Showing posts with label pci dss compliance software. Show all posts

Monday, 24 December 2012

BREAKING NEWS - Really? - PCI Compliance is Mandatory

If you're thinking "That's hardly breaking news", I would tend to agree. However, it is still providing plenty of copy even though the PCI DSS was introduced seven long years ago. At the time it was 'mandatory' and 'urgent', but the problem now is that so many firms have avoided or delayed measures that overcoming the apathy often associated with PCI compliance is getting more difficult.

I read this last week on Bankinfosecurity.com

PCI SSC: Firms Must Perform Rigorous Risk Assessments

I couldn't agree more with one of the points made by Bob Russo, General Manager of the PCI Security Standards Council (PCI SSC). Mr. Russo is quoted as saying "The standard requires an annual risk assessment, because the DSS (data security standard) validation is only a snapshot of your compliance at a particular point in time. Therefore, it is possible that changes that have been made to a system since the previous evaluation could have undermined security protections or opened up new vulnerabilities."

In other words, real-time file integrity monitoring coupled with continuous server hardening checks is essential for PCI compliance - read more about both areas here.

And then two days later, I was sent a link to this article

Even the tiniest firms face fines for failing to protect credit card details

This is more interesting because the Daily Mail is about as mainstream as you can get in the UK - whatever you think about the newspaper's editorial leanings, this was published as contemporary, newsworthy copy for its readers. The angle is that small firms also need to adhere to the PCI DSS requirements - again, not really news, as right from day one anyone handling cardholder data has been burdened with a duty of care over it. Most small firms either run transactions directly to their bank or via an online service like Worldpay, so their main concerns for PCI compliance are to be aware of the risks and take care of the basics, such as

1. Don't write down, or store in any other form, cardholder details. In particular, the sensitive authentication data - the full magnetic stripe contents, the card verification code (CVV2/CVC2) and the PIN - must never be stored after authorisation, even in encrypted form. If you need to regularly re-use a customer's card details, you'll either need to ask for them again each time, or use your bank's 'vault' facilities (based on tokenized card data).

2. Check your PIN Entry Device regularly and don't let anyone tamper with it. Card skimming is still one of the biggest card theft opportunities - see this video for the basics. In the UK, Chip and PIN has significantly reduced the risk, but in the US and other parts of the world where card handling checks are limited to a superficial signature (that is rarely even checked against the card), card skimming still pays dividends. And even when the skimming happens in the UK, the stolen magnetic stripe track data can be written to a cloned card and used anywhere in the world where Chip and PIN is not enforced.

3. Make sure you are learning from the PCI DSS - work to use as many of the measures as you can. Even if you are using an online service to process a card payment transaction, the PC used to enter the details could be compromised by a key logger or other malware designed to steal data. Hardening your systems in line with best-practice checklist guidance, firewalling, anti-virus, file integrity monitoring and logging will all help to keep your systems secure and give you visibility of potential security threats before they can be used to steal card data.

If you follow these basic steps then you'll give your company the best chance of not ending up as headline news in the next card data theft story.



Saturday, 13 November 2010

PCI DSS Section 10 - Backup event logs centrally

There are typically two concerns that need to be addressed - first, "what is the best way to gather and centralize event logs?" And second, "what do we need to do with the event logs once we have them stored centrally? (And how will we cope with the volume?)"

To the letter of the PCI DSS, you are obliged to make use of event and audit logs in order to track user activity for any device within scope i.e. all devices which either 'touch' cardholder data or have access to cardholder data processing systems. The full heading of the Log Tracking section of the PCI DSS is as follows -

"PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data"

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.

Given that many PCI DSS estates will be geographically widespread, it is always a good idea to use some means of centralizing log messages; in any case, you are obliged to take this route if you read section 10.5.3 of the PCI DSS -

"Promptly back up audit trail files to a centralized log server or media that is difficult to alter"

The first obstacle to overcome is the gathering of event logs. Unix and Linux hosts can use their native syslogd capability, but Windows has no built-in syslog sender, so Windows servers will need a third-party Windows syslog agent to transfer Windows Event Logs via syslog - you can download a free copy of our Log Tracker Agent via this link.

This will ensure all event log messages from Windows servers are backed up centrally in accordance with the PCI DSS standard. Oracle and SQL Server based applications will similarly require a syslog agent to extract log entries for forwarding to the central syslog server, and IBM z/OS mainframe or AS/400 systems will also need platform-specific agent technology to ensure event logs are backed up.

Of course, firewalls and Intrusion Prevention/Detection Systems (IPS/IDS), as well as the majority of switches and routers, all natively generate syslog messages.
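As an added example (my own code, not the NNT Log Tracker agent or any product from this page), here is the collecting side in Python: it parses RFC 3164 style syslog lines as a Linux host, a Windows syslog agent and a firewall would send them, indexes them by host and severity, and chains each stored record to the previous one with SHA-256 so that a later edit or deletion of any record is detectable - one cheap way of meeting the 'difficult to alter' wording of 10.5.3 when write-once media is not an option. The device names, IP addresses and log lines are constructed for the example.

```python
"""Central syslog collector with a tamper-evident store (added example)."""
import hashlib
import re
from collections import Counter, defaultdict

# RFC 3164 line layout:  <PRI>Mmm dd hh:mm:ss host tag: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):\s*(?P<msg>.*)$"
)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
GENESIS = "0" * 64  # chain anchor for the first stored record


def parse_syslog(line):
    """Split one syslog line into its fields; return None if it is malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23 and severity 0-7 give a maximum PRI of 23*8+7
        return None
    return {
        "facility": pri // 8,
        "severity": SEVERITY[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "message": m.group("msg"),
    }


class CentralLogStore:
    """In-memory stand-in for the central log server.

    Every stored record carries SHA-256(previous record hash + raw line).
    Changing, inserting or removing any record breaks the chain from that
    point on, which verify_chain() reports."""

    def __init__(self):
        self.records = []
        self.by_host = defaultdict(list)
        self.counts = Counter()      # (host, severity) -> number of events
        self.rejected = 0
        self._last_hash = GENESIS

    def ingest(self, line):
        event = parse_syslog(line)
        if event is None:
            self.rejected += 1       # count malformed input; never drop it silently
            return False
        digest = hashlib.sha256((self._last_hash + line).encode("utf-8")).hexdigest()
        record = dict(event, raw=line, prev=self._last_hash, hash=digest)
        self.records.append(record)
        self.by_host[event["host"]].append(record)
        self.counts[(event["host"], event["severity"])] += 1
        self._last_hash = digest
        return True

    def verify_chain(self):
        """Return the index of the first record whose chain link is broken, or -1."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            expected = hashlib.sha256((prev + rec["raw"]).encode("utf-8")).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expected:
                return i
            prev = rec["hash"]
        return -1


# Constructed sample traffic: Linux sshd, a Windows agent relaying a Security
# event, a Cisco ASA style firewall deny, and one malformed line.
SAMPLE_LINES = [
    "<38>Nov 13 09:12:01 pos-web01 sshd[2201]: Failed password for root from 10.1.2.3 port 51022 ssh2",
    "<13>Nov 13 09:12:05 WIN-DC01 MSWinEventLog: Security 4625 An account failed to log on. Account Name: jsmith",
    "<163>Nov 13 09:12:07 fw-edge01 %ASA-3-106014: Deny inbound icmp src outside:198.51.100.7 dst inside:10.1.2.3",
    "this line has no priority header and should be rejected",
]


def build_store(lines=SAMPLE_LINES):
    store = CentralLogStore()
    for line in lines:
        store.ingest(line)
    return store


if __name__ == "__main__":
    s = build_store()
    for (host, sev), n in sorted(s.counts.items()):
        print(f"{host:<10} {sev:<8} {n}")
    print("rejected:", s.rejected, "chain intact:", s.verify_chain() == -1)
    s.records[1]["raw"] = s.records[1]["raw"].replace("jsmith", "nobody")
    print("after tampering, first bad record index:", s.verify_chain())
```

The chain only proves that nothing was altered after the collector wrote it; it says nothing about lines altered on the source host before they were sent, which is why the standard also wants prompt forwarding and why the sending hosts need file integrity monitoring on their local logs.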

So in terms of our two initial questions, we have fully covered the first, but what about the next logical question of 'What do we do with - and how do we cope with - the event logs gathered?'

"PCI DSS Section 10.6 Review logs for all system components at least daily"

This is the part of the standard that causes most concern. If you consider the volume of event logs that may be generated by a typical firewall this can be significant, but if you are managing a retail estate of 800 stores with 7,500 devices within scope of the PCI DSS, the task of reviewing logs from devices is going to be impossible to achieve. This may be a good time to consider some automation of the process...?

The Security Information and Event Management or SIEM market as defined by Gartner covers the advanced generation of solutions that harvest audit and event logs, and then parse or interpret the events e.g. store events by device, event type and severity, and analyze the details within event logs as they are stored. In fact, the PCI DSS recognizes the potential value of this kind of technology

"Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6 of the PCI DSS"

SIEM technology allows event logs to be automatically and intelligently managed such that only genuinely serious security events are alerted. The best SIEM technology can distinguish between true hacker activity running a 'brute force' attack and a user who has simply forgotten their password and is repeatedly trying to access their account. Naturally there is an amount of customization required for each environment as every organization's network, systems, applications and usage patterns are unique as are the corresponding event log volumes and types.

The PCI event log management process can be approached in three stages, ensuring that there is a straightforward progression through becoming compliant with the PCI DSS standard and becoming fully in control of your PCI estate. The three phases will assist you in understanding how your PCI estate functions normally and, as a result, placing all genuine security threats into the spotlight.

1. GATHER - Implement the SIEM system and gather all event logs centrally - the SIEM technology will provide a keyword index of all events, reported by device type, event severity and even with just the basic, pre-defined rules applied, the volumes of logs by type can be established. You need to get familiar with the types of event log messages being collected and what 'good' looks like for your estate.

2. PROFILE - Refinement of event type identification and thresholds - once an initial baselining period has been completed we can then customize rules and thresholds to meet the profile of your estate, with the aim of establishing a profiled, 'steady-state' view of event types and volumes. Even though all logs must be gathered and retained for the PCI DSS, there is a large proportion of events which aren't significant on a day-to-day basis and the aim is to de-emphasize these in order to promote focus on those events which are significant.

3. FOCUS - simple thresholding for event types is adequate for some significant security events, such as anti-virus alerts or IPS signature detections, but for other security events it is necessary to correlate and pattern-match combinations and sequences of events. SIEM only becomes valuable when it is notifying you of a manageable number of significant security events.
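The brute-force versus forgotten-password distinction from the FOCUS step, as an added example in Python (my own illustration, not a description of any SIEM product's rule engine): a plain threshold rule for event types that are always significant, and a sliding-window correlation rule over login failures that alerts when one source hits many accounts but stays quiet for one user who mistypes a password a few times and then gets in. The events are constructed and already parsed into fields; the window and thresholds are assumed defaults to be tuned per estate during the PROFILE step.

```python
"""Threshold and correlation rules over parsed login events (added example)."""
from collections import defaultdict, deque

# Rule 1: event types that are always worth an alert, however rare.
ALWAYS_ALERT = {"av_detection": "high", "ips_signature": "high"}

# Rule 2 parameters (assumed defaults; tune them from the baselining period).
WINDOW_SECONDS = 60
MIN_FAILURES = 5       # failures from one source inside the window
MIN_ACCOUNTS = 3       # distinct accounts targeted -> spraying / brute force


def run_rules(events, window=WINDOW_SECONDS, min_failures=MIN_FAILURES,
              min_accounts=MIN_ACCOUNTS):
    """events: dicts with keys t (seconds), type, src, user, result (fail/success),
    sorted by t.  Returns the list of alerts raised, in order."""
    alerts = []
    failures = defaultdict(deque)   # src -> deque of (t, user) failures in the window
    fired = set()                   # sources already alerted on, to avoid repeats

    for ev in events:
        if ev["type"] in ALWAYS_ALERT:
            alerts.append({"rule": ev["type"], "severity": ALWAYS_ALERT[ev["type"]],
                           "host": ev.get("host"), "t": ev["t"]})
            continue
        if ev["type"] != "login":
            continue

        q = failures[ev["src"]]
        while q and ev["t"] - q[0][0] > window:   # expire failures outside the window
            q.popleft()

        if ev["result"] == "fail":
            q.append((ev["t"], ev["user"]))
            targeted = {u for _, u in q}
            if len(q) >= min_failures and ev["src"] not in fired:
                if len(targeted) >= min_accounts:
                    rule, sev = "brute_force_many_accounts", "high"
                else:
                    rule, sev = "password_guessing_one_account", "medium"
                alerts.append({"rule": rule, "severity": sev, "src": ev["src"],
                               "accounts": sorted(targeted), "t": ev["t"]})
                fired.add(ev["src"])
        elif ev["result"] == "success" and q and len(q) < min_failures:
            # A handful of failures followed by a success from the same source
            # is the forgotten-password pattern: clear it and raise nothing.
            q.clear()
    return alerts


def login(t, src, user, result):
    return {"t": t, "type": "login", "src": src, "user": user, "result": result}


# Constructed sample: alice fumbles her password three times then logs in;
# 198.51.100.50 walks through six accounts in 20 seconds; one AV detection.
SAMPLE_EVENTS = [
    login(0, "203.0.113.9", "alice", "fail"),
    login(2, "203.0.113.9", "alice", "fail"),
    login(5, "203.0.113.9", "alice", "fail"),
    login(8, "203.0.113.9", "alice", "success"),
    login(10, "198.51.100.50", "root", "fail"),
    login(13, "198.51.100.50", "admin", "fail"),
    login(15, "198.51.100.50", "oracle", "fail"),
    login(18, "198.51.100.50", "jsmith", "fail"),
    login(22, "198.51.100.50", "backup", "fail"),
    login(30, "198.51.100.50", "test", "fail"),
    {"t": 40, "type": "av_detection", "host": "pos-till07"},
]


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Note that a success after five or more failures is deliberately not treated as a forgotten password: at that point the queue is left alone and the alert already raised stands, because a guessed password that finally works is the case you most want to see.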

It is important to note that even when certain events are being de-emphasized, they are still being retained in line with the PCI DSS requirement (10.7) to retain audit trail history for at least one year, with a minimum of three months immediately available for analysis - in practice, an on-line, searchable repository for the most recent three months and an archive covering the full twelve.

Again, the archived and on-line log repositories must be protected from any editing or tampering so write-once media and file integrity monitoring must be used to preserve log file integrity.

It's much easier to see it in practice than read about it so please get in touch for a quick overview by webex - mail a request to info@newnettechnologies.com or go to http://www.newnettechnologies.com/contact-us.html


Wednesday, 29 September 2010

PCI DSS Compliance - Be in Control in Four Moves

The security standard calls for a broad range of security measures, but beyond the use of firewalling, intrusion prevention systems and anti-virus software, the merchant's requirements and responsibilities are very often poorly understood.

This guide simplifies the scope of the balance of PCI DSS measures to just four areas.
- File Integrity monitoring
- Event Log centralization
- Security Vulnerability scanning for device hardening
- Change Management process
Understanding and implementing measures to address these four areas will make any QSA happy and get you compliant - and keep you compliant - in no time at all.

File Integrity Monitoring
As a mandated dimension of the PCI DSS, FIM verifies that program and operating system files have not been compromised.

Why is this important? The principal benefit of using FIM technology is to ensure that malicious code has not been embedded within critical application and operating system files. The insertion of a 'backdoor' or Trojan into core program files is one of the more audacious and elegant forms of hacking, and also one of the most dangerous.

The PCI DSS (Payment Card Industry Data Security Standard) specifies the following "Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly" and also that for log files "Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)".
Contemporary compliance management technology will provide pre-defined templates for all folders and files that should be tracked for File-Integrity, also allowing you to specify additional program folders and files unique to your environment, for instance, your core business applications.

File Integrity Monitoring technology conducts an initial inventory of all filesystems specified and 'fingerprints' all files using secure hashing technology, generating a unique checksum for each file. The system will then audit all files being tracked on a scheduled basis every 24 hours (even though the PCI DSS calls only for weekly checks) with any changes, additions, deletions or modifications being reported to you.
The latest generation of File Integrity Monitoring software also operates in a 'live tracking' mode for ultra-secure environments where file changes are detected and reported in real time.

Other options to consider are to track and identify actual changes to file contents, useful when tracking configuration files to provide you with a complete audit trail of change history - this can be applied to any form of files such as text and xml.
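To make the 11.5 and 10.5.5 wording above concrete, here is an added example in Python (my own, not a description of any product's FIM engine): it takes a SHA-256 baseline of a directory tree, then reports additions, deletions and modifications, while treating growth of a designated log file as an append rather than an alert as long as the bytes that existed at baseline still hash to the same value. The directory, file names and changes are constructed in a temporary folder so the example runs anywhere.

```python
"""Baseline-and-compare file integrity check with append-aware log handling (added example)."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_file(path, limit=None):
    """SHA-256 of a whole file, or of only its first `limit` bytes when given."""
    h = hashlib.sha256()
    remaining = limit
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Fingerprint every regular file under root: size, digest and permission bits."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "size": st.st_size, "sha256": sha256_file(p), "mode": st.st_mode & 0o777}
    return baseline


def check(root, baseline, append_only=()):
    """Compare the tree against the baseline.

    append_only lists relative paths (log files) that are expected to grow.
    Those pass as 'appended' only if their first `size` bytes still hash to
    the baseline digest, so rewriting or truncating history is still caught
    as 'modified'.  Every other file is compared whole."""
    root = Path(root)
    findings, seen = {}, set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in baseline:
            findings[rel] = "added"
            continue
        old, st = baseline[rel], p.stat()
        if (st.st_mode & 0o777) != old["mode"]:
            findings[rel] = "modified"          # a permission change counts too
        elif st.st_size == old["size"] and sha256_file(p) == old["sha256"]:
            findings[rel] = "unchanged"
        elif (rel in append_only and st.st_size > old["size"]
              and sha256_file(p, old["size"]) == old["sha256"]):
            findings[rel] = "appended"          # normal log growth, no alert
        else:
            findings[rel] = "modified"
    for rel in baseline:
        if rel not in seen:
            findings[rel] = "deleted"
    return findings


ALERTABLE = {"added", "modified", "deleted"}


def demo():
    """Build a constructed tree, baseline it, make five kinds of change, re-check."""
    root = Path(tempfile.mkdtemp(prefix="fim-"))
    (root / "etc").mkdir()
    (root / "var" / "log").mkdir(parents=True)
    (root / "etc" / "app.conf").write_text("db_host=10.1.2.3\ntls=on\n")
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    (root / "var" / "log" / "auth.log").write_text("line1\nline2\n")
    (root / "var" / "log" / "audit.log").write_text("rec1\nrec2\n")
    baseline = take_baseline(root)

    (root / "etc" / "app.conf").write_text("db_host=10.1.2.3\ntls=off\n")   # config weakened
    with open(root / "var" / "log" / "auth.log", "a") as f:
        f.write("line3\n")                                                   # ordinary growth
    (root / "var" / "log" / "audit.log").write_text("rec1\nXXXX\nrec3\n")    # history rewritten
    (root / "etc" / "hosts").unlink()                                        # file removed
    (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")           # file planted

    return check(root, baseline, append_only=("var/log/auth.log", "var/log/audit.log"))


if __name__ == "__main__":
    for path, state in sorted(demo().items()):
        print(("ALERT " if state in ALERTABLE else "ok    ") + state + "  " + path)
```

The prefix-hash trick is what lets the same tool satisfy both quoted clauses: a log that only grows is silent, a log whose existing bytes change alerts, and the whole-file comparison used for everything else is unchanged. Store the baseline somewhere the monitored host cannot write to, otherwise an attacker with root simply re-baselines after the change.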

Continuous Vulnerability Scanning
All security standards and Corporate Governance Compliance Policies such as PCI DSS, GCSx CoCo, SOX (Sarbanes Oxley), NERC CIP, HIPAA, HITECH, ISO27000 and FISMA require Windows and Unix Servers, workstations, and firewalls, routers and switches to be secure in order that they protect and secure confidential data.

'Hardening' a device requires known security 'vulnerabilities' to be eliminated or mitigated. A vulnerability is any weakness or flaw in the software design, implementation or administration of a system that gives a threat a way to exploit that system or process. For the PCI DSS, it is a requirement that all 'within scope' sites are scanned for vulnerabilities at least every quarter and after any significant change. This gets expensive in large-scale, multi-site estates, as well as being a time-consuming management overhead.

Perhaps the biggest issue is that the results of any scan are only accurate at the time of the scan - any configuration changes made after the scan could render devices vulnerable and, in a worst case scenario, devices could be left vulnerable to attack for a three-month period. The ideal solution is to continuously track configuration changes. This is the only real way to guarantee the security of your IT estate is maintained. Using continuous configuration tracking technology allows you at any time to see the Compliance Score of any server and which settings need to be changed to re-harden the config. Any changes made should be reported, including Planned Changes, which should also be reconciled with the original Request For Change or RFC record.
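As an added example of the 'compliance score and which settings need to change' idea (my own code, not NNT's policy templates), here is a hardening check in Python for an OpenSSH server configuration: it parses sshd_config text with sshd's first-match-wins semantics, scores it against a small assumed policy, lists the failing directives with the expected value, and diffs two snapshots so that later drift shows exactly which directive moved. The policy values and both configurations are constructed for the example; a real policy would follow the CIS or vendor benchmark for the platform.

```python
"""Score an sshd_config against a hardening policy and detect drift (added example)."""

# Assumed policy: directive -> (description of the expected state, check function).
# Values are compared lower-cased.  A directive that is absent fails, because
# relying silently on the compiled-in default is exactly what a benchmark forbids.
HARDENING_POLICY = {
    "permitrootlogin":        ("PermitRootLogin no",        lambda v: v == "no"),
    "passwordauthentication": ("PasswordAuthentication no", lambda v: v == "no"),
    "permitemptypasswords":   ("PermitEmptyPasswords no",   lambda v: v == "no"),
    "maxauthtries":           ("MaxAuthTries <= 4",         lambda v: v.isdigit() and int(v) <= 4),
    "x11forwarding":          ("X11Forwarding no",          lambda v: v == "no"),
    "ciphers":                ("no arcfour/3des/cbc ciphers",
                               lambda v: not any(w in v for w in ("arcfour", "3des", "-cbc"))),
}


def parse_sshd_config(text):
    """Return {directive_lowercase: value}.  sshd honours the first occurrence of
    a directive, so a later duplicate does not override an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def assess(settings, policy=HARDENING_POLICY):
    """Return (score_percent, failures); failures = [(directive, expected, actual)]."""
    failures = []
    for key, (expected, ok) in policy.items():
        actual = settings.get(key)
        if actual is None or not ok(actual):
            failures.append((key, expected, actual if actual is not None else "<not set>"))
    passed = len(policy) - len(failures)
    return round(100 * passed / len(policy)), failures


def drift(before, after):
    """Directives whose effective value changed between two snapshots."""
    changed = {}
    for key in set(before) | set(after):
        if before.get(key) != after.get(key):
            changed[key] = (before.get(key), after.get(key))
    return changed


# Constructed configurations: a typical 'as installed' file and a hardened one.
WEAK_CONFIG = """
# sshd_config (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 6
X11Forwarding yes
Ciphers aes128-ctr,arcfour,3des-cbc
PermitRootLogin no      # ignored: sshd keeps the first value it saw
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
X11Forwarding no
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
"""


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        score, fails = assess(parse_sshd_config(text))
        print(f"{name}: score {score}%")
        for key, expected, actual in fails:
            print(f"  FAIL {key}: expected {expected}, found {actual}")
    print("drift:", drift(parse_sshd_config(HARDENED_CONFIG), parse_sshd_config(WEAK_CONFIG)))
```

Run the same assessment on a schedule (or from a file-change trigger on the config) and keep the previous snapshot: the score tells you where the host stands, drift() tells you what moved and when, and the two together are the 'Planned Change' evidence that a quarterly scan cannot give you.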

Secure, Centralized Event Log Management
Log analysis is a key weapon in the fight against any cyberattack. By gathering logs from all Unix and Windows servers, applications and databases, firewalls and routers, the method and pattern of an attack can be understood. Identifying the method and source of any attack allows preventative measures to be continually improved. This is why all security policies place log retention at their core. PCI DSS compliance requires logs to be gathered and reviewed daily, and retained for at least one year. Similarly for GCSx Code of Connection or CoCo compliance - audit logs recording user activities, exceptions and information security events are to be retained for at least 6 months.

For any compliance initiative, it will be necessary to gather logs from all
- Network Devices
- Windows, Unix and Linux servers
- Firewall or IPS and IDS devices, Email and Web Servers
- Database and Application servers - even IBM Mainframes
- All other potentially useful sources of log information

Although the scope of most compliance standards will be largely satisfied at this stage, far greater value can be extracted from Centralizing Event Logs. Contemporary event and audit log management technology ensures all event logs are analyzed and correlated automatically, applying a comprehensive series of rules pertinent to any Security or Governance policy. Any breach of compliance will be alerted immediately allowing pre-emptive action to be taken before a problem arises. The best log management solutions provide pre-defined rules templates, allowing you to be in control of compliance straight out of the box.

The following is a checklist of features available in today's best log management software -
- All Security and Governance Policies supported via pre-packed Compliance Rule Templates
- Real Time Security Warnings i.e. violation of file integrity monitoring rules
- PCI DSS and GCSx Code of Connection supported 'out of the box'
- Web-based Dashboard and integration with Servicedesk as standard
- Powerful, keyword-based Event Log mining across any combination of devices and applications
- Complete solution for all Security Information and Event Management (SIEM) requirements
The latest generation of centralized log server software allows you to focus on true exceptions and important events by masking off the sometimes overwhelming flood of logs. Use the pre-built Compliance Templates and build your own keyword and logic-based correlation rules, allowing you to manage what really matters to your organization from a security and compliance standpoint.

Change and Configuration Management
ITIL Best Practices identify Change Management as one of the key, central processes that should be understood and assimilated into an IT Service Delivery operation. Change Management as a process is intended to ensure that when changes are made, they are first verified as being completely necessary and adding some value to the organization, and if so, that changes are then well planned, documented and clearly communicated to ensure any potential negative impact from the change is understood and eliminated or minimized. The entire experience and knowledge of the enterprise is harnessed and greater efficiencies can be gained from 'one visit' fixes - i.e. a number of required changes can all be delivered during one planned maintenance window. A well maintained Configuration Management Database (CMDB) will often be used as a means of better understanding the 'downstream' effects of changes and/or their impact on a number of critical business services.

Crucially for any organization subject to Corporate Governance-driven security standards, changes to any IT system can affect its security. Installing application updates may introduce new vulnerabilities and making any configuration change may also render systems less secure and more prone to a security breach. The latest change and configuration management software tracks all changes to your infrastructure, exposing all unplanned changes and reporting clearly on the intended - and uniquely, the actual outcome - of any planned change. All network device configurations are automatically and securely backed up, with the option to remediate any unauthorized configuration change. Server configurations are tracked against either pre-defined security policies or your own personalized policy, with any deviations highlighted.
And once firewalls, servers, workstations, switches and routers are all in a compliant state, you need to ensure they remain that way. The only way to do this is to automatically verify configuration settings on a regular basis. Why? Because unplanned, undocumented changes will always be made while somebody has the admin rights to do so - legal or otherwise! The configuration change tracking solution will alert you when any unplanned changes are detected as well as keeping an audit trail of planned changes, reconciled with the request for change details.

This provides a unique 'Closed-Loop Change-Management Safety Net' - when changes need to be made to a device it is vital to ensure that changes are approved and documented - we make this easy and straightforward, reconciling all changes made with the RFC or Change Approval record. An open API allows integration with most service/help desks or other change management systems to establish a link between the change approval process and the actual changes that are made.

Tuesday, 29 June 2010

PCI DSS Compliance in 2010

The Payment Card Industry Data Security Standard, or PCI DSS, is still confusing for card payment merchants in 2010.

A recent survey of PCI DSS knowledge and understanding revealed the following facts:
• 35% of retail/hospitality/entertainment organisations surveyed still do not understand compliance requirements
• Whilst there is a strong understanding within Tier 1 merchants (over 6 million transactions per year), 44% of Tier 2 and Tier 3 merchants do not understand the PCI DSS requirements
• 90% are either still working on implementing PCI DSS compliance measures identified in pre-audit surveys, or are not compliant and doing nothing about it, or are leaving it to the last minute

What do you need to do as an IT Service Provider to your Organization?
A number of automated 'compliance auditing' solutions for PCI DSS are available that typically provide the following functions
Compliance Auditing (aka Device Hardening) - typically, 'out of the box' PCI DSS as well as 'made to order' reports allow you to quickly test critical security settings for Windows servers and desktops, Unix servers, Linux servers and network devices, including wireless devices, and firewalls. The best solutions will provide details on your administrative procedures, technical data security services, and technical security mechanisms. Generally, these reports will probably identify some security vulnerabilities within the configuration settings to begin with. Once repaired though, you can generate these reports again to prove to auditors that your servers are compliant. Using inbuilt change tracking you can ensure systems remain compliant.
Change Tracking - once your firewalls, servers, workstations, switches, routers etc are all in a compliant state for PCI DSS you need to ensure they remain so. The only way to do this is to routinely verify the configuration settings have not changed because unplanned, undocumented changes will always be made while somebody has the admin rights to do so! The PCI DSS compliance software solution will alert when any unplanned changes are detected for server software using file-integrity monitoring, or firewalls and intrusion protection systems, and any other network device within your 'Compliant Infrastructure'.
Planned Change Audit Trail - when changes do need to be made to a PCI DSS server, firewall or network device, you need to ensure that changes are approved and documented. An automated software solution for PCI DSS makes this easy and straightforward, reconciling all changes made with the RFC or Change Approval record
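Both the 'Change and Configuration Management' section of the September post and the 'Planned Change Audit Trail' item here come down to the same mechanical step: matching each detected change against the approved RFC records. Here it is as an added example in Python (my own code; NNT's open API and service-desk integration are not shown): a detected change is classed as planned only when an approved RFC names its device, the RFC's window covers the time of the change, and the changed item is one the RFC was expected to touch; anything else is unplanned, and approved RFCs that produced no change at all are listed too, since a ticket that was never implemented is its own finding. Devices, times, paths and ticket numbers are constructed.

```python
"""Reconcile detected changes against RFC records (added example)."""
import fnmatch
from datetime import datetime, timedelta

# RFC (request for change) records as a service desk might export them (constructed).
# 'expected' holds glob patterns for the items the change was approved to touch.
RFCS = [
    {"id": "RFC-1041", "status": "approved", "devices": {"fw-edge01"},
     "start": datetime(2010, 9, 28, 22, 0), "end": datetime(2010, 9, 28, 23, 30),
     "expected": ["access-list*"], "summary": "Open TCP/8443 from branch VPN to payment gateway"},
    {"id": "RFC-1042", "status": "approved", "devices": {"pos-web01", "pos-web02"},
     "start": datetime(2010, 9, 29, 1, 0), "end": datetime(2010, 9, 29, 3, 0),
     "expected": ["/usr/lib/*", "/usr/bin/*", "/var/lib/rpm/*"], "summary": "Apply September OS patches"},
    {"id": "RFC-1043", "status": "rejected", "devices": {"db-card01"},
     "start": datetime(2010, 9, 29, 1, 0), "end": datetime(2010, 9, 29, 2, 0),
     "expected": ["*"], "summary": "Disable TDE on card database (rejected by CAB)"},
    {"id": "RFC-1044", "status": "approved", "devices": {"fw-edge02"},
     "start": datetime(2010, 9, 29, 4, 0), "end": datetime(2010, 9, 29, 5, 0),
     "expected": ["*"], "summary": "Upgrade firewall firmware"},
]

# Changes reported by FIM / configuration tracking (constructed).
CHANGES = [
    {"device": "fw-edge01", "item": "access-list outside_in line 12", "when": datetime(2010, 9, 28, 22, 41)},
    {"device": "pos-web01", "item": "/usr/lib/libssl.so.0.9.8", "when": datetime(2010, 9, 29, 1, 35)},
    {"device": "pos-web02", "item": "/usr/lib/libssl.so.0.9.8", "when": datetime(2010, 9, 29, 9, 10)},
    {"device": "db-card01", "item": "sys.dm_database_encryption_keys state", "when": datetime(2010, 9, 29, 1, 20)},
    {"device": "pos-web01", "item": "/etc/ld.so.preload", "when": datetime(2010, 9, 29, 1, 40)},
]


def reconcile(changes, rfcs, grace=timedelta(minutes=15)):
    """Classify each change as planned (matched to an approved RFC) or unplanned,
    with the reason for the nearest miss, and list approved RFCs that produced no
    matching change.  `grace` allows for clock skew around the window edges."""
    results, used = [], set()
    for ch in changes:
        match, reason = None, "no approved RFC covers this device and time"
        for rfc in rfcs:
            if ch["device"] not in rfc["devices"]:
                continue
            if rfc["status"] != "approved":
                reason = f"{rfc['id']} names the device but is {rfc['status']}"
                continue
            if not (rfc["start"] - grace <= ch["when"] <= rfc["end"] + grace):
                reason = f"outside the window of {rfc['id']}"
                continue
            if not any(fnmatch.fnmatch(ch["item"], pat) for pat in rfc["expected"]):
                reason = f"inside {rfc['id']} window but not an expected change for it"
                continue
            match = rfc["id"]
            break
        if match:
            used.add(match)
            results.append(dict(ch, status="planned", rfc=match))
        else:
            results.append(dict(ch, status="unplanned", rfc=None, reason=reason))
    idle = [r["id"] for r in rfcs if r["status"] == "approved" and r["id"] not in used]
    return results, idle


if __name__ == "__main__":
    results, idle = reconcile(CHANGES, RFCS)
    for r in results:
        flag = "PLANNED  " if r["status"] == "planned" else "UNPLANNED"
        print(f"{flag} {r['device']:<10} {r['item']:<40} {r.get('rfc') or r['reason']}")
    print("approved but never implemented:", idle)
```

The last constructed change is the reason for matching on the item as well as the device and window: a planted /etc/ld.so.preload during an approved patch window would pass a reconciliation that only checks 'was there a ticket for this box tonight', which is the weaker form of the check and the one an attacker who has read the change calendar will aim for.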
Device Hardening must be enforced and audited. A good PCI DSS compliance auditing solution will provide automated templates for a hardened (secured & compliant) configuration for servers and desktops and network devices to show where work is needed to get compliant, and thereafter, will track all planned and unplanned changes that affect the hardened status of your infrastructure. The state of the art in compliance auditing software covers registry keys and values, file integrity monitoring, host integrity monitoring, service and process whitelisting/blacklisting, user accounts, installed software, patches, access rights, password ageing and much more.
Audit Log Management - All audit and event logs from all windows servers, Unix servers, Linux servers, firewalls and intrusion protection devices must be analyzed, filtered, correlated and escalated appropriately. Audit Log and Event log messages must be stored in a secure, integrity-assured, repository for the required retention period which for PCI DSS is 12 months.
Correlation of Security Information and Audit Logs - in addition you should implement Audit Log and Event Log Gathering from all devices with correlation capabilities for security event signature identification and powerful 'mining' and analysis capabilities. This provides a complete PCI DSS compliance safety net to ensure, for example to name just a few, virus updates complete successfully, host intrusion protection is enabled at all times, firewall rules are not changed, user accounts, rights and permissions are not changed without permission and patches are implemented.