SlideShare ist ein Scribd-Unternehmen logo
1 von 31
Downloaden Sie, um offline zu lesen
Treasury Institute for Higher Education
1
Monitoring threats for PCI Compliance
PCI DSS Workshop,
May 23, 2016
Step by step approach to evaluate threat
risk and mitigate
Introduction
2
About University of Alaska
America’s Arctic university – land sea and
space grant system. Geographically
distributed across three major campuses –
in Anchorage, Fairbanks and Juneau with 17
satellite campuses and 28 facilities. As of
2015, total enrollment is 32,000.
.
Speakers
Shiva Hullavarad
Manager of Compliance,
Information & Record Systems
University of Alaska System
P: 907-450-8074
Email: sshullavarad@alaska.edu
Raaj Kurapati
Associate Vice Chancellor for Financial
Service & Business Operations
University of Alaska Fairbanks
P: 907-474-7323
Email: rkurapati@alaska.edu
Arctic Circle 65th Parallel
Agenda
4
 Threats & Vulnerability – why & how does it matter?
 Types, Sources and Tools
 Risks of non-compliance
 PCI DSS 3.2
 New technology(s) and unknown threats
 5 basic steps for maintaining and achieving compliance
 Vulnerability Assessment and Pen Test (VAPT)
Available tools for VAPT
Q & A
Vulnerability Vs Threat
5
Vulnerability
Any flaw in the design, implementation or administration of
a system that provides a mechanism for a threat to exploit
the weakness of a system or process
They are weaknesses in networked environments, web
applications and physical premises
Threat
Any person, circumstance or event that has the potential to
cause damage to an organizational asset or business
function
Advanced Persistent Threat
6
“An adversary that possesses sophisticated levels of expertise and
significant resources which allow it to create opportunities to achieve
its objectives by using multiple attack vectors (e.g., cyber, physical,
and deception).”
“ These objectives typically include establishing and
extending footholds within the information technology infrastructure of
the targeted organizations for purposes of exfiltrating information,
undermining or impeding critical aspects of a mission, program, or
organization; or positioning itself to carry out these objectives in the
future.” ---- NIST
H Hacker
7
 pursues its objectives repeatedly over an extended
period of time
 adapts to defenders’ efforts to resist it
 targetetted approach
 is determined to maintain the level of interaction needed
to execute its objectives
Advanced Persistent Threat
8
Threat landscape – Moving target!!
All entry points need to be secured from hackers:
Wi-Fi, security cameras, wireless credit card processors, digital menu boards and more interface to networks via IP addresses
1980s
1ST GEN
• Boot viruses
2ND GEN
• Macro viruses
• Email
• DoS
• Limited hacking
3RD GEN
• Network DoS
• Blended threat
(worm + virus+
trojan)
• Turbo worms
• Widespread
system hacking
NEXT GEN
• Infrastructure
hacking
• Flash threats
• Massive worm
driven
• DDoS
• Damaging
payload viruses
and worms
1990s Yesterday Today
WEEKS
DAYS
MINUTES
SECONDS
Individual
Computer
Individual
Networks
Multiple
Networks
Regional
Networks
Global
Infrastructure
Impact
Target and Scope
of Damage
 Bring Your Own Device: Personnel Vs Professional usage
 Web Exploits: Cross-site scripting /SQL injection
 Botnets: Updating and modification
 Data loss: Student, finance, health, IP – data theft
 Big Data: Ability to gather & store data equals greater
liability
 Targeted and Persistent attacks
 Sponsored cyber operations: Attacks, espionage
9
Threats follow technology trends
Threat – Detect, Response and Recovery
10
Source: Cisco Threat Report
11
12
PCI DSS 3.2 - Threat is the main driver
13
 Changing payment and threat environment
 Breach reports and compromise trends
 Feedback from industry
6Control
Objectives
6Control Objectives
12Core
Requirements290+Audit
Procedures
Key changes
 Multi factor authentication for admins (8.3.1)
 5 new sub requirements for service providers (3,10,11,12)
 2 new appendices
SSL/TLS migration deadline
Designated entities supplemental validation
Threat flow landscape
14
15
Retail Chain CC Data Security BreachResearchers view
Source : krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/.
Vulnerability Management Lifecycle
16
 Business unit
 IT Security
 Compliance
 Legal
 Risk Services
Source: FoundStone
17
Vulnerability management approaches
 Focus on 5 key areas:
 Prioritize Assets
 Assess threats
 Quantify Risk Level (assets, threats, vulnerabilities)
 Remediate Vulnerabilities
 Measure
18
Step 1:Prioritize Assets (Policy, Inventory & Prioritize)
 Identify assets by:
 Networks
 Logical groupings of devices
