Meeting PCI-DSS v1.2.1 Compliance Requirements. By Compliance Research Group

Transcription

1 Meeting PCI-DSS v1.2.1 Compliance Requirements By Compliance Research Group

2 Table of Contents Technical Security Controls and PCI DSS Compliance...1 Mapping PCI Requirements to Product Functionality...2 Requirement #1 Install and maintain a firewall configuration to protect cardholder data...2 Requirement #2 Do not use vendor- supplied defaults for system passwords and parameters...6 Requirement #3 Protect stored cardholder data...8 Requirement #4 Encrypt transmission of cardholder data across open, public networks...11 Requirement #5 Use and regularly update anti- virus software...11 Requirement #6 Develop and maintain secure systems and applications...13 Requirement #7 Restrict access to cardholder data by business need- to- know...17 Requirement #8 Assign a unique ID to each person with computer access...18 Requirement #9 Restrict physical access to cardholder data...20 Requirement #10 Track and monitor all access to network resources and cardholder data...21 Requirement #12 Maintain a policy that addresses information security...26 About Compliance Research Group...28

3 Technical Security Controls and PCI DSS Compliance PCI DSS provides highly specific guidance for the credit card industry as to a minimum required set of security controls. In the credit card industry, Qualified Security Auditors (QSA s) assess and determine where the organization is in compliance, and where there are issues and gaps to be resolved. These findings are communicated in the QSA s Report on Compliance (ROC). Identifying applicable security controls and technologies that can address specific requirements in PCI DSS is important for organizations in the credit card industry. At a minimum, PCI-DSS compliance requires, among other things: A firewall and Intrusion Prevention System (IPS). Note that most modern IPS devices will provide firewall functionality as well. A Database Monitoring system (DAM, or DBM) and/or an Application Monitoring system to monitor, protect, and log all access to sensitive data A Log Management system to store all logs in a secure manner, for audit purposes. A Security Information & Event Management system (SIEM) to bring all the required event and asset data together, for log event correlation, incident detection, response, and reporting purposes. There is also a critical distinction to make here. There are some requirements in PCI DSS where the kind of technology that must be deployed in order to achieve compliance is very clear. An example is 1.3.6, which specifies stateful packet inspection, which is traditionally delivered by a firewall or IPS that can determine and make security decisions using the state of sessions. However, there are also many areas in PCI DSS where the requirement is stated more as an objective, with little guidance as to how to achieve the objective , which requires documentation and business justification for all services, protocols, and ports allowed is an example of this. Actually meeting this objective requires significant knowledge of services, ports, and protocols in use on the network. Obtaining this information can likely be done in many ways, including by looking at logs, at system configurations, or at network traffic itself. In this example, PCI DSS delivers no guidance as to how to develop this information. So an organization seeking to meet this requirement has choices to make, and might consider utilizing configuration management tools, network monitoring devices, log management and SIEM solutions, or some mix of all three to collect the required information, and to then document the business rationale for each port, protocol, and service. The point is that many different security technologies and controls can be of assistance in meeting the requirements in PCI DSS. In creating this paper, Compliance Research Group undertook an extensive evaluation of the functionality provided by each of the Nitro products, and researched them vis a vis all requirements in PCI DSS. This document maps functionality from several Nitro Security solutions (NitroView ESM, NitroView DBM, NitroGuard IPS, NitroView ADM, and NitroView ELM) to each specific requirement of PCI version Our goal in analyzing the fit for the Nitro products has been to identify those areas where the product directly addresses requirements, and additionally those areas where the product helps to identify compliance gaps by providing audit and event information that is critical to proving or disproving compliance. For more information on specific Nitro products that may be used to address each requirement, please visit: nitrosecurity.com/regulatory-compliance/standards/pci/ 1

