Closing PCI WiFi Loopholes with AirMagnet Enterprise

Date post: 26-Dec-2014
Upload: bagnalldarren
Closing Wireless Loopholes for PCI Compliance and Security

AirMagnet Confidential 2

What is PCI-DSS?

A unified approach to safeguard sensitive data
– Started in 2001 as separate proprietary programs
– Standards consolidated under the naming of the Payment Card Industry (PCI) Data Security Standard (DSS)

Administered by the PCI Standards Council
– Founded by American Express, Visa, Mastercard Worldwide, Discover Financial Services and JCB International

Standards include the “Digital Dozen” – 12 core requirements

Who must comply with the standard?
– All merchants who process payment for merchandise using payment cards must comply

What parts of the network does it apply to?
– Applies to any system component included in or connected to the cardholder data environment

What if I fail to comply?
– Forfeiture of merchant's ability to process payment cards
– Liable for damages under federal or state laws

Compliance Requirements for Wireless Networks in v1.2

Requirement 1: Install and maintain a firewall configuration to protect data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

Requirement 6: Develop and maintain secure systems and applications

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Requirement 12: Maintain an Information Security Policy

What is PCI?

What Compliance Means for Merchants and Service Providers

– Everyone must comply with the standards

– The category you fall into determines what level of validation you must provide (i.e. audits/scans)

– Annual penetration tests are required, although not required to be submitted

Components of PCI:

– On-site Audit – only for Service Providers and Level 1 Merchants

– Security Self-Assessment – PCI compliance attestation is primarily based on this.

– Network Scans – Must be conducted by a qualified 3rd party against all external-facing information resources

The Table (Merchant Side)

Columns: Compliance Validation Level (due date in parentheses); Annual Onsite Assessment; Quarterly Scan; Compliance Questionnaire

Merchant Level 1 (9/30/04)
– Any merchant - regardless of acceptance channel processing - >6M transactions
– Any merchant that has suffered a hack
– Any merchant that CC Association determines should meet the L1 merchant.
– Any merchant identified by any payment card brand as Level 1
– Validation entries: Required, Required

Merchant Level 2 (9/30/07-new)
– 1M to 6M transactions, regardless of acceptance channel processing
– Validation entries: Required, Required

Merchant Level 3 (6/30/05)
– 20K to 1M e-commerce transactions
– Validation entries: Required, Required

Merchant Level 4 (acquirer)
– <20,000 e-commerce transactions, or <1M transactions regardless of channel
– Validation entries: Recommended (annual scan only), Recommended

The Wireless Network Components: Build Secure Network

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect data

– What companies are doing: Adding/changing firewalls

Performing architecture, FW and router rule audits/reviews

PCI v1.2

– Placing firewalls between wireless networks and cardholder networks

– Current network diagram

The Need for New Types of Oversight

Focus of the network is shifting to the edge

– Traditional networks delivered security and control through centralization

– Mobility breaks the centralized model by opening the door to outbound connections

– Now internal-only traffic is also exposed

– New need for firewall level analysis at the edge

Diagram labels: firewall, NAT, IDS; Rogue AP, Neighbor APs, Evil Twin, Eavesdropping

Traditional Wired Security
• Single entrance/exit
• Clients protected
• Internal traffic protected

Wireless Security
• All traffic in shared medium
• Direct access to outside world
• Internal traffic exposed

Monitoring for the Mobile Age

A dedicated wireless monitoring system provides the full traffic and connection analysis that you expect on the wired side, but have lost in wireless

Diagram labels: firewall, NAT, IDS; Rogue AP, Neighbor APs, Evil Twin, Eavesdropping (with X marks)

• See and find all wireless devices

• Automatically stop inappropriate connections

• Detect every vulnerability

• Enforce security policy in the air

The Wireless Network Components: Build Secure Network

Build and Maintain a Secure Network

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

– What companies are doing: Disabling default passwords/services / hardening systems

Replacing non-secure protocols such as telnet with SSH and SSL, etc.

PCI v1.2

– Implementing secure wireless networks (WPA2, encryption settings, vendor defined SSIDs, etc.)

