2014 North American Community Meeting
2015 SIG Proposals
Securing Cryptographic Keys and Digital Certificates
Purpose
• Clarify cryptographic key and digital certificate security
  − Protects data at rest and data in transit
  − Authorizes and authenticates servers, devices, software, cloud, and privileged administrators and users
• Deliver guidance and new insights
  − Guidelines & implementation checklist
  − Recommended changes to the PCI DSS
Background
• Trust-based attack vulnerabilities are increasing
• Heartbleed showed how serious the impact could be

“Heartbleed is catastrophic…This means that anything in memory—SSL private keys, user keys, anything—is vulnerable. And you have to assume that it is all compromised. All of it.”
- Bruce Schneier, Cryptographer

Heartbleed: when, not if. The next Heartbleed-level response will be needed.
Background
Threats to keys and certificates are no longer theoretical. They have become an everyday attack.

[Timeline graphic, 2010 to 2014: Attacks on CAs; Stuxnet & Duqu; Everyday Attack Method]
Background
“PKI is under attack…”
- Scott Charney, Corporate Vice President, Microsoft
Background
Experts agree the problem is only going to get worse:
• McAfee Labs Threat Report for Fourth Quarter 2013 noted that malware signed with legitimate certificates more than tripled between 2012 and 2013
• Gartner predicts “50% of network attacks will use SSL by 2017”
• University of Michigan found 99% of SSL certificates in use are considered vulnerable by the current NIST standard
• Netcraft found 40% of mobile banking apps don’t validate SSL certificates, leaving them vulnerable to man-in-the-middle attacks – Fandango & Credit Karma settle violations with FTC
Opportunity
− Detail specifics for key and certificate security
− Indicate how the security of keys and certificates influences other security controls
− Provide recommendations to mitigate threats, including
  • Apply key and certificate requirements to data in transit
  • Require encryption for data in transit within the CDE
Objectives
• Scope: Security strategies that protect keys and certificates
  – Limit access and locations
  – Recommend algorithm and cryptoperiod
  – Ensure key retirement and replacement
  – Enable dual control
  – Respond to attacks
  – Secure entire key lifecycle
  – Provide clarity on asymmetric and symmetric cryptographic key security
  – Close gap between data encryption keys and key encryption keys
  – Use strong, protected, securely stored, and securely distributed keys
Approach
• Develop guidelines and checklist for QSAs and organizations
  − Research industry best practices and consult with industry experts
  − Indicate different options, combinations, and configurations for deploying key and certificate security
  − Highlight how security elements interrelate and impact each other

[Graphic: Experts to Engage]
Participation & Support
Co-submitter: Kevin Bocek, Venafi, Security Vendor
Co-submitter: Gary Glover, SecurityMetrics, QSA
Current participants (listed alphabetically by last name):
• Brandon Benson, SecurityMetrics, QSA
• David W. Buchanan, Delap, QSA
• Mike Carmack, Bank of America, Financial Institution, ISA
• Christine Drake, Venafi, Security Vendor
• Eppy Thatcher, Townsend Security, Security Vendor
• Patrick Townsend, Townsend Security, Security Vendor
• Laurie Sanborn, Venafi, Security Vendor, Former QSA
• Jeff Stapleton, Bank of America, Financial Institution, Former QSA
• Charles Watts, Walmart, Merchant, ISA