4 Mapping PCI Requirements to Product Functionality Requirement #1 Install and maintain a firewall configuration to protect cardholder data PCI Requirements 1.1 Establish firewall configuration standards that include the following: A current network diagram with all connections to cardholder data, including any wireless networks NitroView ESM can actively discover all network devices and build a full network topology map. Discovery results can be filtered and sorted by type, including by assets containing cardholder data and subject to PCI Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone NitroGuard IPS includes an integrated stateful inspection firewall capable of filtering traffic at the protocol, IP and port level, either in direct response to inspected traffic (as a firewall) or in response to higher level policy violations detected by NitroView using deep application inspection, database activity monitoring, or system-wide event correlation Description of groups, roles, and responsibilities for logical management of network components NitroView monitors for changes in network components and integrates with Authentication and Identity Management systems, including Active Directory, to apply user- group and role- context to changes, as well as all other managed security events and logs. 2

5 PCI Requirements Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure NitroView ESM provides visibility into which protocols and applications are being used by which users, and what they are being used for. NitroView ESM ensures compliance by providing reporting showing actual services, protocols and ports in use. These reports can then be used by network security staff to validate and determine that all running ports, protocols, and services have a documented business need. NitroGuard IPS monitors network traffic to determine at various points in a network which protocols and ports are being used by which users. This information is provided to NitroView ESM for analysis and reporting so that they may be validated against documented business needs. NitroView ADM inspects application data to determine how specific services, application, and protocols are being used, identify policy violations, and identify rogue services and protocols. This information is provided to NitroView ESM for analysis and reporting so that they may be validated against documented business needs. NitroView DBM monitors database activity to determine how databases containing sensitive information are being access, by what ports and protocols, and can detect rogue databases and/or sensitive data contained in unknown or unauthorized databases. This information is provided to NitroView ESM for analysis and reporting so that they may be validated against documented business needs. NitroView Receiver collects log files from relevant network devices including servers, applications, databases, firewalls, and other devices, so that all services, protocols, and ports in use are identified. This information is provided to NitroView ESM for analysis and reporting so that they may be validated against documented business needs Requirement to review firewall and router rule sets at least every six months NitroView ESM is able to collect router configurations and rule sets for review, and identify when changes to router rule sets have been made. NitroGuard IPS s firewall and intrusion prevention rule sets are managed directly by NitroView ESM, simplifying the review of rule sets and the development of relevant reports. NitroView Receiver is able to collect various third party router and firewall logs to provide additional visibility into the rule sets used by third-party devices, simplifying the review of rule sets and the development of relevant reports Validation of firewall and router rules requires analysis of logs to determine that ports, protocols, IP addresses, and services that are the subject of rules in these devices are in fact being blocked and filtered as expected. NitroView ESM and ELM simplify the development of these reports, and make analysis of rules simpler. 3

6 PCI Requirements 1.2 Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment. NitroView ESM and NitroGuard IPS add significant security capability to these connections by isolating security events occurring in this sensitive part of the network, and allowing the security manager to use prebuilt rules or create custom ones that can block attacks that make it past the firewall Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment Secure and synchronize router configuration files Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment NitroGuard IPS restricts inbound and outbound traffic to the cardholder data environment, functioning as a stateful firewall. In addition, NitroGuard IPS can identify and block attacks, functioning as a network intrusion prevention system (IPS). NitroView ESM provides configuration change management for router configuration files, identifying when configuration changes are made, whether those changes adhere with approved configurations, and identifying differences between configuration files. NitroGuard IPS and NitroView ADM allow application use to be monitored from wireless networks, and unwanted protocols and traffic to be blocked. They also provide the network visibility that is required to validate that firewall rules for these wireless network segments are functioning properly, as specified in test procedures for Prohibit direct public access between the Internet and any system component in the cardholder data environment. NitroGuard IPS allows ports, protocols, and attacks to be monitored and blocked. This can include creating specific rules that block all communication and access between the Internet and the cardholder data environment Implement a DMZ to limit inbound and outbound traffic to only protocols that are necessary for the cardholder data environment. When installed in the DMZ, NitroGuard IPS and NitroView ADM allow ports, protocols, and attacks to be monitored and blocked. This can include creating specific rules that block all protocols except those necessary for the cardholder data environment Limit inbound Internet traffic to IP addresses within the DMZ. NitroGuard IPS s internal firewall may be used to limit inbound traffic to IP addresses within the DMZ. In addition, NitroView ESM can detect and alert on inbound and outbound DMZ traffic, identifying unauthorized access attempts from IP addresses outside of the DMZ. This information can then be used by the NitroGuard IPS to block the unauthorized access. NitroView ESM can also validate that firewall rules implemented to support are functioning correctly. 4

