March

Transcription

1 SecureTrack Supporting Compliance with PCI DSS 2.0 March

2 Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions... 3 SecureTrack Support for PCI DSS Requirements... 5 Build and Maintain a Secure Network... 5 PCI Requirement 1: Install and maintain a firewall configuration to protect cardholder data... 5 PCI Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters... 8 Protect Cardholder Data... 9 PCI Requirement 4: Encrypt transmission of cardholder data across open, public networks... 9 Maintain a Vulnerability Management Program... 9 PCI Requirement 6: Develop and maintain secure systems and applications... 9 Implement Strong Access Control Measures... 9 PCI Requirement 7: Restrict access to cardholder data by business need-to-know... 9 Regularly Monitor and Test Networks PCI Requirement 10: Track and monitor all access to network resources and cardholder data PCI Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy PCI Requirement 12: Maintain a policy that addresses information security for employees and contractors 12 Conclusion: Automating PCI DSS Compliance Ensuring Compliance with PCI DSS 2/13

3 Introduction Since 2004, the major US credit card companies have cooperated on the implementation of a common data security standard called the Payment Card Industry Data Security Standard (PCI DSS). The PCI standards provide guidelines for organizations that process card payments in order to help them prevent credit card fraud, cracking and other security threats. By aligning with the industry best practices defined by PCI DSS, companies can increase the trust of both customers and partners. The Importance of Network Security Operations The majority of the PCI DSS requirements relate to network security. On the one hand, they are designed to ensure that network security practices eliminate or minimize known risks. On the other hand, they ensure that the organization defines well-structured policies, procedures and practices that can be tracked and audited. Data is only as secure as the pathways that provide access to it. PCI DSS requires firewalls to limit external access to sensitive data, combined with a formal process for monitoring all changes to firewall configuration. The standard defines a number of aspects of firewall operations that must be tracked and audited regularly, including clear definitions of roles and responsibilities. Within the organization, PCI DSS specifies ways to strictly limit access to sensitive data. While some requirements relate to technologies such as encryption, the majority are concerned with organizational practices such as defining and enforcing need to know status, changing default passwords and installing software updates. In addition to documenting organizational procedures, PCI DSS demands that organizations continuously track and demonstrate compliance through internal and external audits. Supporting PCI DSS with Automated Solutions Establishing PCI DSS compliance can be extremely resource intensive. For medium to large organizations, the many tasks involved in documenting, tracking and auditing network security procedures manually can take days. With Tufin SecureTrack, the leading automated firewall operations, auditing and compliance solution, companies can substantially reduce the time and cost of PCI DSS compliance as it applies to the management of firewalls, routers and related network security infrastructure. SecureTrack often reduces the amount of time required for audit preparation by more than 50%, while enabling continuous compliance with the PCI standard. Tufin SecureTrack is enabling countless organizations to meet the PCI requirements relating to network security, data safety, access control, and accountability. Automatic PCI DSS audit makes it easy to prepare quickly and thoroughly for an internal or external audit. Continuous change tracking and analysis monitors firewall policy changes, reports them in real-time and maintains a comprehensive, accurate audit trail for full accountability. Powerful security policy simulation and risk analysis enables security managers to query complex rule bases and simulate a broad range of scenarios. Configurable security alerts warn security managers whenever any change that could affect cardholder data security is implemented. Audit trail and reporting capabilities enable periodic audits by IT security teams and external auditors with intuitive, customizable reports. Multi-vendor best practices derived from extensive industry experience compare the current device configuration with best practice recommendations. The table below indicates the specific PCI requirements addressed by Tufin SecureTrack. Ensuring Compliance with PCI DSS 3/13

4 PCI DSS Requirement Description Tufin Security Suite Coverage Requirement 1 Requirement 2 Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Requirement 3 Protect stored cardholder data N/A Requirement 4 Encrypt transmission of cardholder data across open, public networks Requirement 5 Use and regularly update antivirus software or programs N/A Requirement 6 Develop and maintain secure systems and applications (includes installing the latest security patches) Requirement 7 Restrict access to data by business need-to-know Requirement 8 Assign a unique ID to each person with computer access N/A Requirement 9 Restrict physical access to cardholder data N/A Requirement 10 Track and monitor all access to network resources and cardholder data Requirement 11 Regularly test security systems and processes Requirement 12 Maintain a policy that addresses information security for all personnel The SecureTrack PCI Audit Report can be used both by organizations that are self-certifying and by organizations undergoing an on site assessment by a Qualified Security Assessor (QSA). SecureTrack reports are based on the Payment Card Industry Data Security Standard v 2.0 (October 2010), which can be found at: In the same location, you can also find PCI Self Assessment Documents. Visa merchant levels for PCI classification can be found on the Visa site: The rest of this paper explains in more detail how SecureTrack, with a rich set of automated and intuitive tools can help your organization ensure real compliance with PCI DSS. Ensuring Compliance with PCI DSS 4/13

