-Note: Som
-or until a rule is written to specifically deny it.
This condition is supported by Enterasys policy capabilities.
Implement Strong Access Control Measures
Requirement 8: Assign a unique ID to each person with computer access
-packet inspection firewall, and a broad range of WAN interfaces. Powerful management and configuration tools -- including an industry-standard Command Line Interface, SNMP integration and client/server Java application management support -- provide extensive remote monitoring and diagnostic capabilities. Enterasys provides security and maintains performance when VPN and QoS features are enabled. When combined w
IP WAN routing, Enterasys XSR
functionality and firewall features. Enterasys XSR platform supports PPTP with IPSEC VPNs.
Enterasys Security Information and Event Manager (SIEM) integrates log and flow data with existing user identity information to provide detailed audits of user activity. Point-in-time snapshots of user profiles provide the unique ability to accurately report user activity
Enterasys Intrusion Prevention System (IPS) provides a network-based and host-based IDS/IPS solution.
Enterasys Network Access Control (NAC) solution helps enforce access controls. NAC detects all devices and users that try to authenticate to the network. Once a user or device successfully authenticates, NAC can track, modify, and control the privileges based on a complex security policy that specifies the type of authorized devices,
Enterasys Network Management Suite (NMS) Console provides authenticated user login, along with detailed logs of network administrator actions, providing a historical view of resource provisioning actions, by user with
appropriate time stamps. Enterasys Host-based Intrusion Detection (HIDS) solution may be implemented to analyze log entries and forward specific change control items to a forensic database such as Enterasys SIEM.
Enterasys NMS Inventory Manager is a tool for efficiently documenting and updating the details of the ever-changing network. It simplifies the deployment and management of Enterasys devices. IT staff can perform a broad list of tasks including device administration on configuration files, schedule firmware updates, archive configuration data, or restore one or multiple devices to a known good state. Inventory Manager identifies unused ports and chassis slots and tracks moves, adds, and changes for Field Replaceable Units. Enterasys Inventory Manager also tracks configuration changes for Enterasys devices made by other Enterasys NMS applications, third-party management applications, or the command line interface.
In addition to the Enterasys capabilities, additional reviews should be performed on access control measures outside of the Enterasys capabilities.
Question Yes No
8.1 Are all users assigned a unique ID before allowing them to access system components or cardholder data?
Test Procedure:
Verify that all users are assigned a unique ID for access to system components or cardholder data.
This condition is supported by Enterasys infrastructure devices, where user accounts with passwords can be configured to control management access. Enterasys NMS has user-level accounts and controls access to infrastructure components such as switches, wireless controllers/access points, security routers and more. Enterasys IPS, SIEM, and NAC have user accounts and role-based access controls. In addition, if 802.1X is deployed, the Enterasys NAC product can be used to ensure that an identity is not used in two locations at the same time. This ensures that systems or roles (users) that do have access to cardholder data cannot have two simultaneous logins, which provides a unique identity at the network layer for each user/system accessing protected information (card data).
8.2 In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users? (i.e., password, two-factor authentication (e.g., token devices, smart cards, biometrics, or public key.))
Test Procedure:
To verify that users are authenticated using unique ID and additional authentication (e.g., a password) for access to the cardholder data environment, perform the following:
a. Obtain and examine documentation describing the authentication method(s) used.
b. For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s).
This condition is supported by Enterasys in that authentication of users connecting to the network is supported by Enterasys devices for 802.1X, PWA, and MAC-based authentication. Because the mechanism deployed for authenticating users, such as passwords, token devices, or biometrics, is independent of the infrastructure devices, Enterasys can support any of these
mechanisms. For management access to Enterasys infrastructure devices, the authentication mechanism of a user account with password is implemented to control management access.
Enterasys NAC can generate reports for all identities that were provisioned access to cardholder data or systems containing cardholder data. Enterasys NAC can report 802.1x failed logins. Additionally, Enterasys infrastructure components can SYSLOG failed access attempts and Enterasys SIEM can correlate and report on these errors.
8.3 Is two-factor authentication incorporated for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties?
(Use technologies such as remote authentication and dial-in service (RADIUS);
terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.)
Test Procedure:
To verify that two-factor authentication is implemented for all remote network access, observe an employee (e.g., an administrator) connecting remotely to the network and verify that both a password and an additional authentication item (e.g. smart card, token, PIN) are required.
This condition is supported by the Enterasys XSR platform, which supports VPN with certificates using RADIUS authentication of connecting users. All Enterasys infrastructure (wired, wireless and WAN (XSR)) supports authentication using the RADIUS protocol, such as 802.1X with certificates (wired/wireless) or smart card/token for wired/wireless/VPN.
8.4 Are all passwords rendered unreadable during transmission and storage on all system components using strong cryptography?
Test Procedure:
a. For a sample of system components, examine password files to verify that passwords are unreadable during transmission and storage.
b. For service providers only, observe password files to verify that customer passwords are encrypted.
This condition applies to Enterasys in reference to the transmission of encrypted data, and not the storage of data. Enterasys supports VPN for the encryption of traffic over public network using Enterasys XSR platform and WPA, as well as other encryption techniques for the transmission of traffic over wireless networks.
8.5 Are proper user authentication and password management controls in place for non-consumer users and administrators on all system components, as follows:
The conditions defined in 8.5.1 and 8.5.4 through 8.5.16 direct the administration process of passwords and proper user authentication for all system components. All of these conditions are supported by Enterasys infrastructure devices with 802.1X, PWA, and MAC-based user/device authentication to the network, with the capability to deny access to all network resources before successful authentication. For each authentication method, parameters such as the re-authentication interval and the maximum number of attempts before timeout may be configured. Moreover, Enterasys supports the creation and configuration of management accounts on all infrastructure devices, with a lockout feature once a certain number of failed attempts at management access is reached. Enterasys IPS/SIEM can monitor SYSLOG messages for failed login attempts, and Dragon SIEM can generate alerts and reports on failed logins, identifying brute-force attempts. The Enterasys patented Distributed Intrusion Prevention solution can take the message from Enterasys SIEM and locate and disable network access for systems attempting to brute-force system passwords.
8.5.1 Are addition, deletion, and modification of user IDs, credentials, and other identifier objects controlled?
Test Procedure:
Select a sample of user IDs, including both administrators and general users. Verify that each user is authorized to use the system according to company policy by performing the following:
a. Obtain and examine an authorization form for each ID.
b. Verify that the sampled user IDs are implemented in accordance with the authorization form (including with privileges as specified and all signatures obtained), by tracing information from the authorization form to the system.
Enterasys NAC can produce a report of identities used to gain network access (switch/wireless) and report on the level of access (role) granted to an identity over a given period of time. Example: Bob in past 30 days. Roles (level of access) can be verified in NMS Policy Manager to show level of control (ACLs) applied during each session.
8.5.2 Is user identity verified before performing password resets?
Test Procedure:
Examine password procedures and observe security personnel to verify that, if a user requests a password reset by phone, e-mail, web, or other
non-face-to-before the password is reset.
8.5.3 Are first-time passwords set to a unique value for each user and must each user change their password immediately after the first use?
Test Procedure:
Examine password procedures and observe security personnel to verify that first-time passwords for new users are set to a unique value for each user and changed after first use.
8.5.4 Is access for any terminated user immediately revoked?
Test Procedure:
Select a sample of employees terminated in the past six months, and review current user access lists to verify that their IDs have been deactivated or removed.
I Enterasys NAC, it would be a best practice to verify that
list against a list of terminations from HR.
8.5.5 Are inactive user accounts removed or disabled at least every 90 days?
Test Procedure:
Verify that inactive accounts over 90 days old are either removed or disabled.
If the customer
list against a list of terminations from HR.
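The checks in 8.5.4 and 8.5.5 reduce to two comparisons over an account export: enabled accounts that appear on the HR termination list, and enabled accounts whose last activity is older than 90 days. The script below is an added illustration, not part of the original document or any Enterasys tool; the account records, the termination list and the reporting date are constructed sample data.

```python
import datetime as dt

INACTIVITY_LIMIT_DAYS = 90  # PCI DSS 8.5.5 threshold

# Constructed sample data (hypothetical): an account export and an HR termination list.
AS_OF = dt.date(2024, 6, 30)
ACCOUNTS = [
    # (user_id, enabled, created, last_login)
    ("alice", True, dt.date(2023, 3, 1), dt.date(2024, 6, 28)),
    ("bob", True, dt.date(2023, 3, 1), dt.date(2024, 2, 1)),   # no login for > 90 days
    ("carol", True, dt.date(2023, 3, 1), dt.date(2024, 6, 1)),  # terminated, still enabled
    ("dave", False, dt.date(2022, 9, 1), dt.date(2023, 12, 15)),  # terminated and disabled
    ("erin", True, dt.date(2024, 6, 20), None),                  # new, never logged in
    ("frank", True, dt.date(2024, 1, 10), None),                 # old, never logged in
]
HR_TERMINATIONS = {"carol", "dave"}


def find_inactive(accounts, as_of=AS_OF, limit_days=INACTIVITY_LIMIT_DAYS):
    """Return enabled user IDs with no activity in limit_days (8.5.5).

    An account that has never logged in is measured from its creation date,
    so a freshly created account is not flagged while a stale one is.
    """
    cutoff = as_of - dt.timedelta(days=limit_days)
    flagged = []
    for uid, enabled, created, last_login in accounts:
        if not enabled:
            continue  # already disabled; nothing to do
        last_activity = last_login if last_login is not None else created
        if last_activity < cutoff:
            flagged.append(uid)
    return sorted(flagged)


def find_terminated_but_enabled(accounts, terminations=HR_TERMINATIONS):
    """Return enabled user IDs that appear on the HR termination list (8.5.4)."""
    return sorted(uid for uid, enabled, _, _ in accounts
                  if enabled and uid in terminations)


if __name__ == "__main__":
    print("inactive > 90 days:", find_inactive(ACCOUNTS))
    print("terminated but enabled:", find_terminated_but_enabled(ACCOUNTS))
```

Feeding the script a real export means replacing `ACCOUNTS` with rows read from the NAC or NMS report and `HR_TERMINATIONS` with the list obtained from HR; the comparison logic does not change.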
8.5.6 Are accounts used by vendors for remote maintenance enabled only during the time period needed?
Test Procedure:
Verify that any accounts used by vendors to support and maintain system components are disabled, enabled only when needed by the vendor, and monitored while being used.
This capability will vary by system component. For example, if you are implementing TACACS on the switches, a complete log of system access by account is available for review.
e.g., the admin needs to create one).
In addition, Enterasys NMS system tracks user accounts and the activation, disablement, or deletion of them. An audit of Enterasys NMS l activated, deactivated, created, or
en, etc.
8.5.7 Are password procedures and policies communicated to all users who have access to cardholder data?
Test Procedure:
Interview the users from a sample of user IDs to verify that they are familiar with password procedures and policies.
8.5.8 Are group, shared, or generic accounts and passwords prohibited?
Test Procedure:
For a sample of system components, examine user ID lists to verify the following:
a. Generic user IDs and accounts are disabled or removed.
b. Shared user IDs for system administration activities and other critical functions do not exist.
c. Shared and generic user IDs are not used to administer any system components.
Enterasys NMS system tracks user accounts and the activation, disablement, or deletion of them. An audit
8.5.9 Must user passwords be changed at least every 90 days?
Test Procedure:
a. For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require users to change passwords at least every 90 days.
b. For service providers only: review internal processes and customer user documentation to verify that customer passwords are required to be changed periodically and that customers are given guidance as to when, and under what circumstances, passwords must change.
8.5.10 Is a minimum password length of at least seven characters required?
Test Procedure:
a. For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require passwords to be at least seven characters long.
b. For service providers only: review internal processes and customer user documentation to verify that customer passwords are required to meet minimum length requirements.
8.5.11 Must passwords contain both numeric and alphabetic characters?
Test Procedure:
a. For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require passwords to contain both numeric and alphabetic characters.
b. For service providers only: review internal processes and customer user documentation to verify that customer passwords are required to contain both numeric and alphabetic characters.
8.5.12 Must an individual submit a new password that is different from any of the last four passwords he or she has used?
Test Procedure:
a. For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that new passwords cannot be the same as any of the last four passwords he or she has used.
b. For service providers only: review internal processes and customer user documentation to verify that new customer passwords cannot be the same as any of the last four passwords he or she has used.
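Requirements 8.5.9 through 8.5.12 together define a password policy: changed at least every 90 days, at least seven characters, both letters and digits, and not equal to any of the last four passwords. The class below is an added example of such a policy, written for this page and not code from the document or from Enterasys. It stores the password history as salted PBKDF2 digests so the history check can be performed without keeping old passwords readable (cf. 8.4); the policy constants and the sample passwords in the usage section are the author's assumptions.

```python
import datetime as dt
import hashlib
import hmac
import os

MIN_LENGTH = 7       # 8.5.10
MAX_AGE_DAYS = 90    # 8.5.9
HISTORY_DEPTH = 4    # 8.5.12
PBKDF2_ROUNDS = 100_000


def _digest(password, salt):
    """Salted, slow hash used only for comparing against the history (not a login hash)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_history_entry(password):
    """Return (salt, digest) to append to a user's password history."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)


class PasswordPolicy:
    def __init__(self, min_length=MIN_LENGTH, max_age_days=MAX_AGE_DAYS,
                 history_depth=HISTORY_DEPTH):
        self.min_length = min_length
        self.max_age_days = max_age_days
        self.history_depth = history_depth

    def check_complexity(self, password):
        """Return a list of 8.5.10 / 8.5.11 violations (empty list means compliant)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if not any(c.isalpha() for c in password):
            problems.append("contains no alphabetic character")
        if not any(c.isdigit() for c in password):
            problems.append("contains no numeric character")
        return problems

    def check_history(self, password, history):
        """8.5.12: reject a password equal to any of the last history_depth entries.

        history is a list of (salt, digest) tuples, most recent first.
        """
        for salt, digest in history[:self.history_depth]:
            if hmac.compare_digest(_digest(password, salt), digest):
                return [f"matches one of the last {self.history_depth} passwords"]
        return []

    def is_expired(self, last_changed, today=None):
        """8.5.9: a password older than max_age_days must be changed."""
        today = today or dt.date.today()
        return (today - last_changed).days > self.max_age_days

    def validate_new_password(self, password, history):
        """Combined check used at password-change time."""
        return self.check_complexity(password) + self.check_history(password, history)


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed history: "Pass0word" is the most recent, "Pass4word" the oldest.
    history = [make_history_entry(f"Pass{i}word") for i in range(5)]
    for candidate in ("short1", "lettersonly", "12345678", "Pass1word", "Pass4word", "Summer2024"):
        print(f"{candidate!r}: {policy.validate_new_password(candidate, history) or 'OK'}")
    print("expired:", policy.is_expired(dt.date(2024, 1, 1), today=dt.date(2024, 6, 30)))
```

Note that "Pass4word" is accepted: it is the fifth most recent password, outside the window of four that 8.5.12 requires. A stricter local policy can simply raise `history_depth`.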
8.5.13 Are repeated access attempts limited by locking out the user ID after no more than six attempts?
Test Procedure:
a. For a sample of system components, obtain and inspect system configuration settings to verify that invalid logon attempts.
b. For service providers only: review internal processes and customer user documentation to verify that customer accounts are temporarily locked-out after not more than six invalid access attempts.
Enterasys SIEM can monitor server logs and alarm on any threshold of failed login attempts. Failed login attempts can be stored in Enterasys SIEM SYSLOG. Thresholds and remediation can be set to identify a console that is repeatedly attempting access (e.g., a brute-force attempt) and automatically isolate that system for a user-defined amount of time (e.g., 30 minutes) or require an administrative release.
8.5.14 Is the lockout duration set to a minimum of 30 minutes or until an administrator enables the user ID?
Test Procedure:
For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.
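The lockout behaviour required by 8.5.13 and 8.5.14, and the threshold alarming described for the SIEM, can be modelled as a small state machine replayed over authentication log lines. The following is an added example written for this page, not code from the document or from Enterasys; the log format, the host names and the addresses are constructed sample data, and real SYSLOG formats will need their own regular expression.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAX_ATTEMPTS = 6                          # 8.5.13: lock after no more than six failures
LOCKOUT = timedelta(minutes=30)           # 8.5.14: locked for at least 30 minutes

# Constructed log format (hypothetical): "<iso-timestamp> <host> auth: FAILED|OK login user=<id> src=<ip>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|OK) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)

SAMPLE_LOG = """
2024-06-30T08:00:00 switch01 auth: FAILED login user=admin src=10.0.0.5
2024-06-30T08:00:01 switch01 auth: FAILED login user=admin src=10.0.0.5
2024-06-30T08:00:02 switch01 auth: FAILED login user=admin src=10.0.0.5
2024-06-30T08:00:03 switch01 link: port ge.1.1 up
2024-06-30T08:00:03 switch01 auth: FAILED login user=admin src=10.0.0.5
2024-06-30T08:00:04 switch01 auth: FAILED login user=admin src=10.0.0.5
2024-06-30T08:00:05 switch01 auth: FAILED login user=admin src=10.0.0.5
2024-06-30T08:00:06 switch01 auth: FAILED login user=admin src=10.0.0.5
2024-06-30T08:02:00 switch01 auth: FAILED login user=operator src=10.0.0.7
2024-06-30T08:02:10 switch01 auth: FAILED login user=operator src=10.0.0.7
2024-06-30T08:02:20 switch01 auth: OK login user=operator src=10.0.0.7
2024-06-30T08:10:00 switch01 auth: OK login user=admin src=10.0.0.9
2024-06-30T08:31:00 switch01 auth: OK login user=admin src=10.0.0.9
"""


class LockoutTracker:
    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout=LOCKOUT):
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.failures = defaultdict(list)  # user -> failed-attempt timestamps since last success
        self.locked_until = {}             # user -> datetime the lock expires
        self.events = []                   # (kind, user, src, ts) for the SIEM alarm feed

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record(self, user, src, ts, success):
        """Apply one authentication attempt; returns 'ok', 'failed' or 'locked'."""
        if self.is_locked(user, ts):
            # Even a correct password is refused while the lock is in force.
            self.events.append(("rejected_while_locked", user, src, ts))
            return "locked"
        if success:
            self.failures[user].clear()
            return "ok"
        self.failures[user].append(ts)
        if len(self.failures[user]) >= self.max_attempts:
            self.locked_until[user] = ts + self.lockout
            self.failures[user].clear()
            self.events.append(("locked", user, src, ts))
            return "locked"
        return "failed"


def replay(log_text, tracker=None):
    """Replay log lines through the tracker; unrelated lines are skipped."""
    tracker = tracker or LockoutTracker()
    outcomes = []
    for line in log_text.strip().splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        outcome = tracker.record(m["user"], m["src"], ts, m["result"] == "OK")
        outcomes.append((m["user"], outcome))
    return tracker, outcomes


def lockout_alerts(tracker):
    """Rows a SIEM rule would raise: which ID was locked, from where, and when."""
    return [(user, src, ts) for kind, user, src, ts in tracker.events if kind == "locked"]


if __name__ == "__main__":
    tracker, outcomes = replay(SAMPLE_LOG)
    for user, outcome in outcomes:
        print(f"{user:10s} {outcome}")
    print("alerts:", lockout_alerts(tracker))
```

In the sample, `admin` is locked on the sixth failure at 08:00:05, the seventh attempt and the correct login at 08:10 are both refused, and the login at 08:31 succeeds because the 30-minute window has elapsed; `operator` never reaches the threshold, and a successful login clears the failure count. The administrative release of 8.5.14 corresponds to deleting the user's entry from `locked_until`.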
8.5.15 If a session has been idle for more than 15 minutes, must the user re-enter the password to re-activate the terminal?
Test Procedure:
To verify that two-factor authentication is implemented for all remote network access, observe an employee (e.g., an administrator) connecting remotely to the network and verify that both a password and an additional authentication item (e.g. smart card, token, PIN) are required.
Enterasys infrastructure products (e.g., switches, wireless, routers, etc) have the ability to set an idle timeout for console and remote sessions. This parameter can be verified using Enterasys Inventory username (UID) and the password to be re-entered.
8.5.16 Is all access to any database containing cardholder data authenticated? (This includes access by applications, administrators, and all other users.)
Test Procedure:
a. Review database and application configuration settings and verify that user authentication and access to databases includes the following:
All users are authenticated prior to access.
All user access to, user queries of, and user actions on (e.g., move, copy, delete), the dataset are through programmatic methods only (e.g., through stored procedures).
Direct access or queries to databases are restricted to database administrators.
b. Review database applications and the related application IDs to verify that application IDs can only be used by the applications (and not by individual users or other processes).
Enterasys NAC can grant access to the cardholder data servers to only users that have authenticated using 802.1x. Enterasys SIEM can provide continuous monitoring and alarming for all data flows accessing the cardholder data environment. Enterasys SIEM can alarm on unauthorized applications.
Enterasys NAC and Enterasys SIEM also offer integrated USER ID to EVENT matching allowing for