Tripwire PCI DSS Solutions: Automated, Continuous Compliance


WHITE PAPER: Tripwire PCI DSS Solutions: Automated, Continuous Compliance. Configuration Control for Virtual and Physical Infrastructures

Contents

- Introduction
- Meeting Requirements with Tripwire Enterprise
- Group 1: Build and Maintain a Secure Network
- Group 2: Protect Cardholder Data
- Group 3: Maintain a Vulnerability Management Program
- Group 4: Implement Strong Access Control Measures
- Group 5: Regularly Monitor and Test Networks
- Group 6: Maintain an Information Security Policy
- Tripwire Helps You Achieve and Maintain PCI Compliance

Introduction

The major credit card companies collaboratively developed the Payment Card Industry Data Security Standard (PCI DSS) to protect sensitive cardholder account data from theft and fraud. Compliance is no longer an option; it is a requirement for all payment card network members, and failure to meet the requirements can result in monetary penalties or even the suspension or revocation of a company's right to accept or process credit card transactions. Fortunately, these standards amount to best practices that keep your systems, hardware, and data secure, which is critical for maintaining customer trust and your reputation. That is why it is so important to keep IT systems in a known and trusted state.

Achieving a known and trusted state is a challenging task for even the most technically adept and process-focused organizations. Tripwire software and services have helped over 6,000 customers globally audit change and manage configuration assessments across the breadth and depth of the entire data center. Helping merchants, banks, and payment processors meet PCI DSS requirements is a natural extension of what we have been doing all along. In fact, Tripwire software meets many of the more complex PCI requirements right out of the box. With Tripwire, you continuously collect the information needed to generate reports and evidence of PCI compliance, making your audit a quick task instead of a lengthy manual project.

Just ask Roni Wegner, Senior VP at CAPITAL Card Services: "Since implementing Tripwire Enterprise, we easily prove compliance for PCI audit requirements, have reduced unplanned work, and greatly improved our change management process. Now, instead of spending time on service events, we can focus more on completing our IT projects, and adding additional value and efficiency to the company."
Benefits Well Beyond Compliance

Although your current focus may be on validating PCI compliance, Tripwire Enterprise can leverage industry standards and benchmarks to automatically assess configurations, determining the degree of operational, regulatory, and security risk. Tripwire also helps you continuously maintain a known and trusted state by establishing a secure baseline to measure change against, then monitoring against that baseline through ongoing, tunable change detection. The result is a deliberate and controlled approach to maintaining system and application security, greater system uptime, and confidence that customer data is secure. Because Tripwire Enterprise maintains a record of all integrity checks and detected violations for use in audits, investigations, and historical reference, you have the information you need to validate compliance, which translates to fewer IT resources spent on audits and more time devoted to strategic and innovative efforts.

The Payment Card Industry Data Security Standard: Requirements that Just Make Sense

The PCI Security Standards Council (PCI SSC), a not-for-profit organization created to foster adoption of cardholder data security standards, developed the PCI DSS. The standard can be broken into six main groups, with one or more specific requirements in each group.
These main groups, taken verbatim from the PCI Security Standards Council's Web site, require merchants, service providers, and acquiring banks to:

Group 1: Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Group 2: Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks

Group 3: Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications

Group 4: Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique, traceable ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data

Group 5: Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes

Group 6: Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security

Meeting Requirements with Tripwire Enterprise

The requirements of the PCI DSS range from simple inspect-and-verify activities to historical proof of compliance via continuous monitoring. Tripwire Enterprise can help address these requirements right out of the box with change audit reporting and a library of PCI configuration assessment tests. Tripwire Enterprise also produces evidence that required processes are followed properly: when a change is made to a system, it can show that a change request was submitted, the work was performed, and the change request was closed. Tripwire has also developed a comprehensive set of rules for the systems we monitor and the many applications our customers use, and our experience makes creating rules for custom applications simple. Tripwire Professional Services can help assure that you get the most from your investment, from planning to implementation to ongoing education and maintenance. You will work with services staff who really understand the business of system and device security.

"If you are going to purchase any one tool to help achieve PCI compliance, buy Tripwire." James Summers, CISO, Vesta

The table below maps key Tripwire Enterprise capabilities to specific requirements in the PCI DSS; each requirement is followed by the corresponding Tripwire Enterprise capability.

Group 1: Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

All systems must be protected from unauthorized access from the Internet, whether entering the system as e-commerce, employees' Internet-based access through desktop browsers, or employees' e-mail access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

Requirement 1.1: Establish firewall configuration standards that include the following:
- A formal process for approving and testing all external network connections and changes to the firewall configuration.
- Quarterly review of firewall and router rule sets.

Tripwire Enterprise: Monitors the state of firewalls and routers, detecting, responding to, and reporting on any unauthorized changes to configuration files, rule sets, and, if necessary, the operating system underlying the firewall. Tripwire also generates and distributes quarterly reports showing differences from the expected firewall and router configuration standards, so that these systems stay in a known and trusted state. Because Tripwire automates many of these tasks and keeps a record of the activities, the evidence is easy to produce and its production can be automated as well. With Configuration Assessment tests from Tripwire you can check each device's conformance to policy.

Requirement 1.2: Build a firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment:
- Web protocols: HTTP (port 80) and Secure Sockets Layer (SSL) (typically port 443).
- System administration protocols (e.g., Secure Shell (SSH) or Virtual Private Network (VPN)).
- Other protocols required by the business (e.g., for ISO 8583).
Tripwire Enterprise: Deviations from the known and trusted state caused by unauthorized change can be rapidly detected and recovered. Tripwire can provide proof that the entire network conforms and show any deviations, helping ensure that the only inbound traffic is for the protocols necessary for the cardholder environment. This helps minimize connections from untrusted networks.

Requirement 1.3: Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. The firewall configuration should include the following:
- Restricting inbound Internet traffic to IP addresses within the DMZ (ingress filters).
- Not allowing internal addresses to pass from the Internet into the DMZ.
- Implementing stateful inspection, also known as dynamic packet filtering (that is, only established connections are allowed into the network).
- Placing the database in an internal network zone, segregated from the DMZ.
- Restricting outbound traffic to that which is necessary for the cardholder data environment.
- Securing and synchronizing router configuration files. For example, running configuration files (for normal functioning of the routers) and start-up configuration files (used when machines are re-booted) should have the same secure configuration.
- Denying all other inbound and outbound traffic not specifically allowed.
- Installing perimeter firewalls between any wireless networks and the cardholder data environment, and configuring these firewalls to deny any traffic from the wireless environment or to control such traffic (if it is necessary for business purposes).
- Installing personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees) which are used to access the organization's network.

Requirement 1.4: Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files).
- Implement a DMZ to filter and screen all traffic, to prohibit direct routes for inbound and outbound Internet traffic.
- Restrict outbound traffic from payment card applications to IP addresses within the DMZ.
Tripwire Enterprise: Performs regular scans of firewalls (network or personal) and routers, detecting, responding to, and reporting on any deviations from the established configuration standard across the cardholder environment, including the wireless environment. Tripwire can also restore device configurations to a previously authorized state (rollback), retaining a copy of the suspect configuration for analysis and possible later redeployment (roll forward). With regular scans, Tripwire Enterprise provides visibility into any deviation from the known and trusted state that could open connections between publicly accessible servers and any system storing cardholder data. Configuration Assessment tests can be developed to check each device's conformance with your specific configuration policy.

Requirement 1.5: Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet. Use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT).

Tripwire Enterprise: In addition to detecting unauthorized change, Tripwire can alert you, as they occur, to potentially unsafe configurations that may permit internal addresses to be translated and revealed on the Internet. Detailed device configuration audit trails from Tripwire provide the who, what, and when information needed for quick restoration to known and trusted configurations.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Hackers (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information.

Requirement 2.1: Always change the vendor-supplied defaults before you install a system on the network (for example, passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts).
- 2.1.1: For wireless environments, change wireless vendor defaults, including but not limited to wired equivalent privacy (WEP) keys, default SSID, passwords, and SNMP community strings. Disable SSID broadcasts. Enable Wi-Fi Protected Access (WPA and WPA2) technology for encryption and authentication when WPA-capable.

Requirement 2.2: Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by the SANS Institute, the National Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS).
- 2.2.1: Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers).
- 2.2.2: Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device's specified function).
- 2.2.3: Configure system security parameters to prevent misuse.
- 2.2.4: Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

Tripwire Enterprise: Validates configurations for default passwords and community strings against established standards and detects any systems or network devices (including wireless) that are out of compliance with those standards.
With Configuration Assessment, Tripwire Enterprise tests servers, databases, network devices, and applications for compliance with standards and auditing guidelines developed by recognized sources such as the Center for Internet Security (CIS) and the PCI Security Standards Council. Through continuous monitoring and analysis, Tripwire identifies systems and devices that are out of compliance, alerts on potentially unsafe configurations, tracks progress on remediation of identified compliance issues, and helps ensure that once compliant, you remain compliant. With regular scans, Tripwire also provides visibility into deviations from the known and trusted state, tracking not only changes to configurations but also the removal of applications, utilities, drivers, and so on. With Tripwire's attention to directives from industry thought leaders and a proven history of helping companies secure their systems and data, you can trust Tripwire to help you achieve and maintain continuous compliance.

Requirement 2.3: Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access.

Tripwire Enterprise: Tests network systems and devices to verify that only encrypted administrative protocols are enabled, and alerts you to potentially unsafe configurations when they occur.
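The kind of configuration-assessment test described for Requirement 1.3 (running and start-up configurations carrying the same secure configuration), Requirement 2.1 (vendor-default SNMP community strings) and Requirement 2.3 (encrypted non-console administrative access), shown as an added example in Python. This is not Tripwire's product code: the two IOS-style device configurations are constructed for the example, and the rule set, the `check_device_config` function and the requirement labels attached to each finding are this example's own choices.

```python
"""Minimal configuration-assessment rules for a network device (added example,
not Tripwire product code). Both IOS-style configs below are constructed."""
from __future__ import annotations

import difflib
import re
from dataclasses import dataclass

# Vendor-default SNMP community strings that Requirement 2.1 says must be changed.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample: the start-up config is the approved, secure baseline ...
STARTUP_CONFIG = """\
hostname edge-rtr1
snmp-server community Kq7vZ-ro RO
line vty 0 4
 transport input ssh
line con 0
"""

# ... while the running config has drifted: a default community string was added
# and telnet was re-enabled on the vty (remote administration) lines.
RUNNING_CONFIG = """\
hostname edge-rtr1
snmp-server community public RO
snmp-server community Kq7vZ-ro RO
line vty 0 4
 transport input telnet ssh
line con 0
"""


@dataclass(frozen=True)
class Finding:
    requirement: str  # PCI DSS requirement the rule maps to (mapping chosen for this example)
    detail: str


def config_drift(running: str, startup: str) -> list[str]:
    """Lines that differ between running and start-up config ('+' = only in running)."""
    diff = difflib.unified_diff(startup.splitlines(), running.splitlines(), lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


def snmp_communities(config: str) -> list[str]:
    return re.findall(r"^snmp-server community (\S+)", config, flags=re.MULTILINE)


def vty_transports(config: str) -> list[str]:
    """Protocols accepted on the vty lines (empty list if there is no vty block)."""
    block = re.search(r"^line vty.*?(?=^line |\Z)", config, flags=re.MULTILINE | re.DOTALL)
    if block is None:
        return []
    m = re.search(r"^\s*transport input (.+)$", block.group(0), flags=re.MULTILINE)
    # Assumption for this example: a vty block with no 'transport input' line is treated as 'all'.
    return m.group(1).split() if m else ["all"]


def check_device_config(running: str, startup: str) -> list[Finding]:
    findings: list[Finding] = []
    # 1.3: running and start-up configuration files should carry the same secure configuration.
    drift = config_drift(running, startup)
    if drift:
        findings.append(Finding("1.3", "running-config differs from startup-config: " + "; ".join(drift)))
    # 2.1: no vendor-default community strings may remain in use.
    for community in snmp_communities(running):
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding("2.1", f"vendor-default SNMP community string in use: {community}"))
    # 2.3: non-console administrative access must be encrypted (SSH, not telnet).
    transports = vty_transports(running)
    if "telnet" in transports or "all" in transports:
        findings.append(Finding("2.3", "vty lines accept unencrypted telnet: transport input " + " ".join(transports)))
    return findings


if __name__ == "__main__":
    for finding in check_device_config(RUNNING_CONFIG, STARTUP_CONFIG):
        print(f"[{finding.requirement}] {finding.detail}")
```

Run against the constructed pair, the checks produce one finding for each of the three requirements; run against the start-up config alone (as both arguments) they produce none, which is the "known and trusted state" the paper refers to. The drift check is deliberately line-level so the report shows what changed, not merely that something did.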

Group 2: Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if the full PAN is not needed, and not sending the PAN in unencrypted e-mails.

Requirement 3.1: Keep cardholder information storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.

Tripwire Enterprise: Validates and reports on the removal of certain types of data, such as files and database tables, automating this process if desired.

Requirement 3.5: Protect encryption keys used for encryption of cardholder data against both disclosure and misuse. Restrict access to keys to the fewest number of custodians necessary. Store keys securely in the fewest possible locations and forms.

Requirement 3.6: Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data, including the following:
- Secure key storage.
- Periodic key changes: as deemed necessary and recommended by the application (for example, re-keying), preferably automatically, and at least annually.
- Destruction of old keys.
- Prevention of unauthorized substitution of keys.
- Replacement of known or suspected compromised keys.

Tripwire Enterprise: Can monitor file ownership and access control on key files by reporting and alerting on changes to these critical files.
It does not secure the files themselves or tell you whether the appropriate people have access; it monitors who has access and lets you decide whether that is appropriate. Tripwire Enterprise provides continuous monitoring of changes to encryption keys that are held in files, alerts when keys are modified or substituted, and tracks the issue until it is remediated.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Sensitive information must be encrypted during transmission over networks where it is easy and common for a hacker to intercept, modify, or divert data while in transit.

Requirement 4.1: Use strong cryptography and encryption techniques such as secure sockets layer (SSL)/transport layer security (TLS) and internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in the scope of the PCI DSS are the Internet, Wi-Fi (IEEE 802.11x), global system for mobile communications (GSM), and general packet radio service (GPRS).
- 4.1.1: For wireless networks transmitting cardholder data, encrypt the transmissions by using Wi-Fi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:
  - Use with a minimum 104-bit encryption key and 24-bit initialization value.
  - Use ONLY in conjunction with Wi-Fi protected access (WPA or WPA2) technology, VPN, or SSL/TLS.
  - Rotate shared WEP keys quarterly (or automatically if the technology permits).
  - Rotate shared WEP keys whenever there are changes in personnel with access to keys.
  - Restrict access based on media access control (MAC) address.

(WEP has since been shown to be cryptographically broken regardless of key length, and later versions of the PCI DSS prohibit it outright; treat the WEP provisions above as the floor of the version quoted here, not as a recommendation.)

Tripwire Enterprise: Searches configuration files for required security settings, alerting on deviations from defined policy such as weak encryption algorithms or expired SSL certificates. Once a configuration file is compliant, Tripwire monitors it and alerts if applications are not using the predetermined ports or the required level of encryption during transmission. Because Tripwire records and reports on all monitoring activity, providing evidence of ongoing monitoring for an audit becomes a quick task rather than an overwhelming project.

Group 3: Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software or programs

Many vulnerabilities and malicious viruses enter the network via employees' activities. Anti-virus software must be used on all systems and desktops to protect them from malicious software.

Requirement 5.1: Deploy anti-virus mechanisms on all systems commonly affected by viruses (particularly personal computers and servers). Note: Systems affected by viruses typically do not include UNIX-based operating systems or mainframes.

Requirement 5.2: Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

Tripwire Enterprise: Detects systems with out-of-compliance signatures, reporting when updating does not occur. Tripwire's approach relies on detecting variance from a compliant state, which complements anti-virus software's reliance on pattern matching and virus definitions. Because Tripwire tracks and reports on system changes, if a zero-day attack occurs Tripwire can detect the damaged systems before a virus definition is even available; by targeting only the damaged systems for quarantine and repair, Tripwire shortens and simplifies that process. Tripwire Enterprise monitors and validates changes to anti-virus software, including its uninstallation, and helps enforce change policies around anti-virus patch approval and maintenance windows.

Requirement 6: Develop and maintain secure systems and applications

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently released, appropriate software patches to protect against exploitation by employees, external hackers, and viruses. Note: Appropriate software patches are those that have been evaluated and tested sufficiently to determine that they do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

Requirement 6.1: Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release.

Tripwire Enterprise: Validates that the patch actually installed matches the patch expected. Tripwire also maintains an audit trail verifying that all expected patches have been implemented, and mitigates the risk of failed patches. (Tripwire does not itself ensure that patches are up to date.)

Requirement 6.3: Secure development practices, including:
- Testing of all security patches and system and software configuration changes before deployment.
- Removal of test data and accounts before production systems become active.
- Removal of custom application accounts, usernames, and passwords before applications become active or are released to customers.

Tripwire Enterprise: Validates that security patches are properly deployed to target systems, and identifies any systems incorrectly or incompletely patched. Because Tripwire validates proper patching, using it as part of the patch deployment process mitigates the risk and impact of failed patches and generates an independent audit trail for verification of proper deployment. Tripwire also provides an independent audit mechanism for conformance to security standards.
By managing patches in this manner, organizations further reduce the risk that a failed patch will impact systems at a later date.

Requirement 6.4: Follow change control procedures for system and software configuration changes. The procedures must include the following:
- Documentation of impact
- Management sign-off by appropriate parties
- Testing of operational functionality
- Back-out procedures

Tripwire Enterprise: Tracks, validates, and automatically reconciles changes with leading CMDB and ITSM solutions, and maintains an archive of configurations for roll-back.

Group 4: Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Although many organizations have policies regarding data protection, they lack a mechanism to detect when a change inadvertently compromises that protection. It is essential to ensure that critical data can only be accessed in an authorized manner.

Requirement 7.1: Limit access to computing resources and cardholder information to only those individuals whose job requires such access.

Requirement 7.2: Establish a mechanism for systems with multiple users that restricts access based on a user's need to know, and is set to deny all unless specifically allowed.

Tripwire Enterprise: Can alert when access rights to sensitive data change, providing evidence that the individuals you assigned access still have it and that the control was in place over a specific time period. Producing this evidence lets companies avoid expensive testing and validation of the control during an audit. Tripwire Enterprise tracks changes to access control lists, such as those in Active Directory or on files, to alert you to modified attributes or the addition of new users.

Requirement 8: Assign a unique, traceable ID to each person with computer access

Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.

Requirement 8.5: Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
- Control the addition, deletion, and modification of user IDs, credentials, and other identifier objects.
- Immediately revoke access for any terminated users.
- Remove inactive user accounts at least every 90 days.
- Enable accounts used by vendors for remote maintenance only during the time period needed.
- Change user passwords at least every 90 days.
- Require a minimum password length of at least seven characters.
- Use passwords containing both numeric and alphabetic characters.
- Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
- Limit repeated access attempts by locking out the user ID after not more than six attempts.

Tripwire Enterprise: Detects new user IDs and the modification or deletion of existing user IDs, generating evidence to verify that appropriate system access has been enforced. With Configuration Assessment, Tripwire offers specific tests that address these items explicitly (e.g., CIS for Windows 2003, CIS 8.3 for Red Hat and SUSE Linux).

Requirement 8.5 (continued):
- Set the lockout duration to thirty minutes or until an administrator enables the user ID.
- If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
- Authenticate all access to any database containing cardholder information. This includes access by applications, administrators, and all other users.

Tripwire Enterprise: The capabilities described above for Requirement 8.5 apply to these items as well.

Requirement 9: Restrict physical access to cardholder data

Not applicable to the Tripwire solution. Any physical access to data or to systems that house cardholder data provides the opportunity for an individual to access devices or data and to remove systems or hard copies, and should be appropriately restricted.

Group 5: Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis when something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.

Requirement 10.1: Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.

Tripwire Enterprise: Associates system changes with the individual user accounts responsible for them.

Requirement 10.2: Implement automated audit trails for all system components to reconstruct the following events:
- All individual user access to cardholder data.
- All actions taken by any individual with root or administrative privileges.
- Access to all audit trails.
- Creation and deletion of system-level objects.

Requirement 10.3: Record at least the following audit trail entries for all system components for each event:
- User identification
- Type of event
- Date and time
- Success or failure indication
- Origination of event
- Identity or name of affected data, system component, or resource

Tripwire Enterprise: Can track all changes and events by user, recording this information in a Tripwire report file that is protected from modification or deletion. Tripwire Enterprise is an independent solution that records changes to monitored systems separately from those systems.

Requirement 10.4: Synchronize all critical system clocks and times. Clocks are kept in sync by using specific utilities such as NTP.
Tripwire Enterprise: Can check for the existence of these services as part of its PCI policy tests.

Requirement 10.5: Secure audit trails so they cannot be altered.
- Limit viewing of audit trails to those with a job-related need.
- Protect audit trail files from unauthorized modifications.
- Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
- Copy logs for wireless networks onto a log server on the internal LAN.
- Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

Tripwire Enterprise: Monitors system log files and detects changes that occur outside a maintenance window or a decrease in log size, either of which is evidence of tampering (scheduled log rotation also shrinks or replaces a log file, so rotation events must be recognized to avoid false alarms). This information is recorded in Tripwire report files, which are themselves secured and monitored for integrity.

Requirement 11: Test security systems and processes on a regular basis to catch any vulnerabilities or breaches

Vulnerabilities are being discovered continually by hackers and researchers, and being introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and as software changes.

Requirement 11.1: Test security controls, limitations, network connections, and restrictions annually to assure the ability to adequately identify and stop any unauthorized access attempts.

Requirement 11.2: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Quarterly external vulnerability scans must be performed by a scan vendor qualified by the payment card industry. Scans conducted after network changes may be performed by the company's internal staff.

Requirement 11.3: Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:
- Network-layer penetration tests.
- Application-layer penetration tests.

Requirement 11.4: Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up to date.

Requirement 11.5: Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files, and configure the software to perform critical file comparisons at least weekly. Critical files are not necessarily only those containing cardholder data.
For file integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is the merchant or service provider). With Configuration Assessment, Tripwire Enterprise tests system settings against established baselines and standards, identifying areas where controls are configured incorrectly or non-existent. Tripwire Enterprise can help with internal network vulnerability scans by using Configuration Assessment. Tripwire can do this by proactively assessing system settings such as startup procedures, auditing policies, account policies, security settings, user rights, and file and registry permissions. In all, Tripwire runs thousands of tests throughout the data center. Although audits are periodic, risks must be controlled continuously, so Tripwire utilizes remediation, reconciliation and reporting techniques to alert you when non-compliance is detected. Although Tripwire does not perform penetration testing, Tripwire Enterprise can validate noted vulnerabilities found during penetration testing are corrected. Such detection allows IT to have an audit of addressing these issues and better manage security testing. Tripwire Enterprise monitors all activity to critical applications, operating systems, network devices, and databases across the entire data center and alerts you to modifications, ensuring the integrity of your IT systems. Tripwire Enterprise continuously monitors file integrity across the entire enterprise as often as needed. It also provides robust, flexible reporting with rules already defined and tuned, covering the OS in an intelligent manner. 
When integrated with an enterprise management system as part of the change management process, Tripwire detects when someone circumvents the security systems and processes designed for production systems. Such detection allows IT to address the issues these unauthorized activities create and to better manage security testing.
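As an added example (not Tripwire's code and not part of the original white paper), the following Python script shows the baseline-and-compare logic behind the two file integrity requirements discussed above: static monitoring of critical files, where any change alerts, and append-aware monitoring of log files, where the entries recorded at baseline time must stay intact and the file may only grow, so new log lines do not alert but an in-place edit or a shrinking file does. The baseline record format, function names, file names and sample file contents are this example's own assumptions.

```python
"""Added example: baseline-and-compare file integrity monitoring.

Two monitoring modes, matching the two requirements discussed above:
  "static": any change to the file raises an alert (critical system files).
  "append": bytes recorded at baseline time must be unchanged and the file
            may only grow (logs). Editing old entries or truncating the file
            alerts; appending new entries does not.
Baseline record format and function names are this example's own assumptions.
"""
import hashlib
import os
import tempfile


def digest_prefix(path, length):
    """SHA-256 of the first `length` bytes of `path` (the baselined region)."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def baseline(path, mode):
    """Record the trusted state of `path`: its current size and hash."""
    size = os.path.getsize(path)
    return {"path": path, "mode": mode, "size": size, "sha256": digest_prefix(path, size)}


def check(entry):
    """Compare the file with its baseline; return an alert string, or None if clean."""
    path = entry["path"]
    if not os.path.exists(path):
        return "MISSING: %s" % path
    size = os.path.getsize(path)
    if entry["mode"] == "static":
        if size != entry["size"] or digest_prefix(path, size) != entry["sha256"]:
            return "MODIFIED: %s" % path
        return None
    # append mode: a smaller file means baselined entries were removed
    if size < entry["size"]:
        return "TRUNCATED: %s shrank from %d to %d bytes" % (path, entry["size"], size)
    # the originally recorded region must hash the same; bytes after it are new entries
    if digest_prefix(path, entry["size"]) != entry["sha256"]:
        return "TAMPERED: %s baselined region was changed in place" % path
    return None


def demo():
    """Exercise both modes on constructed files in a temporary directory.

    Returns the alert (or None) produced for each scenario.
    """
    results = {}
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")
        with open(log, "wb") as f:   # constructed sample log line
            f.write(b"Jan 01 10:00:00 host sshd[1]: Accepted publickey for alice\n")
        log_entry = baseline(log, "append")

        # 1) normal operation: a new entry is appended -> no alert
        with open(log, "ab") as f:
            f.write(b"Jan 01 10:05:00 host sshd[2]: Failed password for root\n")
        results["append"] = check(log_entry)

        # 2) an existing entry is rewritten in place (file does not shrink) -> alert
        with open(log, "r+b") as f:
            f.seek(0)
            f.write(b"Jan 01 10:00:00 host sshd[1]: Accepted publickey for mallory")
        results["edit"] = check(log_entry)

        # 3) the log is truncated to hide activity -> alert
        with open(log, "wb") as f:
            f.truncate(0)
        results["truncate"] = check(log_entry)

        # 4) a critical binary in static mode: unchanged, then altered
        binary = os.path.join(d, "sshd")
        with open(binary, "wb") as f:   # constructed stand-in for a binary
            f.write(b"\x7fELF-original")
        bin_entry = baseline(binary, "static")
        results["static_unchanged"] = check(bin_entry)
        with open(binary, "wb") as f:
            f.write(b"\x7fELF-modified")
        results["static_changed"] = check(bin_entry)
    return results


if __name__ == "__main__":
    for scenario, alert in demo().items():
        print("%-16s %s" % (scenario, alert or "ok"))
```

In append mode a shrinking file is always reported, because that is the signature of a log being cleared; scheduled log rotation produces the same signature, so a real deployment re-baselines the log at each rotation (or monitors the rotated copy as a static file) instead of suppressing the alert.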

Group 6: Maintain an Information Security Policy

Requirement 12: Keep an up-to-date policy that covers all aspects of information security

A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it.

Establish, publish, maintain, and disseminate a security policy that accomplishes the following: includes a review at least once a year and updates when the environment changes. While Tripwire Enterprise does not produce governance documentation, it helps validate adherence to procedures, so if a policy violation occurs, Tripwire provides evidence of that violation.

Monitor and analyze security alerts and information, and distribute to appropriate personnel. Tripwire Enterprise helps monitor changes that may indicate violations of policy, e.g., an internal user making unauthorized changes. To aid incident response and recovery, Tripwire can automatically trigger third-party tools to restore systems to their last known and trusted state.

Tripwire Helps You Achieve and Maintain PCI Compliance

Complying with the PCI DSS just makes sense. If an acquiring bank, service provider, or merchant meets the standard, they not only satisfy the audit, but have a system that enhances the data security of their customers. This also reduces the amount of time spent fighting fires caused by poor network and data security practices. Tripwire software and service solutions can help you meet many of the more complex PCI DSS requirements right out of the box. With Tripwire, you continuously collect information to generate needed reports and evidence of PCI DSS compliance, making your audit a quick task instead of a lengthy project.

"With out-of-the-box capabilities specific to PCI, purchasing Tripwire saved my staff three months of having to search out and stitch together a hodge-podge solution on our own. The time savings more than paid for the software license and training." Rachelle Osborn, Director of IT, Wesco

Below are examples of PCI DSS reports and policies that provide a view into the insight you receive with Tripwire Enterprise.

PCI DSS Policy Example, Windows 2000: Tripwire leverages industry standards, such as benchmarks from the Center for Internet Security (CIS), to offer breadth and depth in PCI DSS compliance policies. For each specified PCI policy test or policy test group, Tripwire can tell you the number and percentage of nodes that are in full compliance with the test (or group), and the number of nodes that are not in full compliance.

Vesta is using Tripwire Enterprise's configuration assessment to evaluate each system's compliance with both the benchmarks from the CIS and internal Vesta security policies. Vesta likes that it is able to compare configuration policies against its systems with the same solution that audits those systems for change. "With Tripwire doing both jobs, we only have one agent on the server performing both tasks, plus we are spared the time and expense of buying and managing two software packages." Ryan King, Vesta Security Engineer

PCI Dashboards: Easily create custom reports with drill-down capabilities to provide increased levels of detail.
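The policy-test roll-up described above (pass and fail counts per test, and the nodes in full compliance) can be illustrated with a small configuration-assessment pass. This is an added example, not Tripwire's PCI policy content, not a CIS benchmark and not code from the white paper: the three policy tests, the sshd_config parsing rules and the sample configurations for the four hypothetical nodes are this example's own assumptions. It also shows two details a practitioner has to get right: a setting that is absent fails the test (the daemon default is then in force), and when a keyword appears twice the first occurrence wins, as sshd itself behaves, so a hardening line appended to the end of the file does not fix an earlier permissive one.

```python
"""Added example: a configuration-assessment pass over several nodes.

Each policy test names a setting and the value it must have. A node passes a
test only if its config sets the keyword to that value; an absent keyword
fails (the daemon default applies) and the first occurrence of a keyword is
the effective one. Results are rolled up per test into pass/fail counts and
the percentage of nodes passing. Tests, node names and config contents are
this example's own assumptions, not Tripwire's policy or a CIS benchmark.
"""

POLICY_TESTS = [
    {"id": "ssh-no-root-login", "key": "PermitRootLogin", "expect": "no"},
    {"id": "ssh-no-password-auth", "key": "PasswordAuthentication", "expect": "no"},
    {"id": "ssh-protocol-2", "key": "Protocol", "expect": "2"},
]

# Constructed sshd_config contents for four hypothetical nodes.
NODE_CONFIGS = {
    "pos-web-01": "Protocol 2\nPermitRootLogin no\nPasswordAuthentication no\n",
    "pos-web-02": "# hardened?\nProtocol 2\nPermitRootLogin yes\nPasswordAuthentication no\n",
    # the hardening line was appended, but the earlier "yes" is what sshd uses
    "pos-web-03": "PermitRootLogin yes\nPermitRootLogin no\nProtocol 2\nPasswordAuthentication no\n",
    # PasswordAuthentication absent -> sshd default (yes) is in force
    "pos-db-01": "Protocol 2,1\nPermitRootLogin no\n",
}


def parse_sshd_config(text):
    """Return {keyword: value} (keywords lower-cased) from sshd_config-style text.

    Comments and blank lines are skipped; the first occurrence of a keyword wins.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def evaluate(test, settings):
    """True only if the setting is present and equals the expected value."""
    actual = settings.get(test["key"].lower())
    return actual is not None and actual.lower() == test["expect"].lower()


def assess(node_configs, tests):
    """Run every test on every node and roll the results up per test."""
    per_node = {}
    for node, text in node_configs.items():
        settings = parse_sshd_config(text)
        per_node[node] = {t["id"]: evaluate(t, settings) for t in tests}
    total = len(node_configs)
    per_test = {}
    for t in tests:
        passing = sum(1 for n in per_node if per_node[n][t["id"]])
        per_test[t["id"]] = {"passing": passing, "failing": total - passing,
                             "percent": round(100.0 * passing / total, 1)}
    fully_compliant = sorted(n for n in per_node if all(per_node[n].values()))
    return {"per_node": per_node, "per_test": per_test,
            "fully_compliant_nodes": fully_compliant}


if __name__ == "__main__":
    report = assess(NODE_CONFIGS, POLICY_TESTS)
    for test_id, counts in report["per_test"].items():
        print("%-22s pass=%d fail=%d (%.1f%%)" % (test_id, counts["passing"],
                                                 counts["failing"], counts["percent"]))
    print("fully compliant:", report["fully_compliant_nodes"])
```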

PCI Compliance History: Understand the historic trend of compliance with specific PCI policies. This report calculates the number of passing and failing policy test results created for all specified nodes for each specified time interval.

PCI Change Process Compliance Report: This report identifies authorized and unauthorized changes to specified nodes over a period of time. It shows the trend in effectiveness of change process controls and can show trends by location or IT service.

PCI Change Variance Report: This report is typically used to compare the changes on the nodes after a patch/install has been completed. Any changes that are inconsistent across the nodes are flagged and reported on.

"Tripwire is highly effective at allowing us to identify, audit and investigate suspect changes." Richard Lindberg, Manager of Security Operations, MarketLive

PCI Change by Node or Node Group Report: This report compares the quantity of changes (current and historical) for specified nodes or node groups (e.g., locations), providing an overview of the types of changes and where the changes are occurring.

Ease of Evidence from Tripwire:
- Proof is automatically generated
- Historical records are automatically recorded
- Alerts generated allow management by exception

PCI Changes by Severity Report: This is a high-level report showing unresolved changes by severity. This report would typically be run at the end of a shift to identify systems that have deviated from their known and trusted state.
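The change process compliance report above labels each detected change as authorized or unauthorized, and the severity report counts what remains unresolved. As an added example (not Tripwire's code and not the product's actual reconciliation logic), the following Python shows one way that labelling can be done against change tickets from a change management system: a change is authorized only if a ticket for the same node has a maintenance window containing the change time and an approved path pattern matching the changed path; anything else, including a change to an approved path outside the window, is unauthorized. The ticket and change record formats, node names, paths, times and severities are this example's own constructed data.

```python
"""Added example: reconciling detected changes against approved change tickets.

A change is "authorized" only when a ticket exists for that node whose
maintenance window contains the change time and whose approved path patterns
cover the changed path. Everything else is reported as unauthorized, which is
what a change-process compliance report shows; unauthorized changes are also
tallied by severity. Record formats and sample data are this example's own.
"""
from collections import Counter, defaultdict
from datetime import datetime
from fnmatch import fnmatch

# Constructed sample tickets and detections (not real data).
TICKETS = [
    {"id": "CHG-1001", "node": "pos-web-01",
     "start": datetime(2009, 3, 2, 1, 0), "end": datetime(2009, 3, 2, 3, 0),
     "paths": ["/etc/httpd/*", "/usr/lib/httpd/modules/*"]},
]

CHANGES = [
    {"node": "pos-web-01", "path": "/etc/httpd/conf/httpd.conf",
     "time": datetime(2009, 3, 2, 1, 30), "severity": "high"},    # inside window, approved path
    {"node": "pos-web-01", "path": "/etc/httpd/conf/httpd.conf",
     "time": datetime(2009, 3, 2, 14, 10), "severity": "high"},   # approved path, outside window
    {"node": "pos-web-01", "path": "/etc/passwd",
     "time": datetime(2009, 3, 2, 1, 45), "severity": "high"},    # inside window, path not approved
    {"node": "pos-db-01", "path": "/var/lib/pgsql/data/pg_hba.conf",
     "time": datetime(2009, 3, 2, 2, 0), "severity": "medium"},   # no ticket for this node
]


def authorizing_ticket(change, tickets):
    """Return the first ticket that authorizes `change`, or None."""
    for t in tickets:
        if t["node"] != change["node"]:
            continue
        if not (t["start"] <= change["time"] <= t["end"]):
            continue
        if any(fnmatch(change["path"], pattern) for pattern in t["paths"]):
            return t
    return None


def reconcile(changes, tickets):
    """Label every change and roll up the counts the reports need."""
    labelled = []
    per_node = defaultdict(lambda: {"authorized": 0, "unauthorized": 0})
    unresolved_by_severity = Counter()
    for c in changes:
        t = authorizing_ticket(c, tickets)
        status = "authorized" if t else "unauthorized"
        labelled.append(dict(c, status=status, ticket=t["id"] if t else None))
        per_node[c["node"]][status] += 1
        if t is None:
            unresolved_by_severity[c["severity"]] += 1
    return {"changes": labelled,
            "per_node": dict(per_node),
            "unresolved_by_severity": dict(unresolved_by_severity)}


if __name__ == "__main__":
    report = reconcile(CHANGES, TICKETS)
    for c in report["changes"]:
        print("%-12s %-14s %-32s %s" % (c["status"], c["node"], c["path"],
                                        c["ticket"] or "-"))
    print("per node:", report["per_node"])
    print("unresolved by severity:", report["unresolved_by_severity"])
```

The path match is the part most often left out in practice: a ticket that opens a window on a node without saying which files it covers turns any change made during that window into an "authorized" one, which defeats the purpose of the report.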

About Tripwire

Tripwire helps over 6,000 enterprises worldwide reduce security risk, attain compliance and increase operational efficiency throughout their virtual and physical environments. Using Tripwire's industry-leading configuration assessment and change auditing solutions, organizations successfully achieve and maintain IT configuration control. Tripwire is headquartered in Portland, Oregon, with offices worldwide.

Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. WPPCI6


More information

Parallels Plesk Panel

Parallels Plesk Panel Parallels Plesk Panel Copyright Notice Parallels Holdings, Ltd. c/o Parallels International GmbH Vordergasse 59 CH-Schaffhausen Switzerland Phone: +41-526320-411 Fax: +41-52672-2010 Copyright 1999-2011

More information

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents Chapter 84 Information Security Rules for Street Hail Livery Technology System Providers Table of Contents 84-01 Scope of the Chapter... 2 84-02 Definitions Specific to this Chapter... 2 83-03 Information

More information

ISO 27001 PCI DSS 2.0 Title Number Requirement

ISO 27001 PCI DSS 2.0 Title Number Requirement ISO 27001 PCI DSS 2.0 Title Number Requirement 4 Information security management system 4.1 General requirements 4.2 Establishing and managing the ISMS 4.2.1 Establish the ISMS 4.2.1.a 4.2.1.b 4.2.1.b.1

More information

www.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters

www.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing

More information

Visa U.S.A. Cardholder Information Security Program (CISP) Security Audit Procedures and Reporting

Visa U.S.A. Cardholder Information Security Program (CISP) Security Audit Procedures and Reporting This guide is designed to assist an independent third-party security firm verify that a select merchant or service provider is in compliance with Visa U.S.A. Cardholder Information Security Program (CISP).

More information

PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

More information

Understanding the Intent of the Requirements

Understanding the Intent of the Requirements Payment Card Industry (PCI) Data Security Standard Navigating PCI DSS Understanding the Intent of the Requirements Version 1.1 February 2008 Table of Contents Cardholder Data and Sensitive Authentication

More information

Payment Card Industry Security Audit Procedures. January 2005

Payment Card Industry Security Audit Procedures. January 2005 Payment Card Industry Security Audit Procedures January 2005 Copyright The information contained in this manual is proprietary and confidential to MasterCard International Incorporated (MasterCard) and

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.1 February 2008 Table

More information

Meeting the PCI Standard

Meeting the PCI Standard Solidcore Systems, Inc. delivers innovative software solutions that provide capabilities to costeffectively gain control of its customers IT infrastructure and realize immediate and tangible value in support

More information

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA

More information

Visa Asia Pacific Account Information Security (AIS) Program Payment Application Best Practices (PABP)

Visa Asia Pacific Account Information Security (AIS) Program Payment Application Best Practices (PABP) Visa Asia Pacific Account Information Security (AIS) Program Payment Application Best Practices (PABP) This document is to be used for payment application vendors to validate that the payment application

More information

Beef O Brady's. Security Review. Powered by

Beef O Brady's. Security Review. Powered by Beef O Brady's Security Review Powered by Why install a Business Class Firewall? Allows proper segmentation of Trusted and Untrusted computer networks (PCI Requirement) Restrict inbound and outbound traffic

More information

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc. PCI Compliance Can Make Your Organization Stronger and Fitter Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc. Today s Agenda PCI DSS What Is It? The Regulation 6 Controls 12 Requirements

More information

PCI and PA DSS Compliance Assurance with LogRhythm

PCI and PA DSS Compliance Assurance with LogRhythm WHITEPAPER PCI and PA DSS Compliance Assurance PCI and PA DSS Compliance Assurance with LogRhythm MAY 2014 PCI and PA DSS Compliance Assurance with LogRhythm The Payment Card Industry (PCI) Data Security

More information

Using the AppGate Network Segmentation Server TO ACHIEVE PCI COMPLIANCE

Using the AppGate Network Segmentation Server TO ACHIEVE PCI COMPLIANCE Using the AppGate Network Segmentation Server TO ACHIEVE PCI COMPLIANCE Version 2.0 January 2013 Jamie Bodley-Scott Cryptzone 2012 www.cryptzone.com Page 1 of 12 Contents Preface... 3 PCI DSS - Overview

More information

Introduction. PCI DSS Overview

Introduction. PCI DSS Overview Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Security Audit Procedures Version 1.1 Release: September 2006 Table of Contents Introduction... 3 PCI DSS Applicability Information... 4 Scope of Assessment

More information

PADSS Implementation Guide

PADSS Implementation Guide PADSS Implementation Guide 9/25/2015 Blackbaud NetCommunity 4.0 PADSS Implementation US 2015 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by

More information

Technology Innovation Programme

Technology Innovation Programme FACT SHEET Technology Innovation Programme The Visa Europe Technology Innovation Programme () was designed to complement the Payment Card Industry (PCI) Data Security Standard (DSS) by reflecting the risk

More information

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But

More information

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard White Paper Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard Abstract This document describes how PowerBroker Identity Services Enterprise and Microsoft Active Directory

More information

Global Partner Management Notice

Global Partner Management Notice Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with

More information

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Compliance Brief The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Using Server Isolation and Encryption as a Regulatory Compliance Solution and IT Best Practice Introduction

More information

Please note that in VISA s vernacular this security program for merchants is sometimes called CISP (cardholder information security program).

Please note that in VISA s vernacular this security program for merchants is sometimes called CISP (cardholder information security program). Introduction This document serves as a guide for TCS Retail users who are credit card merchants. It is written to help them become compliant with the PCI (payment card industry) security requirements.

More information

Improving PCI Compliance with Network Configuration Automation

Improving PCI Compliance with Network Configuration Automation Improving PCI Compliance with Network Configuration Automation technical WHITE PAPER Table of Contents Executive Summary...1 PCI Data Security Standard Requirements...2 BMC Improves PCI Compliance...2

More information