Episode #72 - More Fun with PCI DSS Compliance!

This week, the guys discuss one of their favorite topics, Payment Card Industry Data Security Standards (PCI DSS)! Companies that transmit, process, or store credit card data need to be compliant but PCI has its own nuances. What level of PCI compliance do you need? How do you determine what is in scope? How do you work with auditors? The guys answer these questions and more, plus share some wizard-like tactics to help you maneuver through the PCI requirements.
Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!

Rogue HackerOne Employee Steals Bug Reports to Sell on the Side
Microsoft finds Raspberry Robin Worm in Hundreds of Windows Networks
New RedAlert Ransomware Targets Windows, Linux VMware ESXi Servers
Cyberattacks Against Law Enforcement Are on the Rise
IT Services Giant SHI Hit By "Professional Malware Attack"
Marriott Hit by New Data Breach and a Failed Extortion Attempt
Google Patches New Chrome Zero-Day Flaw Exploited in Attacks
Microsoft Quietly Fixes ShadowCoerce Windows NTLM Relay Bug
OrBit, a New Sophisticated Linux Malware Still Undetected
US Govt Warns of Maui Ransomware Attacks Against Healthcare Orgs
Malicious NPM Packages Used to Grab Data From Apps, Websites
Why Your API Gateway is Not Enough for API Security?
Data of a Billion Chinese Residents Available for Sale on the Dark Web
Security Advisory Accidentally Exposes Vulnerable Systems

Transcript

Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cybersecurity programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy websites and trade show giveaways, all to protect you from cyber criminals. And now, here's your hosts: Mike Rotondo, Zach Fuller, and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez. Today we are talking about Payment Card Industry Data Security Standards, or PCI DSS compliance, everybody's favorite topic, and we just happen to have two PCI Professional certified wizards here on the call, which, you can guess which two, they're the bearded ones. So anyway, that being said, let's talk about PCI in a little bit here, but before we do, Mike, why don't you kick us off with the news.

Rogue HackerOne employee steals bug reports to sell on the side. A HackerOne employee stole vulnerability reports submitted through the bug bounty platform and disclosed them to affected customers to claim financial rewards. The rogue worker had contacted about a half dozen of HackerOne's customers and collected bounties in a handful of disclosures, the company said on Friday. HackerOne is a platform for coordinating vulnerability disclosures and intermediating monetary rewards for the bug hunter submitting the security report. So be careful.

Microsoft finds Raspberry Robin worm in hundreds of Windows networks. Just saying "Raspberry Robin worm" makes me think of pastry. Microsoft says that a recently spotted Windows worm has been found on the networks of hundreds of organizations from various industry sectors. The malware, dubbed Raspberry Robin, spreads via infected USB devices and was first spotted in September 2021 by Red Canary intelligence analysts. Cybersecurity firm Sekoia also observed it using QNAP NAS devices as C2 servers in early November, while Microsoft said it found malicious artifacts linked to the worm created in 2019. Once the USB device is attached, an msiexec process using cmd.exe launches a malicious file stored on the infected drive, and it infects new Windows devices, communicates with its command-and-control servers, and executes malicious payloads using several legitimate Windows utilities like fodhelper, msiexec, and odbcconf.

New RedAlert ransomware targets Windows, Linux VMware ESXi servers. A new ransomware operation called RedAlert, or N13V (I like RedAlert better), encrypts both Windows and Linux VMware ESXi servers in attacks on corporate networks. The new operation was discovered by MalwareHunterTeam, who tweeted various images of the gang's data leak site. The ransomware has been called RedAlert based on a string used in the ransom note; however, from a Linux encryptor obtained by BleepingComputer, the threat actors call the operation N13V internally. The Linux encryptor is created to target VMware ESXi servers, with command line options that allow the threat actors to shut down any running virtual machines before encrypting the files. So make sure you're patched.

Cyberattacks against law enforcement are on the rise. A Los Angeles-based cybersecurity company has registered an increase in malicious activity targeting law enforcement agencies at the beginning of Q2 2022. Threat actors are hacking email and other accounts which belong to law enforcement officers and their internal systems. The emerging trend consists of threat actors sending fake subpoenas and emergency data requests to their victims from hacked law enforcement email accounts. The threat actors are targeting major technology companies to collect sensitive information about targets of interest. The replies received by the bad actors contain sensitive details which are being used to leverage extortion or cyber espionage. Such incidents have been especially notable in cyber criminal group activities such as LAPSUS$ and the Recursion group.

