are trying to implement their framework in order to comply with payment card processing requirements.
The way to get started is to quit talking and begin doing, and the reason that I would give for why we decided to go with PCI DSS as a general, non-binding framework is that it made it easier for us to get the program off the ground, up and running. We started in May of this year, really, and we are already in the process of completing our first self-assessment. I'm not sure I could have pulled that off if I had tried to go through and implement some of the other, more detailed standards.
PCI DSS, or the Payment Card Industry Data Security Standard, is another security control, and compliance is mandatory for organizations that process payment cards: credit and debit card transactions. It's not intended for use as a general-purpose security framework, but it can be adapted for that use very easily. In fact, if you want to know the presentation in a nutshell: download some of the PCI tools, do a global find and replace, find "cardholder data," replace with "sensitive data," and you're done. Then all you have to do is go implement it. The idea of doing that was presented in a CISSP training course I took a year or so ago, taught by Kevin Henry, who basically developed the training materials for ISC² for the CISSP. I thought it sounded like an interesting idea, so that was the first thought that popped into my head when I was trying to find a framework that would work for us in a small company.

PCI does produce a spreadsheet that we'll see in a moment called the Prioritized Approach tool, and I found that to be very useful. It helps decide which controls need to be implemented first. It's actually color coded, so you can look at a glance and say, okay, I need to do this group first, this group second, and this group six down here we'll put off to the very end. It makes it easy to track and document implementation as you proceed through the spreadsheet and review the controls. There are sections to indicate: yes, we did this; no, we didn't; here's what we have to do; here's our plan going forward. And I think that is a key advantage of PCI DSS over other security frameworks, for example CIS Top 20. You could develop the same sort of documentation for any of the controls that I mentioned earlier, but you would have to go out and do that for yourself. With PCI, you can download
it from their document library, make a few appropriate customizations, and have a full suite of documentation ready to begin in a matter of days.

A few of the things that I like about the PCI DSS are that the controls are focused and detailed. They provide structure but not constraints; again, they don't specify that you have to use a particular level of encryption, let's say, but they do specify that it needs to be an industry standard, and I would want to document what standard I'm following in the spreadsheet as I work through it. The controls are adaptable for organizations with small staffs, because at the end of the day, PCI is targeted at everybody who processes credit cards or debit cards, so they have to be adaptable to organizations like mom-and-pop grocery and drug stores, for example. Those folks won't necessarily have to provide the same level of documentation that a larger organization would, say a credit card clearing house, but they have to be able to provide some information, or find someone who can provide it for them. The concepts are easy to explain to non-technical personnel: one of the easiest sales jobs I've ever done was having to explain to our leadership that our goal is to process our sensitive information with the same level of care that we would if we were dealing with credit card transactions. That intuitively made sense to them. Because so many organizations are familiar with PCI DSS, it's easy to communicate what we're doing to other organizations that ask about our security policies. And, as I mentioned, the biggest advantage that we have found is that extensive documentation is available directly from PCI DSS at no charge, and that's certainly a welcome benefit for an organization with a tight security budget.

This is an example of the Prioritized Approach spreadsheet, and you can see there a whole list of subordinate requirements under the major requirement "install and maintain a firewall configuration." You have prioritized levels one through six, level one being "stop what you're doing and do this first," two is what you do after that, and then there are an additional six levels of priority. You can indicate whether you are done, yes or no; if you're not, explain why; and then provide a little bit of explanation out in the additional columns. You have documented the current status of your security program in a very detailed fashion once you've finished the process in the spreadsheet.
PCI uses a three-pronged approach, basically. The first stage is to assess: identify all locations where sensitive data might be stored, taking an inventory of assets and analyzing those for vulnerabilities that could expose sensitive data. The next step is to repair: find the vulnerabilities and fix them. And then the third stage would be to report: document your assessment and your remediation details. At that point you're ready to begin the process again, so this is a continual cycle: assess, repair, report. We are now at the report stage for our first pass through.

There are some things that are useful to keep in mind when you're trying to apply PCI DSS. One of the most important is that unless you're processing payment card data, there's no need to stick to the absolute letter of PCI DSS. You're not going to get penalized if you don't; you probably will be less secure, but so long as you can say you're keeping in the spirit, that probably is going to be good enough. For example, there's no need to use a third party for external vulnerability scans, penetration tests, or audits; you can do that in-house so long as you're not trying to process payment cards. And we have done so: we do conduct external vulnerability scans against all of our environments using a third-party vendor that we contracted with for a very small charge. I was quite pleased with that. If we were doing this for real, we'd have to use an Approved Scanning Vendor, and the cost would have gone up substantially. Informal self-assessment can take the place of an audit, and we'll talk about that a little bit in just a moment; the PCI DSS does offer guidance for performing such an assessment. PCI DSS requires payment card information to be deleted as soon as there's no longer a business need to retain it. That's good practice, and I definitely would do that, but there are some things that our management wants to keep around longer than I wish they would.
We're not failing to be in compliance because of that, so it does give you flexibility; whether or not that flexibility is a good thing is subject to debate. There's no deadline to achieve compliance. We do not have a sword hanging over our head that if we don't get our assessment done by 31 December, we're no longer going to be able to process payment cards, because we're not doing that. This is just us using this framework as a form of guidance. And there's no penalty for falling out of compliance: if on your next cycle you detect that something is no longer working, it's not the end of the world. You need to fix it, but it doesn't put your ability to do business at any risk. It may be something you need to address as soon as possible, maybe today or tomorrow, but you're not at risk of having your ability to do business suspended. There are some sections of PCI DSS that may not apply. For example, we don't develop applications in-house, and there are entire chunks of some of the security controls that don't apply to us. Those were my favorite sections; I sailed through those. Some sections are aimed at service providers, and those are outside entities that could impact the security of cardholder data; you won't necessarily need to worry about those. Important points to keep in mind would be that provisions are not restricted to information that is stored electronically. As difficult as it is for us, in what is now almost a digital age, to remember, there are still a lot of paper records out there, and those paper records need to be secured, or securely disposed of, too. PCI does take that into account.
PCI envisions the secure environment to be a subset of the company network, but when you're processing sensitive data as opposed to payment card data, it may not be possible to simply isolate it off into one segment of the network. Your accounting department may need to be able to talk to HR, which may need to be able to talk to the CEO's office and the CFO, so you may wind up with a larger shared environment, and that means that you're going to need to look at some of the controls that we would normally apply to a segmented environment and apply them possibly to a larger spread of your network.
There are a few common pitfalls that I've discovered, in reading and in our own experience, for organizations that are attempting to comply, either to the letter or in the spirit, with PCI DSS. The bugaboo for every security professional I've ever known has been failing to change default passwords on network devices: routers, switches, IoT, printers. Multi-function printers are very useful as penetration testing tools, because most of the default passwords you can find through Google or a search engine, and it seems to be common practice amongst printer service technicians to keep those set to the same thing for convenience's sake. There have been several conference presentations on how to set up a reverse shell on the printer and use it to capture credentials as people come to log into the printer to print something. Poorly written web apps that allow SQL injections: SQL injections, hard as it is to believe, are still an issue; they still make the OWASP Top 10 on a regular basis. SQL injections, or exposing a database to the public Internet directly; I mean, it's hard to believe that those are still problems, but they are. And then another big issue would be exposing sensitive data to insecure networks or endpoints. The most obvious example would be BYOD devices that are
allowed to connect directly to the company network, or are somehow able to gain access to the company network through guest wireless because that wireless network isn't properly segmented.

I show my age here: "sock it to me" reminds me of the late 1960s comedy show Rowan and Martin's Laugh-In. One of the catchphrases on that show was "sock it to me," so if you remember Laugh-In, you know where this came from, and if not, well, I'm old. Organizations that process payment cards are required to submit responses to an annual self-assessment questionnaire, and the SAQ, for Self-Assessment Questionnaire, is a standardized form that can be downloaded from the PCI DSS document library. We're working with the questionnaire for class D merchants, and we found it very useful. The one problem that I did run into was that the form as it is delivered by PCI is a PDF file, so I spent the better part of about three days converting that into a spreadsheet similar to the one that we looked at earlier. Once I got there, that greatly simplified the process of doing our self-assessment, which we recently just completed. With modifications, that self-assessment questionnaire provides a great template for an annual review of an organization's security practices. I'm using it to prepare an end-of-year report for our ownership and
management, which is something that they've never had before. One thing I will say is that you should not fear failing your first assessment, particularly if you're starting from ground zero in a small shop that has not had an active security program before. You're not going to get everything done in the first year. What you can do is map out a roadmap for what needs to be done, and maybe come up with an improvement plan to get the top priorities taken care of in the next six to eight months. Since we're not using PCI for compliance purposes, our objective is a little bit different than the standard: we simply need to identify what we need to do, what we're actually doing (both what we're doing well and what we're not doing well), what we're not doing but need to do in future, and then develop a strategy to close those gaps. The final section of the SAQ document is the Attestation of Compliance, or AOC. The AOC doesn't assume or require full compliance, even for environments that are in scope for PCI DSS. What it does is provide an action plan for non-compliant requirements and a timetable for completing those requirements, and it can be massaged to generate a summary of your current security practices that you can share with customers and potential customers. In fact, that's exactly what we intend to do.

Some key takeaways from this: things that you're going to need to look at especially carefully if you do decide to follow PCI DSS. One is network protection. You're going to need to make sure you've got firewalls in all the right places and that your network is properly segmented; as has been mentioned elsewhere in other talks this morning, there's no such thing as a security professional who doesn't believe in network segmentation. You'll need to be careful with passwords and default settings. Make sure that none of your devices are using the
default passwords, and that the users are choosing secure passwords, because we're stuck with them for the time being. I would emphasize making sure that none of your passwords have been involved in a data breach, because the definition of what constitutes a secure password has changed considerably in the last five or ten years. And make sure that all the settings on your network devices and PCs are configured correctly. You'll need to make sure that data at rest is properly encrypted and that data in transit is properly encrypted, that you have malware protection and it is kept updated, and that systems are hardened: that they're patched and unnecessary services have been removed. Make sure that each user has their own account, that a password is assigned to the account, and that you can track exactly who has done what, as much as possible. You need to restrict physical access to sensitive data: your main server shouldn't be on a PC sitting under somebody's desk. It's been a while, but I have seen that. You need to restrict physical access to sensitive data, for example backup tapes, if anyone's still backing up to tape; that's almost as good as having access to the data itself. It needs to be secured, it needs to be encrypted, and it needs to be stored securely. You'll need to have logging and log management set up, some form of central log management or storage, for example a SIEM. You'll need a vulnerability management practice, both internally and externally. You'll need to conduct regular risk assessment and documentation, which turns out to be easier said than done; we're still wrestling with that ourselves. And you'll need to perform regular reviews, at least annually and following any major change to your infrastructure.

Summary: security frameworks are a useful roadmap for developing a security program. Dependent upon available resources, some more established frameworks may not be viable for smaller organizations. My advice would be to find a framework that you like and stick with it. The PCI DSS was developed to secure payment card data, but it can be
leveraged to create a viable security framework for both small and medium-sized organizations. I thank you very much for coming by my talk. I think we're done a little bit early; if we have questions, I'll be glad to take them, and I will provide a link to the slide deck in the chat in case anybody wants it. Thank you, and let's see.

Mark: Great, Stephen. I know my experience with this is... this is Mark. I work for a company that had nine other companies that I oversaw, and two of them had the PCI compliance requirement. They had a contract in place to do the external scanning, and I thought it was fabulous, and so I got with the same company and put a contract in place to scan the other seven companies. Now, it was a totally separate agreement so it wouldn't, you know, mess up their results, but it was just so nice to be able to get the same type of information easily. It was so easy for me to do that.

Stephen: Yes, that's wonderful. We actually went out and evaluated some companies that provide this as a service, not necessarily for PCI, and found one that allows us to do it. They're actually selling OpenVAS, which again probably wouldn't have been my first choice, but the price was right, and it does allow us to at least guarantee that, for example, I can promise you that we don't have RDP running on any of our public IPs. That was my first big concern when I got there, and those are the things that you need to check for. It helps to make sure that you have things buttoned up as well as you do, because I think if you ask any systems administrator anywhere in the world, all of them would deny that they have RDP, port 3389, exposed to the Internet, and we know obviously that has not been the case.

Mark: And another issue that you encounter is when you tell somebody they need to do something, they're like, "well, that's just your opinion; we've been doing it this other way forever." When you have some type of standard to stand behind you and go, "well, no, this is the best practice according to this industry standard, this is why you need to do it," you tend to get more traction if it's an industry standard you're trying to implement versus what could be considered your opinion.

Stephen: Yeah, and that's one of the reasons that we adopted a framework and developed our program: because it was easier to sell to management. They intuitively understood when we said we're handling all of our sensitive data the way we would handle credit card data; it made sense to them. I don't know, if I had said "we're doing this because this agency in the federal government said to do it," I don't know that it would have registered quite as solidly. And that's going to be an issue probably more for smaller organizations like ours than it might be for some place that is a little bit larger and is more in tune with government requirements.
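The talk leans on two artifacts: the Prioritized Approach spreadsheet (each sub-requirement carries a priority milestone 1 through 6, a yes/no "in place" column, and notes) and the AOC action plan (non-compliant requirements with a timetable). The Python below is an added example of the same bookkeeping, written for this page; it is neither the PCI SSC's Prioritized Approach tool nor the RNS Solutions spreadsheet the speaker built. The CSV rows, requirement numbers and descriptions are constructed for illustration and are not quoted from the standard, and the four-weeks-per-milestone schedule is an assumption you would replace with your own dates.

```python
"""
Prioritized-approach gap tracker.

Added example, not PCI SSC's tool. Reads a spreadsheet export in which every
sub-requirement has a milestone (1 = do this first ... 6 = can wait until
last), an "in place" yes/no and notes, then produces the ordered gap list
and an AOC-style action plan with target dates.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Control:
    """One sub-requirement row, mirroring the spreadsheet's columns."""
    req_id: str
    description: str
    milestone: int      # 1 = do this first ... 6 = put off to the very end
    in_place: bool      # the spreadsheet's "yes / no" column
    notes: str = ""     # why not, or what the plan is


# Constructed sample rows. Requirement numbers and wording are illustrative,
# not quoted from the PCI DSS or from any real assessment.
SAMPLE_CSV = """req_id,description,milestone,in_place,notes
1.1,Firewall configuration standards documented,1,yes,reviewed in May
1.2,Inbound and outbound traffic restricted to what is needed,1,no,legacy any/any rule still present
2.1,Vendor default passwords changed on all devices,1,no,multi-function printers still on defaults
8.2,Each user has a unique ID and strong authentication,2,no,shared admin account on file server
3.4,Sensitive data at rest encrypted,3,yes,full-disk encryption on laptops
10.1,Central log management in place,4,no,no SIEM yet
12.1,Security policy published and reviewed annually,6,yes,
"""

# Constructed start date for the action plan (assumption, not from the talk).
ASSESSMENT_START = date(2021, 6, 1)


def _req_key(req_id: str) -> tuple[int, ...]:
    """Sort '10.1' after '2.1' numerically instead of as strings."""
    return tuple(int(part) for part in req_id.split("."))


def parse_controls(text: str) -> list[Control]:
    """Read the spreadsheet export; reject milestones outside 1..6."""
    controls = []
    for row in csv.DictReader(io.StringIO(text)):
        milestone = int(row["milestone"])
        if not 1 <= milestone <= 6:
            raise ValueError(f"{row['req_id']}: milestone must be 1-6, got {milestone}")
        controls.append(Control(
            req_id=row["req_id"].strip(),
            description=row["description"].strip(),
            milestone=milestone,
            in_place=row["in_place"].strip().lower() in ("yes", "y", "true"),
            notes=row["notes"].strip(),
        ))
    return controls


def milestone_status(controls: list[Control]) -> dict[int, tuple[int, int]]:
    """(controls in place, total controls) for each milestone 1..6."""
    tally = {m: [0, 0] for m in range(1, 7)}
    for c in controls:
        tally[c.milestone][1] += 1
        if c.in_place:
            tally[c.milestone][0] += 1
    return {m: (done, total) for m, (done, total) in tally.items()}


def gap_list(controls: list[Control]) -> list[Control]:
    """Outstanding controls, lowest milestone first: the 'do this first' group."""
    gaps = [c for c in controls if not c.in_place]
    return sorted(gaps, key=lambda c: (c.milestone, _req_key(c.req_id)))


def action_plan(controls: list[Control], start: date,
                weeks_per_milestone: int = 4) -> list[dict[str, str]]:
    """AOC-style action plan: every non-compliant requirement gets a target
    date, milestone-1 items due soonest (assumed 4 weeks per milestone)."""
    plan = []
    for c in gap_list(controls):
        due = start + timedelta(weeks=weeks_per_milestone * c.milestone)
        plan.append({"req_id": c.req_id, "milestone": str(c.milestone),
                     "description": c.description, "target": due.isoformat(),
                     "notes": c.notes})
    return plan


def status_report(controls: list[Control]) -> str:
    """Plain-text summary of the kind an end-of-year management report needs."""
    lines = ["milestone  in place / total"]
    for m, (done, total) in milestone_status(controls).items():
        if total:
            lines.append(f"    {m}        {done} / {total}")
    lines.append("")
    lines.append("outstanding (priority order):")
    for c in gap_list(controls):
        lines.append(f"  [{c.milestone}] {c.req_id} {c.description} -- {c.notes}")
    return "\n".join(lines)


if __name__ == "__main__":
    controls = parse_controls(SAMPLE_CSV)
    print(status_report(controls))
    for item in action_plan(controls, ASSESSMENT_START):
        print(item)
```

Run it as a script to see the per-milestone tally and the ordered gap list; in practice you would export the spreadsheet to CSV and point `parse_controls` at it. Sorting gaps by (milestone, requirement number) is what makes the "this group first, group six last" workflow mechanical, and the action plan's target dates are what the AOC section asks for against each non-compliant requirement.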