Stop Patching, for Stronger PCI Compliance

Presented at ToorCon San Diego 14 (2012), Oct. 21, 2012, 2 p.m. (20 minutes)

Too many organizations have their administrators running on the Patching Wheel of Death. PCI DSS says all vendor critical patches must be installed within 30 days, right? Wrong. Looking more closely at the PCI standard shows that it actually mandates a risk-based approach to patching. In this presentation, an experienced PCI QSA discusses how organizations that patch frequently and rely solely on vulnerability scanner or vendor recommendations are actually less PCI compliant. The wasted time spent on unnecessary patching could be better spent on more important ongoing compliance activities and long term fixes. An alternative approach is presented, showing how even applying simple contextual criteria when evaluating patches (in accordance with PCI DSS recommendations) can eliminate over 50% of monthly patch installations.

Presenters:

• Adam Brand
  Adam Brand is a Southern California-based Senior Manager with Protiviti and specializes in PCI compliance, vulnerability management and incident response. Adam has helped a number of clients streamline security processes so they are more efficient and effective and has also seen first-hand common causes of breaches. He also assists with incident response and enjoys reversing malware to get inside the head of attackers.

Similar Presentations:

• Notacon 9 (2012) / I'm a Hacker…and I'm a QSA (Hacking PCI Requirement 6.6. Why Your Web Applications are Still Not Secure)
• AppSec USA 2013 / OWASP PCI toolkit Session
• BSidesLV 2014 / Password Security in the PCI DSS