whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

Transcription

1 4 Best Practices for Building PCI DSS Compliant Networks

2 Cardholder data is a lucrative and tempting target for cyber criminals. Recent highly publicized accounts of hackers breaching trusted retailers and stealing cardholder data serve as powerful examples that any firm that stores, processes, or transmits cardholder data must take strict measures to protect this information. To foster greater protections for cardholder data worldwide, the PCI Security Standards Council was formed. This global council is represented by the major payment card brands, which include American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. In addition, more than 650 merchants, banks, processors, and vendors represent the council. This council also publishes the Payment Card Industry Digital Security Standards (PCI DSS). Payment card brands adopt these standards and mandate them as a condition of utilizing a card brands service. As a result, a payment card brand will also enforce compliance to these standards among its constituent merchants and financial institutions. PCI DSS broadly defines the following security requirements: 1. Build and maintain a secure network and systems 2. Protect cardholder data 3. Maintain a vulnerability management program 4. Implement strong access control measures 5. Regularly monitor and test networks 6. Maintain an information security policy Within each category, PCI DSS offers guidance on recommended operational and technical measures to be taken. These standards are also regularly updated. In late 2013, the PCI Security Standards Council updated the PCI DSS framework to version 3.0, which became effective January 1, Complication While PCI DSS 3.0 defines security specific objectives, it does not specify specific security controls and how these controls are to be implemented. In other words, it defines the what, but not the how. Therefore, each organization must carefully consider how to not only implement PCI DSS 3.0 in their environment, but also demonstrate compliance. Simply using a firewall, intrusion detection, anti-virus, patch management, and related technologies may not be sufficient unless they are used with necessary operational controls. Together they satisfy PCI DSS objectives. Implications The consequences for non-compliance are extremely high. As illustrated by recent security breaches with trusted retailers, consumer backlash is harsh and can result in tremendous erosion to brand and stockholder equity. But this is not all. Violators may also experience severe losses due to business interruption, assessment of fixed and variable penalties, 2

3 obligation to pay investigation, and forensic costs and liability from defending against lawsuits. We recently saw Target become a victim of data theft where criminals accessed the credit and debit card information of an estimated 40 million individuals. Not just that, the attackers also garnered customer names, mailing addresses, addresses, and phone numbers. This incident caused a significant dent in the company s image and business. Prior to Target, Adobe Systems revealed that 2.9 million customers' sensitive and personal data was stolen in a security breach. The extent of the breach included encrypted credit card information and other data that was posted online. Further investigations revealed that Adobe failed to use best practices for securing passwords and had a weak encryption method, making it an easy target for criminals. Breach of confidential data could be from internal or external entities. Employees directly involved in the payment process such as cashiers, bank tellers, and even restaurant staff are often responsible for internal incidents. In networks of multiple critical network devices, the lack of knowledge or policy enforcement results in employees leaving the door open for attacks. Picking weak passwords, clicking on phishing links, or sharing company information on social or public platforms can leave your network vulnerable to external attack. Recommendations Companies and institutions that are required to comply with PCI DSS should constantly be on the lookout for ideas that help them consistently achieve compliance while saving time and cost. The following, often overlooked, best practices can help: 1. Network Segmentation One of the primary requirements of PCI DSS is to Build and Maintain a Secure Network and Systems. You can reduce your exposure to threats and the cost to implement and audit PCI DSS security controls by isolating cardholder data to specific systems and carefully controlling access to those systems. This can be done with internal network partitioning, which is accomplished using firewalls and routers. For example, protecting all cardholder data inside its own security zone with perimeter firewalls and routers enables companies to restrict access to only authorized users. The network administrator can allocate all cardholder data repositories in one network segment identified by a security zone (like Customer Data ). The administrator can then craft security controls that only permit certain authorized users to access the Customer Data zone, thereby preventing unauthorized internal or external access to the data stored in that segment. These network segments can be easily presented via compliance reports. The smaller the scope of an audit, the less effort, documentation, time, resources, and money is required to complete the audit process. 3

