Wednesday, November 28, 2012

Essential Definitions

[Added direct links to sources]

These definitions together as a group collectively represent important fundamentals - underpinnings - to cloud security, cloud audit, and cloud compliance. If you've heard me speak... you've heard me stick to this script. It hasn't changed. The message is the same. The application and context in which I use them happen to be cloud computing.

Security goals
The five security goals are confidentiality, availability, integrity, accountability, and assurance.
SOURCE:  SP800-27-RevA            
Security
A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems.  Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach.
SOURCE:  CNSSI-4009
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
SOURCE:  SP 800-53; SP 800-53A; SP 800-18SP800-27-RevASP 800-60; SP 800-37; FIPS 200FIPS 19944 U.S.C., Sec. 3542 
The property that sensitive information is not disclosed to unauthorized individuals, entities, or processes.
SOURCE:  FIPS 140-2 
The property that information is not disclosed to system entities (users, processes, devices) unless they have been authorized to access the information.
SOURCE:  CNSSI-4009
Availability
Ensuring timely and reliable access to and use of information.
SOURCE:  SP 800-53; SP 800-53ASP800-27; SP 800-60SP 800-37FIPS 200; FIPS 19944 U.S.C., Sec. 3542 
The property of being accessible and useable upon demand by an
authorized entity.
SOURCE:  CNSSI-4009
Integrity
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
SOURCE:  SP 800-53SP 800-53ASP 800-18SP800-27SP 800-37SP 800-60FIPS 200FIPS 199; 44 U.S.C., Sec. 3542 
The property that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
SOURCE:  FIPS 140-2 
The property whereby an entity has not been modified in an unauthorized manner.
SOURCE:  CNSSI-4009
Accountability
The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.  This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
SOURCE:  SP800-27
Assurance
Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or by-pass.
SOURCE:  SP800-27 
The grounds for confidence that the set of intended security controls in an information system are effective in their application.
SOURCE:  SP 800-37SP 800-53A 
Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.
SOURCE:  CNSSI-4009
Information Security
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
SOURCE:  SP 800-37SP 800-53SP 800-53ASP 800-18SP 800-60CNSSI-4009  FIPS 200FIPS 199; 44 U.S.C., Sec. 3542 
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
1) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
2) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
3) availability, which means ensuring timely and reliable access to and use of information.
SOURCE:  SP 800-66; 44 U.S.C., Sec 3542
Continuous Monitoring
The process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends.  The process includes: 1)  he development of a strategy to regularly evaluate selected IA controls/metrics, 2) Recording and evaluating IA relevant events and the effectiveness of the enterprise in dealing with those events, 3) Recording changes to IA controls, or changes that affect IA risks, and 4) Publishing the current security status to enable information-sharing decisions involving the enterprise.
SOURCE:  CNSSI-4009

Monday, November 5, 2012

CoDeSys + digital bond + Shodan = US-CERT Warning


Big Picture:

[1] Company makes flawed code for control systems. [2] Security company exploits code and releases free tools. [3] Hacker search engine compiles list of more than 500,000 control systems. [4] Researchers identify increased activity attempting to exploit critical infrastructure.

Brief Details and Links:

CoDeSys is a development platform created by 3S. This package is used to program controllers in an impressive 261 companies. The products include everything from factory automation to critical infrastructure SCADA systems. An interested party, a SCADA security company named digital bond, created and released two tools. The first tool is a command-shell utility (codesys-shell.py).  This allows an unauthenticated user the ability to perform privileged operations, sans password. The second tool is a file transfer tool which allows for reading and writing files on controllers with a file system (codesys-transfer.py). Shodan, a powerful exploit search engine, has already identified more than 500,000 reachable Industrial Control System (ICS) devices. Given that the Shodan search engine can be scripted, how long do you think that it takes an interested python coder to identify, exploit, root, and establish control? Create a module for Metasploit?