 Connectivity - None, LAN, broadband, wireless
 Network Devices
 Wireless access points, routers, switches
 Operating System
 Windows, Unix
 Applications
 IIS, Apache, SQL Server
 Versions
 IIS 5.0, Apache 1.3.12, SQL Server V.7
Step 1: Continued…
19
 Network-based discovery
 Known and “unknown” devices
 Determine network-based applications
 Excellent scalability
 Agent-based discovery
 In-depth review of the applications and patch levels
 Deployment disadvantages
 Network- and agent-based discovery techniques are optimal
 Agents - Cover what you already know in great detail
 Network - Identify rogue or new devices
 Frequency
 Continuous, daily, weekly
 Depends on the asset
20
Step 2:Assess threats – Goal: Protect most critical assets
 Threat and vulnerability data have varied priority
 Identify threats
 Worms
 Exploits
 Wide-scale attacks
 New vulnerabilities
 Correlate with your most critical assets
 Result = Prioritization of vulnerabilities within your
environment
21
Step 3: Quantify Risk Level - (AVT)
 The product of:
 Assets
 Vulnerabilities
 Threats
 Based upon the criticality of AVT
 Focus your resources on the true risk
22
Step 4: Remediate Vulnerabilities
Patch or Mitigate
Impact on availability from a bad patch vs. the risk of not
patching
Patch or mitigate
Recommendations:
QA security patches 24 hours
Determine if there are wide spread problems
Implement defense-in-depth
23
Step 5: Measure
 Current state of security metrics
 Future Look:
 Common nomenclature
 Dashboard view of risk and vulnerabilities across
disparate organizations
 Technologies that will help answer the questions:
 How am I trending over time?
 How do I compare to my peers?
 How do I compare outside my industry?
24
Assess Compliance
 PCI DSS – Current standard
 Assess the environment for the qualifying SAQ
 Develop reports
 Training
 Upgrade
25
10 Steps to Effective Threat Management
1. Identify all the assets in your purview
2. Create an Asset Criticality Profile (ACP)
3. Determine exposures and vulnerabilities
4. Track relevant threats – realized and unrealized
5. Determine Risk - product of Assets x Vulnerabilities x Threats
6. Take corrective action if risk > cost to eliminate or mitigate
7. Create meaningful metrics and hold people accountable
8. Identify and address compliance gaps
9. Implement an automated vulnerability management system
10.Convince someone with a budget that vulnerability management is
important
Vulnerability Assessment and Penetration
Testing (VAPT)
26
 Vulnerability assessment is the process of scanning
the system or software or a network to find out the
weakness and loophole in that.
 Vulnerability types
 Access control,
 Boundary condition,
 Input validation,
 Authentication,
 Configuration Weakness,
 Exception Handling etc.
VAPT continued…
 Penetration testing is the next step after
vulnerability assessment.
 Penetration testing is to try to exploit the system in
authorized manner to find out the possible exploits
in the system.
 In penetration testing, the tester (QSA) intently
exploits the system and find out possible exploits.
27
VAPT – 8 Step process
28
1 • Scope
2 • Reconnaissance
3 • Vulnerability detection
4 • Information analysis and planning
5 • Penetration testing
6 • Privilege escalation
7 • Result analysis
8 • Reporting
VAPT – Top15 Tools (OpenSource &
Proprietary)
29
# Name License Type Operating
System
1 Metasploit Proprietary Vulnerability scanner and exploit Cross-platform
2 Nessus Proprietary Vulnerability scanner Cross-platform
3 Kali Linux GPL Collection of various tools Linux
4 Burp Suite Proprietary Web vulnerability scanner Cross-platform
5 w3af GPL Web vulnerability scanner Cross-platform
6 OpenVAS GPL Vulnerability scanner Cross-platform
7 Paros proxy GPL Web vulnerability scanner Cross-platform
8 Core Impact Proprietary Vulnerability scanner and exploit Windows
9 Nexpose Proprietary Entire vulnerability management lifecycle Linux, Windows
10 GFI LanGuard Proprietary Vulnerability scanner Windows
11 Acunetix WVS Proprietary Web vulnerability scanner Windows
12 QualysGuard Proprietary Vulnerability scanner Cross-platform
13 MBSA Freeware Vulnerability scanner Windows
14 AppScan Proprietary Web vulnerability scanner Windows
15 Canvas Proprietary Vulnerability scanner and exploit Cross-platform
30
Summary and Conclusions
 Threats of data compromise are dynamic and global
in scope
 Assess the risk, vulnerability and threat – develop
the risk tolerance model
 Have risk mitigation plan in place
 Vulnerability is more of a reputational risk to the
institution than the financial threat
 PCI DSS is an effective tool to ensure minimal risk
31