7 PCI Requirements Do not allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment. NitroView ESM can validate that network device rules in firewalls and routers that support are functioning correctly. In addition, NitroView ESM s network discovery and topology features will identify all active network routes to ensure there are no available backdoors into the cardholder data environment Do not allow internal addresses to pass from the Internet into the DMZ. NitroGuard IPS s internal firewall may be used to allow or disallow internal addresses to pass from the Internet into the DMZ Restrict outbound traffic from the cardholder data environment to the Internet such that outbound traffic can only access IP addresses within the DMZ. NitroGuard IPS s internal firewall may be used to limit outbound traffic to IP addresses within the DMZ Implement stateful inspection, also known as dynamic packet filtering. (That is, only established connections are allowed into the network.) NitroGuard IPS performs stateful packet inspection, and can apply prebuilt or customer developed rules to network traffic to identify potential attacks. The product also can determine baseline behavior and anomalous behavior to determine potential attacks for which no rules are yet available Place the database in an internal network zone, segregated from the DMZ. NitroGuard IPS can be used to create a highly protected network zone for the database. NitroGuard IPS performs stateful packet inspection, and can apply prebuilt or customer developed rules to network traffic to identify potential attacks. The product also can determine baseline behavior and anomalous behavior to determine potential attacks for which no rules are yet available. In addition, NitroView DBM can be deployed in front of the database, and can be used to monitor all database access, and to identify potential attacks and provide a complete audit trail of all access Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, using RFC 1918 address space. Use network address translation (NAT) technologies for example, port address translation (PAT). NitroGuard IPS can be used on appropriate network segments to identify internal addresses that are being used outside of their intended network segments. Simple rules can be created in the product that will trigger alerts, or blocking behavior by the NitroGuard IPS appliances. NitroView ESM can similarly detect internal addresses that are being used outside of their intended network segments through log analysis. 5

8 Requirement #2 Do not use vendor-supplied defaults for system passwords and other security parameters PCI Requirements 2.1 Always change vendor-supplied defaults before installing a system on the network for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts. NitroView ESM and ELM can detect and alert on detected use of default passwords or known default accounts, including anonymous or guest account usage activity. NitroView DBM and NitroView ADM can detect and alert on detected use of default passwords or known default accounts, including anonymous or guest account usage activity. Detected password policy violations are logged and used by NitroView ESM and ELM for us in threat detection, and for report generation For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission. Simple rules can be created and implemented in NitroGuard IPS to detect unencrypted traffic in wireless LAN network segments. Nitroview ESM integrates with 3rd party solutions that provide in-depth reporting of wireless access points (including rogue access points) 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. NitroView ESM provides real-time asset-, threat-, and vulnerability reporting, which highly useful in the development of configuration standards for all IT devices Implement only one primary function per server. Nitroview DBM & ADM provide full visibility into application access to ensure that the Implement only one primary function per server PCI requirement can be enforced. NitroView DBM when deployed in front of specific database servers can ensure that each database server is limited to a single function. NitroView ESM correlates network device information, flows, and application logs together to simplify detection of instances where more than one primary function is being provided by a single server. 6

