Author: Andrew Hay

Book Review: PCI Compliance: Implementing Effective PCI Data Security Standards

When I first received this book from Syngress I was very excited. I knew nothing about PCI compliance, other than that it was a big-ticket item and that everyone processing Visa transactions was affected in some way because of it. I can honestly say that I tore through this book and didn’t put it down until I reached chapter 13. I was completely wrapped up in it, as it was something I knew nothing about and wanted to know more!

Chapters 1 through 3 introduce you to the concepts behind PCI compliance including what it is and who needs to comply. These chapters really set the stage for what the rest of the book has to offer the reader.

Chapter 4 provides a technology overview of firewalls, intrusion systems, antivirus solutions, and common system default settings. Personally I felt that Chapter 4 was filler content just to add a chapter. It may, however, serve as a good reference for those in management roles who do not have “hands-on” interaction with the architecture of their environment.

Chapter 5 explains how to go about protecting your cardholder data as dictated by PCI requirements 3 & 4. This is a great chapter for anyone new to securing infrastructure to meet the requirements of a PCI audit. The authors also provide a fantastic section entitled “The Absolute Essentials” which offers suggestions on the minimum protection you can employ to protect your cardholder data.

Chapter 6 was by far my favorite chapter, and Syngress has offered it as a free download from their website. Many of you know what I do for a living and know how important understanding logging, and the requirements for logging, is to my day-to-day duties. This chapter focuses on PCI Requirement 10, which details how you must handle the log data collected in your PCI environment. As soon as I started reading this chapter I knew that Dr. Anton Chuvakin had written this section of the book, or at least had heavy input into its direction. This chapter alone makes the book worth its weight in gold.

Chapter 7 details the importance of access control in your PCI environment. For obvious reasons, access to your cardholder data must be recorded and checked with a fine-tooth comb. User privileges, authentication, authorization, and user education are also covered in this chapter. The chapter goes further to provide examples of ensuring your Windows, Unix/Linux, and Cisco infrastructure meets PCI requirements.

Chapter 8 explains how to leverage vulnerability management solutions to meet PCI requirements 5, 6, and 11. The authors also provide two very good case studies to help the reader put things into perspective.

Chapter 9 focuses on the monitoring and testing of your environment. The authors are quick to point out that monitoring and testing must continue even after the audit in order to ensure you remain compliant.

Chapter 10 details how to drive your PCI project from the business side in order to ensure you accomplish your objectives. Suggestions are provided on budgeting time and resources, keeping staff in the loop, and justifying the business case to your executive team. The authors also offer a step-by-step “checklist” for ensuring your project runs smoothly and that all of your bases are covered.

Chapter 11 explains the various responsibilities within the organization for ensuring the PCI project succeeds. One of the key things to take away from this chapter is the role of the Incident Response team and its need to understand the requirements of PCI compliance.

Chapter 12 is a really good “eye-opener” that prepares you for the failure of your first audit. The key thing to take away from this chapter is to not blame the auditor, the same way you shouldn’t blame a referee in sports. They’re simply there to do their job to the best of their ability. If you have a problem with the way they are doing their job, bring it up with their superior. Perhaps their decision will get overturned?

Chapter 13 brings you into an “OK, now what?” phase. This chapter provides a detailed overview of the various requirements and breaks each requirement into “Policy Checks” and “Hands-on Assessments” sections. The policy checks discuss policies that should be reviewed to verify that they are up to date, and the hands-on assessments sections give ideas on testing these policies. The best part is that the authors suggest open source solutions to help you protect your PCI compliance investment.

I give this book 5 stars as it is the best PCI reference I have found on the market. Everything I found in this book will allow me to understand the compliance requirements of my existing customers, their process, and their overall goals. Hats off to the entire team of authors.

Suggested Blog Reading – Wednesday August 22nd, 2007

Man, what a week so far. It’s been so busy that I don’t have a moment to breathe.

Here is the list:

CSFA Test Vouchers – You still have to make your way there but the promise of free vouchers might make it worth your while.

CyberSecurity Institute will be giving away five vouchers for the CyberSecurity Forensic Analyst certification. The vouchers will be good through 2008.

Publication of Hachoir project version 1.0 – Something to check out.

Hachoir is a framework for binary file manipulation: file format recognition, metadata extraction, searching files in any binary stream (forensics), viewing file content with human representation, etc. It’s composed of many components…

UT Determines Stolen Laptop Contained Student Information – Could encryption have helped here? I think so.

While investigating the theft of a laptop stolen from the University of Toledo’s student recreation center in late June, campus police discovered that the laptop contained the names and Social Security numbers of at least 30 students and an unknown number of staff members. The university began sending out letters to students and staff letting them know how to protect themselves against identity theft. The laptop was stolen from the office of Judith Campbell, the assistant director of the recreation center. According to Ms. Campbell, the office was locked but the door does not always close. In addition, campus lifeguards often use Ms. Campbell’s office as a shortcut to the stairwell.

Side-Channel Detection Attacks Against Unauthorized Hypervisors – Good article with some good visual references to drive the point home. I really enjoyed the use of Sesame Street characters 🙂

Your goal as a modern computer system is to stay as close to Oscar the Register as possible. Your goal as a modern computer system is to stay the hell away from Ernie the DRAM cell, as much as possible. Ernie is slow. That’s what Cache Monster is for.

Solaris PCI Audits and other Updates – Some additional checks to ensure you’re compliant between audits.

Tenable Network Security has released a Solaris audit policy for PCI 1.1 configurations. We’ve also released a new SuSE Linux best practices audit policy and have updated several others. These are all available to Tenable Direct Feed and Security Center customers through the Tenable Support Portal.

Another Presentation: Logs for Information Assurance and Forensics @ USMA – Another presentation posted by Anton. Check it out.

Here is my old presentation “Logs for Information Assurance and Forensics” that I gave at USMA, West Point last year when I was giving a lecture there.

Rubik’s cube solved in 26 moves or fewer – You paid how much for your education, and your biggest accomplishment to date is working out how quickly you can solve a Rubik’s cube? Give this guy the Nobel Prize!

Northeastern Computer Science PhD student Daniel Kunkle has proven that any configuration of a Rubik’s cube can be solved in 26 moves or fewer. The previous upper bound was 27.

A step-by-step guide to building a new SELinux policy module – For anyone who knew what SELinux conceptually was but was afraid to implement 🙂

A lot of people think that building a new SELinux policy is magic, but magic tricks never seem quite as difficult once you know how they’re done. This article explains how I build a policy module and gives you the step-by-step process for using the tools to build your own.
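To go with the linked guide, here is an added example (my own, not code from the linked article) of the standard three-step build of a small SELinux policy module: write the Type Enforcement (.te) source, compile it with checkmodule, and package it with semodule_package. The module name myhttpd_extra and the rule it grants (httpd_t reading var_log_t files) are assumptions chosen for illustration; in practice you would derive the rule from your own AVC denials with audit2allow. The compile step is skipped cleanly when the SELinux userspace tools are not installed, so the script can be run anywhere.

```shell
#!/bin/sh
# Added example, not from the linked article. Builds a minimal SELinux
# policy module. Module name and the allow rule are hypothetical.

MODULE=myhttpd_extra   # assumption: hypothetical module name

# Emit the Type Enforcement (.te) source for the module to stdout.
# "require" declares the types and object classes the module references;
# "allow" is the single access rule the module grants.
write_te() {
    cat <<EOF
module ${MODULE} 1.0;

require {
    type httpd_t;
    type var_log_t;
    class file { open read getattr };
}

# Hypothetical rule: let the Apache domain read files labelled var_log_t.
allow httpd_t var_log_t:file { open read getattr };
EOF
}

# Compile .te -> .mod (checkmodule) -> .pp (semodule_package).
# Returns 0 on success, 1 on a compile error, and 2 when the SELinux
# userspace tools are absent so nothing is attempted.
build_module() {
    if ! command -v checkmodule >/dev/null 2>&1 \
       || ! command -v semodule_package >/dev/null 2>&1; then
        echo "checkmodule/semodule_package not found; skipping compile" >&2
        return 2
    fi
    write_te > "${MODULE}.te"
    checkmodule -M -m -o "${MODULE}.mod" "${MODULE}.te" || return 1
    semodule_package -o "${MODULE}.pp" -m "${MODULE}.mod" || return 1
    echo "Built ${MODULE}.pp; install it with: semodule -i ${MODULE}.pp"
}
```

Install the resulting package as root with `semodule -i myhttpd_extra.pp`, then confirm it is loaded with `semodule -l | grep myhttpd_extra`. Keep the rule as narrow as the denial you are fixing; a broad allow rule in a local module quietly undoes the confinement the targeted policy gives you.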

Vista IR – I still have yet to install Vista but I’m starting to think I should just so I don’t fall behind.

I recently started doing some testing of IR tools on Vista, using Vista Ultimate (32-bit) installed into a VMWare Workstation 6.0 virtual machine.

Part of my testing involved running some tools on Vista to see how they worked, and another part involved mounting the *.vmdk file for my Vista VM using the latest versions of VDK and VDKWin.

Suggested Blog Reading – Sunday August 19th, 2007

In-laws are in town this week, which tends to cut down on computer time. On the plus side, we did get some good work done in the garage this weekend, as well as installing a filter in the basement for the water (still a bit leaky, but my father-in-law is going to take care of that Monday).

Here is the list:

The Magical “Human Security Layer” – I’d say the “Human Layer” is by far the most important, and most likely to be exploited, layer in your enterprise.

One thing that many managers overlook is that, while login banners are necessary from a legal point of view to show some amount of due diligence, the fact is many people ignore the same message that pops up every day. That doesn’t make the employees less responsible, just less effective.

How To Configure Apt Sources.List – For Complete Newbies – With more and more people switching to Ubuntu, it’s critical that you have the proper sources for updates (and cool stuff).

So you were playing with your Apt sources.list and somehow ruined it. No matter how hard you try you cannot get it back. Every time you try to install a package you get error messages. Now what?

Don’t despair … I’ve been there and found an easy answer: The Aptitude Source-O-Matic: http://www.ubuntu-nl.org/source-o-matic/

August SRT: Security Career Success – I haven’t had time to listen to this yet but I do plan on it.

We had an excellent panel together to talk about how you can build a successful security career, with Michael Santarcangelo, Mike Murray, Dan Sweet and Ron Vereggen. Any one of these gentlemen would be an outstanding career coach by themselves, but having them all together on one phone call made for an exceptionally enlightening session. I add a little flavor as someone who’s in the middle of a job search right now. There’s a lot of good information here, whether you’ve already got a career in security or are contemplating one.

BlackHat Encore Webinar Presentation – I’ll have to see if I can make it.

A lot of people were unable to make it to Black Hat this year and asked how else they might see the presentation RSnake and I gave, “Hacking Intranet Websites from the Outside (Take 2)–”Fun with and without JavaScript Malware”. So we decided to do an encore performance webinar style. This means wherever you are in the world (relatively speaking), you can participate and perhaps ask a question of either RSnake or myself live. If you are already well familiar with all the latest and greatest attack techniques discussed here, on RSnake’s blog, and elsewhere… you won’t see much “new”. But maybe if you have an hour to kill and want to see a few demos, why not… it’s free!

How to make a website harder to hack – Jeremiah brings up a good point. When speaking with a vendor about any proposed security solution make sure you ask them “What does your product do to protect me and my network.” If you want to see them sweat while doing it ask them to explain it without using any buzzwords 🙂

I mean, that’s what web application security is all about. We know websites will never be 100% secure, just like software will never be 100% bug free. We also know web application hacks are targeted. All we have to do is look at CardSystems, the U.N., MySpace, CNBC, UC Davis, Microsoft UK, Google, Dolphin Stadium, Circuit City, T-Mobile, and many other incidents to figure that out. Bad guys don’t hammer away at eComSiteA then mistakenly hack into WebBankB. It doesn’t work like that. The victim is the one they’re targeting in the browser URL bar. So instead we should approach website security in terms of time and difficulty, just like they’ve done for decades in physical security–with burglary resistance, fire resistance, alarm systems, etc.

IR “Best Practices” – Harlan’s back….Harlan’s back!

So, I’ve been talking to a number of different folks recently, having discussions during my travels to and fro about incident response and computer forensics. Many times, the issue of “best practices” has come up and that got me thinking…with no specific standards body governing computer forensics or incident response, who decides what “best practices” are? Is it FIRST? After all, they have “IR” in their name, and it does stand for “incident response”. Is it the ACPO Guidelines that specify “best practices”?

TJX reports a loss due to cardholder data breach – Maybe we should send them a card….or maybe some flowers? That’s really too bad 🙂

TJX is back in the news and reporting over a hundred million dollar loss due to the massive cardholder data breach.

People continually ask why they got off so easy, but as the losses continue to pile up I’m sure the CEO is asking, “why weren’t we compliant?”

Immunity Debugger v1.0 (immdbg) Release – Download it Now! – Cool. This is a great tool. Glad to see there is a 1.0 release finally.

After almost a year of intensive development and internal use, Immunity (the guys who brought us CANVAS) has announced the public release of Immunity Debugger v1.0. The main objective for this tool was to combine the best of command-line based and GUI based debuggers.
