Found a great article where Bill Seiglein (on csoonline.com) discusses the differences of being compliant and being secure.

Favourite quote;

I use the analogy that there might be a requirement for a door and so we install a door. Unfortunately the door is pointless without a lock but the requirement did not ask for a lock and so we did not get one

Wonderful analogy, really hits the spot and identifies the problems that appear when you try to use a compliance sheet as a checklist. You might miss things that are quite basic, while over-investing in controls that doesn’t do much to overcome the real problems.

A good example of this, to tie into my previous standards posts, might be companies using WEP in older wireless implementations. Insecure as hell but it is still considered “compliant” when the audit goes down.

Read the full article here!

And remember, being compliant does not mean that you’re secure.

I’m sitting here preparing for a meeting at which I will discuss our role in a clients PCI DSS project, and I thought it might do others good if I post what I’m thinking also.

First off, remember that all of this is from a perspective of a Panda AdminSecure/MalwareRadar point of view and it might not apply for other solutions.

Alright then. Which control objective’s and sub-objectives are we even directly responsible for when helping the client achieve compliance? By my thinking it should be:

Requirement 5: Use and regularly update anti-virus software or programs (all subs)

Even though the term anti-virus doesn’t really apply anymore, we can help with this

Those that we might be affected by/can help with are:

Requirement 6: Develop and maintain secure systems and applications
— 6.1 Ensure that all system components and software have the latest vendor supplied security patches installed. [...continued]

Requirement 11: Regularly test security systems and processes
— 11.2 Run internal and external network vulnerability scans at least quarterly [...continued]
— 11.4 Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems [...continued]
— 11.5 Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files [...continued]

and how can we do that? My notes on all mentioned subcomponents below…

The main ones:

5.1: This point discusses deployment of anti-virus protections. With Panda solutions, there’s no problem here. Deployment can be done by pushing (RPC) or setting login scripts from within the console and there is also .exe’s and .msi’s available for those that have bigger deployment solutions.

5.1.1: This point discusses verifying correct operation in the solution at hand and seeing to it that it also detects and removes other threats such as spyware or adware. The function verification is really up to the client, but of course we’ll help ‘em if they need help heh… And spyware/adware has been a part of our signature since 2004.

5.2: This point discusses the monitoring of the chosen solution to ensure that it is working, it is updated and capable of generating logs. All of this can be monitored from within the AdminSecure console and scheduled reports can be set up to inform admins of the current status. There is also the possibility of using other logging and notification services such as syslog and snmp, but one should be aware that these units need to be reachable from the client computers as the warnings will originate from them.

and then the others that we might be able to help with:

6.1: This point discusses the need to ensure that all computers have all security related patches applied. We can help with this by offering scans with MalwareRadar (distributed by pushing (RPC), .exe’s or .msi’s) which does both low-level scanning with a huge (too huge for on-access scanners) signature and patch inventory on scanned machines. MalwareRadar is a part of AdminSecure as of version 4.02.01 (beginning of 2008 I think).

11.2: This point discusses running vulnerability scans periodically or after significant network changes. MalwareRadar might be applicable here, but I would not really classify it as a vulnerability scanner. From marketing they will however probably say that it applies

11.4: This point discusses and encourages the use of NIDS, NIPS, HIDS and HIPS. In this section we can help with the HIPS part via TruPrevent. Truprevent is more than just a HIPS but it has all feature’s of one. This component was released in late 2004 and has been optimized since for both capabilities and performance. Installs by default on both clients and servers. Read more here, here and here.

11.5: This point discusses the use of file integrity monitoring software. This is being done in part by our client protection with TruPrevent (see point above) on some critical system files and behaviours. It could however be locked down even further by customizing the ruleset. For a simple example, one may not modify the “hosts” file in certain ways. TruPrevent is not the answer to this point 100% though, as what they are really after is a checksum monitor like Tripwire.

Ok, that’s about it.

If anyone think I’m totally of target or if they have other ways of looking at this, please let me know!

PCI DSS stands for “Payment Card Industry Data Security Standard” and it was created by the larger players in the credit card business to ensure that those little 1′s and 0′s, that usually reside on your physical magnetic-strip card, does not end up in the hands of a criminal.The first version of the standard was developed and agreed upon in late 2004 and was (still is) intended to provide guidance for organizations that transfer, store or process credit card information in computer security related issues. The first standard was revised in 2006 to make it more up-to-date and more relevant to the current situation.The use of the word “Guidance” is used a bit freely in the description according to me, as if a requirement in the standard is not met by the merchant he might lose his right to handle the kind of data described in the standard, effectively shutting down their business (this is not a bad thing, btw).Before the PCI DSS was widely agreed upon, many of the CC companies had their own standards and recommendations regarding data security, such as: CISP/AIS (Visa), SDP (MasterCard), DSOP (AmEx), I&C (Discover) and DSP (JSB). The above mentioned was also the primary participants in the discussion that later led to the standard. Most of these financial actors still have their own security programs but they have aligned them so that they all have the same objective, help merchants become PCI DSS standard compliant.

The PCI Data Security Standard consists of 12 topics in 6 different categories. These are called “control objectives” and are:

• Build and maintain a Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
• Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security

In order to verify whether or not the merchants/service providers are really compliant they have to undergo self-assessments, quarterly PCI Security Scans and possibly PCI Security Audits (Depending on the size and amount of sensitive information handled).

The PCI Security Scans are to be performed by a ASV (or, Approved Scanning Vendor) and is non-intrusive in their nature. This means that the scans should not interrupt day-to-day business or cause any damage to the systems evaluated. After one of these scans the ASV compiles a report detailing the different issues found, the associated risk (you will need a CISSP for this ) and also provide some guidance on how to remedy the issues. Every weakness found should also be categorised in a scale from one to five, five being worst case scenario. The PCI DSS considers level 3 to 5 as a failure to comply and a direct danger to cardholder data. This type of scans was the topic of discussion in the webinar that I based my previous related post on.

If you are a large merchant or service provider you might also be the subject of a PCI Security Audit which consists of a review of internal policies & documentation, internal penetration-testing & security evaluation and also interviews of selected personnel. This is done to actually verify that all guidelines in the PCI DSS has been implemented as they should.

One very interesting document regarding both types of audits was written in late 2006 by consultants from the German security company SRC. In that document (which contains a lot of good info) they listed the top 10 types of vulnerabilities found for both methods (internal/external). What’s very serious about the ones they listed are that they are very old. For example, I used one of them to compromise a network in 2002! This kind of vulnerability should not be present in any company that seriously tries to be secure. No matter the size. They are easily scanned for and can be exploited in under one minute. You can find the whole document here.

Other references on this subject:

PCI Security Standards

PCI Answers – This post was very interesting.

PCI Answers PCI Forum

PCI DSS News and Information

IT Governance PCI DSS information

Google…

That’s it for me now. If I’m mistaken about something or if someone has any questions please drop me a comment or an e-mail!

Cheers,