Meeting PCI-DSS 1.1.7 with MachineTruth Global Configuration Assessments

Explanation of PCI-DSS requirement 1.1.7

PCI DSS Requirement 1.1.7 (renumbered 1.2.7 in PCI DSS v4.0) requires that firewall and router rule sets be reviewed at least every six months. A review is more than re-reading the configuration: every permitted service, protocol, and port is checked against its documented business justification (Requirement 1.1.6), rules that no longer have one are removed or tightened, and the resulting rule set is confirmed to still enforce the organization’s network security controls and router configuration standards.

Organizations can effectively conduct these reviews by utilizing services such as MachineTruth™ Global Configuration Assessments to analyze the configuration settings of firewalls, switches, routers, applications, and other network devices. By conducting regular audits and involving key personnel from the IT and security teams in the review of the results, organizations can ensure that their network device configurations and rule sets comply with PCI DSS Requirement 1.1.7 and maintain strong network security controls.


Consequences for failing to meet PCI-DSS 1.1.7

Compliance with PCI-DSS is crucial for maintaining the security and integrity of sensitive payment card information. Failing to meet the requirements of PCI-DSS can have significant implications for a company, including legal and financial consequences.

One specific requirement of PCI-DSS is 1.1.7, which requires that firewall and router rule sets be reviewed at least every six months. Failing to comply with this specific requirement can result in severe penalties, including hefty fines and potential legal action. Companies may also face damage to their reputation and loss of customer trust. In some cases, non-compliance with PCI-DSS requirements may lead to the inability to process payment card transactions, causing significant operational disruptions. Ultimately, the consequences of failing to meet PCI-DSS 1.1.7 can have far-reaching impacts on a company’s bottom line and long-term viability. Therefore, businesses must prioritize and invest in maintaining compliance with PCI-DSS to avoid these detrimental consequences.

Importance of securing inbound traffic

Securing inbound traffic is critical to the security and integrity of the cardholder data environment, and PCI DSS Requirement 1.2.1 mandates it: inbound and outbound traffic must be restricted to what is necessary for the cardholder data environment, and all other traffic must be explicitly denied. Restricting traffic in this way controls which sources and protocols may enter the network, so unnecessary or unauthorized traffic is blocked before it reaches cardholder data systems. Enforcing these restrictions significantly reduces the likelihood of unauthorized access and data breaches and is a precondition for maintaining PCI DSS compliance, so organizations must treat inbound filtering as a priority for safeguarding their cardholder data environment.

Importance of securing outbound traffic

Securing outbound traffic is paramount for protecting an organization’s sensitive information and preventing potential risks such as data breaches, exposure to malware, and unauthorized access to critical data. Unsecured outbound traffic can lead to data leaks, theft of intellectual property, and compromise of confidential information, causing significant financial and reputational damage to the organization.

Implementing egress filtering, encryption, data loss prevention, and threat detection measures can help mitigate these risks. Egress filtering is the single most powerful tool in preventing data exfiltration: with a default-deny policy on all traffic leaving the network or its segments, most exfiltration paths are disrupted. Encryption ensures that data transmitted outside the organization’s network is securely ciphered, preventing unauthorized access and data breaches. Data loss prevention tools enable organizations to monitor and control the transfer of sensitive data, thereby reducing the risk of data leaks and unauthorized access. In addition, threat detection methods allow real-time visibility into outbound traffic, enabling prompt detection and response to unauthorized or malicious activities.

By securing outbound traffic through these measures, organizations can significantly reduce the likelihood of data breaches, exposure to malware, and unauthorized access to sensitive information, thus safeguarding their critical assets and maintaining the trust of the card brands and customers.

Description of MachineTruth Global Configuration Assessment capabilities

This assessment leverages MicroSolved’s proprietary analytics and machine learning platform, MachineTruth, to review device and application configurations en masse at a global scale. The assessment compares device configurations against industry standard best practices, known vulnerabilities, and common misconfigurations. It also allows organizations to ensure control homogeneity across the enterprise, regardless of the mix of vendors, products, and versions in use.

Adopted security standards and security policies can be used as a baseline, and configurations can be compared holistically and globally against these universal security settings. Compensating controls can be identified and cataloged as a part of the assessment if desired.

Various analytics can also be performed as a part of the review, including trusted host hierarchies, reputational analysis of various sources for configured rules and access control lists, flagging of insecure services, identification of deprecated firmware, log management settings, protocols, encryption mechanisms, etc. MachineTruth can hunt down, flag, and provide specific mitigation and configuration advice to ensure these issues are fixed across the enterprise, architectures, and various vendor products.

If needed, the MachineTruth platform can verify network segmentation and serve as proof of these implementations to reduce the compliance scope to a subset of the network and data flows.
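As an added worked example (not MachineTruth code, and not any vendor’s configuration syntax), the following Python script performs the kind of rule-set review Requirement 1.1.7 calls for on a small, constructed rule set for a CDE boundary firewall. The rule format, the CDE address range and the list of insecure services are assumptions made for the example. It flags the findings a reviewer would raise: a permit into the CDE for a cleartext service, permit rules with no documented business justification, unrestricted egress from the CDE, and an outbound chain with no final deny-all (the “specifically deny all other traffic” half of Requirement 1.2.1).

```python
"""Six-month rule-set review for a CDE boundary firewall (added worked example).

The rule format, the sample rule set and the CDE address range are all
constructed for this example; they are not MachineTruth output or any
vendor's native syntax.
"""
import ipaddress
import shlex
from dataclasses import dataclass

# Assumption for the example: the cardholder data environment is one segment.
CDE_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Assumption for the example: cleartext or legacy services that should not be
# permitted into a CDE without documented compensating controls (1.1.6).
INSECURE_TCP_PORTS = {21: "ftp", 23: "telnet", 80: "http", 512: "rexec", 513: "rlogin", 514: "rsh"}

# Constructed rule set, one rule per line, evaluated top to bottom per direction:
#   name action direction proto src dst dport "business justification"
SAMPLE_RULES = """
web-in        permit in  tcp any            10.10.0.0/24 443  "public storefront"
mgmt-in       permit in  tcp 192.168.5.0/24 10.10.0.0/24 22   "admin jump host"
legacy-telnet permit in  tcp 192.168.5.0/24 10.10.0.0/24 23   ""
default-in    deny   in  ip  any            any          any  "default deny"
db-out        permit out tcp 10.10.0.0/24   10.20.0.5/32 5432 "payment db replication"
allow-all-out permit out ip  10.10.0.0/24   any          any  ""
"""


@dataclass(frozen=True)
class Rule:
    name: str
    action: str         # "permit" | "deny"
    direction: str      # "in" | "out", relative to the CDE segment
    proto: str          # "tcp" | "udp" | "ip"
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    dport: str          # port number or "any"
    justification: str  # business justification; PCI DSS 1.1.6 wants one per permitted service


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    message: str


def parse_rules(text: str) -> list[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the quoted justification column
        if len(fields) != 8:
            raise ValueError(f"malformed rule line: {line!r}")
        rules.append(Rule(*fields))
    return rules


def _is_any(value: str) -> bool:
    return value.lower() == "any"


def _touches_cde(cidr: str) -> bool:
    """True when a CIDR overlaps the CDE segment; the 'any' wildcard always does."""
    if _is_any(cidr):
        return True
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(cde) for cde in CDE_NETS)


def review_rules(text: str) -> list[Finding]:
    rules = parse_rules(text)
    findings: list[Finding] = []
    for r in rules:
        if r.action != "permit":
            continue
        if not (_touches_cde(r.src) or _touches_cde(r.dst)):
            continue  # does not involve the CDE; outside this review
        if _is_any(r.src) and _is_any(r.dst) and _is_any(r.dport):
            findings.append(Finding(r.name, "high", "any/any/any permit; restrict to required sources, destinations and ports"))
        if r.direction == "out" and _is_any(r.dst) and _is_any(r.dport):
            findings.append(Finding(r.name, "high", "unrestricted egress from the CDE; an open exfiltration path"))
        elif r.direction == "out" and _is_any(r.dst):
            findings.append(Finding(r.name, "medium", f"egress to any destination on port {r.dport}; allow-list destinations"))
        if r.proto == "tcp" and r.dport.isdigit() and int(r.dport) in INSECURE_TCP_PORTS:
            findings.append(Finding(r.name, "high", f"insecure service {INSECURE_TCP_PORTS[int(r.dport)]} ({r.dport}/tcp) permitted"))
        if not r.justification.strip():
            findings.append(Finding(r.name, "medium", "permit rule has no documented business justification"))
    # Requirement 1.2.1: each direction must end in an explicit deny-all.
    for direction in ("in", "out"):
        chain = [r for r in rules if r.direction == direction]
        last = chain[-1] if chain else None
        if last is None or not (last.action == "deny" and _is_any(last.src) and _is_any(last.dst) and _is_any(last.dport)):
            findings.append(Finding(f"<{direction}bound chain>", "high", "no explicit final deny-all rule"))
    return findings


if __name__ == "__main__":
    for f in review_rules(SAMPLE_RULES):
        print(f"[{f.severity:6}] {f.rule}: {f.message}")
```

Run as-is it prints five findings for the sample. In practice the rule text is exported from each device and normalised into this format first, and the justification column is filled from the documentation Requirement 1.1.6 already obliges you to keep; a rule that cannot be matched to a justification is exactly the rule a six-month review exists to remove.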

How MachineTruth helps organizations meet PCI requirements

MachineTruth Global Configuration Assessments help organizations simplify the process of meeting PCI-DSS 1.1.7 and other relevant regulatory requirements. By working across vendor platforms, and reviewing up to several thousand device configurations simultaneously, even the most complex networks can be reviewed holistically and quickly. Work that would have taken several man-years to perform with traditional methods can be accomplished quickly and with a minimum of resources.

Multi-level reporting also provides an easy, prioritized path to mitigation of the findings, and if you need assistance, MicroSolved’s extensive partner network stands ready to help you make the changes across the planet. The output of the assessment includes three reports: technical details with mitigations for each finding; a technical manager report with root causes and suggestions for improvement across the enterprise; and an executive summary designed to help upper-level management, boards of directors, auditors, and even business partners performing due diligence understand the assessment outcome and the state of security throughout the organization’s networks. The reporting is excellent for establishing the true state of network compliance, even on a global scale.

This not only allows organizations to easily and rapidly meet PCI-DSS 1.1.7, but also allows them to quickly harden their networks and increase their security posture at a rate that was nearly impossible in the past. Leveraging the power of AI, machine learning, and analytics, even the most complex organizations can make solving this compliance problem easy.

How to Engage with MicroSolved, Inc.

To learn more about a MachineTruth Global Configuration Assessment or the 30+ years of security expertise of MicroSolved, Inc., just drop us a line at info@microsolved.com. You can also reach us at +1.614.351.1237. Our team of experts will be more than happy to walk through how the platform works and discuss the workflow and costs involved with this unique option for meeting PCI requirements and other relevant regulatory guidance. While MicroSolved is a small firm with more than 30 years in business, some clients prefer to work through our larger partners who are likely already on established vendor lists. This is also possible, and the protocols and contractual arrangements are already in place with a number of globally recognized professional services firms. Whether you choose to work with MicroSolved directly, or through our partner network, you will receive the same excellent service, leading-edge insights and benefit from our proprietary MachineTruth platform.

Consumers are Changing their Minds about Data Breaches

Per this article in Fast Company, some 72% of consumers now say that a breach announcement changed their perception of a retail brand. However, only 12% actually stopped shopping at the breached stores.

This appears to be a rising tide in the mind of consumers, with an increase in both attention and action versus previous polls.

Add to that the feelings of fatigue that we have been following on social media when breaches are announced. TigerTrax often identifies trending terms of frustration around breach announcements, and even some outright hostility toward brands with a breach. Not surprising, given the media hype cycle today.

TigerTrax also found that a high percentage of consumers were concerned to a larger extent about information privacy than in the past. Trending terms often include “opt out”, “delete my data” and various other conversation points concerning the collection and sharing of consumer information by vendors.

Retailers and other service providers should pay careful attention to this rising tide of global concern. Soon, breaches, data theft and illicit data trafficking may show significant increases in consumer awareness and brand damage is very likely to follow…

Twitter Stream About Online Card Fraud & Crypto Currency

The other day, I was discussing the idea that as the world moves more strongly toward chip and pin credit cards, that the levels of online credit card fraud were likely to skyrocket. Joel, the @SCADAHacker took me to task, and I thought I would share with you our conversation (with his permission, of course.) Here it is:

@lbhuston: Time to Get Moving on Chip and PIN? ow.ly/tvyZa <There are downsides to this too. It will help physical, but up online fraud.

@scadahacker: @lbhuston Please explain your reasoning on this and why it would be any different than current mag-based cards for online purchases. [sic]

@lbhuston: @SCADAhacker The threat won’t be different, but the criminals that now work physical card fraud will migrate their value stream to online.

@lbhuston: @SCADAhacker In other words, the crime rings powered by card fraud will simply compensate for the controls by switching fraud vector.

@lbhuston: @SCADAhacker This has been historically valid, & I think applies here. Most of those rings already have online fraud skills, they extend.

@lbhuston: @SCADAhacker Make sense? Sorry, hard in 120 char bursts. Sorry for the multiples. 🙂

@lbhuston: @SCADAhacker The really sad thing is that it is the best path forward. Chip cards work, for now. Also look for forgery to accelerate. 🙁

@scadahacker: @lbhuston Agree.  Good point my friend!

From there, I went on to discuss another concern that I am focusing on at the moment, crypto currency.

@lbhuston: @SCADAhacker Sadly, another thing I am watching closely is the impacts of crypto currencies on old school political corruption. Few controls

@lbhuston: @SCADAhacker Many law enforcement & govt watchdog groups don’t have digital chops to even understand something like bitcoin. 🙁

@lbhuston: @SCADAhacker Here’s my derby talk from 2 years ago. bit.ly/QQ4Skq <The innovate crime 4 profit is why I follow a lot of this.

@scadahacker: @lbhuston Thanks bro!

As always, Joel and all of my readers are welcome. Thanks for reading what I have to say and for allowing me to voice my thoughts and concerns. If you don’t already follow Joel, you should; he is world class and, in addition to being brilliant, is a heck of a nice guy, too. Reach out on Twitter and let me know what you think. Do you think card fraud is about to turn a corner? How will crypto currency influence the future political process? Am I just being paranoid? Give me a shout at @lbhuston and let me know what is on your mind.

PS – It looks like some of these ideas are being thought about around the world. Here are some other folks thinking along the same lines. Click here, here, here or here.

The Media Makes PCI Compliance “Best Defense”?

I have seen a lot of hype in my day, but this one is pretty much — not funny. Below is a link to a mainstream media trade magazine for the hospitality industry in which it is claimed that PCI compliance is the “best defense” hotels and the like can have against attackers and data theft.

Link: http://is.gd/cgoTz

Now, I agree that hospitality folks should be PCI compliant, since they fall under its requirements by accepting credit cards, but setting PCI DSS as the goal is horrible enough. Making PCI out to be the “best defense” is pretty ridiculous.

PCI DSS and other standards are called security BASELINES for a reason. That is, they are the base of a good security program. They are the MINIMUM set of practices deemed to be acceptable to protect information. However, there is, in almost all cases, a severe gap between the minimum requirements for protecting data and what I would quantify as the “best defense”. There are so many gaps between PCI DSS as a baseline and “best defense” that it would take pages and pages to enumerate. As an initial stab, just consider these items from our 80/20 approach to infosec that are left out of PCI: formalized risk assessment (unless you count the SAQ or the work of the QSA), data flow modeling for data other than credit card information, threat modeling, egress controls, awareness, incident response team formation and even skills gap/training for your security team.

My main problem with PCI is not the DSS itself, but how it is quickly becoming the goal for organizations instead of the starting line. When you set minimums and enforce them with a hammer, they quickly come to be viewed as the be-all, end-all of the process and the point at which the pain goes away so you can focus on other things. This is a very dangerous position, indeed. Partial security is very costly and, at least in my opinion, doing the minimum is pretty far away from being the “best defense”.

PCI Scope Reduction — Why not?

Bill Mathews, our Guest Blogger, is co-founder and CTO of Hurricane Labs (www.hurricanelabs.com), an information security services firm.

Limiting your PCI compliance scope can be beneficial in several ways. First it minimizes the amount of assets where PCI is applicable, but primarily it limits the number of places you can find credit card data on your network. The latter is the most important. PCI isn’t some huge, scary thing you should run away from and scope reduction won’t solve all your problems – but it can get you to a point where you understand what is really happening on your network. There are a few caveats and “gotchas” you will encounter along the way but the journey is worth it.

In order to reduce your PCI scope you must first classify your assets. This is much harder than it sounds for most organizations. You have to figure out what data goes where and how it flows. This mapping is crucial for proper scope reduction. This type of awareness not only helps you with reducing your PCI scope but also helps you with general troubleshooting. Ultimately it will improve your process; it’s a win-win. If you don’t know where the data is, then the bad guys will help you find it.

After you’ve happily mapped out your data flow and understand where things are and why, then you can move to segmentation. Segmentation essentially allows you to split up your network into smaller chunks. This splitting up of your network makes implementing our next goal that much easier. Our next goal is implementing the principle of least privilege, which essentially says, “if you don’t need access, you don’t get access.” I’ve often argued that proper implementation of least privilege will not only solve nearly all your compliance issues but goes a long way in solving all your security woes as well. Notice I said “proper implementation.” Many implementations of it are flawed. Following up this segmentation with a good access control test is very important: it’s one thing to have controls, and quite another to have them properly implemented.

By no means are these the only things you should do; but in my opinion they are crucial for reducing your risk. Accomplish these few things and you’ll be well on your way to both reducing your PCI scope and having a well-balanced security posture on your network. Overall it is worth the effort it takes.
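The classify, map, segment and test steps above, as an added worked example in Python (not code from the original post or from Hurricane Labs). The assets, flows and scan results are constructed, and the scoping tiers are a simplification of the PCI SSC scoping guidance made for the example: a system that handles cardholder data is in the CDE; a system with a permitted flow to or from a CDE system is “connected-to” and in scope; a system that can reach a connected-to system goes into a “review” tier because it may still be able to impact the CDE’s security. The script computes scope for a flat network, recomputes it after segmentation and least privilege have removed the flows without a documented need, and then runs the access-control test the post insists on by comparing what a scan actually observed against the intended flow map.

```python
"""PCI scope from a data-flow map, before and after segmentation (added worked example).

Assets, flows and scan results are constructed. The scoping model is a
simplification of the PCI SSC scoping guidance, not its full definition.
"""
from collections import defaultdict

# Constructed inventory. Role "chd" marks systems that store, process or
# transmit cardholder data; everything else is "other".
ASSETS = {
    "pos-terminal": "chd",
    "payment-app": "chd",
    "payment-db": "chd",
    "admin-jump": "other",
    "dev-laptop": "other",
    "hr-app": "other",
    "hr-db": "other",
    "marketing-web": "other",
}

# Constructed flow map of the flat network: (source, destination) pairs that
# are permitted today. This is the output of the "classify and map" step.
FLOWS_FLAT = {
    ("pos-terminal", "payment-app"),
    ("payment-app", "payment-db"),
    ("admin-jump", "payment-app"),
    ("admin-jump", "hr-app"),
    ("dev-laptop", "admin-jump"),
    ("dev-laptop", "payment-db"),  # a "temporary" exception nobody removed
    ("hr-app", "hr-db"),
    ("marketing-web", "hr-app"),
}

# Same network after segmentation and least privilege: only flows with a
# documented need survive, and the CDE jump host no longer also manages HR.
FLOWS_SEGMENTED = {
    ("pos-terminal", "payment-app"),
    ("payment-app", "payment-db"),
    ("admin-jump", "payment-app"),
    ("dev-laptop", "admin-jump"),
    ("hr-app", "hr-db"),
    ("marketing-web", "hr-app"),
}

# Constructed result of a connectivity scan run after the change: a stale
# rule still lets the developer laptop reach the payment database.
OBSERVED_SEGMENTED = FLOWS_SEGMENTED | {("dev-laptop", "payment-db")}


def compute_scope(assets: dict[str, str], flows: set[tuple[str, str]]) -> dict[str, set[str]]:
    """Place every asset in one scope tier.

    cde           stores/processes/transmits CHD
    connected_to  has a permitted flow to or from a CDE system (in scope)
    review        can reach a connected-to system; must be examined for
                  whether it can impact the CDE, not assumed out of scope
    out_of_scope  none of the above

    Connectivity counts in both directions: a CDE system that initiates to a
    backup server pulls that server into scope just as an inbound flow would.
    """
    neighbours: dict[str, set[str]] = defaultdict(set)
    for src, dst in flows:
        neighbours[src].add(dst)
        neighbours[dst].add(src)
    cde = {a for a, role in assets.items() if role == "chd"}
    connected = {n for c in cde for n in neighbours[c]} - cde
    review = {n for c in connected for n in neighbours[c]} - cde - connected
    out_of_scope = set(assets) - cde - connected - review
    return {"cde": cde, "connected_to": connected, "review": review, "out_of_scope": out_of_scope}


def segmentation_violations(intended: set[tuple[str, str]], observed: set[tuple[str, str]]) -> list[tuple[str, str]]:
    """The access-control test: any flow a scan observes that is not in the
    intended map is a control that exists on paper but not on the wire."""
    return sorted(observed - intended)


if __name__ == "__main__":
    for label, flows in (("flat network", FLOWS_FLAT), ("segmented network", FLOWS_SEGMENTED)):
        scope = compute_scope(ASSETS, flows)
        print(label)
        for tier in ("cde", "connected_to", "review", "out_of_scope"):
            print(f"  {tier:13} {sorted(scope[tier])}")
    print("violations:", segmentation_violations(FLOWS_SEGMENTED, OBSERVED_SEGMENTED))
```

On the flat network the developer laptop is connected-to (it talks straight to the payment database) and the HR application lands in the review tier because the shared jump host reaches both worlds; after segmentation only the jump host is connected-to and the HR systems fall out of scope entirely. The final line is the part that matters: the intended map says the laptop cannot reach the database, the scan says it still can, and until that stale rule is gone the laptop is in scope no matter what the diagram claims.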


What Helps You with PCI?

Yesterday at RSA, much press attention was paid to a metric that 41% of all organizations tested needed temporary compensating controls to meet even the minimum security provided by PCI DSS compliance.

This led us to this discussion. If so many organizations need temporary controls to do the minimum, then what controls, in your experience, are the most worthwhile for those struggling to meet PCI?

Please leave a comment and tell us what controls you find most useful, easiest to leverage and worth the investment for PCI compliance.

As always, thanks for reading and we look forward to your input.

Bandwagon Blog: Why Isn’t Compliance & Regulation Working?!?

Everyone else seems to be blogging about it, so why not a “me too” blog from a different angle?

The main security questions people seem to be asking over the last few days are “Why are data theft and compromise rates soaring? I thought that regulations like GLBA, HIPAA, various state laws, PCI DSS and all the other new rules, guidelines and legislation were going to protect us?”

The answers to these questions are quite complex, but a few common answers might get us a little farther in the discussion. Consider these points of view as you debate amongst yourselves and with your CIO/COO/CEO and Board of Directors in the coming months.

What if compliance becomes another mechanism for “doing the minimum”? The guidance and legal requirements are meant to be minimums. They are the BASELINES for a reason. They are not the end-all, be-all of infosec. Being compliant does not remove all risk of incidents, it merely reduces risk to a level where it should be manageable for an average organization. This absolutely does NOT mean, “have some vendor certify us as compliant and then we are OK.” That’s my problem with compliance driven security – it often leaves people striving for the minimum. But, the minimum security posture is a dangerous security posture in many ways. Since threats constantly evolve, new risks continually emerge and attackers create new methods on an hourly basis – compliance WILL NOT EVER replace vigilance, doing the right thing and driving defense in depth deep into our organizations. Is your organization guilty of seeing compliance as the finish line instead of a mile marker?

Not all vendors “do the right thing”. Vendors (myself included) need to sell products and services to survive. Some (myself NOT included) will do nearly anything to make this happen. They will confuse customers with hype, misleading terminology or just plain lie to sell their wares. For example, there are some well known PCI scanning vendors who never seem to fail their clients. Ask around, they are easy to find. If your organization is interested in doing the minimum and would rather pass an assessment than ensure that your client data is minimally protected, give them a call. They will be happy to send you a passing letter in return for a check. Another example of this would be the “silver bullet technology” vendors that will happily sell their clients the latest whiz-bang appliance or point solution for fixing an existing security need, rather than helping clients find holistic, manageable security solutions that make their organization’s security posture stronger instead of the vendor richer….

Additionally, many compliance issues reinforce old thinking. They focus on perimeter-centric solutions, even as the perimeter crumbles and is destroyed by disruptive technologies. Since regulations, laws and guidance are often much slower to adjust to changes than Internet-time based attackers and techniques, the compliance driven organization NEVER really catches up with the current threats. They spend all of their time, money and resources focused on building security postures and implementing controls that are often already ineffective due to attacker evolutions.

Lastly, I would reinforce that there are still many organizations out there that just simply will not “do the right thing”. They believe that profit surpasses the need to protect their assets and/or client data. They do not spend resources on real security mechanisms, fail to leverage technologies appropriately, remain careless with policy and processes and do little in terms of security awareness. There are a lot of these organizations around, in nearly every industry. They do security purely by reaction – if they have an incident, they handle that specific issue, then move on. Since consumer apathy is high, they have little to no incentive to change their ways. The only way to enhance the security of these folks is when everyday buyers become less apathetic and veto insecure organizations with their spending. All else will fall short of causing these organizations to change.

So there you have it. A few reasons why regulation is not working. I guess the last one I would leave you with comes from my 16+ years in the industry – good security is hard work. It takes dedication, vigilance, attention to detail, creative AND logical thinking and an ability to come to know the enemy. Good security, far beyond compliance, is just plain tough. It costs money. It is rarely recognized for its value and is always easier to “do the minimum” or nothing at all…

Commentary on Security Assessment/PCI Scanning RFP Processes

Since MSI is a PCI scanning vendor, we are often included in various RFP/RFQ processes for the purchase of network scanning and assessment services. Over the last couple of years, one problem continually seems to raise its ugly head in RFP after RFP.

That issue is the lack of clarity in the RFP. Usually, the RFP issuer does not want to clarify the number of systems, applications, IP addresses or other relevant materials to the vendors. They want to keep that information private until after they award a contract. Below is a response I wrote this morning to a particular RFP issuer who is following this same pattern. Please read it and feel free to comment on the process, my response or any other items. I truly believe that only through communication, debate and eventual education can we find ways to take the customer and vendor pain out of these processes. Here is what I wrote in response to their posting about not wanting to reveal the number of IP addresses, except to the winner after the contract is awarded:

*Paste*

While I appreciate your process, I would suggest to you that your approach is not likely to achieve the best value for your organization.

Since you are choosing not to disclose the number of IP addresses to be assessed until after the winner is chosen, you essentially remove the very metric that the majority of scanning vendors use to create pricing models.

Thus, you force vendors to either respond with an hourly rate, or you force them to estimate the work and resources required. There is a risk to them and you in this estimation process. Their risk is that they could under estimate, thus causing themselves undue financial burdens. Your risk is that they will consistently overestimate, thus raising the prices that you get for a comparison and increasing the overall cost of the services you receive.

Of course, another possibility exists – that some vendors with ethical issues might respond to your lack of information by attempting to footprint your network and IP spaces to gather the relevant information themselves. Depending on their skills, tools and moral compass, this could cause a myriad of problems ranging from network congestion to (inadvertent) denial of service as the various vendors who fit this model identify and map your visible Internet presence.

In our experience, the more information and clarity you can achieve in your requests for pricing information, the better. The clearer the scope of work, the more focused and relevant the responses will be and the more “real world” the costs. In every situation where we have seen prospects use the RFP process as a veil, the resulting engagements are damaged by scope creep, misunderstandings, miscommunications and higher than average costs in money AND relevant resources.

The most often quoted reason for RFP ambiguity that we have heard over the last 15 years is that the issuer did not want to “expose details to attackers”. After more than a decade and a half in this business, I have learned from experience that attackers already have exposure information. If they want it, they will simply map the network and gather it. They will also do so in ways that have little to no respect for your business processes, customer uptime commitments, maintenance schedules and other potential impacts to your business.

All of this said, again I respect your process and your right to proceed however you choose. Perhaps your intentions or requirements are not as presented above – which is fine. I simply wanted to address RFP/RFQ processes at large and I hope this information sparks discussion and comment among vendors and end-customers of security services alike.

*End Paste*

I went on to thank them for their inclusion in the process and to invite them to comment on this blog about the content. I hope they, and others do so. Please let me know your thoughts on this and other issues around RFP ambiguity. I would love to create a discussion between both vendors and customers about their ideas and feelings on the process!

Cisco’s PCI Ultimatum Movie was a Big Hit!

The movie premiered in Columbus yesterday and seemed to be a great way to learn about PCI requirements.

It was hilarious to see people you know on the big screen.

Check it out when it comes to a city near you. You can check out the trailers and such at http://www.businessofsecurity.com.

We have put up a separate blog site to follow the movie as it tours and to give follow up info. You can check it out at http://pcimovie.blogspot.com!

Respond in comments and let us know what you thought of it!

Added Note: It is our CEO who gets killed in the opening scene, persistent isn’t he…  😉

Also, the movie premier followed our State of the Threat presentation yesterday morning, adding even more info to what has quickly become one of the leading edge security presentations around!