Closing Wireless Loopholes for PCI Compliance and Security

Similar documents
Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

PCI Wireless Compliance with AirTight WIPS

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

Wireless Security and Healthcare Going Beyond IEEE i to Truly Ensure HIPAA Compliance

Ensuring HIPAA Compliance in Healthcare

PCI DSS 3.1 and the Impact on Wi-Fi Security

How To Protect A Wireless Lan From A Rogue Access Point

PCI v2.0 Compliance for Wireless LAN

Wi-Fi, Health Care, and HIPAA

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

How To Secure Your Store Data With Fortinet

PCI Solution for Retail: Addressing Compliance and Security Best Practices

WLAN Security Why Your Firewall, VPN, and IEEE i Aren t Enough to Protect Your Network

Understanding WiFi Security Vulnerabilities and Solutions. Dr. Hemant Chaskar Director of Technology AirTight Networks

Don t Let Wireless Detour Your PCI Compliance

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Air Marshal. White Paper

Ensuring HIPAA Compliance in Healthcare

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

Technical Brief. Wireless Intrusion Protection

How To Protect Your Data From Being Stolen

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

All You Wanted to Know About WiFi Rogue Access Points

Wireless Security Strategies for ac and the Internet of Things

WHITE PAPER. Ensuring Compliance with DoD Wireless Policies

SecurityMetrics Vision whitepaper

Overlay vs. Integrated Wireless Security The pros and cons of different approaches to wireless intrusion prevention

Wireless Local Area Network Deployment and Security Practices

Designing, Securing and Monitoring a/b/g/n Wireless Networks

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Industrial Communication. Securing Industrial Wireless

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model

WHITE PAPER. Best Practices for Wireless Network Security and Sarbanes-Oxley Compliance

G-Cloud Service Definition. Atos Information Security Wireless Scanning Service

Security Awareness. Wireless Network Security

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

74% 96 Action Items. Compliance

GFI White Paper PCI-DSS compliance and GFI Software products

INFORMATION ASSURANCE DIRECTORATE

Cisco Unified Wireless Network Solution Positioning for the New PCI DSS Wireless Guideline

Using AirWave RAPIDS Rogue Detection to Implement Your Wireless Security and PCI Compliance Strategy

A Decision Maker s Guide to Securing an IT Infrastructure

Why Is Compliance with PCI DSS Important?

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Achieving PCI-Compliance through Cyberoam

Link Layer and Network Layer Security for Wireless Networks

Case Study: Fast Food Security Breach (Multiple Locations)

Payment Card Industry (PCI) Data Security Standard

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Achieving PCI Compliance Using F5 Products

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

PCI DSS Requirements - Security Controls and Processes

Wireless (In)Security Trends in the Enterprise

WHITEPAPER. Wireless LAN Security for Healthcare and HIPAA Compliance

Enterprise A Closer Look at Wireless Intrusion Detection:

Payment Card Industry Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Franchise Data Compromise Trends and Cardholder. December, 2010

Wireless Network Analysis. Complete Network Monitoring and Analysis for a/b/g/n

Observer Analyzer Provides In-Depth Management

Becoming PCI Compliant

March

Passing PCI Compliance How to Address the Application Security Mandates

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

PCI Data Security Standards (DSS)

Wireless Network Security

Miami University. Payment Card Data Security Policy

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

Wireless Security with Cyberoam

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

How To Manage Security On A Networked Computer System

Achieving Compliance with the PCI Data Security Standard

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

PCI Compliance. Top 10 Questions & Answers

Payment Card Industry Data Security Standard

Transcription:

Closing Wireless Loopholes for PCI Compliance and Security Personal information is under attack by hackers, and credit card information is among the most valuable. While enterprises have had years to develop security countermeasures to protect information on wired networks, wireless networks have created unique opportunities for exploitation. Increasingly, the trend is to capitalize on loopholes in network security through a wireless access point. Merchants who process payment cards need dedicated wireless monitoring systems that offer full traffic analysis and comprehensive security solutions to identify wireless security loopholes, provide solutions, and document compliance Table of contents Introduction.... 2 PCI Core Requirements... 2 Rogue APs and Clients.... 3 Insecure WLAN.... 3 Recommendations.... 3 AirMagnet Enterprise... 4 Industry Leading Threat Detection.... 4 Rogue Detection... 4 Vulnerability Detection.... 5 Unauthorized Connections.... 5 Periodic vs Full-Time... 5 for audits.

