Self-Defending Network Support for PCI

BRKSEC-2008

BRKSEC-2008 14327_04_2008_c2

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public


Session Description
This session discusses the Payment Card Industry (PCI) Data Security Standard and how you can use the network to help achieve PCI compliance. We will cover the remote location, e-commerce sites, main campus, data center, and network management for PCI, using the Cisco PCI Validated Architecture Solutions as the reference design.

Agenda
• Session Objectives
• Compliance and PCI Overview
• Applying the Network toward PCI Compliance
• Key Takeaways
• Q and A

Session Objectives
At the end of the session, you should be able to:
• Understand the 12 PCI requirements
• Know where PCI applies within your company
• Apply technologies to help achieve PCI compliance

PCI Defined and Updates


The PCI Data Security Standard
• Published January 2005; version 1.1 released September 7, 2006
• Impacts all who process, transmit or store cardholder data
• The PCI Security Standards Council maintains the standard and the certifications: http://www.pcisecuritystandards.org

PCI Industry Updates
• US Level 1 merchants: deadline was September 30, 2007; 77% are compliant
  364 Level 1 merchants (38 were given a September 30, 2008 extension)
• US Level 2 merchants: deadline was December 31, 2007; 62% are compliant
  1011 Level 2 merchants (302 were given a December 30, 2008 extension)
• Europe merchants: 2008 deadline
• Asia merchants: 2009 deadline
• US impact of non-compliance
  Level 1 merchants: $25,000–$100,000 per month fine, and will increase over time
  Level 2 merchants: $5,000–$25,000 per month fine

Source: VISA, January 2008

PCI Standards Update
• New PCI Self-Assessment Questionnaire (SAQ) release: from one SAQ to four SAQs, to reach more merchants
• PCI DSS version 1.2 coming October 2008
• Two Information Supplements released April 22, 2008:
  11.3 Penetration testing
  6.6 Web Application Firewall
• List of Qualified Security Assessors (QSA) continuously updated
• List of Approved Scan Vendors (ASV) continuously updated

VISA PCI Categories – US Merchants

| Category | Criteria | Requirement |
|---|---|---|
| Level 1 Merchants | More than six million Visa/MasterCard/American Express/Discover transactions per year; or any merchant that has suffered a hack or an attack that resulted in an account data compromise | Annual onsite PCI data security assessment; quarterly network scan |
| Level 2 Merchants | One million to six million transactions per year | Quarterly network scan; annual self-assessment |
| Level 3 Merchants | 20,000 to one million e-commerce transactions per year | Quarterly network scan; annual self-assessment |
| Level 4 Merchants | Less than 20,000 e-commerce transactions per year | Quarterly network scan; annual self-assessment |

Source: http://usa.visa.com/merchants/risk_management/cisp_merchants.html?it=c|/merchants/risk_management/cisp.html|Defining%20Your%20Merchant%20Level#anchor_2

VISA PCI Categories – Canadian Merchants

| Category | Criteria | Requirement |
|---|---|---|
| Level 1 Merchants | More than six million Visa/MasterCard/American Express/Discover transactions per year; or any merchant that has suffered a hack or an attack that resulted in an account data compromise | Annual onsite PCI data security assessment; quarterly network scan |
| Level 2 Merchants | 150,000 to six million e-commerce transactions per year | Quarterly network scan; annual self-assessment |
| Level 3 Merchants | 20,000 to 150,000 e-commerce transactions per year | Quarterly network scan; annual self-assessment |
| Level 4A Merchants | One million to six million transactions per year | Quarterly network scan; annual self-assessment |
| Level 4A Merchants (as labelled on the slide) | Less than 20,000 e-commerce transactions per year | Quarterly network scan; annual self-assessment |

Source: http://www.visa.ca/en/merchant/fraudprevention/ais/merchlevels.cfm

VISA PCI Categories – Europe Merchants

| Category | Criteria | Requirement |
|---|---|---|
| Level 1 Merchants | Processed more than 6,000,000 Visa transactions per year; compromised in the last year; or identified as Level 1 by another card brand | Annual onsite PCI data security assessment; quarterly network scan |
| Level 2 Merchants | One million to six million transactions per year | Quarterly network scan; annual self-assessment |
| Level 3 Merchants | 20,000 to one million e-commerce transactions per year | Quarterly network scan; annual self-assessment |
| Level 4 Merchants | Less than 20,000 e-commerce transactions per year | Quarterly network scan; annual self-assessment |

Source: VISA Europe, http://www.visaeurope.com/aboutvisa/security/ais/resourcesanddownloads.jsp

VISA PCI Categories – Latin America Merchants

| Category | Criteria | Requirement |
|---|---|---|
| Level 1 Merchants | High-risk merchants with 80% of transaction volume (capable of storing credit card data); e-commerce merchants with 80% of transaction volume; any merchant that has suffered a hack or an attack resulting in an account data compromise | Annual onsite PCI data security assessment; quarterly network scan |
| Level 2 Merchants | High-risk merchants with the remaining 20% of transaction volume; e-commerce merchants with the remaining 20% of transaction volume | Quarterly network scan; annual self-assessment |
| Level 3 Merchants | 20,000 to one million e-commerce transactions per year | Quarterly network scan; annual self-assessment |

Source: VISA AIS Program, http://www.visalatam.com/e_merchant/ais3.jsp

VISA PCI Categories – AsiaPac Merchants

| Category | Criteria | Requirement |
|---|---|---|
| Level 1 Merchants | Processed more than 6,000,000 Visa transactions per year | Annual onsite PCI data security assessment; quarterly network scan |
| Level 2 Merchants | One million to six million transactions per year | Quarterly network scan; annual self-assessment |
| Level 3 Merchants | 20,000 to one million e-commerce transactions per year | Quarterly network scan; annual self-assessment |
| Level 4 Merchants | Process fewer than 20,000 e-commerce transactions and fewer than one million transactions regardless of channel | Quarterly network scan; annual self-assessment |

Source: VISA, http://www.visa-asia.com/ap/au/merchants/riskmgmt/ais_how.shtml

VISA PCI Categories – US, Europe and Canada Service Providers

| Category | Criteria | Requirement |
|---|---|---|
| Level 1 Service Providers | All VisaNet processors (member and non-member) and all payment gateways | Annual onsite PCI data security assessment; quarterly network scan |
| Level 2 Service Providers | Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually | Annual onsite PCI data security assessment; quarterly network scan |
| Level 3 Service Providers | Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually | Quarterly network scan; annual self-assessment |

Source: VISA, http://usa.visa.com/merchants/risk_management/cisp_service_providers.html?it=c|/merchants/risk_management/cisp.html|Defining%20Your%20Service%20Provider%20Level#anchor_3

The Payment Card Industry (PCI) Data Security Standard
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Applying Self-Defending Network to PCI

Cisco PCI Validated Architectures
Cisco Validated Design includes:
• Recommended architectures for networks, payment data at rest and data in transit
• Testing in a simulated retail enterprise which includes POS terminals, application servers, wireless devices, Internet connection and security systems
• Configuration, monitoring, and authentication management systems
• Architectural design guidance and audit review provided by PCI audit and remediation partners

[Figure: Validated Design, Small Retail Store; PCI audit partner and retail solution partner logos]

PCI Solution for Retail End-to-End Architecture
[Figure: end-to-end architecture diagram. Retail Store: Cisco Integrated Services Router, Cisco Catalyst switch, Cisco Aironet wireless LAN access point; POS server, POS electronic cash register, desktop PCs and laptops, payment devices, mobile payments. WAN aggregation: store WAN routers with VPN across the WAN. Data Center: core (Cisco Catalyst switches), service aggregation (Cisco Catalyst switches with service modules), server access, storage (MDS 9000 SAN switches, disk arrays, tape storage); servers for authentication, monitoring, security system management, network management, network services, POS transaction, key management and databases. Internet Edge: edge routers, Adaptive Security Appliance, DMZ with web application firewall and web servers, Internet VPN to remote teleworkers, customers and partners.]

Data Center Architecture: Overview
WAN Routers
• Security services and QoS limit traffic in from the business network
• If the WAN connects to a public network, Virtual Private Network encryption is required
• IPSec tunnels encrypt traffic to the store routers

Core Switches
• High-speed switching and segmentation between the other layers

Service Aggregation Switches
• Application services include quality of service, content filtering, and load balancing
• Security services include access control, firewall, intrusion prevention

[Figure: data center diagram with WAN aggregation (store WAN routers), core (Cisco Catalyst switches), service aggregation (Cisco Catalyst switches with service modules), server access (authentication, POS transaction, monitoring, security system management, network management, network services, key management and database servers) and storage (MDS 9000 SAN switches, disk arrays, tape storage)]

PCI Solution: Internet Edge
Edge Routers
• Access lists limit the traffic allowed in from the Internet
• IPSec and secure web traffic is allowed in from the Internet

Service Aggregation Switches
• Application services include quality of service, content filtering, and load balancing
• Security services include access control, firewall, intrusion prevention

De-Militarized Zone (DMZ)
• Creates a limited access zone
• Connects web servers and e-commerce application servers

Virtual Private Network (VPN)
• Connects IPSec tunnels from employee, partner or store routers

[Figure: Internet edge diagram. Internet (customers, e-commerce, store backup network, teleworkers, partners, employees) to the edge routers; outside, DMZ and VPN Cisco Catalyst switches; Adaptive Security Appliances and ACE XML Gateway; external web servers and web application server in the DMZ; inside to the data center core Cisco Catalyst switches]

PCI Solution for Retail: Store Components
Integrated Services Router
• Security services limit the traffic allowed in and out of the store network
• Routing, QoS and filtering of business data flows

Cisco Catalyst LAN Switches
• Segmentation, quality of service

Aironet Wireless Access Points
• Connect wireless clients to the store network
• Security and identity services enforce central policy for encryption and authentication

Business Servers and Hosts
• Cisco Security Agent enforces file access and host firewall policy
• RSA file and database security management encrypts stored data; RSA Key Manager enforces key management policy

[Figure: retail store diagram. Cisco Integrated Services Router to the WAN, Cisco Catalyst LAN switch, Cisco Aironet wireless LAN access point; POS server, POS electronic cash register, desktop PCs and laptops, payment devices, mobile payments, mobile POS and pricing]

PCI Solution: Remote Location, Small Store
[Figure: small store diagram. Cisco Integrated Services Router with Cisco IOS Security and Ethernet switch on primary and alternate WAN connections; Cisco 802.11a/g WLAN access point; POS VLAN/WVLAN with POS cash register, POS server (CSA) and mobile POS; data VLAN/WVLAN with store worker PC and inventory management; centralized management servers: Wireless Controllers, Security Manager, MARS, ACS, WCS]

PCI Solution: Remote Location, Medium Store
[Figure: medium store diagram. Cisco ISRs with IOS Security on the primary and alternate WAN connections, one with a Wireless LAN Controller; Cisco Catalyst switches with Power over Ethernet and security; Cisco 802.11a/b/g WLAN access points; management VLAN; data VLAN/WVLAN with store worker PC and inventory management; POS VLAN/WVLAN with POS, POS server (CSA) and mobile POS; vendor/guest WVLAN with partner device and personal shopper/PDA for enhanced customer service; centralized management servers: Security Manager, MARS, ACS, WCS]

PCI Solution: Remote Location, Large Store
[Figure: large store diagram. Cisco ISRs with IOS Security on the primary and alternate WAN connections; Wireless Controllers; Cisco Catalyst distribution and access switches; management VLAN; Cisco 802.11a/b/g WLAN access points; data VLAN and WVLAN with store worker PC, mobile POS and inventory management; POS VLAN/WVLAN with POS, POS server and CSA; vendor/guest WVLAN with vendor device for inventory management and personal shopper/PDA for customer service; centralized management servers: Security Manager, MARS, ACS, WCS]

Network Environment Blue Print
[Figure: the network environment blueprint used for the requirement walk-throughs that follow. Zones: Remote Location, Internet Edge, Main Office, Network Management Center, Data Center. Components shown: ACS, POS server, mobile POS, POS cash register, store worker PC and wireless device with CSA, WAP, Cisco Catalyst switch, ASA, ISR, 7300 WAN router, IPS, 6500 switch, AXG, e-commerce servers with CSA, credit card storage with CSA, NAC, IronPort, CSM, NCM/CAS, CS-MARS]

Cisco Security Manager (CSM) Topology-Centric View


PCI Requirement 1: Install and Maintain a Firewall Configuration to Protect Data
• Configuration standards, documentation
• Segment cardholder data from all other data
• Firewall to public connections (inbound and outbound)
• Wireless
• Personal firewall

Requirement 1: Install and Maintain a Firewall Configuration to Protect Data
[Figure: the network environment blueprint (remote location with separate POS VLAN and data VLAN, Internet edge, main office, network management center, data center) annotated for Requirement 1]

CSM Firewall Configuration

For Your Reference


CSM Global Firewall Configuration

For Your Reference


ASA: Inspection Rules


Network Compliance Manager (NCM)
Requirement 1 Status


PCI Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
• Change vendor-supplied defaults
• Wireless: change wireless vendor defaults, disable SSID broadcasts, use WPA/WPA2
• Configuration standards for all system components
• Implement one primary function per server
• Disable all unnecessary and insecure services and protocols

Requirement 2: Do Not Use Vendor-Supplied Defaults for System Settings
[Figure: the network environment blueprint (remote location, Internet edge, main office, network management center, data center) annotated for Requirement 2]

PCI Requirement 2.1 for Wireless
• Verify that the Cisco controller is, by default, configured for administrative restriction and AAA authentication for administrative users
• Verify that no default SSID is enabled on the WLC
• Disable/remove the default SNMP community strings "public" and "private"; create new community strings; verify that the default community strings are no longer accessible
• Configure the administrative user either via the initial controller setup script or via the CLI
• Configure the wireless system for WPA authentication
• Disable SSID broadcast

Cisco Wireless Configuration

For Your Reference


PCI Requirement 3: Protect Stored Data
• Keep cardholder data storage to a minimum
• Do not store the full contents of any track from the magnetic stripe (also called full track, track, track 1, track 2 and magnetic stripe data), the card-validation code or value, or the PIN
• Mask the PAN when displayed, and render it unreadable when stored (hashed indexes, truncation, index tokens and pads, strong cryptography, disk encryption)
• Document and implement key management processes

Requirement 3: Protect Stored Data
[Figure: the network environment blueprint (remote location, Internet edge, main office, network management center, data center) annotated for Requirement 3]

Protect Stored Data: From What?
Cisco Security Agent (CSA) protects from:
• Copying cardholder information to removable media (USB sticks, CD-ROMs, etc.)
• Copying cardholder information to different file formats
• Printing cardholder information
• Saving information to a local machine
Plus typical worm/virus protection (think e-commerce)

CSA Information Protection Creation

For Your Reference


CSA Action Rule

For Your Reference


PCI Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
• Use SSL/TLS or IPSec; WPA for wireless
• If using WEP:
  Use with a minimum 104-bit encryption key and 24-bit initialization value
  Use only in conjunction with WPA/WPA2, VPN or SSL/TLS
  Rotate shared WEP keys quarterly (or automatically)
  Restrict access based on MAC address
• Never send unencrypted PANs by e-mail

Requirement 4: Encrypt Transmission of Cardholder Data Across Public Networks
[Figure: the network environment blueprint (remote location, Internet edge, main office, network management center, data center) annotated for Requirement 4]

GET VPN: Tunnel-less VPNs, A New Security Model
IPSec Point-to-Point Tunnels
• Scalability is an issue (N^2 problem)
• Overlay routing
• Any-to-any instant connectivity cannot be done at scale
• Limited advanced QoS
• Multicast replication is inefficient

Tunnel-less VPN
• Data is encrypted without the need for a tunnel overlay: scalable any-to-any
• Routing/multicast/QoS integration is optimal: native routing
• Encryption can be managed by either subscribers or service providers
• Customized, per-application encryption

[Figure: WAN with point-to-point IPSec tunnels versus tunnel-less encryption with native multicast]

IronPort: PCI Compliance over Email
Automatic detection and encryption of credit card information
• Comprehensive scanning for cardholder information
• Integrated encryption and remediation
• Auditable reporting

Comprehensive detection:
• Credit card smart identifier
• Preloaded PCI lexicons dictionary
• Embedded attachment scanning

Integrated remediation:
• Universal message encryption
• Quarantine, archive capabilities
• Notifications
• Reporting

“IronPort meets PCI compliance requirements in an easy to administer, transparent manner.” —Brian Burke, Director, Secure Content, IDC
“IronPort has provided customers with an easy to deploy, use, and manage PCI compliance solution for email.” —Barry Johnson, Director, Risk Mitigation, IGXGlobal

[Figure: internal users' outbound mail passing through the IronPort Email Security Appliance on its way to the Internet]
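As an added example (not code from this presentation, Cisco or IronPort), the Python below shows the two controls that the Requirement 3 slide and the IronPort slide above describe: detecting card numbers in outbound mail text with a pattern plus the Luhn check that a "credit card smart identifier" relies on, and remediating them by masking for display, truncating for storage, and deriving a keyed hashed index for lookups. The sample message and the HMAC key are constructed placeholders.

```python
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every real card number passes; it filters out
    order numbers, tracking numbers and other digit runs of PAN length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form: first six and last four digits visible, the rest masked."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(digits: str) -> str:
    """Storage form when the full PAN is not needed: last four digits only."""
    return digits[-4:]


def pan_index(digits: str, key: bytes) -> str:
    """Keyed hashed index: lets records be matched without storing the PAN.
    An unkeyed hash is brute-forceable over the small PAN space, so the key
    must be protected by the Requirement 3 key-management process."""
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def normalize(candidate: str) -> str:
    """Strip the separators a person types between digit groups."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Luhn-validated PANs (normalized digits) found in text, in order."""
    return [normalize(m.group(0)) for m in PAN_RE.finditer(text)
            if luhn_ok(normalize(m.group(0)))]


def remediate_mail(body: str, key: bytes) -> tuple:
    """Return (rewritten body, report). Each validated PAN in the body is
    replaced by its masked form. The report records only the masked PAN
    and its index token, never the PAN, so the report itself can be kept."""
    report = []

    def _replace(m):
        digits = normalize(m.group(0))
        if not luhn_ok(digits):
            return m.group(0)          # e.g. a tracking number: leave as is
        report.append({"masked": mask_pan(digits),
                       "token": pan_index(digits, key)})
        return mask_pan(digits)

    return PAN_RE.sub(_replace, body), report


# Constructed sample mail: one test PAN, one 16-digit non-PAN order number.
SAMPLE_MAIL = (
    "Hi, please refund order 1234567890123456 to the card on file,\n"
    "4111 1111 1111 1111, expiry 12/29. Thanks."
)
# Placeholder key; in production it comes from the key-management system.
SAMPLE_KEY = b"placeholder-hmac-key-rotate-me"

if __name__ == "__main__":
    new_body, findings = remediate_mail(SAMPLE_MAIL, SAMPLE_KEY)
    print(new_body)
    for finding in findings:
        print(finding)
```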

NCM Requirement 4 Status

For Your Reference


Cisco Wireless Configuration

For Your Reference


PCI Requirement 5: Use and Regularly Update Anti-Virus Software or Programs
• Deploy anti-virus software on all systems commonly affected by viruses
• AV programs must be capable of detecting, removing, and protecting against all forms of malicious software, including spyware and adware
• Ensure that all AV mechanisms are current, actively running, and capable of generating audit logs

Requirement 5: Use and Regularly Update Anti-Virus Software
[Figure: the network environment blueprint (remote location, Internet edge, main office, network management center, data center) annotated for Requirement 5]

NAC Manager

For Your Reference


Adding NAC A/V Rule

For Your Reference


NAC Rule List

For Your Reference


NAC A/V Update


IronPort A/V
• Industry-leading defense-in-depth solution: preventive defense plus reactive defenses (Virus Outbreak Filters plus anti-virus signatures)
  IronPort Virus Outbreak Filters
  McAfee anti-virus signatures
  Sophos anti-virus signatures
• Ease of deployment and zero management: automatic updates
• Email is the highest virus transmission medium

PCI Requirement 6: Develop and Maintain Secure Systems and Applications
• Systems and software have the latest vendor-supplied security patches installed; install relevant security patches within one month of release
• Establish a process to identify new security vulnerabilities (subscribe to alert services, etc.)
• Develop software applications based on industry best practices and incorporate security throughout the software development lifecycle
• Develop web applications based on secure coding guidelines such as those of the Open Web Application Security Project
• Web-facing applications are protected against known attacks by installing an application-layer firewall in front of them, or by having the application code reviewed by a specialized application security organization

Requirement 6: Develop and Maintain Secure Systems and Applications
[Figure: the network environment blueprint (remote location, Internet edge, main office, network management center, data center) annotated for Requirement 6]

OWASP’s 2007 Top Ten

For Your Reference


Cisco Application Control Engine (ACE) XML Gateway
AXG in Action: Blocking XSS Attacks
1. Define the hosts to protect
2. Define policies per host: here we are going to validate GET and POST parameters

AXG in Action: Blocking XSS Attacks
1. Define an acceptable range for each GET or POST query parameter
2. Attack detected and blocked

AXG in Action: Blocking XSS Attacks
1. Alternatively, use a blacklist approach using Cisco-verified signatures
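The Python below is an added example, not AXG code, that implements the policy model the three AXG slides walk through: hosts to protect, a policy per host and path, an acceptable range per GET or POST parameter (the allowlist), and a signature blacklist as the fallback for parameters that have no allowlist rule. The hostname, paths, rules and signature patterns are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Steps 1 and 2: hosts to protect, one policy per host. Each policy maps a
# path to the parameters it accepts and the acceptable range of each.
# Hostname, paths and rules are constructed for this example.
POLICIES = {
    "shop.example.com": {
        "/search": {
            "q":    {"type": "text", "max_len": 40},
            "page": {"type": "int", "min": 1, "max": 500},
        },
        "/checkout": {
            "qty": {"type": "int", "min": 1, "max": 99},
            "zip": {"type": "regex", "pattern": r"[0-9]{5}(-[0-9]{4})?"},
        },
    },
}

# Alternative from the last slide: a signature blacklist. These three are
# illustrative patterns, not Cisco-verified signatures.
XSS_SIGNATURES = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon(load|error|click|mouseover)\s*=", re.I),
]

# Free-text allowlist: letters, digits, space and a little punctuation; no
# angle brackets, quotes or parentheses, so script injection never fits.
TEXT_OK = re.compile(r"[\w .,'-]*")


def check_value(rule: dict, value: str) -> bool:
    """True when value is inside the acceptable range the rule defines."""
    kind = rule["type"]
    if kind == "int":
        return value.isdigit() and rule["min"] <= int(value) <= rule["max"]
    if kind == "regex":
        return re.fullmatch(rule["pattern"], value) is not None
    if kind == "text":
        return len(value) <= rule["max_len"] and TEXT_OK.fullmatch(value) is not None
    return False


def matches_blacklist(value: str) -> bool:
    """Signature check used only for parameters without an allowlist rule."""
    return any(sig.search(value) for sig in XSS_SIGNATURES)


def inspect(host: str, path: str, params: dict) -> tuple:
    """Decide (allowed, reason) for one request. params maps a parameter
    name to its list of values, as parse_qs returns for a query string or
    a form body, so GET and POST parameters are validated the same way."""
    host_policy = POLICIES.get(host)
    if host_policy is None:
        return False, "host not protected"
    rules = host_policy.get(path, {})
    for name, values in params.items():
        for value in values:
            rule = rules.get(name)
            if rule is not None:
                if not check_value(rule, value):      # allowlist decides
                    return False, "parameter %s outside acceptable range" % name
            elif matches_blacklist(value):            # fallback for unlisted params
                return False, "parameter %s matched attack signature" % name
    return True, "ok"


def inspect_request(url: str, body: str = "") -> tuple:
    """Validate a URL's query string together with an optional form body."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    return inspect(parts.hostname, parts.path, params)


if __name__ == "__main__":
    print(inspect_request("http://shop.example.com/search?q=red+shoes&page=2"))
    print(inspect_request("http://shop.example.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E"))
```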

PCI Requirement 7: Restrict Access to Cardholder Data by Business Need-to-Know
• Limit access to computing resources and cardholder information only to those individuals whose job requires such access
• Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed

Requirement 7: Restrict Access to Data by Business Need-to-Know
[Figure: the network environment blueprint (remote location, Internet edge, main office, network management center, data center) annotated for Requirement 7]

CSA Action Rule

For Your Reference


When a User Attempts to Save a Change…

For Your Reference


CSA Manager Event Log

For Your Reference


PCI Requirement 8
Assign a Unique ID to Each Person with Computer Access
Identify all users with a unique user name before allowing access to system components or cardholder data In addition, employ one method of authentication (password, token devices [SecureID, certificates or public key], biometrics) Implement two-factor authentication Encrypt all passwords during transmission and storage


Requirement 8: Assign a Unique ID to Each Person with Computer Access
Diagram: the same PCI reference architecture (Remote Location, Internet Edge, Main Office, Network Management Center, Data Center) and components as shown for Requirement 7


Cisco Secure Access Control Server (ACS)
Administration Accounts

For Your Reference


Cisco ACS
Only Allow HTTPS Connections

For Your Reference


Cisco ACS
Idle Timeouts and Failed Attempts

For Your Reference


Cisco ACS
Map to Active Directory

For Your Reference


PCI Requirement 9
Restrict Physical Access to Cardholder Data
Facility entry controls and monitor physical access to systems that store, process or transmit cardholder data
Cameras to monitor sensitive areas
Restrict physical access to network jacks, wireless access points, gateways, and handheld devices
Distinguish between employees and visitors
Visitor log in, physical token, authorization before entering area
Physically secure cardholder data media
Destroy media when it is no longer needed


PCI Requirement 10
Track and Monitor All Access to Network Resources and Cardholder Data
Implement automated audit trails
Record audit trail entries
Secure audit trails so they cannot be altered
Review logs for all system components at least daily
Destroy media when it is no longer needed
Retain audit trail history for at least one year, with a minimum of three months online availability
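Two of these bullets (secure the trail against alteration; retain one year with three months online) can be checked mechanically. The following is an added illustration, not code from the session or from any Cisco product: each audit entry carries an HMAC chained to the previous entry, so an edited or deleted record is detected, and a retention pass sorts entries into online, archive and purge buckets. The key, host name and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

AUDIT_KEY = b"constructed-demo-key"    # assumption: a real key lives in the log server's key store
ONLINE_RETENTION = timedelta(days=90)   # at least three months online
TOTAL_RETENTION = timedelta(days=365)   # at least one year of history
GENESIS = "0" * 64                      # chain anchor for the first entry

def append_entry(trail, user, action, target, when):
    """Append an entry whose HMAC covers the previous entry's HMAC, so altering
    or deleting any earlier entry invalidates every entry after it."""
    prev_mac = trail[-1]["mac"] if trail else GENESIS
    body = {"ts": when.isoformat(), "user": user, "action": action, "target": target}
    msg = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest()
    trail.append(body)
    return body

def verify_trail(trail):
    """Return the index of the first entry whose MAC fails, or -1 if intact."""
    prev_mac = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "mac"}
        msg = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return i
        prev_mac = entry["mac"]
    return -1

def retention_counts(trail, now):
    """Count entries that must stay online, may move to archive, or may be purged."""
    online = archive = expired = 0
    for entry in trail:
        age = now - datetime.fromisoformat(entry["ts"])
        if age <= ONLINE_RETENTION:
            online += 1
        elif age <= TOTAL_RETENTION:
            archive += 1
        else:
            expired += 1
    return online, archive, expired

def demo():
    """Constructed sample: three admin logins to a cardholder-data host."""
    now = datetime(2008, 6, 1, tzinfo=timezone.utc)
    trail = []
    for days_ago in (400, 200, 1):
        append_entry(trail, "admin", "login", "cc-storage-01", now - timedelta(days=days_ago))
    intact = verify_trail(trail)          # -1: every link checks out
    trail[1]["user"] = "someone-else"     # simulate an after-the-fact edit
    tampered_at = verify_trail(trail)     # 1: the edited entry is the first failure
    return intact, tampered_at, retention_counts(trail, now)
```

Forwarding entries to a central collector such as CS-MARS keeps the chain key off the monitored host, which is what makes the alteration check meaningful.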


Requirement 10: Track and Monitor All Access to Network and Cardholder Data
Diagram: the same PCI reference architecture (Remote Location, Internet Edge, Main Office, Network Management Center, Data Center) and components as shown for Requirement 7


CS-MARS: PCI DSS Requirement 10
Critical System Access Monitoring

PCI DSS Requirement 10: “Is Administrator Access to the End Systems Monitored?”


CS-MARS PCI Reports/Reporting

For Your Reference

PCI Reports Group

Detailed Monitoring and Reporting for PCI Requirements
Comprehensive PCI Reports


CS-MARS for PCI Reporting

For Your Reference

Comprehensive and Detailed Reports and Reporting
PCI Reports Group


NCM Requirement 10 Status

For Your Reference


PCI Requirement 11
Regularly Test Security Systems and Processes
Use a wireless analyzer at least quarterly to identify all wireless devices in use
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network
Perform penetration testing at least once a year and after any significant upgrade or modification
Use NIDS/IPS, HIDS/HIPS
Deploy file integrity monitoring software to perform critical file comparisons at least weekly
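The last bullet, critical file comparison, is the mechanism behind products like CSA's file integrity rules. The following is an added example, not code from the session or from any Cisco product: it takes a SHA-256 baseline of a directory tree and reports files modified, removed or added since the baseline. The directory layout and file names are constructed for the demo.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Snapshot (digest, size) of every file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = (file_digest(path), os.path.getsize(path))
    return baseline

def compare(baseline, current):
    """Return sorted lists of modified, removed and added files; any non-empty
    list is a finding the weekly review must investigate."""
    modified = sorted(n for n in baseline if n in current and current[n] != baseline[n])
    removed = sorted(set(baseline) - set(current))
    added = sorted(set(current) - set(baseline))
    return modified, removed, added

def demo():
    """Constructed sample tree: baseline it, then change, delete and add a file."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("pos/app.conf", "pos/payment.dll", "web/checkout.php"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(b"original contents of " + rel.encode())
        baseline = build_baseline(root)
        # Drift between two checks: one edit, one deletion, one unexpected new file.
        with open(os.path.join(root, "web", "checkout.php"), "ab") as f:
            f.write(b"\n/* unexpected change */")
        os.remove(os.path.join(root, "pos", "payment.dll"))
        with open(os.path.join(root, "web", "extra.js"), "wb") as f:
            f.write(b"new file")
        return compare(baseline, build_baseline(root))
```

The baseline itself must be stored where the monitored host cannot rewrite it (or signed), otherwise an attacker who changes a file can simply re-baseline.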


Requirement 11: Regularly Test Security Systems and Processes
Diagram: the same PCI reference architecture (Remote Location, Internet Edge, Main Office, Network Management Center, Data Center) and components as shown for Requirement 7


Cisco ASA 5500 Series and IPS Network Environment Blue Print for PCI
Diagram: the PCI reference architecture (Remote Location, Internet Edge, Main Office, Network Management Center, Data Center) with ASA and IPS placements marked at each site; components shown: ACS, POS Server, Mobile POS, CSA, POS Cash Register, NAC, CSM, NCM/CAS, ASA, 7200/7300 WAN, ISR, ASA IPS, E-commerce, 6500 Switch, WAP, Credit Card Storage, CS-MARS, Cisco Catalyst Switch, Store Worker PC, Wireless Device
IPS options called out on the diagram:
ASA IPS, Cisco IOS IPS, or ISR AIM IPS
IPS 4200, ASA-IPS or IDSM-2
IPS 4200 or ASA-IPS


CS-MARS: PCI DSS Requirement 11
Wireless Access Detection

PCI DSS Requirement 11: “Is the Wireless Network Being Monitored and Are New Wireless Devices Identified?”

Cisco Wireless Controller


Wireless Controller Configuration

For Your Reference

Scan for and Detect Rogue APs and Wireless Devices

Untrusted AP Policy
Rogue Location Discovery Protocol: Disabled
RLDP Action: Alarm Only
Rogue APs
Rogue AP advertising my SSID: Alarm Only
Detect and report Ad-Hoc Networks: Enabled


Cisco Security Manager
IPS Device-Centric Signature View


Cisco Security Manager
Policy-Centric Signature View


Cisco Security Agent (CSA) PCI Rule Modules


CSA PCI Requirement 11 Modules


CSA PCI Module Drill-Down


NCM Requirement 11 Status


PCI Requirement 12
Maintain a Policy that Addresses Information Security for Employees and Contractors
Establish, publish, maintain, and disseminate a security policy
Develop usage policies for critical employee-facing technologies
Implement a security awareness program
Implement an incident response plan
If cardholder data is shared with service providers, the SP must adhere to the PCI DSS requirements


Requirement 12: Maintain a Policy that Addresses Information Security
Diagram: the same PCI reference architecture (Remote Location, Internet Edge, Main Office, Network Management Center, Data Center) and components as shown for Requirement 7


CSM Workflow
“Enable Different Management Teams to Work Together”
What Is It?
Structured process for change management that complements your operational environment
Security Operations: Policy Definition
Create/Edit Policy -> Review/Submit -> Approve/Commit (with Undo)
Network Operations: Policy Deployment
Generate/Submit Job -> Approve Job -> Deploy (with Rollback)
Example
Who can set policies
Who can approve them
Who can approve deployment and when
Who can deploy them
Benefit
Provides scope of control
Firewall, VPN, and IPS Services


CSM Role-Based Access Control
What Is It?
Authenticates administrator’s access to management system
Determines who has access to specific devices and policy functions
Diagram: Cisco Security Manager, Cisco Secure ACS (AAA), Remote Access and Home Office administrators; managed devices: Cisco PIX® Firewall and Cisco ASA, Cisco IOS Software
Example
Verifies administrator and associate administrators to specific roles as to who can do what
Benefit
Enables delegation of administrator tasks to multiple operators
Provides appropriate separation of ownership and controls
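The two CSM slides above (workflow with separate policy-definition and deployment approvals, and role-based access with default deny, which is also the Requirement 7 posture) describe a small state machine. The following is an added illustration of that logic, not CSM's code or Cisco's: roles map to explicitly allowed actions, every other action is denied, each step requires the right workflow state, and an approval is refused when it comes from the person who submitted the item. Role names, states and user names are constructed for the demo.

```python
# Roles and the actions each may perform; anything not listed is denied (the
# "deny all unless specifically allowed" posture). In practice the role would
# come from the identity store (ACS / Active Directory), not from the caller.
PERMISSIONS = {
    "security_ops": {"submit"},
    "security_lead": {"approve_policy"},
    "network_ops": {"generate_job", "deploy", "rollback"},
    "network_lead": {"approve_job"},
}

# Workflow steps from the CSM slide: action -> (required state, next state).
# Create/Edit is the constructor below, which starts a request in "draft".
TRANSITIONS = {
    "submit": ("draft", "submitted"),
    "approve_policy": ("submitted", "committed"),
    "generate_job": ("committed", "job_submitted"),
    "approve_job": ("job_submitted", "job_approved"),
    "deploy": ("job_approved", "deployed"),
    "rollback": ("deployed", "committed"),
}

# Separation of duties: an approval must not come from whoever did the step it approves.
APPROVES = {"approve_policy": "submit", "approve_job": "generate_job"}

class ChangeRequest:
    def __init__(self):
        self.state = "draft"
        self.history = []  # (actor, action) pairs, the request's own audit trail

    def last_actor(self, action):
        return next((a for a, p in reversed(self.history) if p == action), None)

    def act(self, actor, role, action):
        if action not in PERMISSIONS.get(role, ()):
            raise PermissionError(f"{role} is not allowed to {action}")
        required, nxt = TRANSITIONS[action]
        if self.state != required:
            raise ValueError(f"{action} is not valid in state {self.state}")
        if action in APPROVES and self.last_actor(APPROVES[action]) == actor:
            raise PermissionError(f"{actor} cannot approve their own {APPROVES[action]}")
        self.history.append((actor, action))
        self.state = nxt
        return self.state

def demo():
    """Constructed walk-through: one normal change and two rejected shortcuts."""
    cr = ChangeRequest()
    cr.act("alice", "security_ops", "submit")
    cr.act("bob", "security_lead", "approve_policy")
    cr.act("carol", "network_ops", "generate_job")
    rejected = []
    for attempt in (("carol", "network_lead", "approve_job"),  # approving her own job
                    ("alice", "security_ops", "deploy")):       # role has no deploy right
        try:
            cr.act(*attempt)
        except PermissionError:
            rejected.append(attempt[2])
    cr.act("dave", "network_lead", "approve_job")
    cr.act("carol", "network_ops", "deploy")
    return cr.state, rejected, len(cr.history)
```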

NCM Requirement 12 Status

For Your Reference


Cisco Solution for PCI
Diagram: the full Cisco PCI solution across Remote Location, Internet Edge, Main Office, Network Management Center and Data Center, with each PCI requirement (1 through 12) placed on the architecture; components shown: Cisco Security Agent (CSA) on the POS Terminal and POS Server, ACS, NAC, Cisco Security Management, IronPort, ASA 5500, WAP, Cisco Catalyst Switch, Store Worker PC, 7300 Router, WAN, NCM/CAS, ASA, CS-MARS, ISR, IPS, 6500 Switch, AXG, E-commerce, Credit Card Storage, Wireless Device

PCI Solution Mapping
Table: PCI Solution Mapping of Cisco products (ISR, ASA, CSA, MARS, WLAN, IPS, NAC, 6500, IronPort, CSM, NCM, ACE, ACS, XML) against PCI Requirements 1 through 12, each cell marked as applicable or n/a

Cisco PCI Services


Services from Cisco and Cisco Security Specialized Partners
Supporting your efforts to achieve compliance
Identify and remediate gaps in your current network environment relative to the PCI Data Security Standard
Gap analysis and remediation plan
Design and implementation

Supporting your efforts to stay compliant
Asset monitoring and support for configuration and change management
Quarterly security gap analysis
Periodic reporting of PCI-critical device status
*PCI compliance service capabilities may vary by region


Gap Analysis and Remediation Plan
Identifies Gaps in Your Network Components and Systems, Policies, and Processes
PCI Analysis Toolset
Collects data about devices and configurations (Cisco and third party)
Analyzes your network for gaps relative to PCI Data Security Standard requirements
Cisco engineer creates a tailored remediation plan that includes a prioritized set of actions for closing compliance gaps

For Your Reference


Design and Implementation
Best Practices for Implementing the Remediation Plan Recommendations
Security Policy Definition
Develop or refine your company’s high-level goals, procedures, rules, and requirements for securing its information assets

For Your Reference

Design Review, if necessary
Provide design review if the PCI gap analysis and remediation plan suggest it

Implementation
Implement your solution on time and on budget by following a thorough, detailed implementation process based on best practices
Realize business and technical goals by installing, configuring, and integrating new system components in accordance with remediation plan recommendations

Asset Monitoring and Support for Configuration and Change Management

For Your Reference

Asset Monitoring
Monitor and manage devices critical to your PCI-compliant network in real time 24 hours a day, 365 days a year
Identify anomalies, events, or trends that might adversely affect your network security
Provide consolidated status reports that you can use with your stakeholders and third parties such as auditors

Configuration Management Support
Improve operational efficiency by maintaining an accurate, reliable system configuration database and managing configuration changes through an orderly, effective process

Change Management Support
Reduce operating costs and limit change-related incidents with a consistent and efficient change management process

Quarterly Incremental Security Gap Analysis

For Your Reference

Assess for Changes that Might Affect Compliance

Provide Improvement Recommendations and Remediation Services as Needed


Summary


Summary
Key Takeaways
PCI is moving rapidly to global importance
PCI Compliance encompasses Security Best Practices
Work closely with Approved Scan Vendor and Qualified Security Assessor to understand expectations
Use Cisco’s PCI Validated Architectures as a guide to ease design and implementation


More Information
Cisco Compliance information
http://www.cisco.com/go/compliance
http://www.cisco.com/go/retail

VISA Cardholder Information Security Program
http://usa.visa.com/merchants/risk_management/cisp.html

MasterCard PCI Merchant Education
http://www.mastercard.com/us/sdp/education/pci%20merchant%20education%20program.html

PCI Security Standards Council
https://www.pcisecuritystandards.org/

Relevant Security Sessions
BRKSEC-2004
BRKSEC-2006
BRKSEC-2007
BRKSEC-2011
BRKSEC-2012
BRKSEC-2020
BRKSEC-2030
BRKSEC-2031
BRKSEC-2041
BRKSEC-2052
BRKSEC-4012

Monitoring and Mitigating Threats Inside the Perimeter: Six Steps to Improving Your Security Monitoring
Deploying Cisco IOS Security
Deploying Site-to-Site IPSec VPNs
Deploying Dynamic Multipoint VPNs
Firewall Design and Deployment
Deploying Network-Based Intrusion Prevention Systems
Understanding Host-Based Threat Mitigation Techniques
Deploying Cisco Network Admission Control Appliance
Secure Messaging
Advanced IPSec with GET VPN

Q and A


Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press®
Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store

Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes; winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
