PCI DSS Compliance in a Cloud Computing Environment. Part 1

The main purpose of this article series is to survey the research that have been done in areas of PCI DSS compliance and recent developments of cloud computing. It gives an overview of basics of cloud computing, PCI DSS and specific compliance issues when dealing with outsourcing applications and infrastructure to third parties.

Nowadays many companies changed the way they doing business with the development of cloud computing. An ability to outsource application or entire infrastructure to the third parties allows businesses to take advantage of rapid and highly scalable deployment of services with little or no information technology expertise. Unfortunately, many enterprises are slow to adopt cloud computing because of information security compliance issues. Companies are skeptical about moving their sensitive information outside their own control perimeter, and see their main obstacle as an inability to check whether outsourced infrastructure and applications are in conflict with existing rules and regulations, such as PCI DSS.

The Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) is a standard that organizations must follow if their business involves processing, storing, and transmitting cardholder data. The main purpose of this standard is to provide requirements to ensure security of payment card data

1. Overview and history

PCI DSS was developed by PCI Security Standards Council, an open global forum formed in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. [1].

Historically, the companies in this forum developed their own programs, but because they shared similar goals they decided to align their requirements and created PCI DSS.

The birth of PCI DSS created many discussions in the industry.

For example, PCI Council General Manager Bob Russo thinks that PCI DSS gives stakeholders “the opportunity and flexibility to work with Qualified Security Assessors (QSA) to determine appropriate security controls within their environment that meet the intent of the PCI standards.” [2]

Furthermore, Bruce Schneier says that, “Regulation – SOX, HIPAA, GLBA, the credit-card industry’s PCI, the various disclosure laws, the European Data Protection Act, whatever – has been the best stick the industry has found to beat companies over the head with. And it works. Regulation forces companies to take security more seriously, and sells more products and services.” [3]

2. PCI DSS requirements compliance

PCI DSS consists of on six high-level objectives and twelve requirements (Table 1) [4]

Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor supplied defaults for system passwords and other security parameters
Protect card holder data 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program 5. Use and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications
Implement strong access control measures 7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain and information security policy 12. Maintain a policy that addresses information security for all personnel.

Table 1 – PCI DSS Requirements and Security Assessment Procedures [4]

Compliance with PCI DSS requirements is enforced through contract agreements and may include fines and higher processing fees. To ensure compliance of services providers and merchants with PCI DSS requirements, special assessments are carried out. Such assessments usually utilize a sampling methodology to demonstrate compliance in target systems.

However, assessment procedure depends on the level of the merchant (it may require the completion of a Self-Assessment Questionnaire or on-site assessment) (Table 2) [5]

Category Criteria Requirements
Level 1 Any merchant that has suffered a hack or an attack that resulted in an account data compromise
Any merchant having more than six million total combined MasterCard and Maestro transactions annually
Any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
Annual Onsite Assessment
Quarterly Network Scan
Level 2 Any merchant with more than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually Annual Self-Assessment
Onsite Assessment at Merchant Discretion
Quarterly Network Scan
Level 3 Any merchant with more than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually Annual Self-Assessment
Quarterly Network Scan
Level 4 All other merchants Annual Self-Assessment
Quarterly Network Scan

Table 2 – Merchant Level and Validation Requirements (MasterCard version) [5]

PCI DSS requirements assessment procedure depends on merchant’s annual number of transactions and past breach history.

3. Implementing the PCI DSS

Companies face many challenges and difficulties when implementing PCI DSS requirements. According to Michael Jones, CIO of Michaels’ Stores, PCI DSS requirements “are very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement. It is often stated that there are only twelve ‘Requirements’ for PCI compliance. In fact there are over 220 sub-requirements; some of which can place an incredible burden on a retailer and many of which are subject to interpretation.” [6]

Rees identifies the following challenges of PCI DSS compliance [7]:

– Understanding scope

– Understanding of card data flow

– Organizational

– Technological

– Third party management

Bonner, O’ Raw and Curran in their paper [8] present a good analysis of application adherence with PCI DSS requirements. Researchers address such issues as maintaining legacy systems and their difficulties to implement PCI DSS requirements properly. They discuss several existing solutions such as using web services to “wrap” older legacy systems [9]. However, in their opinion, neither of these approaches directly addresses the problem of PCI DSS compliance.

The authors developed a prototype (Figure 1) and showed how to implement controls to achieve PCI DSS compliance in the application.

 system

Figure 1 -. Experimental System Overview [8]

The researchers thoroughly describe their prototype, present some experiments, and tackle the problems of masking payment card data and cryptographic key management while storing such data.

However, in their research they focus solely on adherence with requirements of developed application, completely ignoring environment in which this piece of software operates.

