Free Log Management and PCI DSS 3.0

Robust, reliable and scalable Log Management requires a huge effort from all companies trying to achieve and maintain PCI DSS compliance. PCI DSS v3 mandates the following requirements for all devices located in the Cardholder Data Environment:

10.1 Implement audit trails to link all access to system components to each individual user.
10.2 Implement automated audit trails for all system components to reconstruct the following events:
10.2.1 All individual user accesses to cardholder data
10.2.2 All actions taken by any individual with root or administrative privileges
10.2.3 Access to all audit trails
10.2.4 Invalid logical access attempts
10.2.5 Use of and changes to identification and authentication mechanisms (including but not limited to creation of new accounts and elevation of privileges) and all changes, additions, or deletions to accounts with root or administrative privileges
10.2.6 Initialization, stopping, or pausing of the audit logs
10.2.7 Creation and deletion of system-level objects
10.3 Record at least the following audit trail entries for all system components for each event:
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource.
10.5 Secure audit trails so they cannot be altered.
10.5.1 Limit viewing of audit trails to those with a job-related need.
10.5.2 Protect audit trail files from unauthorized modifications.
10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.
10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.
10.6.1 Review the following at least daily:
-All security events
-Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD
-Logs of all critical system components
-Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.
10.6.3 Follow up exceptions and anomalies identified during the review process.
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
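
Requirement 10.5.5 above asks for change detection that stays quiet when new data is appended but alerts when existing log data is altered. The sketch below is an added illustration of that check, not part of the original post or of any tool it names; the file name and log lines are constructed samples.

```python
import hashlib
import os
import tempfile

def snapshot(path):
    """Baseline: current length of the log and SHA-256 of its content."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def check(path, baseline):
    """Return 'unchanged', 'appended' (no alert) or 'ALERT'."""
    try:
        with open(path, "rb") as fh:
            prefix = fh.read(baseline["size"])  # bytes covered by the baseline
            grew = fh.read(1) != b""            # anything after them is new data
    except FileNotFoundError:
        return "ALERT"                          # log deleted
    if len(prefix) < baseline["size"]:
        return "ALERT"                          # log truncated
    if hashlib.sha256(prefix).hexdigest() != baseline["sha256"]:
        return "ALERT"                          # existing entries rewritten
    return "appended" if grew else "unchanged"

def demo():
    """Walk a constructed log through append, in-place edit and truncation."""
    first = b"Feb 24 14:05:02 web01 sshd[2211]: Failed password for root from 192.0.2.10\n"
    second = b"Feb 24 14:05:09 web01 sshd[2211]: Accepted password for alice from 192.0.2.10\n"
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secure.log")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(first)
        base = snapshot(path)
        results.append(check(path, base))       # nothing has happened yet
        with open(path, "ab") as fh:
            fh.write(second)
        results.append(check(path, base))       # new entry only
        base = snapshot(path)                   # accept the append as the new baseline
        with open(path, "wb") as fh:
            fh.write((first + second).replace(b"root", b"toor"))
        results.append(check(path, base))       # same length, old entry edited
        with open(path, "wb") as fh:
            fh.write(first)
        results.append(check(path, base))       # second entry removed
    return results

if __name__ == "__main__":
    print(demo())
```

Log rotation looks like truncation to this check, so the baseline has to be retaken as part of the rotation job, and the baseline itself must be stored where the monitored host's administrators cannot rewrite it.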


There are plenty of outstanding commercial tools out there to fulfill the above list, such as Splunk, GFI Monitor or Tripwire. However, many companies do not have the budget to spend thousands of pounds on commercial tools.

Recently, I stumbled across a very promising tool called graylog2. It is an Open Source project, which I tested thoroughly. It's been running in my test lab for over 4 weeks without any glitches and I can definitely recommend it. It has the potential to fulfill all relevant PCI DSS v3 requirements and will give any sysadmin a great amount of information for troubleshooting, etc.


I installed graylog2 without any problems on a minimal version of CentOS release 6.5 (Final).

Download and install:

Graylog2 Server

Open up your browser and go to http://localhost:9000. At this point you should see:

[Screenshot: Graylog2 - Welcome to Graylog2 - Sign in]

Configure Inputs. I settled on the standard Syslog Port UDP 514. graylog2 supports multiple other input formats:

[Screenshot: Graylog2 - Inputs of node]

Point your clients to the graylog2 server and start reviewing logs:

[Screenshot: Graylog2 - Search results]

graylog2 can certainly fulfill all PCI DSS v3 requirements and do more. It is one of those rare tools that allow sysadmins to truly see what is happening in their networks.
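
To confirm that the Syslog UDP 514 input configured above actually receives events carrying the fields listed under requirement 10.3, a test client can emit one well-formed message and you can then look for it in the search results. This is an added example, not code from the original post or from the graylog2 project; the key names in `REQUIRED`, the host names and the sample event are assumptions.

```python
import socket
from datetime import datetime

# Numeric codes from RFC 3164 (subset)
FACILITY = {"auth": 4, "authpriv": 10, "local0": 16}
SEVERITY = {"err": 3, "warning": 4, "notice": 5, "info": 6}
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Hypothetical key names for 10.3.1, 10.3.2, 10.3.4, 10.3.5 and 10.3.6;
# date and time (10.3.3) travel in the syslog header.
REQUIRED = ("user", "event", "result", "src", "object")

def missing_fields(fields):
    """List the 10.3 fields an event lacks before it is sent."""
    return [key for key in REQUIRED if not fields.get(key)]

def build_syslog(facility, severity, host, tag, fields, when):
    """Format one RFC 3164 message: <PRI>Mmm dd hh:mm:ss host tag: k=v ..."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    # The day of month is padded with a space, not a zero
    stamp = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    body = " ".join(f"{key}={value}" for key, value in fields.items())
    return f"<{pri}>{stamp} {host} {tag}: {body}".encode("ascii", "replace")

def send_udp(payload, server, port=514):
    """Send one datagram to the syslog input; UDP gives no delivery receipt."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (server, port))

if __name__ == "__main__":
    # Constructed sample event
    event = {"user": "alice", "event": "login", "result": "failure",
             "src": "192.0.2.10", "object": "web01:/admin"}
    gaps = missing_fields(event)
    if gaps:
        raise SystemExit(f"event lacks 10.3 fields: {gaps}")
    message = build_syslog("authpriv", "warning", "web01", "app", event, datetime.now())
    send_udp(message, "graylog.example.internal")  # placeholder server name
```

Because UDP delivery is not acknowledged, a test event that never shows up in the search results may have been dropped in transit rather than rejected by the input.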

Main benefits:

  • easy configuration,
  • it supports multiple inputs – collect logs from Windows/*nix, Firewalls, Switches, IDS, FIMs, etc. in one place,
  • it is scalable; it can be configured in multi-node mode with full replication and load balancing,
  • it supports strong authentication with multiple users (PCI DSS Req. 7 and 8),
  • it supports various plugins,
  • it is FREE!

How to get your annual CPEs?

Any reputable IT accreditation (think CISSP, CISA, GIAC) comes with an ongoing, annual maintenance effort, usually in the form of Continuing Professional Education ('CPE') credits. Typically, an individual holding such a certification is required to gather a minimum of 20 CPEs per annum and 120 CPEs over 3 years.

Lots of IT Pros complain about lack of opportunities to earn CPEs, which can’t be further from the truth. Let me break it down for you, how easy it is to obtain 40 CPEs per annum.

1. ISC2 or ISACA Magazines – 24 CPEs per annum.

2. BrightTALK webinars (one a month) – 12 CPEs per annum.

3. Review of 2x IT related books – 4 CPEs per annum.

TOTAL = 40 CPEs per annum.


What Is New in PCI DSS 3.0?

“Get the ‘must know’ details about PCI DSS 3.0 from one of the original authors of PCI DSS 1.0. PCI expert, Didier Godart, explains:
Which changes are most significant?
How the changes will impact you & what actions you need to take?
How to incorporate the updates into your priorities?
The latest changes to PCI DSS 3.0 involve clarifications, additional guidance, evolving requirements, better documentation and scoping, and importantly, necessary action from IT and security teams.”

BrightTALK Webcast – CLICK HERE.


PCI DSS Under Fire

Following the recent security breach at Target, which affected 40 million customers, ISC2 raised the question of whether PCI DSS is still current and adequately protects cardholder data.

I strongly believe that it does protect cardholder data, if it’s enforced properly throughout the year.

Unfortunately, some people still think that PCI DSS is a silver bullet, which solves all security issues, without additional effort. A week-long assessment, co-signed paperwork and all aspects of security are solved for the next 12 months – that’s how some companies still operate and that’s why they get breached.

So, please consider the following points to improve your security and minimize the chances of your company being breached:

1. Any skilled IT Sysadmin can fool a QSA during the assessment. Systems / servers can be hidden, configuration settings can be tweaked, just to satisfy the QSA during the assessment.

2. A PCI DSS assessment does not prove anything except the fact that a company is believed to be compliant during the timeframe of the assessment, based on the evidence collected. That’s it!

3. Use PCI DSS as a framework to deploy software and hardware, which your staff will use to spot abnormalities, rather than just to satisfy QSAs. Examples: Log Aggregation, File Integrity Monitoring, Intrusion Detection System.

4. Educate your employees and ensure that they do understand the importance of PCI DSS and its requirements. I see lots of frustrated people, who do things automatically to satisfy evidence required for annual audit.

5. Don’t skip requirements. Deploy all mandatory hardware and software. Defense in depth and Layered Security are the only two terms, which can save your company.

6. Always remember: PCI DSS is a bare minimum. Do more! Act faster!


TOP 5: Choosing the right QSA

The market of Qualified Security Assessors (‘QSAs’) has grown rapidly since the introduction of PCI DSS version 1.0 back in 2005. The article aims to help companies to pick the right QSA.

1. Focus your search on individuals you would like to work with, rather than the QSA company itself. All QSA companies have been vetted by the PCI SSC. It is down to your preferences whether you prefer a smaller or a larger QSA company. There are pros and cons of working with both, which are beyond the scope of this article.

2. Use social networks, such as LinkedIn, Facebook and Twitter, to gather background information about those individuals you want to work with. Ensure that they have enough experience to be able to help your company. Study their credentials and previous employment records. There are plenty of QSAs out there who do not have an awful lot of technical expertise. PCI DSS is a technical standard and one has to be technically sound in order to be able to assess an environment thoroughly.

3. A QSA should be helpful. Most of the time, the initial PCI DSS meeting turns into a long relationship. Yes, the primary objective of the final PCI DSS assessment is to assess the company. However, there is a lot of work required pre and post assessment. You don’t want to work with someone who has a “tick box” approach and is not willing to provide additional advice or recommendations.

4. A knowledgeable QSA will save you money. By making correct decisions and recommendations, a skilled QSA will help you design and maintain the network in a compliant but, most importantly, secure way. Too often I see companies spend thousands of pounds on technologies, which they have to redesign or even scrap during the PCI DSS assessment.

5. Search for a QSA with experience in technologies you use in your company. It is very difficult for any QSA to assess technologies he is not familiar with. If you just deployed 100 new F5 Load Balancers, ensure that the QSA has enough expertise to assess them correctly.

Let’s not forget that PCI DSS is a technical standard, which, if executed correctly, provides multiple layers of security controls to your organization. If your company falls into scope for PCI DSS, you may as well design the network and deploy the right technologies from day one, rather than just tick boxes to meet PCI DSS requirements.
In order to achieve the above, you need to find a knowledgeable security consultant, who will not only assess your company but also provide advice to make your network more secure.


Biometrics Can Revolutionise Mobile Payment Security, says Frost & Sullivan

Biometrics Can Revolutionise Mobile Payment Security, says Frost & Sullivan (via PR Newswire)

As pure-payment protection, it offers undeniably higher levels of security and intuitive customer experience LONDON, Aug. 12, 2013 /PRNewswire/ — With the explosion in smartphones usage, the number of payments done via mobile devices has significantly…