Some Quick Lessons:
  •  Build secure access controls into sensitive systems.
  • Isolate sensitive systems from the Internet.
  • Have your products third-party tested by professionals.
  • Assume security measures you build into your products are going to be used by your customers. They will be tested. Hopefully by you.
  • Especially if security isn't your core competency or product set, have your products third-party tested by professionals. Even if it is.... have your products third-party tested by professionals.

Thursday, September 6, 2012

Smart Grid Security

This month’s HSDL release includes a smart grid security article from George Mason. If smart grid security is of interest, but you're not deep into it, then you may appreciate the volume of information out there. I'm posting this information here so that I have a short list in one spot.

Article:
Referenced Resources:
Additional of Interest: 

Tuesday, August 7, 2012

Black Hat Panel: Top Skills


Jennifer Granick moderated a panel containing many of our most respected peers in the industry. Jennifer was incredibly sharp as she guided Jeff Moss, Bruce Schneier, Adam Shostack, and Marcus Ranum through several topics ranging from information sharing, critical infrastructure, future attacks, and cyber insurance.

The topic that caught my attention began with: You're the CSO. What are you going to spend your money on in the next 10 years?

Across the board, the answer was to spend your money on your employees... and that quickly folded into the types of skill sets needed. The answers given? Malware analysts, generalists, forensic analysis, response, cloud security, contracts, legal. You need people that can see the big picture and understand how the pieces fit together.

My takeaway for my customers? Invest in your people.

And a special note for my students. Continue reading, expanding, learning, pushing. Make yourself valuable and marketable. Love what you do. I've spoken with a few of you lately that have hit rough spots or failed in a big way. Don't quit. Don't give up. Don't you dare stop now. And in particular to one student who stepped up to the plate... I'm proud of you. Keep it up.

Monday, August 6, 2012

Re-post: Spreadsheet: ISO PCI HIPAA 800-53 FedRAMP CSA SANS SCSEM CESG

Re-posting this because this spreadsheet is a popular item. I've been pulled into so many directions over the last couple months that contributing here has been difficult. My apologies for that... here is the information about the spreadsheet:

Get the 'Common Authorities on Information Assurance' spreadsheet here. (xlsx)

...There are different spreadsheets floating around with ISO, PCI, NIST, HIPAA, and more so that you can play to your heart's content. Here's mine. Why do I do this? It's fun for me and it forces me to digest to a certain extent what's in there.

We have vCM and Archer, real tools for managing compliance. It does make a quick, compelling view into exactly why a (good) compliance management tool can be sooooo helpful. :) Have fun! It's under the documents tab.

The most complete set of controls? 
Recently a customer asked my opinion about what I thought was the most complete set of controls. There are several I like, and some that are far too narrowly focused to build a comprehensive program. My answer? NIST SP800-53. Here's a look at some commonly referred to sources.

Common Regulations, Standards, Audit Practices and Guides: SOX | GLBA |FFIEC | Basel II | FCRA | HIPAA | NERC | NRC | CFAA | FISMA | FRCP | FISCAMPrivacy Act of 1974 | Safe Harbor | NYSE | PCI-DSS | COSO  | CESG | NIST |ISO 27001:2005 | ISO/IEC 27002-2005 | OGC ITIL | BCI | CobiT | ISACA | AICPA |ISACA | OECD | CSA | ENISA


Sunday, June 3, 2012

Helping a Friend: Resetting Windows Password

Helping a friend. As mentioned previously... the purpose of this blog is to post information that's easily referenced. 

So... Rebecca.. Here are the steps for breaking the password... Call your closet hacker brother "J" with questions:) He knows what to do... 

Word document with pictures is located here: Word Doc: Resetting Windows Passord

1.      Download this: http://pogostick.net/~pnh/ntpasswd/cd110511.zip

a.      Comes from website: http://pogostick.net/~pnh/ntpasswd/

2.      This is a zipped up .ISO file and needs to be burned to a CD.

a.      Generally, most computers today have built-in burner software.
b.      Unzip the file anywhere and double-click the cd110511.iso file.
c.      Burn the image (.iso) file to a CD.