5 SecureTrack Support for PCI DSS Requirements The PCI Data Security Standards lay down a specific list of guidelines that companies must follow in order to safely process credit card payments and store credit card information. This paper explains how SecureTrack can help your organization with each of the relevant requirements in the standard. 1 Build and Maintain a Secure Network PCI Requirement 1: Install and maintain a firewall configuration to protect cardholder data Firewalls are devices that control computer traffic allowed between an entity s networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity s internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity s trusted network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee access, dedicated connections such as business-tobusiness connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network. Other system components may provide firewall functionality, provided they meet the minimum requirements for firewalls as provided in Requirement 1. Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of Requirement 1. Requirement 1.1 Establish firewall and router configuration standards that include the following: A formal process for approving and testing all external network connections and changes to the firewall and router configurations Current network diagram with all connections to cardholder data, including any wireless networks SecureTrack enables organizations to implement a formal change management process with comprehensive tracking and reporting of every change, including full accountability. The PCI DSS Audit report provides a concise summary of the changes made to each device. Tufin s SecureChange Workflow to define and enforce and automate a comprehensive process for handling security configuration changes. SecureTrack s Network Topology feature helps to create and maintain an accurate map of the network. 1 Descriptions of the requirements are excerpted from the PCI DSS standard, version 2.0, released October Ensuring Compliance with PCI DSS 5/13

6 Requirement Description of groups, roles and responsibilities for logical management of network components Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP Requirement to review firewall and router rule sets at least every six months Using Business Ownership Change Reports, administrators can assign responsibility for network resources to the appropriate individuals. The PCI DSS Audit verifies that Business Ownership is configured and reports to the owners of the different network segments. The PCI DSS Audit also checks whether rules are documented. Tufin SecureChange Workflow enables you to enforce the application of roles and responsibilities throughout the security change process along with a separation of duties. PCI DSS Audit automatically performs a policy analysis and reports on the services and ports that are open between external networks, the DMZ and the internal network. Custom lists of allowed protocols and risky protocols can be configured within the PCI report. Tufin SecureChange Workflow performs proactive risk analysis before changes are approved or implemented to prevent inappropriate use of potentially insecure protocols. SecureTrack provides tools that enable in depth periodic rule audit and review by security managers and external auditors. PCI DSS Audit checks which reports are scheduled and verifies that they run on a quarterly basis. Requirement 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. PCI DSS Audit checks that traffic from untrusted networks and hosts is limited to specific PCI protocols. In addition, the Audit checks for explicit cleanup rules. SecureTrack tests all firewall policies to report connectivity between the wireless network and the cardholder environment. Ensuring Compliance with PCI DSS 6/13

7 Requirement 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports Limit inbound Internet traffic to IP addresses within the DMZ Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment Do not allow internal addresses to pass from the Internet into the DMZ Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet Implement stateful inspection, also known as dynamic packet filtering. (That is, only established connections are allowed into the network.) Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. PCI DSS Audit reports permissive rules that originate outside the DMZ (at external and internal addresses). SecureTrack compliance alerts provide notification about any change that allows unauthorized traffic. SecureTrack analyzes firewall policies with configured DMZ and internal network zones to verify that inbound connectivity terminates in the DMZ networks and not the Internal networks. SecureTrack analyzes all relevant firewall rules to verify that no direct Internet connections are allowed to the cardholder application and database servers. PCI DSS Audit reports on critical databases and verifies that they located within internal networks and not in a DMZ. Rule and object usage reports identify unused unnecessary - rules and objects. Security Policy Analysis can identify whether specific protocols are allowed inbound or outbound and by which rules. Enables managers to simulate each firewall rule base and uncover rules that enable traffic that is not necessary for the cardholder data environment. PCI DSS Audit verifies that all inspected firewalls implement stateful inspection. SecureTrack analyses relevant policies to verify that the PCI database servers are not in defined DMZ networks. Ensuring Compliance with PCI DSS 7/13

8 PCI Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information. Requirement 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.) Enable only necessary and secure services, protocols, daemons, etc., as required for the function of the system. Implement security features for any required services, protocols or daemons that are considered to be insecure for example, use secured technologies such as SSH, S-FTP, SSL, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc Configure system security parameters to prevent misuse. PCI Audit identifies servers that are allowed to implement more than one function. PCI DSS Audit automatically performs a policy analysis and reports on the services and ports that are open between external networks, the DMZ and the internal network. Custom lists of allowed protocols and risky protocols can be configured within the PCI report. SecureTrack compares current configuration with best practice recommendations, including over 50 different tests to ensure that firewalls are optimally tuned and defaults are changed. PCI DSS Audit checks which Best Practice Security Audits are activated and configured. Ensuring Compliance with PCI DSS 8/13

9 Protect Cardholder Data PCI Requirement 4: Encrypt transmission of cardholder data across open, public networks Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments. Requirement 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks. Policy Analysis locates any non-encrypted access as well as rules that accept services other than those specified. Compliance alerts notify administrators about any change that allows for non-encrypted access. Maintain a Vulnerability Management Program PCI Requirement 6: Develop and maintain secure systems and applications Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor- provided security patches, which must be installed by the entities that manage the systems. All critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software. Requirement 6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release. The Software Version Compliance Report provides a baseline test of software versions installed throughout the organization. PCI DSS Audit verifies that this report is configured. Implement Strong Access Control Measures PCI Requirement 7: Restrict access to cardholder data by business need-toknow To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job. Ensuring Compliance with PCI DSS 9/13

