Your SlideShare is downloading. ×
Facilitate PCI ComplianceUsing Tango/04 Multiplatform, Real-Time Solutions
Contents   Contents   Contents ..............................................................................................
Executive Summary   Executive Summary   The Payment Card Industry Data Security Standard pertains to any company that stor...
Introduction   Introduction   If your organization stores, processes or transmits credit card information, you are require...
The Details Behind PCI DSS   The Details Behind PCI DSS   First and foremost, PCI DSS is a multifaceted standard applicabl...
The Details Behind PCI DSS   to identify high volume processors who are subject to stricter validation requirements. The b...
The Details Behind PCI DSS   Recent Incentives and Penalties Announced by Visa   In December 2006, Visa announced the PCI ...
PCI DSS Requirements   PCI DSS Requirements   Now that we understand the evolution of PCI DSS and the importance of compli...
PCI DSS Requirements   Compliance Benefits   PCI DSS is of great benefit to the consumer in terms of protecting their pers...
Achieving PCI DSS Compliance   Achieving PCI DSS Compliance   Similar to complying with other regulations such as Sarbanes...
Achieving PCI DSS Compliance   We recommend that you only consider automated tools that have the capacity to send alerts t...
Tango/04 Solutions for PCI DSS Compliance   Tango/04 Solutions for PCI DSS Compliance   The Tango/04 Computing Group7 is a...
Tango/04 Solutions for PCI DSS Compliance   Full Operating System Level Coverage   The VISUAL Security Suite agents for th...
Tango/04 Solutions for PCI DSS Compliance   Record-level and Field-level Database Auditing   The Data Monitor module captu...
Tango/04 Solutions for PCI DSS Compliance   When more complex business-level controls are required (such as changes to dor...
Tango/04 Solutions for PCI DSS Compliance                                            Figure 2 – The SmartConsole   Within ...
Tango/04 Solutions for PCI DSS Compliance                             Figure 3 – Sample Enterprise View of a Compliance Sc...
Tango/04 Solutions for PCI DSS Compliance   In addition to real-time alerts, VISUAL Security Suite can be configured to au...
Tango/04 Solutions for PCI DSS Compliance   A sample report depicting User Inactivity on the Windows platform is shown bel...
Tango/04 Solutions for PCI DSS Compliance                                         Figure 6 – Data Monitor Report Segment  ...
Tango/04 Solutions for PCI DSS Compliance   Ease of Use   VISUAL Security Suite is fast to deploy and easy to use so     C...
Tango/04 Solutions for PCI DSS Compliance   Although VISUAL Security Suite can be used exclusively as a security complianc...
Summary   Summary   If you’ve read this far, it’s likely that you’re required to comply with PCI DSS and are looking for i...
Appendix A – Tango/04 Security Solutions   Appendix A – Tango/04 Security Solutions   VISUAL Security Suite: List of Contr...
Appendix A – Tango/04 Security Solutions   Beyond platform specific abilities, a full array of other third party products,...
Appendix B – PCI DSS Requirements   Appendix B – PCI DSS Requirements   PCI DSS is a private industry standard applicable ...
Appendix B – PCI DSS Requirements   Mapping of Tango/04 Solutions to PCI DSS Detailed Requirements   Build and Maintain a ...
Appendix B – PCI DSS Requirements   once from several platforms and domains, modifying a system setting, or ending a proce...
Appendix B – PCI DSS Requirements                                        Figure 8 – Data Monitor Report Segment   During c...
Appendix B – PCI DSS Requirements   released, appropriate software patches to protect against exploitation by employees, e...
Appendix B – PCI DSS Requirements   that you’re able to immediately attend to the potential security infraction. Along wit...
Appendix B – PCI DSS Requirements                     8.5.13 Limit repeated access attempts by locking out the user ID aft...
Appendix B – PCI DSS Requirements   Sub-requirement 10.2: Implement automated audit trails to reconstruct the following ev...
Appendix B – PCI DSS Requirements                     10.3.1 User identification                     10.3.2 Type of event ...
Appendix B – PCI DSS Requirements                     10.5.5 Use file integrity monitoring/change detection software on lo...
Appendix B – PCI DSS Requirements   Sub-requirement 11.4 Use network intrusion detection systems, host-based intrusion det...
Upcoming SlideShare
Loading in...5
×

Vss pcicomus-en

343

Published on

PCI Compliance with Tango/04's VISUAL Message Center

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
343
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Vss pcicomus-en"

  1. 1. Facilitate PCI ComplianceUsing Tango/04 Multiplatform, Real-Time Solutions
  2. 2. Contents Contents Contents ................................................................................................................................................ 1 Executive Summary ............................................................................................................................. 2 Introduction........................................................................................................................................... 3 The Details Behind PCI DSS ................................................................................................................ 4 Background....................................................................................................................................... 4 Compliance vs. Validation................................................................................................................. 5 Recent Incentives and Penalties Announced by Visa ....................................................................... 6 PCI DSS Requirements ........................................................................................................................ 7 Compliance Benefits ......................................................................................................................... 8 Achieving PCI DSS Compliance.......................................................................................................... 9 Automated Tools - Continuous Monitoring and Real-Time Alerts ..................................................... 9 Continuous Monitoring and Real-time Alerts................................................................................................... 9 Tango/04 Solutions for PCI DSS Compliance .................................................................................. 11 Full Operating System Level Coverage .......................................................................................... 12 Databases, Web 2.0 Enablers and other Middleware ..................................................................... 12 Record-level and Field-level Database Auditing ............................................................................. 13 Third Party Security Products, Network Appliances and Device Integration ................................... 13 Business Application Monitoring ..................................................................................................... 13 VISUAL Security Suite Output ........................................................................................................ 14 Business and Enterprise Views..................................................................................................................... 14 Real-time Alerts ............................................................................................................................................. 16 Automated Actions ........................................................................................................................................ 16 Compliance Reports...................................................................................................................................... 17 Ease of Use .................................................................................................................................... 20 Tango/04 Solutions and the PCI DSS Requirements...................................................................... 20 Valid for Cross Compliance ............................................................................................................ 20 Extendability ................................................................................................................................... 20 Maximize Your Return on Investment ........................................................................................................... 21 Summary ............................................................................................................................................. 22 Multiplatform Cross Compliance ..................................................................................................... 22 Field Proven in Different Industries ................................................................................................. 22 Unique Extensibility......................................................................................................................... 22 Appendix A – Tango/04 Security Solutions...................................................................................... 23 VISUAL Security Suite: List of Controls .......................................................................................... 23 Tango/04 Solutions Offer Extensive Coverage for the System i ..................................................... 24 Technology Alliances outside of IBM ............................................................................................................ 24 Professional Services ..................................................................................................................... 24 Appendix B – PCI DSS Requirements .............................................................................................. 25 Mapping of Tango/04 Solutions to PCI DSS Detailed Requirements.............................................. 26© 2007 Tango/04 Computing Group Page 1