3.      Put the newly created CD into the computer to break the password.

a.      Power off computer with CD in the drive.
b.      Power on the computer and immediately starting hitting the [F-12] key every two second until the boot options menu comes up.
c.      Select boot from CD
d.      After the CD boots (into a LINUX micro-kernel…)

4.      Select the account and break the password:

a.      Initial Screen – Just hit the [Enter] key.

b.      Next you see the following line.  
Select: [1]Just hit the [Enter] key.

c.      Next you see [Windows/system32/config] Just hit the [Enter] key.

d.      Next you see [1]: Just hit the [Enter] key.

e.      Now you see [1] : again (for option Password reset…) – Just hit the [Enter] key.

f.       Next we select the account to change. 
[Adminstrator]Just hit the [Enter] key.

g.      Next we blank (clear) the password. Select: [q] > - Type 1 and hit the [Enter] key.

h.      Now it’s time to quit. 
Type ! and hit the [Enter] key. 
Type q and hit the [Enter] key.
Type y and hit the [Enter] key.
Type exit and hit the [Enter] key to exit program.

i.       Power off computer: Hold the power button for 6-8 seconds until it turns off.
j.       Power on and the password for the administrator account should be blank.

5.      The same steps can be followed for any account on the system.


Tuesday, May 22, 2012

Must Reads: Useful Books for Managers

Again - as stated in other places - this blog is my own little personal digital shelf. I can find easily direct others to information later. I will share this one a lot.

Life is incredibly short. In my 20s I laughed at the idea of a mid-life crisis. In my late 30s, quickly approaching 40... I sneezed, blinked, opened my eyes and 20 years flew by.

I heard a preacher say, "You will be the same person with the same problems 20 years from now. The only things that will change this are the books you read and the company you keep." Towards that end, I'm sharing a list of books created by Rob Davis, someone I know well and highly respect.
-----------

[Rob Davis] Below are a few books I've found very useful over the years.
MUST READ FOR FIRST LINE MANAGERS IN ANY FUNCTIONAL GROUP
First, Break All the Rules: What the World's Greatest Managers Do Differently
Influencer: The Power to Change Anything
The Effective Executive: The Definitive Guide to Getting the Right Things Done
What Management Is: How It Works and Why It's Everyone's Business
MUST READ FOR SECOND LINE MANAGERS AND ABOVE IN FIELD SALES
Developing The Leader Within You
Integrity: The Courage to Meet the Demands of Reality
The Extraordinary Leader : Turning Good Managers into Great Leaders
Good to Great: Why Some Companies Make the Leap... and Others Don't
The Channel Advantage

Monday, May 14, 2012

Spreadsheet: ISO PCI HIPAA 800-53 FedRAMP CSA SANS SCSEM CESG

Get the 'Common Authorities on Information Assurance' spreadsheet here. (xlsx)

[2016-02-03 Update]
-- PCIv3.1 controls spreadsheet: http://www.cloudauditcontrols.com/2016/02/pci-dssv31-controls-guidance-testing.html
-- NIST SP 800-53A r4 spreadsheet: http://www.cloudauditcontrols.com/2016/02/sp-800-53a-revision-4-controls.html

Just back from London... where the joke was for me to close a deal at Hogwarts:).

I had some time on the plane to clean and organize material into a single source document. I have much more interesting stuff than this, but alas, I can't share it unless you're a customer. And I like you. And you know how to get into Hogwarts.

There are different spreadsheets floating around with ISO, PCI, NIST, HIPAA, and more so that you can play to your heart's content. Here's mine. Why do I do this? It's fun for me and it forces me to digest to a certain extent what's in there.

