Sunday, October 25, 2009

On PCI and Whitelisting

I am hearing some interesting rumors… But let’s take a step back. PCI DSS Requirement 5.1 mandates the use of anti-virus on systems in scope for PCI (“Deploy anti-virus software on all systems commonly affected by malicious software”).

Now, when people think “AV software” they think about classic anti-virus with daily signature updates, painful scans, etc. In other words, “enumerating badness”, blacklisting, FAIL, etc. Given the relatively low adoption of whitelisting for desktop security (and slightly wider adoption for single-purpose systems such as PoS or industrial control boxes), I was under the impression that the question of whether a whitelisting product would be a satisfactory control for PCI Requirement 5 had never been presented to a QSA.
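To make the “enumerating badness” point concrete, here is a small added example (mine, not code from the post or from any whitelisting vendor) that runs the two models side by side on constructed, hypothetical sample “binaries”: a blacklist that permits anything not already known bad, and a hash-based allowlist that permits only what was baselined and denies everything else by default. The sample payloads, names and the single-byte tampering are assumptions made for the demo; real products add signer, publisher and path rules on top of plain file hashes.

```python
import hashlib

# Constructed sample "executables" for illustration only (hypothetical, not real binaries).
POS_APP_V1 = b"MZ\x90\x00" + b"pos-terminal-app v1.0"
KNOWN_MALWARE = b"MZ\x90\x00" + b"keylogger sample with a published signature"
NOVEL_MALWARE = b"MZ\x90\x00" + b"freshly packed dropper nobody has a signature for"

# A copy of the approved app with one byte flipped, standing in for a trojanized binary.
_tampered = bytearray(POS_APP_V1)
_tampered[10] ^= 0x01
TAMPERED_POS_APP = bytes(_tampered)


def sha256_hex(data: bytes) -> str:
    """Hash used as the file identity in both models."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved_binaries):
    """Baseline step: record the hash of every binary permitted to run on the box."""
    return {sha256_hex(b) for b in approved_binaries}


def blocklist_permits(data: bytes, bad_hashes: set) -> bool:
    """Classic AV model: permit anything that is not already known bad (default allow)."""
    return sha256_hex(data) not in bad_hashes


def allowlist_permits(data: bytes, good_hashes: set) -> bool:
    """Whitelisting model: permit only what was explicitly approved (default deny)."""
    return sha256_hex(data) in good_hashes


def evaluate(samples, good_hashes, bad_hashes):
    """Return {name: (blocklist_verdict, allowlist_verdict)}, True meaning 'allowed to run'."""
    return {
        name: (blocklist_permits(data, bad_hashes), allowlist_permits(data, good_hashes))
        for name, data in samples.items()
    }


# Constructed inputs: what the "box" sees at execution time.
SAMPLES = {
    "pos_app_v1": POS_APP_V1,
    "known_malware": KNOWN_MALWARE,
    "novel_malware": NOVEL_MALWARE,
    "tampered_pos_app": TAMPERED_POS_APP,
}
ALLOWLIST = build_allowlist([POS_APP_V1])          # only the approved PoS binary
BLOCKLIST = {sha256_hex(KNOWN_MALWARE)}            # only the sample with a signature

if __name__ == "__main__":
    for name, (bl, wl) in evaluate(SAMPLES, ALLOWLIST, BLOCKLIST).items():
        print(f"{name:18} blocklist={'PERMIT' if bl else 'DENY':6} "
              f"allowlist={'PERMIT' if wl else 'DENY'}")
```

The novel dropper and the tampered copy of the approved app both sail past the blacklist and are both stopped by the allowlist; the price, as the post notes, is that every legitimate update to the approved binary changes its hash and has to be re-baselined, which is exactly the policy-maintenance burden a single-purpose PoS box makes tolerable.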

Well, I was mistaken. It seems that many QSAs WILL accept a whitelisting-based security application for Req 5, even if it is a pure whitelisting app with no embedded blacklisting mini-engine. Isn’t it cool?

And the rumor was that the PCI Council will issue some kind of an opinion on this soon. So, maybe, just maybe, the PCI gods will bless this technology into wider adoption – I think it might well happen. And I think it deserves to happen, especially since some vendors have usable implementations of whitelisting that do not plunge their users into “granular-policy-writing hell” (but more on this in the future…).

BTW, my favorite whitelisting vendor, Savant Protection (where I serve on the advisory board) is doing a fun webinar on Tuesday, October 27th.

Dr Anton Chuvakin