Upload File

pci: compromising controls and compromising …...security", and that has an effect on...

  • Home
  • Documents
  • PCI: Compromising Controls and Compromising …...security", and that has an effect on everyone, hacker, defender, attacker, and innocent bystander. One result is that companies fear
14
PCI: Compromising Controls and Compromising Security

Upload: others

Post on 17-Jul-2020

0 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: PCI: Compromising Controls and Compromising …...security", and that has an effect on everyone, hacker, defender, attacker, and innocent bystander. One result is that companies fear

PCI: Compromising Controls

and Compromising Security

Page 2: PCI: Compromising Controls and Compromising …...security", and that has an effect on everyone, hacker, defender, attacker, and innocent bystander. One result is that companies fear

PCI? At DefCon?

Compliance is changing the way companies "do security", and that has an effect on everyone, hacker, defender, attacker, and innocent bystander.

One result is that companies fear QSAs more than 0-days.

Page 3: PCI: Compromising Controls and Compromising …...security", and that has an effect on everyone, hacker, defender, attacker, and innocent bystander. One result is that companies fear

Who are we?

• James Arlen, aka Myrcurial

• Anton Chuvakin

• Joshua Corman

• Jack Daniel

• Alex Hutton

• Martin McKeay

• Dave Shackleford

Page 4: PCI: Compromising Controls and Compromising …...security", and that has an effect on everyone, hacker, defender, attacker, and innocent bystander. One result is that companies fear

Usual disclaimers

• We do not speak for our employers, clients or customers. Nor for our spouses, siblings, or offspring. But my dog will back me up.

• Our opinions are our own, the facts are as we see them.

• We aren’t lawyers…etc.

• These QSAs are not your QSAs.

Page 5: PCI: Compromising Controls and Compromising …...security", and that has an effect on everyone, hacker, defender, attacker, and innocent bystander. One result is that companies fear

PCI. Discuss.

• PCI vs. Security. Is it really “vs.” security?

• PCI hampers the advanced. Right? Really?

• At least it is timely. And the three years cycle insures that.

• PCI has an impact on ALL of us, even if not under the heel of its hobnail boot. Or does it?

Page 6: PCI: Compromising Controls and Compromising …...security", and that has an effect on everyone, hacker, defender, attacker, and innocent bystander. One result is that companies fear

Obligatory Bell Curve Slide

Page 7: PCI: Compromising Controls and Compromising …...security", and that has an effect on everyone, hacker, defender, attacker, and innocent bystander. One result is that companies fear

More accurate curves

Page 8: PCI: Compromising Controls and Compromising …...security", and that has an effect on everyone, hacker, defender, attacker, and innocent bystander. One result is that companies fear

With pictures, even.

Page 9: PCI: Compromising Controls and Compromising …...security", and that has an effect on everyone, hacker, defender, attacker, and innocent bystander. One result is that companies fear

Zombie resistant housing?

Page 10: PCI: Compromising Controls and Compromising …...security", and that has an effect on everyone, hacker, defender, attacker, and innocent bystander. One result is that companies fear

PCI and metrics.

• PCI could provide some very useful data about security postures, exposures, breaches, and all kinds of cools stuff.

• Could.

• Does it?

• Should it?

Page 11: PCI: Compromising Controls and Compromising …...security", and that has an effect on everyone, hacker, defender, attacker, and innocent bystander. One result is that companies fear

Moving forward

• How do we move forward?

• Who do we have to convince?

• What moves them?

