Downloaden Sie, um offline zu lesen
Hochgeladen vonWolfgang Kandek
Anatomie eines Angriffs
Das Dokument behandelt die Anatomie von Cyberangriffen, basierend auf dem Verizon Data Breach Investigation Report 2015, der zeigt, dass über 99% der Schwachstellen älter als ein Jahr sind und viele Angriffe durch Malware und Phishing-E-Mails initiiert werden. Es wird auf verschiedene Fallbeispiele eingegangen, in denen Mitarbeiter durch das Öffnen von infizierten Word-Dateien betroffen sind. Abschließend werden Empfehlungen zur Patch-Verwaltung und Härtung von Systemen gegeben, um Sicherheitsrisiken zu minimieren.
Anatomie eines Angriffs
- 1. Die Anatomie einesAngriffs Wolfgang Kandek, Qualys wkandek@qualys.com @wkandek 23. September 2015 Hamburg
- 2. Verizon Data BreachInvestigation Report
- 3. Verizon Data BreachInvestigation Report
- 4. Verizon Data BreachInvestigation Report
- 5. Verizon Data BreachInvestigation Report
- 6.
- 7. 2122 Data Breaches Finanzdaten,Produktdaten, Persönliche Daten, Benutzernamen/Passwörter
- 8.
- 9. > 99% über1 Jahr alt
- 10.
- 11. Aber 40 in2014
- 12. Aber 40 in2014 Und 50% innerhalb von 2 Wochen
- 13.
- 14. Malware auf dem Computer Exploit für bekannte Schwachstelle Geziehlte E-mail Spear Phishing Profilauf Social Media Exploit für 0-day Schwachstelle Bekannter Worm/Virus Infizierter USB Drive Betroffene Computer finden Command and Control Benutzer- namen/ Passwörter Daten Verlust Marke Finanz Sonstige
- 15.
- 16. 1. CTO (punkfan), ticket punk rock show, öffnet Word Datei, Script funktioniert nicht 2. Angestellter, Stellenangebot, öffnet Word Datei, Script funktioniert 3. COO (Griechenlandspezialist), Journalist, Zeitungsartikel, keine Zeit/Interesse 4. Angestellter, Informationsgesuch über privates Projekt, Word Datei nicht geöffnet 5. Angestellter, Informationen über eine Anstellung, Word Datei geöffnet, infiziert, aber nicht die nötigen Zugriffsrechte 6. Systemverwalter, Angebot einer Mitgliedschaft, Word Datei geöffnet, Script funktioniert, infiziert...
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 23.
- 24.
- 25.
- 26.
- 27.
- 28.
- 29.
- 30.
- 31. Referenzen • Mr Robot– bei iTunes und Amazon https://de.wikipedia.org/wiki/Mr._Robot(Fernsehserie) • Verizon DBIR 2015 http://www.verizonenterprise.com/DBIR/ • Chevron https://www.rsaconference.com/events/us15/agenda/sessions/1983/ building-a-next-generation-security-architecture • BSI https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikatio nen/Lageberichte/Lagebericht2014.pdf • Härten https://www.virusbtn.com/pdf/conference_slides/2013/Niemela- VB2013.pdf
Hinweis der Redaktion
- #3 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #4 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #5 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #6 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #7 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #8 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #9 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #10 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #11 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #12 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #13 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #14 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #15 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #16 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #17 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #18 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #19 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #20 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #21 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #22 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #23 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #24 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #25 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #26 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #27 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #28 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #29 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
- #30 PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission For SSL implementations: - Verify that the server supports the latest patched versions. - Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). - Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.