More and more merchants are looking at the rogue AP detection requirements of the PCI DSS from a technical solution angle. Makes sense right? Why pay a consultant each quarter to do a rogue AP sweep when you can implement a Wireless Intrusion Prevention System like Motorola AirDefense or AirTight and realize an ROI within half a year? Plus you get all of the cool add-ons like counter measures, 802.11x port blocking, et al. Makes sense right?

One of the approaches that has been coming up a lot is to address rogue AP exclusion using Network Access Control (NAC). The PCI SSC specifically addresses NAC as NOT BEING SUITABLE for rogue AP detection. The reason given is that it doesn’t allow the detection of laptops put into AP mode.

Now I understand that the only real way to detect a laptop that’s been put into AP mode is by sniffing the air. But here is the question – One of the key features that make WIPS attractive for addressing 11.1 is that they can cross match what’s on the wire with what’s in the air. Theoretically (and, more importantly, enough to satisfy most auditors) you can conclusively determine that a MAC address that you seen on the air IS connected to your network IF the MAC shows up in your switches ARP tables. THEREFORE if a MAC shows up on the air and ISN’T in the ARP tables, it’s highly unlikely that it’s a rogue AP that you have to worry about.

Right?

But hang on a second… A laptop that has been put into AP or peer to peer mode has two MAC addresses – one for the wireless card and another for the wired ethernet adapter connecting it to the LAN.

So what happens here?

Hitler, Cloud Computing and PCI DSS

Pretty geeky, but it sums it up well. My favourite: “You gave it a .4! What does that even mean?!?”

From a branding standpoint, franchisors have a lot to lose if one of their franchisees falls victim to a breach.  Depending on the level of media attention the breach garners, one for a store in downtown Philadelphia has the potential to negatively affect the brand – and, arguably, sales— across the state, regionally or even nationally.

The interesting thing with franchising and PCI DSS is that while franchisees may have individual merchant accounts with the bank (and therefore be responsible for their own reporting) the impact of a breach on the franchisers compliance may come up for question if a breach was to occur, as well as the inevitable brand reputation loss…

I’d be interested to here any feedback from the field on the topic.

Related articles by Zemanta

• PCI DSS Myths 2009: Myths and Reality (slideshare.net)
• ProPay to Host 2010 Data Security Summit (eon.businesswire.com)
• Why Businesses need to be PCI Compliant (wealthyways4you.com)
• Goodbye PCI – Hello Encryption and Data Loss Prevention Products (pindebit.blogspot.com)
• 2010 Compliance Laws (deurainfosec.com)

Here’s an excerpt of the release from Visa…

The marketplace has expressed a growing interest in pursuing data field encryption (also known as end-to-end encryption) of card data. Data field encryption protects card information from the swipe to the acquirer processor with no need for the merchant to process or transmit card data in the “clear.” Importantly, data field encryption renders cardholder data useless to criminals in the event of a merchant data breach.

The full clarification can be downloaded here, and a “softer” version with sum executive summary style information here.

Kudos to Visa for seeking to clear this issue up a bit.

Related articles by Zemanta

• Only 27% of Organizations Use Encryption (it.slashdot.org)
• Gmail Moves To HTTPS By Default (it.slashdot.org)
• Using Encryption Garners Exemption For Data Breach Notification (yro.slashdot.org)

During a vulnerability assessment an environment is assessed to determine if known vulnerabilities can be identified. Penetration testing goes a step further by attempting to exploit these identified vulnerabilities.

The difference between the two, in terms of identifying a need within an organization, is that vulnerability assessment can be achieved using automated tools, whereas penetration testing generally can not.

Why this is important is that vulnerability assessment and penetration testing are addressed as separate requirements of the PCI DSS… Doing a VA will not address the pentesting requirement, and vice versa.

Related articles by Zemanta

• Metasploit Project Sold To Rapid7 (news.slashdot.org)
• The 20 Coolest Jobs in Information Security (q-ontech.blogspot.com)

Here’s a simple definition:

File Integrity Monitoring (FIM): FIM established a baseline value for the content, presence, and permissions of files on a system (application, binaries, config files, documents – they are ALL FILES). If a change is detected, an alert is raised. Examples of FIM are Samhain, McAfee PCI Pro (formerly Solidcore), Osiris, Tripwire, and nCircle CCM.

Host Intrusion Prevention System (HIPS): HIPS’s are in essence the same as Network Intrusion Detection/Prevention Systems except that they run on hosts. This is useful when you have, for example, point to point IPSec tunneling between your servers which would stop a NIPS/NIDS from detecting anything inside the tunnel (NIPS/NIDS are all but useless is the traffic they are monitoring  is encrypted). Examples are Snort, and just about all of the anti-virus vendors “End point” product now include some sort of HIPS.

This is the REALLY important part if the only reason your are interested is to comply with the PCI DSS:

HIPS will NOT get you compliant with PCI DSS 11.5 Deploy file-integrity monitoring software to alert personnel to
unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Just the same…

FIM will NOT get you compliant with PCI DSS 11.4 Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines up-to-date.

Related articles by Zemanta

• Facebook Joins with McAfee to Clean Up Malware on Site (bits.blogs.nytimes.com)
• Security through diversity (cdixon.org)
• Ingenico Unveils Strategy to Provide Secure End-to-End Solutions for Merchants in North America (pindebit.blogspot.com)

I guess it was always going to happen. The fruit is hanging far to low with wireless networking for it not to attract a hell of a lot of the wrong type of attention. The saving grace is the fact that TKIP Personal seems to be the only flavor of WPA threatened.

The paper, Practical Attacks against WEP and WPA, is available for download. Giddy up!

Related articles by Zemanta

• WEP = Fail; WPA+TKIP = Fail (q-ontech.blogspot.com)
• One-minute WiFi crack puts further pressure on WPA (arstechnica.com)
• New attack cracks common Wi-Fi encryption in a minute (infoworld.com)
• New attack breaks Wi-Fi security in a minute (vator.tv)
• WPA networks cracked in just under a minute, researchers claim (engadget.com)