IT services giant SHI hit by a "professional malware attack." SHI International, an international MSP, has confirmed that a malware attack hit its network over the weekend. SHI provides services to over 1,500 corporate, enterprise, public sector, and academic customer organizations. After the attack, SHI added a message to its website warning customers and visitors that information systems are undergoing maintenance due to a sustained outage.

Lastly, Marriott hit by a new data breach and a failed extortion attempt. Marriott International was hit by a data breach after an unknown threat actor breached one of its properties and stole 20 gigs worth of documents that contain non-sensitive internal business files and some credit card information. This is important: the attackers really breached one of the chain's properties, the BWI Airport Marriott, and only had access to the network for a limited time. The threat actor used social engineering to trick one associate at a single Marriott hotel into providing access to the associate's computer. Train your people on social engineering, please. This is the third data breach Marriott has confirmed since 2018, after exposing the personal information of 5.2 million hotel guests, including contact and personal data, in a data breach disclosed in 2020.

A couple of key headlines: there's another Google patch for a zero-day; Microsoft has quietly fixed the ShadowCoerce Windows NTLM relay bug; OrBit, a new sophisticated Linux malware, is still undetected; there's a Maui ransomware out there; NPM packages that are grabbing data from websites and apps; API issues; and the data of a billion Chinese residents available for sale on the dark web. So if you need data on a billion Chinese residents, you can find it now. Already got my copy.

Yeah. With that, Lauro, what do you got?

I got my copy too. It only cost me like 50 cents.

Awesome.

So thanks for the news, Mike. I got a couple exploits to talk about today. First is with the Marval MSM software. If you're using Marval in any facet inside of your infrastructure to do management or those types of activities, keep a lookout for version 14, because there is a remote code execution for that and the payload is available for download and use today. So make sure you patch your Marval. And for the other one, it's kind of an interesting piece. There's this app that's out there, it's called Remote Mouse, or as they call it, WiFi Mouse, and it's essentially an app that you can download on an Android phone. I'm not sure if they have it for your Apple devices, but on Android you can download this app and you can control your mouse on your computer with it. So it's, you know, more of, I call it fun-ware than useful-ware. However, if you did decide to download WiFi Mouse, look out for 1.7. There's a remote code execution that will install a file of choice. So the coding is really well done on this and it even allows the piece for the payload to be put in, so you can call down whatever you'd like to be executed on the phone. So keep an eye out for that. Again, you know, some of this software is, again, more fun-ware than for practical use, and with all fun stuff comes, well, flaws like this. So that's all I have for exploits. Zach, PCI today, are we?

That's right, that's right. We're going to dive in deep to PCI, but before we do, let's take a quick commercial break and we will be right back.

Want even more Cyber Rants? Be sure to subscribe to the Cyber Rants podcast. Get your copy of our best-selling book, Cyber Rants, on Amazon today. This podcast is brought to you by Silent Sector, the firm dedicated to building world-class cybersecurity programs for mid-market and emerging companies across the U.S. Silent Sector also provides industry-leading penetration tests and cyber risk assessments. Visit silentsector.com and contact us today.

Ladies and gentlemen, are you ready for some compliance work here? Let's dive in. Let's talk a little bit about Payment Card Industry standards, the PCI compliance. This is something that a lot of organizations have to deal with at some level, and we're going to talk about the various levels, we're going to talk about some of the requirements, how to scope, and all that good stuff that you need to know. But let's start out with just PCI in general. I mean, how would you guys advise people on understanding whether or not they have to abide by PCI at some capacity? Let's say a new organization that's dealing with credit cards. How do they determine, one, do we need this, and two, at what level do we need it?

I think it's a good question, Zach, and, you know, Mike, please jump in here, but I think that the basic, simple response is if you store, process, or transmit credit cards in pretty much any volume, whether it's a point-of-sale terminal that is taking actual physical cards, or you're doing electronic, what they refer to as card-not-present, transactions. I believe even if you're outsourcing the processing part to a third-party processor, you're still responsible for some components of the Data Security Standard.