  3. 3. Executive Summary Executive Summary The Payment Card Industry Data Security Standard pertains to any company that stores, processes or transmits credit card information. If this applies to your company, you are required to be compliant with this private industry standard today. Depending on the volume of credit card transactions you process, the task of demonstrating compliance may include an annual on-site audit conducted by an external auditor. In any case, you don’t want to operate your business in a non-compliant state because the associated penalties can be severe. For instance, if a data breach occurs while you are noncompliant, you can be fined up to $500,000 per incident and suffer revocation of your right to accept or process credit card transactions. This could certainly be fatal to your business. So let’s agree that noncompliance is not an option. In that case, how do you begin to put together a strategy that will help you meet the robust requirements of PCI DSS year after year? It’s clear that a sustainable compliance plan must include the use of automated software technology. As a result, this paper includes a description of VISUAL Security Suite, the Tango/04 multiplatform, real-time security solution for achieving compliance with various regulations and "Tango/04 software certainly simplifies industry standards. We explain how the product can successfully be our auditing process. used in your efforts to meet PCI requirements to protect your credit Tango/04 pre-sale activities, post-sale card data assets while actually reducing overall compliance costs. implementation and support services exceeded our expectations. The Tango/04 employees are intelligent, For a number of years, the Tango/04 security solution has been used helpful, funny, patient and honest. The by many companies world-wide to facilitate sustainable compliance training they provided was outstanding" with various regulations. Our technology is field proven and has been David Dresdow, Team Leader adopted by 7 of the 18 largest banks in the world to facilitate their JD Edwards System Administration security strategies. Stora Enso In fact, Stora Enso Inc. – a multi-billion dollar integrated paper, packaging and forest products company with multiple locations in the US and across the globe – is just one of our customers using Tango/04 software to ease their auditing procedures. Other well known companies using Tango/04 products include BankBoston, CocaCola, Pfizer, Shell, Office Depot and Nike. Please visit our website at www.tango04.com to view testimonials from satisfied customers and to learn more about our Security and integrated Business Service Management solutions.© 2007 Tango/04 Computing Group Page 2
  4. 4. Introduction Introduction If your organization stores, processes or transmits credit card information, you are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). Depending on the number of transactions you process, you may also be required to demonstrate compliance through an annual on site audit and validation process. The good news about the PCI DSS requirements is that they are explicit and well defined, unlike some regulations such as Sarbanes-Oxley (SOX) and the associated COBIT control objectives. Simply understanding the control objectives of SOX can be difficult because they are vague in many areas and wide open to interpretation. Despite the direct nature of PCI DSS however, the associated requirements are very rigorous and can be quite challenging for many organizations. Some of the specific challenges to PCI compliance include the tracking and monitoring of access to all networks and systems containing cardholder information, encryption of cardholder data, authentication of users who access systems with credit card data and the installation and maintenance of firewalls. Disregarding the challenges, however, there are many benefits to compliance. Among them is the protection of consumer credit card information according to industry best practices, a significant reduction in the risk of a potential data breach, the avoidance of costs associated with a breach and the enhancement of your company’s image. Conversely, the consequences of noncompliance can be financially damaging as a function of monetary penalties in addition to higher interchange rates on credit card transactions. If an actual data breach occurs due to noncompliance, the cost can be enormous as a result of imposed fines, time spent responding to and containing the breach as well as various law suits. The negative press associated with a breach can also lead to the loss of existing customers as well as new customer opportunities – none of which is good for your business. In this white paper we discuss the evolution of PCI DSS primarily as a result of collaborative efforts between Visa and MasterCard, describe the requirements at hand and explain recent incentives and deadlines put forth by Visa to comply by certain dates. We also examine how the Tango/04 multiplatform, real-time security solution can be used to help you comply with PCI DSS while simultaneously increasing the efficiency of your business processes and generating a positive return on investment (ROI).© 2007 Tango/04 Computing Group Page 3
  5. 5. The Details Behind PCI DSS The Details Behind PCI DSS First and foremost, PCI DSS is a multifaceted standard applicable to organizations that store, process or transmit credit card information that includes the customer’s Primary Account Number (PAN). The intent of the standard is to protect consumers by offering a single approach to safeguarding sensitive data for all credit card brands. Before we get into the specifics of PCI DSS, let’s step back for a moment and discuss the independent efforts of individual credit card companies that led to the evolution of this widely accepted standard. Background When customers provide their credit card information at a store, over the web, on the phone, or through the mail, they want to know that their account data is safe. In order to address this need for customer assurance, Visa created the Cardholder Information Security Program (CISP). Mandated since June 2001, CISP is intended to protect Visa cardholder data – wherever it resides – ensuring that members, merchants, and service providers maintain the highest information security standard. To protect their own customer information, MasterCard implemented a similar version of data security requirements called the Site Data Protection (SDP) program in 2002. Both Visa and MasterCard categorized their merchant base into 4 levels focused primarily on the annual volume of transactions 1 processed as shown below . • Level 1 – any merchant with more than 6,000,000 overall transactions per year as well as any merchant who has already experienced an account compromise (Visa and MasterCard); • Level 2 – any merchant processing 1,000,000 to 6,000,000 overall transactions per year (Visa); all merchants processing 150,000 to 6,000,000 e-commerce transactions per year (MasterCard); • Level 3 - any merchant processing 20,000 to 1,000,000 e-commerce transactions per year (Visa); any merchant processing 20,000 and 150,000 e-commerce transactions per year (MasterCard); • Level 4 - any merchant processing less than 20,000 e-commerce transactions per year and all other merchants, regardless of acceptance channel processing less than 1,000,000 transactions per year (Visa); all other merchants (MasterCard). There are also similar levels defined for service providers or organizations that process, store or transmit cardholder data for members, merchants or other service providers. The reason for the level categories is 1 It should be noted that the level definitions also include other criteria in some cases – for specifics regarding Visa levels, visit http://visa.com/cisp. For specific MasterCard levels, visit http://www.mastercard.com/us/sdp/merchants/merchant_levels.html© 2007 Tango/04 Computing Group Page 4
  6. 6. The Details Behind PCI DSS to identify high volume processors who are subject to stricter validation requirements. The basic concept is that the risk of a data compromise increases proportionately with the volume of transactions processed. Over time, Visa International and MasterCard Worldwide worked together to align their individual data security programs and formed a single, industry wide standard for data security in December 2004 known as the Payment Card Industry Data Security Standard. In short order, PCI DSS proceeded to be endorsed by American Express, Discover Financial Services, and JCB (a construction and agricultural equipment manufacturing company), even though some of these companies also had their own forms of data security standards. Finally, in September 2006 the five major credit card payment networks announced the formation of an independent body called the PCI Security 2 Standards Council. Its purpose is to own, maintain and distribute information about PCI DSS to affected organizations. Advisors to the Council include representatives from well know companies such as Bank of America, Wal-Mart, Microsoft and PayPal. Compliance vs. Validation All merchants that accept credit cards as a form of payment, and all service providers involved in the processing of credit card transactions are required to be compliant with PCI DSS right now! The fundamental difference between Level 1 and lower level merchants and service providers is the amount of third-party validation that must be done to meet the certification process. Specifically, • Level 1 merchants and Levels 1 and 2 service providers must undergo an on site PCI security audit on an annual basis. • Levels 2, 3 and 4 merchants and Level 3 service providers must submit an annual Self- Assessment Questionnaire and do not require an on site audit. • Network scans are required to be completed quarterly by all level merchants and service providers. The only exception here is for Level 4 merchants, where a quarterly Network scan is recommended but not required. So where do we stand in terms of industry compliance? According to Visa USA President and CEO John Coghlan, at year end 2006, only about 20 percent of the top 200 merchants were in compliance with the PCI standards. However, statistics from Gartner predict that by end of 2007, 75 percent of Level 1 merchants and 30 percent of Level 2 merchants will be compliant.3 The anticipated increase in compliance may in part be fueled by the deadlines associated with incentives and fines publicized by Visa at the end of last year. 2 To learn more about the PCI SSC, please visit their website at https://www.pcisecuritystandards.org/ 3 http://www.itcinstitute.com/display.aspx?id=4020© 2007 Tango/04 Computing Group Page 5
