Real-Time PCI Compliance Monitoring


Leveraging Asset-Based Configuration and Vulnerability Analysis with Real-Time Event Management
January 28, 2010 (Revision 6)
Ron Gula, Chief Technology Officer

Table of Contents

Introduction ... 3
  What is your audit process? ... 3
    Checkbox Audits ... 3
    Performing Simultaneous and Real-Time Audits ... 3
  Avoiding Auditor Ambiguity ... 4
Tenable's Solutions ... 4
  Core Solution Description ... 4
  Asset Centric Analysis ... 5
  Data Leakage Monitoring ... 5
  Configuration Audits ... 6
  Security Event Audits ... 7
  Web Application Scanning ... 7
Tenable and PCI ... 8
  Background ... 8
  Tenable's Role in PCI ... 8
  PCI Security Audit Procedures and Reporting ... 8
Appendix A: Tenable Solutions for PCI Security Audit Standards
Appendix B: Tenable Solutions for PCI Security Scanning Procedures ... 42
About Tenable Network Security

Copyright Tenable Network Security, Inc.

Introduction

Tenable Network Security, Inc. serves customers worldwide and each of our customers has a unique set of audit and compliance requirements. This paper provides insights gained from Tenable's customers on measuring and reporting compliance audit issues in a wide variety of industries. Specifically, this paper describes how Tenable's solutions can be leveraged to achieve PCI compliance by ensuring that key assets are properly configured and monitored for security compliance.

It is crucial to monitor for compliance in a manner as close to real time as possible to ensure the organization does not drift out of compliance over time. The greater the gap between monitoring cycles, the more likely it is for compliance violations to occur undetected.

What is your audit process?

Tenable's worldwide customer base provides a broad spectrum of audit requirements that cover different technologies, legislation, policies and procedures. There are some common baselines, but the specific technology, procedures and critical data vary among organizations, so it follows that the audit processes will also vary.

Checkbox Audits

Tenable's customers often need to demonstrate compliance with "checkbox" security requirements that an external auditor may require. These requirements tend to be in a line-item format and may contain requirements such as "maintain an Intrusion Detection System" or "enforce password complexity". These requirements are typically mandated by specific compliance guidelines or corporate directives for the particular industry.

Perhaps the most common form of a checkbox audit is a PCI vulnerability scan. The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of security standards established by the founding members of the PCI Security Standards Council, including Visa, American Express, Discover Financial Services and MasterCard. The PCI DSS is intended to provide a common baseline to safeguard sensitive cardholder data for all bank card brands. All merchants and service providers that store, process or transmit Visa cardholder data must comply with the PCI standard.

For the millions of businesses that offer web sites to purchase products, an entire industry has developed to perform automated vulnerability audits. These audits test the online systems for known vulnerabilities and produce a technical report in a format specified by the PCI standard. While vulnerability scanning is important, it is not the only component of the PCI DSS, as described later in this paper.

Performing Simultaneous and Real-Time Audits

Many of Tenable's customers need to perform audits for multiple compliance and security standards. Often, these standards have common audit points and customers can reuse collected data from one audit to facilitate another. This saves time and money, and reduces interruption to an operating network and staff.

Many Tenable customers have expressed a desire for real-time compliance monitoring. This enables organizations to proactively correct compliance violations before they become a problem. If violations are detected and corrected prior to an actual audit, the audit results will reflect positively on the organization.

Avoiding Auditor Ambiguity

A common problem across Tenable's customer base is the concept of "auditor ambiguity", when the auditor does not fully understand the intent of a requirement. To minimize repeated audits for the same types of data, large enterprises often undergo an exercise to agree on a corporate set of standards for everything from building new laptops to making firewall changes. Often, these audits are very detailed and lengthy. The problem arises when auditors need to read these guidelines and interpret their results. Confusion or incorrect interpretation of these guidelines can cause organizations that are in compliance to fail their audits.

For example, consider a simple password policy requiring that passwords be changed every 90 days. An organization that enforces password changes every 45 days is technically not in compliance with the policy, even though the 45-day requirement is more stringent. This could cause ambiguous results from an audit. One auditor may interpret this as exceeding the guideline of 90-day expiration and consider this acceptable. However, another auditor may feel that the extra burden of more frequent password changes reduces efficiency and could increase downtime or help-desk calls.

Tenable's Solutions

Core Solution Description

From a network security feature set, Tenable offers a variety of methods to detect vulnerabilities and security events. Tenable's core technology is also extremely powerful for conducting network compliance audits and communicating the results to many different types of consumers. Tenable offers four basic solutions:

Security Center: Tenable's Security Center provides continuous, asset-based security and compliance monitoring. It unifies the process of asset discovery, vulnerability detection, log analysis, passive network discovery, data leakage detection, event management and configuration auditing for small and large enterprises.

Nessus vulnerability scanner: Tenable's Nessus vulnerability scanner is the world-leader in active scanners, featuring high-speed discovery, asset profiling and vulnerability analysis of the organization's security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs and across physically separate networks. Nessus is currently rated among the top products of its type throughout the security industry and is endorsed by professional security organizations such as the SANS Institute. Nessus is supported by a world-renowned research team and has the largest vulnerability knowledge base, making it suitable for even the most complex environments.

Log Correlation Engine: Tenable's Log Correlation Engine (LCE) is a software module that aggregates, normalizes, correlates and analyzes event log data from the myriad of devices within your infrastructure. The Log Correlation Engine can be used to gather, compress and search logs from any application, network device, system log or other sources. This makes it an excellent tool for forensic log analysis, IT troubleshooting and compliance monitoring. The LCE can work with Syslog data, or data collected by dedicated clients for Windows events, netflow, direct network monitoring and many other technologies.

Passive Vulnerability Scanner: Tenable's Passive Vulnerability Scanner (PVS) is a network discovery and vulnerability analysis software solution, delivering real-time network profiling and monitoring for continuous assessment of an organization's security posture in a non-intrusive manner. The Passive Vulnerability Scanner monitors network traffic at the packet layer to determine topology, services and vulnerabilities. Where an active scanner takes a snapshot of the network in time, the PVS behaves like a security motion detector on the network.

In addition, Tenable provides Security Center customers with the 3D Tool, which is designed to facilitate presentations and security analysis of different types of information acquired from the Security Center.

The key features of Tenable's products as they relate to compliance auditing are as follows:

Asset Centric Analysis

The combination of network scanning, passive network monitoring and integration with existing asset and network management data allows the Security Center to organize network assets into categories. This enables an auditor to review all components of a particular application. Typically, an auditor reviews a long list of IP addresses that may have vulnerabilities of various severities associated with them. However, the correlation of interdependencies of an application's components is usually missing. The Security Center provides a complete asset list of applications and ensures that the weakest link in the chain is recognized and taken into account.

For example, consider a typical PeopleSoft deployment for a human resources group. The actual PeopleSoft application may run on one or more Windows servers that interact with several databases. It may be connected over some network switches and possibly have front-end web servers for load-balancing. The entire group of servers comprises the PeopleSoft asset. A critical security problem in a supporting switch or database can lead to a compromise just as easily as one in the actual PeopleSoft program. It is very efficient for an auditor to be able to work with all of the security issues for one asset type at a time.

Data Leakage Monitoring

Both Nessus and the PVS can identify sensitive data that may be subject to compliance requirements. The Nessus scanner can be easily configured to look for common data formats such as credit card numbers and social security numbers. It can also be configured to search for documents with unique corporate identifiers such as employee names, project topics, sensitive keywords and so on. Nessus can perform these searches without an agent and only requires credentials to scan a remote computer.
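The kind of data-at-rest search described above, as an added example that is not Tenable's code: a small cardholder-data discovery routine that scans text content for card numbers (validated with the Luhn checksum so that random digit runs are dropped) and US Social Security Numbers, reporting only masked values. The regular expressions and the sample content are assumptions for this example.

```python
"""Cardholder-data discovery over text content: an added example, not
Tenable's code. It mimics the kind of search the paper describes Nessus
performing on a scanned host, but runs over a constructed string."""
import re
from dataclasses import dataclass
from typing import List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# US Social Security Number in the common 3-2-4 layout, excluding impossible groups.
SSN_CANDIDATE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample of what a file on a scanned host might contain.
SAMPLE = ("Order 8842 for Jane Doe, card 4111 1111 1111 1111 exp 12/12, "
          "SSN 078-05-1120, ticket 1234567890123")


@dataclass(frozen=True)
class Finding:
    kind: str      # "PAN" or "SSN"
    masked: str    # value with all but the last four digits masked
    offset: int    # character offset in the scanned content


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself does not leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(content: str) -> List[Finding]:
    """Return masked PAN and SSN findings located in the given content."""
    findings = []
    for m in PAN_CANDIDATE.finditer(content):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("PAN", mask(digits), m.start()))
    for m in SSN_CANDIDATE.finditer(content):
        findings.append(Finding("SSN", mask(m.group(0).replace("-", "")), m.start()))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"{f.kind} at offset {f.offset}: {f.masked}")
```

The 13-digit "ticket" number in the sample is a candidate by shape but fails the Luhn check, so it is not reported.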

The PVS can monitor network traffic to identify sensitive traffic in motion over email, web and chat activity. It can also simply identify servers that host office documents on web servers. The Security Center correlates the information about sensitive data gained from Nessus and the PVS, which can be useful in several situations:

- Identifying which assets have sensitive data on them can help determine if data is being hosted on unauthorized systems.
- Classifying assets based on the sensitivity of the data they are hosting can simplify configuration and vulnerability auditing by focusing on those hosts and not the entire network.
- Responding to security incidents or access control violations can be facilitated by knowing the type of information on the target system, which helps identify if a system compromise also involves potential theft or modification of data.

Both Nessus and the PVS also act as a deterrent. If organizations realize they will be audited for their use of certain types of data, they will be more careful in how they transfer and store data.

Configuration Audits

Security policies, guidelines, standards and procedures provide a mandate for maintaining network security. A policy is defined as what will and will not be permitted, such as "users are required to have passwords and keep them secure". Guidelines are suggested methods of how to adhere to the policy, such as "users should change passwords on a regular basis". Standards are specific technical rules for a particular platform, such as Microsoft IIS or database servers. A standard might state, "passwords must be set to expire every 90 days and must force the user to use a combination of alpha-numeric characters". Finally, procedures provide users and systems administrators with methods for maintaining security, such as "how to install a Microsoft IIS Server securely". It is important to understand the distinction between these to ensure appropriate compliance.

A configuration audit is one where the auditors verify that servers and devices are configured according to an established standard and maintained with an appropriate procedure. The Security Center can perform configuration audits on key assets through the use of Nessus local checks that can log directly onto a Unix or Windows server without an agent. There are several audit standards available for the Security Center. Some of these come from best practice centers like the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). Some of these are based on Tenable's interpretation of audit requirements to comply with specific industry standards such as PCI, or legislation such as Sarbanes-Oxley. In addition to the base audits, it is very easy to create customized audits for the particular requirements of any organization. These customized audits can be loaded into the Security Center and made available to anyone performing configuration audits within an organization. Once the audit policies have been configured in the Security Center, they can be repeatedly used with little effort. The Security Center can also perform audits intended for specific assets. Through the use of audit policies and assets, an auditor can quickly determine the compliance posture for any specified asset.

Security Event Audits

The Security Center and LCE can perform the following forms of security event management:

- Secure log aggregation and storage
- Normalization of logs to facilitate analysis
- Correlation of intrusion detection events with known vulnerabilities to identify high-priority attacks
- Sophisticated anomaly and event correlation to look for successful attacks, reconnaissance activity and theft of information

Tenable ships the LCE with logic that can map any number of normalized events to a compliance event to support real-time compliance monitoring. For example, a login failure may be benign, but when it occurs on a financial asset, it must be logged at a higher priority. The Security Center and LCE allow any organization to implement their compliance monitoring policy in real time. These events are also available for reporting and historical records.

The LCE also allows for many forms of best practice and Human Resources (HR) monitoring. For example, unauthorized changes can be detected in many different ways through network monitoring. Another useful application of the LCE is to determine if users recently separated from the organization are still accessing the system. All activity can be correlated against user names so that it becomes easy to see who is doing what inside the network.

Tenable's LCE has the ability to store, compress and search any type of ASCII log that is sent to it. Searches can be made with Boolean logic and limited to specific date ranges. There are an infinite number of searches that can be performed, such as searching DNS query records or tracking down known Ethernet (MAC) addresses in switch, DHCP and other types of logs. All search results are saved in a compressed format along with a checksum so that they can be used as forensic evidence.
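The asset-aware compliance event mapping and the checksummed search results described above, as an added example that is not Tenable's LCE logic: it normalizes constructed sshd log lines, raises the priority of login failures that hit assets classified as financial, flags a success that follows repeated failures, and seals the result set with a SHA-256 digest so it can be re-verified later. The asset inventory, log lines and tag names are assumptions for this example.

```python
"""Asset-aware compliance event mapping: an added example, not Tenable's LCE
logic. Normalizes constructed syslog lines, assigns priority by asset class,
correlates success-after-failures, and seals results with a checksum."""
import hashlib
import json
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory: host -> asset class (assumption for this example).
ASSETS = {
    "pay-db01": "financial",
    "hr-web02": "hr",
    "dev-box07": "development",
}

# Constructed log lines in the classic syslog/sshd shape.
SAMPLE_LOGS = [
    "Jan 28 10:01:02 pay-db01 sshd[2201]: Failed password for root from 10.1.4.9 port 51022 ssh2",
    "Jan 28 10:01:05 pay-db01 sshd[2201]: Failed password for root from 10.1.4.9 port 51023 ssh2",
    "Jan 28 10:01:09 pay-db01 sshd[2201]: Accepted password for root from 10.1.4.9 port 51024 ssh2",
    "Jan 28 10:02:11 dev-box07 sshd[9911]: Failed password for alice from 10.1.7.3 port 40210 ssh2",
    "Jan 28 10:03:00 hr-web02 sshd[1500]: Accepted publickey for bob from 10.1.2.2 port 38800 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)


def normalize(line: str) -> Optional[dict]:
    """Turn a raw line into a normalized event, or None if it is not an sshd auth line."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["type"] = "login-failure" if ev["outcome"] == "Failed" else "login-success"
    ev["asset_class"] = ASSETS.get(ev["host"], "unclassified")
    return ev


def to_compliance_event(ev: dict) -> dict:
    """Map a normalized event to a compliance event whose priority depends on the asset.

    A login failure is low priority by default but high on a financial asset,
    mirroring the example in the text. Tag names are constructed; "pci-req-10"
    refers to the paper's tenth PCI requirement (track and monitor all access)."""
    priority = "low"
    tags = []
    if ev["type"] == "login-failure":
        priority = "high" if ev["asset_class"] == "financial" else "low"
        tags.append("pci-req-10")
    if ev["asset_class"] == "financial":
        tags.append("cardholder-asset")
    return {**ev, "priority": priority, "tags": tags}


def compliance_events(lines: List[str]) -> List[dict]:
    return [to_compliance_event(ev) for ev in map(normalize, lines) if ev]


def correlate_success_after_failures(events: List[dict], threshold: int = 2) -> List[dict]:
    """Flag a success that follows at least `threshold` failures for the same host/user/source.

    Events must be in log order; counts are per (host, user, source) tuple."""
    failures: Counter = Counter()
    flagged = []
    for ev in events:
        key = (ev["host"], ev["user"], ev["src"])
        if ev["type"] == "login-failure":
            failures[key] += 1
        elif failures[key] >= threshold:
            flagged.append({**ev, "priority": "critical",
                            "tags": ev["tags"] + ["success-after-failures"]})
    return flagged


def seal_results(events: List[dict]) -> Tuple[bytes, str]:
    """Serialize a result set deterministically and attach its SHA-256 digest."""
    blob = json.dumps(events, sort_keys=True).encode()
    return blob, hashlib.sha256(blob).hexdigest()


def verify_seal(blob: bytes, digest: str) -> bool:
    """Re-check a stored result set against the digest recorded with it."""
    return hashlib.sha256(blob).hexdigest() == digest


if __name__ == "__main__":
    evs = compliance_events(SAMPLE_LOGS)
    for ev in evs + correlate_success_after_failures(evs):
        print(ev["priority"], ev["host"], ev["user"], ev["type"], ev["tags"])
    blob, digest = seal_results(evs)
    print("sealed", len(blob), "bytes, sha256", digest[:16], "verified:", verify_seal(blob, digest))
```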
Previous searches can also be re-launched against the latest logs. Each LCE can use a local disk store or a mounted file system from a remote NAS or SAN. The Security Center can show the disk space usage of each LCE and also predict and alert when it will run out of disk space.

Web Application Scanning

Tenable's Nessus scanner has a number of plugins that can aid in web application scanning. This functionality is useful to get an overall picture of the organization's posture before engaging in an exhaustive (and expensive) analysis of the web applications in the environment. Nessus plugins test for common web application vulnerabilities such as SQL injection, cross-site scripting (XSS), HTTP header injection, directory traversal, remote file inclusion and command execution.

Another useful Nessus option is the ability to enable or disable testing of embedded web servers that may be adversely affected when scanned. Many embedded web servers are static and cannot be configured with custom CGI applications. Nessus provides the ability to test these separately to save time and avoid loss of availability of embedded servers.

Nessus provides the ability for the user to adjust how Nessus tests each CGI script and determine the duration of the tests. For example, tests can be configured to stop as soon as a flaw is found or to look for all flaws. This helps to quickly determine if the site will fail compliance without performing the more exhaustive and time-consuming Nessus tests. This "low hanging fruit" approach helps organizations to quickly determine if they have issues that must be addressed before the more intensive tests are run. Nessus also provides special features for web mirroring, allowing the user to specify which part of the web site will be crawled or excluded. The duration of the crawl process can be limited as well.

Tenable and PCI

Background

The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of security standards established by the founding members of the PCI Security Standards Council, including Visa, American Express, Discover Financial Services and MasterCard. The PCI DSS is intended to provide a common baseline to safeguard sensitive cardholder data for all bankcard brands and is in use by many e-commerce vendors who accept and store credit card data. The PCI DSS specifies a variety of high-level guidelines for running a secure network, which leads to variations in how auditors interpret these recommendations. Tenable can help customers exceed the requirements to ensure they meet compliance.

Tenable's Role in PCI

The PCI DSS strongly advocates analysis by a trusted third party. Tenable provides the solutions to analyze and generate reports on network security before undergoing a costly third party audit.
By using Tenable's vulnerability scanning, vulnerability management, log analysis, content discovery and configuration audit tools, Tenable's customers can identify issues audited against the PCI standard well before the official audit occurs. This also helps reduce the cost of the official audit by reducing the time it takes to get the auditors the information they need.

Many Tenable customers who are interested in PCI are also extremely interested in Data Loss Prevention (DLP). Data Loss Prevention is a growing concern for companies that handle sensitive information. Breach disclosure laws require that companies that handle consumer data must disclose all data breaches and provide remediation to protect the consumer. The cost of such breaches can be quite staggering in legal and public relations costs as well as lost business. The ability to automatically identify systems that contain customer data or credit card information makes finding unauthorized copies of data easy. This also directly addresses the PCI requirement of protecting stored data. If data at rest is emailed or copied by an authorized user to an unauthorized system, it is likely a policy violation that Tenable's solutions can generate an alert on before it becomes a public relations nightmare.

PCI Security Audit Procedures and Reporting

The PCI DSS mandates the following 12 requirements that an organization must perform to be considered in compliance:

- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors

In addition, PCI customers must have a comprehensive vulnerability audit of any system that faces the Internet and handles credit card transactions. This vulnerability audit is required to look for the following items:

- Any vulnerability with a CVSS score of 4 or larger
- Any cross-site scripting or SQL injection type of vulnerability
- Any evidence of outdated SSL encryption

The PCI publication "PCI Security Audit Procedures" addresses in detail how each of these individual requirements needs to be implemented and audited. Tenable can help organizations conform to these guidelines in many ways. Appendix A details how Tenable can specifically address these guidelines. This allows any size organization to determine if they are indeed in compliance or if there are areas that need to be addressed. The reports and data collected by Tenable's solutions can also help organizations pass audits confidently with the knowledge they will be audited based on established tests and procedures.
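The three vulnerability-audit criteria listed above, combined with the asset-centric "weakest link" view from the Asset Centric Analysis section, as an added example that is not Tenable's Pass/Fail implementation: it applies the criteria to constructed scan findings and rolls the verdict up from hosts to the asset they belong to, so one failing component fails the whole asset. The finding categories, the sample assets, and the assumption that SSLv2/SSLv3 are what counts as outdated SSL are constructed for this example.

```python
"""PCI scan pass/fail with asset roll-up: an added example, not Tenable's
Pass/Fail logic. Applies the paper's three failure criteria (CVSS >= 4,
XSS/SQL injection, outdated SSL) to constructed findings and fails an asset
if any of its member hosts fails."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str       # human-readable check name (constructed)
    cvss: float
    category: str     # "xss", "sqli", "ssl" or "generic" (constructed taxonomy)


@dataclass
class HostVerdict:
    host: str
    failures: List[str] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.failures


# Assumption for this example: these protocol names are what "outdated SSL" means.
OUTDATED_SSL = ("SSLv2", "SSLv3")


def failure_reason(f: Finding) -> Optional[str]:
    """Return why a finding fails the PCI scan criteria, or None if it is acceptable."""
    if f.category in ("xss", "sqli"):
        return f"{f.category.upper()} vulnerability: {f.plugin}"
    if f.category == "ssl" and any(p in f.plugin for p in OUTDATED_SSL):
        return f"outdated SSL: {f.plugin}"
    if f.cvss >= 4.0:
        return f"CVSS {f.cvss:.1f} >= 4.0: {f.plugin}"
    return None


def evaluate_hosts(findings: List[Finding]) -> Dict[str, HostVerdict]:
    """Collect the failing reasons per host; a host with no reasons passes."""
    verdicts: Dict[str, HostVerdict] = {}
    for f in findings:
        v = verdicts.setdefault(f.host, HostVerdict(f.host))
        reason = failure_reason(f)
        if reason:
            v.failures.append(reason)
    return verdicts


def evaluate_assets(assets: Dict[str, List[str]], findings: List[Finding]) -> Dict[str, dict]:
    """Roll host verdicts up to assets (asset name -> member hosts).

    The asset fails if any member fails: the weakest link decides. A member with
    no findings at all is treated as passing (assumption for this example)."""
    hosts = evaluate_hosts(findings)
    result = {}
    for asset, members in assets.items():
        failed = {h: hosts[h].failures for h in members if h in hosts and not hosts[h].passed}
        result[asset] = {"passed": not failed, "failed_members": failed}
    return result


# Constructed data: a storefront asset made of a web front end, an app server and a DB.
ASSETS = {"storefront": ["web01", "app01", "db01"], "intranet": ["wiki01"]}
FINDINGS = [
    Finding("web01", "SSLv3 supported", 2.6, "ssl"),
    Finding("web01", "Reflected XSS in search form", 4.3, "xss"),
    Finding("app01", "Informational service banner", 0.0, "generic"),
    Finding("db01", "Outdated database service", 7.5, "generic"),
    Finding("wiki01", "Directory listing enabled", 3.5, "generic"),
]


if __name__ == "__main__":
    for asset, verdict in evaluate_assets(ASSETS, FINDINGS).items():
        print(asset, "PASS" if verdict["passed"] else "FAIL")
        for host, reasons in verdict["failed_members"].items():
            for r in reasons:
                print("   ", host, "-", r)
```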
Each of the twelve basic requirements as well as the vulnerability scan audit can be accomplished with various Tenable solutions:

- All active Nessus scans can include simple PCI Pass/Fail results. This makes analyzing large numbers of servers or large numbers of vulnerability results easy and automatic.
- Tenable's LCE has the ability to store, compress and search any type of ASCII log that is sent to it, including logs from perimeter devices to aid in firewall monitoring and configuration. Tenable's Security Center can also audit access from various points in the network using distributed scanning and passive analysis. Firewall rule changes that result in open or shut ports can be monitored by comparing multiple scans, analyzing passive network data and analyzing logs from the firewalls themselves. Tenable's Security Center and LCE have full log search capability to easily monitor firewall change activity.
- Tenable's Nessus vulnerability scanner can be used to attempt logins for various types of applications and devices to test for vendor supplied passwords.
- The security of systems protecting stored data can be assessed by Tenable's products. Access to the secured data can also be audited with Tenable's LCE. All LCE search results are saved in a compressed format along with a checksum so that they can be used as forensic evidence.
- Tenable's PVS can be used to monitor network traffic in real-time to ensure sensitive information, such as credit card numbers, is encrypted.
- Tenable's Security Center can log into hosts to ensure that anti-virus software is configured and functioning properly. In addition, Tenable's PVS can be used to identify systems running virus signature updates.
- The Security Center can use both active and passive vulnerability checks that monitor for vulnerabilities, patch levels and insecure configurations. This is a valuable aid to maintain secure systems.
- The Security Center can monitor access to information by business units on a need-to-know basis through traffic analysis and distributed scanning. With Security Center's asset centric view of a network, it is easy to see which assets connect to other assets and on which network links or ports.
- If users who access sensitive information are configured with unique user IDs, then it is highly likely that logs of access control will also exist. These logs can be captured by the LCE for analysis and sorted on individual user identifications. Logs can also be searched by user name.
- To provide controls for physical limitation of access to sensitive data, Tenable's LCE can receive authentication data from physical access control devices such as card readers. If a list of people or accounts that should or should not have access to sensitive data is provided, the LCE can also generate an alert if unauthorized user access is attempted. Lastly, the Windows LCE agent can monitor local and remote Windows servers for any insertion or removal of a USB device.
- Similarly, all access to cardholder data systems can be tracked. The LCE can track all logins, login failures, system logs and even network activity for cardholder data systems. These logs are centralized, normalized and correlated. Reports about incidents or security events can be created for specific asset groups under the Security Center.
- The Security Center can automate regular security testing of the systems managing credit card data. The Security Center offers many types of assessments such as vulnerability scanning, patch audits, configuration audits as well as passive vulnerability analysis.
- If any policy is created that specifically details how systems are to be configured, the Security Center can be used to audit those systems. Security policies are often broader than configuration standards. All of Tenable's products can assist with unauthorized host detection, implementing a log management strategy, analyzing access control policies, analyzing patch management policies and many others.

For a complete list of how Tenable can audit or assist in the monitoring of specific PCI requirement standards, please refer to Appendix A. Appendix B provides details on how Tenable's solutions can be used to comply with the PCI Security Scanning Procedures publication.

Appendix A: Tenable Solutions for PCI Security Audit Standards

Note: This section is based on the content of the PCI Security Audit Standards document. Specific requirements are labeled and quoted directly from this document. How Tenable can help meet these requirements is also specified. Some sub-requirements that are not relevant to Tenable's solution have been omitted to save space. The following acronyms will be used:

SC - Security Center
LCE - Log Correlation Engine
PVS - Passive Vulnerability Scanner

PCI Testing Procedure

1.1 Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete. Complete the following:
- Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.
- Verify that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks. Verify that the diagram is kept current.
- Verify that firewall configuration standards include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone. Verify that the current network diagram is consistent with the firewall configuration standards.

How Tenable Can Help

Tenable's LCE provides full log aggregation, storage and search capabilities for any type of ASCII log such as firewall logs. Searches can be made with Boolean logic and limited to specific date ranges. Through the SC web interface, users can perform full log searches across multiple LCE servers and monitor logs for abuse, connections to key resources and anomalies. The PVS can also enumerate both served and browsed firewall ports, as well as which systems accept connections from the Internet. SC and the PVS can monitor any large enterprise to determine connectivity between various points on the network. This helps ensure proper firewall policy is in place and can help detect unauthorized changes. The LCE can also alert and report when changes to devices such as firewalls have occurred. The SC can be used to search the full log data from multiple LCEs, providing an enterprise-wide view of logged activity.

SC produces 3D images showing how a network is connected. Nessus and the PVS also can show which hosts have connectivity to each other. Nessus can also enumerate which hosts have multiple interfaces that are common in DMZ networks. The 3D Tool can be used to display the locations of firewalls within the network. Nessus and the PVS have various methods to detect firewalls as well.

PCI Testing Procedure

1.1.5.a Verify that firewall and router configuration standards include a documented list of services, protocols and ports necessary for business, for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.
(a) Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months.
1.2 Examine firewall and router configurations to verify that connections are restricted between untrusted networks and system components in the cardholder data environment, as follows:
(a) Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and that the restrictions are documented.
(b) Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit "deny all" or an implicit deny after allow statement.
1.3 Examine firewall and router configurations, as detailed below, to determine that there is no direct access between the Internet and system components, including the choke router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment.
- Verify that a DMZ is implemented to limit inbound and outbound traffic to only protocols that are necessary for the cardholder data environment.
- Verify that inbound Internet traffic is limited to IP addresses within the DMZ.

How Tenable Can Help

Through Nessus and the PVS, as well as through analysis of existing firewall logs, SC can be used to list any UDP or TCP ports in use by any IP, network or asset group. Searches can be performed on log data across the enterprise to identify services and ports that are in use. Nessus credentialed scans can also list all open UDP and TCP ports on Unix and Windows operating systems and also identify the system process that owns each port.

The PVS and distributed Nessus scanning can show which assets have open ports when scanned remotely or viewed on egress/ingress network points. It can also show which ports are being browsed to see if a firewall's outbound policies are correct. SC can leverage logs from firewalls for analysis to determine if unauthorized protocols are being blocked.

The SC can manage multiple LCEs and provides powerful log search capabilities across multiple LCE instances. This facilitates an enterprise-wide search of protocols in use. This can be complemented with continuous passive monitoring and distributed scanning with Nessus to look for networks with incorrect firewall policies. SC can use both the LCE and the PVS to list which assets communicate with other assets, on which ports and across which network segments.

The full log search capability provided in the SC and LCE can be used to monitor traffic and ensure that a DMZ has been implemented. The PVS can also identify which hosts accept network connections from systems outside of a trusted domain.

The full log search capability provided in the SC and LCE can be used to monitor traffic and ensure that Internet traffic is limited to the DMZ. The PVS can also identify which hosts accept network connections from systems outside of a trusted domain.

PCI Testing Procedure

1.3.3 Verify there is no direct route inbound or outbound for traffic between the Internet and the cardholder data environment.
- Verify that outbound traffic from the cardholder data environment to the Internet can only access IP addresses within the DMZ.
- Verify that the firewall performs stateful inspection (dynamic packet filtering). [Only established connections should be allowed in, and only if they are associated with a previously established session (run a port scanner on all TCP ports with "syn reset" or "syn ack" bits set; a response means packets are allowed through even if they are not part of a previously established session).]
- Verify that the database is on an internal network zone, segregated from the DMZ.
- For the sample of firewall and router components, verify that NAT or other technology using RFC 1918 address space is used to restrict broadcast of IP addresses from the internal network to the Internet (IP masquerading).
1.4.a Verify that mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), and which are used to access the organization's network, have personal firewall software installed and active.
1.4.b Verify that the personal firewall software is configured by the organization to specific standards and is not alterable by mobile computer users.
2.1 Choose a sample of system components, and attempt to log on (with system administrator help) to the devices using default vendor-supplied accounts and passwords, to verify that default accounts and passwords have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.)
- Verify the following regarding vendor default settings for wireless environments and ensure that all wireless networks implement strong encryption mechanisms (for example, AES):
  - Encryption keys were changed from default at installation, and are changed anytime anyone with knowledge of the keys leaves the company or changes positions.
  - Default SNMP community strings on wireless devices were changed.
  - Default passwords/passphrases on access points were changed.
  - Firmware on wireless devices is updated to support strong encryption for authentication and transmission over wireless networks (for example, WPA/WPA2).
  - Other security-related wireless vendor defaults, if applicable.
2.2.a Examine the organization's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry accepted hardening standards.
2.2.b Verify that system configuration standards include each item below.
- For a sample of system components, verify that only one primary function is implemented per server. For example, web servers, database servers, and DNS should be implemented on separate servers.

How Tenable Can Help

SC analysis of logs captured via the LCE can show that no direct route exists between the Internet and the cardholder data environment. The SC can manage multiple LCEs and provides powerful log search capabilities across multiple LCE instances. SC can determine this with log analysis, passive network monitoring and direct vulnerability scanning. Through SC and Nessus, both TCP and SYN scanning options are available for port enumeration. As an asset class, SC can be used to view, analyze and report on any firewall.

Many different databases can be identified by Nessus and the PVS, and their locations on an internal network that is segregated from a DMZ can be determined by SC.

Nessus can perform a variety of application tests to determine internal IP addresses that may be private. Both the PVS and the LCE's sniffing agents can also observe all IP traffic and audit RFC 1918 addresses and public IP addresses. The full log search capability provided in the SC and LCE can be used to easily search and monitor all logged IP data across the enterprise. A system audit with a credentialed Nessus scan can also enumerate any IP addressing for each network interface.

Nessus configuration auditing can be used to develop customized audits for these devices to ensure that the right software is installed and is configured correctly. Audit files can also be configured to check for user permissions to administrative functions.

Tenable's Nessus vulnerability scanner includes default password checks for many different applications, operating systems and network devices. Nessus can also be given SNMP credentials in order to audit network devices. The PVS also includes many checks for vendor supplied security issues.

The Nessus vulnerability scanner and PVS have many different signatures to check for common SNMP and login settings. In addition, Nessus can audit the active wireless domain of each Windows device and this can be used to build a complete list of all wireless devices.
The LCE can also be used to log system events form network devices such as WiFi appliances, NAT firewalls and other hardware. The full log search capability provided in the SC and LCE can be used to easily search and monitor all logged wireless data across the enterprise. SC can be configured with audit policies to login to Unix and Windows devices to ensure they have been configured correctly according to the corporate policy or other compliance standards. For devices that don t support these types of logins, Nessus and the PVS can be used to profile systems, discover open ports and identify vulnerabilities. SC can place all discovered assets into specific groups such as web servers, database servers or DNS servers. SC can then be used to show vulnerabilities, open ports, running software, etc. Systems that have not been configured correctly will be highlighted. Nessus certified CIS configuration audits also implement the principal of least privilege and minimal usage of services per server For a sample of system SC can use a variety of techniques through Copyright , Tenable Network Security, Inc. 14

15 components, inspect enabled system services, daemons, and protocols. Verify that unnecessary or insecure services or protocols are not enabled, or are justified and documented as to appropriate use of the service. For example, FTP is not used, or is encrypted via SSH or other technology a Interview system administrators and/or security managers to verify that they have knowledge of common security parameter settings for system components b Verify that common security parameter settings are included in the system configuration standards c For a sample of system components, verify that common security parameters are set appropriately For a sample of system components, verify that all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) is removed. Verify enabled functions are documented and support secure configuration, and that only documented functionality is present on the sampled machines. 2.3 For a sample of system components, verify that non-console administrative access is encrypted by: Observing an administrator log on to each sampled system to determine that a strong encryption method is scanning, passive network analysis and log analysis to determine if protocols in use are not authorized. By gathering evidence from multiple sources such as firewall logs, netflow, scanning, credentialed system analysis and so on, it is possible to monitor a network on many levels. The full log search capability provided in the SC and LCE can be used to easily search and monitor all services and protocols across the enterprise. Through Nessus credentialed local checks, SC can perform a wide variety of configuration audit tests. SC ships with many tests and organizations can craft their own tests specific to their risk level or policy. Unique tests can also be performed per asset. 
Nessus can audit systems per recommended hardening guides available from the Center for Internet Security, many different operating system vendors, NIST FDCC or the NSA. Credentialed Nessus audits also show open ports and the processes that are listening on them. With SC, one, some or all of an organization s systems can be audited. Full log searches can be made with Boolean logic and limited to specific date ranges. There are an infinite number of searches that can be performed, such as searching DNS query records or tracking down known Ethernet (MAC) addresses in switch, DHCP and other types of logs. Previous searches can also be re-launched against the latest logs. SC and Nessus can be used to test for software and configurations that are not authorized. Many of the certified audits that can be performed by Nessus also include recommendations for disabling unneeded services. SC and Nessus can be used to look for any nonencrypted services on specific assets that are supposed to use SSH or SSL for administration. Multiple LCEs can be used to monitor servers and correlate network traffic with logins to see Copyright , Tenable Network Security, Inc. 15

16 invoked before the administrator s password is requested. Reviewing services and parameter files on systems to determine that Telnet and other remote log-in commands are not available for use internally. Verifying that administrator access to the web-based management interfaces is encrypted with strong cryptography. 3.1 Obtain and examine the company policies and procedures for data retention and disposal, and perform the following Verify that policies and procedures include legal, regulatory, and business requirements for data retention, including specific requirements for retention of cardholder data (for example, cardholder data needs to be held for X period for Y business reasons) Verify that policies and procedures include provisions for disposal of data when no longer needed for legal, regulatory, or business reasons, including disposal of cardholder data Verify that policies and procedures include coverage for all storage of cardholder data. Verify that policies and procedures include a programmatic (automatic) process to remove, at least on a quarterly basis, stored cardholder data that exceeds business retention requirements, or, alternatively, requirements for an audit, conducted at least on a quarterly basis, to verify that stored cardholder data does not exceed business retention requirements For a sample of system components, examine the following and verify that the full contents of any track from the magnetic stripe on the back of card are not stored under any circumstance: Incoming transaction data All logs (for example, transaction, history, debugging, error) History files Trace files Several database schemas that only encrypted protocols are being used. Nessus actively tests all SSL systems for compliance with PCI DSS. This includes verification of host names that keys are tied to and testing the age of the SSL library to ensure it is up to date. 
Nessus and the PVS can be used to identify which hosts are serving different types of files, such as spreadsheets being available on a public web server. Nessus has the ability to look into these documents at rest and discover if they have sensitive data, such as credit card account information. In addition, this process can be customized to local procedures to look for specific database files, authentication logs and other types of sensitive data that is involved with credit card processing. The full log search capability provided in the SC and LCE can be used to easily search and monitor USB activity on Windows systems across the enterprise. Policies for data-at-rest can be developed for Nessus to search for specific file extensions and content that matches or exceeds stated business requirements to store this data. Copyright , Tenable Network Security, Inc. 16

17 Database contents For a sample of system components, verify that the three-digit or four-digit card-verification code or value printed on the front of the card or the signature panel (CVV2, CVC2, CID, CAV2 data) is not stored under any circumstance: Incoming transaction data All logs (for example, transaction, history, debugging, error) History files Trace files Several database schemas Database contents For a sample of system components, examine the following and verify that PINs and encrypted PIN blocks are not stored under any circumstance: Incoming transaction data All logs (for example, transaction, history, debugging, error) History files Trace files Several database schemas Database contents 3.3 Obtain and examine written policies and examine displays of PAN (for example, on screen, on paper receipts) to verify that primary account numbers (PANs) are masked when displaying cardholder data, except for those with a legitimate business need to see full PAN. 3.5 Verify processes to protect keys used for encryption of cardholder data against disclosure and misuse by performing the following: Examine user access lists to verify that access to keys is restricted to very few custodians. Policies for data-at-rest can be developed for Nessus to search for specific file extensions and content that matches or exceeds stated business requirements to store this data. Policies for data-at-rest can be developed for Nessus to search for specific file extensions and content that matches or exceeds stated business requirements to store this data. Nessus audits are configured by default to display the last four digits of discovered credit card numbers. If your security auditing team is authorized to work with full credit card numbers, the audit policies can be modified to show the entire number. There are many physical and electronic methods to storing cryptographic keys. 
SC and the LCE can help identify these systems, report on their security issues and log access to these devices including insertion and removal of USB devices. The LCE can leverage authentication logs to associate all logged activity with a real user ID. This allows easy review of who has access, who obtained access and who was denied access to critical PCI systems. If a list of allowed users is known, the LCE can be configured to alert when users other than those authorized attempts access. All logs can be associated with an authentication system, such that events can be viewed by the user account that caused them. This makes it easier to identify insider abuse. Copyright , Tenable Network Security, Inc. 17

18 This same list can be used to create custom Nessus audit files to audit servers to ensure that only certain users are enabled. 4.1.a Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks Verify that strong encryption is used during data transmission. For SSL implementations: o Verify that the server supports the latest patched versions. o Verify that HTTPS appears as a part of the browser Universal Record Locator (URL). o Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) For wireless networks transmitting cardholder data or connected to the cardholder data environment, verify that industry best practices (for example, IEEE i) are used to implement strong encryption for authentication and transmission. 4.2.a Verify that strong cryptography is used whenever cardholder data is sent via end-user messaging technologies. The SC can manage multiple LCEs and provides powerful log search capabilities across multiple LCE instances. This facilitates an enterprisewide search of a particular user s activity. The SC can define and segregate user roles so that some audit users cannot see events, some can only see normalized events and that others can do unlimited log search. User access to LCE raw log data is configurable on a per-lce basis. The SC can collect encryption information about web portals that accept credit card data. This information can be used for reporting by asset type. Nessus can be used to recognize the supported protocols that enable encrypted communications. 
Nessus actively tests all SSL systems, including wireless systems, for compliance with PCI DSS. This includes verification of host names that keys are tied to and testing the age of the SSL library to ensure that it is up to date. The SC and PVS can be configured to test for several items including the presence of encryption software, the detection of an sent that has been scripted by the software and Copyright , Tenable Network Security, Inc. 18

19 4.2.b Verify the existence of a policy stating that unencrypted PANs are not to be sent via end-user messaging technologies. 5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists. 5.2 Verify that all anti-virus software is current, actively running, and capable of generating logs by performing the following: 5.2.a Obtain and examine the policy and verify that it requires updating of antivirus software and definitions. 5.2.b Verify that the master installation of the software is enabled for automatic updates and periodic scans. 5.2.c For a sample of system components including all operating system types commonly affected by malicious software, verify that automatic updates and periodic scans are enabled. 5.2.d For a sample of system components, verify that antivirus software log generation is enabled and that such logs are retained in accordance with PCI DSS Requirement a For a sample of system components and related software, compare the list of security patches installed on each system to the most recent security vendor patch list, to verify that current vendor patches are installed. 6.1.b Examine policies related to security patch installation to verify they require installation of all critical new security patches within one month. s sent that contain credit card data that was not encrypted. SC, Nessus and the PVS can be used to discover installed anti-virus instances and assets if they have been updated. Nessus can be used to audit systems for the presence of a standard anti-virus solution and to also test that the solution is configured and working properly. SC and Nessus can test for how recently an anti-virus product was updated and if it is running correctly. Tenable s LCE provides full log aggregation, storage and search capabilities and can be used to aggregate logs from multiple anti-virus products. 
The LCE normalizes logs from many different anti-virus sources, including hostbased and network based (such as antivirus solutions). The SC can manage multiple LCEs and provides powerful log search capabilities across multiple LCE instances. This facilitates an enterprisewide search of anti-virus logs. SC and Nessus can be used to perform patch audits of Unix, Windows and router devices. This audit can occur across a sampling of the network, or all of it. Patch auditing is highly accurate and has a very low false positive and false negative rate because it uses file-based analysis to ensure that patches are deployed. Other techniques to assess patch deployment status such as looking into the registry do not perform a complete audit. The SC can also show vulnerabilities that have been discovered in a certain period of time. This allows reporting vulnerabilities older than 30 days. When considering systems running or operated by different groups, the SC can show which organizations are more efficient at testing Copyright , Tenable Network Security, Inc. 19
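The firewall-log checks described under requirements 1.3.5, 1.3.8, 2.2.2 and 2.3 above (CDE egress limited to the DMZ, RFC 1918 sources masqueraded before they leave the external interface, cleartext administrative protocols not permitted) can also be scripted directly against exported logs. The script below is an added example written for this page; it is not code from the paper or from Tenable. It assumes a constructed network layout (a CDE subnet 10.10.0.0/24, a DMZ 192.168.50.0/24, an Internet-facing interface named eth1) and a constructed key=value firewall log format; a real firewall's log lines would need their own regular expression, and the sample lines are made up for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical layout for this example (constructed, not from the paper).
CDE_NET = ipaddress.ip_network("10.10.0.0/24")        # cardholder data environment
DMZ_NET = ipaddress.ip_network("192.168.50.0/24")     # the only zone the CDE may reach
EXTERNAL_IFACE = "eth1"                               # interface facing the Internet
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}           # insecure services per 2.2.2 / 2.3

# RFC 1918 space is checked explicitly; ipaddress.is_private also covers
# documentation ranges such as 203.0.113.0/24, which would hide leaks here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format: iface=... action=... proto=... src=... dst=... dport=...
LINE_RE = re.compile(
    r"iface=(?P<iface>\S+) action=(?P<action>\S+) proto=(?P<proto>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


@dataclass
class Finding:
    requirement: str   # PCI DSS testing procedure the line conflicts with
    line: str          # the raw log line, kept as evidence
    detail: str


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def audit_line(line):
    """Return the findings for one permitted firewall log line (none for drops)."""
    m = LINE_RE.search(line)
    if not m or m["action"] != "ALLOW":
        return []   # only traffic the firewall permitted can violate segmentation
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    findings = []
    # 1.3.5: outbound traffic from the CDE may only reach addresses in the DMZ
    if src in CDE_NET and dst not in DMZ_NET:
        findings.append(Finding("1.3.5", line, f"CDE host {src} reached {dst} outside the DMZ"))
    # 1.3.8: an RFC 1918 source leaving the external interface towards a public
    # address means NAT / masquerading was not applied
    if m["iface"] == EXTERNAL_IFACE and is_rfc1918(src) and not is_rfc1918(dst):
        findings.append(Finding("1.3.8", line, f"private source {src} sent to {dst} without NAT"))
    # 2.2.2 / 2.3: cleartext file transfer or remote administration was permitted
    if dport in CLEARTEXT_PORTS:
        findings.append(Finding("2.2.2/2.3", line, f"{CLEARTEXT_PORTS[dport]} to {dst}:{dport} allowed"))
    return findings


def audit_log(lines):
    findings = []
    for ln in lines:
        findings.extend(audit_line(ln))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "iface=eth1 action=ALLOW proto=tcp src=10.10.0.5 dst=203.0.113.8 dport=443",      # CDE straight to Internet, un-NATed
    "iface=eth0 action=ALLOW proto=tcp src=10.10.0.7 dst=192.168.50.10 dport=5432",   # CDE to DMZ: permitted
    "iface=eth1 action=ALLOW proto=tcp src=198.51.100.4 dst=203.0.113.20 dport=443",  # NATed public source: fine
    "iface=eth0 action=ALLOW proto=tcp src=192.168.50.10 dst=10.10.0.7 dport=23",     # telnet into the CDE
    "iface=eth1 action=DROP proto=tcp src=10.10.0.5 dst=203.0.113.8 dport=21",        # blocked ftp: no finding
]

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"[{f.requirement}] {f.detail}")
```

The first sample line yields two findings at once (a 1.3.5 segmentation breach and a 1.3.8 NAT failure), which is the usual pattern when a CDE host is given a direct route out; dropped traffic is skipped because only permitted flows are evidence of a policy gap.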
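Requirements 3.2.1 through 3.3 above describe searching data at rest for card numbers and displaying only the last four digits of anything found. The script below is an added example for this page, not Nessus audit code: it applies a Luhn check so that other long digit strings (order numbers, timestamps) are not reported, masks hits by default, and exposes an explicit show_full switch for teams that are authorized to see whole numbers. The file contents are constructed sample input; 4111 1111 1111 1111 is a widely published test card number, not a real account.

```python
import re

# Candidate runs of 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers; cuts most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the last four digits, the default display described under 3.3."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text, show_full=False):
    """Return card numbers found in text, masked unless the caller is authorized."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits if show_full else mask_pan(digits))
    return hits


def scan_files(files, show_full=False):
    """Map each file name to the (masked) card numbers found in its content."""
    return {name: find_pans(content, show_full) for name, content in files.items()}


# Constructed sample files (hypothetical exports, not real data).
SAMPLE_FILES = {
    # a valid test PAN, and a 16-digit string that fails Luhn and so is ignored
    "export.csv": "name,card\nAlice,4111 1111 1111 1111\nBob,4111111111111112\n",
    # a 13-digit order id that also fails Luhn
    "orders.log": "2010-01-28 order 1234567890123 total 19.99\n",
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {hits}")
```

The Luhn test does not prove a string is a card number, but a long digit run that fails it can be discarded without review, which keeps an at-rest sweep across log, trace and export files to a manageable number of findings.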
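Requirement 3.5.1 above relies on a short allowlist of key custodians and on authentication logs that tie every event to a user, so that attempts by anyone else can be alerted on and reviewed. The script below is an added example, not LCE code: it parses constructed OpenSSH-style log lines from a hypothetical key-management host, flags any login attempt by a user outside the allowlist (a granted login at higher severity than a denied one), and builds the per-user summary of who obtained and who was denied access that an auditor would examine.

```python
import re
from collections import defaultdict

# Constructed allowlist of key custodians for a hypothetical key-management host.
KEY_CUSTODIANS = {"alice", "carol"}

# Matches OpenSSH "Accepted ..." and "Failed ..." lines; other authentication
# sources would need their own pattern.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth(lines):
    """Return one event dict per login attempt found in the log lines."""
    events = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            events.append({
                "user": m["user"],
                "src": m["src"],
                "granted": m["result"] == "Accepted",
                "method": m["method"],
                "line": line,
            })
    return events


def review_access(events, allowed):
    """Return (alerts, summary): alerts for non-custodians, counts per user."""
    alerts = []
    summary = defaultdict(lambda: {"accepted": 0, "denied": 0})
    for ev in events:
        summary[ev["user"]]["accepted" if ev["granted"] else "denied"] += 1
        if ev["user"] not in allowed:
            # a successful login by a non-custodian is the urgent case;
            # a failed one is still recorded as an attempt
            severity = "high" if ev["granted"] else "medium"
            alerts.append((severity, ev["user"], ev["src"], ev["line"]))
    return alerts, dict(summary)


# Constructed sample log lines (hypothetical host "hsm-gw", not real events).
SAMPLE_AUTH_LOG = [
    "Jan 28 10:01:02 hsm-gw sshd[2101]: Accepted publickey for alice from 10.10.0.5 port 51022 ssh2",
    "Jan 28 10:04:11 hsm-gw sshd[2108]: Failed password for bob from 10.10.0.9 port 51030 ssh2",
    "Jan 28 10:05:40 hsm-gw sshd[2112]: Accepted password for mallory from 10.10.0.9 port 51031 ssh2",
    "Jan 28 10:06:00 hsm-gw sshd[2115]: Failed password for invalid user root from 203.0.113.7 port 4000 ssh2",
    "Jan 28 10:07:00 hsm-gw sshd[2120]: Accepted publickey for carol from 10.10.0.6 port 51040 ssh2",
]

if __name__ == "__main__":
    alerts, summary = review_access(parse_auth(SAMPLE_AUTH_LOG), KEY_CUSTODIANS)
    for severity, user, src, _ in alerts:
        print(f"{severity}: {user} from {src}")
    print(summary)
```

The same allowlist can drive both sides of the control the paper describes: the alerting shown here, and a periodic configuration audit that confirms no accounts beyond the custodians are enabled on the key-storage hosts.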


More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants Version 3.0 February 2014 Document Changes

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0 Payment Card Industry (PCI) Data Security Standard Summary of s from PCI DSS Version 1.2.1 to 2.0 October 2010 General General Throughout Removed specific references to the Glossary as references are generally

More information

Conformance of Avaya Aura Workforce Optimization Quality Monitoring Recording Solution with the PCI Data Security Standard

Conformance of Avaya Aura Workforce Optimization Quality Monitoring Recording Solution with the PCI Data Security Standard Conformance of Avaya Aura Workforce Optimization Quality Monitoring Recording Solution with the PCI Data Security Standard August 2014 Table of Contents Introduction... 1 PCI Data Security Standard...

More information

Best Practices for PCI DSS Version 3.2 Network Security Compliance

Best Practices for PCI DSS Version 3.2 Network Security Compliance Best Practices for PCI DSS Version 3.2 Network Security Compliance www.tufin.com Executive Summary Payment data fraud by cyber criminals is a growing threat not only to financial institutions and retail

More information

Education Network Security

Education Network Security Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or

More information

A QUICK PRIMER ON PCI DSS VERSION 3.0

A QUICK PRIMER ON PCI DSS VERSION 3.0 1 A QUICK PRIMER ON PCI DSS VERSION 3.0 This white paper shows you how to use the PCI 3 compliance process to help avoid costly data security breaches, using various service provider tools or on your own.

More information

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for

More information

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED 01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments

More information

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client

More information

GlobalSCAPE EFT Server. HS Module. High Security. Detail Review. Facilitating Enterprise PCI DSS Compliance

GlobalSCAPE EFT Server. HS Module. High Security. Detail Review. Facilitating Enterprise PCI DSS Compliance GlobalSCAPE EFT Server HS Module High Security Facilitating Enterprise PCI DSS Compliance Detail Review Table of Contents Understanding the PCI DSS 3 The Case for Compliance 3 The Origin of the Standard

More information

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting

More information

ISO27001 Preparing your business with Snare

ISO27001 Preparing your business with Snare WHITEPAPER Complying with ISO27001 Preparing your business with Snare T he technical controls imposed by ISO (International Organisation for Standardization) Standard 27001 cover a wide range of security

More information

IT Services IT LOGGING POLICY

IT Services IT LOGGING POLICY IT LOGGING POLICY UoW IT Logging Policy -Restricted- 1 Contents 1. Overview... 3 2. Purpose... 3 3. Scope... 3 4. General Requirements... 3 5. Activities to be logged... 4 6. Formatting, Transmission and

More information

LOGmanager and PCI Data Security Standard v3.2 compliance

LOGmanager and PCI Data Security Standard v3.2 compliance LOGmanager and PCI Data Security Standard v3.2 compliance Whitepaper how deploying LOGmanager helps to maintain PCI DSS regulation requirements Many organizations struggle to understand what and where

More information

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government

More information

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards PCI DSS What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards Definition: A multifaceted security standard that includes requirements for security management, policies, procedures,

More information

PCI DSS Compliance. White Paper Parallels Remote Application Server

PCI DSS Compliance. White Paper Parallels Remote Application Server PCI DSS Compliance White Paper Parallels Remote Application Server Table of Contents Introduction... 3 What Is PCI DSS?... 3 Why Businesses Need to Be PCI DSS Compliant... 3 What Is Parallels RAS?... 3

More information

LogRhythm Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

LogRhythm Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard Partner Addendum LogRhythm Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware-certified

More information

Donor Credit Card Security Policy

Donor Credit Card Security Policy Donor Credit Card Security Policy INTRODUCTION This document explains the Community Foundation of Northeast Alabama s credit card security requirements for donors as required by the Payment Card Industry

More information

PCI PA-DSS Implementation Guide Onslip PAYAPP V2.0 for Onslip S80, Onslip S90

PCI PA-DSS Implementation Guide Onslip PAYAPP V2.0 for Onslip S80, Onslip S90 PCI PA-DSS Implementation Guide Onslip PAYAPP V2.0 for Onslip S80, Onslip S90 Revision history Revision Date Author Comments 0.1 2013-10-04 Robert Hansson Created 1.0 2014-01-14 Robert Hansson Review and

More information

Implementation Guide. Payment Card Industry Data Security Standard 2.0. Guide version 4.0

Implementation Guide. Payment Card Industry Data Security Standard 2.0. Guide version 4.0 Implementation Guide Payment Card Industry Data Security Standard 2.0 Guide version 4.0 Copyright 2012 Payment Processing Partners Inc. All rights reserved. ChargeItPro and ChargeItPro EasyIntegrator are

More information

SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD The Payment Card Industry Data Security Standard (PCI DSS), currently at version 3.2,

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants For use PCI DSS Version 3.2 Revision 1.1

More information

Stripe Terminal Implementation Guide

Stripe Terminal Implementation Guide Stripe Terminal Implementation Guide 12/27/2018 This document details how to install the Stripe Terminal application in compliance with PCI 1 PA-DSS Version 3.2. This guide applies to the Stripe Terminal

More information

Payment Card Industry Data Security Standard (PCI-DSS) Implementation Guide For XERA POS Version 1

Payment Card Industry Data Security Standard (PCI-DSS) Implementation Guide For XERA POS Version 1 Payment Card Industry Data Security Standard (PCI-DSS) Implementation Guide For XERA POS Version 1 2 XERA POS Payment Card Industry Data Security Standard (PCI-DSS) Implementation Guide XERA POS Version

More information

Navigating the PCI DSS Challenge. 29 April 2011

Navigating the PCI DSS Challenge. 29 April 2011 Navigating the PCI DSS Challenge 29 April 2011 Agenda 1. Overview of Threat and Compliance Landscape 2. Introduction to the PCI Security Standards 3. Payment Brand Compliance Programs 4. PCI DSS Scope

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants Version 3.1 April 2015 Document Changes Date

More information

PA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite

PA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite for Sage MAS 90 and 200 ERP Versions 4.30.0.18 and 4.40.0.1 and Sage MAS 90 and 200 Extended Enterprise Suite Versions 1.3 with Sage MAS 90 and 200 ERP 4.30.0.18 and 1.4 with Sage MAS 90 and 200 ERP 4.40.0.1

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

Chapter 5: Vulnerability Analysis

Chapter 5: Vulnerability Analysis Chapter 5: Vulnerability Analysis Technology Brief Vulnerability analysis is a part of the scanning phase. In the Hacking cycle, vulnerability analysis is a major and important part. In this chapter, we

More information

Control-M and Payment Card Industry Data Security Standard (PCI DSS)

Control-M and Payment Card Industry Data Security Standard (PCI DSS) Control-M and Payment Card Industry Data Security Standard (PCI DSS) White paper PAGE 1 OF 16 Copyright BMC Software, Inc. 2016 Contents Introduction...3 The Need...3 PCI DSS Related to Control-M...4 Control-M

More information

Firewall Configuration and Management Policy

Firewall Configuration and Management Policy Firewall Configuration and Management Policy Version Date Change/s Author/s Approver/s 1.0 01/01/2013 Initial written policy. Kyle Johnson Dean of Information Services Executive Director for Compliance

More information

Securing CS-MARS C H A P T E R

Securing CS-MARS C H A P T E R C H A P T E R 4 Securing CS-MARS A Security Information Management (SIM) system can contain a tremendous amount of sensitive information. This is because it receives event logs from security systems throughout

More information

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services Vanguard is the industry leader in z/os Mainframe Software to

More information

Attestation of Compliance, SAQ D

Attestation of Compliance, SAQ D Attestation of Compliance, SAQ D Instructions for Submission The merchant must complete this Attestation of Compliance as a declaration of the merchant's compliance status with the Payment Card Industry

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants For use PCI DSS Version 3.1 Revision 1.1

More information

IPM Secure Hardening Guidelines

IPM Secure Hardening Guidelines IPM Secure Hardening Guidelines Introduction Due to rapidly increasing Cyber Threats and cyber warfare on Industrial Control System Devices and applications, Eaton recommends following best practices for

More information

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

WHITE PAPERS. INSURANCE INDUSTRY (White Paper) (White Paper) Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services Vanguard is the industry leader in z/os Mainframe Software to ensure enterprise compliance

More information

PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS

PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS CONFIDENCE: SECURED WHITE PAPER PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS TRIPWIRE ENTERPRISE TRIPWIRE LOG CENTER TRIPWIRE IP360 TRIPWIRE PURECLOUD A UL TRANSACTION SECURITY (QSA) AND TRIPWIRE WHITE

More information

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

Will you be PCI DSS Compliant by September 2010?

Will you be PCI DSS Compliant by September 2010? Will you be PCI DSS Compliant by September 2010? Michael D Sa, Visa Canada Presentation to OWASP Toronto Chapter Toronto, ON 19 August 2009 Security Environment As PCI DSS compliance rates rise, new compromise

More information

Payment Card Industry Data Security Standard Self-Assessment Questionnaire C Guide

Payment Card Industry Data Security Standard Self-Assessment Questionnaire C Guide Payment Card Industry Data Security Standard Self-Assessment Questionnaire C Guide PCI DSS Version: V3.1, Rev 1.1 Prepared for: The University of Tennessee Merchants The University of Tennessee Foundation

More information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of Pittsburgh Security Assessment Questionnaire (v1.7) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided

More information

Tenable for Palo Alto Networks

Tenable for Palo Alto Networks How-To Guide Tenable for Palo Alto Networks Introduction This document describes how to deploy Tenable SecurityCenter and Nessus for integration with Palo Alto Networks next-generation firewalls (NGFW).

More information

Designing Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS)

Designing Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS) Designing Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS) January 2009 1 January 2009 Polycom White Paper: Complying with PCI-DSS Page 2 1.

More information

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide PCI DSS VERSION 1.1 1 PCI DSS Table of contents 1. Understanding the Payment Card Industry Data Security Standard... 3 1.1. What is PCI DSS?... 3 2. Merchant Levels and Validation Requirements... 3 2.1.

More information

OPERA Version 4.0+ PABP Guide and PCI Data Security Standard Adherence

OPERA Version 4.0+ PABP Guide and PCI Data Security Standard Adherence OPERA Version 4.0+ PABP Guide and PCI Data Security Standard Adherence General Information About This Document This document is intended as a quick reference guide to provide you with information concerning

More information

PCI COMPLIANCE IS NO LONGER OPTIONAL

PCI COMPLIANCE IS NO LONGER OPTIONAL PCI COMPLIANCE IS NO LONGER OPTIONAL YOUR PARTICIPATION IS MANDATORY To protect the data security of your business and your customers, the credit card industry introduced uniform Payment Card Industry

More information

Old requirement New requirement Detail Effect Impact

Old requirement New requirement Detail Effect Impact RISK ADVISORY THE POWER OF BEING UNDERSTOOD PCI DSS VERSION 3.2 How will it affect your organization? The payment card industry (PCI) security standards council developed version 3.2 of the Data Security

More information

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045 Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that

More information

the SWIFT Customer Security

the SWIFT Customer Security TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This

More information

PCI DSS and VNC Connect

PCI DSS and VNC Connect VNC Connect security whitepaper PCI DSS and VNC Connect Version 1.2 VNC Connect security whitepaper Contents What is PCI DSS?... 3 How does VNC Connect enable PCI compliance?... 4 Build and maintain a

More information

The Prioritized Approach to Pursue PCI DSS Compliance

The Prioritized Approach to Pursue PCI DSS Compliance PCI DSS Prioritized Approach for PCI DSS.0 PCI DSS Prioritized Approach for PCI DSS.0 The Prioritized Approach to Pursue PCI DSS Compliance The Payment Card Industry Data Security Standard (PCI DSS) provides

More information

Network Security: Firewall, VPN, IDS/IPS, SIEM

Network Security: Firewall, VPN, IDS/IPS, SIEM Security: Firewall, VPN, IDS/IPS, SIEM Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr What is a Firewall? A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information