Yeah. In addition, there are a lot of companies that are credit card companies that are requiring you to follow PCI whether you store data or not, whether the cards even come into your network. You know, we went through this with one of my customers, where they were just literally transacting everything outside the environment, and the payment processor and the bank wanted you to fill out PCI requirements. They had their own online portal that you had to use. So it's a good idea for everybody to be aware, if you're taking a credit card, of PCI, and take whatever necessary steps, because you're going to be asked eventually to at least answer some of the questions, and you need to answer them intelligently and properly, otherwise you're going to create additional issues for yourself.

What could happen if you don't abide by the rules?

If you don't abide by the rules, okay, so there's a lot of myth around what can occur if you're not compliant. So I'll give you two real-world stories that Mike and I, well, Mike has been part of both of these. So Mike and I have been working on PCI a lot together over the last decade, so you might remember these, Mike. There was one client that had gone out of compliance. Okay, so here's something to remember: your merchant bank is going to tell you, usually, if you're required to report to them, because you're going to be processing over a million cards, they're going to know about it. You're going to be high on their radar. They're going to have a PCI consultant inside the bank assigned to you, basically your business, and they're going to communicate with you and tell you that you need to submit the scans, and you need to submit at this date your Report on Compliance or your Self-Assessment Questionnaire, whichever it is. But if you choose not to go down the PCI path... so my first story comes from an organization that was processing well over five or six million transactions a year from each one of the brands, and they looked at the fines that the bank was giving them. The bank gave them 12 months out of courtesy to try to line up, and they failed to get in line, and so then the bank basically started imposing fines of doing business, and the fine was set at $5,500 a month. Okay, this fine, the organization, very large billion-dollar organization, looked at this fine and said, "Oh well, it's cheaper to pay the fine than it is to try to become compliant, so we'll just pay the fine for a while until we can figure out what to do." Do you remember this, Mike?

Oh yeah.

So this went on for about 24 months, that the organization stalled their PCI compliance initiatives because they found it far more inexpensive to pay the fine to the bank and continue to process versus, you know, becoming compliant, which was true. I mean, it really was true. I think it ended up costing 13 million dollars for that short-sighted...

Yeah, clearly.

Yeah, it was very... okay, so that's story one of what can happen, at least that I know about. Mike, do you have any other ones that are at least that high of a fine?

Not regarding fines. I mean, I have a lot of stories of stupid decisions by management, but other than that...

Well, speaking of a stupid decision for management, that's kind of where my second story comes in. Okay, so Mike and I worked with a client that was PCI obligated, right? So they were going down this path of PCI. Well, one of their large customers executed some business with them, but in the master services agreement it stated that the service provider would become PCI Level 1 compliant within 12 months or pay 1 million dollars per month until compliant. And management signed the master services agreement agreeing to this, not realizing the level of work that was required to become PCI compliant. So let's just say, like, four months out of that timer erupting with the million-dollar-a-month kind of thing going on, the organization then set in motion this massive path, right, to get all this de-scoped environment compliant. So that's another place where I'd say be careful of management's bad decisions, because they may put you in a very compromised position like this, where now not only are you at risk of a million dollars a month, you're going to have to probably spend millions to become compliant quickly enough that you don't suffer that fine.

Yeah, and this is real important. Management, look at me, look at me, look at me: talk to your technical people before you commit to anything, because you don't know what you're talking about, for the most part. Your technical people will have an idea of the scope of what it's going to take and the time it's going to take to be able to become PCI compliant. A random guess of "well, 12 months sounds fair" is not right, because it took them four months to define the scope, and then the scope was far too broad, and then they had deprecated systems in that scope. I mean, it was just a mess. It was bad.

So, well, I'm scared. I know I'm gonna get PCI. I don't want to pay a million dollars a month. Well, hey, let's dive in. So those were obviously some hefty fines, and they can, you know, stop your credit card processing altogether. I mean, it could be substantial for companies. Now let's talk about, and obviously those are some fairly sizable organizations with that kind of money moving around, large volumes of credit card processing. How does an organization go about determining what level it has to align with, if somebody's not telling them already, or they want to be proactive and not learn the month before that they have to be at a specific level? How do they define that?