Page 12: PCI: Compromising Controls and Compromising …...security", and that has an effect on everyone, hacker, defender, attacker, and innocent bystander. One result is that companies fear

Previous conversations

CSO Online Debate Part 1 of 2:

http://www.csoonline.com/podcast/513988/The_Great_PCI_Security_Debate_of_2010_Part_1

Network Security Podcast Part 2 of 2:

http://netsecpodcast.com/?p=391

Southern Fried Security Podcast – Special Episode:

http://www.southernfriedsecurity.com/episodes-0-9/special-episode---interview-with-josh-corman

ShmooCon 2010

http://www.shmoocon.org/2010/videos/PCI-Panel.flv

BSidesSF Panel Video

http://www.ustream.tv/recorded/5164678 (pt 1)

http://www.ustream.tv/recorded/5165234 (pt 2)

Page 13: PCI: Compromising Controls and Compromising …...security", and that has an effect on everyone, hacker, defender, attacker, and innocent bystander. One result is that companies fear

Contact us

• James Arlen @myrcurial

• Anton Chuvakin @anton_chuvakin

• Joshua Corman @joshcorman

• Jack Daniel @jack_daniel

• Alex Hutton @alexhutton

• Martin McKeay @mckeay

• Dave Shackleford @daveshackleford

Page 14: PCI: Compromising Controls and Compromising …...security", and that has an effect on everyone, hacker, defender, attacker, and innocent bystander. One result is that companies fear

Thank you

Please continue the conversation, learn, engage, act.

Compliance, and specifically PCI, is poised to steal security from those of us who care about it.


Understanding Bystander Involvement

The Bystander Borderline

Attacker Math

SSON - bystanderrevolution.com · W.3, W.4 Bystander Effect This lesson outlines one simple way to integrate the Bystander Revolution Bystander Effect video playlist and discussion

State Bystander Responsibility

DC HeroClix Bystander Tokens

Compromising Building

Compromising Theories

The Bystander-Effect: A Meta-Analytic Review on Bystander

Session One Introducing the Bystander

Emergency Situations: Bystander Behaviour (handout)

Bullying: Don't Be a Bystander

Compromising Electromagnetic Emanations of Wired … · Compromising Electromagnetic Emanations of Wired and Wireless Keyboards ... Compromising electromagnetic emanations of serial-

31 Days of Bystander Intervention

Radiation induced bystander effect

The Bystander-Effect: A Meta-Analytic Review on Bystander ... · The Bystander-Effect: A Meta-Analytic Review on Bystander Intervention in Dangerous and Non-Dangerous Emergencies

Best Practices Guide - Netwrix · Next, since compromising a user’s identity is one of the most common ways for an attacker to get into your network, you need to find all accounts

Young children show the bystander effect in helping situations · Young children show the bystander effect in helping situations ... Young children show the bystander effect in helping

Bystander effect in Psychology

Rising 8th Grade Summer Reading Assignment- Bystander by ... · PDF fileRising 8th Grade Summer Reading Assignment- Bystander by James Preller 1- As you read Bystander, apply your

STOMACH PAINS Iowa State Bystander UNITED …chroniclingamerica.loc.gov/lccn/sn83025186/1906-09-14/ed...Iowa State Bystander UNITED STATES CRUISER DES MOINES. Bystander Pub. Co. OES

1 Bystander effect Learning lite. 2 Why would we think about the Bystander Effect? Understanding the Bystander effect, what it is and why it happens enables

DON’T BE A BYSTANDER

Bystander effect

The Bystander Effect

Bystander Obligations at the Domestic and … · Bystander Obligations at the Domestic and International Level 47 Bystander Obligations at the Domestic and International Level Compared

Through the Eyes of a Bystander: Kelly A. McEvoy...Through the Eyes of a Bystander: Understanding VR and Video Effectiveness on Bystander Empathy, Presence, Behavior, and Attitude

Bystander-Upstander update

Attacker POV to computer networks Attacker profiles and ...users.jyu.fi/~timoh/TIES327/L3.pdf · • Attacker POV to computer networks • Attacker profiles and public cases ... Product

Pluralistic Ignorance in the Bystander Effectrasmuskrendsvig.dk/papers/Rendsvig2014_Pluralistic...the bystander effect. This narrower focus is taken as the second step of the bystander

SSON - Bystander Revolution

Kitty Genovese Bystander Apathy

USING MOTIVATIONAL INTERVIEWING & BYSTANDER …

Bystander Intervention for Middle Schoolers

Bystander Effect Corpuz&Reyes BSPsyIII