Baseline Magazine - February 2008

PC I Requirement Implementation Technology Install and maintain a A firewall must be used to segregate traffic from public external and Stateful packet firewall configuration to internal untrusted networks. inspection firewalls protect cardholder data. _Application/Web Application Firewalls Password Auditing

Do not use defaults passwords and security settings

Most security products come with default passwords and configurations, which often don’t provide adequate protection. Resetting to an organization’s unique needs and threats is best practice.

System Hardening Tools

Credit Card Personal Account Numbers (PANs) should be truncated Data or masked whenever stored and necessary storage of these Encryption numbers should be eliminated. The full content of magnetic stripe data, PINs, and credit card validation numbers should never be stored. PANs that are stored should be encrypted.

Vendors and Products
Check Point Software Technology Fire Wall- 1, Secure Computing Side Winder G2
Sonic WALL Pro , Cisco PIX, Fortinet Fortigate, Juniper ISG
Citrix Application Firewall, F5 Networks Big-IP, Protegrity Threat Management System
Barracuda Web Application Controllers, Breach Security Web Defend,
Imperva Secure Sphere Web Application Firewall
LCPSoft LCP, DoubleUp Software PWDDoubleCheck, Elcomsoft Proactive Password
Auditor
Bastille Hardening, Microsoft Baseline Security Analyzer, PivX

Protect stored NetLib Encryptionizer, Protegrity Data Protection System, Vormetric Data Security cardholder data Expert, Application Security, Db Encrypt, Decru DataFort, RSA Security Database

Security Manager

Database Guardium Security Suite, IPLocks Suite, Protegrity Enterprise Security Reporter Monitoring Tizor Systems Mantra, Sentrigo Hedgehog

Encrypt transmission of Transmission of cardholder data over open, public networks should Transport Encryption VeriSign, Comodo, Thawte, Geo Trust, Entrust ^cardholder ^data ^across ^be ^protected ^by ^transport ^encryption ^such ^as ^secure ^socket ^layeropen, public networks (SSL), transport layer security ( TLS) and Internet Protocol Security ^Wireless ^Security ^AirMagnet ^Enterprise, ^AirDefense ^Enterprise, ^Cisco ^Wireless ^LAN ^Security_(IPSec) _VPNs. _Wireless _{transmissions} _must _use _WiFi _Protected _Management

Access ( WPA) encryption with a minimum of 104-bit encryption with 24-bit initialization value.

Any systems that can potentially be infected by viruses must Antivirus have antivirus systems that can detect and remove malware, and generate audit logs.

Use and regularly update antivirus software

IDS/IPS

Process and systems should be in place for identifying vulnerabilities and installing patches on a regular basis. Custom-developed applications should follow current secure coding techniques. Web-facing applications need to be reviewed for common vulnerabilities or protected using a Web application fire wall (not required until June).

Restrict access to Access should be limited to only authorized users who must have cardholder data by access to perform business duties. business, need-to-know

Develop and maintain secure systems and applications

Vulnerability Management Tools

CA Antivirus, McAfee Virus Scan, Symantec Norton Antivirus, Kaspersky Lab Antivi-
rus, Sophos Antivirus, Trend Micro Antivirus
Lumension Sanctuary, Bit9 Parity, Cisco IPS, IBM Proventia
Juniper IDP, McAfee IntruShield, TippingPoint/3Com IPS
Symantec Altiris SecurityExpressions, Mc Afee/Citadel Security Soft ware, Lumension
Security Management Console, Qualys Guard PCI, Shavlik Security Intelligence

Web Access Management

Provisioning

Assign a unique identity Actions by every user should be trackable by assigning each one to each person with an individual identity and by monitoring their activities. Strong computer access authentication techniques should be employed.

Database Monitoring Two-Factor Authentication

Identity Management

Restrict physical access Develop procedures to physically limit access to data center to cardholder data equipment containing cardholder information. Track and monitor all Implement a method to log access to cardholder data and maintain access to network this audit trail for at least a year, with three months of online resources and availability. Inspect audit trail daily for problems (can use log cardholder data harvesting, parsing and alerting tools to accomplish this).

CA SiteMinder, Evidian Web Access Manager, Entegrity AssureAccess
IBM Tivoli Federated Identity Manager, Oracle Access Manager
Entrust GetAccess, Novell Web Access Manager
BMC Software User Administration and Provisioning, CA e Trust, Hewlett-Packard
Provisioning Manager, IBM Tivoli
Guardium Security Suite, IPLocks Suite, Protegrity Enterprise Security Reporter, Tizor
Systems Mantra, Sentrigo Hedgehog
RSA Security (EMC) SecurID, VASCO Digipass, BioPassword, Entrust IdentityGuard,
Aladdin e Token, ActivIdentity ActivClient, CRYPTOCard CRYP TO-Shield, Authenex
Strong Authentication System
CA, IBM Tivoli Federated Identity Manager, MaXware SAP Net Weaver, Imprivata
OneSign, ActivIdentity ActivID, Novell Identity Manager, Sun Microsystems Identity
Manager
HID badge systems (Biometrics system are also acceptable)

Regularly test security systems and processes

Maintain a policy that addresses information security for employees and contractors

Badge-based

Access

Database Monitoring See Above

Network ConSentry LANShield, Cisco Systems ASA 5580 Series, StillSecure SafeAccess, Access Control Juniper Networks Unified Access Control

Log LogLogic 4, SenSage Event Data Warehouse, Q1 Labs Qradar, Arcsight Logger, Intel-aggregation tools litactics Log Acquisition Appliance, Prism Microsystems Event Tracker

Security Information Intellitactics, TriGeo Networks SIM, netForensics nFX Open Security Platform, RSA Management envision, ArcSight ESM

Net work Penetration Core Security Technologies Core Impact, Nessus (open source) , SAINT (open source), and Vulnerability IBM (ISS) Net work Scanner, Symantec, Mc Afee (Foundstone), Qualys, White Hat Scanning Security

The policy should include usage guidelines for all employee-facing Policy Creation Symantec BindView Policy Manager, Polivec Enterprise Governance Solution, NetIQ technology, information security duties to individual I T staffers and VigilEnt Policy Center, Cisco Security Policy Builder, Enterasys NetSight Policy Manager security awareness program component.