Introduction Compromising the cardholder data environment (CDE) through a wireless network has become such a concern that the PCI Data Security Standard (DSS) formed a PCI Wireless Special Interest Group (SIG) Implementation Team. In July of 2009, this team published the PCI-DSS Wireless Guidelines, a supplement to version 1.2 of the PCI standard. The supplement provides guidance on how the PCI-DSS applies to wireless and communicates methods for merchants to deploy secure wireless LANs. Frustrating to merchants is that even if an organization does not use wireless networking at all, the organization must verify that wireless networking has not been introduced to the CDE over time. According to the PCI Wireless Guideline, the organization must verify and continue to ensure that there are no WLANs attached to the network. This is because there are validation requirements that extend beyond the known wireless devices and require monitoring of unknown and potentially dangerous rogue devices that can allow access to the CDE. This paper will look at how to properly detect rogues in order to meet PCI compliance and how to close wireless security loopholes and actively protect the network with multiple layers of defenses, including intrusion detection systems (IDS). PCI Core Requirements Seven of core 12 requirements of the PCI-DSS are particular to wireless networks. It is these requirements that the PCI-DSS Wireless Guidelines further clarify and provide guidance to network operators. Requirement 1: Requirement 2: Requirement 4: Requirement 6: Requirement 10: Requirement 11: Requirement 12: Maintain a Firewall WIDS/WIPS ensure that devices meet standards set forth in internal and industry security policies track the flow of information, closing loopholes to achieve a standardized level of security. Use Strong Passwords WIDS/WIPS automatically identifies when a device or wireless implementation has security vulnerabilities, such as default passwords, that leave confidential data open to exploitation. Encrypt Transmission of Cardholder Data As of June 30, 2010, all networks are required to remove WEP in favor of WPA 2 or WPA.11i. WIDS/WIPS enables enterprises to validate that devices are using strong encryption components, and quickly identify those that are not. Develop and Maintain Secure Systems and Applications The most effective method of catching weaknesses is through continual, automated monitoring with WIDS/ WIPS that not only identifies when a device doesn t meet security policy, but also when a device changes. Track and Monitor All Access The monitoring features within WLAN IDS enable automatic tracking and recording of information in audit logs that are stored in secure, centrally managed databases in compliance with PCI v1.2. Regularly Test Security Systems and Processes Organizations need to perform quarterly scans using wireless analyzers for rogue device discovery, notification of unauthorized access or other security events. WIDS/WIPS systems are recommended for sites with multiple locations. Maintain an Information Security Policy Once a comprehensive wireless policy is developed, violations can be quickly identified using WLAN IDS, automatically escalating issues to the IT or security team for investigation and mitigation, and documenting issues for compliance audits. 2

Rogue APs and Clients in Wireless and No Wireless Environments White Paper In order to meet PCI compliance, all organizations need to meet basic standards of wireless auditing to detect rogue APs and rogue clients. Since a rogue device can show up in any location, all locations that store, process or transmit cardholder data must be manually scanned quarterly or have a wireless IDS/IPS implemented to automatically scan and protect the CDE. Many rogue access points are brought in by employees looking for additional network access and mobility. They simply bring in their personal APs and plug them directly into the corporate LAN without authorization. This is very dangerous, as most users are not aware of all the security issues with their wireless device and that they may have opened up a loophole for an attacker to gain entry into the network. Also, disgruntled employees or attackers can deploy an AP on the network in seconds and connect to it at a later time or from a location over a mile away using a high-gain antenna. Without a combination of wireless and wired tracing, these devices may appear invisible to network managers. PCI Requirement 11.1 Testing Procedure Verify that a wireless analyzer is used at least quarterly, or that a wireless IDS/IPS is implemented and configured to identify all wireless devices. We don t have wireless networks at our restaurant locations it s against policy, said Cameron Pumphrey, the Director of IT at Fuddruckers. Yet Pumphrey and his team discovered that employees were often connecting wireless routers for personal use at chain locations. We realized we needed to deploy a WLAN IDS that would allow us to see when wireless devices were attached to the wired network, said Pumphrey. Without it, our customer data could have been at risk and we could havebeen in violation of PCI compliance. Insecure WLAN Inside the Cardholder Data Environment The Wireless LAN is considered to be inside the CDE if any wireless traffic touches any network component that stores, processes or transmits card-holder data. The WLAN can easily be in the CDE even if the WLAN itself does not carry cardholder information. Again, the merchant must ensure audit the traffic to ensure the flow of information is secure. Vulnerabilities including unauthorized wireless device connections and unapproved AP associations threaten security and compliance. For example, two devices may connect peer-to-peer to share information, bypassing the security infrastructure. Or a wireless client may begin to roam and accidentally (or as part of a malicious attack) connect to a hotspot across the street from the building. Another vulnerability that is common is having default configuration settings on APs such as adminstreet from the building. Another vulnerability that is common is having default configuration settings on APs such as admin passwords or SNMP remote access enabled. As cell phones with wireless Internet access began to flood cell phone retailers in close proximity to our stores, we noticed a huge influx of those types of devices trying to access our wireless network, noted an IT administrator at a retail chain. That category of user is usually just trying to access any Wi-Fi connection they can see, and often times, they end up trying to get onto our network. Some organizations separate the WLAN from the CDE by setting up stateful packet inspection firewalls between the wireless network and their wired, trusted core. Although the firewall is used to block wireless traffic from entering the CDE, it leaves wireless transmissions even those originating behind the corporate firewall unprotected, with no way to track the flow of information. Recommendations for Closing Wireless Loopholes The PCI Wireless SIG Implementation Team recommends that use of mobile wireless analyzers or WIDS/WIPS systems to monitor for rogue APs and clients, factory default passwords, automatic network connection functions and SNMP access all of which violate wireless security policy and can leave the CDE vulnerable. The PCI Wireless SIG Implementation Team specifically advises against using wired-side or SNMP-based monitoring solutions for rogue device detection due to their high failure rate and inability to detect rogue clients. Wired discovery methods are notenough to ensure wireless security. APs scan only in approved regulatory channels, leaving the 5 GHz extended channels open to hidden rogue devices. It is further recommended that enterprises with multiple locations use WIDS/WIPS for wireless scanning. Only WIDS/WIPS technologies can offer the detection and containment necessary to track all devices, including clients, and protect against threats from rogues at all times. 3

