Many have argued that the PCI DSS, Payment Card Industry Data Security Standard is too complex to be realistic in a real-world environment. Cisco takes the opposite stance maintaining that the principles and security standards contained within the documentation should actually be considered a minimum. The true challenge being not in the implementation but in the ongoing management – the maintenance if you will.
This show promises to layout a simplified view of the standard with real-world, practical advice where anyone can find exactly how they would apply their unique situation. We have pulled out all the stops with our story-telling and top notch guests as we have members of the standards board, networking experts and certifies QSA auditors joining us.
PCI. It’s not just for Breakfast
It’s amazing how many networks fall into the “compliance required” category. For PCI it only takes one credit card transaction to be at risk…but rather than focus on the negativity of the required audit – this topic and the maturity of the standard is actually good for ANYONE interested in protecting their data. You may have the typically binary response as to whether this show applies to you…but I think you need to give it a go. You may be surprised….the show and the Shownotes are after the jump.
Fundamentals of PCI
We hope you are fans of all of our fundamental series. This is one of the latest, embedded in the full show but also here standalone for your convenience! There is a ton of info moving quickly in this one so hold on tight.
Five Reasons Audits Fail
Apparently, more people pass the CCIE lab exam than pass their first audit. There is no gray area – its pass or fail. We thought it might be good to explore the most common reasons (common but not obvious) that audits fail and provide some advice for where to remedy.
Top 5 Failure Reasons:
1. Requirement 3: Protect Stored Data
– Where’s my data? (Requirement 3.2 must be followed to the letter)
– Unencrypted spreadsheet data
– Unsecured physical assets
2. Requirement 11: Regularly Test Security Systems and Processes
– Testing systems
– App vulnerabilities (mainly web apps)
– Documentation proving testing
3. Requirement 8: Assign a unique ID to each person with Computer Access
– Password control…can’t be easy to guess!
– Watch those admin privileges closely
– Security Awareness Program helps a lot…but verify
4. Requirement 10: Track and monitor all access to network resources and cardholder data
– Tracking access and cardholder data
– Poor logging
– Poor IDS correlation
5. Requirement 1: Install and maintain a firewall to protect data
– Card numbers found in the DMZ
– Segmentation Flaws
– Don’t forget your network segmentation…
6. The Auditor works for YOU
Now remember YOU hire an auditor. Here are a few things to ask them to make sure they are qualified enough for you and provide the best service:
– Show me your resume
– Just understanding the PCI DSS specification is not enough.
The best QSAs will have a background in Information Security and experience working as a penetration tester, risk analyst
– doveryai, no proveryai (Trust but verify)
– Check out this report for companies, which have at least one QSA who failed to perform an adequate PCI DSS assessment.
– What is your stance on compensating controls?
7. You Mean Well…but does it show?
– The only requirement written in stone is requirement 3.2 (Do not store sensitive authentication data subsequent to authorization). All other requirements convey intent. For example, it’s perfectly OK to use a compensating control if you can’t assign a unique ID to every user (requirement 8.2) as long as you document and monitor all generic shared IDs. A good QSA will understand that, while a bad one will force you to waste valuable time re-architecting your system without making it secure just to meet the requirement verbatim
– What are the deliverables at the end of the engagement and your cost?
– Be wary of selecting a security vendor, who also happens to do PCI audits on the side, just to save a few bucks. A simple PCI audit which lasts a few weeks onsite will cost you $20K-$30K. More extensive PCI audits will cost on the order of $100K. So if you have allocated low budget towards a PCI audit, you are setting yourself up for failure.
8. Auditor on Retainer
Developing a relationship with an auditor that you can interact with over time, not just at the actual audits can help you roll with the inevitable changes of a dynamic network.
The PCI Design and Implementation Guide
– Christian Janoff, Retail Architect in the Industry Solutions Engineering Team here at Cisco, Sits on the Board of Advisors for PCI standards council, and the author of the PCI Design and Implementation Guide. He joins us to review the guide, illustrate the architectural approach and tell us where to get started.
Chat with an Auditor
The auditor viewpoint with special guest Aaron Reynolds from Verizon Business, the largest Qualified Security Assessor (QSA)
PCI Controls on an Access Point
– Wireless has always been a slippery slope for security. Chief Geek Jimmy Ray Pursers takes us in the lab with hands on configuration examples you can apply today.
As always, thanks again!