Segmentation is, and probably always will be, a hot topic in the world of PCI. Effective segmentation is the primary subject of conversation as organizations struggle to reduce the scope, and the resulting financial impact, of achieving and sustaining PCI compliance. Given the enormous number of possible implementations, it would be very difficult for the PCI SSC to take a specific stance and define what actually constitutes “effective segmentation.”
So this leaves us with every QSA’s and merchant’s favorite PCI SSC chant: “It’s up to the QSA.”
One big area of the segmentation discussion surrounds the use of VLANs as part of segmenting the CHD. Dr. W. David Sincoskie and Chase Cotton created and refined the algorithms that eventually became VLANs and published their work in IEEE Network in 1988 (http://en.wikipedia.org/wiki/Virtual_LAN). Since then, VLANs have become a major part of most networking environments. However, VLANs have been getting a bad rap from the security community in recent years.
The PCI Wireless Guideline information supplement, published in July 2009, states:
“Relying on Virtual LAN (VLAN) based segmentation alone is not sufficient. For example, having the CDE on one VLAN and the WLAN on a separate VLAN does not adequately segment the WLAN and take it out of PCI DSS scope. VLANs were designed for managing large LANs efficiently. As such, a hacker can hop across VLANs using several known techniques if adequate access controls between VLANs are not in place.”
Relying on VLAN-based segmentation is not sufficient? Does this suggest that the only method of proper segmentation would be air gapping? That is, each network must completely stand on its own, never traversing a common infrastructure, where the common infrastructure would include firewalls, switches and routers.
This approach is not feasible in an enterprise environment, nor do I believe it is really the intent of this writing, although I’m at a loss as to how they would suggest that you segment if you are not to use VLANs at all.
The issue with segmentation is not the use of VLANs for segmentation. The real concern is how traffic that crosses from one VLAN to another is controlled. The devices, technologies and processes used to regulate, manage and inspect traffic flowing from a VLAN of one security level to another should be the focus of concern.
Are access lists OK? What about firewalls? How about deep packet inspection?
Access lists are a common way of managing traffic flow between VLANs. Access lists can be applied to routers, firewalls and switches. If a conventional (non-reflexive, stateless) access list is used to manage traffic, the access must be defined for both directions: one entry allows traffic to leave a VLAN, and another entry is needed to allow the return traffic back into the VLAN. Because the filter has no notion of an established connection, these return entries create persistent, always-open “holes” for traffic to pass through.
The security concern with this approach is that the “open” return entry must often permit traffic from a lower-security level into a higher-security level, creating a possible attack vector into the higher-security area: any host in the lower-security VLAN that sends from the permitted port matches the return entry, whether or not a session was ever initiated from the higher-security side.
Reflexive access lists (also known as IP session filtering ACLs) are designed to alleviate this problem by tracking connection state and only allowing return traffic for established sessions. For example, when traffic exits VLAN1 destined for VLAN2, the RACL records the source and destination addresses and ports and creates a temporary entry that permits only the mirror of that flow back in: traffic from that destination address and port to the originating address and port. This removes the need for a permanent return entry and, in turn, reduces the exposure of the open ports when they are not in use. It is important to note that RACLs only provide full session awareness for TCP, where the temporary entry is removed when the session closes (FIN or RST); for other protocols RACLs rely on idle timeouts to remove entries, so a UDP “session” stays open for as long as the timeout allows. RACLs also cannot follow applications that negotiate a secondary data channel (active-mode FTP, for example), because the second connection never matches the recorded flow.
A firewall adds a further level of security over reflexive access lists by providing full session-state tracking for protocols beyond TCP as well as deep packet inspection capabilities. Deep packet inspection looks further into the payload of the traffic passing through the firewall, inspecting the application-layer content carried above TCP or UDP rather than just the addresses and ports.
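To make the difference concrete, here is an added example (my own illustration, not code from this page, from Cisco or from any other vendor) that models a conventional two-direction ACL next to a reflexive ACL and runs both over the same constructed packet sequence between a CDE VLAN and a lower-security VLAN. The hosts, addresses, ports, the proxy and DNS peers and the 300-second idle timeout are all assumptions chosen for the illustration; the filter logic follows the behaviour described above: the reflexive filter records each permitted outbound flow and admits only its mirror image, takes TCP entries down on FIN/RST, and ages everything else out on idle timeout.

```python
"""Added illustration: stateless ACL pair versus reflexive ACL.

Constructed example, not vendor code. Addresses, ports and the
idle timeout are assumptions chosen to show the behaviour.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool      # True: CDE VLAN -> other VLAN; False: other VLAN -> CDE VLAN
    t: float = 0.0      # seconds since the first packet, used for idle timeouts
    fin: bool = False   # TCP FIN/RST, which ends a tracked session


class StatelessACL:
    """Two permanent entries, one per direction. The inbound entry is the
    persistent hole: any packet sourced from a permitted service port and
    aimed at a high port on the CDE matches, solicited or not."""

    def __init__(self, service_ports):
        self.service_ports = set(service_ports)

    def permit(self, p: Packet) -> bool:
        if p.outbound:
            return p.dport in self.service_ports
        return p.sport in self.service_ports and p.dport > 1023


class ReflexiveACL:
    """Admit inbound traffic only if it mirrors a recorded outbound flow."""

    def __init__(self, service_ports, idle_timeout=300):
        self.service_ports = set(service_ports)
        self.idle_timeout = idle_timeout
        # (proto, cde_ip, cde_port, peer_ip, peer_port) -> time last seen
        self.sessions = {}

    def _expire(self, now):
        # Entries that have been idle longer than the timeout are removed;
        # this is the only way a non-TCP entry ever goes away.
        for key, last in list(self.sessions.items()):
            if now - last > self.idle_timeout:
                del self.sessions[key]

    def permit(self, p: Packet) -> bool:
        self._expire(p.t)
        if p.outbound:
            if p.dport not in self.service_ports:
                return False
            self.sessions[(p.proto, p.src, p.sport, p.dst, p.dport)] = p.t
            return True
        key = (p.proto, p.dst, p.dport, p.src, p.sport)   # mirror of the outbound 5-tuple
        if key not in self.sessions:
            return False
        if p.proto == "tcp" and p.fin:
            del self.sessions[key]          # session closed: take the entry down
        else:
            self.sessions[key] = p.t        # refresh the idle timer
        return True


# Constructed hosts: one CDE server; a proxy, a DNS server and a rogue host
# in the lower-trust VLAN.
CDE_HOST = "10.20.0.15"
PROXY = "10.30.0.8"
DNS = "10.30.0.53"
ROGUE = "10.30.0.99"
SERVICE_PORTS = {8080, 53}

SCENARIO = [
    Packet("tcp", CDE_HOST, 51000, PROXY, 8080, True, 0),              # 0: CDE host opens to proxy
    Packet("tcp", PROXY, 8080, CDE_HOST, 51000, False, 1),             # 1: legitimate reply
    Packet("tcp", ROGUE, 8080, CDE_HOST, 51001, False, 2),             # 2: unsolicited, sent from port 8080
    Packet("tcp", PROXY, 8080, CDE_HOST, 51000, False, 3, fin=True),   # 3: proxy closes the session
    Packet("tcp", PROXY, 8080, CDE_HOST, 51000, False, 4),             # 4: traffic after the close
    Packet("udp", CDE_HOST, 52000, DNS, 53, True, 10),                 # 5: DNS query
    Packet("udp", DNS, 53, CDE_HOST, 52000, False, 12),                # 6: timely answer
    Packet("udp", DNS, 53, CDE_HOST, 52000, False, 400),               # 7: "answer" after the idle timeout
]


def evaluate(acl, packets=SCENARIO):
    return [acl.permit(p) for p in packets]


def stateless_results():
    return evaluate(StatelessACL(SERVICE_PORTS))


def reflexive_results():
    return evaluate(ReflexiveACL(SERVICE_PORTS, idle_timeout=300))


if __name__ == "__main__":
    for name, results in (("stateless", stateless_results()), ("reflexive", reflexive_results())):
        print(name, ["permit" if r else "deny" for r in results])
```

Run as a script it prints a permit/deny verdict per packet: the stateless pair permits all eight, including the unsolicited packet from the rogue host (index 2), the traffic arriving after the TCP close (4) and the stale UDP packet (7); the reflexive filter denies exactly those three. On a Cisco router the equivalent is an extended ACL whose outbound entries carry the `reflect` keyword and an inbound list that uses `evaluate`; the model above is only the policy logic, not that syntax.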
PCI DSS requirement 1.2.3 states:
Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.
There is a debate in the industry on how ACLs or RACLs play a role as it pertains to DSS requirement 1.2.3. I have heard of assessors who require a physical firewall or, at a minimum, a firewall feature (such as the Cisco IOS Firewall feature set) on routers acting in this capacity. As noted above, a firewall will provide additional security functions such as DPI; however, it is important to note that these DPI features provide application-aware stateful inspection only for a defined list of protocols (HTTP, FTP, SMTP, etc.) by default. If the traffic traversing the VLANs is not one of the defined protocols, then in most cases it gets generic TCP or UDP inspection, which behaves much like a reflexive ACL, and the firewall feature set provides little added value over the standard RACL features. In many environments the application ports crossing these VLANs are non-standard, vendor-specific ports rather than well-known ones. In those cases a RACL on a router or switch winds up supplying almost identical security controls to what a DPI firewall would. Whichever device enforces the policy, expect the assessor to want the actual rule set, a business justification for each permitted flow, and evidence that everything else is denied.
VLAN security has come a long way since the introduction of VLAN hopping and double tagging in 2000. Vendors have added security features to switches and routers and provided more detailed implementation and configuration guidance. In virtually every case, proper configuration of the networking environment reduces the risk of these attacks: disable dynamic trunk negotiation (DTP) on access ports, give trunks a dedicated, otherwise unused native VLAN so that no access port shares it, prune trunks to only the VLANs they need to carry, and keep VLAN 1 and the management VLAN off user-facing ports.
VLANs are an essential part of managing enterprise networking environments. While the most secure network architecture would be a completely air-gapped environment, the chances of coming across one outside of your local donut shop aren’t very high. Don’t be afraid to roll up your sleeves and get your hands dirty with the details. Grab your QSA, pull them into the ditch with you and force them to think.
How do you think I learned?
In recent months Verizon and Amazon have both issued press releases stating that their cloud computing platforms have been assessed as PCI compliant by third parties. Neither press release says anything about the scope of the assessments or how these uber-achievements in compliance may or may not affect a customer’s compliance efforts. So let’s see if we can shake some of that logic out here.
Let me start off by saying that we have no further information to go on besides the press releases, so admittedly we will need to make some assumptions here. More than likely the scope of the Verizon and Amazon PCI assessments was limited to the management infrastructure it takes to support the cloud services. So they are assessed as a service provider that facilitates the transmission or processing of a merchant’s cardholder data. Essentially they are providing some infrastructure so that the merchant’s applications and systems can operate.
If a merchant decides to place PCI-scoped applications on this infrastructure, the merchant still needs to have that environment assessed as part of its own PCI commitments. So the fact that Verizon, Amazon (or any other service provider) has undergone a PCI assessment of its management infrastructure does not change the fact that the merchant still has to have an assessment done.
Whoever holds the banking relationship bears the burden of validating compliance, either through an assessment or a self-assessment questionnaire. Just because you outsource a portion of your infrastructure does not mean you can outsource the accountability for validating compliance.
In the case of IaaS cloud services, most of these vendors have complete control of the infrastructure up to the virtual server. Your QSA should validate what the merchant has management control over, which in most cases is the virtual machine and everything inside it, plus whatever infrastructure management is supplied as part of the vendor’s stack. Mileage will vary from one IaaS solution to another as to what a QSA may request to validate.
While I think it’s good to see cloud vendors pursuing these types of validation efforts, buyer beware: a compliant cloud doesn’t make you compliant.
This year’s PCI Community Meeting in Orlando was the third community meeting I have attended. In speaking to many of the participants, I have a growing concern about how merchants and service providers are seeking the opinions of QSAs in order to set their annual security budget. This approach is very skewed in my opinion, as the PCI assessment process is meant to measure operations, not establish them. Merchants are not putting resources into proper security, risk and compliance due diligence on a project implementation. They seem to want to avoid that process and simply obtain the opinion of the QSA. Effectively, many merchants seem to be conforming to the QSA’s opinion instead of building their operations around their own organization’s risk and defending that position to the assessing organization.
This view of the QSA is made worse by what I forecast will be a downward trend in the quality of PCI assessments. This is not a shot at any specific QSA or QSA firm; it is merely a reflection of where market pressures are pushing the assessing organizations. QSA companies continue to refine their assessment process, but at the end of the day the goal of a QSA company is to make money by performing more assessments for more clients. To capture market share, cheaper assessments are much easier to sell. As the old saying goes: cheaper, faster, better, pick any two. Which two do you think clients are choosing?
Merchants should not be afraid to stand up to assessors and explain why they implemented a technology in a particular way. PCI is unique in many ways, but what many merchants don’t realize is that they have the QSA’s playbook. The PCI DSS Security Assessment Procedures contain the exact questions the assessor must answer for each requirement. Merchants should build their solution and documentation to address these specific questions. This approach gives the QSA a certain level of comfort that the merchant has at least thought about the impact of compliance.
In the end, the responsibility for a breach falls on the merchant. While it is the assessor’s responsibility to attempt to locate all non-compliant issues within an organization, the assessor will never catch everything that is non-compliant in a particular environment. It is incumbent upon the merchant to operate in a compliant fashion, not to rely on the assessor to tell them what to do to become compliant.
If assessors are pushed to accomplish more in less time, and merchants are fully responsible, it stands to reason that merchants should put more effort into building a security program based on their unique risks and compliance requirements. This program should treat compliance with the DSS, where applicable, only as a minimum standard. Document how each solution meets the actual assessment testing procedure; having to explain the approach to the assessor is a great test of it. Ensure that compliance with the testing procedure is clear and concise and leaves as little room for interpretation as possible.
Merchants should always keep an open communications channel with their QSAs and seek their opinions as part of the planning process. However, it is important to remember that the QSA’s ultimate responsibility is to determine whether your operations adhere to a set of standards, not to make the risk decisions that are best for your business.
In my previous blog post, The PCI Assessment Paradox, I posted a small survey. The survey asked two questions:
- How many assessors were on site during your most recent PCI assessment?
- How long were your assessors on site for your most recent PCI assessment?
I only received six responses to this survey but the results are interesting nonetheless.
How do you know how long your assessor should be on site? Ask yourself whether you would be able to fully understand the size and scope of your environment and sign a document attesting to the compliance of that environment in the time the QSA organization is proposing. Refer to my previous blog post for more information on assessment time frames.
PCI has been around for a while now, and with that experience the companies providing assessments are getting better at defining the PCI assessment process. The assessors have refined what works best in the assessing process: interview schedules, sampling methods, reporting structures, etc.
Publicized breaches of entities that had previously been assessed as PCI compliant have brought additional scrutiny of the assessment process from the PCI Council. The Council has implemented a quality assurance program, which includes placing assessing organizations on probation for insufficient assessing practices.
While the work required to perform a PCI assessment per the documented guidelines is defined, the level of effort seems to vary greatly from organization to organization. I have seen small organizations undergo very thorough assessments by QSA firms, and on the other hand I have seen very large organizations assessed by a single assessor who is on site for less than a week. It becomes easy to see who wins when QSA firms are shopped strictly on price alone.
So what is the “just right” amount of time and effort an assessing organization needs to conduct a proper assessment for you? The assessment process isn’t some kind of voodoo magic. There’s no real shortcut: every assessment must answer every bullet of every testing procedure for every requirement. To me it’s very simple. When choosing a QSA firm, ask yourself whether you would be willing to sign a document attesting to the compliance of an organization of your size and scope given the time and effort the QSA is proposing.
The difficulty is that the companies willing to stand firm on the basis that they are doing what is contractually and ethically required of them by the PCI Security Standards Council and the industry as a whole seem destined to lose out to the volume assessors providing check marks at a low cost.
So be wary of an assessing firm that says it can conduct a Level 1 PCI assessment and only show up for two days on site. Ask yourself: could you sign that attestation form?
How many assessors conducted your most recent assessment, and how long were they on site? I am conducting a brief two-question survey and will post the results.
Our father, mentor and best friend left this world at 9:30 pm on June 8, 2010. Ben Springfield was a wonderful father of three sons (Scott, Brad and myself), though hundreds of people throughout Oklahoma referred to him as Dad, Pops or Pappy. The number of people this man touched over the years is astounding.
His professional life was spent serving others. He served as a Lincoln County Deputy Sheriff, City of Chandler Police Officer and the Director of Emergency Management for Lincoln County. But there was so much more to his service to the community.
Please leave a comment below if my dad impacted you in any way over the years.
Services will be held at the First Christian Church in Chandler, Oklahoma at 10am on Friday, June 11, 2010. The viewing will be any time after noon on Thursday, June 10 at Brown Funeral Home in downtown Wellston.
While he did not die of cancer, he lost his mother to breast cancer and his father to stomach cancer. His sister and I both battled colon cancer. If you would like to make a donation, you can donate to the American Cancer Society in his name. On the American Cancer Society form, please indicate that the donation is an “HONOR” gift. Please make the donation in honor of Ben Springfield and send the card to:
Your donations are greatly appreciated.
It is amazing how we have come to expect nothing but perfection from our anti-virus providers. The recent events stemming from a McAfee DAT update have reminded us of the level of access, and the level of risk, that this type of software has in our environments: a signature file is effectively code that runs with the agent’s system-level privileges on every endpoint that receives it, so a bad one fails everywhere at once.
Would you roll a Microsoft Patch Tuesday update out to your servers straight out of the package with no testing? No, your organization probably has a very formal process for upgrading software: staging, testing, phased roll-outs, etc. It is somewhat strange how differently we treat a vendor such as McAfee when it comes to updating the DAT, given the inherent risks that involves. Granted, this level of impact hasn’t been seen many times in the past.
We want the best of all worlds: to update our anti-virus engines with the most recent packages in order to take advantage of the new protection and reduce our overall risk, but to do it in a manner that gives some assurance we won’t have an operational impact. You know, we want to reduce risk while reducing risk.
What a fine line McAfee has to walk: build increasingly complex signatures that will protect the servers without any room for an adverse effect. Wow, that’s got to be hard. That this has gone on for so many years without a widespread outage is amazing, and I think it shows an amazing track record for McAfee as well as other anti-virus providers. The question, though, is whether this event will affect how organizations update their DATs. The obvious answer is to treat a DAT like any other change: stage it on a representative set of systems first, roll it out in rings, and keep a way to pin or roll back the DAT version if a ring breaks.
Bottom line (is that some sort of pun?): it’s not fun to talk about. But ask your doctor about getting screened.
- Colorectal cancer is the third most commonly diagnosed cancer and the second leading cause of cancer death in both men and women in the US, second only to lung cancer.
- 37% of colorectal cancers are found after the cancer is diagnosed at a regional stage (spread to surrounding tissue).
- 20% of colorectal cancers are found after the disease has spread to distant organs.
Colorectal cancer has a higher annual death rate than prostate cancer for men and breast cancer for women. However, awareness and funding are much, much lower than for breast cancer:
- The Centers for Disease Control and Prevention’s (CDC) 2008 colorectal cancer budget was $14 million, compared to $200.8 million for breast and cervical cancer.
- The National Cancer Institute spent $572.6 million on breast cancer compared to $273.7 million on colorectal cancer research in 2008.
In most cases colon cancer is preventable with proper screening. Talk to your doctor about getting screened before you are 50.
Folks, today is World Cancer Day. In 2005, 7.6 million people died of cancer worldwide. That’s just plain crazy.
Get checked, get off your butt and exercise, eat better, take care of yourself and each other every day.
http://www.newsweek.com/id/232998
So my Apple Time Capsule died back in September. It seems that the first-run units had an issue with power supplies, so much so that someone set up a registration website where you can register your fallen Time Capsule (http://timecapsuledead.org/). It seems 18 months of operation is the key time frame before it goes kaput.
Anyway, my local Apple store very generously offered me a replacement (how about that!). However, when I asked what their data destruction policy was for returned Time Capsule devices, the reply was that Apple doesn’t have one.
For those who don’t know, the Apple Time Capsule is a backup device that wirelessly backs up all of your Apple computers to the 1TB hard drive on board the device. So in this case the power supply died, leaving the hard drive containing the data completely intact. When your device dies, Apple exchanges it for a new device. So you have handed a full, unencrypted backup of all of your computers’ data over to Apple, and they don’t have a policy that restricts what they can do with that data.
In my case Apple didn’t have the exact model of my Time Capsule in stock. They did the exchange paperwork and ordered my new one. I have to bring my broken TC back later this week for exchange. Since the paperwork is now done, I took it upon myself to do a little surgery. I opened up the device, mounted the drive directly to my Mac and erased the data properly. I’m hoping that the exchange will still go through later this week.
Now I am stuck with a decision of what to do with my new Time Capsule. I’m seriously thinking about just eBaying it because I don’t want to be in this position again. It’s not worth the risk to the data for me. I will just continue to back up to my NAS.
I wonder if Apple will adopt a data destruction policy for this type of backup system. As the consumer base becomes more educated on data security issues, I think manufacturers will have to deal with the issue of security on returned devices. Until then, the practical options are to encrypt the backup so that a returned drive is useless to whoever ends up with it, or to wipe or remove the drive before the unit leaves your hands.