Key Points of Network Operations Deployment and Information Security Maintenance (網路營運建置與資訊安全維護要點) - bccs.com.t III.pdf

C. K. Lin (林傳凱), CCSK, QSA (2008), Senior Technical Manager, North Asia. Dec. 1, 2015.

Upload: vanxuyen, posted on 28-Feb-2018

Page 1: Title slide

Key Points of Network Operations Deployment and Information Security Maintenance

C. K. Lin (林傳凱), CCSK, QSA (2008), Senior Technical Manager, North Asia. Dec. 1, 2015.

Page 2: Agenda

• Cardholder data flow and the cardholder data environment
• Perimeter network security management
• Application security management
• Vulnerability maintenance security management
• Key points of cardholder data protection
• Q&A

Page 3: Cardholder data flow and the cardholder data environment (section title)

Page 4: Cardholder data flow

Enterprises that carry more security risk because they adopt new technology + more sophisticated hackers = more attacks.

[Figure: new technologies (Virtualization, Cloud, Mobile/BYOD) on one side, new attack techniques and actors (state funded, Anonymous, LulzSec) on the other, both converging on the cardholder data flow.]

Cardholder data flows through application systems and the network infrastructure. Before any assessment activity, it is essential to document every cardholder data flow. The credit card asset inventory should define all systems that store, process, or transmit cardholder data.

Page 5: Cardholder data flow example

[Network diagram: Internet → Router → Firewall; behind it Web Server, Application Server, Mail Server, Database Server, Audit Logging Server, E-Commerce Server and E-Commerce DB Server, a generic Server, Desktops, a Wireless AP, and Mobile Users.]

Page 6: A security-compliant cardholder data flow network

[Network diagram: the same components as Page 5 (Internet, Router, Firewall, Web Server, Application Server, Mail Server, Database Server, Audit Logging Server, E-Commerce Server, E-Commerce DB Server, Desktops, Wireless AP, Mobile Users), now segmented by routers with firewall features into a PCI LAN, a Corporate LAN, and a DMZ; example: a retail store (賣場).]

Page 7: Perimeter network security management (section title)

Page 8

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Most attackers customize their malware to evade your company's standard Internet gateway and endpoint security defenses!

… using different network ports (example: Poison Ivy) … and different network protocols (example: EvilGrab malware).

[Chart: "APT?? Attacks", showing breach sizes of 24 million, 40 million, 95 million, 101 million, and 130 million records.]

Page 9: "They" all know it, but still are not prepared!!

95% of surveyed IT professionals do not believe that their existing security protections can fully protect against every potential security incident.

2/3 of APT solution providers are unable, or lack the capability, to isolate an infected host.

Source: IDG Research

Page 10: TippingPoint solutions – Req. 1.3 / 6.2 (compensating control) / 11.4

Advanced Threat Appliance (ATA)
• Superior detection via multiple scanning techniques across over 100 protocols
• Enhanced defense against "patient zero" infection and subsequent lateral spread

Integrated Policy

Next-Generation Firewall
• NGIPS with enterprise firewall
• Granular application visibility and control

In-line Threat Protection with Next-Generation Intrusion Prevention (NGIPS)
• Inspects network traffic and blocks against known vulnerabilities
• Reliable network uptime track record

Security Management System
• Centralized management across NGIPS and NGFW
• Single console to deploy devices and policies

Digital Vaccine Labs
• Industry-leading security intelligence
• Delivers zero-day coverage

Page 11: HPE ESP provides a complete solution

The industry's only high-performance, complete APT solution – detect and block APT.

[Architecture diagram: TippingPoint Security Management System, ArcSight SIEM/Logger, TippingPoint Advanced Threat Appliance (others: FireEye…), TippingPoint IPS, TippingPoint NGFW.]

Page 12: HPE ESP Logger/SIEM is tamper-resistant, making regulatory compliance easy

Frameworks covered: FISMA, ISO, PCI DSS, NERC, SOX / JSOX, NIST

• Alerts
• Report dashboard
• Report templates (multiple Loggers consolidated into a single report)

Req. 10 Track and monitor all access to network resources and cardholder data: 10.2.1~10.2.6 / 10.5

Page 13: HPE ESP provides a complete solution: ATA – HP ArcSight integration

Req. 12 Maintain a policy that addresses information security for all personnel: 12.5.2 / 12.5.3 / 12.10 / 12.10.5

Page 14: Application system security management (section title)

Page 15: Cybercrime activity targeting applications

[Diagram: network hardware security solutions (Switch/Router security, Firewalls, NIPS/NIDS, VPN, Net-Forensics, Anti-Virus/Anti-Spam, DLP, Host FW, Host IPS/IDS, vulnerability assessment tools) surrounding the applications that hold the real targets: intellectual property, customer data, business processes, and trade secrets.]

Page 16: Statistics

Sources: Gartner, Ponemon Institute, Annual Study: U.S. Cost of a Data Breach, The Open Security Foundation

[Figure: statistics slide. Figures shown: 80%, 86%, 13%, <10%, $3.8m. Captions (pairing with the figures lost in extraction): average cost of a data breach; successful attacks that target the application layer; applications that have security vulnerabilities; "automatically come with a compromise solution" (caption as extracted); IT budget spent on application security.]

Page 17: Application security challenges

Software sources: in-house development, outsourced, commercial applications, open source

• Produce and write secure software
• Demonstrate compliance
• Verify new releases
• Protect legacy applications
• Monitor and protect software in production
• Existing software

Page 18: The right approach is systematic and forward-looking

1. Build security management into the SDLC: Software Security Assurance (SSA) across in-house development, outsourced, commercial software, and open source.
2. Use security testing to flexibly verify code delivered by internal teams or outsourced vendors before go-live.
3. Test and protect the software running in production.

Improve the SDLC strategy.

Page 19: Complete application security management and protection

• Fortify SCA: source code scanning during the development phase
  • REQ. 6 Develop and maintain secure systems and applications (6.3)
• Fortify WebInspect: black-box testing in the UAT environment before go-live
  • REQ. 6 Develop and maintain secure systems and applications (6.5)
• Fortify Runtime: real-time monitoring after go-live
  • REQ. 6 Develop and maintain secure systems and applications (6.6)
• Fortify SSC: combined white-box, black-box, and grey-box analysis

Page 20: White box – source code security vulnerability review and analysis tool

(1) Scans the source code for potential security vulnerabilities and classifies them by severity
(2) Categorizes the findings and identifies which program each occurs in
(3) Points to the line of code where the vulnerability occurs
(4) Multi-layer tracing analysis
(5) Provides an explanation of each vulnerability and remediation advice

Page 21: PCI DSS-compliant Chinese report templates make application security issues easy to manage

Page 22: Active defense deployment architecture, closing the security gap before the code is fixed

[Diagram: Attacker → Firewall ("Is this kind of Internet access allowed?") → IDS/IPS/WAF ("Does it match an attack signature?") → Web Application with HP RASP. Without the last layer the outcome is "Attack succeeds!"]

Page 23: RTAL/AppView web online system monitoring (ArcSight)

[Screenshot: monitored SQL statements.]

Page 24: Vulnerability maintenance security management (section title)

Page 25: Proactive web application security vulnerability management

[Diagram: HTTP request → web application → database call. WebInspect performs the web application vulnerability scan (against the production environment); RTA blocks suspicious connections; WebInspect results are integrated into a customized Digital Vaccine to defend against attacks.]

Page 26: Real-time scan view

[Screenshot of the real-time scan dashboard: site tree; vulnerabilities discovered so far; excluded and allowed site list pane; detailed attack list; real-time scan statistics.]

Page 27: Supports OWASP Top 10 2013 / PCI-DSS 3.0 reports

Page 28: PCI DSS 3.0 report

Page 29: Supports Chinese vulnerability review reports

Page 30: Fortify + ArcSight black-box/white-box integration leaves vulnerabilities nowhere to hide

Page 31: Key points of cardholder data protection (section title)

Page 32: Comprehensive data protection use cases – HPE Atalla & HPE Security Voltage

PCI / security audit / scope reduction
• Atalla NSP: payment applications, EMV, mobile applications; a secure appliance providing FIPS Level 3+ key protection.
• HP SecureData: P2P data encryption reduces total PCI cost by up to 90%; combined with HP Secure Stateless Tokenization (SST) and HP Page-Integrated Encryption (PIE) it provides complete e-commerce protection.

Data de-identification and privacy protection
• HP Enterprise Secure Key Manager: KMIP enterprise key management; protects servers, storage infrastructure, and cloud environments against data loss, misuse, and administrative error.
• HP SecureData with HP Format-Preserving Encryption (FPE): protects sensitive information in business transactions; also allows sensitive data to be analyzed in Hadoop / Big Data or test environments.

Collaborative security operations
• HP Atalla IPC: automated enterprise information classification.
• HP Atalla Cloud Access Security Protection: visibility into cloud service risk, with security governance and control.
• HP SecureMail and HP SecureData: email security without PKI complexity using HP Identity-Based Encryption (IBE); protect sensitive PII and PHI throughout the enterprise and cloud.

Page 33: Applicability of PCI Controls to Atalla Network Security Processor (NSP) – PCI DSS V3.1 Applicability Matrix

Requirement 3: Protect stored cardholder data
Controls addressed: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.4, 3.5, 3.5.1, 3.5.2, 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.6, 3.6.7
Description: The Atalla Network Security Processor (NSP) device is a PCI-PTS validated Host Security Module (HSM). It provides hardware-based cryptographic processing for the support of financial applications. The NSP may be used to encrypt cardholder and other sensitive data. In order to meet PCI-PTS requirements, the NSP operates within its own key management domain. Keys are generated within the NSP, loaded manually through the SCA, or received as cryptograms from another PCI-PTS device. There is no persistent storage of any working keys or sensitive authentication data. The Atalla NSP does not store any information after processing the transactions. All configuration and security policy management are managed under dual control using the Secure Configuration Assistant (SCA). Security Administrators are authenticated using FIPS 140-2 level 3 smartcards. All configuration actions are logged for audit trail from initial installation.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Controls addressed: 4.1
Description: When used in conjunction with terminals that are equipped with the ability to encrypt sensitive cardholder data, the NSP is used to manage the keys and support host applications requiring sensitive data in the clear or as a pass-through operation.

Page 34: Applicability of PCI Controls to Atalla Enterprise Secure Key Manager (ESKM) – PCI DSS V3.1 Applicability Matrix

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: 2.1
Description: Atalla Enterprise Secure Key Manager (ESKM) supports administrator password complexity requirements and expiration policies. Newly enrolled ESKM administrators are assigned a temporary password which must be changed during their initial logon.

Requirement 3: Protect stored cardholder data
Controls addressed: 3.4, 3.4.1, 3.5.1, 3.5.2, 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8
Description: Atalla Enterprise Secure Key Manager (ESKM) provides the capability of managing encryption keys used for storing data at rest and in transit, and works in conjunction with HP StorageWorks encrypting devices or HP NonStop server encryption options to provide keys for AES, DEA, DES and Triple DES algorithms, including key generation and retrieval for the devices that store PAN data. ESKM keeps all records and audit logs of changes to, and accesses of, the keys used by the encryption devices. ESKM offers a complete management console capable of either integrating with a Lightweight Directory Access Protocol (LDAP) structure for authentication purposes or maintaining local user and group accounts and permissions. In the event a customer chooses to implement a full disk encryption data protection scheme, accounts used for logical access must be managed independently of the native operating system storing the encrypted data. To provide further defense in depth, the Atalla ESKM provides options to require multiple credentials for critical actions such as substitution and retirement of encryption keys.

Page 35: Applicability of PCI Controls to Atalla Enterprise Secure Key Manager (ESKM), cont. – PCI DSS V3.1 Applicability Matrix

Requirement 7: Restrict access to cardholder data by business need to know
Controls addressed: 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.2, 7.2.3
Description: Access to the ESKM is managed either through the management console, the Command Line Interface via SSH, or directly using the serial console. ESKM administrators have no access to key values or encrypted cardholder data.

Requirement 8: Assign a unique ID to each person with computer access
Controls addressed: 8.1, 8.2, 8.4, 8.5, 8.5.1, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 8.5.16
Description: Access to the ESKM is managed either through the management console GUI via SSL/TLS, the Command Line Interface via SSH, or directly using the serial console. All logins require passwords which support alpha-numeric values, may be as long as 30 characters, and support password expiration, history, and other PCI DSS password requirements. Shared ESKM administrator IDs or passwords are neither required nor recommended. ESKM administrator privileges may be assigned at a fine-grained level so that each administrator role has only the permissions and capabilities required for that role. ESKM supports administrator password complexity requirements and expiration policies. Newly enrolled ESKM administrators are assigned a temporary password which must be changed during their initial logon.

Requirement 9: Restrict physical access to cardholder data
Controls addressed: 9.10.2
Description: Atalla Enterprise Secure Key Manager (ESKM) works in conjunction with HP StorageWorks encrypting devices to provide keys for AES, DEA, DES and Triple DES data encryption algorithms, preventing loss or leakage without access to the encryption keys. To fully satisfy Requirement 9.10.2, the organization implementing Atalla's ESKM must provide evidence of proper configuration of encryption and storage methods as well as secure key management practices.

Page 36: Applicability of PCI Controls to Atalla Enterprise Secure Key Manager (ESKM), cont. – PCI DSS V3.1 Applicability Matrix

Requirement 10: Track and monitor all access to network resources and cardholder data
Controls addressed: 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.4.1, 10.4.2, 10.4.3, 10.5.1, 10.5.2, 10.5.3, 10.5.4
Description: The ESKM creates and maintains various logs to capture all administrative actions, network activity, cryptographic key requests, and system events, among other items. Logs may be digitally signed for tamper detection/evidence and can be configured to transfer to a centralized logging server for monitoring/reporting, where they are protected. ESKM also runs a digital signature verification of its internal software at power-up or restart to ensure the integrity of the software.
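The Requirement 10 rows above (the Logger/SIEM slide on Page 12 and the ESKM description here) both rest on one property: an audit log whose entries cannot be altered, deleted, or reordered without the change being detectable. The example below is added for this page and is not ESKM, ArcSight, or any HP code; it shows the usual way that property is built, a keyed hash chain (HMAC-SHA256) over each entry plus the previous entry's MAC, and a verifier that reports the first entry at which the chain breaks. The signing key, event fields, and sample records are constructed for the demo; in a real deployment the key would live in a key manager or HSM, and the verification would run on the central logging server, not on the host that produced the log.

```python
import hashlib
import hmac
import json

# Constructed demo key: a real deployment keeps this in an HSM/key manager, never in source.
SIGNING_KEY = b"demo-only-log-signing-key"
GENESIS = "0" * 64  # chain anchor for the first entry


def _entry_mac(key: bytes, prev_mac: str, record: dict) -> str:
    """HMAC over the previous entry's MAC plus the canonical JSON of this record.
    Binding prev_mac into every MAC means deleting, inserting, or reordering an
    earlier entry breaks every MAC that follows it, not just one."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + b"\n" + canonical, hashlib.sha256).hexdigest()


def sign_log(key: bytes, records: list) -> list:
    """Return a new list where each record also carries 'seq', 'prev' and 'mac'."""
    signed = []
    prev = GENESIS
    for seq, rec in enumerate(records):
        body = dict(rec, seq=seq, prev=prev)
        mac = _entry_mac(key, prev, body)
        signed.append(dict(body, mac=mac))
        prev = mac
    return signed


def verify_log(key: bytes, signed: list) -> tuple:
    """Walk the chain from the anchor; return (ok, index_of_first_bad_entry or -1)."""
    prev = GENESIS
    for i, entry in enumerate(signed):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i          # gap, duplicate, or reordering
        expected = _entry_mac(key, prev, body)
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, i          # content edited or MAC forged
        prev = entry["mac"]
    return True, -1


# Constructed sample events carrying the PCI DSS 10.3-style fields
# (user, event type, date/time, outcome, origin, affected resource).
SAMPLE_EVENTS = [
    {"ts": "2015-12-01T09:00:00Z", "user": "admin1", "event": "login",
     "result": "success", "src": "10.0.0.5", "target": "eskm-console"},
    {"ts": "2015-12-01T09:02:10Z", "user": "admin1", "event": "key_request",
     "result": "success", "src": "10.0.0.5", "target": "key:aes-db-01"},
    {"ts": "2015-12-01T09:05:44Z", "user": "svc_backup", "event": "login",
     "result": "failure", "src": "10.0.0.9", "target": "eskm-console"},
]


def demo_tamper_detection() -> tuple:
    """Sign the sample log, then flip a failed login to 'success' and re-verify.
    Returns (ok_before, ok_after, index_of_first_bad_entry)."""
    signed = sign_log(SIGNING_KEY, SAMPLE_EVENTS)
    ok_before, _ = verify_log(SIGNING_KEY, signed)
    tampered = [dict(e) for e in signed]
    tampered[2]["result"] = "success"   # someone "cleans up" the failed login
    ok_after, bad_index = verify_log(SIGNING_KEY, tampered)
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print(demo_tamper_detection())  # (True, False, 2)
```

Because the chain is keyed, a host that holds only the log file but not the key can neither re-sign an edited entry nor re-anchor the chain after removing one; that is why the key must be held by the verifier (the central logging server) and not by the system whose actions are being logged.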

Page 37: Applicability of PCI Controls to HP Voltage – PCI DSS V3.1 Applicability Matrix

Requirement 3: Protect stored cardholder data
Controls addressed: 3.4, 3.4.1, 3.5.1, 3.5.2, 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8
Description:
1. Voltage SecureData meets and exceeds all requirements of Section 3.1. Data is persistently encrypted or tokenized from the point of capture (POS, Web form, data warehouse load, etc.) to the point of consumption by applications (lookup, payment, reversal, investigation, discovery, etc.). This meets PCI DSS and PCI Point-to-Point Encryption (P2PE) requirements, including from POS to processor.
2. Voltage Format-Preserving Encryption, or AES FFX-mode, encrypts data without changing field formats or schemas, minimizing change and thus implementation costs. Any intermediate system that transmits or processes credit card PAN data does not need to change—the encrypted data retains the full format of a valid credit card field, strongly encrypted per PCI DSS requirements.
3. Tokenization provides a method by which to replace live PAN or other data with a disassociated and randomly generated alias, with the reverse (de-tokenize) process performed by strictly controlled APIs via an independent and unrelated secure token mapping database. This removes applications from scope that do not need live card data.
4. Voltage FPE is a published, proven, independently reviewed method of using AES in a mode that retains field format without sacrificing strength or security. FPE was developed through ten years of cryptographic research and public scrutiny, is NIST recognized, and is in draft NIST standard SP 800-38G.
5. Voltage Identity-Based Encryption (IBE) and FPE can be combined for one-way data capture at the POS "swipe", preventing access to cardholder data and eliminating the ability to decrypt data outside the back-end acquirer or card processor. This removes payment stream and merchant back-end systems from scope.
6. Voltage SecureData APIs also provide traditional strong AES encryption, SHA hashing, and a random number generator per NIST and FIPS standards. The Voltage Security cryptographic toolkit has been FIPS validated on Windows, Linux and z/OS.
7. Voltage SecureData also creates test (synthetic) data that cannot be reversed, eliminating live cardholder information from test and QA systems while still permitting full testing on valid-format data that is realistic and preserves the important integrity characteristics of the source data without exposing the real data.
8. Voltage Key Management is stateless and transparent, including automation of key rollover tailored to any business and operational requirements. Full separation of duties (data and keys) and PCI compliance reporting are standard with Voltage SecureData. Hardware Security Module (HSM) support is provided as standard for optional FIPS 140-3 rated hardware key protection for root keys.
9. Voltage SecureData's service-oriented design also aligns to network segmentation best practices, ensuring minimum audit costs and simplification of PCI compliance by abstracting the applications away from keys and live data through a strictly policy-controlled API.
10. Voltage SecureData is agnostic of underlying databases and application infrastructure, with a choice of integration options based on performance, architecture, and distribution requirements of components and legacy systems.
11. Voltage SecureData provides a robust, highly scalable, and easy to manage redundant infrastructure without complex networking.
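Items 3 and 7 above describe two scope-reduction techniques in the abstract: a token vault that hands applications a random, format-preserving alias instead of the PAN, with de-tokenization behind a controlled API, and synthetic test data that is realistic but was never a live card. The example below is added for this page and is not Voltage SecureData or HP code; it is a minimal in-memory vault that shows the two properties a practitioner should check in any tokenization design: the token keeps the PAN's length and last four digits (so downstream systems need no schema change) but deliberately fails the Luhn check, so it can neither collide with nor be mistaken for a real card number, and the only path back to the PAN is gated by a caller role. The role policy, the `TokenVault` class, `synthetic_pan` and the test number are all constructed for the demo.

```python
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Standard Luhn (mod-10) check; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def synthetic_pan(length: int = 16) -> str:
    """Random Luhn-valid number of the requested length: realistic test data that was
    never a live card (item 7). Hypothetical helper, not a Voltage API."""
    payload = "".join(secrets.choice(DIGITS) for _ in range(length - 1))
    for check in DIGITS:                    # exactly one check digit satisfies Luhn
        if luhn_valid(payload + check):
            return payload + check
    raise AssertionError("unreachable")


class TokenVault:
    """Toy stand-in for the 'independent token mapping database' of item 3.
    Tokens are random, keep the PAN's length and last four digits, and deliberately
    FAIL Luhn so a token can never collide with or pass as a real PAN."""

    ALLOWED_DETOKENIZE_ROLES = {"payment", "chargeback"}   # constructed policy

    def __init__(self) -> None:
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._pan_to_token:       # same PAN always maps to the same token
            return self._pan_to_token[pan]
        while True:
            token = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4)) + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """The only path back to the PAN; gated by role so most applications stay out of scope."""
        if caller_role not in self.ALLOWED_DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not de-tokenize")
        return self._token_to_pan[token]


def demo() -> dict:
    """Tokenize a well-known test number (not a live card) and check the design properties."""
    vault = TokenVault()
    pan = "4111111111111111"
    token = vault.tokenize(pan)
    return {
        "token_differs": token != pan,
        "same_length": len(token) == len(pan),
        "last4_kept": token[-4:] == pan[-4:],
        "token_fails_luhn": not luhn_valid(token),
        "stable": vault.tokenize(pan) == token,
        "round_trip": vault.detokenize(token, "payment") == pan,
    }


if __name__ == "__main__":
    print(demo())   # every value True
```

Two design notes follow from this toy: the vault itself is the one component that is fully in PCI scope, so it must live in its own network segment with its own access controls and logging (compare Pages 6 and 12), and because the token is random rather than derived from the PAN, an attacker holding the token table alone learns nothing about the cards; that is the property the slide's "disassociated and randomly generated alias" wording refers to.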

Page 38: Q & A