4 2. Network Security Basics Perimeter network defenses are diminished when fundamental weaknesses persist in network security. These can be mitigated by doing the following: Use Secure Protocols Log ACLs Secure Shell or SSH is secure as the SSH client and server uses digital signatures to verify their identity. When sent unencrypted over the network, device username and passwords are very easy to capture by unwarranted users. This security threat can be greatly diminished when SSH is used for remote shell login to network devices. Additionally, when SSH is used, all communication between the client and server systems is encrypted. Therefore, any attempts to spoof the identity of either side of a communication does not work, as each packet is encrypted using a key known only by the local and remote systems. SNMPv3 deals with the problems of simple authentication and enhances the security of SNMP operations over SNMPv1/v2c models. By introducing proper message security, SNMPv3 provides Confidentiality, Integrity, and Authentication, which are required to perform network management operations securely. Therefore, it is advisable to perform SNMP requests using SNMPv3 for increased security and to detect unauthorized connections via monitoring of network devices. Logging access control list (ACL) activity provides insight into traffic as it traverses the network or is dropped by network devices. If a device is attacked, the number of system messages for denied packets can be very large. ACL logs help detect anomalies in network traffic and determine if there has been an attack. Review Vendor Defaults and Disable Unnecessary Services A serious security risk exists when a network device is configured and continues to operate with its default settings. The primary threat is that default passwords are not secure and unauthorized users can easily gain access to your network. Default logins and services are a means to complete the initial setup of the device and it is strongly recommended that once the device is installed, these defaults be immediately changed for security reasons. Regularly Archive Device Configuration Files Device configurations are not easy to build. These configuration files sometimes run into thousands of lines of code and are fine-tuned and perfected over a period of time. Making device configuration changes without a backup and to later discover that the change is the cause of network issues, is a waste of valuable admin time and hard work. Just as any important data is backed up so also configuration files must be archived for disaster recovery purposes, especially for critical network devices. Network Architecture Separating management services from the production/operational segment of the network helps reduce the possibility of an attacker gaining access to critical systems. Designing the network to process management traffic such as SNMP, 4

5 SSH, Syslog, etc. separately helps provide security engineers the flexibility to allow access for informational protocols and deny access to suspicious traffic, therefore reducing the opportunity of breach. 3. Business-as-Usual Meeting PCI DSS objectives is an ongoing process. Technical controls will eventually lose their affect as human errors occur, new vulnerabilities are discovered, and networks evolve. In order to ensure technical controls remain effective, it s important to implement supporting operational controls. Therefore, the following PCI DSS processes should be adopted: Inventory and manage router and switch lifecycles Know what s running in your network. Take an inventory of network devices especially critical routers and switches. Keep IOS and firmware updated and periodically review device configurations for compliance with current security controls. Create configuration baselines against which device configurations can be compared to ensure that regulatory standards are met. Maintain updated device data and confirm that there are no obsolete devices that may potentially open up security vulnerabilities in the network. Properly configure and test new devices prior to deployment Before deployment, all device configuration changes must go through an approval process to ensure recommended guidelines are followed and security controls are satisfied. Test the device with the new configuration and ensure that there is no disruption in network operations as a result of the change. Have the last known good configuration ready so that, in case of an issue, you can restore the network to its previously stable state. Review, approve, and schedule subsequent configuration changes All configuration changes must go through an approval process so that any missed or overseen aspect can be corrected. Having the device configuration reviewed helps ensure that all the necessary policy controls are met, which otherwise stand the chance of being bypassed intentionally or due to negligence. Repetitive tasks like frequent configuration changes and backups can be scheduled to run regularly without the intervention of the administrator. This not only saves time but also reduces human errors. Automate changes for speed and accuracy Repetitive and bulk execution tasks can be automated to save time and increase accuracy. Bulk password changes, SNMP community string changes, VLAN changes, etc. on hundreds of multi-vendor devices can take up all of the administrator s time. Automation solves this problem enabling the administrator to invest time in other network management activities. Eliminate the boring yet important configuration changes that, even with the smallest errors, can bring the entire business operations to a stop. 5

6 Create and maintain configuration archives for disaster recovery No one can prevent a disaster, but preparing for one is just about the next best thing. Having all of your configurations stored, catalogued, and backed up allows you to recover from a hardware failure or a bad configuration change in minutes instead of hours. Major network downtime due to configuration changes can be averted by quickly replacing changes with the previous configuration. Assess device compliance according to operational and regulatory policy Device compliance is not just a onetime task that it is implemented and then forgotten. Compliance with internal and external controls must be maintained throughout and should be assessed and monitored continuously. The network is constantly undergoing change. To stay protected it is mandatory to assess policy effectiveness and compliance with security controls regularly and frequently. 4. Save Time and Improve Results by Using Purpose-built Tools The importance of building and maintaining a secure network is critical to achieving PCI DSS compliance. It requires a mix of operational and technical controls to not only implement and maintain proper network segmentation and compliance, but to also do so within a mature dayto-day IT management framework. An automated solution can provide tremendous value in the following ways: Configure and maintain standardized configurations for routers and switches Consistently enable secure services like SSH, SNMP v3, ACLs, etc. Disable default and unnecessary services Review and approve configuration changes prior to deployment Use re-usable change templates to bulk deploy config changes quickly and consistently Monitor device configurations for unauthorized change Remediate non-compliant changes Archive and organize device configurations Design network architecture for security and ease in manageability Restore or rollback failed devices and bad configuration changes Assess device configurations for compliance to technical controls and facilitate audits and certification 6