  7. 7. The Details Behind PCI DSS Recent Incentives and Penalties Announced by Visa In December 2006, Visa announced the PCI Compliance Acceleration Program (PCI CAP), offering $20 million in financial incentives as well as new sanctions in an effort to further PCI DSS compliance.4 In essence, PCI CAP sets a Sept. 30, 2007 deadline for compliance aimed at Level 1 merchants and a 5 December 31, 2007 deadline for Level 2 merchants. Noncompliant merchants will face monthly fines up to $25,000 and be charged higher interchange rates which are the commissions they pay on transactions. (Prior to these new penalties, merchants and service providers were only assessed monetary fines if an actual data breach occurred). Those who can validate compliance by September 30, 2008, however, may qualify for a refund of up to three months of the higher commissions, but will have to attest that they made strenuous efforts to comply by the earlier date. Visa has also stated that it will reward acquiring banks whose members are fully compliant by September 30, 2007 and has set aside $20 million as an incentive. As of mid- August 2007, Visa had already paid out about $7 million to compliant companies. 4 http://usa.visa.com/about_visa/press_resources/news/press_releases/nr367.html 5 “PCI Compliance Deadlines Have Retailers Scrambling”, SearchCIO.com, 09/13/2007.© 2007 Tango/04 Computing Group Page 6
  8. 8. PCI DSS Requirements PCI DSS Requirements Now that we understand the evolution of PCI DSS and the importance of compliance, let’s take a closer look at the requirements themselves. Specifically, version 1.1 of the PCI Data Security Standard is comprised of 12 high level requirements further broken down into just over 200 sub-requirements. These 12 high level requirements fall under 6 different principles as shown below. (Note that PCI DSS version 1.1 and all supporting documentation can be found at www.pcisecuritystandards.org). Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security These 12 security requirements apply to all “system components” which are defined as any network component, server or application that is included or connected to the card holder data environment.© 2007 Tango/04 Computing Group Page 7
  9. 9. PCI DSS Requirements Compliance Benefits PCI DSS is of great benefit to the consumer in terms of protecting their personal information from unauthorized use or disclosure. Compliance with the standard is also good for companies because a data breach can be very costly and wreak havoc on a company’s image. Beyond that, implementation of PCI DSS can actually reduce compliance costs over the long run. That’s because once it’s been implemented, the vigorous standard instills security best practices across the entire enterprise, which makes it easier and less expensive to meet new requirements that may be imposed in the future. The concept applies both to completely new sets of regulations and standards as well as potential revisions to PCI DSS. That being said, achieving and maintaining compliance with this comprehensive standard is not trivial and is bound to be difficult for many companies.© 2007 Tango/04 Computing Group Page 8
  10. 10. Achieving PCI DSS Compliance Achieving PCI DSS Compliance Similar to complying with other regulations such as Sarbanes-Oxley or HIPAA, compliance efforts are most successful when they are coordinated with business users and overall corporate objectives. Involving executive management from the very beginning facilitates corporate support, which is an essential component of a successful and ongoing compliance strategy. Implementing the controls necessary to comply with PCI DSS also creates opportunities to improve the efficiency of business processes which in turn yield increased productivity and cost savings. Another cost benefit of compliance is that it decreases the likelihood of a data breach, which can be extremely expensive. Case in point is the realization in January 2007 of a security breach that impacted the TJX Companies based in Framingham, Massachusetts and resulted in the exposure of more than 45 million credit and debit card holders over an 18 month period. As of August 2007, the breach had cost TJX more than $250 million. A large portion of the cost has been related to containing the intrusion, bolstering data security procedures and systems, notifying customers and responding to an increasing list of lawsuits.6 Had TJX been compliant with PCI DSS early on, it’s likely that the breach would not have occurred, or if it did, the exposure of consumer information would have been minimized. An important aspect of complying with PCI DSS is the implementation of continuous monitoring. You need to know, on a 24/7 basis, of any unauthorized attempts to access your critical files. That leads us to the concept of automated software technology. Automated Tools - Continuous Monitoring and Real-Time Alerts PCI DSS Requirement 10, Regularly Monitor and Test Networks, consists of seven first level sub- requirements. In particular, sub-requirement 10.2 calls for the implementation of automated audit trails for all system components in order to reconstruct specific events. It couldn’t be more clear – to satisfy this condition, companies need to utilize automated software technology. Although technology solutions in the form of automated software tools do require an up-front investment, they generally render a positive ROI. Beyond that, automated tools also provide consistent, accurate and reliable monitoring and reporting – something you’ll need to demonstrate compliance to an outside auditor. Continuous Monitoring and Real-time Alerts A major advantage of automated software tools is their ability to run 24/7, constantly keeping watch over your implemented PCI DSS security plan and critical data assets. Continuous monitoring is a vital component of a sustainable compliance plan. 6 Cost of Data Breach at TJX Soars to $256m”, Ross Kerber, The Boston Globe , August 15, 2007.© 2007 Tango/04 Computing Group Page 9
  11. 11. Achieving PCI DSS Compliance We recommend that you only consider automated tools that have the capacity to send alerts to you in real- time when a suspicious security event takes place. Real-time warnings are invaluable to your business because they allow you to minimize risk exposure and attend to security incidents as they occur. Once again, consider the TJX data breach that spanned an 18 month period. Had continuous monitoring and real-time alerts been in place, the company would have known the instant the first unauthorized data access event occurred and been able to immediately respond with defensive actions. Continuous auditing is a major trend and since real-time alerting is technologically available today, there’s no reason not to know about a potentially serious security issue before it’s too late. In the next section we examine the Tango/04 toolset that is currently in use by many companies worldwide in support of their compliance strategies.© 2007 Tango/04 Computing Group Page 10
  12. 12. Tango/04 Solutions for PCI DSS Compliance Tango/04 Solutions for PCI DSS Compliance The Tango/04 Computing Group7 is a leading developer of Security and Infrastructure Monitoring, Reporting and Business Service Management solutions. Its VISUAL Security Suite is a multiplatform security solution that can easily become a part of your automated processes for achieving sustainable PCI DSS compliance. As shown in Error! Reference source not found.1 below, VISUAL Security Suite receives audit information from various sources within your enterprise. Figure 1 – Overview of VISUAL Security Suite Conducive with PCI DSS requirements, its monitoring engine offers agents for your different platforms, network components, applications, logs and databases. In many cases, the monitors can run remotely (agentless), reducing deployment time and avoiding interference with other applications. In addition, each monitor retrieves only the information you are interested in, allowing you to filter out all irrelevant data. This powerful filtering feature minimizes the monitoring process and keeps overhead down resulting in little to no performance impact on your system. 3 For detailed information about Tango/04, its solutions and customer case studies, please go to www.tango04.com© 2007 Tango/04 Computing Group Page 11
