Clarifying, Somewhat, The PCI Wireless Security Standards
Written by David Taylor, GuestView Columnist. David Taylor is the Founder of the PCI Knowledge Base and a former E-Commerce and Security analyst with Gartner.
The Wireless Special Interest Group of the PCI SSC has just issued a set of guidelines to help companies ensure that their wireless networks are secure and effectively segmented to limit the potential for damage to the cardholder data environment if a portion of the wireless network should be compromised.
(Related story: our coverage of the new PCI wireless guideline document itself.) Given that such a compromise resulted in the TJX breach and many others, the document provides some very worthwhile guidance. OK. So it’s a good document. What’s the point of writing about an implementation guideline beyond telling people to read it? Actually, there are three points that I think are worth making about wireless security, based on our PCI best practices research:
One of the technical controls introduced with PCI DSS 1.2 is the wireless IDS/IPS. It is listed as an option; the other option is to manually carry a laptop around corporate sites and stores that run wireless networks on a quarterly (or more frequent) basis and see whether any networks appear that the security person (if any) does not recognize.
Although it’s certainly understandable that, for SMEs, the cost of a wireless IDS/IPS can be prohibitive, this is the sort of technology that should be mandatory for larger (i.e., Level 1 and 2) companies. That is not only because of the time and effort that it saves, but also because it can be extremely difficult to spot “rogue” or malicious networks in dense urban areas, shopping malls and large multi-company facilities.
Beyond the analytics provided by such automated tools, the company also needs to maintain accurate device inventories and implement a thorough remediation process. But the point here is that the more labor intensive the wireless network detection process is, the less often it is going to be performed, and the less value it is going to deliver in terms of early breach detection.
One of the aspects of wireless security that I wish this implementation guideline covered in more detail is the detection of rogue wireless networks, especially at the store level. An increasingly common hack is for criminals to find live, open network plugs in the backend of retail stores and plug in small, discreet wireless access points, which can allow them to bypass some network segmentation controls, and remotely gather information.
Whether in this document or another document, it would be a very useful guideline to help IT managers and even store managers know what to look for physically as well as technically. Although PCI QSAs are very experienced in looking for these hacks, many self-assessors rely heavily on simple network scans and do not do a physical inventory of all network access points at all stores to see what’s plugged into them.
In addition, it is very rare for the results of the wireless network scans to be compared with an accurate store-level IT device inventory, because most are out of date or do not reflect the myriad different wireless network pilots, implemented by multiple local and regional vendors as well as corporate.
The result is that a store manager or IT manager from corporate or a regional office may not be able to tell whether a new wireless network was installed by a legitimate vendor or was installed surreptitiously. Since most store or regional IT managers are reluctant to simply unplug a device (due to the risk of messing up a business application), malicious wireless network devices may be left in place for weeks or months at a time.
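One way to perform the comparison the column calls for, as an added example that is not from the column or the PCI SSC guideline: it reconciles the output of a wireless scan against a store-level inventory of approved access points and sorts the differences into buckets an IT manager can act on. The scan lines, the inventory and the "BSSID SSID channel RSSI" line layout are constructed assumptions, not any scanner's real format.

```python
# Constructed sample data; the line layout "BSSID SSID channel RSSI_dBm"
# and the inventory schema are assumptions, not any scanner's real format.
SCAN = """\
00:11:22:33:44:01 STORE-POS 6 -41
00:11:22:33:44:02 STORE-GUEST 11 -55
DE:AD:BE:EF:00:01 STORE-POS 6 -38
aa:bb:cc:dd:ee:ff CoffeeShop-WiFi 1 -80
"""

# Approved APs by BSSID, with the SSID their deployment record says they broadcast.
INVENTORY = {
    "00:11:22:33:44:01": "STORE-POS",
    "00:11:22:33:44:02": "STORE-GUEST",
    "00:11:22:33:44:03": "STORE-POS",
}


def parse_scan(text):
    """Return (bssid, ssid, channel, rssi) tuples; BSSIDs normalised to lowercase."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            bssid, ssid, ch, rssi = line.split()
            rows.append((bssid.lower(), ssid, int(ch), int(rssi)))
    return rows


def reconcile(scan, inventory, strong_dbm=-60):
    """Sort observations into buckets. An unlisted AP rebroadcasting an
    inventoried SSID, or one heard strongly (likely inside the premises),
    ranks above a faint neighbour; inventoried-but-unseen APs flag a stale list."""
    inv = {b.lower(): s for b, s in inventory.items()}
    known_ssids = set(inv.values())
    findings = {"ssid_spoof": [], "unknown_strong": [], "unknown_weak": [],
                "ssid_mismatch": [], "missing": []}
    seen = set()
    for bssid, ssid, ch, rssi in scan:
        seen.add(bssid)
        if bssid in inv:
            if inv[bssid] != ssid:          # approved device, unexpected SSID
                findings["ssid_mismatch"].append(bssid)
        elif ssid in known_ssids:           # unlisted device using our SSID
            findings["ssid_spoof"].append(bssid)
        elif rssi >= strong_dbm:            # unlisted and close by
            findings["unknown_strong"].append(bssid)
        else:                               # unlisted, probably a neighbour
            findings["unknown_weak"].append(bssid)
    findings["missing"] = sorted(set(inv) - seen)   # offline or stale inventory
    return findings


if __name__ == "__main__":
    for bucket, aps in reconcile(parse_scan(SCAN), INVENTORY).items():
        print(f"{bucket:15} {', '.join(aps) or '-'}")
```

Each bucket maps to a different follow-up: a spoofed or strong unknown BSSID needs a physical check of the network plugs it could be on, while a missing entry means the inventory itself needs correcting before the next scan.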
July 23rd, 2009 at 10:36 am
David makes some very good points here. As described in the wireless guidelines document, a wireless IDS/IPS is really the only practical way to achieve PCI compliance. Walkaround audits are expensive, unreliable and not scalable. Traditional, onsite wireless IDS/IPS systems have often come with a high price tag and only a few large organizations can afford them.