PCI provides you with a handy-dandy chart that tells you exactly what you need to do. Typically it's a payment processor that will define what level you need to do, but we've run across issues with clients that have multiple payment processors due to multiple lines of business, and then you have a conflict between the two levels of compliance, in which case you need to default to a SAQ D, which is the catch-all. But, you know, if you go to PCI, I think it's dss.org...

Yeah, it's PCI Security Standards Council. They changed it.

Did they?

They did.

All right. So there are one, two, three, four, five, six, seven, eight, nine different levels of PCI compliance that go all the way from card-not-present to even still addressing the old, for those of you who remember, the hand machines, the hand imprint machines, on up. So even if you just pass everything off to a third-party payment processor, you still have to have some level of compliance, either forced on you by the bank or the payment processor, even if you don't store it. Now, if you're storing credit card data, then you need to go through the full deal. But yeah, I mean, so there is a thing, you know, SAQ A, that's the easiest one to do, self-attestation, it's a basic one, it's a good place to start. But there are additional, like A-EP, which is new e-commerce merchants who outsource all payment processing to PCI DSS validated third parties, who have a website that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant systems or premises is the requirement for an A-EP. So if that's you, you need to get that done, and you need to go through the SAQ A or SAQ, the SAQ questionnaire, the self-assessment questionnaire, and do what it says.

So, yeah, the other thing, I think, you know, previous to that, is it's all based on your transaction volume, right? So like Mike said, your payment processor or your merchant bank are going to let you know pretty much what you need to do, and so it comes down to how many transactions of what type of credit card you're processing. So, you know, Visa has specific requirements for what they consider to be like a Level 1 vendor, so check the Visa processing requirements site, and then, like, Discover, Mastercard, they're gonna have different requirements too. So if you're processing, you know, over a million or a couple million a year, you're probably going to be in that, what they refer to as a Level 1 space, where you're kind of required to have a third party. And I guess that's the other kind of black magic of PCI, is that your transaction volume determines whether or not you can do the self-assessment questionnaires that Mike was referring to, or you've got to actually hire a third-party assessor firm to come in and do what they call a Report on Compliance, or a ROC, and that's got to be a Qualified Security Assessor, QSA, right? And those are kind of pay-to-play, so you have to go through PCI training and then you pay the board money to be on their list of approved QSA firms. And your processing volume will determine, so if you're processing like 10 million credit cards a year, you can't self-assess, you're gonna have to have a third party come in and do this for you. And that's, I think, a lot of the reason, Mike, why some of these organizations are really trying to push off as much of the payment processing portion of this to third parties that are just doing it right there already. That's what their business is.

Well, I think there's the financial component, I think there's also the risk component, right? I mean, people have come to realize what the risk is of storing credit card data, and, you know, the cost of dealing with that risk and mitigating that risk, and the amount of talent you have to have available, and all those things that go down the line. And still there are companies out there running deprecated systems, and you have some internal auditors that we both dealt with that were like, "Oh, we'll just take the deprecated systems out of scope." It's like, yeah, you can't do that. That's called fraud.

It is, it is, and it happens. And, you know, I think that that's a good segue to talking about a couple pitfalls that I don't believe everybody's aware of for PCI, right? If you're gonna go through this assessment, there's a couple places that, I won't call them a pitfall trap, but they kind of are, and I'll talk about those real quick. Is that okay, Zach?

Absolutely. I'm excited. I'm taking notes.