  13. 13. Tango/04 Solutions for PCI DSS Compliance Full Operating System Level Coverage The VISUAL Security Suite agents for the System i, Windows, Unix, Linux and AIX can keep track of: • Changes and access to all files and objects, including financial databases, configuration files, sensitive information, etc. Specifically, the tracking of: − Deletes, copies, edits, renames, restores, and read-only access to specific data − Unauthorized access attempts • Authority failures, such as: − Persistent failed sign on attempts − Object access denials • System configuration changes, such as: − Creation and modification of user profiles − System value changes • Command use, so you can: − Watch suspicious users − Monitor use of sensitive commands. We have a library of standard controls you can leverage based on our experience with many different types of industries and security projects. However, new, custom checks can easily be added. For instance, system access times may be well defined at your company, and it is simple to define the time during the day when a login attempt (even if it is allowed by the operating system) should be considered suspicious. Other controls can be less direct, but equally important. For example, unusually increased storage occupation or bandwidth consumption can be a symptom of a suspicious activity (such as a virus sending out spam from a compromised workstation). Because VISUAL Security Suite allows you to monitor several performance indicators in addition to traditional security events, you can define a comprehensive list of controls. Please refer to Appendix A for a list of common controls per platform. Databases, Web 2.0 Enablers and other Middleware VISUAL Security Suite can extract information and continuously audit several databases and middleware such as Web Application Servers, including the IBM WebSphere Application Server. Platform-specific controls can be set. Log files can be scrapped, formatted, and correlated in real time from several sources. Different adapters (WMI, JMX, SNMP, syslogs, text files, message queues, etc.) are also available to maximize the integration capabilities.© 2007 Tango/04 Computing Group Page 12
  14. 14. Tango/04 Solutions for PCI DSS Compliance Record-level and Field-level Database Auditing The Data Monitor module captures all Changes, Inserts, Deletions and Reads to files you specify so you know Who, What, When and How. This is exactly the level of detail you need to help you comply with PCI DSS requirements 10.2 (Implement automated audit trails for all system components to reconstruct events) and 10.3 (Record specified audit trail entries - such as user identification, type of event and date and time of event – for all system components for each event). Specifically, Data Monitor provides you with record- level audit data for each transaction including: • Type of event such as update, insert, delete or read • Before and after image of record changed, clearly indicating the changed fields • User that made the change (including the real user in application transactions) • Timestamp • Context data and platform specific information (such as the name of the application for SQL Server and library/program for DB2 on the System i). With this level of visibility, you’re able to keep all users (including database administrators and privileged users) under control by tracking every action to your sensitive files. As the control is done at the database level, it doesn’t matter where the change came from or which tool had been used to make the change. In addition, the before and after images of record changes allow you to revert a change back to its original value when necessary. Third Party Security Products, Network Appliances and Device Integration VISUAL Security Suite can monitor, correlate, inspect and immediately alert you of any log file, regardless of where it resides and the application that has produced it. In addition, it is easy to centralize the control of all disperse information, effectively monitoring the activity of network devices such as routers, switches, firewalls, and so on. Third party applications such as Intrusion Detection/Prevention Systems, antivirus products, vulnerability scanners, Virtual Private Networking (VPN), and the like, can also be easily integrated. Business Application Monitoring One area where most security products fail is the ability to extract relevant security information from different business applications. Home grown applications are particularly difficult for most products. However, as your level of maturity increases, there is a strong need to go from basic audit controls on operating systems and equipment to business-level controls. VISUAL Security Suite can help you to automate the control of your existing applications. It includes a universal log reader (Applications Agent) which can read virtually any log at blazing speed. By using advanced BNF (Backus Normal Form) grammar definitions that can be created and modified easily, integration of practically any application events can be done in real time. In other cases, instead of text files, application security logs and events are stored in data tables, which can easily be integrated with the VISUAL Security Suite Data Adapter.© 2007 Tango/04 Computing Group Page 13
  15. 15. Tango/04 Solutions for PCI DSS Compliance When more complex business-level controls are required (such as changes to dormant accounts in banks, excessively discounted sales, or other domain specific checks) Data Monitor can be a perfect tool to inspect every single one of millions of transactions in real time. Integrity checks can be placed to make sure no unauthorized changes are done from outside the applications, bypassing the applications integrity controls. Examples of business applications that can be monitored with VISUAL Security Suite include SAP R/3, Siebel, JD Edwards, SWIFT, legacy (RPG/COBOL), and practically any custom application running in any environment, from mainframes to standalone desktop workstations. Modern Java applications can also be monitored by using JMX (Java Management Extension) technology. The information presented in this section is merely a subset of the kind of audit data you can collect with VISUAL Security Suite. Please refer to Appendix A for a more complete listing by platform. VISUAL Security Suite Output Once the audit information you specify has been collected, it can be accessed and presented to you in a variety of ways: • Business and Enterprise views • Real-time alerts • Automated actions • Reports Let’s examine each one of these output mechanisms. Business and Enterprise Views One of the key features of VISUAL Security Suite is that it allows you to centrally manage your security paradigm by consolidating events across all platforms in a single view. This is accomplished using the VISUAL Security Suite SmartConsole, shown below in Figure 2.© 2007 Tango/04 Computing Group Page 14
  16. 16. Tango/04 Solutions for PCI DSS Compliance Figure 2 – The SmartConsole Within the SmartConsole, the left most pane contains your business view as a series of hierarchical folders that are color coded to quickly draw your attention to important events. Although a default security configuration is shipped with VISUAL Security Suite, you are free to customize this view to best fit your corporate needs. Note that the folders under the iSeries and Windows Security branches are green, indicating no imminent issues. However, there is a problem with the Infrastructure node as indicated by the red folder. Expanding any of the folders and then double clicking on the problem node will reveal underlying messages pertaining to the issue. These related messages contain detailed information about the problem and many soft-coded variables that can be passed to messages sent via email or to your cell phone. The uppermost right pane in Figure 2 summarizes your business services and the pane below it identifies the most probable root cause of the failure. Although this figure shows both security and infrastructure configurations, you can install the security portion alone and either grow into infrastructure monitoring at a later date or continue to use whatever infrastructure monitoring you may already have in place. In addition to business views, security information can also be presented in an enterprise view or dashboard accessible through the web. Enterprise views can be especially useful for CISO’s who need a high level glimpse of current security status but not the underlying details provided by the SmartConsole. Figure 3 below presents a sample enterprise view of a sample compliance scenario.© 2007 Tango/04 Computing Group Page 15
  17. 17. Tango/04 Solutions for PCI DSS Compliance Figure 3 – Sample Enterprise View of a Compliance Scenario Similar to the business view shown in Figure 2, the color of the icons provides visual information regarding status. For instance, at a high level you can quickly see there is a problem with the System i because its icon is red. The detail shown to the right under System i indicates a potential problem Object Access because the icon is yellow. Double-clicking on any icon allows you to drill down for specific information about the problem. Real-time Alerts Besides visual notification, with VISUAL Security Suite you can also define alarms and actions to send alerts regarding urgent situations in real-time. These alerts can take various forms such as email, SMS messaging, sound or video. Having real-time access to your security information facilitates compliance with PCI DSS and minimizes exposure if a malicious security event occurs, such as an unauthorized user accessing your credit card files. Being notified the instant a suspicious activity occurs gives you total control - even if the incident occurs after hours or over the weekend. Automated Actions© 2007 Tango/04 Computing Group Page 16