9 PCI Requirements Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device s specified function). NitroGuard IPS augments efforts to disable unnecessary services and protocols on various network devices. When deployed on appropriate network segments, NitroGuard IPS will alert on protocols and services that rules are deployed for. Similarly, NitroView ESM can identify all services and protocols in actual use across the network, allowing for easy reporting, and facilitating tests of which services are allowed on various devices Configure system security parameters to prevent misuse. NitroGuard IPS can augment efforts to deploy proper configurations across the IT infrastructure. For example, configurations of servers to disallow FTP access can be easily supplemented with IP rules that examine network traffic for FTP access to various IP addresses, and either alert upon this type of traffic, or block it Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. NitroView DBM, NitroView ADM, and NitroGuard IPS can monitor and detect on-system behaviors including driver use and file system access, on-network services and protocols (including for example HTTP services, HTTPS access, P2P protocols and access), and network file system access. By identifying which services, protocols, and access are present, network security managers can then determine which are unnecessary and need to be removed, and from which IT assets. 2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web- based management and other non-console administrative access. While the Nitro products do not perform encryption for administrative access themselves, they are highly useful in detecting unencrypted administrative access. NitroGuard IPS and NitroView ESM can detect the presence of unencrypted console access (for example Telnet). Both products can provide alerts and audit events for these types of access, and they satisfy part of the test procedure for this requirement. In addition, NitroGuard IPS can block these access attempts at the network level, if deployed on an appropriate network segment. 7

10 Requirement #3 Protect stored cardholder data PCI Requirements 3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy. NitroView ESM provides network-wide visibility into where cardholder data is, and who is accessing it. NitroView DBM & ADM can discover applications and users accessing credit card data. This added visibility is useful for identifying business that process credit card data NitroView DBM can help organizations to identify and protect cardholder data stored in databases. NitroView ADM and NitroGuard IP can further identify network traffic and flows within the network containing cardholder data, allowing organizations to identify and secure other IT systems housing and transmitting cardholder data. The Nitro products help organizations determine if requirement 3.1 is being violated, by whom, and from what IT resources. They also help the organization to verify 3.1 compliance across the organization, as required in the test procedures. 3.2 Do not store sensitive authentication data after authorization (even if encrypted). Sensitive authentication data includes the data as cited in the following Requirements through 3.2.3: NitroView ESM automatically locates & classifies sensitive data, and can trigger an event if specific patterns are seen within a given log file (for example, card numbers, PAN, masked PANs, etc.). NitroView DBM can identify sensitive data in databases, including information on how the data is stored, and how it is used in relationship to other activities such as authorization Do not store the full contents of any track from the magnetic stripe (located on the back of a card, contained in a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained: Track data can be identified/detected by the Nitro Security product range in several ways: Automatically through content filtering using NitroView ADM Automatically through content filtering using NitroView DBM Automatically through log filtering using NitroView ELM Manually through log searches and event filters using NitroView ESM Use of any of these products allows the organization to accomplish the testing procedures for 3.2.1, and to identify violations to this requirement so as to remediate. The cardholder s name Primary account number (PAN) Expiration date Service code To minimize risk, store only these data elements as needed for business. 8

11 PCI Requirements Do not store the card- verification code or value (three- digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions. Card verification codes can be identified/detected in several ways, by matching 3- or 4- digit pattern matches which are seen within the context of a card transaction: Automatically through content filtering using NitroView ADM Automatically through content filtering using NitroView DBM Automatically through log filtering using NitroView ELM Manually through log searches and event filters using NitroView ESM Use of any of these products allows the organization to accomplish the testing procedures for 3.2.2, and to identify violations to this requirement so as to remediate Do not store the personal identification number (PIN) or the encrypted PIN block Card verification codes can be identified/detected in several ways, by matching 4- or more digit PIN pattern matches which are seen within the context of a card transaction: Automatically through content filtering using NitroView ADM Automatically through content filtering using NitroView DBM Automatically through log filtering using NitroView ELM Manually through log searches and event filters using NitroView ESM Use of any of these products allows the organization to accomplish the testing procedures for 3.2.3, and to identify violations to this requirement so as to remediate. 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). The Nitro products can detect unmasked PAN in several ways: Automatically through content filtering using NitroView ADM Automatically through content filtering using NitroView DBM Automatically through log filtering using NitroView ELM Manually through log searches and event filters using NitroView ESM Use of any of these products allows the organization to accomplish the testing procedures for 3.3, and to identify and alert upon violations to this requirement so as to remediate. 3.4 Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs) The Nitro products can detect unmasked or cleartext PAN in transit several ways: Automatically through content filtering using NitroView ADM Automatically through content filtering using NitroView DBM Automatically through log filtering using NitroView ELM Manually through log searches and event filters using NitroView ESM Use of any of these products allows the organization to accomplish the testing procedures for 3.4, and to identify and alert upon violations to this requirement so as to remediate. 9