We have vCM and Archer, real tools for managing compliance. It does make a quick, compelling view into exactly why a (good) compliance management tool can be sooooo helpful. :) Have fun! It's under the documents tab.

The most complete set of controls? 
Recently a customer asked my opinion about what I thought was the most complete set of controls. There are several I like, and some that are far too narrowly focused to build a comprehensive program. My answer? NIST SP800-53. Here's a look at some commonly referred to sources.

Common Regulations, Standards, Audit Practices and Guides: SOX | GLBA | FFIEC | Basel II | FCRA | HIPAA | NERC | NRC | CFAA | FISMA | FRCP | FISCAMPrivacy Act of 1974 | Safe Harbor | NYSE | PCI-DSS | COSO  | CESG | NIST | ISO 27001:2005 | ISO/IEC 27002-2005 | OGC ITIL | BCI | CobiT | ISACA | AICPA | ISACA | OECD | CSA | ENISA

Thursday, April 26, 2012

Getting Comfortable... ??

Now more than ever it's important to improve your technical, professional, and soft skills. The landscape is more competitive than ever, and the technologies shaping our world are evolving more quickly than at any other point in history.  This isn't a time to get comfortable with your knowledge set. Take the time to invest in yourself and reap the benefits.

Watch a Video!
Quickest way to get up to speed on a number of technologies? YouTube. Check it out! Seriously. For example, check out Chad Sakac's videos at http://www.youtube.com/user/sakacc.

Attend a Webcast!
Maybe you missed one? Want to check out topics that have presented before? Check out http://www.brighttalk.com

Try Hands on Labs!
Hands on Labs are growing in popularity because they can be managed easier with cloud platforms and reset instantly, allowing the resources used for someone else to be released as a baby-powder fresh clean slate for your learning pleasure.

Grab a book!
This is the list of books I've been giving students for years. Full disclosure - two of these are mine. They were written to give IT professionals a kickstart with a different skillset.

Wednesday, April 11, 2012

SP800-53A(3) Mapped to HIPAA

I reviewed NIST SP 800-66(R1) An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. I've posted the enhanced version of that effort which includes additional links to VMware, Cisco, EMC, and RSA healthcare portals.  Download the spreadsheet under the Documents tab.

I reverse mapped HIPAA to SP800-53A(3) controls based on SP800-66 guidance. 800-53A withdrawn controls were remapped to the specified replacement controls. Ping me if you have any questions. You need additional guidance in order to appropriately implement the HIPAA security rule. This is not enough to stand on its own - BUT it is an interesting look at the similarities in controls across authorities.

Tuesday, April 3, 2012

The Psychology of Acceptable Risk

Let's keep this simple.
Consider residual risk and acceptable risk. Controls are put in place to address known and unknown risk. Your remaining risk that isn't covered is called Residual Risk. If it's not small enough, you add more controls until it gets to the point you are willing to accept the residual. The threshold for the acceptable amount of risk is called Acceptable Risk. Now that that's covered, note the relationship between assurance and acceptable risk.
Assurance is the grounds for confidence that the set of intended security controls in an information system are effective in their application.
(NIST SP 800-37 and SP 800-53A)
What influences your risk tolerance? 
There are lots of interesting angles here. Think about this for a minute. What is it about an environment, a product or solution, that builds enough confidence that you are willing to accept the residual risk and place it into operation?

Can a vendor affect how much risk you are willing to accept?
I believe quite simply, the answer is yes. What other influential factors affect how you feel about a product or solution? Is it *right* that security can be subjective? Certainly, there are additional measures that build your confidence in a particular system such as third party reviews, configuration to *someone's* best practices, penetration testing, or borrowing trust from another system's ability to manage the new system's risk. We often tell others you have to meet a certain stringent, concrete standard to be considered secure. Well, yes, that's right, but there's also the influence of a vendor's history, reputation, communications, sales team, support, engineers, and more that drive your trust in a product or solution to meet your needs.

