About Donald E. Hester
Donald teaches IT Audit and Forensics at the University of San Francisco, Microsoft courses for Las Positas College and San Diego City College, and various courses for the @ONE program of the California Community Colleges' Chancellor's Office. Donald is the Information Systems and Security Director, consultant and auditor for Maze & Associates. Donald's clients include local municipalities, non-profits, corporations and federal government agencies, and he specializes in a wide array of compliance programs and security assessments such as PCI, FISMA, COBIT, ITIL and ISO 27002. He is a guest lecturer and speaker on security topics for CMTA, CSMFO, MISAC, CISOA, ISACA and others, and he has served on various advisory committees and as a subject matter expert in information technology and security. Donald graduated with honors from the American Military University with a Bachelor's Degree in Security Management with a concentration in Information Security. He has nearly 20 years of experience in the security field. His certifications include CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, MCSA Security, MCDST, Security+ and CTT+. Donald is also Chairman and past Treasurer for the Brentwood Veterans Memorial Building and Commandant and past Treasurer for the Delta Diablo Det. 1155 Marine Corps League.
Tech>Protect: PCI Compliance Strategies
Written by Donald Hester, Tuesday, 25 January 2011. Last updated Wednesday, 26 January 2011.
From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question. Here's a recent dialogue regarding Payment Card Industry compliance:
It begins with a reader question:
I am looking to be Payment Card Industry compliant for our community college. I have been reading the rules and regulations of PCI and realize that you have to have an internal network penetration test and an application penetration test, as well as file system monitoring software.
And my answer:
You are correct; for your cardholder data environment you need internal vulnerability scans (PCI DSS Requirement 11.2), penetration tests (11.3) and file integrity monitoring (11.5). There is a wide spectrum of ways to meet these requirements, from outsourcing the functions to doing them in house, and each has its benefits and drawbacks. It is important to remember that you only need a PCI Approved Scanning Vendor (ASV) for the quarterly external scans; the internal scans and the penetration tests do not need an ASV. They still have to be done by qualified people, though, and the internal scans must run at least quarterly and after any significant change, with rescans until all "high" findings are resolved.
The important thing to remember about internal vulnerability scans is that running a scan occasionally is not the same as having a vulnerability management system, an actual process for finding, prioritizing and remediating vulnerabilities and then verifying the fix on the next scan. Therefore, I would recommend that any solution you look at helps you set up that process, not simply run vulnerability scans. For the internal scans you can hire a group to set up, monitor and maintain the scanner remotely, or you can purchase equipment and have your staff monitor and maintain the scans. Qualys has a good book on this called "Vulnerability Management for Dummies", which you can download free from their site.
Rapid7, nCircle, Qualys and Tenable (Nessus) can all be the basis of a vulnerability management process, some better than others, and each licenses differently. For example, Qualys licenses by IP address while Nessus licenses by scanner. Qualys has everything you need to set up a vulnerability management process out of the box, whereas Nessus on its own is only the scanner: to track findings and report across scans you need to purchase Tenable's SecurityCenter in addition to the scanner license.
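What separates a process from a pile of scan reports is keeping state between runs. The following is an added example, not from the original post and not code from any of the products named: it folds successive scans into a per-host, per-finding record so that each run reports what is new, what is still open, what was fixed and what has blown past its remediation deadline (PCI DSS only insists that "high" findings are fixed and rescanned until clean; the other deadlines in SLA_DAYS are a constructed local policy). The two scan result lists and the finding IDs are constructed; a real pipeline would parse the scanner's export (a Nessus .nessus file, a Qualys report) into the same tuples.

```python
"""Track vulnerability findings across scans (added example, constructed data)."""
from datetime import date

# Constructed remediation policy in days. PCI DSS itself only requires that
# "high" findings be fixed and rescanned until clean; the rest is local policy.
SLA_DAYS = {"high": 30, "medium": 90, "low": 180}

# Constructed scan output: (host, finding_id, title, severity). A real pipeline
# would parse the scanner's export into this shape.
SCAN_2011_01_03 = [
    ("WS01", "F-1001", "Outdated OpenSSL on port 443", "high"),
    ("POS02", "F-2002", "SMB signing not required", "medium"),
    ("POS02", "F-3003", "ICMP timestamp disclosure", "low"),
]
SCAN_2011_02_07 = [
    ("WS01", "F-1001", "Outdated OpenSSL on port 443", "high"),   # still there
    ("POS02", "F-3003", "ICMP timestamp disclosure", "low"),      # still there
    ("WS01", "F-2002", "SMB signing not required", "medium"),     # new on WS01
]


def record_scan(tracker, findings, scan_date):
    """Fold one scan into the tracker and return what changed in this run.

    tracker maps (host, finding_id) -> record. A finding is 'open' from the
    scan that first saw it until a scan no longer reports it; a closed
    finding that shows up again is reopened with a fresh clock (regression).
    """
    seen = set()
    new, persisting = [], []
    for host, fid, title, severity in findings:
        k = (host, fid)
        seen.add(k)
        rec = tracker.get(k)
        if rec is None or rec["status"] == "closed":
            tracker[k] = {"title": title, "severity": severity, "status": "open",
                          "first_seen": scan_date, "last_seen": scan_date,
                          "reopened": rec is not None}
            new.append(k)
        else:
            rec["last_seen"] = scan_date
            persisting.append(k)
    closed = []
    for k, rec in tracker.items():
        if rec["status"] == "open" and k not in seen:
            rec["status"] = "closed"
            rec["closed"] = scan_date
            closed.append(k)
    return {"new": sorted(new), "persisting": sorted(persisting), "closed": sorted(closed)}


def overdue(tracker, today):
    """Open findings older than their SLA, most overdue first: the remediation queue."""
    late = []
    for k, rec in tracker.items():
        if rec["status"] != "open":
            continue
        days_late = (today - rec["first_seen"]).days - SLA_DAYS[rec["severity"]]
        if days_late > 0:
            late.append((days_late, rec["severity"], k, rec["title"]))
    return sorted(late, reverse=True)


def demo():
    """Run the two constructed scans through the tracker."""
    tracker = {}
    first = record_scan(tracker, SCAN_2011_01_03, date(2011, 1, 3))
    second = record_scan(tracker, SCAN_2011_02_07, date(2011, 2, 7))
    return tracker, first, second, overdue(tracker, date(2011, 2, 7))


if __name__ == "__main__":
    tracker, first, second, late = demo()
    print("scan 1:", first)
    print("scan 2:", second)
    for days_late, severity, (host, fid), title in late:
        print(f"OVERDUE {days_late:3d}d {severity:6} {host} {fid} {title}")
```

The "closed" list is what you show an auditor as evidence of remediation, and the "overdue" list is what you escalate; a scanner alone gives you neither.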
If your environment is all Windows systems you can use Microsoft Baseline Security Analyzer (MBSA), a free Microsoft tool. Beyond missing security updates, MBSA also checks for common misconfigurations: excessive administrator accounts, weak or non-expiring passwords, open file shares and the like. The downside is that it only finds missing Microsoft patches and those misconfigurations, not vulnerabilities in general (unpatched third-party software, for instance), and it creates one report per system: if you have 10 systems you have 10 reports. The reports are XML, so you could write some custom code to compile them into a single report or dashboard. The question then is whether you have staff to support the customization.
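The consolidation step just described, as an added example that is not part of the original post: it parses the per-machine XML reports, pivots them into one check-by-machine matrix and lists the failing checks with MBSA's own advice text, critical failures first. The element and attribute names (SecScan, Machine, Date, Check, Name, Grade, Advice) and the meaning of the Grade codes are assumptions about the MBSA 2.x report format, so confirm them against a real report before relying on this; the two embedded reports are constructed, and load_from_disk is where you would point it at the real files in your SecurityScans folder.

```python
"""Pivot per-machine MBSA XML reports into one table (added example).

Element/attribute names and the Grade code meanings are assumptions about
the MBSA 2.x report format; confirm them against a real report first.
"""
import glob
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample reports standing in for the files MBSA writes per machine.
SAMPLE_REPORTS = {
    "COLLEGE - WS01.xml": """<SecScan Machine="WS01" Domain="COLLEGE" Date="2011-01-20 09:12:00">
  <Check ID="100" Grade="3" Name="Windows Security Updates">
    <Advice>3 security updates are missing.</Advice>
  </Check>
  <Check ID="102" Grade="1" Name="Administrators">
    <Advice>No more than 2 Administrators were found on this computer.</Advice>
  </Check>
  <Check ID="106" Grade="2" Name="File System">
    <Advice>One share exists with weak permissions.</Advice>
  </Check>
</SecScan>""",
    "COLLEGE - POS02.xml": """<SecScan Machine="POS02" Domain="COLLEGE" Date="2011-01-20 09:15:00">
  <Check ID="100" Grade="1" Name="Windows Security Updates">
    <Advice>No security updates are missing.</Advice>
  </Check>
  <Check ID="102" Grade="2" Name="Administrators">
    <Advice>More than 2 Administrators were found on this computer.</Advice>
  </Check>
  <Check ID="106" Grade="1" Name="File System">
    <Advice>All shares have acceptable permissions.</Advice>
  </Check>
</SecScan>""",
}

# Assumed meaning of the Check Grade attribute: 1 passed, 2 failed
# (non-critical), 3 failed (critical). Verify against your MBSA version.
FAIL_GRADES = {"2": "FAIL", "3": "FAIL-CRITICAL"}


def parse_report(root):
    """Return (machine, date, {check_name: (grade, advice)}) for one SecScan element."""
    checks = {}
    for check in root.findall("Check"):
        advice = (check.findtext("Advice") or "").strip()
        checks[check.get("Name")] = (check.get("Grade"), advice)
    return root.get("Machine", "?"), root.get("Date", "?"), checks


def consolidate(roots):
    """Merge many parsed reports into {check_name: {machine: (grade, advice)}}."""
    matrix = defaultdict(dict)
    for root in roots:
        machine, _date, checks = parse_report(root)
        for name, result in checks.items():
            matrix[name][machine] = result
    return dict(matrix)


def failures(matrix):
    """(check, machine, severity, advice) for every failing check, critical first."""
    rows = [(name, machine, FAIL_GRADES[grade], advice)
            for name, per_machine in matrix.items()
            for machine, (grade, advice) in per_machine.items()
            if grade in FAIL_GRADES]
    return sorted(rows, key=lambda r: (r[2] != "FAIL-CRITICAL", r[0], r[1]))


def sample_matrix():
    """Consolidate the constructed samples (used by the demo below)."""
    return consolidate(ET.fromstring(text) for text in SAMPLE_REPORTS.values())


def load_from_disk(pattern):
    """Parse real reports, e.g. load_from_disk("C:/Users/me/SecurityScans/*.xml").
    ET.parse honours each file's own XML encoding declaration."""
    return [ET.parse(path).getroot() for path in glob.glob(pattern)]


if __name__ == "__main__":
    matrix = sample_matrix()
    machines = sorted({m for per in matrix.values() for m in per})
    print("check".ljust(26) + "".join(m.ljust(8) for m in machines))
    for name in sorted(matrix):
        row = "".join(matrix[name].get(m, ("-", ""))[0].ljust(8) for m in machines)
        print(name.ljust(26) + row)
    print()
    for check, machine, severity, advice in failures(matrix):
        print(f"{severity:14} {machine:6} {check}: {advice}")
```

Swap sample_matrix() for consolidate(load_from_disk(...)) to run it against real reports; the matrix is what you would feed a dashboard, and failures() is the remediation list.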
For the penetration testing, PCI DSS does not prescribe a methodology or toolset. It does require that the test be done at least annually and after any significant change, that it cover both the network layer and the application layer, and that it be performed by a qualified internal resource or qualified third party who is organizationally independent of the systems being tested (a QSA or ASV is not required). So in theory you could get an appliance or toolkit with built-in tools like Metasploit, Core Impact or SAINT, which have automated, out-of-the-box penetration tests. You could purchase these tools and have your staff run them, or outsource this function. Keep in mind that an automated tool run is the starting point of a penetration test, not the whole of it; the value is in a qualified tester interpreting and chaining what the tools find.
Outsourcing the penetration testing function is what most organizations do. To conduct penetration testing in house you would need engineers trained in penetration testing on staff, and that skill set is expensive to maintain just for the purpose of an annual test. A more cost effective option is to share the expertise with other organizations: for example, all of the community colleges could pay a portion of a single penetration testing team that rotates from college to college, as opposed to each college outsourcing the function separately. A shared team still has to be independent of the staff who build and run the systems it tests.
For file monitoring there are a number of out-of-the-box products available, such as Tripwire, Solidcore, LogRhythm, nCircle and NNT, to name a few. The important thing to remember about File Integrity Monitoring is reporting. PCI DSS asks for critical system, configuration and content files to be compared at least weekly and for the alerts to be acted on, so you want alerts with low false positives: scope the monitoring to files that should not change, exclude the ones that legitimately change all the time (logs, temp files, caches), and then every alert is worth investigating. Otherwise you get lots of alerts that are just noise, and you miss the one that matters.
Windows on a 64-bit platform has some file integrity protection built in (Windows Resource Protection, and Kernel Patch Protection on x64), but that protects Windows' own files rather than alerting you to changes in your configuration and content files, and I have not seen a paper on how to set it up for PCI compliance. There may be something out there for that.
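To make the baseline-and-compare idea behind every FIM product concrete, here is an added example that is not from the original post or any of the products named. It snapshots hash, size and permission bits of every file under a directory, stores the baseline, and on the next run reports added, removed and modified files, tagging each modification with what changed; files matching the exclusion globs (a constructed starting list) are left out of the baseline so routine log growth never raises an alert. The demo directory, its file names and the "tampered" changes are all constructed.

```python
"""Baseline-and-compare file integrity check (added example, not from the post)."""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from fnmatch import fnmatch

# Files that legitimately change all the time. Excluding them from the baseline
# is the main lever for low false positives; these globs are a constructed
# starting point, tune them per system.
DEFAULT_EXCLUDES = ["*.log", "*.tmp", "*/cache/*"]


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, excludes=DEFAULT_EXCLUDES):
    """Snapshot content hash, size and permission bits of every file under root.
    Permission bits are meaningful on POSIX; on Windows os.chmod only toggles
    the read-only flag, so mode changes would need an ACL check instead."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch(rel, pat) for pat in excludes):
                continue
            st = os.stat(full)
            baseline[rel] = {"sha256": hash_file(full),
                             "size": st.st_size,
                             "mode": stat.S_IMODE(st.st_mode)}
    return baseline


def compare(baseline, current):
    """The payload of a FIM alert: added, removed and modified files, each
    modification tagged with which attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for rel in sorted(set(baseline) & set(current)):
        before, after = baseline[rel], current[rel]
        reasons = [k for k in ("sha256", "size", "mode") if before[k] != after[k]]
        if reasons:
            modified.append((rel, reasons))
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, path):
    # Keep this file off the monitored host or on read-only media: an attacker
    # who can rewrite the baseline silences the alert.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed walk-through on a temporary directory standing in for a
    cardholder system: baseline it, then simulate the next weekly run after a
    tampered config, a dropped executable, loosened permissions and ordinary
    log growth (which must not alert)."""
    root = tempfile.mkdtemp()
    baseline_path = root + ".baseline.json"
    try:
        def write(rel, data, mode=0o644):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(data)
            os.chmod(full, mode)

        write("etc/app.conf", "db=cde01\n")
        write("bin/pos", "#!/bin/sh\n", 0o755)
        write("var/app.log", "line1\n")
        save_baseline(build_baseline(root), baseline_path)

        write("etc/app.conf", "db=attacker-host\n")       # tampered config
        write("bin/dropper", "#!/bin/sh\n", 0o755)        # unexpected executable
        os.chmod(os.path.join(root, "bin/pos"), 0o777)    # loosened permissions
        write("var/app.log", "line1\nline2\n")            # normal log growth
        return compare(load_baseline(baseline_path), build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        if os.path.exists(baseline_path):
            os.remove(baseline_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Scheduled weekly (or more often) against the real directories, build_baseline plus compare is the comparison PCI DSS 11.5 asks for; what the commercial products add on top is central reporting, tamper-resistant baseline storage and agents that watch in real time rather than on a schedule.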
If you need help with these solutions, I can help you implement or even assist you in selecting solutions that meet your needs. I can also assist with the internal scanning. Feel free to give me a call if you have any questions.