
Good morning, or good afternoon, or good evening, depending on where you are in the world. My name is Steve Kirby, and I'm going to be talking today about using the PCI DSS as a general cyber security framework. It's something that we've been doing at my current employer for a few months now, and I thought it was an interesting way to approach the issue of security frameworks.

To give you a little bit of information about me: I have over 30 years of experience in IT. I started in the late 1980s, worked through Novell NetWare, more flavors of Unix than I can shake a stick at, and I've done Windows. I gravitated to security issues very early on because there was a need for it. Back in the day, security was almost an afterthought in a lot of cases, and I was running some projects, or was associated with some projects, that had considerable visibility, where it would have been a bad thing if we had any kind of security issues. I do hold multiple security certifications, so, you know, I'm an expert, if you believe in those things. I'm currently working as a systems engineer for RNS Solutions. We are a third-party logistics company servicing the pharmaceutical industry, located in Jackson, Tennessee. It's a small company; we only have about a hundred employees.

One of the things that we discovered when we started to try to develop a security program is that a lot of the frameworks and other documentation are really geared towards at least medium-sized and probably larger organizations. So we were either going to have to do a lot of rolling our own, or find some sort of alternative. I stumbled across using PCI DSS for this purpose when I was studying for the CISSP. Kevin Henry, who teaches the course that I was taking, mentioned at one of the class sessions that someone, I think in Canada, had done exactly this: they simply adapted PCI DSS as a general-purpose framework. So I decided to investigate it and see what we could do with it.

We're going to talk about four basic concepts here. The first thing I want to do, just in case anybody is unaware of what a security framework is, is talk about that for a little bit. We'll talk about what some of the most popular frameworks are, and why in the world we need yet another one. I'll talk a little bit about how we've chosen to adapt PCI DSS at RNS Solutions, and see if I can present some key takeaways that might be useful for people who might want to reproduce this down the road.

Security frameworks: well, a security framework is a high-level strategy for protecting information assets. It's usually a collection of guidelines and best practices. Frameworks provide guidance on what to do, but they don't necessarily provide detailed instructions on how to do it. It may say you need to encrypt data at rest, but it's not going to tell you what ciphers to use, or what the key length needs to be, or any of those other factors that you would need to decide for yourself.

There are a number of popular general security frameworks. I'm going to mention three, but there are plenty of others. ISO 27001 is very popular in a lot of places, not so much in the US. In the US we're very fond of the Cybersecurity Framework, or CSF, and then the CIS Critical Security Controls, formerly known as the SANS Top 20 Controls.

ISO 27001 is part of a suite of standards produced by the International Standards Organization. It's a very thorough program, but it has some disadvantages, particularly for small shops who don't necessarily have a huge security budget. For starters, if you want to find out anything about how the program is structured, the official standards documents have to be purchased, and they are not cheap. I think some of the document sets start at about 350 dollars, and you're going to need several of them, and we just didn't have the budget for that. ISO 27001 is a very structured, formal process. It assumes that you have an information security management system, or ISMS, already in place, so starting from scratch really requires considerable overhead. The main benefit comes if you can become certified by an approved third-party examiner, and that's very, very expensive. There are other standards in the 27000 series that go along with this. 27001 is basically the building block; it tells you what you need to do, and other standards will, for example, give you some guidance on how to do it, or how to assess risk, and that sort of thing. The ISO series is quite popular overseas. It's not as popular in the US as elsewhere. As I mentioned there on the slide, you can also see soccer or Formula One motor racing: this started as a British set of standards and has been adopted by international organizations, and you will find some organizations in the US that follow it, but it doesn't quite have the following here in the United States that it has elsewhere.

Probably more commonly used here in the United States, and again especially for larger organizations, is the Cybersecurity Framework. This is from the National Institute of Standards and Technology. It's a division of the United States government, and it produces standards and guidance. In some cases they are obligatory for United States government agencies or US government contractors, but they also produce documents that can be used in industry. In this case, SP, Special Publication, 800-171 r2 is the short form designed for non-governmental agencies. This short form is still 113 pages with multiple links to external documents, so it's quite an ambitious undertaking. It was most recently revised in February of this year, so it is a living document. NIST doesn't weight or prioritize individual controls and allows a lot of room for interpretation, so if you don't have a large security staff (and our security staff basically consists of part of me and maybe a hand from one or two other admins as needed and as possible, but we don't have a large security staff) taking on something as ambitious as this was just more than we felt like we were up to.

The third framework that I mentioned would be the CIS top controls, formerly the SANS Top 20, and now the CIS Top 18 Controls. As of May of this year, version 8 was released, and they reduced the number of controls from 20 to 18. It does help prioritize individual controls, because there are three implementation groups, where implementation group one is really aimed at small organizations like us. It's easy to overlook the CIS top controls as a security framework, because 18 to 20 controls doesn't sound like much. It's actually more detailed than it sounds, and we might have considered this for our framework, but there aren't a lot of supporting tools associated with the CIS controls. You can get the documents, that's no problem, and find out what the requirements are. We're going to look at some tools that are available for PCI that we just couldn't find counterparts for for CIS, and we decided we'd rather go that route than trying to develop our own. To quote Walt Disney, "The way to get started is to quit talking and begin doing." The main reason that we decided to go with PCI, and use sort of an adaptation as a general-purpose control or framework, is that we wanted to hit the ground running. We are in the middle of a major business expansion. We're going to be rebranding ourselves in the near future, probably in the next 10 to 12 months, and we wanted to wrap up our first kind of security program before that happens. So we really needed to get more done in as little time as we possibly could.

PCI DSS, or the Payment Card Industry Data Security Standard, is a very widely used framework, but it's typically only used by companies that have to process payment cards, credit cards and debit cards. It's not intended for use as a general-purpose security framework. We found that it can be adapted for that use very easily. In a nutshell, you just do a global find and replace: find "cardholder data" and replace it with "sensitive data," and all of a sudden you have a general-purpose control set that works very well. We've been pleased with it.

One of the most helpful things about the PCI framework is that they produce a spreadsheet called the Prioritized Approach Tool, and that is very, very useful, because it offers, as mentioned, priorities, helping you decide which controls need to be implemented first. It also makes it very easy to track and document how you've implemented the framework, and that's a major advantage of PCI DSS over other frameworks, in particular the CIS top controls. The controls that PCI offers are focused and detailed. They provide structure but not constraints. The controls are adaptable for organizations with small IT staffs. I've been able to fill in a lot of this in maybe half a work time, and I've been very pleased with the results. It makes sense that something like PCI would be amenable to smaller organizations, because even small mom-and-pop stores, like a gas station, for example, that process credit cards are going to have to comply with this. They're going to have to fill out the forms themselves or hire someone else to do it for them.

We found that PCI DSS is easy to explain to non-technical personnel. When we explained to senior management that our goal is to treat our sensitive corporate data with the same level of security that we would have to treat payment cards, or credit cards, with, it clicks, and it's made for a very easy sales job. I expect the concepts could easily be communicated to other organizations as well, because again, a lot of companies have experience dealing with PCI DSS, and by the same token, they're using a similar language. You don't necessarily map the PCI DSS framework to other frameworks, but you can use the same language and communicate the same concepts, so that people who are working at another company who have an interest in what you're doing security-wise can understand what you're telling them. And one of the other big advantages is that there is extensive documentation from PCI DSS at no charge. Basically, their full document set is available for download. The link is there at the top of the slide. If you want the forms, if you want the spreadsheets, if you want the instructions, it's no trouble getting it. You'll have to register with the website, and then download to your heart's content.

This is an example of the Prioritized Approach spreadsheet, and as you see there, this is the spreadsheet as it comes from PCI DSS. You have the milestone; we have over on the left-hand side a list of the objectives that you need to accomplish, and then the milestone column prioritizes them. There are three levels of priority reflected on this page. 1.1.2 and 1.1.3 are top priority, and basically that means they want you to create a map of your network, asset management in other terms. You do that first. You do the ones in yellow, labeled two, second, and move on through the spreadsheet. You'll find three, four, the purple ones, and six are the ones you can do towards the end of the process, because they're probably the least pressing.

The PCI standard adopts a three-pronged approach: assess, repair and report. So the first step of this ongoing process will involve assessing all locations where sensitive data might be stored, doing an inventory of assets and business processes, and analyzing them for vulnerabilities that can expose sensitive data. Once you've performed the assessment, you perform a repair: you fix identified vulnerabilities and implement secure business processes, and if something changes along the way, you may have to modify those processes. And once the processes and vulnerabilities have been repaired, you report: you document what you've done, you document that you've assessed it and that you've taken remediation.

There are some things to keep in mind about PCI DSS, and one of the most important is to remember that unless you're processing payment card data, there's no need to stick to the letter of the framework. You can adapt this to your needs and to your purposes. You, for example, don't have to use a third party for external vulnerability scans, or penetration tests, or audits. You can do all those yourself. We do perform external scans; we've contracted with another company that does that, but we're not going out and purchasing services from an approved scanning vendor, for example, like you would have to do if you were trying to maintain compliance in order to process payment cards. Informal self-assessment can take the place of a formal audit; in fact, PCI DSS offers guidance for performing such an assessment. PCI DSS requires payment card data to be deleted immediately if there's no longer a business need for it. That's not a hard and fast requirement for other forms of sensitive data. It's probably a good idea, but you're not necessarily going to get into trouble if you get caught not doing it as quickly as someone else thinks you should. There's no deadline to achieve compliance; you set that for yourself. This is a journey. It's not necessarily a sprint; it's going to be more of a marathon for most people. There's no penalty for falling out of compliance, because your assessment, as you run through the cycle, is geared towards detecting things that might have fallen through the cracks, or a process that might no longer match your current needs or practices. Some sections of PCI DSS may not apply to you. For example, if you don't develop applications in-house, there are sections of the standard that talk about securing bespoke applications, and those won't apply; you don't have to worry about them. And some sections are aimed at service providers. Those would be outside entities that could impact the security of cardholder data; again, you probably don't have to worry about that.

Some other things to note would be that the provisions are not restricted to information that's stored electronically. PCI has to deal with the possibility that somebody is running one of those old slide card processors, and that they'll need to deal with paper records, with retention and destruction and security for all those. PCI envisions the secure environment to be a subset. In other words, the section of your network that processes payment cards is assumed to be a subset of your network, or a segment of it. That might not be the case if you're using this as a general standard, because you may have more than one group of people, or one or more teams, processing information that defies easy segmentation. If you can, great, but you may have to think about segmenting off other things that might pose a threat. The most common example would be guest wireless. You definitely don't want people having guest wireless access to anything that stores sensitive data.

Some typical pitfalls for organizations attempting to comply with PCI DSS would be failing to change default passwords on network devices. Be sure to do that. That's one of the first items on the list; I think it's on the second page of the spreadsheet, but it's something that often gets overlooked and obviously can come back to bite in a very hard way. Poorly written web apps that allow SQL injection, or otherwise expose a database to the public internet: that's also something that's easy to overlook, and it's something that's known to have caused problems in the past. And then exposing sensitive data to insecure networks or endpoints, as I mentioned, the guest wireless networks, and again, employee mobile devices. If you're processing sensitive data, particularly financial or personal data, you don't want employee-owned mobile devices having access to that information.

"Sock it to me" is a sick pun. Perhaps you may have to be of my age and generation to remember the Laugh-In show, where the punchline was always "sock it to me." But organizations that process payment card data are required to submit responses to an annual Self-Assessment Questionnaire, or SAQ, and the good news is that the SAQ is a standardized form that can be downloaded from the PCI DSS document library. We're working ourselves through the questionnaire for class D merchants. It's taking some development work, because that form is a PDF, and so we discovered that we're going to have to make some changes to it to make it more usable as a general-purpose tool, but it's a very handy way of assessing where we are, how far we've come in this time that we've been working with it. With modifications, the SAQ can provide a template for an annual review of your organization's security practice. And in fact, the interesting thing is that the final section of the SAQ document is known as an Attestation of Compliance. The Attestation of Compliance doesn't necessarily require full compliance; rather, it provides an action plan for non-compliant requirements and a timetable for completing those requirements. So if there are things that need to be done, you can carry that over into next year's plan.

Takeaways: well, you're going to have to look at some very familiar-looking areas when dealing with PCI DSS. You'll need to look at network protection, firewalls and network segmentation; passwords and settings, making sure that passwords are secure and defaults have all been changed. You'll need to make sure data is encrypted when it's at rest, and that transmission of sensitive data across open public networks is encrypted. You'll need to make sure you have up-to-date malware protection on any systems that can conceivably process sensitive data. You need to practice system hardening. Each user will need their own account. Access to sensitive data will need to be limited by need to know, and you'll need to restrict physical access to that sensitive data. You'll need to provide logging and log management, vulnerability management, both internal and external scans as I mentioned, and you'll need to do continual risk assessment and documentation. The good news is those are all things that most organizations should be doing if they're not already anyhow, so it really doesn't involve a great deal of unusual work. There are no oddities that you really need to contend with. Again, perform regular reviews, at least annually, and you'll need to do another one if you make any major changes to infrastructure.

In summary, security frameworks are a roadmap for developing a security program based upon available resources. Some more established frameworks may not be viable for smaller organizations like the one I work for. The important thing is to find a framework that you like and work with it, and the PCI DSS, which has been developed to secure payment card data, can be leveraged to create a viable security framework for small and medium-sized organizations, and we're enjoying the fruits of that every day. Thank you for coming to the talk. My contact information is there. A copy of the slides will be made available; I think we'll have a link to that somewhere. And if you have any questions, don't hesitate to reach out and contact me. Thank you very much.
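Added example, not part of the talk and not a PCI SSC tool: the two mechanical steps the speaker describes, the global "cardholder data" to "sensitive data" find-and-replace and ordering the work by the Prioritized Approach milestone column, written as a small Python helper that turns a CSV export of the spreadsheet into a tracked, prioritized checklist. It assumes the export has columns named "Requirement", "Description", "Milestone" and optionally "Status" (the column names, the function names and the sample rows are all assumptions made here; the sample rows are constructed and their wording and milestone numbers are illustrative, not quoted from the standard).

```python
"""Adapt a CSV export of the PCI DSS Prioritized Approach spreadsheet into a
general-purpose, milestone-ordered control checklist.

Hypothetical helper written for this page; not a PCI SSC tool. It assumes the
export carries the columns "Requirement", "Description", "Milestone" and,
optionally, "Status" (column names are an assumption).
"""
import csv
import io
import re

# "cardholder data" in any capitalisation; the replacement keeps the original
# first-letter case so headings such as "Cardholder Data" still read well.
_CHD = re.compile(r"\bcardholder data\b", re.IGNORECASE)


def adapt_text(text: str) -> str:
    """The talk's global find and replace: cardholder data -> sensitive data."""
    def _swap(m: re.Match) -> str:
        word = m.group(0)
        if word.isupper():
            return "SENSITIVE DATA"
        if word[0].isupper():
            second = word.split()[1]
            return "Sensitive Data" if second[0].isupper() else "Sensitive data"
        return "sensitive data"
    return _CHD.sub(_swap, text)


def _req_key(req: str) -> tuple:
    """Sort requirement ids numerically, so 1.1.10 follows 1.1.2 (not 1.1.1)."""
    return tuple(int(p) for p in req.split(".") if p.isdigit())


def load_controls(csv_text: str) -> list:
    """Parse the export, rewrite the wording and require a numeric milestone."""
    controls = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            milestone = int(row["Milestone"])
        except (KeyError, TypeError, ValueError):
            raise ValueError(
                f"requirement {row.get('Requirement')!r} has no numeric milestone")
        controls.append({
            "requirement": row["Requirement"].strip(),
            "description": adapt_text(row["Description"].strip()),
            "milestone": milestone,
            # An empty or missing Status cell means the control is still open.
            "status": (row.get("Status") or "").strip().lower() or "not started",
        })
    return controls


def prioritized_plan(controls: list) -> dict:
    """Map milestone -> requirement ids, lowest milestone first (do those first)."""
    plan: dict = {}
    ordered = sorted(controls, key=lambda c: (c["milestone"], _req_key(c["requirement"])))
    for c in ordered:
        plan.setdefault(c["milestone"], []).append(c["requirement"])
    return plan


def next_actions(controls: list) -> list:
    """Open items from the lowest milestone that still has unfinished work."""
    open_items = [c for c in controls if c["status"] != "done"]
    if not open_items:
        return []
    lowest = min(c["milestone"] for c in open_items)
    return [c["requirement"]
            for c in sorted(open_items, key=lambda c: _req_key(c["requirement"]))
            if c["milestone"] == lowest]


# Constructed sample rows for this example (illustrative wording and milestone
# numbers, not quoted from the spreadsheet); 1.1.2 and 1.1.3 sit at milestone 1
# as in the slide the talk describes.
SAMPLE_CSV = """Requirement,Description,Milestone,Status
1.1.2,"Current network diagram showing all connections to cardholder data",1,done
1.1.3,"Diagram showing all Cardholder data flows across systems and networks",1,
2.1,"Change vendor-supplied defaults before installing a system on the network",2,
3.1,"Keep Cardholder Data storage to a minimum via retention and disposal policies",3,
"""

if __name__ == "__main__":
    controls = load_controls(SAMPLE_CSV)
    for milestone, reqs in prioritized_plan(controls).items():
        print(f"Milestone {milestone}: {', '.join(reqs)}")
    print("Do next:", next_actions(controls))
```

Feeding the real export in is a matter of opening the CSV and passing its text to `load_controls`; the `Status` column is where the "track and document" part of the talk lives, since marking a row `done` is what moves `next_actions` on to the next milestone.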