Check for Weak Configurations

Compliance Requirements for Wireless Networks in PCI DSS v1.2

The Components for Wireless Networks – Protect Cardholder Data

Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

– What companies are doing: Implementing SSL/IPSec

Email policy along with encryption/auditing (of cardholder data)

PCI v1.2

– Stronger wireless encryption (WPA 2 or 802.11i)

– Prohibited to implement WEP after March 31, 2009.

– For current wireless implementations, it is prohibited to use WEP after June 30, 2010.

Compliance Requirements for Wireless Networks in PCI DSS v1.2

Catch Encryption Loopholes

Validate strong encryption components

– 802.1x key rotations

– Dictionary attacks on authentication

– Multicast and broadcast traffic

– WPA Vulnerability

– Fragmentation and Chop-Chop Attacks

Catch Encryption Weaknesses

The Components for Wireless Networks – Vulnerability Management

Maintain a Vulnerability Management Program

Requirement 6: Develop and maintain secure systems and applications

– What companies are doing: Implementing/improving patch management

Implementing/improving standard system/device builds

Implementing/improving SDLC (to include security/PCI)

Implementing/improving change control procedures

Reviewing/testing web application code (adapting OWASP standards)

PCI v1.2

– Need effective wireless device patch management to get latest security updates

Track Configuration Changes

The Components for Wireless Networks – Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

– What companies are doing: Implementing log management

Implementing IDS/IPS with monitoring/alerting

Updating log review/retention policies/procedures

PCI v1.2

– Wireless logs should be enabled and written to a central log server

– Automated audit trails for invalid access attempts

– Limit viewing of audit trails to those with job-related needs

– Protect audit trails from unauthorized modifications

– Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis

Track and Prevent Improper Connections

Complete IDS and Archiving

AirMagnet Enterprise Core Functions

– Inspection: Scan all traffic and channels

– Analysis: Automatically identify threats and problems

– Enforcement: Stop threats and enforce policies

– Correlation: Put all the individual events in context

– Alerting: Notify staff and escalate based on severity

– Archiving: Store all events and compliance records

AirMagnet Enterprise Core Components

– Sensors

– Server + Backup

The Components for Wireless Networks – Monitor and Test Networks

Requirement 11: Regularly test security systems and processes

– What companies are doing: Vulnerability assessment scanning and penetration testing

WIDS/WIPS

Wireless Analyzer

File integrity monitoring

PCI v1.2

– Use wireless analyzers on a quarterly basis or deploy WIDS/WIPS

– Wireless assessments: rogue device discovery

– WIDS/WIPS should alert on unauthorized access or other security events

– WIDS/WIPS should respond to unauthorized access

AirMagnet WiFi Analyzer: Mobile Security, Performance, Compliance

The Components for Wireless Networks – Maintain Security Policy

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

– What companies are doing: Adding/changing policies

Security awareness training

Adding/updating incident response procedures

Reviewing contracts with third parties who process or store cardholder data

PCI v1.2

– Need to have a wireless policy and procedures

Centralized Policy

– Set Rules

– Create a Report of Rules

– Alert on Violations

– Block, Trace & Locate

– Escalate Problems

– 12 Notification Methods

– Integrate to Other Systems

PCI Reporting: Bringing it All Together

AirMagnet Compliance Reports

– Automatically identifies any potential PCI issues

– Complete overall view of compliance

– Details on each device and any actions required for compliance

Automated Compliance

– Set AirMagnet Enterprise to run compliance reports automatically

– Deliver reports to anyone in the organization

– Simple visibility and continuous archive of compliance

Sample Compliance Report

AirMagnet Enterprise: 24x7, Dedicated WLAN Monitoring and Protection

Aligns your WLAN with your existing security practices

Full-time analysis of ALL traffic

Tracks ALL wireless devices

Monitors ALL channels

Detects ALL known attacks, threats, hacking tools

Automated device classification

Protects ALL locations, geographies

Automated threat suppression and event notification

Simple, centralized event investigation and prioritization

Full database and reporting of all events