Weitere ähnliche Inhalte

Was ist angesagt?

Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscapeyohansurya2
 
Advanced Endpoint Protection
Advanced Endpoint ProtectionAdvanced Endpoint Protection
Advanced Endpoint ProtectionMustafa YÜKSEL
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
A Comparative Study between Vulnerability Assessment and Penetration Testing
A Comparative Study between Vulnerability Assessment and Penetration TestingA Comparative Study between Vulnerability Assessment and Penetration Testing
A Comparative Study between Vulnerability Assessment and Penetration TestingYogeshIJTSRD
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceTom K
 
Vulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comVulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comAlexander Leonov
 
Understanding Application Threat Modelling & Architecture
 Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Advanced Threat Defense Intel Security
Advanced Threat Defense  Intel SecurityAdvanced Threat Defense  Intel Security
Advanced Threat Defense Intel Securityxband
 
Threats, Threat Modeling and Analysis
Threats, Threat Modeling and AnalysisThreats, Threat Modeling and Analysis
Threats, Threat Modeling and AnalysisIan G
 
What is Next-Generation Antivirus?
What is Next-Generation Antivirus?What is Next-Generation Antivirus?
What is Next-Generation Antivirus?Ryan G. Murphy
 
CIO Review 2016-AUG SentinelOne
CIO Review 2016-AUG SentinelOneCIO Review 2016-AUG SentinelOne
CIO Review 2016-AUG SentinelOneSean Roth
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverAlienVault
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scaleEoin Keary
 
Secure by design and secure software development
Secure by design and secure software developmentSecure by design and secure software development
Secure by design and secure software developmentBill Ross
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chainSymantec Brasil
 
Security Implications of the Cloud - CSS ATX 2017
Security Implications of the Cloud - CSS ATX 2017Security Implications of the Cloud - CSS ATX 2017
Security Implications of the Cloud - CSS ATX 2017Alert Logic
 

Was ist angesagt? (18)

Malware detection
Malware detectionMalware detection
Malware detection
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscape
 
Advanced Endpoint Protection
Advanced Endpoint ProtectionAdvanced Endpoint Protection
Advanced Endpoint Protection
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat Modeling
 
A Comparative Study between Vulnerability Assessment and Penetration Testing
A Comparative Study between Vulnerability Assessment and Penetration TestingA Comparative Study between Vulnerability Assessment and Penetration Testing
A Comparative Study between Vulnerability Assessment and Penetration Testing
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General Audience
 
Vulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comVulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.com
 
Understanding Application Threat Modelling & Architecture
 Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 
Advanced Threat Defense Intel Security
Advanced Threat Defense  Intel SecurityAdvanced Threat Defense  Intel Security
Advanced Threat Defense Intel Security
 
Threats, Threat Modeling and Analysis
Threats, Threat Modeling and AnalysisThreats, Threat Modeling and Analysis
Threats, Threat Modeling and Analysis
 
What is Next-Generation Antivirus?
What is Next-Generation Antivirus?What is Next-Generation Antivirus?
What is Next-Generation Antivirus?
 
CIO Review 2016-AUG SentinelOne
CIO Review 2016-AUG SentinelOneCIO Review 2016-AUG SentinelOne
CIO Review 2016-AUG SentinelOne
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scale
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Secure by design and secure software development
Secure by design and secure software developmentSecure by design and secure software development
Secure by design and secure software development
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chain
 
Security Implications of the Cloud - CSS ATX 2017
Security Implications of the Cloud - CSS ATX 2017Security Implications of the Cloud - CSS ATX 2017
Security Implications of the Cloud - CSS ATX 2017
 

Andere mochten auch

Nadeem Khan Resume
Nadeem Khan ResumeNadeem Khan Resume
Nadeem Khan ResumeNady Khan
 
como influye la television en las emosiones y en la educacion en los niños de...
como influye la television en las emosiones y en la educacion en los niños de...como influye la television en las emosiones y en la educacion en los niños de...
como influye la television en las emosiones y en la educacion en los niños de...Angeles Pool
 
Making an Efficient Generic Paid Search Strategy - 7thingsmedia - Figaro Sear...
Making an Efficient Generic Paid Search Strategy - 7thingsmedia - Figaro Sear...Making an Efficient Generic Paid Search Strategy - 7thingsmedia - Figaro Sear...
Making an Efficient Generic Paid Search Strategy - 7thingsmedia - Figaro Sear...7thingsmedia
 
Prontuario adquisicion de la lengua 3er grado
Prontuario adquisicion de la lengua 3er gradoProntuario adquisicion de la lengua 3er grado
Prontuario adquisicion de la lengua 3er gradoVimarie Negrón
 
Cuestionamientos sobre los elementos de una investigación
Cuestionamientos sobre los elementos de una investigaciónCuestionamientos sobre los elementos de una investigación
Cuestionamientos sobre los elementos de una investigaciónSkepper63
 
Recommendation Letter-Pastor Kyle Mullett 11-12-15
Recommendation Letter-Pastor Kyle Mullett 11-12-15Recommendation Letter-Pastor Kyle Mullett 11-12-15
Recommendation Letter-Pastor Kyle Mullett 11-12-15Susan Dyer Layer
 
Capital budgeting
Capital budgetingCapital budgeting
Capital budgetingankyta89
 

Andere mochten auch (12)

Nadeem Khan Resume
Nadeem Khan ResumeNadeem Khan Resume
Nadeem Khan Resume
 
Avtividad final 2
Avtividad final 2Avtividad final 2
Avtividad final 2
 
Networking During the Holidays
Networking During the HolidaysNetworking During the Holidays
Networking During the Holidays
 
Planilla 1er cuatrimestre
Planilla 1er cuatrimestrePlanilla 1er cuatrimestre
Planilla 1er cuatrimestre
 
como influye la television en las emosiones y en la educacion en los niños de...
como influye la television en las emosiones y en la educacion en los niños de...como influye la television en las emosiones y en la educacion en los niños de...
como influye la television en las emosiones y en la educacion en los niños de...
 