7 SolarWinds Network Configuration Manager (NCM) is a Network Change and Configuration Management (NCCM) solution that automates compliance management and saves loads of admin time. NCM facilitates continuous monitoring and replaces point-in-time audits with a continuous view of the state of the network. In line with the four best practices covered above, NCM can help reduce the time and effort needed to complete the following tasks: Ensure that all new devices inducted into the network are compliant Standardized configuration templates Review and approve all configuration changes before they are applied Configuration change request & approval Know whenever there is a configuration change in the network Real-time configuration change detection Quickly rollback bad/unwanted configuration changes before they cause network downtime Configuration archives Easily audit configurations and ensure they are compliant with PCI requirements PCI compliance report Ensure that all new devices inducted into the network are compliant: NCM helps you create standardized configuration templates that can be used as is, or as a baseline for new devices inducted into the network. Frequent configuration changes like VLAN changes, ACL changes, password changes, etc. can also be standardized into a template. This helps eliminate the need to create from scratch, and check the configuration on every occasion. Administrators can execute a new device configuration or a change quickly without errors. Create standard templates for frequent changes Standardize Frequently Used Configurations & Configuration Changes Import templates from thwack for ease of use 7

8 Review & approve all configuration changes before they are applied: Device configurations undergo frequent changes and any bad or unauthorized change can lead to network downtime. PCI requires that all configuration changes be approved before being implemented. This helps avert unwarranted changes and errors that cause security gaps and network downtime. With NCM, you can ensure that all configuration changes go through approval before they are implemented. You can also create permission levels to restrict access and assign rights for certain tasks. NCM gives you a clear picture of who changed what in the network. Set up a work flow to approve configuration changes Assign user roles and permissions to manage tasks Know when there is a configuration change in the network: With so many changes happening in the network, it s important to be aware of what configuration changed where, and if these changes are compliant to regulatory standards. Troubleshooting time is considerably reduced if network downtime can be correlated to a recent change in configurations. However, this is possible only if administrators are notified of all configuration changes in the network. Real-time configuration change detection in NCM throws an alert whenever there is a configuration change. 8

9 Receive alerts on all configuration changes in the network View detailed information of changes made to the device Identify Devices with Changed Configurations In the event of an issue due to a configuration change, administrators can also compare configurations with baselines. NCM highlights the configuration lines changes, added and deleted, so that the error can be quickly located and fixed. Easily compare changes and rectify errors Identify Configuration File Changes Quickly rollback unwanted configuration changes before they cause network downtime: Human errors are common and there is always a chance that something might go wrong after a new configuration or configuration change is executed on a device. In such a case, the easiest and best solution to reduce network downtime is to quickly replace the faulty configuration with the last known good configuration from backup. Maintaining regular and updated backup is also very helpful in the event of device failure. The administrator can quickly stack the new device; simply pick the configuration file from backup and get the device up and running in no time. With NCM you can automate the backup process and the administrator can schedule configuration backups according to requirements. 9

10 Quickly upload a configuration from the archive Rollback Configuration Easily audit configurations and ensure they are compliant with PCI requirements: PCI has a set of requirements specifically for network devices. With tens, hundreds, and sometimes even thousands of devices in the network, it can be a herculean task to manually check for device compliance. With PCI playing a vital role in securing cardholder data, satisfying these mandates is not just a one-time activity, but need to be continuously monitored and followed. A solution like NCM helps automate the audit process and greatly reduces admin involvement and effort in ensuring compliance. The PCI Compliance report can be run on a periodic basis and, instead of manually checking for non-compliance, the report automatically lists all violations. These can be then documented and fixed by the administrator accordingly. PCI Compliance Report lists all devices that are in violation so that they can be documented and fixed 10

11 Summary PCI DSS compliance means providing a level of information/data security for the consumer s payment card data. PCI compliance helps you: Mitigate fundamental security weaknesses with perimeter network defenses Prevent unauthorized internal or external access to confidential data Follow important network device management best practices Proactively prevent security breaches and safeguard company reputation and revenue Cardholder data is an extremely lucrative target for hackers. Experiencing a loss of any cardholder data can be catastrophic. The PCI DSS compliance standard provides reasonable and effective measures to protect this sensitive data while it s stored on a corporate network. Commensurate with the growing frequency and sophistication of threats, security measures and attitudes must likewise evolve. Accordingly, the new PCI DSS 3.0 standard expands both the scope and type of controls to implement for securing an IT environment. Organizations must acknowledge that PCI security is more than locking down a server, installing a firewall, and passing a perfunctory audit. Adopting mature network security practices and incorporating these practices into day-to-day IT operations is critical. As this approach takes hold, network and security administrators will appreciate how network configuration tools can provide them with consistent network security baselines and enable them to apply security measures with less effort SolarWinds, Inc. All rights reserved. SolarWinds, the SolarWinds logo, ipmonitor, LANsurveyor, and Orion are among the trademarks or registered trademarks of the company in the United States and/or other countries. All other trademarks are property of their respective owners. WP