Where did this come from? 
I thought about this while walking the floor of RSA several weeks ago. It was interesting how much credibility I gave certain products because of their track record, despite any real experience with a particular platform. My biases crept into the picture, thinking about how company "X" *always* seems to deliver sub-par solutions, and company "y" always seems to deliver results. Even if testing of X demonstrated marked gains, my gut is to hesitate and prefer the trusted partner to "get it right". 

Thursday, March 29, 2012

The Organized Auditor: Document Tagging


Tabbles = Tagging Data
Here's an interesting concept. Tagging has been around for quite some time. There are tagged file systems for Linux, and tags for everything in social media. I started looking at ways to tag my data sets to solve - or help solve - the efficiency problem. I want to use my time thinking and processing with data. I'm a knowledge worker, and my effectiveness is tempered by how quickly I can find information. I depend on my formal and informal relationships every day because I have multiple avenues for getting answers. Tagging data provides another avenue for finding information I've already taken the time to collect. I clearly see the problem. So did a cool little company calling themselves Yellow blue soft that put up a website at http://www.tabbles.net. Their about page says it all. "We are a small, dynamic and international team who is wondering why file-management is lagging 30 years behind and no one seems to care or even notice. We do."

Messy Data.
How do you organize your documents? Organizational Behavior was the best class I've ever taken. I had no idea how often I would refer to the simple precepts we learned to understand how data and people naturally organize themselves. One interesting aspect of this organizational problem (i.e. information organically organizing itself) is that the relational complexity of the data set exponentially grows from their interconnected geometric relationships. 

Enterprise Content Management. 
You've created and enforce the best folder hierarchies on your hard drive... and transferred them to a file share for others to also use. It makes perfect sense to you, but for some reason others feel the need to change it. Over time, it becomes unwieldy and difficult to navigate. Entering stage left, Enterprise Content Management (ECM). That's great for the enterprise. What about your personal data? Is there a way to help identify and tag relationships between data sets?

Unstructured vs. Semi-Structured vs. Structured Data.
Call it what you want. There's a wealth of information about this online. Here's a simple example of the business problem. Consider your repository of [1] compliance information organized by authorities [2] vendor information organized by company, [3] customer information organized by the internal or external customers, [4] projects organized by your internal or external projects, and [5] technology information organized by subject. This is an example of the unstructured data problem. Tagging documents facilitates reviewing content I've tagged as containing specific information regardless of where it sits in my folder structure. It's a question of efficiency. It's not that you can't manage what you have. You've hacked through it for years. The question to consider is whether you can do it more efficiently. 

Monday, March 26, 2012

CAESARS Framework Extension: Continuous Monitoring

You may be familiar with Continuous Asset Evaluation, Situational Awareness, and Risk Scoring Reference Architecture Report (CAESARS). Trolling through older draft posts I created a few months ago, I ran across this little gem. On the face of it, you might think, "cool!"... until you realize how difficult it *really* is technically to make all of this work. I personally think it's a matter of time. The market needs _something_ delivering real time feedback.

Lately I've been speaking with people about continuous monitoring using the analogy of SAP's answer to ERP. Walmart's real-time view into their supply and distribution systems are legendary. Hiccup? They're on it.

Remember the 90s? Remember the large scale SAP implementations that failed? Remember _why_ the implementations failed and how much money it cost the companies that tried? What about the ones that were able to succeed and how much SAP helped with a competitive advantage?

I believe there are lessons to be learned from those times. Remember the buzz acronym BPR? Business Process Re-engineering. Some of the challenges are technical. Some are business related. Alignment, execution, focus, scope, roles, expectations. You may ask, "Are we discussing SAP or CAESARS?" ... Yes.

