PCI SSC 2015 SIG Proposal: Securing Cryptographic Keys and Digital Certificates
1. 2014 North American Community Meeting
2015 SIG Proposals
Securing Cryptographic Keys and Digital Certificates
2. Purpose
Clarify cryptographic key and digital certificate security
− Protects data at rest and data in transit
− Authorizes and authenticates servers, devices, software, cloud, and privileged administrators and users
Deliver guidance and new insights
− Guidelines & implementation checklist
− Recommended changes to the PCI DSS
3. Background
Trust-based attack vulnerabilities are increasing
Heartbleed showed how serious the impact could be
“Heartbleed is catastrophic…This means that anything in memory—SSL private keys, user keys, anything—is vulnerable. And you have to assume that it is all compromised. All of it.”
- Bruce Schneier, Cryptographer
Heartbleed: when, not if, the next Heartbleed-level response will be needed
4. Background
Threats to keys and certificates are no longer theoretical.
They have become an everyday attack.
[Timeline figure (2010, 2011, 2012, 2014): Attacks on CAs; Stuxnet & Duqu; Everyday attack method]
5. Background
“PKI is under attack…”
- Scott Charney, Corporate Vice President, Microsoft
6. Background
Experts agree the problem is only going to get worse:
− McAfee Labs Threat Report for Fourth Quarter 2013 noted that malware signed with legitimate certificates more than tripled between 2012 and 2013
− Gartner predicts “50% of network attacks will use SSL by 2017”
− University of Michigan found that 99% of SSL certificates in use are considered vulnerable under the current NIST standard
− Netcraft found that 40% of mobile banking apps don’t validate SSL certificates, leaving them vulnerable to man-in-the-middle attacks (Fandango & Credit Karma settled violations with the FTC)
7. Opportunity
− Detail specifics for key and certificate security
− Indicate how the security of keys and certificates influences other security controls
− Provide recommendations to mitigate threats, including:
  − Apply key and certificate requirements to data in transit
  − Require encryption for data in transit within the CDE
8. Objectives
Scope: Security strategies that protect keys and certificates
– Limit access and locations
– Recommend algorithm and cryptoperiod
– Ensure key retirement and replacement
– Enable dual control
– Respond to attacks
– Secure entire key lifecycle
– Provide clarity on asymmetric and symmetric cryptographic key security
– Close gap between data encryption keys and key encryption keys
– Use strong, protected, securely stored, and securely distributed keys
9. Approach
Develop guidelines and checklist for QSAs and organizations
− Research industry best practices and consult with industry experts
− Indicate different options, combinations, and configurations for deploying key and certificate security
− Highlight how security elements interrelate and impact each other
[Figure: Experts to engage]
10. Participation & Support
Co-submitter: Kevin Bocek, Venafi, Security Vendor
Co-submitter: Gary Glover, SecurityMetrics, QSA
Current participants (listed alphabetically by last name):
Brandon Benson, SecurityMetrics, QSA
David W. Buchanan, Delap, QSA
Mike Carmack, Bank of America, Financial Institution, ISA
Christine Drake, Venafi, Security Vendor
Eppy Thatcher, Townsend Security, Security Vendor
Patrick Townsend, Townsend Security, Security Vendor
Laurie Sanborn, Venafi, Security Vendor, Former QSA
Jeff Stapleton, Bank of America, Financial Institution, Former QSA
Charles Watts, Walmart, Merchant, ISA