Tuesday, August 26, 2008

Run Through PCI DSS 1.2 Changes

Finally, I found time to read the PCI DSS 1.2 change doc. So:

  • Good news: a router is now officially a firewall (it has been for a while, but many people are still stuck in the "security device" vs "network device" cloud) - see Req 1
  • From the "WTH dept": anti-virus is a MUST on ALL platforms - Req 5. Please ship me some of the stuff they are smoking; I want it! BTW, I am going to Amsterdam soon :-)
  • WAF or code review for web application security is still a stupid "OR" - Req 6.6. OMG, please, software security folks, teach them the truth.
  • Can we kill "plain text passwords" once and for all? Req 8 tries to achieve that noble goal (good thing!)
  • Visit your offsite data storage - a good (if costly) idea - added to Req 9. Requirements to secure electronic AND paper media are solid too.
  • Love it, love it! Req 10 explains that logs need to actually be available: 'three months of audit trail history must be "immediately available for analysis" or quickly accessible' (bye-bye, silly log dumps...)
  • Some vulnerability stuff clarified in Req 11, mostly about ASVs and pentesting.
  • Scope of the security policy is expanded to "employee-facing technologies" (what a term!) - Req 12
  • All over: more references to wireless (WEP, access points, hidden SSIDs, etc.) - indeed, recent data losses are often due to insecure wireless.

Overall, a minor change that, sadly, doesn't touch a few KEY areas, virtualization for one.

Dr Anton Chuvakin