12 PCI Requirements If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts. Use of the NitroView ESM and DBM products can help ensure that key management is done securely through: Detecting the use of a common account between multiple users Detecting the use of a common account between multiple applications Unauthorized or malicious access to keyed systems, via brute force type attacks or other exploits. 10

13 Requirement #4 Encrypt transmission of cardholder data across open, public networks PCI Requirements 4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. The Nitro products can detect unencrypted cardholder data transmitted through the corporate network or over the internet through several means: Automatically through content filtering using NitroView ADM Automatically through log filtering using NitroView ELM Manually through log searches and event filters using NitroView ESM Use of any of these products allows the organization to accomplish the testing procedures for 4.1, and to identify and alert upon violations to this requirement so as to remediate Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE i) to implement strong encryption for authentication and transmission. The Nitro products can detect unencrypted cardholder data transmitted through the corporate network or over the internet through several means: Automatically through content filtering using NitroView ADM Automatically through custom rules implemented in NitroGuard IPS Automatically through log filtering using NitroView ELM Manually through log searches and event filters using NitroView ESM Use of any of these products allows the organization to accomplish the testing procedures for 4.1.1, and to identify and alert upon violations to this requirement so as to remediate. 4.2 Never send unencrypted PANs by end-user messaging technologies (for example, , instant messaging, chat). The Nitro products can detect unencrypted cardholder data transmitted using end user messaging technologies (through the corporate network or over the internet) through several means: Automatically through content filtering using NitroView ADM Automatically through custom rules implemented in NitroGuard IPS Automatically through log filtering using NitroView ELM Manually through log searches and event filters using NitroView ESM Use of any of these products allows the organization to accomplish the testing procedures for 4.2.a and to identify and alert upon violations to this requirement so as to remediate. Requirement #5 Use and regularly update anti-virus software 11

14 PCI Requirements 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). While the Nitro solutions are not A/V products, they can be of great assistance in determining where across an enterprise IT network the organization is in compliance with 5.1, and where there is additional remediation required. NitroView ESM can determine system profiles either via active fingerprinting, integration of external vulnerability assessment (VA) scanning, and the ability to analyze event logs from enterprise antivirus systems. With this level of visibility into logs, NitroView ESM can determine which endpoints have failed A/V scans. Integration with vulnerability assessment systems also provides detail on patching information, which can be correlated along with asset detail for a full picture of AV capability as it relates to compliance with Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software. The Nitro solutions can be of great assistance in determining where across an enterprise IT network the organization is in compliance with 5.1.1, and where there is additional remediation required. NitroView ESM can determine system profiles either via active fingerprinting, integration of external vulnerability assessment (VA) scanning, and the ability to analyze event logs from enterprise antivirus systems. With this level of visibility into logs, NitroView ESM can determine which endpoints are not effectively detecting malware. In addition, NitroView ESM supports bi-directional feeds with popular A/V and endpoint security systems providing application whitelisting, which is another means of positively identifying all authorized applications, and blocking all other applications, including malware. ESM delivers reporting for malware identified, and audit reports on application whitelist actions. 5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs. NitroView ESM identifies error conditions and significant events from A/V products, and then alerts as appropriate. These can include alerting upon signature updates, signature update failures, malware detected, and other error conditions. This functionality eases the burden of the test procedures identified in 5.2, as this information and the resulting reports can be automatically collected and reports developed for the entire enterprise. 12