AirMagnet Enterprise: The Best Choice for Compliance AirMagnet Enterprise is a dedicated WIDS/WIPS solution for all enterprise wireless LANs. Using hardware sensors, AirMagnet Enterprise constantly monitors all WiFi channels, including the 200 extended 11a channels, identifying problems, threats, and blind spots where rogue devices can hide. The sensors can automatically block identified threats using both wired andwireless suppression methods. Individuals or departments can be immediately notified, per corporate policy. Reports can be automatically generated, both at a high level for management validation, or down to the level of device or violation for analysis by the IT or security department. All events are recorded and kept in a secured database for detailed audit reporting. Industry Leading Threat Detection The AirMagnet Intrusion Research Team constantly investigates the latest hacking techniques, trends and potential vulnerabilities in the industry to keep ahead of evolving threats. Their research drives the AirMagnet AirWISE engine which constantly analyzes all wireless devices and traffic using a combination of frame inspection, stateful pattern analysis, statistical modeling, RF analysis, policy analysis and anomaly detection, enabling AirMagnet to detect hundreds of specific threats, attacks and vulnerabilities such as rogue devices, unnapproved connections, spoofed devices, DoS attacks, man-in-the-middle attacks, evil twins, as well as the most recent hacking tools and techniques such as MDK3, Karmetasploit and 11n DoS attacks. All threats can be traced, located and blocked as they happen. Rogue Detection AirMagnet Enterprise uses multiple detection mechanisms to find rogue devices in the environment. Devices are traced using a suite of wired and wireless tracing methods to quickly determine if a device is connected to the wired network. Threats can be manually or automatically remediated with a combination of both wired and wireless threat suppression. Wireless blocking targets a threat at the source and specifically blocks the targeted device from making any wireless connections. Wired blocking automatically closes the wired switch port where a threat has been traced. Threats and devices can be located on a floorplan and set to trigger rogue alarms based on the device s location. Managers have access to over a dozen notification and escalation mechanisms, making it easy to alert specific staff members of issues or integrate wireless event data into larger enterprise management systems and operations. 4

Vulnerability Detection AirMagnet Enterprise uses built-in WLAN expertise to understand unexpected events in the environment which may leave an organization vulnerable. In this example, AirMagnet is alerting of an unauthorized AP association that could be due to a roaming configuration issue or due to a malicious attacker attempting to lure an AP to connect outside the organization. Unauthorized Connections Unsecured and unapproved device connections can open the door to malicious attacks. AirMagnet can look for problems such as Ad-hoc devices that are connected to one another without going through an access point. By connecting peer-to-peer, these devices may bypass detection for appropriate authentication and encryption and circumvent the security infrastructure. Periodic Scanning Vs. Full-Time Monitoring AirMagnet solutions include a mobile wireless analyzer for local scanning and a WIDS/WIPS solution for remote, full-time monitoring and security. While both AirMagnet Enterprise and AirMagnet WiFi Analyzer can be used to achieve PCI compliance, only AirMagnet Enterprise is the always-on solution best suited to enterprise clients with multiple locations. AirMagnet Enterprise AirMagnet WiFi Analyzer Detect Rogues and Vulnerabilities Interactive Network Testing Compliance Reporting Device Inventory Full-time Monitoring Proactive Containment Remote Monitoring and Reporting About AirMagnet Solutions The AirMagnet line of products from, include AirMagnet Enterprise, the leading 24x7 wireless intrusion prevention solution (WIPS), and the industry s de facto mobile tool set including AirMagnet WiFi Analyzer, AirMagnet Survey/Planner and AirMagnet Spectrum T. AirMagnet products are used by more than 9,500 customers worldwide, including 75 of the Fortune 100. For more information, visit the website or the AirWISE WLAN Experts Community. Contact : Phone 800-283-5853 or Email: info@flukenetworks.com. P.O. Box 777, Everett, WA USA 98206-0777 operates in more than 50 countries worldwide. To find your local office contact details, go to /contact. 2011 Fluke Corporation. All rights reserved. Printed in U.S.A. 5/2011 4057294A 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information