Making an Efficient Generic Paid Search Strategy - 7thingsmedia - Figaro Sear...
Making an Efficient Generic Paid Search Strategy - 7thingsmedia - Figaro Sear...Making an Efficient Generic Paid Search Strategy - 7thingsmedia - Figaro Sear...
Making an Efficient Generic Paid Search Strategy - 7thingsmedia - Figaro Sear...
 
Prontuario adquisicion de la lengua 3er grado
Prontuario adquisicion de la lengua 3er gradoProntuario adquisicion de la lengua 3er grado
Prontuario adquisicion de la lengua 3er grado
 
Cuestionamientos sobre los elementos de una investigación
Cuestionamientos sobre los elementos de una investigaciónCuestionamientos sobre los elementos de una investigación
Cuestionamientos sobre los elementos de una investigación
 
Recommendation Letter-Pastor Kyle Mullett 11-12-15
Recommendation Letter-Pastor Kyle Mullett 11-12-15Recommendation Letter-Pastor Kyle Mullett 11-12-15
Recommendation Letter-Pastor Kyle Mullett 11-12-15
 
Tp (apartment)
Tp (apartment)Tp (apartment)
Tp (apartment)
 
Proyecto de Humanidades
Proyecto de HumanidadesProyecto de Humanidades
Proyecto de Humanidades
 
Capital budgeting
Capital budgetingCapital budgeting
Capital budgeting
 

Ähnlich wie Monitoring threats for pci compliance

USPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementUSPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementJim Piechocki
 
Vulnerability Assesment
Vulnerability AssesmentVulnerability Assesment
Vulnerability AssesmentDedi Dwianto
 
Fendley how secure is your e learning
Fendley how secure is your e learningFendley how secure is your e learning
Fendley how secure is your e learningBryan Fendley
 
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...Shakeel Ali
 
Software design Project Presentation-1.pptx
Software design Project Presentation-1.pptxSoftware design Project Presentation-1.pptx
Software design Project Presentation-1.pptxkrthkkholi
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMAlienVault
 
Introduction to PolySwarm
Introduction to PolySwarmIntroduction to PolySwarm
Introduction to PolySwarmBlakeReyes
 
Introduction to PolySwarm
Introduction to PolySwarmIntroduction to PolySwarm
Introduction to PolySwarmPolySwarm
 
Tech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingTech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingInvincea, Inc.
 
RADAR - Le nouveau scanner de vulnérabilité par F-Secure
RADAR - Le nouveau scanner de vulnérabilité par F-SecureRADAR - Le nouveau scanner de vulnérabilité par F-Secure
RADAR - Le nouveau scanner de vulnérabilité par F-SecureNRC
 
325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-SessionRyan Faircloth
 
A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesRyan Faircloth
 
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...James Anderson
 
IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical ApproachIRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical ApproachIRJET Journal
 
Enterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A BossEnterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A Bossrbrockway
 
Marlabs cyber threat management
Marlabs cyber threat managementMarlabs cyber threat management
Marlabs cyber threat managementRajendra Menon
 
edgescan vulnerability stats report (2018)
 edgescan vulnerability stats report (2018)  edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) Eoin Keary
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 

Ähnlich wie Monitoring threats for pci compliance (20)

USPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementUSPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability Management
 
NSA and PT
NSA and PTNSA and PT
NSA and PT
 
Vulnerability Assesment
Vulnerability AssesmentVulnerability Assesment
Vulnerability Assesment
 
Fendley how secure is your e learning
Fendley how secure is your e learningFendley how secure is your e learning
Fendley how secure is your e learning
 
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
 
Software design Project Presentation-1.pptx
Software design Project Presentation-1.pptxSoftware design Project Presentation-1.pptx
Software design Project Presentation-1.pptx
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
 
Introduction to PolySwarm
Introduction to PolySwarmIntroduction to PolySwarm
Introduction to PolySwarm
 
Introduction to PolySwarm
Introduction to PolySwarmIntroduction to PolySwarm
Introduction to PolySwarm
 
