Securing Your Endpoints
Achieving PCI Compliance with the Safend Data Protection Suite

Introduction

As security threats increase and become more sophisticated, organizations face pressure to implement strong processes and technology solutions to ensure compliance and the safety of critical assets. The risks associated with a data breach can be devastating, regardless of whether it is due to a simple mistake or a stolen endpoint device such as a laptop. The impact goes beyond fines and lost revenue to negatively affecting an organization's brand identity and equity, or jeopardizing customers' trust.

Compliance Driver

The PCI Data Security Standards Council (PCI DSS) is one of many global organizations concerned with protecting individuals' privacy and personal information. The PCI DSS Council is "an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection". Its mission is to enhance payment account data security by fostering broad adoption of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB, MasterCard, and Visa. The council issues security compliance requirements to merchants that process, store, or transmit cardholder information. PCI DSS v1.2, published in November 2008, contains the current set of requirements for credit card merchants. Specifically, the PCI DSS objectives ensure that compliant organizations build and maintain a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; monitor and test networks; and maintain an information security policy. As of January 11th, 2011, Version 2.0 of the PCI DSS standard is scheduled to go into effect. The updated standard provides greater clarity and aligns with industry changes and best practices.
Key Challenges

Despite the clear and present danger of data leakage and loss, implementing effective endpoint data protection remains an uphill battle for most organizations. Securing endpoints, without impacting employee productivity and system performance, demands a highly flexible solution that takes into account the dynamics of real-world work environments. Many end users view external devices and outbound communications as personal, and view encryption of any kind as a headache, often balking at and circumventing imposed security measures. As a result, today's data protection solutions need to be transparent without compromising data security within an organization. All possible endpoint data leakage avenues must be managed with powerful, enforceable, tamper-proof security. Endpoint data can exit organization boundaries in any number of ways: it can be carried away on an unencrypted storage device, stolen with the laptop it is stored on, or mistakenly sent to unauthorized email recipients. As the workforce continues to rely on and expand its use of mobile devices such as smart phones and laptops, the opportunity for leakage of sensitive information increases.

Safend is a leading developer of endpoint security products. The Safend Data Protection Suite protects organizations against endpoint data loss, misuse and theft through its single server, single console, single agent architecture, and contains the following components:

Discoverer: locates, classifies and maps data stored on organizational endpoints and network shares
Inspector: inspects, classifies and blocks leakage of sensitive content through email, IM, Web, external storage and printers
Protector: granularly controls ports and devices and encrypts external media
Encryptor: transparently encrypts internal hard drives
Reporter: generates detailed graphical reports for compliance assessment
Auditor: audits an endpoint for past and present connected devices and Wi-Fi networks
To learn more about the specific features of each component please visit http://safend.com/775-en/suite.aspx

The goal of this paper is to introduce you to the PCI DSS compliance requirements and demonstrate how the Safend Data Protection Suite can help you comply with PCI DSS regulatory requirements in your organization.

www.safend.com Copyright 2010 Safend Ltd
PCI Requirements and the Safend Data Protection Suite

The following pages contain a review of the PCI compliance requirements developed by the PCI Data Security Council. The requirements are divided into 12 main categories, which are further divided into sub-requirements. Table 1 includes data from the PCI DSS "Understanding the intent of the requirements" document. It should be noted that sensitive authentication data should not be stored anywhere, under any circumstance. Cardholder data can be stored, but it must be protected. The requirements in 1.2 are augmented by additional clarifications and guidance in the 2.0 document. The most prominent guidance is that, in preparation for a PCI DSS compliance exercise, an organization should first map all of its sensitive data to make sure it can protect it. Safend's Discoverer is uniquely suited to the task, as it quickly and unobtrusively maps data on all organizational endpoints.

Category                       Data Element                Storage permitted   Protection required   PCI DSS Req. 3.4
Cardholder Data                Primary Account Number      Yes                 Yes                   Yes
                               Cardholder Name             Yes                 Yes                   No
                               Service Code                Yes                 Yes                   No
                               Expiration Date             Yes                 Yes                   No
Sensitive Authentication Data  Full Magnetic Stripe Data   No                  N/A                   N/A
                               CAV2/CVC2/CVV2/CID          No                  N/A                   N/A
                               PIN/PIN Block               No                  N/A                   N/A

Table 1
The PCI DSS Council also released an additional document, "The Prioritized Approach to Pursue PCI DSS Compliance", which provides six security milestones that will help merchants and other organizations incrementally protect against the highest risk factors and escalating threats while on the road to PCI DSS compliance. Table 2 below summarizes the high-level goals and intentions of each milestone. Throughout this paper, we have noted the milestone goal next to the requirement defined by PCI DSS.

Milestone 1: Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised. Remember, if sensitive authentication data and other cardholder data are not stored, the effects of a compromise will be greatly reduced. If you don't need it, don't store it.

Milestone 2: Protect the perimeter, internal, and wireless networks. This milestone targets controls for the points of access of most compromises: the network or a wireless access point.

Milestone 3: Secure payment card applications. This milestone targets controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data.

Milestone 4: Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when, and how concerning who is accessing your network and cardholder data environment.

Milestone 5: Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data.

Milestone 6: Finalize remaining compliance efforts, and ensure all controls are in place. The intent of Milestone Six is to complete PCI DSS requirements and finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.

Table 2
Requirement 1 (Milestone 2): Install and maintain a firewall configuration to protect cardholder data.

This requirement refers first and foremost to a network-level firewall to protect against hackers infiltrating the network. The requirement describes defining and managing a firewall policy, both on the endpoint and on the enterprise routers. However, sub-requirement 1.1.2 refers to maintaining a stable network topology diagram, without which the various firewall zones could be rendered useless. Safend Protector, a component of the Safend Data Protection Suite, offers a feature that blocks bridging of networks between WiFi, Bluetooth, or 3G modems and the fixed enterprise network. Wireless bridging completely alters the network topology, since it can connect two previously separate parts of the network and create gaping holes in otherwise secure segments of the network. This feature helps an organization avoid a breach of PCI requirements and maintain good security practices by turning off non-secured wireless access, so that a TJX-like vulnerability is no longer available to a would-be attacker. To learn more about TJX:
http://datacompliance.netezza.com/data_auditing_blog/tabid/8146/bid/4793/how-did-the-tjx-databreach-happen.aspx
http://www.zdnet.com/blog/ou/tjxs-failure-to-secure-wi-fi-could-cost-1b/485

For data in motion, Safend Inspector, the content-aware component of the Safend Data Protection Suite, provides an additional protection layer for sensitive data transferred over approved data transfer channels, such as a white-listed storage device, an approved WiFi connection, or even a machine's LAN connection. Inspector adds context to the protocol definitions in a firewall through fine-tuning controls, ensuring that sensitive data is blocked regardless of the network location.
Safend Inspector enforces an accurate, data-centric security policy on data transferred across multiple channels, including email, web (HTTP, HTTPS), FTP, external storage devices, CD/DVD burners, local printers, and network printers, without disrupting legitimate business processes or disturbing end user productivity.
Requirement 2 (Milestone 2): Do not use vendor-supplied defaults for system passwords/security parameters.

This requirement applies to all systems, including the Safend Data Protection Suite. In an age when a web search for "Default Password" yields close to 1M results, and each of the top five first-page Google results is a compilation of at least 1000 different equipment types, the Safend Data Protection Suite has no users or passwords that are hardwired or even pre-defined. Authentication is based on Active Directory groups, users and roles. The default Windows settings for device and port connections are all open. Installing the Safend Data Protection Suite provides a base policy in which many of those ports are only selectively enabled, thereby significantly decreasing the attackable footprint of the protected system. Safend Protector can block WiFi, Bluetooth, FireWire, USB and many other ports and override the default Windows settings.

Requirement 3 (Milestone 1): Protect stored cardholder data.

Cardholder data stored inside the organization must be protected. This protection must combine multiple layers of defense and encompass all devices storing the sensitive data. Safend Discoverer, the newest addition to the Safend Data Protection Suite, allows security administrators to locate sensitive data-at-rest stored on organizational endpoints. Safend Discoverer helps identify gaps in data protection and provides insight into what policies should be implemented using other components of the Safend Data Protection Suite. Section 3.4 of the PCI document details the recommended features for an encryption solution. Stored cardholder data is protected by Safend Encryptor, a component of the Safend Data Protection Suite, which encrypts the hard drives and removable storage devices where the data resides.
Safend Encryptor encrypts all data on the drive using file-based, industry-standard AES-256 encryption, and safely stores the keys in a central location to allow recovery if needed. Recovery is possible only with the right administrator credentials, in agreement with requirement 3.6.
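As an added illustration of the discovery step that this requirement depends on, the following Python is example code written for this page; it is not Safend Discoverer's own detection logic, which the paper does not describe. It scans text for runs of 13 to 19 digits (optionally separated by spaces or hyphens), keeps only those that pass the Luhn check, and reports them truncated to the first six and last four digits, one of the ways PCI DSS 3.4 allows a PAN to be rendered unreadable. The sample text and the card numbers in it are constructed test values, not real accounts.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# and not immediately adjacent to other digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate a PAN to its first six and last four digits (PCI DSS 3.4 style)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return [(start, end, masked_pan)] for every Luhn-valid candidate in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), m.end(), mask_pan(digits)))
    return hits


def redact(text: str) -> str:
    """Replace every discovered PAN with its truncated form."""
    out = []
    last = 0
    for start, end, masked in find_pans(text):
        out.append(text[last:start])
        out.append(masked)
        last = end
    out.append(text[last:])
    return "".join(out)


# Constructed sample: two well-known test PANs plus a 16-digit order number
# that fails the Luhn check and must NOT be reported as cardholder data.
SAMPLE = (
    "invoice 2024-0001 customer 4111 1111 1111 1111 exp 12/27\n"
    "order ref 1234567890123456 internal id, not a card\n"
    "backup card: 5500-0000-0000-0004\n"
    "support line +1 555 0100\n"
)

if __name__ == "__main__":
    for start, end, masked in find_pans(SAMPLE):
        print(f"offset {start}-{end}: {masked}")
    print(redact(SAMPLE))
```

The Luhn filter is what keeps a scanner like this from flagging every long number (order ids, phone numbers, serial numbers) as a PAN; the truncation keeps the report itself from becoming a new store of cardholder data.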
The next layer of protection keeps the data from being removed from its protected endpoint. Safend Protector's granular port and device control allows only specific users to take specific data out of specific machines. If data has to be physically transferred, removable storage is a common way to back up and transmit large amounts of data to partners. Safend Protector automatically and seamlessly encrypts any removable media connected to a computer. Safend Protector creates a full usage trail of the encrypted transferred files and maintains control of the data, even when the removable storage is used outside the organization by a partner or remote worker. Safend Protector also enables tagging of specific CDs, and can limit access to tagged CDs only, thereby blocking the connection of any other CD or rewritable DVD, while still allowing encrypted burning of CDs and DVDs.

Requirement 4 (Milestone 2): Encrypt transmission of cardholder data across open, public networks.

Safend Inspector provides the protection layer for data transferred over open, public or approved data transfer channels, such as a white-listed storage device, an approved WiFi connection, or a machine's LAN connection. Inspector integrates with common secure file transfer solutions so that sensitive content can't be transferred unless properly authenticated. Safend Inspector enforces an accurate, data-centric security policy on data transferred across multiple channels, including email, web (HTTP, HTTPS), FTP, external storage devices, CD/DVD burners, local printers, and network printers, without disrupting legitimate business processes or disturbing end user productivity. In networks in which some of the data is physically transferred on CD, DVD or USB memory sticks, Safend Protector provides secure measures to protect any data transferred physically, by utilizing AES 256-bit encryption for removable media.
Safend Protector also enforces secure usage of WiFi networks by limiting access to WiFi networks by type, by MAC address and by SSID. The type of network (encrypted or non-encrypted, infrastructure or peer-to-peer) can be enforced, as can whitelisting of certain MAC addresses or SSIDs.
Requirement 5 (Milestone 2): Use and regularly update anti-virus software or programs.

An anti-virus solution is important to make sure that no malware finds its way into the internal network, and that any malware that does end up there is quickly removed. Malware today is capable of extracting sensitive data and sending it back to the malware's distributors, and is often used to harvest personal information and specifically credit card numbers. Safend Protector supplements solutions from vendors such as Symantec or McAfee by completely blocking the transfer of executables from and to removable storage devices. This protection enables blocking any USB-borne threat, even if it is not yet recognized by the established vendors at the time of the attack. Furthermore, it can granularly limit U3 autorun support, further enhancing the granularity of control over USB-originating malware. Security administrators can force a virus scan on removable storage devices, which is conducted after the device is inserted by the end user and before the user is allowed to access the device, thus making sure the machine will not be infected before the virus scan is concluded. The device virus scan is conducted using popular antivirus software installed on the endpoint.
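To illustrate why blocking executables on removable media has to look at file content and not only at the file name, the following Python is an added example for this page, not Safend Protector's code (the paper does not say how Protector identifies executables). It recognises Windows PE, ELF, Mach-O and shebang-script headers, and falls back to an extension check for named files whose content is not recognised. The sample transfers, including the renamed 68-byte PE header stub, are constructed for the example.

```python
import struct

# Extensions Windows treats as directly runnable; illustrative, not exhaustive.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js"}


def classify_executable(data: bytes):
    """Classify file content by its header; returns a type string or None."""
    if data.startswith(b"MZ"):
        # PE: e_lfanew at offset 0x3C points at the "PE\0\0" signature.
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        return "mz"            # DOS stub without a PE header, still executable
    if data.startswith(b"\x7fELF"):
        return "elf"
    if data[:4] in (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"):
        return "mach-o"
    if data.startswith(b"#!"):
        return "script"
    return None


def should_block(filename: str, data: bytes) -> tuple:
    """Decide whether a transfer to/from removable media should be blocked.

    Returns (blocked, reason). Content is checked first so that renaming
    payload.exe to report.pdf does not evade the control; the extension
    check then catches files whose content the header test does not know.
    """
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    kind = classify_executable(data)
    if kind is not None:
        return (True, f"content is {kind}")
    if ext in EXECUTABLE_EXTENSIONS:
        return (True, f"extension {ext}")
    return (False, "allowed")


def _minimal_pe() -> bytes:
    """Constructed 68-byte PE header stub: MZ magic, e_lfanew=0x40, PE signature."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


# Constructed sample transfers: (filename, content)
SAMPLE_TRANSFERS = [
    ("report.pdf", _minimal_pe()),                     # renamed executable
    ("setup.exe", b"not really a binary"),             # blocked by name alone
    ("tool", b"\x7fELF\x02\x01\x01" + b"\0" * 9),       # ELF with no extension
    ("run.sh", b"#!/bin/sh\necho hi\n"),               # shebang script
    ("q3_sales.xlsx", b"PK\x03\x04" + b"\0" * 28),      # office document (zip)
    ("notes.txt", b"plain text"),
]


def scan_transfers(transfers=SAMPLE_TRANSFERS) -> list:
    """Return [(filename, blocked, reason)] for each sample transfer."""
    return [(name, *should_block(name, data)) for name, data in transfers]


if __name__ == "__main__":
    for name, blocked, reason in scan_transfers():
        print(f"{name:14s} {'BLOCK' if blocked else 'allow':5s} {reason}")
```

The order of the two checks matters: content first, name second. A control that only consults the extension is defeated by a rename, while one that only consults the header misses script types that have no fixed magic, which is why both are kept.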
Non-encrypted removable storage devices will be scanned for viruses each time they are connected to a machine inside the protected organization. However, encrypted storage devices will only be scanned for viruses after they have been used on an unprotected machine outside the organization using the Device Access Utility, in order to minimize the impact on end users in the organization.

Requirement 6 (Milestone 3): Develop and maintain secure systems and applications.

This requirement refers to internal IT systems and applications. Safend Protector is an external application, so it does not contribute to this requirement. The thorough penetration and security testing performed on the Safend Data Protection Suite ensures that at least that part of a complete solution is secure. Safend Protector is certified to Common Criteria EAL2 and to FIPS 140-2.

Requirement 7 (Milestone 4): Restrict access to cardholder data by business need-to-know.

In order to restrict cardholder data and make it available only to the appropriate individuals, knowing where the information is stored is imperative. Discoverer, a component of the Safend Data Protection Suite, maps and locates credit card data on endpoints and network shares, providing administrators with the prerequisite necessary to protect the data. Requirement 7.2.2 discusses assigning rights to access data based on job function, as defined in the infrastructure. For most organizations this is usually Microsoft's Active Directory, with a minority of cases using other LDAP-based infrastructure from Novell. The Safend Data Protection Suite supports seamless synchronization of roles and groups from these systems, and the recommended best practice is to assign each group its own policy.
Requirement 7.2.3 recommends a restrictive ("deny-all") default policy. In Safend's best practices document [1] there are two recommended policy layers. The lower layer is the machine policy, and the higher one is the user policy. The default policy, if no known user is logged into the machine, is the machine policy, which is very restrictive, blocking all devices and logging all access attempts. Once a user logs in, a more permissive policy can be applied, on a need-to-know, need-to-use basis.

Requirement 8 (Milestone 4): Assign a unique ID to each person with computer access.

Safend Protector maintains unique IDs for computers, users, removable storage devices and even individual files in all its logs, so that auditing is greatly enhanced and simplified. Any administrative access to the Safend Management Server requires membership of the admin group and is logged separately with the user ID. Those unique IDs are protected by Safend Protector from thieves using hardware keyloggers. Hardware keyloggers are inline devices which connect to input devices such as keyboards, keypads, or credit card readers, and record all keystrokes between the input device and the target computer. Most hardware keyloggers are
no bigger than two AAA batteries. All hardware keyloggers contain the following two components:

Microcontroller: interprets and processes the electrical signal from the input device and records it in memory
Non-volatile memory: usually flash storage; stores the data from the microcontroller and retains it even if power is lost

They collect all transmitted data, including users, passwords, and credit card numbers, and can later replay the information back to a potential thief. Safend Protector blocks or detects those devices, rendering them useless and protecting the unique IDs as required by PCI DSS.

Requirement 9 (Milestone 5): Restrict physical access to cardholder data.

In order to restrict access to cardholder data, the first step is to know where the data is located. Discoverer maps and locates the cardholder data, providing the necessary visibility to ultimately restrict physical access. Physical access refers to physical entry points (doors, buildings) and also to the machines containing the sensitive data, or machines that can access them. Toward this end, Safend Protector can block the connection of any non-authorized USB device to any physical machine that is able to access cardholder data, so that cardholder data is secure. The recommendation of PCI DSS 1.2 only refers to network ports in requirement 9.1.2, but the very same requirement applies to USB ports. Requirement 9.9 refers to the inventory of removable media. Safend Inspector can keep track of content transferred to that media, while Safend Protector can encrypt as well as keep track of all such media.
The keyloggers referred to in section 8 may also be used by would-be attackers to eavesdrop on the communication between credit card readers and their host computers, thereby stealing full credit card data for each device they are connected to. The measures described in section 8 are also applicable to securing the connection of credit card readers.

Requirement 10 (Milestone 4): Track and monitor all access to network resources and cardholder data.

Access monitoring should include systems, endpoints, removable devices, and network resources. The Safend Data Protection Suite monitors all activity closely, including removable storage access by machine, user, device, file type and even content. Safend Protector monitors all access to cardholder data files on the PC (10.2.1), and has an extensive anti-tampering mechanism that warns administrators of any attempt to change or erase logs (requirements 10.2.3, 10.2.6, 10.2.7). Logging and monitoring user activity not only can be used to track down incidents when they occur; it can also help deter users from inappropriate actions. Users with administrative privileges, especially those with root or full system access privileges, require special consideration. The Safend Data Protection Suite works to establish automated audit trails to reconstruct user actions, such as copying data, based on the record of the user's actions with a device, date and time, and file properties information.
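To show the kind of log anti-tampering mechanism this requirement calls for, here is an added Python example written for this page; it is not Safend's implementation, and the paper does not describe how Protector detects log tampering. Each audit entry is hashed together with the previous entry's hash, so rewriting or erasing an entry breaks the chain at that point. The example also covers the one case a bare hash chain cannot detect on its own, silently dropping the newest entries, which is why the head hash has to be recorded somewhere the endpoint cannot rewrite (the central management server, in the suite's architecture). The event records are constructed sample data.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(prev_hash: str, event: dict) -> str:
    """Hash the canonical JSON of an event together with the previous entry's hash."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{payload}".encode("utf-8")).hexdigest()


def append_event(chain: list, event: dict) -> str:
    """Append an event to the chain and return the new head hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"event": dict(event), "prev": prev}
    entry["hash"] = _entry_hash(prev, entry["event"])
    chain.append(entry)
    return entry["hash"]


def verify_chain(chain: list, expected_head: str = None) -> tuple:
    """Return (True, None) if intact, else (False, index of the first bad entry).

    Without an out-of-band head hash, truncation of the newest entries is
    undetectable, so the caller should record the head where the endpoint
    cannot rewrite it and pass it in as expected_head.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("prev") != prev or _entry_hash(prev, entry["event"]) != entry.get("hash"):
            return (False, i)
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return (False, len(chain))
    return (True, None)


# Constructed sample events (endpoint, user, device, file); not real data.
SAMPLE_EVENTS = [
    {"ts": "2010-11-02T09:14:05Z", "host": "POS-07", "user": "jdoe",
     "action": "copy", "device": "USB:0951:1666", "file": "q3_sales.xlsx"},
    {"ts": "2010-11-02T09:15:40Z", "host": "POS-07", "user": "jdoe",
     "action": "copy", "device": "USB:0951:1666", "file": "cards_export.csv"},
    {"ts": "2010-11-02T09:20:12Z", "host": "POS-07", "user": "jdoe",
     "action": "disconnect", "device": "USB:0951:1666", "file": None},
]


def tamper_scenarios() -> dict:
    """Build a chain, then show which tampering each verification mode detects."""
    chain = []
    head = None
    for ev in SAMPLE_EVENTS:
        head = append_event(chain, ev)

    modified = copy.deepcopy(chain)
    modified[1]["event"]["file"] = "harmless.txt"   # rewrite an entry in place

    middle_removed = [chain[0], chain[2]]            # erase the incriminating entry

    truncated = chain[:2]                            # drop the newest entry

    return {
        "intact": verify_chain(chain, head),
        "modified": verify_chain(modified),
        "middle_removed": verify_chain(middle_removed),
        "truncated_no_head": verify_chain(truncated),
        "truncated_with_head": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name:20s} -> {result}")
```

The `truncated_no_head` result is the important caveat: a chain verifies clean after its tail is cut off, so a detection that "warns administrators of any attempt to change or erase logs" needs a reference point held off the endpoint, which is the role the central server plays in the architecture the paper describes.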
File Shadowing can establish a detailed audit trail for a questionable file transfer. It includes a copy of the transferred file in the incident data for that transfer. Any data on each of the inbound and outbound channels can be shadowed, including shadowing for specific file types. Collected shadow files are securely stored in a central repository and are available for review by authorized administrators.

Requirement 11 (Milestone 6): Regularly test security systems and processes.

Continuous testing and auditing can be done easily with the Safend Data Protection Suite. Safend Reporter, a component of the Safend suite, can generate historical and graphical statistical data for reporting purposes. Regular audits to discover devices should be scheduled. Safend Auditor enables security administrators to check, either on demand or at set intervals, for current device connections and/or all historic device connections on network endpoints. This data can be used immediately to improve security levels where needed. Just as important as deploying security defenses is regularly testing the effectiveness of those defenses. Using the Safend Data Protection Suite enables a security team to continuously improve device and data leakage protection during normal security improvement efforts. Most organizations regularly test security controls and processes to ensure they are in use and are implemented properly. Safend's technology strengthens a security team's ability to perform a security self-audit and uses regular scanning and management programs to pro-actively
prepare for audits, as well as protect the network and sensitive data assets. The Safend solution performs these functions as part of its on-going use as a security tool.

Requirement 12 (Milestone 2): Maintain an information security policy for employees and contractors.

Ultimately the standard on record is the documented information security policy. This establishes the standard that is expected of employees and contractors regarding the use of company resources, protection of company and customer data, and the methods for gaining approvals and access to these resources. Additionally, it establishes an incident alert and management process to monitor, escalate and respond to violations of policies, and to enforce the actions taken when these situations occur. The Safend Data Protection Suite has an easy-to-follow workflow and documentation process, so that policy enforcement and policy changes can be easily created, modified, documented and shared.

The Safend PCI Template Provides Built-In PCI Compliance

The Safend Data Protection Suite comes bundled with a built-in template to assist organizations in meeting PCI compliance regulations upon installing the solution. This feature specifies how to configure, operate, and maintain the product for PCI compliance. The built-in policies include the recommended settings, which can be applied "as is" with a single click or can be modified to better accommodate your organization's security and business needs. To assist with customization of policy settings, the suite includes detailed guidance explaining the specific impact of the policy security settings and the associated mapping of these settings to regulatory policy statements. Organizations achieve compliance quickly after deploying the product suite, while maintaining flexibility and end-user productivity.
Conclusions

Mobile technologies have created new challenges for IT departments. Traditional security has serious limitations: an information perimeter with localized access control points no longer meets PCI requirements. Newer technologies have been able to leapfrog this barrier and transfer information without defined access controls. The Safend Data Protection Suite augments PCI safeguards and integrates with existing organizational access privileges to control the flow of information from endpoints, through a single software product with a single management server and a single lightweight agent. With more than 2,200 customers worldwide and 2.6 million licenses sold, Safend's solutions are deployed by multinational enterprises, government agencies and small to mid-size companies across the globe. To overcome often complex, costly processes, Safend can empower your organization to centralize and quickly deliver the detailed information required to enforce compliance with the complete range of regulations your organization.

References

[1] PCI Security Council's "Understanding the Intent of the Requirements", https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf
[2] PCI DSS "Prioritized Approach to PCI DSS Compliance", https://www.pcisecuritystandards.org/education/prioritized.shtml