Leveraging PCI Compliance: Managing Risk in Michigan

Provided by: wmis
Learn more at: http://www.wmisaca.org

Transcript and Presenter's Notes

1
Leveraging PCI Compliance: Managing Risk in Michigan

Dan Lohrmann, Chief Information Security Officer, State of Michigan
West Michigan ISACA, October 16, 2008
2
What's on Tap?
  • First things first
  • The Perfect Security Storm
  • The Michigan Journey
  • The Good, the Bad, the Ugly
  • PCI Compliance: Many Birds with One Stone
  • Combining People-Processes-Technology
  • Lessons Learned
  • Next Steps

3
First things first
  • A bit about me
    • Former NSA analyst
    • Former IT Director, Mantech International, UK
    • Roles as State Agency CIO and e-Michigan CTO
    • Over 23 years of IT experience
  • Director, Michigan's Office of Enterprise Security
    • Emergency management coordinator
    • Staff of 30 security professionals
    • Homeland security liaison
    • Cybersecurity manager

A bit about MDIT
4
Michigan in focus
  • In 2001, IT services consolidated from 19 agencies into one department - MDIT
  • We now support all of the agencies with a $378 million annual budget
  • Our 1,700 employees support and maintain:
    • Over 800 critical business applications
    • Over 55,000 desktop computers
    • Over 1,300 telecommunications locations

What role do we play?
5
What services do we touch?
All of them!
  • Whenever a citizen:
    • Files an income tax return
    • Pays or receives child support
    • Wins the Lottery
    • Compares schools
    • Starts a business
    • Applies for a driver's license or gets pulled over by a state trooper

And, like many of you, from 2005-2007 Michigan endured the perfect security storm
6
The Perfect Security Storm
  • Vulnerabilities
    • MS Patches Never End
    • Legacy Systems
    • Multiple OS Versions / Consolidation of Servers
    • Configuration, Asset Mgt.
  • Identity Theft
    • Explosion of Attacks
    • Hackers & Viruses
    • Privacy Data
    • Homeland Security
    • Organized Crime
  • More with Less
    • Budget Cuts
    • Standardization (Too many Scanners, Tools)
    • Operational Fires (Viruses) Continue
    • Staffing Efficiencies Desired
  • Compliance
    • Payment Card Industry (PCI)
    • HIPAA
    • NIST (New Audits, SOX)
    • Breach Laws, Notification

How has compliance tightened?...
7
The New Rules for CSOs
FISCAM Controls
We're here today to talk a little bit about the Michigan Story and how we are weathering the storm.
8
The Good, the Bad and the Ugly
  • The perfect storm resulted in a set of conditions challenging security officials like never before
  • In Michigan, there were pros and cons alike

9
The Michigan Story: The Good
  • We had an eager customer, the Department of Treasury, ready and willing
  • Funding was available from Homeland Security
  • Our CIO set a department-wide mandate on improved security

10
The Michigan Story: The Bad
  • Lack of motivation for change among some: just another to-do
  • Culture and attitude hurdles: "don't touch my server", "we're different"
  • Skill sets and training for technical staff lacking
  • Ownership questions and multiple audiences

11
The Michigan Story: The Ugly
  • Poorly administered change control - infrastructure move, add, change (IMAC) process not centralized
  • Negative penetration test results, audit findings
  • Multiple reports/purposes/metrics, moving vulnerability and requirement targets
  • Lack of standard configurations and builds, multiple credit card solutions

We also had too many vulnerability scanning tools
12
The Michigan Story: Pick a Tool, Any Tool
13
The Michigan Story: Many Birds with One Stone
If we could solve this one problem, we could address multiple issues:
  • Audit findings
  • Security holes from pen test
  • Legal requirements/compliance
  • Implement industry best practice
  • Improve overall IT processes
  • And...
  • Satisfy our Treasury customer

The answer was clear: PCI compliance was necessary!
14
What is PCI Compliance?
Otherwise known as the Payment Card Industry (PCI) Data Security Standard, PCI compliance:
  • Is a standard that applies to financial institutions, Internet vendors and retail merchants
  • Spells out security measures and auditing procedures required to protect private information during transactions involving payment cards
  • Is used by all card brands to assure the security of the data gathered during transactions

Card Associations LLC, https://www.pcisecuritystandards.org. Mission: Enhance payment account data security by fostering broad adoption of PCI-DSS.
15
Cost of Non-Compliance
In the event of a breach the acquirer can make the merchant responsible for:
  • Any fines from PCI-Co (up to $500,000/incident)
  • Cost to notify victims
  • Cost to replace cards (about $10/card)
  • Cost for any fraudulent transactions
  • Forensics from a QDSC
  • Level 1 certification from a QDSC

Costs add up quickly. If 50,000 credit cards are stolen... Not to mention the bad publicity.
16
Digital Dozen Approach to PCI Compliance
17
The Michigan Approach: People
  • Treasury takes business ownership
  • MDIT Office of Enterprise Security forms cross-organizational team
  • Gaining trust from multiple orgs
  • Training, joint buy-in
  • Executives' buy-in
  • Credit card users group makes business case and other financial incentives clear
    • Can't afford to lose credit card authority
    • Need e-Government growth
    • Failing is not an option: the reputation of the State is on the line

18
The Michigan Approach: Processes
  • Set uniform IMAC/change management
  • Established common approach
  • Iterative scans took time (plenty of war stories)
  • Initially centralized, later federated
  • Training built in, best and brightest selected on server teams
  • Regular format/briefings to key business and technology management teams
  • Agreed upon standard metrics and repeatable, explainable, supportable numbers (not an easy feat)

19
The Michigan Approach: Technology
  • Chose single tool (Qualys)
  • Achieved common configuration and builds
  • Developed good vendor relationships
  • Provided training on tool
  • Focused on business outcomes (agreed upon requirements)
  • Gave the team authority, priority, clear roles/responsibilities
  • Shared, repeatable knowledge base

How does Qualys work?
20
Qualys Categorization
  • Level 1: Intruders can collect not-too-sensitive info like open ports, services
  • Level 2: Intruders can collect sensitive information, like specific versions of software installed, to mount attacks
  • Level 3: Intruders can collect specific info, including security settings
  • Level 4: Intruders can hack the system with non-admin user privileges, or can access highly sensitive information
  • Level 5: Intruders can gain complete, admin-level access to the system

21
The Michigan Process
  • Integrates with other MDIT processes
  • Affects old and new
  • Three changes for remediation, owned by server and application teams:
    • Patch: once installed, addresses many vulnerabilities; patching servers is more complicated
    • Update: synonymous with patch, used on applications, not OS; followed with version numbers
    • Configure: changes to apps and services to add security; includes removing/stopping services and configuring passwords

22
The Michigan Process: Vulnerability Remediation Tools
To speed up remediation of vulnerabilities, including open ports, false positives, and known solutions:
  • Phase I
    • Refining and distributing to CSDs new spreadsheet of vulnerability, status and coordinator by server IP
    • Facilitating meetings with CSDs and server support staff to work through the spreadsheet and successful processes
  • Phase II
    • Linking spreadsheet information to other information available about server, such as CMDB and server PDI scan info
    • Building solution knowledge base
    • Presenting all information in Web-accessible database, with access limited as appropriate by role (user ID / password)

23
The Michigan Process: Executive Tech. Review Board (ETRB)
  • ETRB provides rapid resolution to questions
    • Reviewing approved, denied, escalated exception requests
    • Resolving technical disagreements
  • Exceptions Process
    • One form for OES, hosting center, and managed LAN
    • Area may approve exception or defer to program board
    • Program board may approve or deny exception
    • Requester can appeal denial to ETRB for final ruling
  • ETRB reviews approved exceptions identifying the cause using background information received in advance, makes decisions on-the-spot and communicates it across the organization

24
The Proof, As They Say
  • Significant DMZ vulnerabilities (Severity 3 or above)
    • When we began in January 2006: 318
    • Today: Zero. None. Nada!
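The remediation-tracking spreadsheet on the tooling slide (vulnerability, status and coordinator by server IP, later joined to CMDB data and a solution knowledge base) and the "Severity 3 or above in the DMZ" number on this slide are really one aggregation over scan output. The Python below is an added example written for this transcript; it is not code from the presentation, from MDIT or from Qualys. The scan rows, the CMDB entries, the finding ids (F-001 and so on), the Patch/Update/Configure mapping and all field names are constructed sample data and assumptions, not a real scanner export format.

```python
"""Aggregate vulnerability-scan findings into a per-coordinator worklist and
the 'Severity 3 or above in the DMZ' metric.

Added example, not part of the presentation or of any Qualys tooling. The scan
rows, CMDB entries and knowledge-base entries below are constructed sample
data; the field names are assumptions, not a real scanner export format.
"""
from collections import defaultdict

# Constructed scan export: one row per (host, finding). 'sev' follows the 1..5
# scale on the categorisation slide. 'status' is the coordinator's triage
# decision: open, fixed, or false_positive (false positives drop out of counts).
SCAN_ROWS = [
    {"ip": "10.0.1.10", "id": "F-001", "sev": 5, "title": "Unsupported web server version", "status": "open"},
    {"ip": "10.0.1.10", "id": "F-002", "sev": 2, "title": "Service banner reveals version", "status": "open"},
    {"ip": "10.0.1.11", "id": "F-003", "sev": 3, "title": "Telnet service enabled", "status": "open"},
    {"ip": "10.0.1.11", "id": "F-004", "sev": 4, "title": "Default database password", "status": "false_positive"},
    {"ip": "10.0.2.20", "id": "F-001", "sev": 5, "title": "Unsupported web server version", "status": "fixed"},
    {"ip": "10.0.2.21", "id": "F-005", "sev": 3, "title": "Missing OS security patch", "status": "open"},
    {"ip": "10.0.9.99", "id": "F-003", "sev": 3, "title": "Telnet service enabled", "status": "open"},  # no CMDB owner
]

# Constructed CMDB extract: server IP -> owning coordinator and network zone.
CMDB = {
    "10.0.1.10": {"coordinator": "treasury-web", "zone": "DMZ"},
    "10.0.1.11": {"coordinator": "treasury-web", "zone": "DMZ"},
    "10.0.2.20": {"coordinator": "hosting-db", "zone": "DMZ"},
    "10.0.2.21": {"coordinator": "hosting-db", "zone": "internal"},
}

# Constructed solution knowledge base: finding id -> remediation type, using the
# Patch / Update / Configure vocabulary from the process slide.
KNOWLEDGE_BASE = {
    "F-001": "Update",
    "F-003": "Configure",
    "F-005": "Patch",
}


def open_findings(rows, min_sev=1):
    """Open findings at or above a severity; fixed items and false positives drop out."""
    return [r for r in rows if r["status"] == "open" and r["sev"] >= min_sev]


def worklist_by_coordinator(rows, cmdb, kb, min_sev=3):
    """Group significant open findings by the coordinator who owns the server.
    Hosts missing from the CMDB land in an 'unassigned' bucket so nothing is lost."""
    work = defaultdict(list)
    for r in open_findings(rows, min_sev):
        owner = cmdb.get(r["ip"], {}).get("coordinator", "unassigned")
        work[owner].append({
            "ip": r["ip"], "id": r["id"], "sev": r["sev"], "title": r["title"],
            "fix": kb.get(r["id"], "unknown - research needed"),
        })
    # Highest severity first within each coordinator's list.
    for items in work.values():
        items.sort(key=lambda x: -x["sev"])
    return dict(work)


def dmz_significant_count(rows, cmdb, min_sev=3):
    """The 'Severity 3 or above in the DMZ' metric: open findings on DMZ hosts only."""
    return sum(1 for r in open_findings(rows, min_sev)
               if cmdb.get(r["ip"], {}).get("zone") == "DMZ")


def unassigned_hosts(rows, cmdb):
    """Scanned IPs with no CMDB record: a data-quality gap to close before reporting."""
    return sorted({r["ip"] for r in rows if r["ip"] not in cmdb})


if __name__ == "__main__":
    for owner, items in worklist_by_coordinator(SCAN_ROWS, CMDB, KNOWLEDGE_BASE).items():
        print(owner)
        for it in items:
            print(f"  {it['ip']}  sev {it['sev']}  {it['title']}  ->  {it['fix']}")
    print("DMZ findings at severity 3 or above:", dmz_significant_count(SCAN_ROWS, CMDB))
    print("hosts missing from CMDB:", unassigned_hosts(SCAN_ROWS, CMDB))
```

Two choices matter for the "repeatable, explainable numbers" the processes slide asks for: false positives are excluded only once a coordinator has recorded that decision in the status column, so the exclusion is auditable, and hosts the CMDB does not know about are surfaced rather than silently dropped from the DMZ count, since an unowned host cannot be classified as in or out of the DMZ.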

25
Critical Lessons Learned
  • PCI compliance is worth it
  • Solves many complex problems
  • Measurable: good metrics
  • Don't forget the vendors
  • Market your progress (communication x3)
  • Build Trust with WIN / WIN approaches
  • The hardest parts are NOT technical...
  • Entrust your staff, and reward them

26
Michigan's Next Steps
  • Counties and locals
  • Moving Up the Stack
    • Applications
    • Other systems (moving PCI target)
  • Rolling into app lifecycle

27

Dan Lohrmann, Lohrmannd@michigan.gov
www.michigan.gov/dit
www.michigan.gov/cybersecurity