PCI DSS is a unified approach to protecting sensitive customer information, primarily credit card information. Back in 2001, we had multiple programs that were all trying to do the same thing, but they were proprietary programs from each card carrier. American Express had their own program, Visa had their own program, and so forth. A retail vendor, or anybody who had to accept these different types of cards, had multiple standards to comply with, and that made it really difficult for those vendors. So the idea was to consolidate all these security requirements under one umbrella, one unified approach to securing customers' card data, and that's where the Payment Card Industry Data Security Standard (PCI DSS) comes from. This gives us a good standard set of rules that applies to all types of customer credit card information. There are twelve core requirements that are like chapter titles: big topics with a lot of detail and specifics under each, often referred to as the digital dozen. Today we'll zero in on these twelve areas, look at the ones that apply to wireless specifically, and what you need to do in order to really be in compliance with them. Who's affected by the standard? Obviously anyone who processes payments using credit cards or handles any of that information needs to comply with the standard. It applies to any part of the network, or any components connected to parts of the network, that hold credit card information. So this is a very far-reaching definition: anything that is outward facing and carries, or is connected to systems that can carry, credit card information. This applies to a lot of things, and wireless is certainly in that category. If we don't comply with these rules, a lot of very serious things can happen: fines, breaches, loss of the ability to actually process credit cards, and so on.
Let's focus on the big requirements that pertain to wireless; specifically, we're going to dig deeper into version 1.2 of the PCI standard. The first requirement is to maintain a firewall, something that is actually looking at the traffic and can protect the data from the untrusted outside world. This has a big topological impact on the network, but we will also spend a lot of time looking at how to replace what a firewall does for us on the wired side, by looking at what we lose when we move to a wireless world. Secondly, we want to make sure that we use good passwords and are not using the default passwords that come built into the infrastructure itself. Then we will spend some time on encryption, so we can make sure we know how to protect the cardholder information while it is in flight through the network. Then we will look at what it means to maintain and develop secure systems, and to track and monitor all network access; obviously you want to know who is attempting to access this important information. And then we'll look at how to actually test your security systems and processes, what PCI says about verifying that the security policy is in place, and how to maintain your information security policy. So those are the big categories; we will drill into the specifics of each rather than staying at this very high-level view.
What is PCI and what are the components of actually complying? There are various levels of PCI that vary depending on how big a card processor you are and how much business you do, because obviously you want different rules for a mom-and-pop store that handles credit cards versus a really big organization that has lots and lots of cardholder information in its database. PCI has a notion of what type of vendor you are, so it can apply a set of rules that lines up with the risk associated with that credit card information. Depending on your merchant level, going through PCI compliance can mean an onsite audit for your Level 1 merchants, security self-assessments, or network scans performed by third-party services, who can come in and give you very deep external-facing penetration testing, vulnerability testing, and things like that.
This is just a quick table to give you a view of where these various merchant levels start. Merchant Level 1 covers your very large transaction processors, those handling more than six million transactions, or anyone who has had some type of exposure. Obviously if you've had some type of problem where information has been compromised, you automatically go up to Level 1, which requires a regular onsite assessment plus a quarterly scan. When we get down to Merchant Level 2, where you're between one million and six million transactions, you're transitioning over to the quarterly scan model. This is something where, on a regular basis, once every three months, you do an audit of your environment to look for the various things that might constitute a PCI violation. This is something you can certainly do with a WiFi analyzer. You can do this with our mobile tools that you set up on a laptop, but you'll also be able to do it on a more continuous basis and in a more complete way if you have a monitoring system that's doing this all the time. And as we get down into Merchant Levels 3 and 4, these are your smaller processors. The quarterly scan is required at Level 3 and recommended, but not required, at Level 4.
First and foremost is the requirement to install and maintain a firewall configuration to protect data. Obviously network managers make sure they have firewalls and router rules to protect the boundary between the trusted inside world and the untrusted outside world. What we see more and more, partly as a result of PCI version 1.2, are firewalls between the wireless component of the network and the trusted core wired network. That is certainly an improvement over what people have been doing in the past, but it still leaves a very important set of vulnerabilities.
In a traditional network we have multiple layers of security that protect our trusted resources from the outside world: traffic has to go through a firewall that knows which direction the traffic is travelling, you have an IDS that is looking for bad traffic that could harm the network, and you can have NAT to make sure that people in the outside world have a hard time seeing the IP addresses and who's behind the secured area. This is a really good approach to security, and as we move to wireless we have to remember that a very interesting thing has happened: the topology of layers that protect our end users and our data has essentially evaporated in the wireless world. When our end users, who are back here protected by our wired firewall, send information wirelessly, it can be heard outside the building, and it does not have to go through the corporate firewall at all. It's not protected by NAT anymore; those MAC addresses are directly visible to anyone who's listening out there on the wireless side. So for all of this traffic, even if it's internal, even if it doesn't go out to the internet, we all of a sudden don't have a way of looking at what is coming in. We don't have a way of seeing who's talking to whom. We don't have a way of seeing if there are ad-hoc connections out there, if somebody is trying to listen to our conversations, or if someone is trying to lure our approved users and employee devices into a connection outside of our network. We want to do more than just put a firewall between this wireless world and the core. We want to get back the things that a firewall has offered on the wired side: knowing which direction traffic is flowing, knowing who is talking to whom, looking for the threats that can compromise things, actually protecting those end users, and getting back to what we have standardized on in terms of security in the wired world.
With AirMagnet Enterprise, you have a system that actually monitors the airspace itself, where the actual traffic is flowing. So instead of waiting for traffic to reach the wire to analyze it, you see your end-user clients that may be connecting outside the building; you're only going to see that in the air. You need to monitor for vulnerabilities: who's talking to whom, whether you have unauthorized associations, whether somebody is eavesdropping on the network. Certainly we're all very familiar with the TJX exploit, and this is something you want to be able to look for: is there somebody outside the building listening to your traffic, is there somebody outside the building trying to run attack tools that break your encryption? The only place you can reliably see this information is where the traffic flows, and that's in the air. Having a monitoring system like this gets us back what we lost by moving to wireless, namely stateful analysis between the untrusted outside world and all of the trusted users I want to protect, and the information that flows on their systems. This is a fundamental concept that we want to make sure we have addressed, and it's obviously a really important issue for the first requirement of PCI.
Next we move to making sure that our basic configurations are strong. This is something we saw a lot of early on in wireless and still see today: networks with default configurations, default passwords, default SSIDs, and so on. These things make it very easy for someone to scan the network, see a device, and recognize a device that has an out-of-the-box configuration. It's a red flag to anyone who would be a hacker: "I can recognize this device. I know this is an unconfigured device and it's going to be really easy for me to break this system."
AirMagnet can automatically look for devices that have these default configurations. So instead of having to go through them manually and look at all your devices worldwide, or anything that's connected to your network, you can have a system that does that for you automatically. It will alert you if there is a device out there that still has its default configuration. Not only does this keep you within PCI compliance, it's just a good process to make sure that if there's a weak device out there, you know about it proactively, and again you're looking at these things over the air instead of trying to deal with it from the configuration management side.
AirMagnet can look for other configuration problems, such as ad-hoc devices. This is something I alluded to in the earlier network diagram: devices that are connected to one another without even going through an access point. Obviously this is a security problem, because it doesn't allow us to use our authentication and encryption scheme. These may just be a couple of laptops that want to share information, but they circumvent our security infrastructure. So this is a bad configuration for any network that has important information you want to protect. This is another type of configuration issue that is really focused on the client side. We were looking at AP configurations and things like that, but we also want to look at the client devices, because a lot of what we see on the security side of wireless networks is that the most important vulnerabilities come from the client side, and you may not even see that client connect to the network. If it has connected to the network in the past and has important information on it, you want to make sure that those devices stay within the security policy and don't compromise any information.
Encryption is obviously a really big topic. In the past people have been using SSL and IPSec and adding email policies that go along with encryption, authentication and auditing. With wireless, we've seen a lot of maturity in the security standards that make up and are used in WiFi. The PCI standard is essentially saying "WEP is not strong enough," and it is focused on moving us to WPA, WPA2 and the sister of WPA2, 802.11i. These are essentially the same security requirements; it just depends on whether they came from the IEEE or the Wi-Fi Alliance. So if you see WPA2 and 802.11i, they're essentially the same thing. The PCI standard has said that for new networks deployed after March 31st, 2009, you're not allowed to implement WEP; you need something stronger, whether it is WPA or WPA2. For all existing networks, we have until June 30th, 2010 to move off of WEP.
Encryption is definitely something AirMagnet will be looking at in the traffic in flight. This view shows the types of information AirMagnet can look at. For example, an important security measure is using 802.1X, which provides key rotation. AirMagnet can automatically identify a device that is unprotected by 802.1X. Perhaps I haven't decided whether I'm using WPA or WPA2; in this case, we can look for anything that is not stronger than WEP and make sure that you see any device that is unprotected by 802.1X. So this is a really good way of looking at all of that traffic out there and making sure you see any weakness that can be exploited.
There are issues related to encryption that go beyond the WEP issue. Even if you have WPA deployed, you want to make sure that the mechanisms that make up WPA (i.e., rotating keys) are actually doing what they should. AirMagnet can watch all of that in flight, so you can come back and see, "Well, maybe I'm not rotating my keys fast enough." If I don't rotate keys fast enough in 802.1X, then I lose some of the security that makes it stronger than WEP. So let's look for those types of things automatically. Let's alert if we have devices out there that are slow enough to be compromising our security. Let's look to see if someone is trying to break our authentication and encryption schemes, and let's look to see if there are dictionary attacks out there. A very important point that is often missed is that your broadcast and multicast traffic sometimes ends up being unencrypted, even though you put a configuration on your network that says "encrypt that traffic." It's quite common to see devices that don't pick up the config correctly, and you'll see this multicast traffic in the clear. If someone is eavesdropping out there in the environment, they can pick up IP addresses for switches and controllers that are on the wire, and all of a sudden you're exposing a lot of information that you didn't intend to, which is really something you don't want to do. So being able to look at all the bits and bytes that are in the air and identify those vulnerabilities is something else AirMagnet can do for you. The plot thickens even more when we start looking at other vulnerabilities that have been discovered even in WPA. This applies to WPA, the first version, not WPA2. Last year a vulnerability was discovered where, if you're using WPA in conjunction with QoS (Quality of Service), you create a vulnerability where WPA is susceptible to fragmentation or chopchop attacks.
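As an added example (not AirMagnet's code or output), here are the checks discussed in the last few sections, default configurations, ad-hoc networks, the WEP cut-off dates, WPA with QoS, slow key rotation and cleartext broadcast frames, applied to a constructed scan; the record fields, the rotation threshold and the default-SSID list are assumptions.

```python
"""Wireless configuration and encryption checks for PCI over a constructed scan.

Added example, not AirMagnet code. Encodes the rules discussed above: the
WEP cut-off dates from PCI DSS v1.2, default configurations, ad-hoc
networks, WPA (TKIP) with QoS enabled, slow 802.1X key rotation and
unencrypted broadcast/multicast frames on an encrypted BSS. The record
fields, the rotation threshold and the default-SSID list are assumptions.
"""
from datetime import date

# Dates quoted from the PCI DSS v1.2 discussion.
WEP_BANNED_FOR_NEW_NETWORKS_AFTER = date(2009, 3, 31)
WEP_BANNED_FOR_ALL_NETWORKS_AFTER = date(2010, 6, 30)
# Assumed local policy values, not PCI DSS figures.
MAX_KEY_ROTATION_SECONDS = 3600
DEFAULT_SSIDS = {"default", "linksys", "tsunami", "netgear"}   # constructed sample list

AUDIT_DATE = date(2009, 10, 1)   # constructed: scan date before the WEP deadline
LATER_DATE = date(2010, 7, 1)    # constructed: scan date after the WEP deadline


def check_bss(rec, today):
    """Return (code, message) findings for one observed network record."""
    findings = []
    enc = rec.get("encryption", "open")
    ssid = rec.get("ssid", "")

    if rec.get("mode") == "adhoc":
        findings.append(("ADHOC", f"{ssid}: ad-hoc link bypasses AP authentication and encryption"))

    if enc == "open":
        findings.append(("OPEN", f"{ssid}: no encryption on traffic in flight"))
    elif enc == "WEP":
        if rec["deployed"] > WEP_BANNED_FOR_NEW_NETWORKS_AFTER:
            findings.append(("WEP_NEW", f"{ssid}: WEP on a network deployed after {WEP_BANNED_FOR_NEW_NETWORKS_AFTER}"))
        elif today > WEP_BANNED_FOR_ALL_NETWORKS_AFTER:
            findings.append(("WEP_EXPIRED", f"{ssid}: WEP past the {WEP_BANNED_FOR_ALL_NETWORKS_AFTER} deadline"))
        else:
            findings.append(("WEP_LEGACY", f"{ssid}: legacy WEP, move to WPA/WPA2 by {WEP_BANNED_FOR_ALL_NETWORKS_AFTER}"))
    elif enc == "WPA" and rec.get("qos"):
        # WPA (TKIP) with QoS enabled is the combination exposed to the chopchop/fragmentation attack.
        findings.append(("WPA_QOS", f"{ssid}: WPA with QoS enabled, migrate to WPA2"))

    if rec.get("default_config") or ssid.lower() in DEFAULT_SSIDS:
        findings.append(("DEFAULT_CONFIG", f"{ssid}: out-of-the-box SSID or credentials"))

    rotation = rec.get("key_rotation_s")
    if enc in ("WPA", "WPA2") and rotation is not None and rotation > MAX_KEY_ROTATION_SECONDS:
        findings.append(("SLOW_ROTATION", f"{ssid}: keys rotate every {rotation}s, policy max {MAX_KEY_ROTATION_SECONDS}s"))

    # Broadcast/multicast leaking in the clear on a BSS that is supposed to encrypt.
    if enc != "open" and rec.get("clear_bcast_frames", 0) > 0:
        findings.append(("CLEAR_BROADCAST", f"{ssid}: {rec['clear_bcast_frames']} cleartext broadcast/multicast frames"))

    return findings


def audit(records, today):
    """Map BSSID -> finding codes for every record that has at least one finding."""
    report = {}
    for rec in records:
        codes = [code for code, _ in check_bss(rec, today)]
        if codes:
            report[rec["bssid"]] = codes
    return report


# Constructed scan records standing in for what a wireless analyzer would collect.
SAMPLE_SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "POS-STORE-12", "mode": "infrastructure",
     "encryption": "WPA2", "deployed": date(2009, 6, 1), "key_rotation_s": 600},
    {"bssid": "00:11:22:33:44:02", "ssid": "linksys", "mode": "infrastructure",
     "encryption": "WEP", "deployed": date(2009, 5, 15), "default_config": True},
    {"bssid": "00:11:22:33:44:03", "ssid": "WAREHOUSE", "mode": "infrastructure",
     "encryption": "WEP", "deployed": date(2007, 1, 10)},
    {"bssid": "02:aa:bb:cc:dd:04", "ssid": "BREAKROOM", "mode": "adhoc",
     "encryption": "open", "deployed": date(2009, 9, 1)},
    {"bssid": "00:11:22:33:44:05", "ssid": "STORE-7-SCANNERS", "mode": "infrastructure",
     "encryption": "WPA", "qos": True, "deployed": date(2008, 3, 1),
     "key_rotation_s": 7200, "clear_bcast_frames": 14},
]

if __name__ == "__main__":
    for bssid, codes in audit(SAMPLE_SCAN, AUDIT_DATE).items():
        print(bssid, ", ".join(codes))
```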
This is something, again, that someone sitting outside the building could recognize, then start injecting traffic into a conversation and start to recover the clear text of the message. This is something AirMagnet Enterprise could identify early on. We had zero-day coverage for this vulnerability as soon as it was announced, and this is again the type of thing that is going to protect that credit card information and protect your encryption, because we will make sure that if there is any type of assault on that encryption or authentication process, you'll be able to identify it.
Here's an alarm that shows a potential chopchop attack in progress. Something I think is really important and helpful about the AirMagnet approach to wireless is that we very much understand that these alarms, exploits and vulnerabilities are sometimes very new to network professionals, because we've been focused on the wired networking side for so long. Since some of these wireless hacks are new to most people, AirMagnet provides a very detailed description of what the attack is and how it works, why it matters, and what you would do in response to it, so that you can learn what some of these vulnerabilities and risks are as you're using the system. This way you actually know what the threat is instead of just saying, "Yes, let's check the box. I want to know about this potentially scary threat out there if it happens." It is obviously a lot better to learn and understand what types of attacks and approaches people use to compromise a wireless network.
Maintaining secure systems: what does that really mean? It involves making sure that systems are properly configured, properly managed, and properly patched and up to date. So this means looking at our web application code, but also looking at the actual configuration and managing the configurations on the various wireless devices that are out there.
Again, this is something AirMagnet can do automatically. Not only can you verify it for your PCI compliance, it's also really helpful to know when devices have changed their configurations. It may be that you've rolled out new firmware and the devices had to grab a new configuration, and you've got lots of access points in lots of locations out there; maybe some of them didn't pick up that configuration correctly. Maybe a device had a hard reset and came back in a default configuration. All of these are potential vulnerabilities that, if not managed properly, could create a weakness for us, so we want to see where these configurations have changed. Again, this is something we have alarms for, where you can say, "Let me know not only when I have a device that doesn't meet my security policy, but just let me know when a device changes its configuration." There are alarms for the security configuration changing and even for the performance configuration changing. So you can be really up to speed and have an independent system that says, "Here's what's been changing in the network, here's what's gotten out of whack from our security policy, and here's how to go back in and remediate all of that."
Requirement 10 looks at access control and monitoring. There are a lot of requirements around log management in PCI, so this is about keeping a log of who has connected to the system, what they've been connecting to, and what types of information are going back and forth. This is where you would implement an IDS/IPS. This is where you look at having a really good log and database of all of the policies and of what's been going on out there. As we move to PCI 1.2, there are specific requirements for keeping logs on a central server, and for who should be able to access and write to the systems we're trying to protect. We want to make sure that we're auditing and keeping logs of anyone who has had invalid access attempts. We want audit trails that let us check, when somebody does connect to the network, that it aligns with their job role, and of course keeping audit trails means that if anything unauthorized happens, we have the information there. We want to keep those trails for at least a year and have at least three months of that information available for immediate analysis.
Keeping logs is a very simple, automated function of the AirMagnet system. Of course, we're always running a full-time wireless IDS/IPS, so when we start talking about looking at the traffic going back and forth, looking for vulnerabilities and at what types of information are flowing, you have an IPS that starts on the wireless side. All of that client information, all of those things going into the access points, you'll be able to bring under the IPS umbrella. AirMagnet will also be looking for unauthorized associations. So not only are we checking that data is encrypted properly, we're also looking for the unexpected. Maybe something unexpected happens to an AP where it loses its connection and tries to roam, or accidentally connects to the hotspot across the street from the building. This is a very bad thing to have happen, and it's something hackers will try to make happen deliberately. Sometimes you'll see a hacker that tries to look like one of your official access points and get someone to associate to it. AirMagnet will look for these unauthorized associations, look for any of those evil twin problems, and alert you to an approved device that is talking to anything else that is not approved. That's an AP to a station, a station to an AP, or even APs that are bridging. So this gives you a lot of coverage to get back to that core idea of who is talking to whom and make sure that they are actually doing the things they're supposed to.
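The Requirement 10 retention figures and the unauthorized-association rules just described, as an added example over a constructed log (not AirMagnet code; the log line format, the approved-device lists and the invalid-attempt threshold are assumptions):

```python
"""Association and audit-log checks over constructed wireless IDS log lines.

Added example, not AirMagnet code. The log line format, the approved-device
lists and the invalid-attempt threshold are assumptions; the retention figures
(one year kept, three months immediately available) are the PCI DSS
Requirement 10 numbers quoted above.
"""
import re
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>ASSOC|AUTHFAIL|BRIDGE) (?P<kv>.*)$")

ONLINE_DAYS = 90        # three months immediately available for analysis
RETAIN_DAYS = 365       # audit trail kept for at least one year
FAIL_THRESHOLD = 3      # assumed: invalid access attempts per station before alerting

APPROVED_APS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}       # constructed
APPROVED_STATIONS = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}  # constructed
NOW = datetime(2009, 10, 1, tzinfo=timezone.utc)                 # audit time for the sample

# Constructed log: an approved station joining a neighbour's AP, an unknown
# station on a store AP with repeated bad credentials, an AP bridging to an
# unknown peer, one old event, and one line the parser must skip.
SAMPLE_LOG = """\
2009-09-14T10:02:11Z ASSOC sta=aa:bb:cc:dd:ee:01 ap=00:11:22:33:44:01 ssid=POS-STORE-12
2009-09-14T10:05:40Z ASSOC sta=aa:bb:cc:dd:ee:01 ap=66:77:88:99:aa:bb ssid=POS-STORE-12
2009-09-14T10:06:02Z ASSOC sta=de:ad:be:ef:00:01 ap=00:11:22:33:44:01 ssid=POS-STORE-12
2009-09-14T10:07:15Z AUTHFAIL sta=de:ad:be:ef:00:01 ap=00:11:22:33:44:01 reason=bad_credentials
2009-09-14T10:07:19Z AUTHFAIL sta=de:ad:be:ef:00:01 ap=00:11:22:33:44:01 reason=bad_credentials
2009-09-14T10:07:23Z AUTHFAIL sta=de:ad:be:ef:00:01 ap=00:11:22:33:44:01 reason=bad_credentials
2009-06-01T08:00:00Z BRIDGE ap=00:11:22:33:44:02 peer=66:77:88:99:aa:bb
2008-08-01T08:00:00Z ASSOC sta=aa:bb:cc:dd:ee:02 ap=00:11:22:33:44:02 ssid=POS-STORE-12
garbage line the sensor could not format
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    fields["event"] = m["event"]
    fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def load_events(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def unauthorized_associations(events, approved_aps, approved_stations):
    """Flag every link where an approved device talks to an unapproved one."""
    findings = []
    for e in events:
        if e["event"] == "ASSOC":
            ap_ok, sta_ok = e["ap"] in approved_aps, e["sta"] in approved_stations
            if sta_ok and not ap_ok:     # employee device on a neighbour hotspot or evil twin
                findings.append(("STA_TO_UNAPPROVED_AP", e["sta"], e["ap"]))
            elif ap_ok and not sta_ok:   # unknown station on a cardholder-network AP
                findings.append(("UNAPPROVED_STA_TO_AP", e["sta"], e["ap"]))
        elif e["event"] == "BRIDGE" and (e["ap"] in approved_aps) != (e["peer"] in approved_aps):
            findings.append(("UNAPPROVED_BRIDGE", e["ap"], e["peer"]))
    return findings


def repeated_invalid_access(events, threshold=FAIL_THRESHOLD):
    """Stations whose invalid access attempts reached the alert threshold."""
    counts = {}
    for e in events:
        if e["event"] == "AUTHFAIL":
            counts[e["sta"]] = counts.get(e["sta"], 0) + 1
    return {sta: n for sta, n in counts.items() if n >= threshold}


def retention_tier(ts, now):
    """'online' within three months, 'archive' within a year, else past the minimum."""
    age = now - ts
    if age <= timedelta(days=ONLINE_DAYS):
        return "online"
    if age <= timedelta(days=RETAIN_DAYS):
        return "archive"
    return "beyond_minimum"


def retention_summary(events, now):
    """Count events per retention tier so the 90-day online window can be verified."""
    summary = {"online": 0, "archive": 0, "beyond_minimum": 0}
    for e in events:
        summary[retention_tier(e["ts"], now)] += 1
    return summary


if __name__ == "__main__":
    ev = load_events(SAMPLE_LOG)
    for f in unauthorized_associations(ev, APPROVED_APS, APPROVED_STATIONS):
        print("ALERT", *f)
    print("repeated invalid access:", repeated_invalid_access(ev))
    print("retention:", retention_summary(ev, NOW))
```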
Here is a high-level view of what AirMagnet Enterprise is. All of the things we're talking about in terms of connection enforcement, auditing, and keeping a log of all the events are things the system does automatically. So you have sensors that you can put in any location. You can have stores or distribution centers all over the world with sensors that automatically inspect the traffic. They do analysis to look for weaknesses and any type of attack. You can automatically enforce your policies, so that if somebody does connect to someone they shouldn't, you can break that connection, and then it all filters back to the server and database where you keep records of all of the connection attempts and anything that went wrong. All of this is in the database, and of course we can generate reports.
Requirement 11 of PCI is almost line by line specifying what the AirMagnet Enterprise system and our approach to security do for you. In terms of regularly testing the security system, you can use AirMagnet Enterprise or you can use a mobile wireless analyzer, AirMagnet WiFi Analyzer. So whichever way you want to approach the problem, whether it's continuous monitoring or you just want to do the quarterly walk through an area and do that periodic audit, you have tools that allow you to do it in a really automated fashion, and the nice thing is you can do a combination of these things. You may want to put monitoring systems in a distribution center and then periodically walk around each store every month. You have tools that can do either, and they share a common reporting methodology and a common way of assessing these security problems. So this allows you to say, "I want to take this field audit that I did and actually save it in the same way, and have the same look and feel and the same report that I have for my enterprise core system."
Here is an example of an AirMagnet WiFi Analyzer alarm showing rogue devices by MAC address, by offender type, by which channel they use, or any other rule you want to use to identify devices that aren't supposed to be in your environment. AirMagnet WiFi Analyzer is a mobile software application that proactively detects over 130 network problems, including security and performance alarms. Users have everything needed to quickly pin down any Wi-Fi issue. This includes detection of rogue devices, configuration problems with the authorized devices, denial of service attacks, security hacks, RF management issues, device overloading issues, excessive bandwidth usage, and so on.
For Requirement 12, we need to maintain a policy that addresses information security. This is how we add and change our policies, and it applies very much to wireless. This is actually the soft spot in many enterprises: since wireless is so new, the wireless policies and procedures typically aren't as in-depth or up to date as the wired policy. Defining what the wireless security policy is in the first place is sometimes tricky. So we provide an interface to build this policy out, where you set the rules: you decide which types of security you want to use, what types of authentication, and what types of behavior are approved or not approved. Then you can create a record based on those rules. For example, if you want to be able to show what the wireless security policy is, once we've built those rules we can just generate a report.
Then of course AirMagnet can proactively alert on any of these violations. If we see a problem or a threat out there, we can block it, trace it and locate it. We can do all the things you would want to do once you see a problem: actually go about taking care of it and protecting ourselves from it. We can escalate those problems and notify our staff or other management systems. So as we create our security policy, we don't want to just have a wireless silo of information. We want to let people know, whether it's the IT team, the security team, or even our other wired management systems. We want to filter and send this information up to those other management systems so they have a really good unified view. So this gives us a very straightforward way to get from a soft concept of what wireless security and the wireless policy are, to actually setting the rules, sharing those rules with other people, and integrating all of that with our other big management systems. It's a very, very important way to get more mature on PCI and on security for wireless in general.
The AirMagnet system has compliance reports for a lot of different standards, including PCI. If you have multiple standards that you have to comply with in your organization, say PCI and Sarbanes-Oxley, or PCI and HIPAA if you're in healthcare, we have really complete reporting for all of these standards. Reports start at a high level and identify what you specifically need to do in order to be compliant. Frankly, the reports themselves go into far more detail than we've been able to go into today; if you want to learn more about what the PCI requirements are and, line by line, what they dictate, that's in the report. Once you've set your rules, the reports show more detail about your overall view of compliance: how many violations you have, what types of violations they are, and how many of your devices, at an aggregate level, are in or out of compliance with these various rules. Then the reports go down to the level of device by device, violation by violation: what actually went wrong and how do I go about solving it. And of course in the AirMagnet Enterprise system, all of these reports can be run automatically. You can set the system to say, "I want to generate this PCI compliance report every Friday at five and email it to persons X, Y and Z," whoever needs to get a record of this. When we think back to that requirement to have at least a year's worth of records, with three months of them readily available, this is a system that is just generating these reports like clockwork. You have a complete history for as long as you've been running the system. So this makes it almost an afterthought to stay in compliance, because it's all happening automatically.
Here's a quick view of what the compliance reports look like. This is the "tell me what each section of PCI says I have to do to maintain compliance" view. Then we can shift gears and look, at a high level, at what things look like in terms of compliance.
The pie chart at the top shows how many violations we have per section of the PCI standard, and right below it we show how many devices are in compliance, labeled in green, or out of compliance, in red, again per section. So you can see really quickly that for sections 1.2.3 through 1.3.5 pretty much everybody is in compliance, but in the second section we've got some devices with problems, so we may want to go take a look at those.
We can drill down a little more and see specifically what types of violations and issues have triggered these violations, and what to do about them.
We can keep drilling down, and what we end up with at the most granular level is a device-by-device report card showing whether each device passed or failed each section. This is down to the MAC address level, so if you do see devices that are out of compliance, you can really quickly get to very detailed information about what went wrong and what you need to do to fix that type of problem.
So, just a quick summary. We've talked about a lot of things that pertain to PCI. The AirMagnet Enterprise system is a complete, automated approach to achieving compliance with the PCI rules because, again, we're looking at all the traffic, all the time. We're looking at all the channels. We're looking for the vulnerabilities and threats: somebody sniffing your network, somebody eavesdropping on your traffic. You can do this for all locations, so it doesn't all have to be on one campus, and then you can keep a database and actually enforce all these policies we've been talking about. So this gives us a really easy way to come back and understand what PCI requires and how we actually do it.
Closing Wireless Loopholes for PCI Compliance and Security
What Compliance Means for Merchants and Service Providers
Everyone must comply with the standards
What category you fall into determines what level of validation you must provide (i.e. audits/scans)
Annual penetration tests are required, although not required to be submitted
Components of PCI:
On-site Audit – only for Service Providers and Level 1 Merchants
Security Self-Assessment – PCI compliance attestation is primarily based on this.
Network Scans – Must be conducted by a qualified 3rd party against all external-facing information resources
The Table (Merchant Side): Compliance Validation Level (due date in parentheses) | Criteria | Annual Onsite Assessment | Quarterly Scan
Merchant Level 1 (9/30/04) | Any merchant, regardless of acceptance channel, processing >6M transactions; any merchant that has suffered a hack; any merchant that a card association determines should meet the Level 1 requirements; any merchant identified by any payment card brand as Level 1 | Required | Required
Merchant Level 2 (9/30/07, new) | 1M to 6M transactions, regardless of acceptance channel | Compliance Questionnaire | Required
Merchant Level 3 (6/30/05) | 20K to 1M e-commerce transactions | Compliance Questionnaire | Required
Merchant Level 4 (acquirer) | <20,000 e-commerce transactions, or <1M transactions regardless of channel | Compliance Questionnaire (recommended) | Recommended (annual scan only)
The Wireless Network Components: Build Secure Network
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect data
What companies are doing:
Performing architecture, FW and router rule audits/reviews
Placing firewalls between wireless networks and cardholder networks
Complete IDS and Archiving
AirMagnet Enterprise Core Functions:
Inspection – Scan all traffic and channels
Analysis – Automatically identify threats and problems
Enforcement – Stop threats and enforce policies
Correlation – Put all the individual events in context
Alerting – Notify staff and escalate based on severity
Archiving – Store all events and compliance records
AirMagnet Enterprise Core Components: Sensors; Server + Backup
The Components for Wireless Networks – Monitor and Test Networks
Requirement 11: Regularly test security systems and processes
What companies are doing:
Vulnerability assessment scanning and penetration testing
File integrity monitoring
Use wireless analyzers on a quarterly basis or deploy WIDS/WIPS
Wireless assessments: rogue device discovery
WIDS/WIPS should alert on unauthorized access or other security events
WIDS/WIPS should respond to unauthorized access
AirMagnet WiFi Analyzer: Mobile Security, Performance, Compliance
The Components for Wireless Networks – Maintain Security Policy
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
What companies are doing:
Security awareness training
Adding/updating incident response procedures
Reviewing contracts with third parties who process or store cardholder data