NetWitness
NetWitnessNetWitness
NetWitness
 
Tech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingTech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs Whitelisting
 
RADAR - Le nouveau scanner de vulnérabilité par F-Secure
RADAR - Le nouveau scanner de vulnérabilité par F-SecureRADAR - Le nouveau scanner de vulnérabilité par F-Secure
RADAR - Le nouveau scanner de vulnérabilité par F-Secure
 
325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session
 
A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use Cases
 
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
 
IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical ApproachIRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
 
Enterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A BossEnterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A Boss
 
Marlabs cyber threat management
Marlabs cyber threat managementMarlabs cyber threat management
Marlabs cyber threat management
 
edgescan vulnerability stats report (2018)
 edgescan vulnerability stats report (2018)  edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018)
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 

Mehr von Shiva Hullavarad

Leveraging shared IT and Business resources to maintain PCI compliance
Leveraging shared IT and Business resources to maintain PCI complianceLeveraging shared IT and Business resources to maintain PCI compliance
Leveraging shared IT and Business resources to maintain PCI complianceShiva Hullavarad
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci complianceShiva Hullavarad
 
Taming Information - InfoManagement2015
Taming Information - InfoManagement2015Taming Information - InfoManagement2015
Taming Information - InfoManagement2015Shiva Hullavarad
 
DigitalSignature Internal Auditor April2015
DigitalSignature Internal Auditor April2015DigitalSignature Internal Auditor April2015
DigitalSignature Internal Auditor April2015Shiva Hullavarad
 
Enterprise Content Management - Implementation Strategy
Enterprise Content Management - Implementation StrategyEnterprise Content Management - Implementation Strategy
Enterprise Content Management - Implementation StrategyShiva Hullavarad
 

Mehr von Shiva Hullavarad (7)

Leveraging shared IT and Business resources to maintain PCI compliance
Leveraging shared IT and Business resources to maintain PCI complianceLeveraging shared IT and Business resources to maintain PCI compliance
Leveraging shared IT and Business resources to maintain PCI compliance
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci compliance
 
Taming Information - InfoManagement2015
Taming Information - InfoManagement2015Taming Information - InfoManagement2015
Taming Information - InfoManagement2015
 
DigitalSignature Internal Auditor April2015
DigitalSignature Internal Auditor April2015DigitalSignature Internal Auditor April2015
DigitalSignature Internal Auditor April2015
 
Enterprise Content Management - Implementation Strategy
Enterprise Content Management - Implementation StrategyEnterprise Content Management - Implementation Strategy
Enterprise Content Management - Implementation Strategy
 
Ecm presentation \
Ecm presentation \Ecm presentation \
Ecm presentation \
 
ECM-article 2015
ECM-article 2015ECM-article 2015
ECM-article 2015
 

Kürzlich hochgeladen

Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Juan Carlos Gonzalez
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimizationarrow10202532yuvraj
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
The Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementNuwan Dias
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...Daniel Zivkovic
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5DianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 

Kürzlich hochgeladen (20)

Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
The Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API Management
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 