  18. 18. Tango/04 Solutions for PCI DSS Compliance In addition to real-time alerts, VISUAL Security Suite can be configured to automatically respond to events that you define. For example, if a user changes a critical system setting, VISUAL Security Suite can send you a real-time alert and also initiate predefined actions such as reverting the system setting back to its original value, ending the user’s job and disabling his/her user profile to prevent further malicious actions. Compliance Reports VISUAL Security Suite includes a robust reporting system so you can perform forensic analyses, review events against security policies and comply with regulations and standards such as PCI DSS. We ship over 200 built-in reports to provide you with all the information you’ll need to satisfy your auditors. Figure 4 below shows a segment of the reporting system in addition to the data selection parameters for one of the reports. Figure 4 – Segment of the Reporting System and Sample Data Selection Screen It’s worth noting that our built-in reports can be customized so you can create your own sub report version. Furthermore, reports can be generated in different formats such as .pdf, .xls, .doc, .html and can also be scheduled and automatically emailed to the appropriate stakeholders.© 2007 Tango/04 Computing Group Page 17
  19. 19. Tango/04 Solutions for PCI DSS Compliance A sample report depicting User Inactivity on the Windows platform is shown below in Figure 5. This particular report will help you to meet PCI DSS requirement 8.5.5, which states that you should remove inactive user accounts at least every 90 days. Figure 5 – Windows User Inactivity Report As indicated in Figure 5, our report shows users defined on a particular domain, the number of days they have been inactive and whether or not their profile is enabled. By running this report you can identify users who have not signed on for 90 days (or any time period) and take appropriate action. A similar report is also available for the System i. Figure 6 below, presents a segment of a Data Monitor report showing detailed information about a data record change. As indicated, Data Monitor can capture and report the date and time of a file access, the type of access (read, update, insert, deletion, etc), the actual user and even the before and after images of the accessed data record.© 2007 Tango/04 Computing Group Page 18
  20. 20. Tango/04 Solutions for PCI DSS Compliance Figure 6 – Data Monitor Report Segment As shown in Figure 6 you can even instruct Data Monitor to hide sensitive field values in the generated reports, such as Social Security or credit card numbers. This feature is essential in order to ensure and protect the privacy of consumer information. The Data Monitor module also has many other advanced features including the ability to: • Select the files you want to monitor and even particular fields within those files; • Select particular users or user groups to monitor; • Store your audit data on a different LPAR or platform which might be more secure or where storage space is less expensive; • “Enrich” the audit data so, for instance, an account number can appear as a customer name on your reports, making them easier to read; • Include information on your reports that is not stored in the journal such as user group or class.© 2007 Tango/04 Computing Group Page 19
  21. 21. Tango/04 Solutions for PCI DSS Compliance Ease of Use VISUAL Security Suite is fast to deploy and easy to use so Complete Coverage for the System i you can immediately begin to monitor and protect your As a Premier IBM Business Partner, corporate assets as soon as you install the product. We Tango/04 provides the most complete offer Professional Services to help you configure business functionality on the market for auditing views, real-time alerts and automated actions to meet your System i security environments. With more than 15 years experience on this platform, specific compliance needs. We also train your designated Tango/04 works directly with IBM staff so they can add additional controls as you need them laboratories in Rochester, Minnesota to take due to changes in regulations or in your corporate advantage of new i5 technology developments. environment. We continuously invest in improvements and support for the latest versions of i5/OS in Because the SmartConsole component allows you to order to offer you the best solution on the centralize the management of your security controls market. across platforms, within a single view, your security staff (Refer to Appendix A for more information will be highly productive as they maintain the integrity of regarding our technology alliance with IBM) your compliance plan. Tango/04 Solutions and the PCI DSS Requirements The twelve high level requirements of PCI DSS are broken down into numerous sub-requirements totaling just over 200 individual items for which you must demonstrate compliance. Although achieving sustainable compliance can be quite challenging, the burden can be significantly eased with the use of our multiplatform, real-time security solution. Having the ability to consolidate events from different platforms into a single view through the SmartConsole will also simplify your compliance efforts and help you to be more productive. For specific details regarding the manner in which we meet many of the PCI DSS requirements, please refer to Appendix B. Valid for Cross Compliance We understand that many companies today are subject to multiple regulations such as PCI and SOX or HIPAA or GLBA. Despite the fact that the details of complying with these laws differ, they all share common objectives. That is, the intent of these regulations is to protect consumers, shareholders and patients from the disclosure of private information and financial misstatements. The Tango/04 security solution aptly supports this intent by providing you with the capabilities of real-time alerts, automated actions, visual status displays by PC or web, monitoring of data changes at the field level and overall abundant reporting. When used together, these aspects of our solution are very powerful and can be easily implemented at your company to help you successfully comply with multiple regulations. Extendability One of the best parts about the Tango/04 solution suite is that you can implement it in a step-by-step fashion. Start with your most critical platform and begin to define the security controls you need to monitor and report on. Because our solution is so easy to use, you’ll find that once you’ve defined a business view and associated it with alarms and actions, it’s a snap to define other security views.© 2007 Tango/04 Computing Group Page 20
  22. 22. Tango/04 Solutions for PCI DSS Compliance Although VISUAL Security Suite can be used exclusively as a security compliance solution, it shares a number of modules and agents with VISUAL Message Center, Tango/04’s solution for IT infrastructure monitoring and Business Service Management (BSM). This concept allows you to expand the scope of the solution in a progressive fashion over time as shown in Figure 7. Security BSM/SLM Applications Management Infrastructure Security BSM Operations Figure 7 – Extend the Tango/04 Security Solution to Infrastructure and BSM It also allows you to create dashboards in order to visualize the impact of security problems on your different business applications. Integrating IT with business operations will not only facilitate corporate support for your compliance activities, but will also help your company function more efficiently as a whole. As various departments work together, increases in productivity are achieved, resulting in overall cost reductions. Maximize Your Return on Investment Because Security, Infrastructure and BSM all share the same concepts in terms of installation, configuration and training time, your initial investment can be reused to monitor the status of services, SLAs, user experience and application availability. Security administrators, auditors and operation managers can all have different views of the SmartConsole to focus in on what they need to know. In essence, you have one console with many possibilities at your finger tips.© 2007 Tango/04 Computing Group Page 21
  23. 23. Summary Summary If you’ve read this far, it’s likely that you’re required to comply with PCI DSS and are looking for ideas on how best to do so. Clearly, you need to develop a compliance paradigm that’s comprehensive, sustainable and does not overburden your staff or your corporate bank account. While you’re at it, you might as well define a strategy that will benefit your company beyond compliance requirements. Namely, you want to develop a security plan that not only satisfies your auditing requirements but one that also provides the added benefits of increased productivity and overall cost reduction. Multiplatform Cross Compliance The Tango/04 security solution can assist you in attaining sustainable compliance across multiple regulations and standards. With our built-in real-time alerting capability, you’ll not only meet mandated PCI DSS requirements but you will also have instant awareness of the efficacy of your security plan. This enables you to address problems as they occur, before they propagate and when they are easiest to fix. With our multi-platform capabilities, we can consolidate security information across your enterprise in a single view, greatly simplifying the task of assessing compliance. Our rich reporting feature will also help you to satisfy the needs of your external auditor as you demonstrate compliance year after year. Field Proven in Different Industries The Tango/04 security solution is fast to deploy, easy to use and field proven. We have over one thousand customers across the globe and our technology has been adopted by 7 of the 18 largest banks in the world. In fact, Henry Schein Inc. – a Fortune 500 distributor of healthcare products with global operations based in Melville, NY – is just one of our customers to effectively meet compliance obligations year after year using VISUAL Security Suite. Our customer base also includes a number of well known enterprises such as BankBoston, CocaCola, Dole Fresh Fruit, Pfizer, Shell, Office Depot and Nike. Unique Extensibility Beyond security auditing, our software also offers infrastructure monitoring, application monitoring and business service management, so you can continue to align IT with the business side of the house using a single software solution. The beauty of our solution is that you can implement additional controls and functions in a stepwise manner and at your own pace. Consider the Tango/04 family of solutions to help you achieve your compliance goals, protect your corporate assets and facilitate business management. As you continue to grow into the Tango/04 solutions you will increase productivity levels and save money over time.© 2007 Tango/04 Computing Group Page 22
