
AIRTIGHT NETWORKS WHITEPAPER

Don’t Let Wireless Detour Your PCI Compliance
Understanding the PCI DSS Wireless Requirements

A Whitepaper by AirTight Networks, Inc.
339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043
© 2009 AirTight Networks, Inc. All rights reserved.
Executive Summary

The Payment Card Industry Security Standards Council (PCI SSC) has published a PCI DSS Wireless Guideline which acknowledges that wireless is a clear and present danger to network security, and that those who collect, store or transmit cardholder data must take steps to ensure it is secure, whether or not wireless is deployed in the cardholder data environment. Though the PCI DSS already included wireless security requirements, this is the first time the requirements for wireless security have been described unambiguously for all cardholder data environments (CDE). Organizations which handle payment card data must take steps to secure the CDE against wireless threats, including unmanaged and unknown wireless devices in the environment, and must scan all locations. This white paper helps those organizations understand how the PCI DSS 1.2 wireless requirements apply to them, how to meet those requirements in a cost-effective way, and how to secure their network and cardholder data from wireless threats.
Introduction

Recent incidents have highlighted the growing popularity of wireless among cybercriminals as a way to obtain sensitive data from both wired and wireless networks. The TJX incident, the largest known wireless security breach in U.S. history, is a prime example. Hackers used unsecured wireless as an entry point to access TJX networks worldwide. Over 90 million credit- and debit-card records were stolen, along with personal information such as social security numbers, driver’s license numbers, and military identification of more than 451,000 customers. A total of nine retail chains, including Office Max, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and DSW, were victims of this heist. Forrester Research estimated the cost incurred to cover financial losses and lawsuit settlements at one billion dollars.

Notably, the wireless networks that were hacked during this incident were not necessarily being used to process cardholder data, but were connected to wired networks that were part of the cardholder data environment (CDE). This highlighted the need to comprehensively secure the CDE against all types of wireless threats, including those initiated from outside it and those initiated from “Rogue” wireless access points and clients installed unofficially inside the CDE.

The Payment Card Industry Security Standards Council (PCI SSC) responded promptly by releasing version 1.2 of the PCI Data Security Standard (PCI DSS) in October 2008. The PCI SSC’s Wireless Special Interest Group (SIG) followed it with a “PCI DSS Wireless Guideline” document in July 2009 that clarified the wireless security requirements for PCI compliance, provided guidance on implementing secure wireless LANs, and outlined methods for protecting against threats from wireless devices outside the CDE and from Rogue wireless devices.
Understanding the Cardholder Data Environment

Fundamental to achieving PCI compliance is understanding what comprises a CDE. The PCI SSC Wireless SIG defines the CDE as “the computer environment wherein cardholder data is transferred, processed, or stored, and any networks or devices directly connected to that environment.” From a wireless security viewpoint, any wireless device that is deployed officially or unofficially becomes part of the CDE as long as it provides access to cardholder data in transit, in process, or in storage. Any such device is evidently under the purview of PCI DSS.
Officially deployed wireless access points (APs) and clients can violate PCI DSS requirements if they are misconfigured or provide CDE access to unauthorized users. Unofficially deployed Rogue wireless APs and clients can also compromise the security of the entire network and provide CDE access to unauthorized users. Depending on how wireless usage influences a CDE, the PCI DSS 1.2 wireless security requirements can be broadly grouped into two categories:

• Those that address threats from unknown wireless networks and apply generally to all organizations wanting to comply with PCI DSS; and
• Those that apply to organizations who have deployed an official wireless network inside the CDE.

PCI DSS 1.2 Wireless Security Requirements for All Organizations

“[Generally applicable wireless requirements] apply to organizations regardless of their use of wireless technology and regardless of whether the wireless technology is a part of the CDE or not. As a result, they are generally applicable to organizations that wish to comply with PCI DSS.” - PCI Security Standards Council Wireless SIG

Irrespective of whether or not they have deployed a wireless network, organizations cannot afford to discount the presence of unknown or unmanaged wireless devices on their premises. Today all consumer computing devices (e.g., laptops, smartphones, PDAs) have WiFi built in. WiFi APs are inexpensive and available off-the-shelf for anyone to autonomously deploy their own wireless network at work. The significant risk that these unmanaged wireless devices pose to the CDE has prompted the PCI Security Standards Council to highlight the following PCI DSS requirements as applicable to all organizations wanting to comply with PCI DSS. Regardless of whether an organization runs or bans wireless, it needs to ensure that the CDE is not plagued with such Rogue wireless devices. These are minimum wireless scanning requirements.

Conduct Wireless Scans At Least Quarterly at All Locations

PCI DSS Requirement 11.1: Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.

“Although [use of a wireless analyzer for scanning] is technically possible for a small number of locations, it is often operationally tedious, error-prone, and costly for organizations that have several CDE locations. For large organizations, it is recommended that wireless scanning be automated with a wireless IDS/IPS system.” - PCI Security Standards Council Wireless SIG

Organizations must scan ALL their sites at least quarterly to detect Rogue or unauthorized wireless devices that may be attached to the CDE. Sampling a few sites for scanning is not allowed. Scanning only the CDE wired network does not serve the purpose, as it cannot detect Rogue wireless devices.

Walking around with a wireless analyzer to conduct scans is time-consuming, limited in scope (both in its ability to discover Rogue APs and in its relevance over a longer time period), does not scale to large premises, and is costly if multiple sites have to be scanned. Using a wireless IPS (WIPS) for scanning is a much more convenient and comprehensive alternative.
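Whichever tool does the scanning, the output of a Requirement 11.1 scan is only useful once each observed BSSID has been compared against the inventory of officially deployed APs and the leftovers triaged. The following Python is an added example of that triage step; it is not AirTight code and not part of the whitepaper. The inventory, the scan records, the list of factory-default SSIDs and the RSSI threshold used to guess that a device is on the premises are all constructed assumptions, and the verdicts for unknown BSSIDs deliberately say what to verify (wired connectivity to the CDE) rather than declare a breach, because a scan alone cannot tell a neighbor's AP from a Rogue plugged into the CDE.

```python
"""Classify wireless scan results against an authorized-AP inventory (PCI DSS 11.1).

Added example; not AirTight code and not from the whitepaper. The inventory,
scan records, default-SSID list and RSSI threshold below are constructed
sample data and assumptions, standing in for wireless analyzer or WIPS
sensor output.
"""
from collections import defaultdict
from dataclasses import dataclass

# Encryption settings not acceptable on a CDE WLAN (WEP is banned after 2010-06-30).
WEAK_SECURITY = {"OPEN", "WEP"}
# Common factory SSIDs: a hint that a consumer AP was plugged in with defaults untouched.
DEFAULT_SSIDS = {"linksys", "dlink", "default", "netgear", "wireless"}
ON_PREMISES_RSSI = -70  # assumption: stronger than this is probably inside the building

# Constructed inventory of officially deployed APs: BSSID -> (SSID, security)
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("store-pos", "WPA2-EAP"),
    "00:11:22:33:44:02": ("store-pos", "WPA2-EAP"),
}

# Constructed scan records, one per observed BSSID
SAMPLE_SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "store-pos", "security": "WPA2-EAP", "rssi": -48},
    {"bssid": "00:11:22:33:44:02", "ssid": "store-pos", "security": "WEP", "rssi": -55},
    {"bssid": "AA:BB:CC:DD:EE:01", "ssid": "store-pos", "security": "OPEN", "rssi": -60},
    {"bssid": "aa:bb:cc:dd:ee:02", "ssid": "linksys", "security": "OPEN", "rssi": -41},
    {"bssid": "aa:bb:cc:dd:ee:03", "ssid": "NeighborCafe", "security": "WPA2-PSK", "rssi": -82},
]


@dataclass
class Finding:
    bssid: str
    ssid: str
    verdict: str  # authorized | misconfigured | suspected-evil-twin | suspected-rogue | unknown
    reason: str


def classify_ap(rec, inventory=AUTHORIZED_APS):
    """Return a Finding for one scan record."""
    bssid = rec["bssid"].lower()
    ssid, sec, rssi = rec["ssid"], rec["security"].upper(), rec["rssi"]
    authorized_ssids = {s for s, _ in inventory.values()}

    if bssid in inventory:
        exp_ssid, exp_sec = inventory[bssid]
        if ssid != exp_ssid or sec != exp_sec:
            return Finding(bssid, ssid, "misconfigured",
                           f"inventory says {exp_ssid}/{exp_sec}, observed {ssid}/{sec}")
        return Finding(bssid, ssid, "authorized", "matches inventory")

    # Unknown BSSID. A scan alone cannot prove the AP is wired into the CDE,
    # so these verdicts say what to check, not that a breach has occurred.
    if ssid in authorized_ssids:
        return Finding(bssid, ssid, "suspected-evil-twin",
                       "unknown BSSID advertising an authorized SSID")
    if rssi > ON_PREMISES_RSSI and (sec in WEAK_SECURITY or ssid.lower() in DEFAULT_SSIDS):
        return Finding(bssid, ssid, "suspected-rogue",
                       "strong signal, unmanaged, weak or default settings; trace to the wired segment")
    return Finding(bssid, ssid, "unknown",
                   "probably a neighbor; confirm it is not on a CDE wired segment")


def review_scan(scan, inventory=AUTHORIZED_APS):
    """Group findings by verdict; everything except 'authorized' needs follow-up."""
    by_verdict = defaultdict(list)
    for rec in scan:
        finding = classify_ap(rec, inventory)
        by_verdict[finding.verdict].append(finding)
    return dict(by_verdict)


def missing_from_scan(scan, inventory=AUTHORIZED_APS):
    """Authorized APs that did not show up: possibly stolen or powered off (see 9.1.3)."""
    seen = {rec["bssid"].lower() for rec in scan}
    return sorted(set(inventory) - seen)


if __name__ == "__main__":
    for verdict, findings in review_scan(SAMPLE_SCAN).items():
        for f in findings:
            print(f"{verdict:20} {f.bssid}  {f.ssid!r}: {f.reason}")
    print("missing:", missing_from_scan(SAMPLE_SCAN))
```

The two checks that matter most for the CDE are the ones a walk-around analyzer tends to skip: an authorized BSSID whose beacon no longer matches the inventory (here the second AP has been reconfigured to WEP) and an unknown BSSID advertising the corporate SSID, which is the evil-twin pattern. Keeping the inventory current is what makes both checks possible, which is why the Wireless SIG recommends it.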
A WIPS gives you:
• 24x7 monitoring of wireless devices
• The ability to maintain an up-to-date wireless device inventory (recommended by the PCI SSC Wireless SIG)
• Instant detection of Rogue wireless APs
• Automatic blocking of Rogue APs and other wireless threats or hack attacks
• Location tracking to physically hunt down Rogue and other threat-posing wireless devices

Monitor Wireless Intrusion Alerts

PCI DSS Requirement 11.4: Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines up-to-date.

Unless a wireless network is segmented from the CDE (Requirement 1.2.3) using a firewall, the network should be monitored for wireless intrusion attempts. A WIPS should be configured to send automatic threat alerts and instantly notify the responsible personnel about potential risks and attacks.

Eliminate Wireless Threats

PCI DSS Requirement 12.9: Implement an incident response plan. Be prepared to respond immediately to a system breach.

A WIPS can help you respond to incidents automatically by blocking wireless threats such as Rogue APs before any damage is done. Any Rogue AP connected to a wired network inside the CDE should be physically removed; the location tracking capability of a WIPS can help locate it. A WIPS can also proactively protect against other common wireless threats such as man-in-the-middle attacks, denial-of-service attacks, and ad-hoc networks.

PCI DSS 1.2 Wireless Security Requirements for a Known WLAN inside the CDE

Organizations that run a wireless network as part of the CDE need to comply with the following PCI DSS requirements to run a secure wireless network, over and above the requirements discussed in the previous section (11.1 – conduct wireless scans at least quarterly at all locations, 11.4 – use a WIPS to monitor wireless intrusion alerts, and 12.9 – use a WIPS to eliminate wireless threats). These are secure wireless deployment requirements.

Change Default Settings

PCI DSS Requirement 2.1.1: For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.

Change default password: Replace the default password of your wireless AP with a stronger one (at least eight characters and a mix of alphanumeric characters). This prevents unauthorized users from logging into your AP and manipulating its settings.
Change default SSID: The Service Set Identifier (SSID), or network name, is configured on the wireless AP. Replace the default SSID with a unique name that does not reveal the identity of your organization or other private information about it.
Turn off unused services: By default certain wireless APs may run additional services such as Web-based remote management, zero configuration, and SNMP-based monitoring. If you are not using these services, simply turn them off. If you use SNMP, prefer SNMPv3, which supports stronger authentication than its predecessors.

Turn on security settings: Most wireless APs ship with wireless security turned off by default. Cardholder data sent over an unsecured wireless connection is up for grabs and can be passively sniffed by unauthorized users. Turn on security on your wireless APs and use strong encryption and authentication. See Requirement 4.1.1 for more details.

Use Strong Encryption and Authentication

PCI DSS Requirement 4.1.1: Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission. For new wireless implementations, it is prohibited to implement WEP after March 31, 2009. For current wireless implementations, it is prohibited to use WEP after June 30, 2010.

Use WiFi Protected Access (WPA or WPA2) to implement a secure wireless network. Use at least the Temporal Key Integrity Protocol (TKIP), and preferably the Advanced Encryption Standard (AES, in its CCMP mode), to protect in-transit cardholder data against eavesdropping; note that TKIP was only ever an interim measure for pre-802.11i hardware, has since been deprecated by IEEE 802.11-2012 and is not permitted under WPA3, so AES-CCMP should be the target and TKIP at most a temporary floor. Implement 802.1X-based central authentication to restrict wireless network access to authorized users. If you instead use Pre-Shared Key (PSK) authentication, use a strong passphrase that is at least eight characters long and mixes alphanumeric and special characters. Do not use the Wired Equivalent Privacy (WEP) protocol to encrypt wireless data. WEP is fundamentally broken and cannot be fixed by any supplementary solution. Use of WEP is not allowed in the CDE after June 30, 2010.
If you are still running a WEP-encrypted wireless network, a WIPS that detects and blocks WEP cracking attacks could serve as a compensating control until WEP is retired. Compensating controls must be documented and justified to your assessor, and this one only buys time until the June 30, 2010 cut-off.

Restrict Physical Access

PCI DSS Requirement 9.1.3: Restrict physical access to wireless access points, gateways, and handheld devices.

Physical access to authorized wireless devices should be restricted to minimize tampering with these devices and exposure of cardholder data. Physical access to wireless APs can be restricted by mounting them high on ceilings or walls and by installing them inside tamper-proof enclosures. Access to laptops and handheld devices should be restricted using strong passwords. Sensitive information on these devices should be encrypted to prevent unauthorized access even if a device is stolen. A WIPS can also serve as a wireless inventory management system, monitoring wireless devices and their activities, tracking their physical location inside the CDE, and enabling the administrator to quickly discover any missing or tampered devices.

Maintain Logs of Wireless Activity

PCI DSS Requirement 10.5.4: Write logs for external-facing technologies onto a log server on the internal LAN.

Archive logs of wireless activity for at least one year on a central server where they cannot be tampered with. Review wireless access logs daily to check for anomalous activity. Here a WIPS can be repurposed to maintain records of the wireless activity it has monitored and can also help in forensic analysis of past data if necessary.

Develop and Enforce Wireless Usage Policies

PCI DSS Requirement 12.3: Develop usage policies for critical employee-facing technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), e-mail usage and Internet usage) to define proper use of these technologies for all employees and contractors.

In defining wireless usage policies, organizations need to understand how to securely deploy a wireless network and encourage users to follow best practices when they use wireless laptops and handheld devices. Once wireless access policies are defined, a WIPS can be used to enforce those policies and proactively secure the CDE against unauthorized wireless access.
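The Requirement 2.1.1 and 4.1.1 points above (default SSID, WEP, weak cipher, PSK passphrase strength, 802.1X) are easiest to see side by side in an actual AP configuration. The Python below is an added example, not AirTight code and not from the whitepaper: it parses hostapd-style key=value configurations and reports which of those points each one fails. hostapd and the keys used (ssid, wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wep_key0, wpa_passphrase, ieee8021x, auth_server_*) are real; the three configurations, the default-SSID list and the passphrase rule (at least eight characters drawn from three of four character classes, which goes slightly beyond the paper's wording) are this example's constructed assumptions.

```python
"""Audit hostapd configurations against PCI DSS 2.1.1 / 4.1.1 wireless settings.

Added example; not AirTight code and not from the whitepaper. The three
configurations, the default-SSID list and the passphrase rule are
constructed assumptions; the hostapd keys themselves are real.
"""

# Constructed: a consumer-grade default that fails several checks
WEAK_CONFIG = """\
interface=wlan0
ssid=linksys
hw_mode=g
channel=6
wep_default_key=0
wep_key0=123456789A
"""

# Constructed: PSK with WPA version 1 still enabled and a dictionary passphrase
PSK_CONFIG = """\
interface=wlan0
ssid=store-pos
hw_mode=g
channel=6
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=password
"""

# Constructed: WPA2 only, AES-CCMP, 802.1X against a RADIUS server
HARDENED_CONFIG = """\
interface=wlan0
ssid=store-pos
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret
"""

DEFAULT_SSIDS = {"linksys", "dlink", "default", "netgear", "wireless"}


def parse_hostapd(text):
    """Minimal key=value parser; hostapd ignores blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def weak_passphrase(pp):
    """Assumed rule: under 8 characters, or fewer than three character classes."""
    classes = sum((any(c.islower() for c in pp), any(c.isupper() for c in pp),
                   any(c.isdigit() for c in pp), any(not c.isalnum() for c in pp)))
    return len(pp) < 8 or classes < 3


def audit(conf):
    """Return requirement-tagged findings; an empty list means nothing was flagged."""
    findings = []
    uses_wep = any(k.startswith("wep_key") for k in conf)
    wpa = conf.get("wpa", "0")  # hostapd bitfield: 1 = WPA, 2 = WPA2/RSN, 3 = both
    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    # rsn_pairwise governs WPA2 and falls back to wpa_pairwise when absent
    pairwise = set((conf.get("rsn_pairwise") or conf.get("wpa_pairwise", "")).split())

    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("2.1.1: vendor default SSID")
    if uses_wep:
        findings.append("4.1.1: WEP keys configured; WEP is prohibited in the CDE")
    if wpa == "0" and not uses_wep:
        findings.append("4.1.1: no encryption configured (open network)")
    elif wpa in ("1", "3"):
        findings.append(f"4.1.1: WPA version 1 allowed (wpa={wpa}); set wpa=2")
    if "TKIP" in pairwise:
        findings.append("4.1.1: TKIP cipher allowed; use CCMP (AES) only")
    if "WPA-PSK" in key_mgmt and weak_passphrase(conf.get("wpa_passphrase", "")):
        findings.append("4.1.1: weak pre-shared passphrase")
    if "WPA-EAP" in key_mgmt and conf.get("ieee8021x") != "1":
        findings.append("4.1.1: WPA-EAP without ieee8021x=1; 802.1X is not actually enabled")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("psk", PSK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_hostapd(text)) or ["ok"])
```

The PSK configuration is the instructive one: it uses a non-default SSID and offers CCMP, yet still fails because wpa=3 keeps WPA version 1 reachable, TKIP remains negotiable, and the passphrase is a dictionary word. Requirement 2.1.1 also covers management passwords and SNMP community strings, which live outside hostapd and are not checked here.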
How AirTight Networks Can Help You Meet PCI Compliance

The PCI requirement to conduct wireless scans at all sites can become very demanding. Walking around with wireless analyzers is too tedious and costly for organizations with a large number of sites. Many small- and medium-sized businesses do not have IT resources they can dedicate to wireless scanning. Additionally, for organizations that do not have a known WLAN AP in the CDE and are subject only to the minimum scanning requirements, a full Wireless IPS (WIPS) capability may not be required.

Built on its leading WIPS technology, AirTight Networks offers SpectraGuard Online, a SaaS-based wireless security solution for PCI compliance. It automates wireless scanning and requires no IT intervention, making PCI wireless scanning and compliance a low-cost, low-effort affair. Depending on the needs of the organization, SpectraGuard Online can be upgraded seamlessly to provide full wireless IPS capabilities.

SpectraGuard Online is a true “hands off” solution. The customer installs pre-configured wireless sensors (plug-and-play), responds to a few wireless setup questions and, within 72 hours, begins to receive wireless vulnerability alerts by email. Users can choose to receive a PCI Wireless Compliance report by email monthly or quarterly. Customer data is hosted in a secure SAS 70 certified datacenter designed for security and high availability.

SpectraGuard Online offers four service modules to choose from, with pricing as low as $20 per month per location.

Services                                                                  Basic Compliance   Wireless Alerts   Wireless IDS   Wireless IPS
Automated wireless scanning                                               Yes                Yes               Yes            Yes
Compliance report delivered by email monthly or quarterly                 Yes                Yes               Yes            Yes
Real-time email alerts for Rogue AP detection and wireless intrusion      -                  Yes               Yes            Yes
Archiving of alerts for one year                                          -                  Yes               Yes            Yes
Access to wireless IDS console                                            -                  -                 Yes            Yes
24x7 full wireless monitoring                                             -                  -                 Yes            Yes
Troubleshooting and customizable unlimited reporting                      -                  -                 Yes            Yes
24x7 full wireless intrusion prevention and automatic incident response   -                  -                 -              Yes
RF heat maps                                                              -                  -                 -              Yes
Location tracking to physically locate and remove Rogue APs               -                  -                 -              Yes
Using SpectraGuard Online, customers:
• Incur no capital expenditures
• Pay only for the wireless security features required
• Grow as needed
• Have an affordable and predictable total cost of ownership
• Do not need to be concerned with hardware or software obsolescence
• Can seamlessly upgrade to get full wireless IPS capabilities

Comparing Cost of PCI Wireless Scanning: SpectraGuard Online versus Full Onsite WIPS versus Wireless Analyzer

[Chart: Cost of PCI Compliance (Million $, 0.5 to 5) against Number of sites (500 to 5000), with three series: Wireless analyzer, On-site WIPS, SpectraGuard Online. Estimated one-year expense for PCI wireless scanning. For SpectraGuard Online and on-site WIPS, one wireless sensor per location is assumed. Cost for scanning with a wireless analyzer includes logistics costs such as travel and lodging.]

The total cost of ownership for SpectraGuard Online is radically lower, by 60 to 75 percent, than any competitive WIPS solution on the market today. For large enterprises with hundreds or even thousands of sites across the globe, PCI compliance wireless scanning using the SpectraGuard Online automated, hosted solution is dramatically less expensive in both manpower and cost than walk-around scanning using any wireless analyzer.

Conclusions

The PCI Security Standards Council has made it clear that wireless security is a concern that all merchants, regardless of whether or not wireless is deployed, must address. Scanning all sites for wireless vulnerabilities and threats such as Rogue APs and eliminating them from the cardholder data environment (CDE) is mandatory.
A wireless IPS (WIPS) can automate wireless scanning, alert monitoring, compliance reporting and threat prevention.

AirTight Networks’ SpectraGuard Online delivers PCI wireless scanning and wireless intrusion prevention as a SaaS. It makes wireless scanning for PCI compliance easy and cost-effective. Organizations can choose the features they need depending on their size and use of wireless, and save significantly as compared to on-site WIPS installations or manual scanning using a wireless analyzer.

ABOUT AIRTIGHT NETWORKS

AirTight Networks is the global leader in wireless security and compliance solutions, providing customers best-of-breed technology to automatically detect, classify, locate and block all current and emerging wireless threats. AirTight offers both the industry’s leading wireless intrusion prevention system (WIPS) and the world’s first wireless vulnerability management (WVM) security-as-a-service (SaaS). AirTight’s award-winning solutions are used by customers globally in the financial, government, retail, manufacturing, transportation, education, healthcare, telecom, and technology industries. AirTight owns the seminal patents for wireless intrusion prevention technology, with 11 U.S. patents and two international patents granted (UK and Australia) and more than 20 additional patents pending. AirTight Networks is a privately held company based in Mountain View, CA. For more information please visit

The Global Leader in Wireless Security Solutions
AirTight Networks, Inc., 339 N. Bernardo Avenue #200, Mountain View, CA 94043
T +1.877.424.7844  T 650.961.1111  F 650.961.1169

AirTight Networks and the AirTight Networks logo are trademarks, and AirTight and SpectraGuard are registered trademarks of AirTight Networks, Inc. All other trademarks mentioned herein are properties of their respective owners.
Specifications are subject to change without notice.