Wednesday, May 20, 2009

How to Harness the Power of PCI DSS? Tip #1

Inspired by the panels we did on PCI (here, here),  I decided to start a series of posts with tips on harnessing  the amazing motivating power of PCI DSS for meaningful security improvements. Enough ranting; let’s give those PCI skeptics something to whine about!

Let’s start from the obvious. There are a few general ways in which PCI provides value to organizations; such as by creating awareness or motivation for security improvements and data security in particular, helping loosen security budgets (and points at a few things that you probably should have bought even without PCI…), providing a simple laundry list of basic security controls (for those who don’t know what they are) as well as by simplifying [some say too much] “the whole security thing” for those who would otherwise ignore it.

However, this is not what I have in mind here: I’d like to draw my readers’ attention to a few specific things in PCI DSS guidance that will help with security if they are implemented. Also, please keep in mind that your PCI QSA is your final authority on what must be done for PCI, not some random blog on the Internet! :-)

Finally, these tips are most useful for those in the trenches who are required to comply with PCI DSS while keeping the systems running and secure but maybe do not know how,  and not to those who whine, bitch,  blog and now twitter their way to infamy…

So, got a nice heavy PCI hammer? Where do you hit for security?


Tip #1 will focus on something very  basic, non-controversial and – we are in luck! – spelled out very clearly in PCI DSS: namely, passwords.

PCI DSS has a few areas where the use of passwords for cardholder data security is discussed:

Requirement 2 covers the following:  “2.1 Always change vendor-supplied defaults before installing a system on the network—for example, include passwords, simple network management protocol (SNMP) community strings,  and elimination of unnecessary accounts.”

This simply means make sure that if you buy “a piece of IT” which has a default password, it is changed right before said piece of technology is connected to a production network. Simple, obvious [for those doing security for more than a few minutes :-)]  and useful, since password guessing and default account trawling are still common ways to break into networks. BTW, I said “a piece of IT” and not “a computer”, since it applies to various devices (routers, switches, wireless gateways, etc) as well.

Requirement 8 covers the following:

“8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography.”

This simple means that passwords should never travel across the network in clear text (such as in FTP and – gasp! – telnet). BTW, for every one time that somebody says that “nobody is using telnet anymore”, I can point at a box that has telnet enabled (yes, this is 2009, not 1989!)

Same requirement also has the following guidance:

“8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use.”

“8.5.7 Communicate password procedures and policies to all users who have access to cardholder data.“

“8.5.8 Do not use group, shared, or generic accounts and passwords.”

“8.5.9 Change user passwords at least every 90 days.”

“8.5.10 Require a minimum password length of at least seven characters.”

“8.5.11 Use passwords containing both numeric and alphabetic characters.”

“8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.”

This simply means that passwords should be kept secret, hard to guess, hard to break, changed frequently-enough-but-not-too-frequently, and not reused – and that all the above stuff should be known to everybody who can change his/her own password and who can touch card data.

Some automated tools can scan your systems and automatically verify that such configuration settings are in use across many systems.

BTW, if you read this and thought “huh? there is nothing here that I didn’t know before,” I have a secret to tell you: this was NOT written for you; this was written for somebody who runs the site where you just bought that new iPhone and who now has your credit card data…

Dr Anton Chuvakin