So like Mike was just saying, right, segmentation. Segmentation is a big deal, right? And so your QSA, okay, the QSA, the assessor, can sample, okay? If you pull down and you download PCI DSS, like the first 20 pages are just all instructions on how to do it, so make sure you read that part, okay, because there's no mystery behind this, okay? The QSAs, your PCI Professionals, your Internal Security Assessors that you assign, they're all going through the same document, so all your instructions are laid out for you right in the document. So it's valuable for everybody who may even be involved in this just to download the recent one and read it, just the first 20 pages. You don't need to get into the requirements portion, but just understand how it's done, right, what the assessor is going to come in and do. But there's a couple areas that PCI Security Standards Council can't really articulate well, and they can't really decide your architecture for you, right? So they have to kind of keep some verbiage in a general area, and I'll talk about that first one, segmentation. So the QSA has the ability to come and sample your systems. So if you've got 150 Windows 10 systems and they're all exact, okay, they have to be exact, and the QSA can validate through deployment guides and hardening standards and other policies and deployment technologies that they are all the same, then out of that hundred, I don't need to look at all hundred as a QSA. I can take 10 or 20 of them and do a sample set, okay, of evidence collection. And the other thing that allows a QSA to be able to not look at your whole environment is what's referred to as network segmentation, right? And a lot of my network engineers, you know, this has been around for a long time, making, you know, virtual local area networks and putting things through access control lists and firewalls and things like that. They've been around a really long time, okay. The problem is that companies... PCI tells you that you can use segmentation to de-scope specific systems that aren't storing, processing, or transmitting, because those are the three kind of linchpins that you have in PCI. You're storing, processing, or transmitting the data, it's in scope. So are the people, and so are the systems that can impact the security of. So those are some other kind of magical terms in the guidelines. But segmentation is something that your architecture is founded upon, right? You either did it or you didn't, or you did it to some capacity. But there's a place in PCI that says, essentially, page 12, and I'll just read this: "Segmentation of the cardholder data environment from the remainder of the entity's network is not a PCI DSS requirement. However, it is strongly recommended as a method that may reduce the scope of the assessment, cost of the assessment, cost and difficulty of implementing and maintaining control states, and risk to the organization relative to payment card account data." Okay, so they're not telling you you've got to do it, but if you don't do it, then the whole of your network is in scope, okay? So if you didn't implement segmentation properly, the auditor can come in and tell you that your whole infrastructure is in scope, not just the systems that you have storing, processing, or transmitting. While PCI DSS gives us segmentation language, it doesn't define what segmentation is for you and your architecture, and this is where the magic trap happens, is that you can have an assessor that comes in and bullies you because you didn't set up network segmentation properly, or you don't have it defined, right, which a lot of organizations do not have, what network segmentation is, as a definition in a policy or standard for their organization. So step one: build a document about what network segmentation is in your environment, okay, and how you delineate between a flat network, where it's all connected together and everything can communicate, versus a segmented network, and what components you use in your business to provide the segmentation controls, okay? So that's goal one. That way, if an assessor tries to argue with you, you can hold up the standard, and then you can validate that the segmentation is in place, right, which is something that the QSA is asked to do, is validate segmentation is in place and working, okay, and that's done with network packets.

Many assessors think they're this guy.

Yeah, exactly, exactly. They are not Batman. They are, I won't say it, but yeah.

So Papa... a lot of Papa Smurf. A lot of the assessors, Mike's got a big point, okay, a lot of these assessors are interns and college grads that are going into these large firms and they're getting a very set curriculum and then they're getting sent out to do this stuff, okay? They're not engineers, they're not extremely technical individuals, so there's a lot of room for misunderstanding of technical controls, okay? So it's your job, owning this audit, right, not to be intimidated by the assessor but to help the assessor understand what controls are in place in your environment and how you meet these controls. So define your segmentation with a standard, right, a segmentation standard. And then the other place I'll talk about pitfall traps is what's called significant changes, okay? What the DSS is going to refer to as significant changes. And in PCI DSS 4 they've actually tried to define what significant changes are, and on page 26, I'll just tell you verbatim here: "There are certain requirements for which performance is specified upon significant change in the entity's environment." Okay, so some of these activities are: new hardware, software, or networking equipment added to the cardholder data environment; any replacement or major upgrades of hardware or software; any changes to the flow or storage of account data; any changes to the boundary of the cardholder data environment and/or to the scope of the assessment; any changes to the underlying supporting infrastructure of the cardholder data environment, including but not limited to changes to directory services, time servers, logging, and monitoring; any changes to third-party vendors or service providers that support the cardholder data environment or requirements on behalf of your entity. That's a lot, okay. What you need to do, again, is define what a significant change is in your architecture. PCI is giving examples. This section is called "descriptions and examples," okay? This doesn't mean this is the definitive definition of what significant changes are in your architecture, but if you don't define it, an assessor is going to come in and try to argue with you over what is and what is not considered a significant change. So document that as well, right? Define what significant changes are in your environment and what things are going to be required as controls. And so PCI further goes on to talk about, you know, penetration testing after significant changes, right? So they're going to tell you in 6.4 that, you know, public-facing web applications need vulnerability scanning and penetration tests at least every 12 months or after significant changes. So if the assessor comes in and says, "Well, you made six significant changes in this quarter and you didn't do any pen test, fail," you have to have some form of ammunition, technical ammunition, to come back and say, "No, that's not correct. These changes that were made were enhancements, in fact, and didn't change the core of the code that is tested after significant changes, which happens in our agile schedule every eight months," as an example, or whatever, right? Every fifth push to prod gets a pen test before, so keep that in mind. And then if you're a third-party service provider, you're gonna be required to do things more frequently, and then significant changes, again, become more complex to define for you. So if you're providing services for companies that are trying to be PCI compliant and they're outsourcing their services to you, and you're that provider, you come into that provider crosshair. You're required to do things more frequently, so it's even more important that you define what a significant change is in your complex environment, where you may have VPCs dedicated to certain clients and, you know, you're making changes, you're doing updates, you're doing vulnerability scanning and patching. You've got to define what those significant changes are, or an assessor will come in and try to define that for you, and you could lose your compliance status if you don't write this stuff down.

