PCI Base 2.0 – Don’t Leave Rogue Detection Up in The Air!
I have been preparing for the PCI DSS 2.0 draft released on October 28th, 2010, which is to be ratified in January of 2011. PCI DSS 2.0 clarifies requirements in many areas.
The draft 2.0 released yesterday shows that there is little change in the wireless recommendations around detecting the presence of rogue wireless access points. If anything, the draft adds a little more room for interpretation.
In PCI DSS Draft v2.0, requirement 11.1 states that to be compliant, organizations are required to “Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.” A note adds: “Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.”
As we examine this statement, it seems to lend itself to more than one option: perform a quarterly scan with a handheld scanner, rely on physically inspecting connections, or implement an always-on wireless IDS/IPS solution. I vote for the latter. Why?
1.) Testing for rogue access on a quarterly basis is just not enough, because threats can happen at any time. Detecting these threats should be done on a continuous basis, as with all the PCI DSS recommendations. The PCI Security Standards Council also agrees, based on a whitepaper I found here.
To quote: “Successful completion of a system scan or [assessment] for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.”
2.) Port scanning on the wired network is not enough, because it does not recognize “disguised” access points. Using wired-side port scanning requires organizations to go through the compensating control process to seek approval for deviating from the standard. Approval of a compensating control depends on who is assessing the solution, so after spending time going through the process there is no guarantee that it will be approved. The only true way to identify rogue wireless access is by monitoring the wireless network.
In June of 2009, the PCI Security Standards Council clarified this by releasing its Information Supplement: PCI DSS Wireless Guideline, found here.
On page 10 it states: “PCI DSS requirement 11.1 clearly specifies the use of a wireless analyzer or a wireless IDS/IPS system for scanning. Relying on wired side scanning tools (e.g. tools that scan suspicious hardware MAC addresses on switches) may identify some unauthorized wireless devices; however, they tend to have high false positive/negative detection rates. Wired network scanning tools that scan for wireless devices often miss cleverly hidden and disguised rogue wireless devices or devices that are connected to isolated network segments.”
3.) Physical inspection is just as ineffective as port scanning, if not more so. Wrongdoers do not necessarily need to physically attach to a switch to acquire cardholder data, as seen with ad-hoc wireless bridges and evil twin access points. Also, physical inspection does very little against reconnaissance activity or cracking tools that can lead to denial of service.
4.) I agree that NAC is valuable in any wireless environment, but I do not see it as a replacement for wireless IPS/IDS. The two technologies work together to secure the network: to protect cardholder data, use a wireless IPS/IDS to detect rogue access points and NAC to ensure that a device connecting to the network has the proper anti-virus protection level, system update level and configuration.
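To make the decisions behind points 2 and 3 concrete, here is an added example (not code from the original post or from Cisco) of the classification a wireless-side monitor has to perform: each beacon a sensor observes is checked against an authorized-AP inventory, and evil twins, hidden radios and ad-hoc peers are flagged even though none of them would show up in a wired-side MAC scan. The inventory, BSSIDs and scan records are constructed, hypothetical values.

```python
from dataclasses import dataclass

# Constructed authorized-AP inventory (hypothetical BSSIDs): BSSID -> SSID it serves.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "STORE-POS",
    "00:11:22:33:44:02": "STORE-POS",
    "00:11:22:33:44:03": "STORE-GUEST",
}

@dataclass(frozen=True)
class Observation:
    """One beacon record from a wireless sensor (constructed fields)."""
    bssid: str
    ssid: str      # "" when the SSID is hidden
    adhoc: bool    # True for an IBSS (ad-hoc) beacon
    channel: int

def normalize(mac):
    return mac.strip().lower().replace("-", ":")

def classify(obs, authorized=AUTHORIZED_APS):
    """Label one observation; anything but 'authorized' must be investigated."""
    inventory = {normalize(b): s for b, s in authorized.items()}
    bssid = normalize(obs.bssid)
    if obs.adhoc:
        return "adhoc"            # peer-to-peer bridge; never an authorized AP
    if bssid in inventory:
        # Known radio: confirm it serves the SSID the inventory assigns to it.
        return "authorized" if obs.ssid == inventory[bssid] else "misconfigured"
    if obs.ssid in set(inventory.values()):
        return "evil_twin"        # corporate SSID from a radio we do not own
    if obs.ssid == "":
        return "hidden_unknown"   # disguised AP advertising no SSID
    return "unknown"              # neighbour or rogue; locate and correlate with the wire

def scan_report(observations):
    """Group BSSIDs by label so every non-authorized bucket can raise an alert."""
    report = {}
    for obs in observations:
        report.setdefault(classify(obs), []).append(normalize(obs.bssid))
    return report

# Constructed sample scan: sanctioned AP, evil twin, hidden rogue, ad-hoc peer, mis-set radio.
SAMPLE_SCAN = [
    Observation("00:11:22:33:44:01", "STORE-POS", False, 6),
    Observation("AA:BB:CC:DD:EE:01", "STORE-POS", False, 6),
    Observation("AA:BB:CC:DD:EE:02", "", False, 11),
    Observation("AA:BB:CC:DD:EE:03", "BRIDGE", True, 1),
    Observation("00:11:22:33:44:03", "STORE-POS", False, 1),
]
```

Running `scan_report` on every sensor sweep rather than once a quarter is what turns this check into the continuous monitoring the post argues for.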
Even though PCI DSS v1.2 (and soon v2.0) requirement 11.1 does allow more than one approach to detecting rogue access, I think it is clear that quarterly scans, physical inspection and wired-side port scanning are ineffective. As you examine your network and look for ways to meet the new PCI DSS 2.0 requirements, I hope you consider these points when deciding how you will effectively detect rogue access, and look towards continuous wireless intrusion protection solutions to meet this requirement.
If you want to find out how to properly secure your network with continuous wireless intrusion protection while adhering to PCI compliance guidelines, check out the Cisco PCI Compliance page.
For more information on the newly released PCI DSS v2.0, read Jason Lackey’s blog here.