Sergey Gordeychik, Security Metrics for PCI DSS Compliance
![Page 1: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/1.jpg)
Measuring Security: Security Metrics for PCI DSS Compliance
Sergey Gordeychik
Security Lab by Positive Technologies
![Page 2: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/2.jpg)
What is PCI DSS?
QSA audits?
ASV scans?
Pentests?
Web applications security assessment?
![Page 3: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/3.jpg)
What is PCI DSS?
Building up the process of maintaining IS in a secure (and compliant) condition!
• The process of monitoring and audit (ISO 27001 A.15.2…)
QSA audits?
ASV scans?
Pentests?
Web applications security assessment?
![Page 5: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/5.jpg)
Black-and-white approach
Technical orientation of PCI provokes auditors into a black-and-white (red-and-yellow) result: "Not in compliance!" / "In compliance!"
Reality is much more complicated…
![Page 6: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/6.jpg)
Example: Updating Oracle
Auditor: There are some problems with Oracle
Company:
• Consultation with developers
• Waiting for approval
• Testing
• Deployment
![Page 7: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/7.jpg)
Example: Updating Oracle. What to do?!!
Speed up the process?
Update at one’s own risk?
Restrict access to firewall?
Migrate the application to terminal?
Implement customized IPS?
![Page 8: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/8.jpg)
What is good and what is bad?
How to measure the current level of compliance in a non-binary format?
How to divide the process of compliance maintenance into measurable tasks?
How to assess planned and current expenses?
![Page 9: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/9.jpg)
Security metrics
Explicitly measured, no "expert opinion"
Available for calculations and analysis (automatically, if possible)
Rendered quantitatively (not just "high", "medium", "low")
Measured in units that fit for analysis (such as "errors", "hours", "cost")
Comprehensible and pointing to the problem area and possible solutions (the "So what?" test)
![Page 10: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/10.jpg)
Compliance
With respect to requirements
![Page 11: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/11.jpg)
Compliance
With respect to hosts
![Page 12: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/12.jpg)
Compliance
With respect to hosts and requirements
![Page 13: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/13.jpg)
Compliance
How many PCI requirements do we violate?
What violations are the most common?
What issues should be addressed in the first place?
![Page 14: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/14.jpg)
Good, but not enough!
Allows you to trace a course of action
Allows you to observe the dynamics
Unable to provide a comprehensible engineering estimate!
![Page 15: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/15.jpg)
Labor input metrics
Allow you to assess planned and current labor input in achieving the goal
• Labor input in making the system match the compliance requirements
• Justification of chosen compensatory security measures
• Assessment of spent resources
Differentiation of types of modifications
• Patch installation
• Version update
• Configuration modification
• Code change…
![Page 16: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/16.jpg)
Labor input metrics
![Page 17: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/17.jpg)
Process metrics
Are generated on the basis of compliance metrics and their derivatives
• Quantity and percentage of workstations with anti-virus software installed
• Quantity and percentage of hosts that comply with patch-management requirements
• Quantity and percentage of DBMS servers that comply with password requirements
• Quantity and percentage of network devices that comply with security requirements
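The compliance, labor-input and process metrics from the preceding slides, worked through as an added example (not from the presentation): a constructed hosts × requirements violation matrix with placeholder requirement ids and assumed per-fix-type effort hours yields per-requirement and per-host compliance percentages, the most common violations, planned labor, and a remediation order by hosts fixed per hour.

```python
# Added example, not from the slides: compliance and labor-input metrics.
from collections import Counter

# Constructed sample data: for each host, the requirements it violates and
# the kind of modification needed to fix each violation. Requirement ids are
# placeholders, not real PCI DSS requirement numbers.
VIOLATIONS = {
    "db01":  {"REQ-PATCH": "patch", "REQ-PASSWD": "config"},
    "db02":  {"REQ-PATCH": "patch"},
    "web01": {"REQ-PATCH": "patch", "REQ-WEBAPP": "code", "REQ-FW": "config"},
    "web02": {"REQ-WEBAPP": "code"},
    "ws01":  {},
    "ws02":  {"REQ-AV": "version"},
}
REQUIREMENTS = ["REQ-PATCH", "REQ-PASSWD", "REQ-WEBAPP", "REQ-FW", "REQ-AV"]
# Assumed planned effort in hours per type of modification (labor-input metric).
EFFORT_HOURS = {"patch": 2, "version": 8, "config": 1, "code": 40}

def compliance_by_requirement(violations, requirements):
    """Percentage of hosts that comply with each requirement (slide 10)."""
    n = len(violations)
    return {r: round(100 * sum(r not in v for v in violations.values()) / n, 1)
            for r in requirements}

def compliance_by_host(violations, requirements):
    """Percentage of requirements each host satisfies (slide 11)."""
    n = len(requirements)
    return {h: round(100 * (n - len(v)) / n, 1) for h, v in violations.items()}

def most_common_violations(violations):
    """Violation counts, most common first: which issues recur across hosts."""
    return Counter(r for v in violations.values() for r in v).most_common()

def planned_labor_hours(violations, effort=EFFORT_HOURS):
    """Planned labor to reach full compliance, per fix type and in total."""
    hours = Counter()
    for v in violations.values():
        for kind in v.values():
            hours[kind] += effort[kind]
    return dict(hours), sum(hours.values())

def prioritise(violations, effort=EFFORT_HOURS):
    """Requirements as (id, hosts affected, hours), best hosts-per-hour first."""
    per_req = {}
    for v in violations.values():
        for req, kind in v.items():
            hosts, hrs = per_req.get(req, (0, 0))
            per_req[req] = (hosts + 1, hrs + effort[kind])
    return sorted(((r, h, t) for r, (h, t) in per_req.items()),
                  key=lambda x: (-x[1] / x[2], x[0]))

if __name__ == "__main__":
    print(compliance_by_requirement(VIOLATIONS, REQUIREMENTS))
    print(planned_labor_hours(VIOLATIONS), prioritise(VIOLATIONS))
```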
![Page 18: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/18.jpg)
Process metrics
Example with Oracle
• Convergence on hosts: from 20 days to eternity
• Maximum compliance level: 23%
Perhaps it’s better not to think of installation of Oracle patches at all?
![Page 19: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/19.jpg)
Comparison with the world level
What about others?
Is my level acceptable?
Perhaps I needn’t do anything?
![Page 20: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/20.jpg)
Web applications vulnerability research, 2008.
Scope of research:
• Automatic mode – approximately 10000 hosts
• Detailed analysis – approximately 1000 hosts
Results:
• Most websites' security level is low
• Detection of vulnerabilities and their exploitation methods is automated
Web Application Security Consortium preliminary data
![Page 21: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/21.jpg)
Distribution of websites according to the amount of detected vulnerabilities (the year 2008)
![Page 22: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/22.jpg)
The most common vulnerabilities
![Page 23: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/23.jpg)
To compromise a website attackers usually exploit…
Analysis of a compromised website exposes a pack of vulnerabilities, one third of which could be exploited by an attacker
![Page 24: Sergey Gordeychik, Security Metrics for PCI DSS Compliance](https://reader033.vdocuments.us/reader033/viewer/2022061219/54b900cb4a795901168b462d/html5/thumbnails/24.jpg)
How soon can these issues be solved?
Whitehat Security