Payment Card Industry (PCI) Data Security Standards (DSS) October 2012

Payment Card Industry (PCI) Data Security Standards (DSS)
Challenges and Issues for zSeries Systems
Vanguard Integrity Professionals
www.go2vanguard.com
October 2012
Overview
Session Overview
The PCI Data Security Standards apply to any company that transmits, processes or stores credit card
“cardholder” data.
While many companies are exempt from PCI, no company is exempt from protecting its sensitive data,
which includes customer data, company confidential data and Personally Identifiable Information (PII).
This presentation provides an overview of the PCI Data Security Requirements, why they evolved, why they
are important and how the requirements can be leveraged by all companies to improve their overall
compliance program. Several of the requirements will be discussed in detail, the “hidden meaning” of each
requirement will be revealed, and examples will be provided showing how RACF controls can be
implemented, and supporting evidence collected, to demonstrate compliance.
The Problem:
Credit Card Breaches
As long as there is a black market for credit cards, there will be cardholder breaches.
Albert Gonzalez dubbed his operation “Operation Get Rich or Die Tryin’”.
Convicted for breaches at:
TJX Corp (45M)
Heartland Payment Systems (100M)
Hannaford Bros Co (4.2M)
7-Eleven (TBD)
2 Unidentified Companies (TBD)
Albert also infiltrated these companies for over 40 million cards:
BJ's Wholesale Club
Barnes & Noble Inc
Office Max
Dave & Buster's
DSW shoe stores
Forever 21
The Cost of a Credit Card Breach
Forrester Report: Costs Associated with a Credit Card Breach
The PCI DSS Infrastructure
The PCI Security Council, Sponsoring Organizations, QSAs and PFIs
PCI Security Council & Sponsoring Organizations
Qualified Security Assessor (QSA): 264 companies as of August 2011
PCI Forensic Investigator (PFI): 15 companies as of August 2011
Top PCI Challenges
for zSeries Systems
Challenges
1. Interpreting PCI DSS for zSeries Systems
Top PCI Challenges
for zSeries Systems
PCI DSS High Level Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.
“Interpreting PCI DSS for zSeries Systems”
Requirement 7.2
Requirement 7: Restrict access to cardholder data by business need to know
PCI DSS Requirement 7.2: Establish an access control system for systems components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. This access control system must include the following:
Testing Procedure 7.2: Examine system settings and vendor documentation to verify that an access control system is implemented as follows:
7.2.1 Coverage of all system components
  Testing Procedure 7.2.1: Confirm that access control systems are in place on all system components.
7.2.2 Assignment of privileges to individuals based on job classification and function
  Testing Procedure 7.2.2: Confirm that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.
7.2.3 Default “deny-all” setting
  Testing Procedure 7.2.3: Confirm that the access control system has a default “deny-all” setting.
Assessment worksheet columns for each requirement: In Place / Not in Place / Target Date and Comments
“Interpreting PCI DSS for zSeries Systems”
Navigating PCI DSS
Refer to “Navigating PCI DSS” for guidance for interpreting
the intent of a requirement.
Requirement 7.2 Guidance
Without a mechanism to restrict access based on user’s
need to know, a user may unknowingly be granted access
to cardholder data. Use of an automated access control
system or mechanism is essential to manage multiple
users.
This system should be established in accordance with
your organization’s access control policy and processes
(including “need to know” and “role-based access
control”), should manage access to all system
components, and should have a default “deny-all” setting
to ensure no one is granted access until and unless a rule
is established specifically granting such access.
“Interpreting PCI DSS for zSeries Systems”
PCI 7.2.3 – “Deny-all” Settings
Requirement 7: Restrict access to cardholder data by business need to know
7.2 Establish an access control system for systems components with multiple users that restricts
access based on a user’s need to know, and is set to “deny all” unless specifically allowed. This
access control system must include the following:
7.2.3 Default “deny-all” setting
• The challenge for complying with PCI 7.2.3 is to determine what counts as a default “deny-all” setting.
PCI 7.2.3 Testing
Procedure
Confirm that the access
control systems have a
default “deny-all” setting.
• For a RACF system, the PROTECTALL feature would be the obvious default “deny-all” setting.
• However, if you stop there, you would be misinterpreting the requirement. PROTECTALL only guarantees that every data set is covered by some profile; the profile itself can still grant access through its UACC, WARNING mode or an ID(*) entry.
“Interpreting PCI DSS for z/OS Software”
“Deny-all” Setting
“Deny-All” Settings
Some examples of RACF settings that determine whether “deny-all” is actually in place:
- Profiles - Universal Access (UACC)
- Profiles - Warning
- Global Access Table
- Inactive RACF Classes
- ID(*) on an access list with READ or higher
“Interpreting PCI DSS for zSeries systems”
What is a z/OS “System Component”?
Roles shown on the slide: 1st Systems Programmer, 2nd Systems Programmer, RACF Engineer, RACF Administrator, Database Administrator, QSA & Compliance Officers (?)
Components shown (grouped by role on the original slide):
- Master Catalog
- SDSF
- APF Authorized Datasets
- Session Managers
- LINKLIB Datasets
- SYS1.UADS Dataset
- The RACF Database
- Copies of the RACF database
- SETROPTS Settings
- User Catalogs
- WebSphere
- RACF Database
- JES2 / JES3
- Parmlib Datasets
- OMEGAMON
- Multi-User Access Systems
- WebSphere MQ
- RACF Classes
- General Resource Profiles
- Encryption Keys
- z/OS Security Patches
- DFSMS
- System Proclibs
- SVC’s
- Privileged Userids
- DB2 Table Trace
- Started Tasks
- CICS System Datasets
- RACF Exits
- Oracle Databases
- SYS1.Parmlib
- DB2 System Datasets
- RACF Tables
- RACF Classes for DB2
- SMF Log Files
- IBM Comm Server
- IRR Prefixed Utilities
- IDMS
- System Exits
- Vendor Security Products
- Logging Parameters
- ICSF Encryption Keys
- Magnetic Tape
- RACF CDT
- Group Membership
- Dataset Profiles
- General Resource Profiles
- User ID Attributes
- Group Connect Authorities
- Role Based Access
- IMS Databases
- DB2 Databases
Top PCI Challenges
for zSeries Systems
Challenges
1. Proper Interpretation of the Requirements
2. Reducing Scope
“Reducing Scope”
Current SMF Data Flow Diagram
SMF Data Flow Based on an “Interview”
Flow: SYSA.PARMLIB (SMFPRM00) -> SYS1.SMFMANxx -> SMF.DAILY(+1) -> SYS2.SMF.UNLOAD (RETPD: 1 day)
Downstream extracts: PROD.SMF.WKLY(+1); BKUP.SMF.WKLYY(+1) (RETPD: 60 days); SEC.RACF.SMFD(+1), SEC.RACF.SMFW(+1), SEC.RACF.SMFM(+1); OFFSITE copy (RETPD: 180 days); ONLINE reports SAR.SEC.VIOL(+1), SAR.SEC.ACCESS(+1), SAR.RACF.CMDS(+1), SAR.LOGONS(+1)
Other retention periods shown on the diagram: 20 days, 10 days, 60 days
RACF covering profiles: SYSA.*, SYS1.SMFMAN*, SYS2.SMF*, SMF.**, PROD.SMF.**, BKUP.SMF.**, SEC.RACF.*, SAR.**
RACF Compliance Reports (stored on DASD volumes): RETPD 30 days
“Reducing Scope”
Reduced SMF Data Flow Diagram
Flow: SMF.PARMLIB (SMFPRM00) -> SMF.SMFMANxx -> SMF.DAILY(+1) -> SMF.UNLOAD (RETPD: 1 day) -> SMF.WKLY(+1) and SMF.RACF.SMFD(+1)
Retention: 14 days onsite (PCI 10.5.3); 365 days offsite (PCI 10.7.b)
RACF covering profile: SMF.** (annotated with PCI 7.2.1, 7.2.2, 7.2.3, 10.2.3, 10.5.1, 10.5.2, 10.5.3)
Outputs: RACF Compliance Reports (RETPD: 90 days onsite, PCI 10.7.b), delivered by E-Mail and feeding Remediation Activities (PCI 10.6)
Remediation Activities:
1. Eliminated unnecessary SMF extract files
2. Renamed datasets to eliminate 7 RACF dataset profiles
3. Remediated the new RACF dataset profile to be PCI compliant
4. Increased the offsite retention period from 180 to 365 days
5. Increased the onsite availability from 60 to 90 days
6. Created an SMF Data Flow Diagram to document the process
Top PCI Challenges
for zSeries Systems
Challenges
1. Proper Interpretation of the Requirements
2. Reducing Scope
3. Identifying “Not in Place” Requirements
“Identifying Not in Place Requirements”
Vanguard’s Findings Mapped to PCI Requirements
Vanguard’s Top 10 RACF Findings (rank, finding, percent occurrence of finding, PCI requirement)
1. Excessive Number of User IDs with No Password Interval: 67%, PCI 8.5.9
2. Data Set Profiles with UACC Greater than READ: 52%, PCI 7.2.2 / 7.2.3
3. Inappropriate Usage of z/OS UNIX Superuser Privilege UID(0): 52%, PCI 7.2.2
4. Started Task IDs are not Defined as PROTECTED IDs: 44%, PCI 2.2.3
5. Production Batch Jobs have Excessive Resource Access: 39%, PCI 7.2.2
6. Excessive Access to APF Libraries: 37%, PCI 7.2.2
7. Data Set Profiles with UACC of READ: 36%, PCI 7.2.2 / 7.2.3
8. Excessive Number of User IDs with the OPERATIONS Attribute: 35%, PCI 7.2.2
9. RACF Database is not Adequately Protected: 32%, PCI 7.2.2
10. Excessive Number of User IDs with the SPECIAL Attribute: 31%, PCI 7.2.2
“Identifying “Not in Place” Requirements”
Is this Dataset Profile PCI Compliant?
LISTDSD output for the profile, annotated with the PCI requirement each field maps to:

INFORMATION FOR DATASET PCI.CREDIT.DATA (G)
LEVEL  OWNER  UNIVERSAL ACCESS  WARNING  ERASE
-----  -----  ----------------  -------  -----
00     PCI    READ              YES      NO
       (UNIVERSAL ACCESS and WARNING -> PCI 7.2.3; ERASE -> PCI 9.10.2 Render cardholder data unrecoverable)
AUDITING
--------
FAILURES(READ)                   (-> PCI 10.2.1 Log all access to cardholder data)
NOTIFY
------
NO USER TO BE NOTIFIED           (-> PCI 11.5.b)
ID        ACCESS
--------  ------
*         READ                   (-> PCI 7.2.3)
USER1     READ                   (-> PCI 7.2.2 Role Based Access)
PCIGRP    READ
ID  ACCESS  CLASS  ENTITY NAME
NO ENTRIES IN CONDITIONAL ACCESS LIST

Requirement Not in Place:
7.2.2   User ids on access list
7.2.3   UACC not set to a deny-all setting
7.2.3   WARNING not set to a deny-all setting
7.2.3   ID(*) READ not set to a deny-all setting
9.10.2  ERASE not set to (YES)
10.2.1  AUDIT not set to (ALL)
11.5.b  NOTIFY not used to send alerts
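The profile review above, and the list of RACF “deny-all” settings given earlier (UACC, WARNING, ID(*) with READ or higher), can be automated. The following is an added example, not code from the slides or from any Vanguard product: it parses a LISTDSD-style listing and reports the same seven “Not in Place” conditions against the PCI requirements the slide cites. The embedded listing is a constructed reproduction of the PCI.CREDIT.DATA profile shown above; the set of known RACF group names, which on a real system would come from LISTGRP, is an assumption passed in by the caller.

```python
"""Audit a RACF data set profile listing for PCI "deny-all" and logging gaps.

Added example (not from the slides or Vanguard's products): parses a
LISTDSD-style listing and maps each weak setting to the PCI DSS requirement
the slide cites. SAMPLE_LISTING is a constructed reproduction of the
PCI.CREDIT.DATA profile; known_groups is assumed (LISTGRP on a real system).
"""
import re

SAMPLE_LISTING = """\
INFORMATION FOR DATASET PCI.CREDIT.DATA (G)

LEVEL  OWNER    UNIVERSAL ACCESS  WARNING  ERASE
-----  -------- ----------------  -------  -----
 00    PCI             READ         YES     NO

AUDITING
--------
FAILURES(READ)

NOTIFY
------
NO USER TO BE NOTIFIED

   ID       ACCESS
--------  -------
*         READ
USER1     READ
PCIGRP    READ

   ID    ACCESS  CLASS  ENTITY NAME
-------- ------- ------ -----------
NO ENTRIES IN CONDITIONAL ACCESS LIST
"""

# RACF access levels, weakest to strongest, for "READ or higher" tests.
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def parse_listdsd(text):
    """Pull profile name, UACC/WARNING/ERASE, auditing, notify and the
    standard access list out of a LISTDSD listing."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    prof = {"acl": []}
    m = re.search(r"INFORMATION FOR DATASET (\S+)", text)
    prof["profile"] = m.group(1) if m else None
    for i, ln in enumerate(lines):
        if ln.startswith("LEVEL"):
            # Header line, dashed rule, then the single values row.
            vals = lines[i + 2].split()
            prof["level"], prof["owner"], prof["uacc"], prof["warning"], prof["erase"] = vals
        elif ln == "AUDITING":
            prof["auditing"] = lines[i + 2].strip()
        elif ln == "NOTIFY":
            prof["notify"] = lines[i + 2].strip()
        elif ln.strip().startswith("ID") and "CLASS" not in ln:
            # Standard access list: "ID ACCESS" rows up to the next blank line.
            j = i + 2
            while j < len(lines) and lines[j].strip():
                ident, access = lines[j].split()[:2]
                prof["acl"].append((ident, access))
                j += 1
    return prof


def pci_findings(prof, known_groups):
    """Return (requirement, description) pairs for every setting that is
    not deny-all (7.2.3), not role-based (7.2.2), or not logged/alerted."""
    f = []
    if prof["uacc"] != "NONE":
        f.append(("7.2.3", f"UACC({prof['uacc']}) is not a deny-all setting"))
    if prof["warning"] == "YES":
        f.append(("7.2.3", "WARNING(YES) allows access that would otherwise fail"))
    for ident, access in prof["acl"]:
        if ident == "*" and ACCESS_ORDER.index(access) >= ACCESS_ORDER.index("READ"):
            f.append(("7.2.3", f"ID(*) {access} on the access list is not a deny-all setting"))
        elif ident != "*" and ident not in known_groups:
            f.append(("7.2.2", f"user ID {ident} permitted directly instead of through a group"))
    if prof["erase"] != "YES":
        f.append(("9.10.2", "ERASE(NO): released extents are not overwritten on scratch"))
    if not prof["auditing"].startswith("ALL("):
        f.append(("10.2.1", f"AUDIT({prof['auditing']}) does not log successful access"))
    if prof["notify"].startswith("NO USER"):
        f.append(("11.5.b", "NOTIFY not set, so violations raise no alert"))
    return f


if __name__ == "__main__":
    profile = parse_listdsd(SAMPLE_LISTING)
    for req, desc in pci_findings(profile, known_groups={"PCIGRP"}):
        print(f"{req:7} Not in Place: {desc}")
```

A profile passes this check only with UACC(NONE), NOWARNING, no ID(*) at READ or above, only groups on the access list, ERASE, AUDIT(ALL(READ)) and a NOTIFY user. The Global Access Table and inactive classes from the deny-all list are system-level settings that do not appear in a profile listing, so they need a separate review of SETROPTS LIST output and the GLOBAL class.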
“Identifying “Not in Place” Requirements”
PCI RACF Mini-Review
Making Management aware.
Why do I need a PCI z/OS RACF Mini Readiness Review?
The mini assessment is designed to give the administrator and their management a real-time view
(health check) of the integrity of their system.
The mini assessment is an engagement that investigates areas in which we frequently find problems.
Each problem is then mapped to the applicable PCI requirement.
This no-charge offering, with an investment of only a few hours’ time, provides insight into the
z/OS RACF “Not in Place” conditions that need to be addressed. Mini Readiness Reviews can help you
develop the justification management needs to allocate resources to address the issues identified.
Top PCI Challenges
for zSeries Systems
Challenges
1. Proper Interpretation of the Requirements
2. Reducing Scope
3. Identifying “Not in Place” Requirements
4. Proving Compliance
“Proving Compliance”
Supporting Documentation
Sample Vanguard Administrator™ report, showing the elements an assessor expects on supporting evidence: Product Name, Version #, Report Name, Report Masking Criteria, Report “Date and Time”, CPU ID, Profile Names, the 7.2.3 Deny-All Settings being evidenced, and a Watermark.
“Proving Compliance”
Supporting Documentation
7.2 Establish an access control system for systems components
Exhibit 7.2 – Cardholder Data Flow Diagram
Exhibit 7.2 – RACF Data Flow Diagram
Exhibit 7.2 – SMF Data Flow Diagram
7.2.1 Coverage of all system components
Exhibit 7.2.1 – RACF Databases
7.2.2 Assignment of privileges based on job classification and function
RACF Group Profiles
Exhibit 7.2.2 – RBAC Supporting Documentation
RACF User ID Profiles
Exhibit 7.2.2 – User IDs with System Level Administrative Privileges
Exhibit 7.2.2 – User IDs on Access Lists
RACF Dataset Profiles
Exhibit 7.2.2 – Cardholder Dataset Profiles
System Data Set Profiles
Exhibit 7.2.2 – Authorized Program Facility (APF) Data Sets
Exhibit 7.2.2 – DASD Volume Backup Data Sets
Exhibit 7.2.2 – LINKLIST Data Sets
Top PCI Challenges
for zSeries Systems
Challenges and Solutions
1. Proper Interpretation of the Requirements
2. Reducing Scope
3. Identifying “Not in Place” Requirements
4. Proving Compliance
5. Staying Compliant
“Staying Compliant”
Ongoing Readiness Reviews
Requirement 7.2.3
System Settings
PROTECTALL Feature
Profile Settings
WARNING Attribute
Universal Access – UACC(NONE) Attribute
ID(*) on an Access List
Global Access Settings (GAC)
General Resource Back-Stop Profiles
Inactive General Resource Classes
Profiles that can bypass a “deny-all” Setting
TAPEDSN Feature
ICHBLP Profile
RACF Dataset Conversion Table
RACF Exits
“Staying Compliant”
Continuous Monitoring Tools - Intrusion Prevention
Vanguard Policy Manager™
1. User issues a supported RACF command
“Continuous Monitoring and Policy Enforcement” of RACF Commands:
a) Validates that the command issuer is authorized to issue the command
b) Validates that the command is compliant with user-defined policies
c) Modifies commands to comply with written policies prior to execution (PCI 7.2.3)
d) Fails non-compliant commands (e.g. unauthorized changes to the PCI.CREDIT.DATA profile)
e) Logs all command activity to System Management Facility (SMF) (PCI 10.2.2, PCI 10.2.7)
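Steps a) through e) describe a pre-execution gate in front of the RACF command processor. The block below is an added, illustrative example of that flow and is not Vanguard Policy Manager’s code: it checks the issuer, compares ALTDSD/ADDSD/PERMIT/DELDSD commands against a written deny-all policy for cardholder-data profiles, rewrites what can be fixed, fails the rest, and records every decision. The PCI.* profile mask, the RACFADM issuer table, the in-memory list standing in for SMF records and the commands in the demo are all constructed for illustration.

```python
"""Policy gate for RACF commands that touch cardholder-data profiles.

Added example, not Vanguard's product code. Follows the slide's flow:
authorize the issuer, compare the command with a written deny-all policy,
rewrite what can be fixed, fail the rest, and log every decision.
PCI_PROFILE_MASK, AUTHORIZED_ISSUERS and SMF_LOG are constructed stand-ins.
"""
import fnmatch
import re

PCI_PROFILE_MASK = "PCI.*"          # assumed: profiles covering cardholder data
AUTHORIZED_ISSUERS = {"RACFADM"}    # assumed: IDs allowed to alter PCI profiles
SMF_LOG = []                        # stands in for SMF command records (10.2.2 / 10.2.7)

CMD_RE = re.compile(r"^(ALTDSD|ADDSD|PERMIT|DELDSD)\s+'?([A-Z0-9.$#@*%]+)'?")


def apply_policy(verb, cmd):
    """Return (action, command, reason) for a command on an in-scope profile."""
    if verb == "DELDSD":
        return "FAIL", cmd, "deleting the profile removes coverage (7.2.1)"
    if verb == "PERMIT":
        acc = re.search(r"ACCESS\((\w+)\)", cmd)
        level = acc.group(1) if acc else "READ"      # PERMIT defaults to READ
        if re.search(r"ID\(\s*\*\s*\)", cmd) and level not in ("NONE", "EXECUTE"):
            return "FAIL", cmd, "ID(*) with READ or higher is not deny-all (7.2.3)"
        return "ALLOW", cmd, ""
    # ALTDSD / ADDSD: rewrite a non-NONE UACC and a WARNING request in place.
    fixed = re.sub(r"UACC\((?!NONE\))\w+\)", "UACC(NONE)", cmd)
    fixed = re.sub(r"(?<!NO)\bWARNING\b", "NOWARNING", fixed)
    if fixed != cmd:
        return "MODIFY", fixed, "rewritten to deny-all settings (7.2.3)"
    return "ALLOW", cmd, ""


def check_command(issuer, cmd):
    """Gate one command: return (action, command_to_run, reason) and log it."""
    cmd = " ".join(cmd.upper().split())
    m = CMD_RE.match(cmd)
    if not m:
        action, out, reason = "FAIL", cmd, "unsupported command"
    elif not fnmatch.fnmatchcase(m.group(2), PCI_PROFILE_MASK):
        action, out, reason = "ALLOW", cmd, "profile outside PCI scope"
    elif issuer not in AUTHORIZED_ISSUERS:
        action, out, reason = "FAIL", cmd, f"{issuer} not authorized for PCI profiles"
    else:
        action, out, reason = apply_policy(m.group(1), cmd)
    SMF_LOG.append((issuer, cmd, action, out, reason))
    return action, out, reason


if __name__ == "__main__":
    # Constructed demo commands.
    for who, c in [
        ("RACFADM", "ALTDSD 'PCI.CREDIT.DATA' UACC(READ) WARNING"),
        ("USER1", "PERMIT 'PCI.CREDIT.DATA' ID(USER1) ACCESS(UPDATE)"),
        ("RACFADM", "PERMIT 'PCI.CREDIT.DATA' ID(*)"),
        ("RACFADM", "PERMIT 'PCI.CREDIT.DATA' ID(PCIGRP) ACCESS(READ)"),
    ]:
        print(who, check_command(who, c))
```

The rewrite step is deliberately narrow: only UACC and WARNING are corrected silently, because both have an unambiguous compliant form. Anything that would widen access through ID(*) or remove a covering profile is failed rather than “fixed”, so the administrator sees the rejection in the log instead of a silently altered command.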
“Staying Compliant”
Continuous Monitoring Tools - Intrusion Prevention
Monitor and Fail Non-Compliant RACF Commands (PCI 11.4.a)
“Staying Compliant”
Continuous Monitoring Tools - Intrusion Detection
Monitoring RACF “Insufficient Access” Events
“Staying Compliant”
Continuous Monitoring Tools - Intrusion Detection
Vanguard Enforcer™ and Vanguard Advisor™ - Real-Time Alerts (PCI 11.4.b)
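The two intrusion-detection slides above monitor RACF “insufficient access” events and turn them into real-time alerts. As an added example (not the page’s or Vanguard’s code), the block below parses the multi-line ICH408I message RACF writes to the console and SYSLOG when an access check fails, keeps the violations against profiles in PCI scope, and escalates when one user repeats them. The SYSLOG extract is a constructed sample; the PCI.* mask and the repeat threshold are assumptions.

```python
"""Turn RACF ICH408I access-violation messages into PCI alerts.

Added example, not the page's or Vanguard's code. RACF issues ICH408I when an
access check fails; the message spans several lines. This reassembles each
message, keeps violations against in-scope profiles, and escalates repeat
offenders. SAMPLE_SYSLOG is constructed; pci_mask and threshold are assumed.
"""
import fnmatch
import re
from collections import defaultdict

SAMPLE_SYSLOG = """\
ICH408I USER(USER1   ) GROUP(PCIGRP  ) NAME(J. DOE              )
  PCI.CREDIT.DATA CL(DATASET ) VOL(PCI001)
  INSUFFICIENT ACCESS AUTHORITY
  FROM PCI.CREDIT.* (G)
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
ICH408I USER(USER2   ) GROUP(DEVGRP  ) NAME(R. ROE              )
  PCI.CREDIT.DATA CL(DATASET ) VOL(PCI001)
  INSUFFICIENT ACCESS AUTHORITY
  FROM PCI.CREDIT.* (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(USER2   ) GROUP(DEVGRP  ) NAME(R. ROE              )
  TEST.DATA CL(DATASET ) VOL(TST001)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
ICH408I USER(USER2   ) GROUP(DEVGRP  ) NAME(R. ROE              )
  PCI.CREDIT.DATA CL(DATASET ) VOL(PCI001)
  INSUFFICIENT ACCESS AUTHORITY
  FROM PCI.CREDIT.* (G)
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(NONE   )
"""

HEADER = re.compile(r"^ICH408I USER\((\S+)\s*\) GROUP\((\S+)\s*\)")
RESOURCE = re.compile(r"^\s*(\S+) CL\((\S+)\s*\)")
INTENT = re.compile(r"ACCESS INTENT\((\w+)\s*\)\s+ACCESS ALLOWED\((\w+)\s*\)")


def parse_ich408i(text):
    """Group each ICH408I header with its continuation lines into one event."""
    events, cur = [], None
    for ln in text.splitlines():
        m = HEADER.match(ln)
        if m:
            cur = {"user": m.group(1), "group": m.group(2), "violation": False}
            events.append(cur)
            continue
        if cur is None:
            continue                      # continuation line with no header seen
        m = RESOURCE.match(ln)
        if m and "resource" not in cur:
            cur["resource"], cur["class"] = m.group(1), m.group(2)
        elif "INSUFFICIENT ACCESS AUTHORITY" in ln:
            cur["violation"] = True
        else:
            m = INTENT.search(ln)
            if m:
                cur["intent"], cur["allowed"] = m.groups()
    return events


def pci_violations(events, pci_mask="PCI.*"):
    """Violations against cardholder-data profiles; each is an alertable event."""
    return [e for e in events
            if e["violation"] and fnmatch.fnmatchcase(e.get("resource", ""), pci_mask)]


def repeat_offenders(violations, threshold=2):
    """Escalate when one user reaches the threshold of in-scope violations."""
    per_user = defaultdict(list)
    for e in violations:
        per_user[e["user"]].append(e)
    return [{"user": u, "count": len(v), "resources": sorted({e["resource"] for e in v})}
            for u, v in per_user.items() if len(v) >= threshold]


if __name__ == "__main__":
    evs = parse_ich408i(SAMPLE_SYSLOG)
    for e in pci_violations(evs):
        print("VIOLATION", e["user"], e["resource"], e["intent"], "allowed", e["allowed"])
    for a in repeat_offenders(pci_violations(evs)):
        print("ALERT", a)
```

Every in-scope violation is worth forwarding on its own (a denied UPDATE against PCI.CREDIT.DATA by a user whose access is READ is exactly what 11.4.b asks to be alerted on); the repeat-offender pass adds a second signal for someone probing several times. In production the same records are available as SMF type 80 events, which carry the timestamp a real time window would need.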
References
PCI Security Standards Council - Payment Card Industry (PCI) Data Security Standards and Navigating PCI DSS 2.0
https://www.pcisecuritystandards.org/
NIST - National Checklist Program Repository, zSeries RACF STIG
http://web.nvd.nist.gov/view/ncp/repository?page_num=1
xBridge Systems - Achieving PCI Compliance on the Mainframe (White Paper)
http://www.xbridgesystems.com/products/whitepapers/Xbridge_White_Paper_Achieving_PCI_Compliance_on_the_Mainframe_April_2011.pdf
Verizon Business - Verizon 2010 Payment Card Industry Compliance Report
http://www.verizonbusiness.com/resources/reports/rp_2010-payment-card-industry-compliance-report_en_xg.pdf
Gartner Research Note - "Why Your IBM zSeries Mainframe May Not Be as Secure as You Think It Is and What You Can Do About It."
http://www.go2vanguard.com/gartner_request.php
Verisign Global Security Consulting Services - Compliance and the cost of a credit card breach
http://www.verisign.com/static/PCI_REASONS.pdf
COMPUTERWORLD, January 6, 2010 - Update: Heartland breach shows why compliance is not enough
http://www.computerworld.com/s/article/9143158/Update_Heartland_breach_shows_why_compliance_is_not_enough
Ponemon Institute - PCI DSS Trends 2010: QSA Insights Report
http://www.ponemon.org/data-security
References
PCI Testing Procedures Referenced in this Presentation
7.2.1 Confirm that access control systems are in place on all system components.
7.2.2 Confirm that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.
7.2.3 Confirm that the access control systems have a default “deny-all” setting.
10.2.2 Verify actions taken by any individual with root or administrative privileges are logged.
10.2.3 Verify access to all audit trails is logged.
10.2.7 Verify creation and deletion of system level objects are logged.
10.5.1 Verify that only individuals who have a job-related need can view audit trail files.
10.5.2 Verify that current audit trail files are protected from unauthorized modifications via access control mechanisms.
10.5.3 Verify that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.
10.6 Through observation and interviews, verify that regular log reviews are performed for all system components.
10.7.b Verify that audit logs are available for at least one year and processes are in place to immediately restore at least the last three months’ logs for analysis.
11.4.a Verify the use of intrusion-detection systems and/or intrusion-prevention systems and that all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment is monitored.
11.4.b Confirm IDS and/or IPS are configured to alert personnel of suspected compromises.
Thank You
©2011 Vanguard Integrity Professionals, Inc.
About Vanguard Integrity Professionals
Vanguard Integrity Professionals is the world’s leading solutions provider in the field of RACF®. Leveraging its robust suite of security
administration and auditing tools, a development and professional services team comprised of more than 30 of the top RACF experts in
the world, and a proven history of providing market leading solutions for over 20 years, Vanguard has established a reputation as the
best in the industry.
Vanguard offers the most comprehensive suite of security software solutions, professional services, and training of any vendor in the
world. More than 500 customers have partnered with Vanguard to ensure and protect the integrity of Information Systems and the
confidentiality of sensitive production data in the nation's largest financial, healthcare, retail organizations and government agencies.
Vanguard is also the developer and sponsor of Vanguard Security and Compliance™ (formerly, the Vanguard Enterprise Security Expo),
the most prominent and insightful security conference in the industry, which has trained more than 8,000 security experts since 1987.
Vanguard Professional Services provides customers with the industry's most comprehensive set of enterprise professional service
offerings in the RACF z/OS®, distributed and Network/Internet markets. Vanguard consultants, with an average of 25 years’ experience,
offer strategic consulting and training tailored to meet an organization’s unique business requirements, and can assist in the process of
managing risks to protect the integrity of information systems and the confidentiality of your data. Vanguard consultants are highly
regarded and considered the best-of-the-best in their field.
Vanguard’s Software Solutions offer a robust set of tools for z/OS Security Server and Resource Access Control Facility (RACF) that
dramatically improve the efficiency of security administration and management, and address the demands of regulatory compliance and
reporting. The Security Server is transformed into a real-time intrusion detection and policy enforcement platform, extending System z®
security and audit capabilities across the enterprise. With Vanguard's solutions users are empowered to make immediate and informed
security decisions.