Yeah, so the key component of that is you can define your own risk. You have to do your internal risk management and you can define your processes to define what these things are, and that's one of the common failings of a lot of companies: they allow the assessor to define these things. You can't do that, and you have to push back on the assessor's assessment of what your risk truly is. The other thing is that a business justification will trump just about anything that PCI is requiring. If you can justify from the business perspective that we have to do it this way because..., then there's really not much they can say. So define your risk, define what's in there, define your processes, define those things prior to the auditor, and that will minimize the pain of the audit and what you have to do. But defining your scope is critical, because, and this goes back to dealing with management, they'll say, "Oh yeah, we'll make the whole company PCI compliant." Well, if you've got a company that has five different regions, some of them international, managed by different managers, and they have different levels of software and server types, and you're running Linux over here and you're running Windows over here and this, that, and the other thing, making the entire environment compliant is very, very difficult, especially if you don't have dedicated staff for it. Doing it during your KTLO isn't going to do it. So you really need to get ahead of the audit and have an idea what you're going to do before. You need to bring in someone who knows, a PCIP from some firm that's not your auditor, to go through and look internally, or send one of your people to training, get them PCIP trained, and let them help you determine what's going on here and make this as painless as possible.

Yeah, that's a good point, Mike, and I want to talk training real quick. I know I've had a mouthful this episode, so I apologize to everybody out there, but training is super important, okay? Because what's going to happen is, as you start, if you've got one individual in charge of internal PCI compliance, your other department managers or other silo managers may start arguing about things, right, about this or that, or not understanding, or why do we have to do this. I always recommend, when I ran PCI programs with Mike, you know, we always made sure that everybody went to training. I'd pick a random manager and an individual from a completely different group, and we would send them to PCIP school, or we'd have the Security Standards Council come to the organization and give us the class there, in like a big break room or something, you know. But you want to get your people trained, because, you know, you need them on your side to help you win this fight. And if you've got the standard red tape and interdepartmental politics and bureaucracy that happen in a lot of big corporations, odds are you've got contention between other environments trying to get things done, with the network manager or with the apps manager or whatever the case may be. Send those people to school. That way they're on your team, they're all wearing the same jersey, they all understand where the lines are drawn, and then they become part of your assessment team versus being, like, this kind of, you know, bad fight internally just to get the control states in place so that you can be compliant.

Well, outstanding. We're running out of time here, but this was excellent, some excellent wisdom into the world of PCI. So if you're dealing with that right now or gearing up to get ready for it, I hope you learned something here. And, shameless plug, there's a lot more where that came from in the book Cyber Rants, available on Amazon. So we have some white papers and things through Silent Sector as well on it, so feel free to reach out, let us know what you'd like us to talk about on the next episode: struggles, anything around assessments, testing, compliance, governance, all the fun stuff that we do. We love chatting about it. And I think PCI, Mike and Lauro, I think this is your favorite compliance requirement.

I don't know. No, nothing beats my first love, SOC 2. SOC 2, SOC 2.

All right, so second only to SOC 2. But thanks again for listening.