RE: Any PCI Gurus?

[Matthew Reed <mreed () consolidatedgraphics com>]

Regarding segmentation, my understanding from reading DSS is that VLANS are not acceptable segmentation. This passage 
was taken from page 10 of DSS 2.0 which was released in October of last year. The document can be found at:
https://www.pcisecuritystandards.org/security_standards/documents.php

The passage I am referring to is:

"The PCI DSS security requirements apply to all system components. In the context of PCI DSS, "system components" are 
defined as any network component, server, or application that is included in or connected to the cardholder data 
environment. "System components" also include any virtualization components such as virtual machines, virtual 
switches/routers, virtual appliances, virtual applications/desktops, and hypervisors."

The words "included in or connected to the cardholder data" would include a logical network residing on or connected to 
the physical server that houses the data. For our interpretation of the standard, we replace "segmentation, 
segmentation, segmentation" with "air gap, air gap, air gap".

Matthew Reed, GSEC, CHPSE

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ben
Sent: Friday, January 14, 2011 5:59 PM
To: Shankl Shankl
Cc: security-basics () securityfocus com
Subject: Re: Any PCI Gurus?

Hi Shankl,

   I'm no QSA or PCI consultant (apply all normal disclaimers here),
but I think I can provide some insight on most of these.

On Thu, Jan 13, 2011 at 4:38 PM, Shankl Shankl <shankl () hotmail com> wrote:
> Heres a little scenario that I wanted to throw out there and get an opinion on by someone who knows PCI. I am starting
>
> to learn but couldn't help with this problem because I've never assisted in a PCI audit...
>
> (I would think this problem has been encountered by many companies that make network appliances)
>
> ====== Background =======
>
> 1) Company A is a small company (only 5 employees)
>
> 2) They provide a service which requires their customer, Company B, to install a small network appliance on their LAN
>
> in order to collect data from their onsite mechanical equipment.
>
> 3) Operating data is then pulled from these mechanical systems and then dumped to a remote server which processes the
>
> data and provides a dashboard for the customer to view (via SSL).
>
> 4) Company B bought a license for this service and was also handed over the keys to administer accounts and decide
>
> which employees it would like to give access to.
>
> 5) Now let's say that Company B typically processes credit card payments locally and sends transaction data through
>
> their local LAN on its way out to their payment processor.
>
> ====== Problems =======
>
> 1) Company A does not take credit cards and is not required to be PCI compliant however they do provide a service 
> which
>
> requires their network appliance to be installed on Company B's network.
>
> 2) In recent days Company A has come to the conclusion that in some of Company B's newly acquired satellite offices,
>
> credit card data is being forwarded across the LAN in a variety of ways (some of which do not look to be
>
> secure/encrypted).
>
> 3) In addition, several of these satellite offices are running consumer grade routers (ie: Linksys, Netgear) providing
>
> little in the way of segmentation.
>
> 4)Company A would like to avoid being "In Scope" and having to charge the client for consulting fees.
>
> ====== Questions =======
>
> 1) For the smaller satellite offices what might be a simple fix?

Segmentation. Segmentation. Perhaps a little more segmentation.
Proverbial "Company B" should really be segmenting their traffic to
keep CHD away from other devices to reduce scope as much as possible.
The other possibility, though it lands on the opposite end of the
simplicity scale, is tokenization. This is a fairly new method of
reducing scope and is a much larger undertaking probably best left
alone in smaller environments.

> 2) Does segregation provide an easy way to kick devices out of scope for PCI audits?

Yes, very much so. (See above.) If we're still talking about
consumer-grade devices, segmentation that meets standard may not be as
easily achieved. Most entry-level business class equipment offers
simple VLANs and ACLs that quite easily meet the requirements for
network segmentation.

> 3) Would it be recommended/possible to have a firm produce a report which could be handed to an auditor and prove 
> "Out of Scope" prior to being dragged into one of these audits?

It would probably be possible to get a QSA to do a brief engagement to
confirm whether or not "Company A's" devices are "in scope" at
"Company B," but the QSA that "Company B" is using for their own audit
should be able to define this, as well.

> 4) Could the network appliance be designed/situated in such a way as to be "out of scope" or at least easily 
> verifiable as compliant even if it was sitting on the same logical subnet where the card data traffic was moving 
> across?

While it may not seem like it, this is a fairly ambiguous question.
The best way to situate the appliance to be out of scope is to put it
on a different network segment. Whether or not the appliance itself is
compliant is an even most dubious question. This depends heavily on
what the device is, does, and can do. The only way that (this is where
I'll admit my experience gets a bit fuzzy) a device can be said to be
"compliant" is based upon its configuration or ability to meet
configuration requirements. Is this what this particular question
centers around?


> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


NOTICE:  This message, as well as any attached document, contains information from Consolidated Graphics, Inc. that is 
confidential and/or privileged, or may contain attorney work product.  The information is intended only for the use of 
the addressee(s) named above.  If you are not the intended recipient, you are hereby notified that any review, use, 
dissemination, forwarding, printing, copying, disclosure, or the taking of any action in reliance on the contents of 
this message or its attachments is strictly prohibited, and may be unlawful.  If you have received this message in 
error, please destroy all copies (in any form) of this message and its attachments, if any, without disclosing the 
contents, and notify the sender immediately.  Unintended transmission does not constitute waiver of the attorney-client 
privilege or any other privilege.  Unless expressly stated in this email, nothing in this message should be construed 
as a digital or electronic signature.  Thank you for your cooperation.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------