Now... take a peek into the NIST IR-7756 Continuous Monitoring Framework at http://csrc.nist.gov/publications/PubsDrafts.html. This is very interesting work that is moving in the direction of continuously assessing and providing assurance and remediation for your critical infrastructure. The authors of this version (Peter Mell, David Waltermire, Larry Feldman, Harold Booth, Alfred Ouyang, Zach Ragland, and Timothy McBride) have done a fantastic job of visually communicating the process and integration points.


Friday, March 23, 2012

Faster than a speeding bullet, more powerful than a locomotive, able to leap tall buildings in a single bound!

Superman's 1941 release opened famously with, "Up in the sky, look: It's a bird. It's a plane. It's Superman!" before going into the narration explaining the origins of the world's favorite superhero. I recently read through the opening narrative thinking about a baby Vblock growing up to be the superhero... Overactive imagination? Time for a vacation? :)

Several people have asked me questions about VCE's Vblock platform. Why is it any different than just buying each of the components and building it yourself? This video explains what happens behind the scenes to build a Vblock. Why does this matter to auditors? Repeatable process = Repeatable results. That's Super. 

Tuesday, March 20, 2012

EMC Acquires Pivotal Labs

Why Auditors Care: This is another step in the right direction to tackle the challenge of complex data analysis characterized by our IT infrastructures. Developers need tools to engage large disparate data sets and create solutions. My discussion is on the data produced by the infrastructure components, not the data housed by the infrastructure, which tends to be the focus of 'Big Data' discussions.


Excerpt from Full Story:
Pivotal Labs enhances EMC’s powerful portfolio of products and services, which are designed to enable organizations to store, analyze and take action on ‘Big Data’ – datasets so large they break traditional IT infrastructures.  Earlier this year EMC introduced the Greenplum Unified Analytics Platform (UAP) that delivered, for the first time, a scale-out infrastructure for analyzing both structured and unstructured data. Today EMC announced general availability of Greenplum Chorus – another industry first, delivering a Facebook-like social collaboration tool for Data Science teams to iterate on the development of datasets and ensure that useful insights are delivered to the business quickly.  EMC brought Data Science and its chief practitioner – the Data Scientist – to the fore a year ago at the world’s first Data Scientist Summit.  With the addition of Pivotal Labs, EMC can now take datasets perfected in Greenplum Chorus and enable customers to rapidly build out Big Data applications using modern programming environments such as Ruby on Rails.


News Summary:
  • EMC has acquired San Francisco-based Pivotal Labs, a privately-held provider of agile software development services and tools. 
  • EMC will invest to expand Pivotal’s reach on a global scale, bringing Pivotal’s agile consulting services expertise to an even greater number of both emerging start-ups and the world's largest businesses looking to embrace Cloud, Big Data, Social and Mobile in developing next-generation applications. 
  • Pivotal’s agile project management tool (Pivotal Tracker) is currently used by over 240,000 developers around the world. EMC plans to continue to invest in Pivotal Tracker to accelerate innovation in the platform and increase adoption. 
  • With the addition of Pivotal, EMC adds to its portfolio the gold-standard in agile software development for customers building ‘Big Data’ analytic applications. 
  • The all-cash transaction is not expected to have a material impact to EMC GAAP or non-GAAP EPS for the full 2012 fiscal year.
  • An online event titled “Social Meets Big Data: Live Webcast ” with executives from EMC and Pivotal Labs will be broadcast today, Tuesday, March 20 - 9:45 A.M. Pacific, 12:45 P.M. Eastern and 4:45 P.M GMT.  Event details can be found at http://bit.ly/qduws  or at EMC.com.

Friday, March 16, 2012

PCI Practices for Protecting Management Infrastructure

[Update: Added content in a downloadable spreadsheet]

A peer asked me a question about best practices for hardening a management environment - not necessarily related to PCI. It just so happens I like the results of the PCI-DSS as a starting point to answering this question. This post covers PCI - of course - but it can also be applied to other management environments.