Monitoring threats for pci compliance

  • 1. Treasury Institute for Higher Education 1 Monitoring threats for PCI Compliance PCI DSS Workshop, May 23, 2016 Step by step approach to evaluate threat risk and mitigate
  • 2. Introduction 2 About University of Alaska America’s Arctic university – land sea and space grant system. Geographically distributed across three major campuses – in Anchorage, Fairbanks and Juneau with 17 satellite campuses and 28 facilities. As of 2015, total enrollment is 32,000. . Speakers Shiva Hullavarad Manager of Compliance, Information & Record Systems University of Alaska System P: 907-450-8074 Email: sshullavarad@alaska.edu Raaj Kurapati Associate Vice Chancellor for Financial Service & Business Operations University of Alaska Fairbanks P: 907-474-7323 Email: rkurapati@alaska.edu
  • 4. Agenda 4  Threats & Vulnerability – why & how does it matter?  Types, Sources and Tools  Risks of non-compliance  PCI DSS 3.2  New technology(s) and unknown threats  5 basic steps for maintaining and achieving compliance  Vulnerability Assessment and Pen Test (VAPT) Available tools for VAPT Q & A
  • 5. Vulnerability Vs Threat 5 Vulnerability Any flaw in the design, implementation or administration of a system that provides a mechanism for a threat to exploit the weakness of a system or process They are weaknesses in networked environments, web applications and physical premises Threat Any person, circumstance or event that has the potential to cause damage to an organizational asset or business function
  • 6. Advanced Persistent Threat 6 “An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception).” “ These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future.” ---- NIST H Hacker
  • 7. 7  pursues its objectives repeatedly over an extended period of time  adapts to defenders’ efforts to resist it  targetetted approach  is determined to maintain the level of interaction needed to execute its objectives Advanced Persistent Threat
  • 8. 8 Threat landscape – Moving target!! All entry points need to be secured from hackers: Wi-Fi, security cameras, wireless credit card processors, digital menu boards and more interface to networks via IP addresses 1980s 1ST GEN • Boot viruses 2ND GEN • Macro viruses • Email • DoS • Limited hacking 3RD GEN • Network DoS • Blended threat (worm + virus+ trojan) • Turbo worms • Widespread system hacking NEXT GEN • Infrastructure hacking • Flash threats • Massive worm driven • DDoS • Damaging payload viruses and worms 1990s Yesterday Today WEEKS DAYS MINUTES SECONDS Individual Computer Individual Networks Multiple Networks Regional Networks Global Infrastructure Impact Target and Scope of Damage
  • 9.  Bring Your Own Device: Personnel Vs Professional usage  Web Exploits: Cross-site scripting /SQL injection  Botnets: Updating and modification  Data loss: Student, finance, health, IP – data theft  Big Data: Ability to gather & store data equals greater liability  Targeted and Persistent attacks  Sponsored cyber operations: Attacks, espionage 9 Threats follow technology trends
  • 10. Threat – Detect, Response and Recovery 10 Source: Cisco Threat Report
  • 11. 11
  • 12. 12
  • 13. PCI DSS 3.2 - Threat is the main driver 13  Changing payment and threat environment  Breach reports and compromise trends  Feedback from industry 6Control Objectives 6Control Objectives 12Core Requirements290+Audit Procedures Key changes  Multi factor authentication for admins (8.3.1)  5 new sub requirements for service providers (3,10,11,12)  2 new appendices SSL/TLS migration deadline Designated entities supplemental validation
  • 15. 15 Retail Chain CC Data Security BreachResearchers view Source : krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/.
  • 16. Vulnerability Management Lifecycle 16  Business unit  IT Security  Compliance  Legal  Risk Services Source: FoundStone
  • 17. 17 Vulnerability management approaches  Focus on 5 key areas:  Prioritize Assets  Assess threats  Quantify Risk Level (assets, threats, vulnerabilities)  Remediate Vulnerabilities  Measure
  • 18. 18 Step 1:Prioritize Assets (Policy, Inventory & Prioritize)  Identify assets by:  Networks  Logical groupings of devices  Connectivity - None, LAN, broadband, wireless  Network Devices  Wireless access points, routers, switches  Operating System  Windows, Unix  Applications  IIS, Apache, SQL Server  Versions  IIS 5.0, Apache 1.3.12, SQL Server V.7