15 Requirement #6 Develop and maintain secure systems and applications PCI Requirements 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release. NitroView ESM integrates with all major vulnerability assessment solutions to identify vulnerabilities associated with assets based on existing patch levels. 6.2 Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by PCI DSS Requirement 2.2 to address new vulnerability issues. NitroView ESM integrates with all major vulnerability assessment solutions to identify vulnerabilities associated with assets based on existing patch levels. 6.3 Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices, and incorporate information security throughout the software development life cycle. These processes must include the following: NitroView ESM delivers a central security intelligence capability so that logs written by individual applications can be correlated against other security event information being logged elsewhere in the IT infrastructure. When coupled with rules that are easily created to alert/alarm on various conditions, the resulting security information capability provides the foundation for a best practices incident response capability Testing of all security patches, and system and software configuration changes before deployment, including but not limited to the following: NitroView ESM can determine system profiles either via active fingerprinting, integration of external vulnerability assessment (VA) scanning, and the ability to analyze event logs from enterprise VA systems. With this level of visibility into logs, NitroView ESM can determine which endpoints are out of date with available patches, and which have had configuration changes made. Integration with vulnerability assessment systems also provides detail on patching information, which can be correlated along with asset detail for a full picture of patching and configuration management as it relates to compliance with Validation of all input (to prevent cross-site scripting, injection flaws, malicious file execution, etc.) NitroView ADM and NitroGuard IPS, inserted inline for critical systems, can use policy rules tailored to data structures to validate all system input Validation of proper error handling NitroView ADM and NitroGuard IPS, inserted in-line for critical systems, can use policy rules tailored to data structures to validate all system input. 13

16 PCI Requirements Validation of proper role- based access control (RBAC) NitroView ESM, ADM, and DBM, when integrated with Active Directory and other identity and access control solutions, can determine user roles and groups, and correlate valid and invalid access, and provide reports which are useful in determining when improper access is occurring, so that compliance can be reported on Removal of test data and accounts before production systems become active NitroView ADM, inserted inline in front of critical systems, can examine an application s data and detect things like known test data, accounts, etc. if they are ever used in a live environment. Alerts can then be raised based upon detecting these events Removal of custom application accounts, user IDs, and passwords before applications become active or are released to customers NitroView ADM can examine an application s data and detect things like known test data, accounts, etc. if they are ever used in a live environment. For example, the product can detect use of ghost accounts that have been hard coded into applications. Alerts can then be raised based upon detecting these events, so that administrators can remove them. 6.5 Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes, to include the following: NitroView ESM collects and manages data from multiple sources and correlates them together to provide valuable insight into the use of applications. Web server logs may be the first place that the presence of non-secure forms, unprotected calls to scripts, and the presence of HTTP error codes (404, 500, etc) are observed. Security incidents specifically targeting web application vulnerabilities, such as SQL injection and cross-site scripting can be identified and alerted upon by both NitroView ESM and NitroGuard IPS. NitroView ADM can also detect protocol anomalies in web traffic, and/or the presence of sensitive information in web traffic. It can also see usernames associated with a specific session. NitroView DBM can examine login activity on the backend database (as well as transactions performed after logging). The two together can detect account pooling (which is a poor web application design practice) and even track users through pooled access, if it is in place. NitroView DBM can very effectively detect SQL Injection attacks and provide proactive notification by monitoring multiple failed queries 14