Controls Commensurate with Your Risk.
I've written in detail about the need to implement controls commensurate with your risk. There are several approaches, some quite lengthy and difficult to navigate. I'm not naive to the volumes of material and wide range of preferences... The objective here is to protect data, using a set of easy to navigate, understand, and effective controls. I have several friends at prominent security companies that fail to see the benefit of a structured approach to security, and instead prefer to wing it based on the latest technology and a security magazine article.

PCI just happens to care about credit card data. The management systems that connect into this sensitive environment must be protected. The PCI-SSC (the council) recognized this, and mandated controls to protect the management systems/functions connecting into a sensitive environment. Here is a compiled list of controls derived from the PCI-DSS (the PCI standard). I took some liberty to consolidate, clarify, and add brief commentary as appropriate.


Secure Management Environment Assumptions:
  • Not Internet accessible 
  • Is considered essential to protected environment
  • Does not store sensitive data (e.g. CHD, IP, ePHI, PII, etc)
  • Does not process  sensitive data (e.g. CHD, IP, ePHI, PII, etc)
  • Facility controls apply but are not discussed below.  


Original PCI Assumptions:
  • Not Internet accessible (PCI-DSSv2 Req. 1.2, 1.3, and appropriate subsections) 
  • Is part of the CDE (PCI-DSSv2 Req. 1.3 all) 
  • Does not store CHD. (PCI-DSSv2 Req. 3 and others) 
  • Does not process CHD. (PCI-DSSv2 Req. 6 and others) 
  • Facility controls apply but are not discussed below. (PCI-DSSv2 Req. 9) 

Systems fall within the scope for PCI compliance if they are used to manage the CDE. PCI scope encompasses all of the following for a merchant:
  • Primary systems: Any system, component, device, application, that processes, stores, or transmits cardholder data (CHD) 
  • Secondary systems: These systems can connect to the primary systems without going through a (specifically) Stateful Packet Inspection (SPI) firewall. 
  • Administrative systems: Includes all management tools and systems which have direct access to the primary (and peripheral) scope systems. 
Requirements Summary:
The current standard and navigation document provide additional guidance. These documents and many other supporting materials are found on the PCI Security Standards Council website: https://www.pcisecuritystandards.org/security_standards/documents.php

Key Administrative and General Configuration Requirements:
Applies to All Components

