Linux and Open Source for (Almost) Zero Cost PCI Compliance
Rafeeq Rehman 2
Some Introductory Notes
¡ Payment Card Industry (PCI) standard is not a government regula�on. ¡ Who needs to comply with PCI? ¡ Twelve major requirements covering policy, processes, and technology to protect Credit Card Data.
¡ What is Credit Card Data? ¡ Few Clarifica�ons ¡ Payment Card Industry (PCI) requires some tasks to be performed by external vendors depending upon merchant level. There is no other way around, unfortunately. ¡ Open Source solu�ons do need people. That is why it is almost free but not totally free.
9/10/11 3
What the Auditors Look For?
¡ Is PCI just a checklist?
¡ Are auditors genuinely interested in securing the PCI data?
¡ Does it ma�er if you use an open source or commercial product to meet PCI requirements?
¡ What if you meet PCI requirements while improving security and spending less money?
9/10/11 4 Is it viable to use Open Source for PCI Compliance?
¡ Is there a real company who uses Open Source so�ware to achieve PCI compliance? Is it even possible?
¡ PCI 2.0 focuses more on Risk based approach.
¡ PCI (or any compliance) is boring! Make it interes�ng by using Open Source.
9/10/11 5 PCI Biggest Expenses
1. Log Management (Storage and archiving, Monitoring and Aler�ng)
2. Vulnerability Scanning 3. Network Firewalls and Network Segmenta�on
4. Intrusion Detec�on System 5. Encryp�on for data-at-rest
6. File Integrity Monitoring 7. Iden�ty Management (Password controls, Two factor for remote access, Role based access)
9/10/11 6
Addi�onal PCI Needs
¡ Using secure protocols for a number of things (remote access, web traffic, etc.)
¡ Secure destruc�on of Storage
¡ Use of Network Time Protocol
¡ Pen Tes�ng
¡ Web Applica�on Tes�ng
¡ Web Applica�on Firewalls
9/10/11 7
PCI Compliance is Expensive
¡ A large number of commercial solu�ons needed to meet specific requirements
9/10/11 8
Affordable Informa�on Security
9/10/11 9 Why Open Source is Not Used Much?
¡ Integra�on
¡ Repor�ng – Compliance needs evidence!
9/10/11 10
Strategy
¡ Get rid of what you don’t need
¡ Network segment ¡ Reduces scope and a good security prac�ce
¡ Build processes and train people ¡ Only technology is not sufficient
¡ Focus on risk
9/10/11 11
Log Management
¡ Requirement ¡ Keep logs for one year minimum ¡ Ensure there is no log tempering ¡ Control/manage access to logs
¡ Use standards (Syslog) - Centralized Log Management using rSyslog or Syslog-NG
¡ Snare for Windows to Syslog ¡ Log Analysis using OSSEC ¡ Octopussy – Open Source Log Management
¡ OSSEC for file integrity monitoring of log files
¡ Logstash for searching, queries
9/10/11 12
Log Management Tools
9/10/11 13
Event Management/Correla�on
¡ Pandora – (h�p://pandorafms.org/)
¡ SEC – Simple Event Correlator ( h�p://simple-evcorr.sourceforge.net/)
¡ ZENOS – Open Source system monitoring and management (h�p://community.zenoss.org/)
¡ ZABIX – Open source monitoring ( h�p://www.zabbix.com/)
¡ Nagios – System monitoring (h�p://www.nagios.org/)
9/10/11 14
An�virus
¡ For non-commercial home use, Avast is a free so�ware and available at h�p://www.avast.com/
¡ ClamAV is free and available on mul�ple pla�orms ( h�p://www.clamav.net/)
¡ Integrate AV into other solu�ons like web servers
9/10/11 15
Iden�ty Management
¡ OpenLDAP is open source and free LDAP system available on mul�ple pla�orms (h�p://www.openldap.org/)
¡ 389 Server
¡ SourceID supports mul�ple protocols including SAML, Cardspace, Liberty, WS-Federa�on etc ( h�p://www.sourceid.org/)
¡ OpenSAML libraries (h�p://www.opensaml.org)
9/10/11 16
Firewalls
¡ Network ¡ Smoothwall (h�p://www.smoothwall.org/) ¡ Ne�ilter/iptables (h�p://www.ne�ilter.org/). Included in Linux distribu�ons as well. ¡ IPCop (www.ipcop.org)
¡ Hostbased ¡ Ne�ilter/iptables (h�p://www.ne�ilter.org/). Included in Linux distribu�ons as well.
¡ Web applica�on firewalls ¡ Mod security (h�p://www.modsecurity.org/)
9/10/11 17
IDS/IPS
¡ Snort IDS (h�p://www.snort.org)
¡ OSSEC – Host Based IDS (h�p://www.ossec.net)
¡ SAMHAIN – Host Based IDS ( h�p://www.la-samhna.de/samhain/)
¡ Snort Rules – Emerging Threats ( h�p://rules.emergingthreats.net/open-nogpl/)
9/10/11 18
Encryp�on and PKI
¡ Full Disk Encryp�on and USB Drive Encryp�on ¡ TrueCrypt (h�p://www.truecrypt.org/)
¡ PKI and Cer�ficate Server ¡ Fedora Linux Dogtag (h�p://pki.fedoraproject.org/) ¡ OpenSSL (h�p://www.openssl.org/)
¡ Email and File Encryp�on ¡ GnuPG (h�p://gnupg.org/) ¡ GPG4Win (h�p://www.gpg4win.org/)
9/10/11 19
Vulnerability Management ¡ Nessus (h�p://www.nessus.org) ¡ Nmap (h�p://www.nmap.org) ¡ Kismet Wireless detec�on and sniffing ( h�p://www.kismetwireless.net/) ¡ Backtrack (h�p://www.remote-exploit.org/backtrack.html) ¡ Web Applica�on Tes�ng with w3af ¡ OpenVAS Vulnerability Scanner (h�p://www.openvas.org/) is like Nessus – client/Server ¡ SSL crypto verifica�on and cer�ficate checking – SSLscan, available on Linux. Use yum to download
9/10/11 20
Pen Tes�ng
¡ Metasploit (h�p://www.metasploit.com/)
¡ Backtrack (h�p://www.remote-exploit.org/backtrack.html)
¡ Wireshark packet capture and analysis (h�p://www.wireshark.org/)
9/10/11 21
Conclusions
¡ PCI Compliance is a result of good security ¡ It is an end result, not a mean
¡ Focus on Good Security Prac�ces – You will achieve both security and compliance
¡ More money ≠ be�er security ¡ Auditors are really interested in security! ¡ For each requirement in PCI, open source so�ware is available (except where PCI requires third party involvement)
9/10/11 22
Ques�ons and Contact Info
Affordable Informa�on Security at
h�p://www.rafeeqrehman.com
9/10/11