17 PCI Requirements Cross-site scripting (XSS) Developing and debugging secure web applications requires correlating information available from multiple sources. NitroView ESM collects and manages data from multiple sources and correlates them together to provide valuable insight into coding practices. Web server logs may be the first place that the presence of non-secure forms, unprotected calls to scripts, and the presence of HTTP error codes (404, 500, etc) are observed. Security incidents specifically targeting web application vulnerabilities, such as SQL injection and cross-site scripting can be identified and alerted upon by NitroView ESM, DBM, and NitroGuard IPS Injection flaws, particularly SQL injection. Also consider LDAP and Xpath injection flaws as well as other injection flaws. Developing and debugging secure web applications requires correlating information available from multiple sources. NitroView ESM collects and manages data from multiple sources and correlates them together to provide valuable insight into coding practices. Web server logs may be the first place that the presence of non-secure forms, unprotected calls to scripts, and the presence of HTTP error codes (404, 500, etc) are observed. Security incidents specifically targeting web application vulnerabilities, such as SQL injection and cross-site scripting can be identified and alerted upon by NitroView ESM, DBM, and NitroGuard IPS. NitroGuard IPS can also actively detect and block SQL attacks. When used in conjunction with DBM and ESM, more subtle threats to the database may be detected Malicious file execution Requirement refers to preventing malicious file execution in web applications code. When deployed on the appropriate network segment in front of a web application, the NitroGuard IPS and NitroView ADM solutions can augment this by identifying and in some cases blocking access to.exe files, and by preventing malicious file execution from attachments, Trojans, and other malware Information leakage and improper error handling NitroView ADM can detect improper information leakage, including cardholder data, when inserted inline in front of critical systems Broken authentication and session management NitroView ADM, DBM, and ESM can examine application access and login activity, and can detect discrepancies including broken authentication and session management. For example, applications that use guest account access or inappropriate administrative privileges on web applications to query databases can be identified and reported upon Failure to restrict URL access NitroView ADM can use custom rules to detect applications that are access prohibited URLs, and reports on this activity can be easily created. 15

18 PCI Requirements 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: NitroView ESM can gather log data from specific web security solutions such as web application firewalls, and can alert and report on potential security incidents. Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Installing a web-application firewall in front of public-facing web applications 16

19 Requirement #7 Restrict access to cardholder data by business need-to-know PCI Requirements 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following: NitroView ESM gathers access control audit log data and can assist in identifying both authorized access and access attempts by unauthorized users (including orphaned user accounts). NitroView DBM and ADM provide visibility into users accessing cardholder data to ensure that the limit access to individuals whose job requires access to cardholder data PCI requirement can be enforced Assignment of privileges is based on individual personnel s job classification and function NitroView ESM integrates with Active Directory and other identity and access management solutions to help deliver a full picture of user roles and privileges and how they are used on the network, by correlating identity and roles to observed access, application use, and events. This functionality makes validating far simpler Implementation of an automated access control system NitroView ESM integrates with Active Directory and other identity and access management solutions to help deliver a full picture of user roles and privileges and how they are used on the network, by correlating identity and roles to observed access, application use, and events. This functionality makes auditing access control, as called for in far simpler. 17

20 Requirement #8 Assign a unique ID to each person with computer access PCI Requirements 8.1 Assign all users a unique ID before allowing them to access system components or cardholder data. NitroView ESM allows reporting and log analysis to determine if specific accounts have suspicious login patterns that can indicate problems such as shared or stolen logins. This allows auditing for compliance with In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: NitroView ESM can help organizations to determine where systems may not be compliant with 8.2, by detecting instances where a mismatch occurs between the user ID and secondary (token, biometrics, or other two-factor) authentication. Password or passphrase Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys) 8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates. NitroView ESM uses authentication information from RADIUS and other authentication systems to verify accounts, and to subsequently track user activity across networks and applications. 8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography. NitroView ESM, IPS, and ADM can identify unencrypted passwords being used on a network. NitroView DBM can detect unencrypted passwords on a system. 8.5 Ensure proper user authentication and password management for non- consumer users and administrators on all system components as follows: NitroView DBM can track user and account activity, maintaining a clear audit trail of user activity including the addition of new user accounts, account deletion, and escalation of account privileges. Account grouping or pooling between users and applications can be detected by NitroView ESM, and by DBM Do not use group, shared, or generic accounts and passwords. NitroView ADM detects and reports upon the use of weak, shared, and generic passwords, which helps in testing for compliance with