Network Segmentation
Transcription
Network Segmentation
June 30, 2015, 12:00 Noon Eastern

Agenda
• Presenters
• Housekeeping
• About Conexxus
• Network Segmentation Presentation
• Q&A

Presenters
• Carl Bayer (cbayer@Conexxus.org), Program Manager, Conexxus
• Kara Gunderson (kgunder@citgo.com), POS Manager, Citgo Petroleum Corporation
• Mark Carl (mcarl@echosat.com), CEO, EchoSat Communications Group, Inc.

2015 Conexxus Webinar Schedule*
Month/Date | Webinar Title | Speaker | Company
June 30, 2015 | Network Segmentation | Mark Carl | Echosat
July | Mobile Commerce | Wesley Burress, Don Friedman | ExxonMobil, P97
August | Point 2 Point Encryption – P2PE | TBD |
September | Asset Tracking in PCI 3.0 | TBD |
October | NACS Show in Las Vegas | No Webinar |
November | Open | TBD |
December | Conexxus – Year end review | TBD | No Webinar
If you have a suggestion for a webinar, please contact Carl Bayer with Conexxus at cbayer@conexxus.org.
* Update: June 9, 2015

About Conexxus
• We are an independent, non-profit, member driven technology organization
• We set standards…
  – Data exchange
  – Security
  – Mobile commerce
• We provide vision
  – Identify emerging tech/trends
• We advocate for our industry
  – Technology is policy

Future Events
• The NACS Show, October 11-14, 2015, Las Vegas Convention Center, Las Vegas, Nevada
• 2016 Conexxus Annual Conference, May 1 – 5, 2016, Loews Ventana Canyon Resort, Tucson, Arizona

Network Segmentation: Limiting Your PCI-DSS Scope
Mark Carl

Who The Heck Are You?
• CEO at EchoSat, Inc.
• Formerly EchoSat’s CTO for 16 years
• Designed and developed EchoSat SPG
• Designed and developed PaySafe SPG managed firewall solution
• Provide gateway and technology for Heartland SmartLink Pro
• Servicing 20,000 petro merchants across many brands
• Securely delivering 12% of all petro transactions to the acquirers
• Level 1 PCI-DSS compliant service provider since 2008

Security Versus Compliance – Who wins?
• Most large breaches occur within PCI-compliant networks
• PCI-DSS is not security, it’s a minimum standard
• Will the card brands issue fines even if you’re compliant?
• Absolutely. If you think they won’t, just ask Target
• Conclusion: You need a security expert, not a compliance expert
• Managed service providers should provide both
• Service providers can transfer responsibility under PCI3 12.8
• Make sure SOMEBODY is responsible
• Recognizing intrusion is as important as preventing it

Do I Have To Do This Myself? NO!
• Third Party Security Assurance (TPSA) is in your favor
• Defines Third Party Service Providers (TPSPs)
• Explains TPSP and merchant responsibilities
• Does NOT relieve merchant from PCI-DSS responsibility
• PCI-DSS 12.8.2 requires written agreements with TPSPs
• Merchants must acknowledge what’s being provided

What does PCI-DSS say about network segmentation?
• Not a PCI-DSS requirement
• Used to reduce the assessment scope for PCI-DSS
• Can be physical or logical separation of components
• Must be assessed adequate by QSA, or transferred by service provider
• Isolates systems that store, process or transmit cardholder data
• This includes the devices that provide the isolation

No Separation
Entire network is within PCI scope
[Diagram: InterWebs, Security, WiFi, POS and Backoffice all on one flat network]

Physical Separation
Limiting PCI-DSS scope physically
[Diagram: InterWebs and Security, with POS on its own physical network apart from WiFi and Backoffice]

Logical Separation
Limiting PCI scope logically
[Diagram: InterWebs and Security, with WiFi, Backoffice and POS as logically separated segments behind the same security device]

Why Do We Need to Segment?
Meet Jim, Our Store Manager…

How Do Attackers Work?
• Find an initial entry point, using phishing, etc
• Gather and analyze information from the entry point
• Leverage and expand access from the breach point
• Use expanded access for mass financial gain

Where’s the Threat?
[Diagram: threat misconception: the InterWebs; actual threat: Jim’s PC on the Backoffice segment, beside WiFi and POS]

Why is Jim Our Primary Threat?
Jim gets an email that his Apple ID has expired, and clicks the link…
…and Jim’s PC is now under the control of a hacker
[Diagram: hacker on the InterWebs launches a persistent, aggressive attack from Jim’s PC against the POS]

How do we mitigate?
We block Jim’s PC from the POS…
…and permit only necessary traffic
[Diagram: Security device between InterWebs, WiFi, Jim’s PC (Backoffice) and POS]

How do we mitigate?
We monitor Jim’s connections for viruses and malware…
…and isolate the POS to the acquirer
[Diagram: InterWebs, Jim’s PC, POS; POS talks only to the Gateway/Acquirer]

Are We Done Now? NO!
We have to monitor, log and alert!
Some examples…
• Log attempts to the POS from Jim’s PC, and alert someone about intrusion attempts.
• Log and alert any new devices that connect to the POS segment and shouldn’t be there.
• Log and alert attempts from the POS to anywhere besides the acquirer or other necessary destinations.

Why Log and Alert?
[Diagram: POS to Gateway/Acquirer: log, don’t alert…; POS to POS Vendor Updates: log, don’t alert…; POS to Some Server in China: call 911…]

What’s On My POS Segment?
Know and understand what’s here, and why…
[Diagram: covered by PA-DSS: Pinpad, POS, EPS, POS, Pinpad; Vendor Zone Routers are PCI-DSS, not PA-DSS…]

Vendor Zone Routers
• May provide POS vendor back-door access to your CDE
• Likely provided by another third party
• Must meet rules of PCI-DSS 12.8.2 and TPSA
• Requires logging, monitoring and alerting
• Significantly impacts your CDE
• Vendor must transfer under TPSA and 12.8.2
• Otherwise, you cannot meet 12.8.2 for your CDE
[Diagram: Vendor Support reaches the CDE through the vendor zone router from the InterWebs; Vendor Zone Routers are PCI-DSS, not PA-DSS…]

THANK YOU
Thank you for attending today’s webinar: Network Segmentation
If you found today’s webinar valuable, please consider supporting Conexxus by becoming a member so we can continue to bring you new and relevant content.
http://www.Conexxus.org/content/membership
Follow the link to learn more.
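The mitigation and "log and alert" slides above describe a policy (POS talks only to the acquirer and other necessary destinations, nothing else may initiate to the POS segment, unknown devices on the POS segment raise an alarm) but not how to check it. The script below is an added example and is not code from the Conexxus webinar or from EchoSat; the zone addressing plan, the acquirer and vendor-update addresses, the POS inventory and the firewall log format are all assumptions made up for the example. It encodes the segmentation policy as a small rule function, runs it over constructed firewall log lines, and separates the "log, don't alert" cases from the "call 911" cases, including the repeated attempts from Jim's PC that the slides call a persistent attack.

```python
"""Segmentation policy check over firewall logs (added example, not from the deck).

Assumptions (invented for this example): three store zones with RFC 1918
addresses, an acquirer gateway and a POS vendor update server on TEST-NET
addresses, and a firewall log line of the form
  "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>".
"""
import ipaddress
import re
from collections import Counter

# Constructed addressing plan for one store (assumption).
ZONES = {
    "POS": ipaddress.ip_network("10.10.1.0/24"),
    "BACKOFFICE": ipaddress.ip_network("10.10.2.0/24"),  # Jim's PC lives here
    "WIFI": ipaddress.ip_network("10.10.3.0/24"),
}
ACQUIRER_GATEWAY = ipaddress.ip_address("203.0.113.10")   # assumed gateway/acquirer
POS_VENDOR_UPDATE = ipaddress.ip_address("198.51.100.20")  # assumed vendor update server

# Devices that are supposed to be on the POS segment (assumed inventory).
POS_INVENTORY = {"10.10.1.10", "10.10.1.11", "10.10.1.20"}

# The only egress the POS segment needs: (destination, port) pairs.
POS_EGRESS_ALLOW = {(ACQUIRER_GATEWAY, 443), (POS_VENDOR_UPDATE, 443)}


def zone_of(ip):
    """Map an address to a store zone; anything else is the InterWebs."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "INTERNET"


def evaluate(src, dst, dport):
    """Apply the segmentation policy to one flow.

    Returns (action, severity, reason): action is ALLOW or DENY, severity is
    LOG (record it) or ALERT (wake somebody up).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_zone, dst_zone = zone_of(src), zone_of(dst)

    # A device on the POS segment that is not in the inventory is an alert
    # regardless of where it is talking to.
    if src_zone == "POS" and str(src) not in POS_INVENTORY:
        return ("DENY", "ALERT", "unknown device on POS segment")

    # POS egress: acquirer and vendor updates are logged, anything else is
    # the "some server in China" case.
    if src_zone == "POS":
        if dst_zone == "POS":
            return ("ALLOW", "LOG", "intra-POS traffic")
        if (dst, dport) in POS_EGRESS_ALLOW:
            return ("ALLOW", "LOG", "POS to approved destination")
        return ("DENY", "ALERT", "POS to unapproved destination")

    # Nothing outside the POS segment (Jim's PC, WiFi, the Internet) may
    # initiate a connection into it.
    if dst_zone == "POS":
        return ("DENY", "ALERT", f"{src_zone} attempted connection to POS segment")

    # Remaining traffic (back office and WiFi to the Internet) is permitted
    # and still logged.
    return ("ALLOW", "LOG", f"{src_zone} to {dst_zone}")


LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_log_line(line):
    """Pull (src, dst, dport) out of one assumed-format log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def review(lines, persistent_threshold=3):
    """Run the policy over log lines.

    Returns (decision counts, alert list, set of sources whose alert count
    reached the threshold, i.e. a persistent attack rather than a one-off).
    """
    decisions = Counter()
    alerts = []
    alerts_per_source = Counter()
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue  # malformed line; a real deployment would count these too
        src, dst, dport = parsed
        action, severity, reason = evaluate(src, dst, dport)
        decisions[action] += 1
        if severity == "ALERT":
            alerts.append((src, dst, dport, reason))
            alerts_per_source[src] += 1
    persistent = {s for s, n in alerts_per_source.items() if n >= persistent_threshold}
    return decisions, alerts, persistent


# Constructed sample log (not real traffic): POS to acquirer and vendor,
# Jim's PC (10.10.2.15) probing the POS, a POS box calling out to an unknown
# host, an uninventoried device on the POS segment, and normal web browsing.
SAMPLE_LOG = [
    "2015-06-30T12:01:05 src=10.10.1.10 dst=203.0.113.10 dport=443 proto=tcp",
    "2015-06-30T12:01:09 src=10.10.1.10 dst=198.51.100.20 dport=443 proto=tcp",
    "2015-06-30T12:02:11 src=10.10.2.15 dst=10.10.1.10 dport=445 proto=tcp",
    "2015-06-30T12:02:12 src=10.10.2.15 dst=10.10.1.10 dport=3389 proto=tcp",
    "2015-06-30T12:02:13 src=10.10.2.15 dst=10.10.1.11 dport=445 proto=tcp",
    "2015-06-30T12:03:00 src=10.10.1.10 dst=192.0.2.77 dport=443 proto=tcp",
    "2015-06-30T12:03:30 src=10.10.1.99 dst=203.0.113.10 dport=443 proto=tcp",
    "2015-06-30T12:04:00 src=10.10.3.40 dst=192.0.2.5 dport=443 proto=tcp",
    "2015-06-30T12:04:05 src=10.10.2.15 dst=192.0.2.5 dport=80 proto=tcp",
]

if __name__ == "__main__":
    counts, found, persistent = review(SAMPLE_LOG)
    print("decisions:", dict(counts))
    for src, dst, dport, reason in found:
        print(f"ALERT {src} -> {dst}:{dport}: {reason}")
    print("persistent attackers:", sorted(persistent))
```

The point of the three-way split is the one the "Why Log and Alert?" slide makes: POS-to-acquirer and POS-to-vendor traffic is expected and only needs a log entry, while a POS box reaching an address outside its allowlist, a device on the POS segment that nobody inventoried, or a back-office PC knocking on the POS all need a human. Counting alerts per source turns three probes from Jim's PC into one escalated finding instead of three separate tickets; the same rule function can be fed from a real firewall's logs once the regular expression is adapted to its format.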