  • 19. Step 1: Continued… 19  Network-based discovery  Known and “unknown” devices  Determine network-based applications  Excellent scalability  Agent-based discovery  In-depth review of the applications and patch levels  Deployment disadvantages  Network- and agent-based discovery techniques are optimal  Agents - Cover what you already know in great detail  Network - Identify rogue or new devices  Frequency  Continuous, daily, weekly  Depends on the asset
  • 20. 20 Step 2:Assess threats – Goal: Protect most critical assets  Threat and vulnerability data have varied priority  Identify threats  Worms  Exploits  Wide-scale attacks  New vulnerabilities  Correlate with your most critical assets  Result = Prioritization of vulnerabilities within your environment
  • 21. 21 Step 3: Quantify Risk Level - (AVT)  The product of:  Assets  Vulnerabilities  Threats  Based upon the criticality of AVT  Focus your resources on the true risk
  • 22. 22 Step 4: Remediate Vulnerabilities Patch or Mitigate Impact on availability from a bad patch vs. the risk of not patching Patch or mitigate Recommendations: QA security patches 24 hours Determine if there are wide spread problems Implement defense-in-depth
  • 23. 23 Step 5: Measure  Current state of security metrics  Future Look:  Common nomenclature  Dashboard view of risk and vulnerabilities across disparate organizations  Technologies that will help answer the questions:  How am I trending over time?  How do I compare to my peers?  How do I compare outside my industry?
  • 24. 24 Assess Compliance  PCI DSS – Current standard  Assess the environment for the qualifying SAQ  Develop reports  Training  Upgrade
  • 25. 25 10 Steps to Effective Threat Management 1. Identify all the assets in your purview 2. Create an Asset Criticality Profile (ACP) 3. Determine exposures and vulnerabilities 4. Track relevant threats – realized and unrealized 5. Determine Risk - product of Assets x Vulnerabilities x Threats 6. Take corrective action if risk > cost to eliminate or mitigate 7. Create meaningful metrics and hold people accountable 8. Identify and address compliance gaps 9. Implement an automated vulnerability management system 10.Convince someone with a budget that vulnerability management is important
  • 26. Vulnerability Assessment and Penetration Testing (VAPT) 26  Vulnerability assessment is the process of scanning the system or software or a network to find out the weakness and loophole in that.  Vulnerability types  Access control,  Boundary condition,  Input validation,  Authentication,  Configuration Weakness,  Exception Handling etc.
  • 27. VAPT continued…  Penetration testing is the next step after vulnerability assessment.  Penetration testing is to try to exploit the system in authorized manner to find out the possible exploits in the system.  In penetration testing, the tester (QSA) intently exploits the system and find out possible exploits. 27
  • 28. VAPT – 8 Step process 28 1 • Scope 2 • Reconnaissance 3 • Vulnerability detection 4 • Information analysis and planning 5 • Penetration testing 6 • Privilege escalation 7 • Result analysis 8 • Reporting
  • 29. VAPT – Top15 Tools (OpenSource & Proprietary) 29 # Name License Type Operating System 1 Metasploit Proprietary Vulnerability scanner and exploit Cross-platform 2 Nessus Proprietary Vulnerability scanner Cross-platform 3 Kali Linux GPL Collection of various tools Linux 4 Burp Suite Proprietary Web vulnerability scanner Cross-platform 5 w3af GPL Web vulnerability scanner Cross-platform 6 OpenVAS GPL Vulnerability scanner Cross-platform 7 Paros proxy GPL Web vulnerability scanner Cross-platform 8 Core Impact Proprietary Vulnerability scanner and exploit Windows 9 Nexpose Proprietary Entire vulnerability management lifecycle Linux, Windows 10 GFI LanGuard Proprietary Vulnerability scanner Windows 11 Acunetix WVS Proprietary Web vulnerability scanner Windows 12 QualysGuard Proprietary Vulnerability scanner Cross-platform 13 MBSA Freeware Vulnerability scanner Windows 14 AppScan Proprietary Web vulnerability scanner Windows 15 Canvas Proprietary Vulnerability scanner and exploit Cross-platform
  • 30. 30
  • 31. Summary and Conclusions  Threats of data compromise are dynamic and global in scope  Assess the risk, vulnerability and threat – develop the risk tolerance model  Have risk mitigation plan in place  Vulnerability is more of a reputational risk to the institution than the financial threat  PCI DSS is an effective tool to ensure minimal risk 31