  24. 24. Appendix A – Tango/04 Security Solutions Appendix A – Tango/04 Security Solutions VISUAL Security Suite: List of Controls As previously discussed and illustrated (see Error! Reference source not found. on pageError! Bookmark not defined.), VISUAL Security Suite can collect auditing information from multiple platforms and make it available for you to filter and analyze within a single console. Below is a summary of the types of events we can monitor by platform: System i: DB2 UDB: Windows: • System access • Use of special editing tools • Changes in auditing • Profile and user activity or (e.g. DFU, STRSQL) configuration, privileges, inactivity • Exit point control directory services, domain • Adopted security • SQL statement level policies… • Sensitive commands auditing • Complete event log • Object access • File access at record level monitoring (real-time) • System values • Auto control of logs with • Spool files any format • Any type of log such as • Control of Active directory, QSYSOPR, QHST or IIS, firewall service, system audit log Exchange, Citrix, remote • Use of service systems access… • Message queues • Changes to system folders • Invalid logins • Inactive users SQL Server: Oracle: Linux, UNIX, AIX: • Instance status • SQL statements run by • Complete verification of • Changes to roles and sysda syslogs (real-time) users • User SQL statements • Changes made to system • Transaction log • Role and user monitoring configuration • Connections and access • Critical processes • Control of super users • SQL statements • Special permissions • Invalid logins • Locks • Relevant users • Changes to folders/objects • Table auditing (field level) • Table auditing (field level) • Changes in privileges and • Objects • Super user activity user accounts • Errors • Authentication • Change in security policies • Windows processes • Log monitoring • Sensitive command management • Suspicious processes© 2007 Tango/04 Computing Group Page 23
  25. 25. Appendix A – Tango/04 Security Solutions Beyond platform specific abilities, a full array of other third party products, including middleware, network equipment, appliances, firewalls, IDS, antivirus systems, etc. can also be integrated easily. Business applications logs can be monitored in real time, and custom business-specific controls are easy to create and maintain. Overall, Tango/04 offers the most comprehensive security solution on the market. Tango/04 Solutions Offer Extensive Coverage for the System i Although our security solutions are multi-platform capable, it’s important to stress our strength on the i5 platform for those of you that manage System i centric shops. Tango/04 is a Premier IBM Business Partner and key member of IBM’s Autonomic Computing initiative. In addition to receiving industry recognition on numerous occasions, our solutions have been validated by IBM and designated as IBM ServerProven. Other associations we have with IBM include: • IBM PartnerWorld for Developers (Advanced Member) • IBM ISV Advantage Agreement • IBM OS Early Code Release member • IBM ServerProven Solution Provider Technology Alliances outside of IBM In addition to our strong ties to IBM, the success of our solution also relies on the working relationships we have with other platform providers. These include: • Microsoft Developer Network (MSDN) • Microsoft Early Code Release member • Red Hat Linux Partner Professional Services We provide top notch professional services to help you install "Tango/04 pre-sale activities, post-sale and configure our products across your critical platforms to implementation and support services meet your specific security needs. We’ll work together with exceeded our expectations. The Tango/04 employees are intelligent, your staff to add the precise controls you need in order to helpful, funny, patient and honest. The achieve compliance year after year. We’re not happy with any training they provided was outstanding." implementation unless you are completely satisfied. David Dresdow, Team Leader JDEdwards System Administration In fact, since 2004 we’re proud to say that all of our projects for Stora Enso security, data protection and operations monitoring have been implemented on time and with full customer satisfaction. The loyalty and high rate of customer satisfaction is one of the best guarantees we can offer you.© 2007 Tango/04 Computing Group Page 24
  26. 26. Appendix B – PCI DSS Requirements Appendix B – PCI DSS Requirements PCI DSS is a private industry standard applicable to organizations that store, process or transmit credit card information. The intent of the standard is to protect consumers by offering a single approach to safeguarding sensitive data for all credit card brands. The standard consists of 12 high-level requirements as depicted in Table 1. Table 1 : PCI DSS Requirements 1. Install and Maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10.Track and monitor all access to network resources and cardholder data 11.Regularly test security systems and processes 12.Maintain a policy that addresses information security Each high level requirement is broken up into a number of detailed sub-requirements leading to a total of just over 200 individual checklist items. In practical terms, compliance simply cannot be achieved without the help of automated software technology. The Tango/04 security solution set can easily be used to support your PCI DSS compliance efforts. Our multi-platform, real-time technology is especially strong in helping you comply with Requirement 10. That being said, our solution can also be used to facilitate compliance with many of the other requirements as described in the remainder of this appendix where we present a mapping of our solution to specific PCI DSS requirements.© 2007 Tango/04 Computing Group Page 25
  27. 27. Appendix B – PCI DSS Requirements Mapping of Tango/04 Solutions to PCI DSS Detailed Requirements Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Detailed Description of top level requirement: Firewalls are computer devices that control computer traffic allowed into and out of a company’s network, as well as traffic into more sensitive areas within a company’s internal network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from the Internet, whether entering the system as e-commerce, employees’ Internet-based access through desktop browsers, or employees’ e-mail access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network. Tango/04 Solution: Although our technology is not a firewall solution, we can help you support this requirement because VISUAL Security Suite can monitor logs and alerts coming from many system components including firewalls (in addition to antivirus software, IDS, applications, web servers and network devices). Events are sent to a centralized console where they are consolidated into a single view for further analysis. Beyond that we provide you with the ability to generate real-time alerts when a suspicious event occurs so you can take immediate action to the problem at hand. Our technology additionally includes the ability to perform actions (such as disabling a user at once from several platforms and domains, modifying a system setting, or ending a process) when an alert is generated so incidents can be handled automatically. Requirement 2: Do not use vendor supplied defaults for system passwords and other security parameters Detailed Description of top level requirement: Hackers (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information. Sub-requirement 2.2.3 Configure system security parameters to prevent misuse Tango/04 Solution: Once system settings have been defined, VISUAL Security Suite can monitor those values and alert appropriate personnel in real-time when changes are made. Information concerning security policy exceptions is consolidated and presented in the Tango/04 console for quick visual identification. Color coding is possible to immediately attract attention according to the impact of the problem. Our technology also includes the ability to perform automatic actions (such as disabling a user at© 2007 Tango/04 Computing Group Page 26
