Keeping Up with PCI:

Transcription

1 Pocket E-Guide Keeping Up with PCI: Implementing Network Segmentation and Monitoring Security Controls Payment Card Industry Data Security Standards (PCI DSS) requirements specify that the security controls you implement must be monitored and tested. This includes specifications for logging, monitoring and penetration testing. In this expert e-guide, get tips on establishing a process for logging activity and tying records to users, and three main requirements for testing security controls. Also, find out how to implement PCI network segmentation and how it may ease PCI compliance for your organization. Sponsored By:

2 Table of Contents Pocket E-Guide Keeping Up with PCI: Implementing Network Segmentation and Monitoring Security Controls Table of Contents: PCI DSS requirement: Monitoring and testing security How to implement PCI network segmentation Resources from SonicWALL Sponsored by: Page 2 of 7

3 PCI DSS requirements: Monitoring and testing security PCI DSS requirement: Monitoring and testing security Mike Chapple In addition to requirements specifying the security controls you apply to the systems and networks handling credit card transactions, the Payment Card Industry Data Security Standard (PCI DSS) also requires that you regularly monitor and test those controls. This includes specifications for logging, monitoring and penetration testing. ACTIVITY LOGGING One of the most burdensome requirements of PCI DSS is the requirement that you establish a process for logging a great deal of activity, tying activity records to individual users and storing those logs for future reference. Organizations approaching PCI DSS for the first time typically find large gaps between their current practices in this area and the PCI DSS requirements. For example, the standard requires that you log: All access to cardholder data All actions taken by an administrator All access to logs All invalid login attempts All identification and authentication mechanisms All creations or deletions of system-level objects That's a lot of activity. For each of those events, you need to store: User name Event type Timestamp Success/failure status Origination of event Identity of affected system/resource/data And, to top it all off, you need to retain this data for at least a year, with three months available immediately for online access. You'll also need to take steps to limit log access to those with a legitimate business need, back up your log entries to a centralized server and synchronize your system clocks to ensure consistent timestamps. Sponsored by: Page 3 of 7

4 PCI DSS requirements: Monitoring and testing security MONITORING SECURITY It's not sufficient to simply store voluminous log records: you also must review those logs on at least a daily basis to identify any suspicious activity. PCI requires that you perform these daily reviews for any logs of security-related systems along with authentication, authorization and accounting servers. This is where automation is your friend. It's virtually impossible to perform these reviews without the assistance of log monitoring tools (at the very least) or a security incident monitoring (SIM) system at best. In addition to monitoring your logs, PCI DSS requires that you place intrusion detection and/or prevention systems on your network in position(s) where they can monitor all traffic within your cardholder data environment. The IDS/IPS must be configured to alert security personnel to any suspicious traffic and to receive regular signature updates. It's a good idea to configure these systems to alert whenever they detect cleartext credit card numbers on the network. You can do this by using credit card regular expressions. Finally, you must deploy file integrity monitoring software on your systems to identify any unauthorized modifications of critical files on at least a weekly basis. The most well-known solution in this space is the Tripwire file integrity monitoring software, but you also may wish to investigate alternatives, such as Solidcore. TESTING SECURITY CONTROLS PCI DSS requires that you conduct regular testing of your security controls as well. There are three main requirements in this area: You must scan your airspace for any rogue wireless access points using a wireless analyzer at least quarterly. Alternatively, you may deploy a wireless IDS/IPS that is capable of detecting unauthorized wireless devices and alerting security personnel to their presence. You must conduct both internal and external vulnerability scans on at least a quarterly basis and after any significant network change. The quarterly external scans must be conducted by an Approved Scanning Vendor while the other scans may be performed by your staff. You must perform both internal and external penetration testing annually or after any significant change to infrastructure or applications. It's usually a good idea (although not a requirement) that you use an external vendor for these tests to ensure impartiality and have a fresh set of eyes reviewing your security controls. Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a contributor to SearchMidmarketSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the "CISSP Prep Guide" and "Information Security Illuminated." Sponsored by: Page 4 of 7

5 VS SONICWALL SPIRALING TCO NO CONTEST Tired of wasting IT budget deploying and managing so called best-of-breed network security and data protection solutions? If three-fourths of your budget is going toward the maintenance of these solutions, then your total cost of ownership (TCO) is spiraling out of control. But there s a smarter alternative SonicWALL s high-performance network security, security, and data protection solutions. SonicWALL is committed to improving performance and productivity by engineering the cost out of building and running secure networks. SonicWALL solutions strategically reduce the cost of acquisition, deployment, and management, providing you higher-performance protection at a lower TCO. See how at NETWORK SECURITY SECURE REMOTE ACCESS WEB AND SECURITY BACKUP AND RECOVERY POLICY AND MANAGEMENT 2009 SonicWALL, Inc. SonicWALL and the SonicWALL logo are registered trademarks of SonicWALL, Inc.

6 How to implement PCI network segmentation How to implement PCI network segmentation EXPERT RESPONSE FROM: Mike Chapple, featured expert I'm writing a standard for my company that addresses network segmentation and qualifies as PCI DSS compliant. I need qualified resources that reference on this topic; there are plenty of comments and talk on this subject but not much documented practice. Can you point me in the right direction for solid guidance on enterprise network segmentation? PCI network segmentation is a common approach to reducing the scope (and therefore the complexity) of card-processing networks. It follows the commonly used strategy of minimization: Store as little sensitive data in as few locations as possible and allow access to those who absolutely need it. When it comes to PCI DSS compliance, organizations commonly use network segmentation to wall off payment systems' credit card processing from the rest of their network, therefore placing the rest of that network outside the scope of the assessment. For example, consider a retail store that has a point-of-sale (PoS) network that handles credit card systems, as well as a back-office network consisting of 20 productivity workstations. The store can limit the scope of an assessment for PCI by using a firewall to place the card-processing systems on a network that is completely isolated from the productivity workstations. In this case, where a firewall is separating two networks with different switch fabrics, you've clearly achieved isolation. Other situations are a little more gray. For example, some assessors may consider the use of VLAN separation adequate for PCI DSS segmentation, but many (myself included) do not consider this adequate due to the fact that a single switch port misconfiguration could defeat the segmentation. As far as documentation, page 5 of the PCI DSS Requirements and Security Assessment Procedures is the authoritative reference on the topic. Like most standards, it provides a high-level goal while still offering flexibility in implementation.the relevant section reads: "At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. However, the adequacy of a specific implementation of network segmentation is highly variable and dependent upon such things as a given network's configuration, the technologies deployed, and other controls that may be implemented." Sponsored by: Page 6 of 7

7 Resources from SonicWALL Resources from SonicWALL Achieving PCI DSS Compliance Through Security, Reliability and Consistent Policy Control How to Accelerate PCI Compliance PCI DSS Ambiguities and How to Overcome Them About SonicWALL: SonicWALL is committed to improving the performance and productivity of businesses of all sizes by engineering the cost and complexity out of running a secure network. Over one million SonicWALL appliances keep tens of millions of worldwide business computer users safe and in control of their data. SonicWALL's award-winning solutions include network security, secure remote access, content security, backup and recovery, and policy and management technology. For more information, visit the company web site at Sponsored by: Page 7 of 7