Closing Wireless Loopholes for PCI Compliance and Security
AirMagnet Confidential 2
What is PCI-DSS?
A unified approach to safeguarding sensitive cardholder data
– Started in 2001 as separate proprietary programs of the individual card brands
– Standards consolidated under the name Payment Card Industry (PCI) Data Security Standard (DSS)
– Administered by the PCI Security Standards Council, founded by American Express, Visa, Mastercard Worldwide, Discover Financial Services and JCB International
The standard's "Digital Dozen": 12 core requirements
Who must comply with the standard?
– All merchants that accept payment cards for merchandise must comply
What parts of the network does it apply to?
– Any system component included in or connected to the cardholder data environment
What if I fail to comply?
– Forfeiture of the merchant's ability to process payment cards
– Liability for damages under federal or state laws
Compliance Requirements for Wireless Networks in v1.2
Requirement 1: Install and maintain a firewall configuration to protect data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
Requirement 6: Develop and maintain secure systems and applications
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain an Information Security Policy
What is PCI?
What compliance means for merchants and service providers
– Everyone must comply with the standard
– The category (level) you fall into determines what validation you must provide (i.e. audits and scans)
– Annual penetration tests are required, although the results do not have to be submitted
Components of PCI validation:
– On-site audit: only for service providers and Level 1 merchants
– Security self-assessment questionnaire: compliance attestation is primarily based on this
– Network scans: must be conducted by a qualified third party (an Approved Scanning Vendor) against all external-facing information resources
The Table (Merchant Side)
Compliance validation level (due date in parentheses) and the validation each level must provide: annual onsite assessment, quarterly network scan, compliance questionnaire

Merchant Level 1 (9/30/04)
– Any merchant processing more than 6M transactions, regardless of acceptance channel
– Any merchant that has suffered a compromise
– Any merchant that a card association determines should meet Level 1 requirements
– Any merchant identified by any payment card brand as Level 1
Validation: annual onsite assessment required; quarterly scan required

Merchant Level 2 (9/30/07, new)
– 1M to 6M transactions, regardless of acceptance channel
Validation: quarterly scan required; compliance questionnaire required

Merchant Level 3 (6/30/05)
– 20K to 1M e-commerce transactions
Validation: quarterly scan required; compliance questionnaire required

Merchant Level 4 (validation requirements set by the acquirer)
– Fewer than 20,000 e-commerce transactions, or fewer than 1M transactions regardless of channel
Validation: scan recommended (annual scan only); compliance questionnaire recommended
The Wireless Network Components: Build a Secure Network
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect data
– What companies are doing:
  Adding or changing firewalls
  Performing architecture, firewall and router rule audits and reviews
PCI v1.2 wireless-specific points:
– Place firewalls between wireless networks and the cardholder data environment
– Keep a current network diagram that includes all wireless networks
The Need for New Types of Oversight
Focus of the network is shifting to the edge
– Traditional networks delivered security and control through centralization
– Mobility breaks the centralized model: wireless clients can connect outward to any network in range, bypassing the perimeter
– Internal-only traffic is now exposed over the air
– New need for firewall-level analysis at the edge
[Diagram: a traditional wired perimeter (firewall, NAT, IDS) with a single entrance/exit, protected clients and protected internal traffic, versus a wireless network facing rogue APs, neighbor APs, evil twins and eavesdropping, where all traffic is on a shared medium, clients have direct access to the outside world and internal traffic is exposed]
Monitoring for the Mobile Age
A dedicated wireless monitoring system provides the full traffic and connection analysis that you expect on the wired side but have lost in wireless
[Diagram: the same wired perimeter (firewall, NAT, IDS) with each wireless threat (rogue AP, neighbor APs, evil twin, eavesdropping) blocked by the wireless monitoring system]
• See and find all wireless devices
• Automatically stop inappropriate connections
• Detect every vulnerability
• Enforce security policy in the air
The Wireless Network Components: Build a Secure Network
Build and Maintain a Secure Network
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
– What companies are doing:
  Disabling default passwords and services, hardening systems
  Replacing insecure protocols such as telnet with SSH and SSL
PCI v1.2 wireless-specific points:
– Implement secure wireless networks: WPA2, strong encryption settings, changed vendor-default SSIDs, passwords and SNMP community strings, etc.
Check for Weak Configurations
Compliance Requirements for Wireless Networks in PCI DSS v1.2
The Components for Wireless Networks: Protect Cardholder Data
Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
– What companies are doing:
  Implementing SSL/IPsec
  Email policy along with encryption and auditing of cardholder data
PCI v1.2 wireless-specific points:
– Stronger wireless encryption: WPA2 (IEEE 802.11i)
– New WEP implementations are prohibited after March 31, 2009
– Existing wireless implementations may not use WEP after June 30, 2010
Compliance Requirements for Wireless Networks in PCI DSS v1.2
Catch Encryption Loopholes
Validate strong encryption components and detect attacks against them
– 802.1X key rotation (confirm group and pairwise keys actually rotate)
– Dictionary attacks on authentication (e.g. against captured WPA-PSK handshakes)
– Multicast and broadcast traffic (protected only by the shared group key)
– WPA (TKIP) vulnerabilities
– Fragmentation and chop-chop attacks against WEP
Catch Encryption Weaknesses
The Components for Wireless Networks: Vulnerability Management
Maintain a Vulnerability Management Program
Requirement 6: Develop and maintain secure systems and applications
– What companies are doing:
  Implementing or improving patch management
  Implementing or improving standard system and device builds
  Implementing or improving the SDLC (to include security and PCI requirements)
  Implementing or improving change control procedures
  Reviewing and testing web application code (adopting OWASP guidance)
PCI v1.2 wireless-specific points:
– Effective patch management for wireless devices (APs, controllers, clients) so they receive the latest security updates
Track Configuration Changes
The Components for Wireless Networks: Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
– What companies are doing:
  Implementing log management
  Implementing IDS/IPS with monitoring and alerting
  Updating log review and retention policies and procedures
PCI v1.2 wireless-specific points:
– Wireless logging should be enabled and written to a central log server
– Automated audit trails for invalid access attempts
– Limit viewing of audit trails to those with a job-related need
– Protect audit trails from unauthorized modification
– Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis
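The "automated audit trail for invalid access attempts" point above is easy to state and easy to get wrong: a single failed login is noise, a burst of failures from one client MAC inside a short window is a dictionary attack against 802.1X. The following is an added example (not code from the AirMagnet deck or product) of that detection run over log lines a wireless controller might forward to the central log server. The syslog-style format, host name `wlc01`, client MACs and timestamps are all constructed for the example and are not any real vendor's output.

```python
"""Flag bursts of failed wireless authentications from centralized logs.

Added example, not code from the original AirMagnet deck.  It shows the kind
of automated audit trail for invalid access attempts that PCI DSS requirement
10 asks for, run over log lines a wireless controller might forward to the
central log server.  The log format and the log lines are constructed for
this example and do not correspond to any real vendor's syslog output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of EAP failures from one client (what a
# dictionary attack against 802.1X looks like), one success, two widely
# spaced failures from another client, and one unrelated (non-auth) line.
SAMPLE_LOG = """\
2009-05-04T10:00:01 wlc01 auth: client=aa:bb:cc:00:00:01 ssid=STORE-POS result=FAIL reason=eap-failure
2009-05-04T10:00:02 wlc01 auth: client=aa:bb:cc:00:00:01 ssid=STORE-POS result=FAIL reason=eap-failure
2009-05-04T10:00:03 wlc01 auth: client=aa:bb:cc:00:00:02 ssid=STORE-POS result=OK
2009-05-04T10:00:04 wlc01 auth: client=aa:bb:cc:00:00:01 ssid=STORE-POS result=FAIL reason=eap-failure
2009-05-04T10:00:05 wlc01 auth: client=aa:bb:cc:00:00:01 ssid=STORE-POS result=FAIL reason=eap-failure
2009-05-04T10:00:06 wlc01 auth: client=aa:bb:cc:00:00:01 ssid=STORE-POS result=FAIL reason=eap-failure
2009-05-04T10:00:07 wlc01 dhcp: lease 10.1.1.23 to aa:bb:cc:00:00:02
2009-05-04T10:09:00 wlc01 auth: client=aa:bb:cc:00:00:03 ssid=STORE-POS result=FAIL reason=eap-failure
2009-05-04T10:20:00 wlc01 auth: client=aa:bb:cc:00:00:03 ssid=STORE-POS result=FAIL reason=eap-failure
"""

# Field layout of the constructed auth records (an assumption for this example).
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: client=(?P<mac>[0-9a-f:]{17}) "
    r"ssid=(?P<ssid>\S+) result=(?P<result>\w+)"
)


def parse_auth_events(text):
    """Turn raw log text into a list of auth event dicts, skipping unrelated lines."""
    events = []
    for line in text.splitlines():
        m = AUTH_LINE.match(line)
        if not m:
            continue  # not an auth record (e.g. DHCP); leave it for other detectors
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "mac": m["mac"],
            "ssid": m["ssid"],
            "ok": m["result"] == "OK",
        })
    return events


def failure_counts(events):
    """Total failed attempts per client MAC, for the audit trail summary."""
    counts = defaultdict(int)
    for ev in events:
        if not ev["ok"]:
            counts[ev["mac"]] += 1
    return dict(counts)


def find_auth_bursts(events, threshold=5, window_seconds=300):
    """Return {mac: time of first alert} for clients that reach `threshold`
    failures inside a sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)  # mac -> timestamps of failures still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ok"]:
            continue
        q = recent[ev["mac"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # expire failures older than the window
            q.pop(0)
        if len(q) >= threshold and ev["mac"] not in alerts:
            alerts[ev["mac"]] = ev["ts"]
    return alerts


if __name__ == "__main__":
    events = parse_auth_events(SAMPLE_LOG)
    print("failures per client:", failure_counts(events))
    for mac, when in find_auth_bursts(events).items():
        print(f"ALERT {when.isoformat()} repeated auth failures from {mac}")
```

With the defaults (5 failures in 5 minutes) only the first client trips the alert; the second client's two failures are eleven minutes apart and stay in the audit trail as counts without raising an alarm. Widening the window or lowering the threshold trades noise for sensitivity, which is the tuning decision the log review procedure in requirement 10 should document.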
Track and Prevent Improper Connections
Complete IDS and Archiving
AirMagnet Enterprise core functions:
– Inspection: scan all traffic and channels
– Analysis: automatically identify threats and problems
– Enforcement: stop threats and enforce policies
– Correlation: put all the individual events in context
– Alerting: notify staff and escalate based on severity
– Archiving: store all events and compliance records
AirMagnet Enterprise core components: sensors plus server with backup
The Components for Wireless Networks: Monitor and Test Networks
Requirement 11: Regularly test security systems and processes
– What companies are doing:
  Vulnerability assessment scanning and penetration testing
  WIDS/WIPS
  Wireless analyzers
  File integrity monitoring
PCI v1.2 wireless-specific points:
– Test for wireless access points with a wireless analyzer at least quarterly, or deploy a WIDS/WIPS
– Wireless assessments: rogue device discovery
– WIDS/WIPS should alert on unauthorized access and other security events
– WIDS/WIPS should respond to unauthorized access
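The quarterly wireless analyzer pass required here, the vendor-default check under requirement 2 and the WEP prohibition under requirement 4 all come down to the same operation: take a scan of everything on the air and compare it with an inventory of the access points you actually own. The following is an added example (not code from the AirMagnet deck or product) of that comparison. The inventory, the BSSIDs, the SSID `STORE-POS`, the scan results and the signal-strength cutoff are constructed for illustration and are not any vendor's format or defaults.

```python
"""Audit a Wi-Fi scan against an inventory of authorized access points.

Added example, not code from the original AirMagnet deck.  It demonstrates the
checks a wireless assessment runs for PCI DSS requirements 2 (vendor-default
SSIDs), 4 (no WEP or open networks carrying cardholder data) and 11.1 (rogue
device discovery).  The inventory, the scan results and the field names below
are all constructed for illustration and are not any vendor's format.
"""
from dataclasses import dataclass

# Constructed inventory: BSSID -> SSID for APs approved for the cardholder data environment.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "STORE-POS",
    "00:11:22:33:44:02": "STORE-POS",
}

# A few SSIDs that ship as vendor defaults (illustrative, not an exhaustive list).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}

# Signal at or above this level is taken to mean the AP is on the premises
# rather than a neighbor's; the threshold is an assumption for the example.
STRONG_RSSI_DBM = -60


@dataclass(frozen=True)
class ScanResult:
    bssid: str
    ssid: str
    channel: int
    security: str  # one of: OPEN, WEP, WPA-PSK, WPA2-PSK, WPA2-EAP
    rssi: int      # received signal strength in dBm


def audit_ap(ap, authorized=AUTHORIZED_APS, strong_rssi=STRONG_RSSI_DBM):
    """Return the list of finding tags for one scanned access point."""
    findings = []
    bssid = ap.bssid.lower()
    corporate_ssids = set(authorized.values())

    if bssid in authorized:
        # Our AP: check it broadcasts the SSID we expect and uses strong encryption (req. 4).
        if ap.ssid != authorized[bssid]:
            findings.append("SSID_MISMATCH")
        if ap.security in ("OPEN", "WEP"):
            findings.append("WEAK_ENCRYPTION_" + ap.security)
        elif ap.security == "WPA-PSK":
            findings.append("LEGACY_WPA")
    elif ap.ssid in corporate_ssids:
        # Unknown BSSID advertising a corporate SSID: the evil-twin pattern.
        findings.append("EVIL_TWIN")
    elif ap.rssi >= strong_rssi:
        # Unknown AP with a strong signal: treat as a rogue on our premises until located.
        findings.append("ROGUE_AP")
    else:
        findings.append("NEIGHBOR_AP")

    if ap.ssid.lower() in DEFAULT_SSIDS:
        # A vendor-default SSID usually means the other defaults were kept too (req. 2).
        findings.append("DEFAULT_SSID")
    return findings


def audit_scan(results, authorized=AUTHORIZED_APS):
    """Map each scanned BSSID to its findings; an empty list means no issue found."""
    return {ap.bssid.lower(): audit_ap(ap, authorized) for ap in results}


# Constructed scan, as a site survey tool might report it.
SAMPLE_SCAN = [
    ScanResult("00:11:22:33:44:01", "STORE-POS", 1, "WPA2-EAP", -45),
    ScanResult("00:11:22:33:44:02", "STORE-POS", 6, "WEP", -50),        # WEP still enabled
    ScanResult("AA:BB:CC:DD:EE:01", "STORE-POS", 11, "OPEN", -40),      # not ours, our SSID
    ScanResult("AA:BB:CC:DD:EE:02", "linksys", 6, "OPEN", -48),         # strong, unknown, default SSID
    ScanResult("AA:BB:CC:DD:EE:03", "CoffeeShop", 1, "WPA2-PSK", -82),  # weak signal, unknown
]

if __name__ == "__main__":
    for bssid, findings in audit_scan(SAMPLE_SCAN).items():
        print(f"{bssid}  {', '.join(findings) or 'OK'}")
```

The signal-strength cutoff is the weakest part of any such check: a neighbor's AP on the other side of a thin wall can look "strong", and a rogue in a back office can look "weak", which is why the deck pairs analyzer sweeps with a WIDS/WIPS that can trace and physically locate a device rather than classify it from one reading.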
AirMagnet WiFi Analyzer: Mobile Security, Performance, Compliance
The Components for Wireless Networks: Maintain a Security Policy
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
– What companies are doing:
  Adding or changing policies
  Security awareness training
  Adding or updating incident response procedures
  Reviewing contracts with third parties that process or store cardholder data
PCI v1.2 wireless-specific points:
– A wireless policy and supporting procedures are required
Centralized Policy
– Set rules
– Create a report of rules
– Alert on violations
– Block, trace and locate
– Escalate problems
– 12 notification methods
– Integrate with other systems
PCI Reporting: Bringing it All Together
AirMagnet Compliance Reports
– Automatically identifies any potential PCI issues
– Complete overall view of compliance
– Details on each device and any actions required for compliance
Automated Compliance
– Set AirMagnet Enterprise to run compliance reports automatically
– Deliver reports to anyone in the organization
– Simple visibility and continuous archive of compliance
Sample Compliance Report
AirMagnet Enterprise: 24x7, Dedicated WLAN Monitoring and Protection
Aligns your WLAN with your existing security practices
Full-time analysis of ALL traffic
Tracks ALL wireless devices
Monitors ALL channels
Detects ALL known attacks, threats, hacking tools
Automated device classification
Protects ALL locations, geographies
Automated threat suppression and event notification
Simple, centralized event investigation and prioritization
Full database and reporting of all events