Penetration Testing mailing list archives
re: PCI Compliance Scope
From: Timothy Shea <tim () tshea net>
Date: Thu, 12 Nov 2009 19:49:13 -0600
I don't think you are getting it. You will not be able to convince the PCI auditor that your log server is out of scope, as having a log server is REQUIRED by PCI. Track 10 of PCI covers this. And your log server has to be managed in an appropriate way, such as limited access and a method to ensure that log files aren't tampered with. And you have to prove it.

Furthermore, just because a system is logging data to your log server doesn't mean that it is automatically in scope of PCI. Your log server may contain log files from systems with CC data, PHI data, or your warez server. That doesn't mean your warez server needs to fulfill PCI or HIPAA requirements.

I would suggest going to the PCI site and reading the standard before trying to challenge the auditor.

t.s

On Thu, Nov 12, 2009 at 4:18 PM, Danux <danuxx () gmail com> wrote:
Thanks all for your feedback, I will clarify the most common questions you asked:

a) The Log Management server is a receiver so it is not able to reach PCI Assets.
b) The Log Management server does not store PII/CC data.

It seems like 80% of the audience thinks that if I am not storing PII/CC data in the Log Server and have no direct access (push) to PCI assets then it should be out of scope. I told the PCI Auditor that in my opinion the PCI goal was to protect CC data and since my Log Server is not able to reach PCI assets then it was out of scope. The PCI Auditor said exactly what David Glosser mentioned above: the goal in this point is to protect the Log Server from tampering. I totally disagree with that because I think the PCI goal is to protect CC data and if no PII/CC is stored in the log server then it does not matter if someone is tampering with it.

Can someone tell me whether by getting usernames from log files you are gonna be able to bypass the firewall to connect to PCI assets and/or get passwords automatically and/or steal/decrypt CC data? All this requires extra effort; usernames are not even considered PII since they are something PUBLIC.

Now, if the goal is to protect Log files then, as I mentioned at the beginning of this conversation, all assets pushing info to the Log server are in scope too!! because each one can reach it and therefore try to compromise it.

CONCLUSION: Let's think as Auditors. If I want to convince the PCI Auditor about putting my Log Server out of scope, I need trusted resources. Do you have any documentation from trusted sources like NIST, Gartner, and so on that explains how to deal with this scenario?

Thanks all once again. I promise to let you all know the result of this point so you know the real way, from a PCI perspective, to deal with it.

On Thu, Nov 12, 2009 at 3:34 PM, Eric Milam <emilam () coretechsg com> wrote:
It's not my decision, last I checked I don't think the PCI Council allowed it as the only form of separation.
Tracy Reed wrote:
On Thu, Nov 12, 2009 at 12:42:35PM -0800, Eric Milam spake thusly:
Basically the fear is base camps from which to launch an attack. As Erin stated below, if there are measures in place (not just VLANs) to prevent access from the log machine to the Card Holder data environment then it may be that the device will be out of scope.

Why not just VLANs? Do we not trust VLANs or are we worried about VLAN misconfiguration? Or switch compromise? Cisco commissioned a study by @Stake (IIRC) which made a pretty good case for VLAN security. Of course, that may just be Cisco getting the results it paid for. But it seemed reasonable to me.

--
Daniel Regalado aka Danux
Hacker Wanna Be from Nezahualcoyotl
www.macula-group.com

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
--
Tim Shea, CISSP
612-384-6810
tim () tshea net
http://www.linkedin.com/in/timothyshea
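Tim's point that the log server needs a method to ensure log files aren't tampered with, and that you have to prove it, is what tamper-evident logging addresses. The following is an added example, not code from anyone in this thread: a hash-chained log in which each stored record carries an HMAC over its own content and the previous record's tag, so an edit or deletion of an earlier record is detected on verification. The key, record format and sample log lines are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key: on a real receiver it stays on the log server (or an HSM),
# not on forwarding hosts, so a compromised forwarder cannot forge valid tags.
DEMO_KEY = b"demo-log-integrity-key-not-for-production"
GENESIS = "0" * 64  # stands in for the "previous tag" of the first record

def _tag(key, prev_tag, record):
    """HMAC-SHA256 over the previous tag and the canonical JSON of this record."""
    body = prev_tag.encode() + json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_chain(records, key=DEMO_KEY):
    """Store records in order; each entry's tag also covers the previous entry's tag."""
    chain, prev_tag = [], GENESIS
    for rec in records:
        tag = _tag(key, prev_tag, rec)
        chain.append({"record": dict(rec), "tag": tag})
        prev_tag = tag
    return chain

def verify_chain(chain, key=DEMO_KEY):
    """Recompute every tag; return (ok, index of first bad entry or None)."""
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(_tag(key, prev_tag, entry["record"]), entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, None

# Constructed sample records, as a receiver might store them from forwarding hosts.
SAMPLE_RECORDS = [
    {"ts": "2009-11-12T19:40:01Z", "host": "db01", "msg": "accepted login for appuser"},
    {"ts": "2009-11-12T19:41:17Z", "host": "fw01", "msg": "denied tcp 10.0.9.8 -> 10.0.1.5:1433"},
    {"ts": "2009-11-12T19:42:03Z", "host": "db01", "msg": "audit: SELECT on payments table"},
]

def tamper_demo():
    """Editing a stored record (rewriting the firewall denial) breaks its own tag."""
    chain = build_chain(SAMPLE_RECORDS)
    chain[1]["record"]["msg"] = "accepted tcp 10.0.9.8 -> 10.0.1.5:1433"
    return verify_chain(chain)

def deletion_demo():
    """Removing a middle record breaks the link carried by the record after it."""
    chain = build_chain(SAMPLE_RECORDS)
    del chain[1]
    return verify_chain(chain)
```

Truncating the tail of the chain is not caught by this check alone; the receiver also needs to record the latest tag somewhere the log store cannot silently rewrite (a signed checkpoint or write-once medium) so the expected head is known.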
Current thread:
- PCI Compliance Scope Danux (Nov 12)
- RE: PCI Compliance Scope Gary Everekyan (Nov 12)
- RE: PCI Compliance Scope Erin Carroll (Nov 12)
- Re: PCI Compliance Scope Eric Milam (Nov 12)
- Re: PCI Compliance Scope Tracy Reed (Nov 12)
- Re: PCI Compliance Scope Eric Milam (Nov 12)
- Re: PCI Compliance Scope Danux (Nov 12)
- Message not available
- re: PCI Compliance Scope Timothy Shea (Nov 13)
- Re: PCI Compliance Scope Mohamed Farid (Nov 13)
- Re: PCI Compliance Scope Gary E. Miller (Nov 13)
- Re: PCI Compliance Scope rajat swarup (Nov 13)
- Re: PCI Compliance Scope David M. Zendzian (Nov 13)
- RE: PCI Compliance Scope Jason Hurst (Nov 13)
- Re: PCI Compliance Scope Danux (Nov 16)
- Re: PCI Compliance Scope Eric Milam (Nov 12)
- Re: PCI Compliance Scope David M. Zendzian (Nov 13)
- Re: PCI Compliance Scope Dotzero (Nov 16)