Despite the fact that this paper contributes to the field of secure software development, and emphasizes some application PCI DSS compliance issues, one should remember that environment plays an important role in achieving compliance for business overall

References

[1]       PCI Security Standards Council  https://www.pcisecuritystandards.org/

[2]       Russo (2009). “Letter to NRF”. PCI Council. https://www.pcisecuritystandards.org/pdfs/statement090615_letter_to_nrf.pdf

[3]       Schneier (2008) “Bruce Schneier reflects on a decade of security trends”. http://www.schneier.com/news-049.html

[4]       PCI DSS Requirements and Security Assessment Procedures, Version 2.0 p. 5

[5]       Merchant Level and Validation Requirements (MasterCard version) http://www.mastercard.com/us/company/en/whatwedo/determine_merchant.html

[6]       Jones (2009). “Testimony of Michael Jones before the emerging threats cybersecurity and science and technology subcommittee “. Congress of the United States.

Click to access 20090331142012-77196.pdf

[7]       Rees (2010) “Computer Fraud & Security” Volume 2010, Issue 12, p. 14–116

[8]       Bonner, O’ Raw, Curran (2011) “Implementing the Payment Card Industry (PCI) Data Security Standard (DSS)”.

[9]       Steed (1996) “Encapsulating Legacy Software for Use in Client/Server Systems”. Proceedings of the Third Working Conference on Reverse Engineering. Monterey, CA: p.104-119

 

Penetration Tester’s Toolkit

BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. The manuals section provides you with simple information in order to get up and running with Back|Track and help with some additional features unique to the suite.

Nmap –free open source tool for network analysis and security audits.

Typical use:
nmap -A -T4 localhost
-A to identify operating system, trace and scan with scripts
-T4 configure time parameters (scale 0 to 5, higher the number – higher the speed)
localhost — target host

You can use “slow comprehensive scan” to get more detailed information pertaining target system
nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO –script all localhost

For more information please refer to Nmap Reference Guide

Hydra is a flexible and fast password auditing tool which supports numerous protocols and parallelization.

Nikto – Open Source (GPL) web-scanner. This tool can help you find undeleted scripts (such as test.php, index_.php, etc), database administration utilities ((/phpmyadmin/, /pma, etc) and many more typical errors on target website.

To use simply start with:
/nikto.pl -host localhost

Acunetix – very easy to use web vulnerability scanner. Free version still has great functionality and can help checking web applications for SQL Injection, XSS & other web vulnerabilities

Nessus – very powerful free for home use web-scanner, which helps security auditors identify available running services on target system, check for potential security misconfiguration and many more

To test identified vulnerabilities you can use Metasploit Framework or try to find exploit (on explot searchExplot-db, etc.) and use it manually on your system

The Metasploit Framework helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments./

It is possible to use Nmap to analyze ports, identify services and Metasploit to exploit vulnerabilities depending on service (ssh, ftp, etc.)

Armitage – tool that can help you test network for vulnerabilities. Basically, it is a GUI for Metasploit Framework and Nmap. It visualizes targets, collects data and makes whole process of penetration testing easier

And to test all of these for those of you, who interested in vulnerability analysis, reverse engineering, debugging,, exploit development and privilege escalation, you can refer to Linux hacking challenges. This project has several virtual machines, exercises and manuals to help you improve your skills.

Here are some additional TOP lists of tools for penetration testing

Top 100 Network Security Tools
Top 10 Web Vulnerability Scanners
Top 10 Vulnerability Scanners
OWASP Top 10 Tools and Tactics
Web-based Application Security Scanners
Web Application Security Scanner List by WebAppSec

Public Speaking

ID-100217406

I worked at an oil and gas company a couple of years ago. Gazprom, held an event where the chief security officers and some other technical staff from more than 50 branches were gathered, and it was at our head office’s conference hall. I was chosen by the management team to prepare a 20 minute presentation on the internal audit results of 2011.

I wrote some notes, thought about the structure, and decided on what I really wanted to get from the audience in terms of compliance with corporate policies and procedures related to information security by inviting them to a “call to action” at the end of my speech.

Everything went very well and I was glad to help everybody clarify some aspects on information security, and share some ways of solving typical issues. Although my presentation was a little harsh (it’s sometimes the only way to get something done), I was applauded and congratulated, and asked a barrage of questions. I had engaged the audience very well and made my message come across.