Requirement

Summary Details

Reference

Supply a network diagram.
Verify that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data.
1.1.2.a
Enable only necessary and secure services, protocols, daemons, etc., as required for the function of the system.
Document ALL services, protocols, and ports used. Use secured technologies such as SSH, S-FTP, SSL, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc. If these insecure services are not necessary for business, they should be disabled or removed.
1.1.5 (a-b),
2.2.2 (a-b)
Default passwords are not allowed.
All default passwords must be changed; every component must have a unique password.
2.1
Develop and use hardened configuration standards.
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
Specific requirements include (among others):
• Configure system security parameters to prevent misuse (2.2.3)
• Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers (2.2.4.a)
2.2 (a-c),
2.2.3 (a-c),
2.2.4 (a-c)
Encrypt all non-console administrative access.
Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
• Verify strong encryption for authentication (2.3.a)
• Disable Telnet, other remote login commands (2.3.b)
• Require encrypted administrative access (2.3.c)
2.3 (a-c)
Install all vendor supplied security patches, including all critical patches within one month of release.
Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
6.1 (all)
Restrict account creation and access rights to least privileges and job function using an automated access control system.
Limit access to system components and cardholder data to only those individuals whose job requires such access, including:
• Lease privileges (7.1.1)
• Documented roles and authorizations (7.1.2-3)
• Using an access control system (7.1.4, 7.2 all)
7.1 (all)
7.2 (all)
Provide all users with a unique user ID. Group IDs are not allowed.
All users must have a unique user ID before allowing them to access system components or cardholder data.
8.1
8.5.8 (a-c)
Authenticate all internal user IDs.
In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: something you know, have, or are.
8.2
Deploy two-factor authentication for all remote CDE access.
Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dial- in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.)
Note: Two-factor authentication requires that two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.
8.3
Encrypt all passwords during transmission and storage.
Render all passwords unreadable during transmission and storage on all system components using strong cryptography.
8.4
Enforce strong password controls.
Ensure proper user authentication and password management for non-consumer users and administrators on all system components including:
• First time passwords unique and require immediate change (8.5.3)
• Vendor account remote access only enabled when needed and monitored during use (8.5.6.a-b)
• Do not use group, shared, or generic accounts and passwords, or other authentication methods (8.5.8.a-c)
• Passwords change every 90 days (8.5.9)
• Additional strong password controls for construction (7 char; alpha-numeric), attempts (6), lockout (30 min), idle timeout (15 min), password history (4) (8.5.10-15)
8.5 (all)
SIEM – Log management: Track and monitor all access to network resources and cardholder data to unique users.
Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user, including:
• Detailed automated audit trails for all events on system components (10.2 all)
• Detailed automated audit trail entries containing all information (10.3 all)
• Audit trail protection (10.5 all)
• Daily log reviews (10.6)
• Audit trail retained for one year (10.7)
10.1
10.2 (all)
10.3 (all)
10.5 (all)
10.6 (all)
10.7 (all)
NTP – Implement time-synchronization technology.
Using time-synchronization technology, synchronize all critical system clocks and times (e.g. using NTP) and ensure that time is correct, protected, and received from industry accepted sources.
10.4 (all)
Perform quarterly vulnerability scans.
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
• Review the scan reports and verify that the scan process includes rescans until passing results are obtained, or all "High" vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved. (11.2.1.b)
• Internal (private) IPs must be performed by a qualified resource (e.g. formal training, experience). (11.2.1.c)
• External (public) IPs must be performed by an Approved Scanning Vendor (ASV). (11.2.2 all)
• Rescan after any significant changes. (11.2.3 all)
11.2.1 (all)
11.2.2 (all)
11.2.3 (all)
Perform annual penetration tests.
Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:
• Network layer penetration test (11.3.1)
• Application layer penetration test (11.3.2)
11.3 (all)

Additional Key Network Requirements

Requirement

Summary Details

Reference

Prohibit direct public access between the Internet and any system component in the cardholder data environment (CDE).
If the management is determined to be part of the CDE, then a DMZ bounded by SPI firewalls must be implemented to separate the management from non-CDE networks, whether internal or external. There are several requirements regarding the specific configuration of the firewall to provide specific access controls, limiting the types of acceptable connections and addresses. See the standard for additional details.
1.3 (all)
IDS/IPS – Monitor perimeter access to the CDE and critical points inside the CDE.  
IDS/IPS devices should be implemented such that they monitor inbound and outbound traffic at the perimeter of the CDE as well as at the critical points within the CDE. Critical points inside the CDE may include database servers storing cardholder data (CHD), cryptographic keys, processing networks, or other sensitive components as determined by an entity's environment and documented in their risk assessment.
11.4 (all)

Additional Key Server Requirements

Requirement

Summary Details

Reference

Implement only one primary function per server.
Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)
Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.
2.2.1 (a-b)
Deploy anti-virus software on all systems commonly affected by malicious software.
Primarily applies to Windows-based operating systems.
Specific requirements include (among others):
• Software must be enabled for automatic updates and periodic scans (5.2.a-c)
• Log generation must be enabled and logs retained in accordance with PCI DSS Requirement 10.7 (5.2.d)
5.1 (all)
5.2 (all)
Deploy File Integrity Monitoring (FIM) software.
Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files; configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. (11.5)
Use file integrity monitoring and change-detection software on logs to ensure that existing log data cannot be changed without generating alerts. (10.5.5)
Note: For file-integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity.
10.5.5
11.5