Keeping Up with PCI: Implementing Network Segmentation and Monitoring Security Controls

Payment Card Industry Data Security Standard (PCI DSS) requirements specify that the security controls you implement must be monitored and tested. This includes specifications for logging, monitoring and penetration testing. In this expert e-guide, get tips on establishing a process for logging activity and tying records to users, and on the three main requirements for testing security controls. Also, find out how to implement PCI network segmentation and how it may ease PCI compliance for your organization.
Pocket E-Guide
Sponsored by: SonicWALL

Table of Contents:
PCI DSS requirement: Monitoring and testing security
How to implement PCI network segmentation
Resources from SonicWALL
PCI DSS requirement: Monitoring and testing security
Mike Chapple
In addition to requirements specifying the security controls you apply to the systems and networks handling credit card transactions, the Payment Card Industry Data Security Standard (PCI DSS) also requires that you regularly monitor and test those controls. This includes specifications for logging, monitoring and penetration testing.
ACTIVITY LOGGING
One of the most burdensome PCI DSS requirements is that you establish a process for logging a great deal of activity, tie each activity record to an individual user and retain those logs for future reference.
Organizations approaching PCI DSS for the first time typically find large gaps between their current practices in this area and the PCI DSS requirements. For example, the standard requires that you log:
• All access to cardholder data
• All actions taken by anyone with root or administrative privileges
• All access to logs
• All invalid login attempts
• All use of identification and authentication mechanisms
• All creations or deletions of system-level objects
That's a lot of activity. For each of those events, you need to store:
• User name
• Event type
• Timestamp
• Success/failure status
• Origination of event
• Identity of affected system/resource/data
MONITORING SECURITY
It's not sufficient to simply store voluminous log records: you also must review those logs on at least a daily basis to identify any suspicious activity. PCI requires that you perform these daily reviews for any logs of security-related systems along with authentication, authorization and accounting servers. This is where automation is your friend. It's virtually impossible to perform these reviews without the assistance of log monitoring tools (at the very least) or a security incident monitoring (SIM) system at best.
In addition to monitoring your logs, PCI DSS requires that you place intrusion detection and/or prevention systems on your network in position(s) where they can monitor all traffic within your cardholder data environment. The IDS/IPS must be configured to alert security personnel to any suspicious traffic and to receive regular signature updates. It's a good idea to configure these systems to alert whenever they detect cleartext credit card numbers on the network. You can do this by using credit card regular expressions.
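An added example (not from the original e-guide) of the credit card regular expression idea, together with the check a practitioner adds to keep it usable: a Luhn validation, because a bare 13-to-19-digit pattern also fires on session identifiers, phone numbers and tracking numbers. The sample payloads are constructed, and the card numbers in them are the commonly published test numbers rather than live cards.

```python
"""Cleartext card number detection: a regular expression to find candidates
and a Luhn check to throw out most of the false positives.

Added example, not from the original e-guide. The payloads are constructed;
the card numbers in them are the usual published test numbers, not live cards.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 checksum, which every issued card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Digit-only card numbers in text that pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """First six and last four only, the most PCI lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(payloads):
    """Return (payload index, masked PAN) for every hit, the way an IDS alert would."""
    return [(i, mask(pan)) for i, p in enumerate(payloads) for pan in find_pans(p)]


# Constructed sample traffic: an HTTP form post, an application log line,
# and two lines that contain long digit runs but no card number.
SAMPLE_PAYLOADS = [
    "POST /checkout HTTP/1.1\r\n\r\ncard=4111111111111111&exp=1212&cvv=123",
    "2009-05-04 12:00:01 order=8841 pan=5500-0000-0000-0004 amount=19.99",
    "session id 1234567890123456 and phone 4111 1111 1111 1112",  # both fail Luhn
    "order total 1599 ref 20090504",                               # no 13-19 digit run
]

if __name__ == "__main__":
    for idx, masked in scan(SAMPLE_PAYLOADS):
        print(f"payload {idx}: cleartext PAN {masked}")
```

Two caveats when moving this onto an IDS/IPS: the alert must carry only the masked number, because an alert log full of full PANs is itself cardholder data that falls under the logging and storage requirements; and the check only sees cleartext, so it tells you nothing about traffic inside an SSL session or VPN tunnel unless the sensor sits where that traffic is decrypted.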
Finally, you must deploy file integrity monitoring software on your systems to identify any unauthorized modifications of critical files on at least a weekly basis. The most well-known solution in this space is the Tripwire file integrity monitoring software, but you also may wish to investigate alternatives, such as Solidcore.
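To show what file integrity monitoring actually does underneath, here is an added Python baseline-and-compare example. It is not the e-guide's code and not Tripwire's or Solidcore's; the functions are generic, and demo_run() works on a scratch directory with constructed files so it can be run anywhere without touching real system files.

```python
"""Minimal file integrity baseline and comparison in the spirit of
Tripwire-style tools. Added example, not the original e-guide's code and not
Tripwire's or Solidcore's; the scratch files in demo_run() are constructed.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def fingerprint(path):
    """SHA-256 of the content plus the metadata that tampering usually changes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def build_baseline(roots):
    """Fingerprint every regular file under the monitored roots (symlinks skipped)."""
    baseline = {}
    for root in roots:
        if os.path.isfile(root) and not os.path.islink(root):
            baseline[root] = fingerprint(root)
            continue
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                p = os.path.join(dirpath, name)
                if os.path.isfile(p) and not os.path.islink(p):
                    baseline[p] = fingerprint(p)
    return baseline


def compare(baseline, current):
    """Report added, removed and modified paths; a modified entry names the attributes that changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for p in sorted(set(baseline) & set(current)):
        changed = {k: (baseline[p][k], current[p][k])
                   for k in baseline[p] if baseline[p][k] != current[p][k]}
        if changed:
            modified[p] = changed
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, path):
    """Store the baseline; in practice keep this copy off the monitored host."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo_run():
    """Baseline a scratch directory, tamper with it, and return the report
    with paths made relative. Constructed data, safe to run anywhere."""
    d = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        a, b, c = (os.path.join(d, n) for n in ("a.conf", "b.conf", "c.so"))
        for p, body in ((a, "x=1\n"), (b, "y=2\n")):
            with open(p, "w") as f:
                f.write(body)
        baseline = build_baseline([d])
        with open(a, "w") as f:      # same size and mode, different content
            f.write("x=2\n")
        os.remove(b)                 # removed
        with open(c, "w") as f:      # added
            f.write("z\n")
        report = compare(baseline, build_baseline([d]))
    finally:
        shutil.rmtree(d)

    def rel(p):
        return os.path.relpath(p, d)

    return {"added": [rel(p) for p in report["added"]],
            "removed": [rel(p) for p in report["removed"]],
            "modified": {rel(p): sorted(v) for p, v in report["modified"].items()}}


if __name__ == "__main__":
    print(json.dumps(demo_run(), indent=1))
```

The one-byte edit to a.conf keeps its size, mode and owner, so only the content hash catches it; that is why a real baseline records a cryptographic hash and not just timestamps and sizes. The other half of the control is protecting the baseline itself: if the attacker who modified the file can also rewrite the stored fingerprints, the weekly comparison proves nothing, so the baseline and the comparison tool belong on a system the monitored host cannot write to.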
TESTING SECURITY CONTROLS
PCI DSS requires that you conduct regular testing of your security controls as well. There are three main requirements in this area:
• You must scan your airspace for any rogue wireless access points using a wireless analyzer at least quarterly. Alternatively, you may deploy a wireless IDS/IPS that is capable of detecting unauthorized wireless devices and alerting security personnel to their presence.
• You must conduct both internal and external vulnerability scans on at least a quarterly basis and after any significant network change. The quarterly external scans must be conducted by an Approved Scanning Vendor while the other scans may be performed by your staff.
• You must perform both internal and external penetration testing annually or after any significant change to infrastructure or applications. It's usually a good idea (although not a requirement) that you use an external vendor for these tests to ensure impartiality and have a fresh set of eyes reviewing your security controls.
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a contributor to SearchMidmarketSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the "CISSP Prep Guide" and "Information Security Illuminated."
SonicWALL vs. Spiraling TCO
Tired of wasting IT budget deploying and managing so-called best-of-breed network security and data protection solutions? If three-fourths of your budget is going toward the maintenance of these solutions, then your total cost of ownership (TCO) is spiraling out of control. But there's a smarter alternative: SonicWALL's high-performance network security, email security, and data protection solutions. SonicWALL is committed to improving performance and productivity by engineering the cost out of building and running secure networks. SonicWALL solutions strategically reduce the cost of acquisition, deployment, and management, providing you higher-performance protection at a lower TCO.
See how at www.sonicwall.com/lowtco
© 2009 SonicWALL, Inc. SonicWALL and the SonicWALL logo are registered trademarks of SonicWALL, Inc.
How to implement PCI network segmentation
EXPERT RESPONSE FROM: Mike Chapple, featured expert
► I'm writing a standard for my company that addresses network segmentation and qualifies as PCI DSS compliant. I need qualified resources that reference this topic; there are plenty of comments and talk on this subject but not much documented practice. Can you point me in the right direction for solid guidance on enterprise network segmentation?
► PCI network segmentation is a common approach to reducing the scope (and therefore the complexity) of card-processing networks. It follows the commonly used strategy of minimization: Store as little sensitive data in as few locations as possible and allow access only to those who absolutely need it.
When it comes to PCI DSS compliance, organizations commonly use network segmentation to wall off the systems that process credit cards from the rest of their network, thereby placing the rest of that network outside the scope of the assessment. For example, consider a retail store that has a point-of-sale (PoS) network that handles credit card systems, as well as a back-office network consisting of 20 productivity workstations. The store can limit the scope of its PCI assessment by using a firewall to place the card-processing systems on a network that is completely isolated from the productivity workstations.
In this case, where a firewall is separating two networks with different switch fabrics, you've clearly achieved isolation. Other situations are a little more gray. For example, some assessors may consider the use of VLAN separation adequate for PCI DSS segmentation, but many (myself included) do not consider this adequate due to the fact that a single switch port misconfiguration could defeat the segmentation.
As far as documentation, page 5 of the PCI DSS Requirements and Security Assessment Procedures is the authoritative reference on the topic. Like most standards, it provides a high-level goal while still offering flexibility in implementation. The relevant section reads: "At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. However, the adequacy of a specific implementation of network segmentation is highly variable and dependent upon such things as a given network's configuration, the technologies deployed, and other controls that may be implemented."
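An added example (not part of the original answer) of how to verify the segmentation in practice rather than taking the firewall diagram on trust: a Python check run from a host on the out-of-scope back-office network that attempts TCP connections to every system in the cardholder data environment. The host names, addresses and ports are assumptions, and the probe is injectable so the logic can be exercised offline against a fake network.

```python
"""Segmentation check: run from a host on the out-of-scope network and
confirm that nothing in the cardholder data environment (CDE) answers.

Added example, not from the original guide. The CDE hosts, addresses and
ports are assumptions; the probe is injectable so the logic runs offline
against a fake network in the test and against real sockets in production.
"""
import socket

# Assumed CDE inventory (constructed): the systems the firewall is supposed
# to isolate from the back-office workstations.
CDE_HOSTS = {"pos-db-01": "10.20.1.10", "pos-app-01": "10.20.1.20"}
PROBE_PORTS = (22, 80, 443, 1433, 3306, 3389)


def tcp_probe(ip, port, timeout=1.0):
    """Real probe: True if a TCP handshake to ip:port completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(hosts, ports, probe=tcp_probe, allowed=frozenset()):
    """Return every (name, ip, port) reachable from the current segment that is
    not in `allowed` (documented exceptions such as a jump host's SSH port).
    An empty list is the only passing result; anything else is a hole in the
    segmentation that pulls this segment back into PCI scope."""
    leaks = []
    for name, ip in hosts.items():
        for port in ports:
            if (ip, port) not in allowed and probe(ip, port):
                leaks.append((name, ip, port))
    return leaks


def fake_network(open_endpoints):
    """Offline stand-in for tcp_probe that answers only for the given (ip, port) set."""
    return lambda ip, port: (ip, port) in open_endpoints


if __name__ == "__main__":
    # Run this from a back-office workstation, not from inside the CDE.
    leaks = check_segmentation(CDE_HOSTS, PROBE_PORTS)
    if leaks:
        for name, ip, port in leaks:
            print(f"REACHABLE: {name} ({ip}) tcp/{port}")
    else:
        print("no CDE service reachable from this segment")
```

A connect probe only finds listening TCP services, so UDP services and plain ICMP reachability need their own probes, and the check has to be repeated from every segment you are claiming is out of scope, not just one. It is also the cheapest way to catch the VLAN-only failure mode described above: after a switch port change, the same script that returned an empty list last quarter will return a database port.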
Resources from SonicWALL
Achieving PCI DSS Compliance Through Security, Reliability and Consistent Policy Control
How to Accelerate PCI Compliance
PCI DSS Ambiguities and How to Overcome Them
About SonicWALL:
SonicWALL is committed to improving the performance and productivity of businesses of all sizes by engineering the cost and complexity out of running a secure network. Over one million SonicWALL appliances keep tens of millions of worldwide business computer users safe and in control of their data. SonicWALL's award-winning solutions include network security, secure remote access, content security, backup and recovery, and policy and management technology. For more information, visit the company web site at http://www.sonicwall.com.