Here are some general tips on public speaking:

  1. Firstly, take a moment to ask yourself several important questions:
  • Why am I doing this?
  • Why is it so important to me?
  • What do I want?
  • Who is my audience?
  • What do I want from the audience?
  • What is my goal?
  1. Mentally exercise your speech. Vividly imagine yourself making the greatest presentation of your life. Think of your previous positive experience in public speaking.
  2. When on stage, act and speak as if you own the place. You are big, brave and strong.
  3. Remember that the only emotion you actually feel on stage is excitement. It is in your power to transform it into a positive aggressive attitude instead of fear.
  4. Remember that only you gain from this presentation. Forget about result – just practice.
  5. Don’t try to be perfect.
  6. Don’t be so serious about it – you’ve done it a thousand times. Imagine that you are just going to tell a funny story to your friends or relatives.
  7. Act as if you already successfully delivered this presentation. Just let the success happen.
  8. Think of yourself as a kind of person who is a master at public speaking and enjoys it a lot.
  9. You have to actually believe in what you are saying. Integrity is crucial.
  10. Remember that the audience is your best friend. They want you to succeed because they want to hear an interesting presentation.
  11. Appreciate your audience and remember – you have something important to tell them, you have value. Your great presentation has the potential to change the world and make them better people.
  12. Move the attention from yourself to the audience. Focus on them.
  13. Be aware of your body language: posture, chin, and shoulders.
  14. Take time to rehearse. Practice makes perfect.
  15. Remember that the presentation actually begins when you stand up and walk to stage. Not when you are already on stage.
  16. Slow deep breathing can help you relax. Some physical exercises right before speech also work well. Help the audience to feel comfortable and relaxed by relaxing yourself.
  17. Voice: use intonation and take regular pauses.
  18. Speak loud and clear.
  19. Eye-contact is very important: scan the audience, focus on individuals
  20. Move, but avoid patterns
  21. Use gentle gestures
  22. Smile, show enthusiasm
  23. Channel your emotions
  24. The delivery of your presentation is important. Try to stick to the following structure:
  • State the purpose: “Today I’m here for…”
  • Executive summary: Say what you want to say and then say it
  • Describe situation (context)
  • State the problem
  • Give a solution
  • Call to action
  1. Show something to involve people. Especially in the beginning.  Personally, I usually show some printed copies of policies or guidelines just for drawing attention.
  2. Interact with the audience. Ask rhetorical questions
  3. Tell them a story. Everybody loves stories. Of course you have to stay formal but try to make the  audience see juicy pictures in their imagination. Airport stories are magical.
  4. When asked a question, always thank the person. Questions are about your topic – not about you personally. They simply indicate that your subject is very interesting. Take a good pause before answering – show them the question is important and you’re thinking – avoid interrupting
  5. After the presentation take a moment and write down what you think you did well and what should be improved.

Image courtesy of Chaiwat / FreeDigitalPhotos.net

Security in the SAP System Environment

ID-10024004

During a course called ADM960 at SAP, we covered numerous topics which included the fundamental concepts of authentication, encryption and network infrastructure, configuration of single sign-on, certificates-based authentication, system auditing in AS ABAP, AS Java, etc. Despite the fact that I haven’t had previous hands-on knowledge on SAP technologies and administration, I found the overall concepts pretty simple. My experience in security-related issues helped me out. All the exercises aided me in raising my awareness about security topics in SAP NetWeaver Application Server 7.00. I learned some basic transactions for password and roles auditing. I also found the configuration of SAProuter and trusted relationship to be somewhat interesting.

There are several things to remember:

  1. Pay attention to SAP standard users like “SAP*”. Remember that the configuration may differ depending on the system you’re using: ABAP or Java. This standard user always uses “pass” as the password. You have to clone that account and block the original one (remove all authorizations).
  2. Monitor services which you are actually using (including system services) and block all others.
  3. You can use the “se95” transaction to monitor changes.
  4. Use the “RSECNOTE” tool to check for critical security updates.
  5. For ABAP system monitoring use transaction “sm19” for audit configuration and “sm20” for log monitoring. For Java go to: SAP Netweaver Administration – System Management- Monitoring – Logs and Traces
  6. Use the “suim” transaction for users monitoring: authorizations, roles and account change control.
  7. Use the “rz20” transaction to access Alert monitor.

The “sa38” transaction is used to run reports.

For more information please refer to the original SAP Security Guidance

Image courtesy of jscreationzs / FreeDigitalPhotos.net

Information systems auditing

ID-10031899

Information systems audit do’s:

1. The main goal of an audit is not to find weak controls or policy violations, but to help a company mitigate its risks and achieve compliance.
2. Remember that an audit strengthens a discipline within a company.
3. An auditor is responsible for making sure that risks in weak areas don’t materialize, so he makes appropriate observations and comments.
4. Beware of flattery and concealment.
5. Replace opinions with facts and evidences.
6. Invest in improving communication skills.
7. When you finish interviewing someone, always give them a brief summary of the current situation (e.g. your observations: good and/or bad) if possible.
8. Do not add any photo/video materials or document copies to your final report.
9. Create good report templates in advance.

Information systems audit don’ts:

1. Don’t criticize.
2. Don’t argue.
3. Don’t use professional or specialized jargon.
4. Don’t say that you understand if you actually don’t.
5. Don’t try to guess.
6. Don’t use tests that can potentially cause incidents.
7. Don’t write only negative observations in your final report.

Image courtesy of Michal Marcol / FreeDigitalPhotos.net