Linux and Open Source for (Almost) Zero Cost PCI Compliance
Rafeeq Rehman
Some Introductory Notes
- Payment Card Industry (PCI) standard is not a government regulation.
- Who needs to comply with PCI?
- Twelve major requirements covering policy, processes, and technology to protect Credit Card Data.
- What is Credit Card Data?
- A few clarifications:
  - Payment Card Industry (PCI) requires some tasks to be performed by external vendors depending upon merchant level. There is no other way around, unfortunately.
  - Open Source solutions do need people. That is why it is almost free but not totally free.
9/10/11 3
What Do the Auditors Look For?
- Is PCI just a checklist?
- Are auditors genuinely interested in securing the PCI data?
- Does it matter if you use an open source or commercial product to meet PCI requirements?
- What if you meet PCI requirements while improving security and spending less money?
Is it viable to use Open Source for PCI Compliance?
- Is there a real company who uses Open Source software to achieve PCI compliance? Is it even possible?
- PCI 2.0 focuses more on a risk-based approach.
- PCI (or any compliance) is boring! Make it interesting by using Open Source.
Biggest PCI Expenses
1. Log Management (storage and archiving, monitoring and alerting)
2. Vulnerability Scanning
3. Network Firewalls and Network Segmentation
4. Intrusion Detection System
5. Encryption for data-at-rest
6. File Integrity Monitoring
7. Identity Management (password controls, two-factor for remote access, role-based access)
Additional PCI Needs
- Using secure protocols for a number of things (remote access, web traffic, etc.)
- Secure destruction of storage
- Use of Network Time Protocol
- Pen Testing
- Web Application Testing
- Web Application Firewalls
PCI Compliance is Expensive
- A large number of commercial solutions needed to meet specific requirements
Affordable Information Security
Why Is Open Source Not Used Much?
- Integration
- Reporting: compliance needs evidence!
Strategy
- Get rid of what you don't need
- Network segmentation
  - Reduces scope and is a good security practice
- Build processes and train people
  - Technology alone is not sufficient
- Focus on risk
Log Management
- Requirements
  - Keep logs for one year minimum
  - Ensure there is no log tampering
  - Control/manage access to logs
- Use standards (Syslog): centralized log management using rsyslog or syslog-ng
- Snare for Windows to Syslog
- Log analysis using OSSEC
- Octopussy: open source log management
- OSSEC for file integrity monitoring of log files
- Logstash for searching and queries
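The "no log tampering" requirement above is usually met with OSSEC's file integrity checks on the live logs; the archive that must survive for a year needs the same protection. The following is an added example (not from the slides, not OSSEC code): a hash-chained manifest over a directory of rotated log files, where each entry's link covers the previous link, so an edited, truncated, deleted or missing file is reported by name. The archive directory and the two auth.log files in demo() are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

GENESIS = "0" * 64  # link value used for the first manifest entry

def file_sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()  # stream in chunks for large archives

def chain_link(prev: str, name: str, digest: str) -> str:
    return hashlib.sha256(f"{prev}|{name}|{digest}".encode()).hexdigest()

def build_manifest(archive_dir: Path) -> list[dict]:
    """One entry per file in sorted name order (rotated logs sort by date)."""
    prev, entries = GENESIS, []
    for path in sorted(p for p in archive_dir.iterdir() if p.is_file()):
        digest = file_sha256(path)
        prev = chain_link(prev, path.name, digest)
        entries.append({"name": path.name, "sha256": digest, "link": prev})
    return entries

def verify_manifest(archive_dir: Path, manifest: list[dict]) -> list[str]:
    """Return the problems found; an empty list means the archive is intact."""
    # Keep the manifest on the central log server (or sign it): a copy stored
    # next to the archive can be rewritten by whoever rewrites the logs.
    problems, prev = [], GENESIS
    for e in manifest:
        path = archive_dir / e["name"]
        if not path.is_file():
            problems.append(f"missing: {e['name']}")
        elif file_sha256(path) != e["sha256"]:
            problems.append(f"modified: {e['name']}")
        if e["link"] != chain_link(prev, e["name"], e["sha256"]):
            problems.append(f"chain broken at: {e['name']}")
        prev = e["link"]
    listed = {e["name"] for e in manifest}
    problems += [f"unlisted: {p.name}" for p in sorted(archive_dir.iterdir())
                 if p.is_file() and p.name not in listed]
    return problems

def demo() -> tuple[list[str], list[str]]:
    """Constructed archive: two rotated auth logs, then one is edited in place."""
    d = Path(tempfile.mkdtemp())
    (d / "auth.log-20110901").write_bytes(b"Sep  1 sshd[1]: Accepted\n")
    (d / "auth.log-20110902").write_bytes(b"Sep  2 sshd[2]: Failed\n")
    manifest = build_manifest(d)
    before = verify_manifest(d, manifest)
    (d / "auth.log-20110901").write_bytes(b"Sep  1 sshd[1]: edited\n")
    return before, verify_manifest(d, manifest)
```

Run build_manifest once per rotation from the log server and verify_manifest on a schedule; the returned list is what an auditor will ask to see as evidence.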
Log Management Tools
Event Management/Correlation
- Pandora FMS (http://pandorafms.org/)
- SEC – Simple Event Correlator (http://simple-evcorr.sourceforge.net/)
- Zenoss – Open Source system monitoring and management (http://community.zenoss.org/)
- Zabbix – Open source monitoring (http://www.zabbix.com/)
- Nagios – System monitoring (http://www.nagios.org/)
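What tools such as SEC do on top of the central syslog feed is count related events over a time window and alert on a threshold. The block below is an added example (not from the slides, not SEC code) of that correlation in Python: it parses sshd lines from a constructed rsyslog-style sample, keeps a sliding window of failed logins per source address, and raises one alert per source once the threshold is reached. Host names, addresses and the threshold are assumptions chosen for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog format rsyslog writes for sshd.
SAMPLE_LOG = """\
Sep 10 10:00:01 cde-web1 sshd[2101]: Failed password for root from 10.1.1.50 port 50112 ssh2
Sep 10 10:00:04 cde-web1 sshd[2103]: Failed password for root from 10.1.1.50 port 50113 ssh2
Sep 10 10:00:09 cde-web1 sshd[2105]: Failed password for admin from 10.1.1.50 port 50114 ssh2
Sep 10 10:00:20 cde-web1 sshd[2107]: Accepted publickey for deploy from 10.1.2.7 port 41000 ssh2
Sep 10 10:00:25 cde-web1 sshd[2109]: Failed password for root from 10.1.1.50 port 50115 ssh2
Sep 10 10:00:31 cde-web1 sshd[2111]: Failed password for root from 10.1.1.50 port 50116 ssh2
Sep 10 10:05:00 cde-web1 sshd[2120]: Failed password for root from 10.1.1.51 port 50200 ssh2
Sep 10 10:09:00 cde-web1 sshd[2122]: Failed password for root from 10.1.1.51 port 50201 ssh2
"""

# Syslog has no year; the caller supplies it (here the deck's year, 2011).
FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (\S+) from (\S+)")

def correlate(log_text: str, threshold: int = 5, window_s: int = 60, year: int = 2011) -> list[dict]:
    """One alert per source address once `threshold` failures fall within `window_s` seconds."""
    recent = defaultdict(deque)   # source IP -> timestamps of failures still inside the window
    alerted = set()               # suppress repeat alerts for a source that already fired
    alerts = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                # accepted logins and unrelated daemons are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        src = m.group(3)
        q = recent[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # drop failures that have aged out of the window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"source": src, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts
```

With the defaults, 10.1.1.50 trips the rule at 10:00:31 (five failures in 30 seconds) while 10.1.1.51, with two failures four minutes apart, does not.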
Antivirus
- For non-commercial home use, Avast is free software and available at http://www.avast.com/
- ClamAV is free and available on multiple platforms (http://www.clamav.net/)
- Integrate AV into other solutions like web servers
Identity Management
- OpenLDAP is an open source and free LDAP system available on multiple platforms (http://www.openldap.org/)
- 389 Directory Server
- SourceID supports multiple protocols including SAML, CardSpace, Liberty, WS-Federation, etc. (http://www.sourceid.org/)
- OpenSAML libraries (http://www.opensaml.org)
Firewalls
- Network
  - Smoothwall (http://www.smoothwall.org/)
  - Netfilter/iptables (http://www.netfilter.org/). Included in Linux distributions as well.
  - IPCop (www.ipcop.org)
- Host-based
  - Netfilter/iptables (http://www.netfilter.org/). Included in Linux distributions as well.
- Web application firewalls
  - ModSecurity (http://www.modsecurity.org/)
IDS/IPS
- Snort IDS (http://www.snort.org)
- OSSEC – Host-based IDS (http://www.ossec.net)
- Samhain – Host-based IDS (http://www.la-samhna.de/samhain/)
- Snort Rules – Emerging Threats (http://rules.emergingthreats.net/open-nogpl/)
Encryption and PKI
- Full Disk Encryption and USB Drive Encryption
  - TrueCrypt (http://www.truecrypt.org/)
- PKI and Certificate Server
  - Fedora Linux Dogtag (http://pki.fedoraproject.org/)
  - OpenSSL (http://www.openssl.org/)
- Email and File Encryption
  - GnuPG (http://gnupg.org/)
  - Gpg4win (http://www.gpg4win.org/)
Vulnerability Management
- Nessus (http://www.nessus.org)
- Nmap (http://www.nmap.org)
- Kismet – wireless detection and sniffing (http://www.kismetwireless.net/)
- BackTrack (http://www.remote-exploit.org/backtrack.html)
- Web application testing with w3af
- OpenVAS Vulnerability Scanner (http://www.openvas.org/) is like Nessus: client/server
- SSL crypto verification and certificate checking: SSLScan, available on Linux (install with yum)
Pen Testing
- Metasploit (http://www.metasploit.com/)
- BackTrack (http://www.remote-exploit.org/backtrack.html)
- Wireshark packet capture and analysis (http://www.wireshark.org/)
Conclusions
- PCI compliance is a result of good security
  - It is an end result, not a means
- Focus on good security practices: you will achieve both security and compliance
- More money ≠ better security
- Auditors are really interested in security!
- For each requirement in PCI, open source software is available (except where PCI requires third-party involvement)
Questions and Contact Info
Affordable Information Security at
http://www.rafeeqrehman.com