10 Requirement 7.1 Limit access to computing resources and cardholder information only to those individuals whose job requires such access. Policy Analysis enables security managers to simulate firewall policy by querying the rule base. Managers can use this tool to verify that access to cardholder data complies with policy. In addition, changes in access permissions are reported through SecureTrack s real-time reporting and alerting framework. Rule and Object Usage analysis identifies permitted access which is not used and should be removed. Requirement 7.2 Establish an access control system for system components with multiple users that restricts access based on a user s need to know, and is set to deny all unless specifically allowed.. Policy Analysis enables security managers to simulate the firewall policy by querying the rule base. Managers can use this tool to verify that access is limited according to need to know policies. Regularly Monitor and Test Networks PCI Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs. Requirement Implement automated audit trails for all system components to reconstruct the following events: All individual accesses to cardholder data All actions taken by any individual with root or administrative privileges Access to all audit trails Invalid logical access attempts Use of identification and authentication mechanisms Initialization of the audit logs Creation and deletion of systemlevel objects Configuration Change Monitoring maintains a detailed, read-only audit trail with full accountability for any configuration change made to supported devices. Ensuring Compliance with PCI DSS 10/13

11 Requirement Record at least the following audit trail entries for all system components for each event: User identification Type of event Date and time Success or failure indication Origination of event Identity or name of affected data, system component, or resource. SecureTrack maintains an audit trail for full accountability and keeps track of the following details in firewall policy changes: Name of user that changed a security policy IP address originating the change Change nature (policy save, policy install events) Date and time Success or failure indication Affected device(s) Requirement 10.5 Secure audit trails so they cannot be altered Limit viewing of audit trails to those with a job-related need Protect audit trail files from unauthorized modifications Promptly back up audit trail files to a centralized log server or media that is difficult to alter Write logs for external-facing technologies onto a log server on the internal LAN Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). SecureTrack access to all audit trails through the user interface is in read-only mode. SecureTrack s database is encrypted to ensure that unauthorized or out-of-band changes to audit trails can not occur. SecureTrack supports back up of the configuration audit trail to a storage repository. Requirement 10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up). SecureTrack s database can store audit trail and configuration change data for a minimum of 12 months, typically much longer. Configuration change reports can be easily generated for all monitored firewalls and other devices by vendor type and/or time range. Ensuring Compliance with PCI DSS 11/13

12 PCI Requirement 11: Regularly test security systems and processes Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment. Requirement 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). SecureTrack features a set of vulnerability tests that analyze whether any potential security risks appear. It can be run after any change to the network. Maintain an Information Security Policy PCI Requirement 12: Maintain a policy that addresses information security for employees and contractors A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of Requirement 12, personnel refers to full-time and part-time employees, temporary employees, contractors and consultants who are resident on the entity s site or otherwise have access to the cardholder data environment. Requirement 12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following: Addresses all PCI DSS requirements Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO and NIST SP ) Includes a review at least annually and updates when the environment changes. SecureTrack helps IT departments assess their compliance with PCI DSS. Compliance Policy enables security managers to define security policies based on PCI requirements and other industry standards and enforce these policies on every configuration change, or periodically. Ensuring Compliance with PCI DSS 12/13

13 Conclusion: Automating PCI DSS Compliance The PCI DSS standards provide guidelines for organizations that process card payments in order to help them prevent credit card fraud, cracking and other security threats. By aligning with the industry best practices defined by PCI DSS, companies can increase the trust of both customers and partners. A large number of the PCI DSS requirements concern network security to prevent external access to personal data and to restrict internal access to need to know. In addition to defining tools and technologies such as firewalls and encryption the standards demand that organizations define, document, enforce and audit operational procedures. Preparing for a PCI audit is an expensive, time-consuming project. Tufin SecureTrack is helping organizations around the world to comply with PCI DSS painlessly and costeffectively. With a specially designed PCI Audit report, SecureTrack makes it fast and simple to prepare for an internal or external audit. Providing in-depth information about the company s PCI compliance level, the automated PCI Audit report shows where improvements are needed and recommends how to address them. The PCI Audit centralizes many of the capabilities of SecureTrack in a single, convenient solution, to make it easier than ever to comply with PCI DSS. With SecureTrack, organizations are eliminating repetitive, manual tasks to cut the time and cost involved with PCI DSS audits by as much as half. No less important, SecureTrack s realtime change monitoring and compliance alerts enable security teams to achieve continuous compliance, the ultimate goal of PCI DSS. Learn more about Tufin SecureTrack at , 2009, 2010, 2011, 2012 Tufin Software Technologies, Ltd. Tufin, SecureChange, SecureTrack, Automatic Policy Generator, and the Tufin logo are trademarks of Tufin Software Technologies Ltd. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. Ensuring Compliance with PCI DSS 13/13