Monday, November 20, 2006

PCI Requirement 2

This entry covers Requirement 2 for PCI Compliance. In essence there is aquite a bit of common sense that went into this requirement, but as we see in other aspects of life, you should not ignore pointing out the obvious.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Hackers (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information.

–2.1 Always change vendor-supplied defaults before installing a system on the network (for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts).
–2.1.1 For wireless environments, change wireless vendor defaults, including but not limited to, wireless equivalent privacy (WEP) keys, default service set identifier (SSID), passwords, and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable. TNT will allow you to control access by endpoints allowing only users from authorized devices to access your environment

- 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security Network (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS).
–2.2.1 Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers)
–2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the devices’ specified function)
–2.2.3 Configure system security parameters to prevent misuse
–2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

-2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access. TNT will work with any encryption technology in place so that you can extend what you already have/own.

-2.4 Hosting providers must protect each entity’s hosted environment and data. These providers must meet specific requirements as detailed in Appendix A: “PCI DSS Applicability for Hosting Providers.” TNT’s solution is ideal for data centers, allowing the providers to audit, segment, and enforce entire customer environments with a single piece of technology. In fact if I were going to start a business, it would be to use TNT as a service offering to secure and audit the most sensitive data of customers.


Post a Comment

<< Home