  28. 28. Appendix B – PCI DSS Requirements once from several platforms and domains, modifying a system setting, or ending a process) when an alert is generated so incidents can be handled immediately, minimizing risk. Protect Cardholder Data Requirement 3: Protect stored cardholder data Detailed Description of top level requirement: Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed and not sending PAN in unencrypted e-mails. Tango/04 Solution: Although we do not provide data encryption, we strongly support this top-level requirement in general by providing layers of defense that surround your critical data files. For example, our technology provides you with object access control by monitoring file reads, deletes, insertions, changes, restores and renames regardless of the platform or form in which the data is stored (e.g. database or spreadsheet). We also monitor object access denials so you know if a user has attempted to get to sensitive information such as cardholder data. In addition, we audit changes to file security itself, so you’ll know if someone has modified the list of users who have authority to the file. If any of these events occur, we can alert you in real-time so that you’re able to immediately attend to the potential security infraction. Along with alerts we can also execute automatic actions, such as disabling a user profile or ending their job in order to minimize risk and potential exposure while you execute other defensive measures. In many cases, malicious access or updates to your data occurs by an actual employee – someone who has been recognized as an authorized user. If this occurs, our solution has the ability to provide you with “who, what, when, how and where” type of information in addition to the before and after images of the data change. Multiple layers of defense such as these significantly add strength to the protection of your cardholder data. Sub-requirement 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). Tango/04 Solution: This requirement is easily satisfied with the use of our Data Monitor module which tracks changes to critical files at the field level. Data Monitor has the capacity to hide sensitive fields within generated reports as shown in Figure 8.© 2007 Tango/04 Computing Group Page 27
  29. 29. Appendix B – PCI DSS Requirements Figure 8 – Data Monitor Report Segment During configuration, as you define the sensitive files you wish to audit, you simply indicate the fields within those files that you do not want to display. Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software or programs Detailed Description of top level requirement: Many vulnerabilities and malicious viruses enter the network via employees’ e-mail activities. Anti-virus software must be used on all systems commonly affected by viruses to protect systems from malicious software. Sub-requirement 5.2: Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs. Tango/04 Solution: Although our technology is not an anti-virus solution, we can help you support this requirement because VISUAL Security Suite can monitor logs and alerts coming from many system components including antivirus software (in addition to firewalls, IDS, applications, web servers and network devices). Events are sent to a centralized console where they are consolidated into a single view for further analysis. Beyond that we provide you with the ability to generate real-time alerts when a suspicious event occurs so you can take immediate action to the problem at hand. Our technology additionally includes the ability to perform actions (such as disabling a user at once from several platforms and domains, modifying a system setting, or ending a process) when an alert is generated so incidents can be handled automatically. Requirement 6: Development and maintain secure systems and applications Detailed Description of top level requirement: Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently© 2007 Tango/04 Computing Group Page 28
  30. 30. Appendix B – PCI DSS Requirements released, appropriate software patches to protect against exploitation by employees, external hackers, and viruses. Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques. Sub-requirement 6.3: Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle. 6.3.2 Separate development, test and production environments 6.3.3 Separation of duties between development, test and production environments Tango/04 Solution: The intent of these sub-requirements is to prevent developers from making changes and installing them directly in the production environment. VISUAL Security Suite can help you support these requirements because we are able to monitor user activity such as access to applications and command usage, including SQL statements executed. Along those same lines, we can also audit the movement of objects and programs from one environment to another, verifying that the promotion was done by an authorized user. We can also monitor object access such as a user reading or updating a critical data file. The ability to identify who is accessing what files helps you to maintain separation of duties, by making sure that users are not inappropriately updating information that doesn’t correspond to their job role. If the policy you define regarding separation of duties is not followed, we can issue real-time alerts to enable you to take immediate action. Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Detailed Description of top level requirement: This requirement ensures critical data can only be accessed by authorized personnel. Sub-requirement 7.1 Limit access to computing resources and cardholder information only to those individuals whose job requires such access. Sub-requirement 7.2 Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed. Tango/04 Solution: Our technology is extremely capable in this area because access as well as modifications to critical data files on several platforms can be monitored and reported on. Specifically, our technology provides you with object access control by monitoring file reads, deletes, insertions, changes, restores and renames regardless of the platform or form in which the data is stored (e.g. database or spreadsheet). We also monitor object access denials so you know if a user has attempted to get to sensitive information such as cardholder data. If any of these events occur, we can alert you in real-time so© 2007 Tango/04 Computing Group Page 29
  31. 31. Appendix B – PCI DSS Requirements that you’re able to immediately attend to the potential security infraction. Along with alerts we can also execute automatic actions, such as disabling a user profile or ending their job in order to minimize risk and potential exposure while you execute other defensive measures. In many cases, malicious access or updates to your data may take place by an actual employee – someone who has been recognized as an authorized user. If this occurs, our solution has the ability to provide you with detailed tracking information including “who, what, when, how and where” in addition to the before and after images of the data change. As the control is done at the database level, it doesn’t matter where the change came from or which tool had been used to make the change. Real-time alerts can also be triggered when data files are inappropriately read or modified so you can react immediately to unauthorized data access attempts. Requirement 8: Assign a unique ID to each person with computer access Detailed Description of top level requirement: Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Sub-requirement 8.5: Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows: 8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects 8.5.5 Remove inactive user accounts at least every 90 days Tango/04 Solution: Continuous user profile monitoring and regularly scheduled reporting allows easy tracking of user accounts and access rights for your users. Procedures to keep authentication and access mechanisms in check include ongoing monitoring of user profile creation, deletion, changes to user profiles, and management of passwords. User activity such as log-ins and access to applications are also audited. Access right rules can be enforced using simple (IP address filtering) or complex custom rules (such as automatically holding user processes for a profile corresponding to an employee currently on vacation, until the incident is investigated). Correlation technology can be used to check authentication mechanisms. Real-time alerts can be executed when a suspicious event occurs (such as the granting of special authority to an existing user profile) and built-in reports can be run in order to provide user activity information to the appropriate management personnel. 8.5.9 Change user passwords at least every 90 days 8.5.10 Require a minimum password length of at least seven characters 8.5.11 Use passwords containing both numeric and alphabetic characters 8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used© 2007 Tango/04 Computing Group Page 30
  32. 32. Appendix B – PCI DSS Requirements 8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts 8.5.14 Set the lockout duration to thirty minutes or until administrator enables the user ID 8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal Tango/04 Solution: On the System i, sub-requirements 8.5.9 through 8.5.15 all correspond to system values settings which are easily monitored with VISUAL Security Suite. When changes are made to these settings we can alert appropriate personnel in real-time and also perform automatic actions (such as disabling a user at once from several platforms and domains, modifying a system setting, or ending a process) so incidents can be handled immediately. In Windows and most Unix/Linux platforms, our technology can audit if the policy is set to the right value and generate real- time alerts in case of differences. Furthermore, we can also send alerts in real time when any changes to the security policy occur. With regard to 8.5.13, automated actions can easily be defined to disable a user ID if more that six failed attempts were detected. 8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users Tango/04 Solution: Access and modifications to critical data files on several platforms can be monitored and reported on. As the control is done at the database level, it doesn’t matter where the change came from (i.e. applications, administrators or your users). Changes to data records are available on leading databases at the field level and reports show “before” and “after” images. Real-time alerts can also be triggered when data files are inappropriately read or modified so you can react immediately to unauthorized data access attempts. Regularly Monitor and Test Networks Requirement 10: Track and access all access to network resources and cardholder data Detailed Description of top level requirement: Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs. Sub-requirement 10.1: Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user. Tango/04 Solution: Our technology is able to monitor user activity such as access to applications and command usage, including SQL statements executed. Real-time alerts can be generated when sensitive commands are used so you can immediately react to the event.© 2007 Tango/04 Computing Group Page 31
