In this post, we get insights from Jacob Ansari, QSA (P2PE), PA-QSA (P2PE), CISSP, Director at Schellman & Company, LLC. Here he discusses his presentation “Stealing a March: Get Ahead of Changes to Compliance and the Threat Landscape” from the Europe Community Meeting in Barcelona.
There are some important PCI DSS deadlines coming up. Let’s start with the SSL/early TLS migration. Why is it important for organizations to migrate away from SSL/TLS?
Jacob Ansari: Using SSL v3.0 (or earlier) or TLS v1.0 comes with significant security risks. There are some fairly complicated reasons why the protocols themselves have fundamental weaknesses, so they can’t get fixed with a patch or a configuration change. Specifically, an attacker who’s monitoring the encrypted traffic can find weaknesses in the values and attempt to extract that key and decrypt the session. This isn’t particularly theoretical either; if the good guys can demonstrate it, the bad guys can use it maliciously. Therefore, it’s high time to move to more secure versions of TLS, namely 1.2.
What is the deadline? What are some major steps organizations need to be doing to meet the deadline?
Jacob Ansari: The deadline is June 30, 2018 for both merchants and service providers to no longer use SSL and early TLS as a security control. This is different from the provision in PCI DSS Appendix A2 that service providers must provide a secure service offering, which already needs to have happened. This is expressly no longer using the insecure protocols as security controls. Between now and the deadline, organizations that are still using these insecure protocols as a security control need a formal documented transition plan (i.e., a schedule for this transition) and a Risk Mitigation and Migration Plan (i.e., how to ameliorate the risks of using the insecure protocols between now and their deactivation).
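A practical first step in the transition plan described above is to find out which protocol versions each in-scope endpoint will still negotiate. The following probe is an added example written for this post, not code from Jacob Ansari, Schellman or the PCI SSC. It sends a ClientHello that offers exactly one protocol version and classifies the server's first record: a ServerHello means the version was accepted, a `protocol_version` alert means it was refused. The cipher suite list, the host name `example.com` and the port 443 are assumptions for illustration; everything else is plain TLS 1.0–1.2 record and handshake framing from the RFCs, so the script runs with the Python standard library only.

```python
"""Probe which SSL/TLS protocol versions a server will negotiate.

Added example, not part of the original post. Offers one version per
connection and reports whether the server accepted or rejected it.
"""
import os
import socket
import struct
import time

# Protocol versions as (major, minor) wire values.
VERSIONS = {
    "SSLv3": (3, 0),
    "TLSv1.0": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}
# SSL and TLS 1.0 are what PCI DSS 3.2 calls SSL / "early TLS" and must no
# longer be used as a security control after the June 30, 2018 deadline.
EARLY_VERSIONS = {(3, 0), (3, 1)}

# Assumed cipher suite list: RSA and ECDHE suites that legacy and current
# stacks both understand. For a version probe a short fixed list is enough.
CIPHER_SUITES = [0xC02F, 0xC030, 0xC013, 0xC014, 0x009C, 0x009D, 0x002F, 0x0035, 0x000A]

# Alert descriptions from RFC 5246 section 7.2.
ALERT_HANDSHAKE_FAILURE = 40
ALERT_PROTOCOL_VERSION = 70


def build_client_hello(version, server_name=None):
    """Build one TLS record carrying a ClientHello that offers only `version`."""
    major, minor = version
    client_random = struct.pack("!I", int(time.time())) + os.urandom(28)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        bytes([major, minor])
        + client_random
        + b"\x00"                                 # empty session ID
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                             # one compression method: null
    )
    if server_name and version != VERSIONS["SSLv3"]:
        # server_name extension (RFC 6066). Omitted for SSLv3, which predates
        # extensions and whose servers may abort on them.
        name = server_name.encode("idna")
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    # Handshake header: type 1 (client_hello) + 3-byte length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake) + version + 2-byte length.
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the server's first record.

    Returns ("accepted", (major, minor)) for a ServerHello, ("rejected", alert_code)
    for an alert record, or ("unexpected", content_type) for anything else.
    """
    if len(data) < 5:
        return ("unexpected", None)
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        # ServerHello: 1 byte type, 3 bytes length, then the negotiated version.
        return ("accepted", (payload[4], payload[5]))
    if content_type == 0x15 and len(payload) >= 2:
        # Alert: level, description. 70 = protocol_version, 40 = handshake_failure
        # (the latter usually means cipher suite mismatch, not a version refusal).
        return ("rejected", payload[1])
    return ("unexpected", content_type)


def _recv_record(sock):
    """Read exactly one TLS record (header plus body) from the socket."""
    header = b""
    while len(header) < 5:
        chunk = sock.recv(5 - len(header))
        if not chunk:
            return header
        header += chunk
    length = struct.unpack("!H", header[3:5])[0]
    body = b""
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            break
        body += chunk
    return header + body


def probe(host, port, version, timeout=5.0):
    """Offer a single protocol version to host:port and report what came back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, server_name=host))
        return parse_server_response(_recv_record(sock))


def early_versions_accepted(results):
    """Given {name: (status, detail)} from probe(), list the versions PCI DSS flags."""
    return sorted(
        name for name, (status, detail) in results.items()
        if status == "accepted" and detail in EARLY_VERSIONS
    )


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed target
    results = {name: probe(host, 443, ver) for name, ver in VERSIONS.items()}
    for name, (status, detail) in results.items():
        print(f"{name:8} {status} {detail}")
    bad = early_versions_accepted(results)
    print("PCI early-TLS finding:", ", ".join(bad) if bad else "none")
```

Run it as `python probe_tls.py host` against each endpoint in scope and keep the output with the transition plan. Read a `handshake_failure` (40) separately from `protocol_version` (70): the former means the server did not like the offered cipher suites (for instance an ECDSA-only certificate with this RSA-heavy list), so it does not by itself prove the version is disabled. Note also that a server asked for TLS 1.1 may answer with a TLS 1.0 ServerHello; that counts as TLS 1.0 being accepted and the script flags it accordingly.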
Another major update to PCI DSS is the new language around multi-factor authentication. Can you provide a brief overview of what these changes mean for organizations?
Jacob Ansari: The new language calls for multi-factor authentication for all non-console administrative access to the cardholder data environment, even if from the organization’s corporate network. For a long time, many organizations mistook the intent of the original language and implemented two-factor or multi-factor authentication from the Internet to the out-of-scope corporate network, and didn’t require multi-factor authentication from that corporate network into the cardholder data environment. This seems to miss the point of the requirement, and the new language supports this idea: administrative users (for a generous definition of administrative) accessing the cardholder data environment must use multi-factor authentication, even from within the corporate environment. Non-administrative users can follow this older model of requiring multi-factor authentication to the organization’s perimeter.
You discuss the importance of performing penetration testing to prove proper segmentation. What are some critical steps to perform such a test?
Jacob Ansari: Too often when security incidents occur, the network segmentation that should have helped prevent the attack didn’t really work as advertised. Testing the effectiveness of the segmentation should help with this, provided the penetration testing really does rigorously test those controls. This needs to involve more than just port scanning from outside network segments to determine if there are any open ports. It should test remote access mechanisms, try to hop through administrator workstations, and look at any shared services networks that might allow an attacker some advantage in getting into the in-scope environment.
Your presentation touches upon making security “business-as-usual”. Why is this important?
Jacob Ansari: Too often, we find our clients looking to meet the narrowest definition of the requirements, and then forgetting about their security controls between assessments. Organizations actually taking security seriously need some regular checkup on the effectiveness of their controls, need to understand whether what they’re doing actually works, and whether the disparate parts of their security program fit together coherently. Taking this approach gives some more visibility and control and can hopefully help organizations treat their security program as no less essential to their business than their finance or operations or business development activities.
What are you most looking forward to at this year’s Europe Meeting?
Jacob Ansari: As always, I’m looking forward to connecting with colleagues I’ve known for years and meeting new people. Hopefully, I can answer some questions people have in the breaks and after hours and ask questions of others during those same times.