  33. 33. Appendix B – PCI DSS Requirements Sub-requirement 10.2: Implement automated audit trails to reconstruct the following events for all system components: 10.2.1 All individual accesses to cardholder data. Tango/04 Solution: Data Monitor can track read, update, insert and delete actions taken against any file. For changed records, it will show “before” and “after” versions of the record. You can also mask or hide data in the reports such as credit cards. 10.2.2 All actions taken by any individual with root or administrative privileges. Tango/04 Solution: With VISUAL Security Suite we can audit commands and SQL statements executed, objects accessed, created, deleted, restored, file changes, authorization failures, user log-ons and much more. 10.2.3 Access to all audit trails. Tango/04 Solution: Authorized users can access our Reporting System which includes over 200 built-in reports that run over the collected audit data that we store in our own data files. You can also easily build custom sub-reports. In addition, we are also open about our file structure, so you can run query’s over the data as well. Besides historical reports, our real-time alerting capacity let’s you know instantly if a suspicious security event has occurred so you can address the situation on the spot. You also have the ability to automatically respond to events. For example, if a user is attempting to access a critical file after hours, we can call your cell phone and simultaneously end the user’s job and disable his profile to prevent any unwarranted updates to the file. 10.2.4 Invalid logical access attempts. Tango/04 Solution: We can track all invalid user log-ins, providing date/time of failed log-in, all user attributes (such as user class) as well as device and IP address of the attempt. 10.2.6 Initialization of the audit logs. Tango/04 Solution: VISUAL Security Suite can promptly alert you regarding any attempt to clear the audit logs where they are generated (for instance, the Windows Event Log on Windows servers). Our technology can also monitor changes to logs other than operating system logs, such as application logs, in real time. Attempts to clear the collected audit log events once they have been processed, correlated and archived (i.e, once they are stored in the historical event log repositories) can be monitored in real time as well (see requirement 10.5.5). 10.2.7 Creation and deletion of system-level objects. Tango/04 Solution: VISUAL Security Suite can easily audit the creation/deletion of all objects at any level. Sub-requirement 10.3: Record at least the following audit trail entries for each event, for all system components:© 2007 Tango/04 Computing Group Page 32
  34. 34. Appendix B – PCI DSS Requirements 10.3.1 User identification 10.3.2 Type of event 10.3.3 Date and time 10.3.4 Success or failure indication 10.3.5 Origination of event 10.3.6 Identity or name of affected data, system component, or resource Tango/04 Solution: VISUAL Security Suite audit entries include all of the above information and more. Below is an example of the information received when a user changed a system value: Figure 9 – Sample Message Triggered by a System Value Change The additional tabs shown above include additional information that can be passed as soft-coded variables to messages you can send by email or as a text message to a cell phone. The Data Monitor module can be used to track file access and can report on data file changes by showing the “before” and “after” image as previously shown in Figure 7. Confidential information can be masked on reports and shown as “Restricted” so actual data, such as credit card numbers, is not visible. The data can also be enhanced to render it more readable. For example, an account code that reads 374404534 can be enhanced to reflect that the account belongs to “JOHN SMITH”. We can also provide additional data such as the user class, group, country and accounting code. Real-time alerts can also be generated to immediately inform you of any suspicious security events. Sub-requirement 10.5: Secure audit trails so they cannot be altered.© 2007 Tango/04 Computing Group Page 33
  35. 35. Appendix B – PCI DSS Requirements 10.5.5 Use file integrity monitoring/change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). Tango/04 Solution: VISUAL Security Suite can promptly alert you regarding any attempt to change a file (including log files) in most operating systems and databases. Encryption technologies could also be integrated and used to further protect the historical event log repositories. Note, however, that encryption can be resource consuming and very intrusive when there is a need to extract forensic data or generate historical auditing reports. Consequently, our recommendation for this particular requirement is to use Data Monitor, the Tango/04 technology that permits you to monitor changes or deletions to a database at the record and field levels, including the monitoring of our own auditing database files. Sub-requirement 10.6: Review logs for all system components at least daily. Log reviews should include those servers that perform security functions like IDS and authentication (AAA) servers. Tango/04 Solution: Reports can be scheduled to run daily and automatically emailed to appropriate personnel. Reports can also be generated in various formats (e.g., .pdf, .xls, .doc) so you can easily sort and analyze the information. A major benefit of implementing our technology is that real-time alerts can be generated at the time a potential security breach is happening. This means that instead of finding out about a potential breach after the fact when reviewing logs, that you can be alerted immediately and you can even take automated actions based on the event and threat level. Sub-requirement 10.7: Retain your audit trail history for a period that is consistent with its effective use, as well as legal regulations. An audit history usually covers a period of at least one year, with a minimum of three months available online. Tango/04 Solution: A major advantage of our solution is that the audit data is stored in its own database. Because customers are urged to only monitor for exceptions or deviations from the security policy, the amount of information stored is reasonable from a DASD standpoint. This is extremely useful because it gives you the ability to run audit reports long after the journals have been removed from your system. With the Data Monitor product, which logs information about file updates, the data can even be stored on a different iSeries system or LPAR as well as a different platform such as a Windows server. This is a great advantage because of the added security and heavily decreased costs (disk space on Windows is much cheaper than on the System i). Requirement 11: Regularly test security systems and processes Detailed Description of top level requirement: Vulnerabilities are being discovered continually by hackers and researchers, and being introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and with any changes in software.© 2007 Tango/04 Computing Group Page 34
  36. 36. Appendix B – PCI DSS Requirements Sub-requirement 11.4 Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-to-date. Tango/04 Solution: Our technology supports this requirement because VISUAL Security Suite can monitor logs and alerts coming from many system components such as intrusion detection systems (in addition to firewalls, anti-virus software, applications, web servers and network devices). We also directly integrate with one of the most powerful and comprehensive exit point solutions for the System i which provides protection for more than 2,000 access functions. Events of interest from all sources are sent to a centralized console (either PC or web based) where they are consolidated into a single view for further analysis. We also provide the ability to generate real-time alerts when a suspicious event occurs so you can take immediate action to the problem at hand. Our solution also enables you to define an escalation list for critical events so you can be sure they are addressed. Our rich reporting system lets you conduct forensic analysis over events as a means of evaluating and improving the security systems and processes you have in place. Beyond that, our technology additionally includes the ability to perform actions (such as disabling a user at once from several platforms and domains, modifying a system setting, or ending a process) when an alert is generated so incidents can be handled automatically, minimizing total risk exposure. Sub-requirement 11.5: Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files, and perform critical file comparisons at least daily (or more frequently if the process can be automated). Tango/04 Solution: The Data Monitor product has the ability to monitor any files on your system for changes. Reports can be run to see all forensic information about the change, including the “before and after” images of the records changed. Real-time alerts can also be fired so you know immediately if a record has been changed by an unauthorized user, outside of normal business hours or even if a change exceeds a predefined threshold. For example, you may want to be notified immediately if a customer service representative has given a customer more than a 15% discount on his/her purchase. Our technology can also provide you with real-time alerts when a suspicious security event occurs.© 2007 Tango/04 Computing Group Page 35

×