PCI Compliance - A Simple Approach with SecurityExpressions
In 2005 the credit card associations adopted a consolidated data security standard, the Payment Card Industry Data Security Standard (PCI DSS). PCI was adopted to raise the level of security within the industry. This article discusses how Altiris' SecurityExpressions product helps companies that want, or are required, to adopt this relatively new standard.
Table of Contents
- Introduction
- About PCI DSS Compliance
- The Twelve Requirements
- Simplifying PCI DSS Reporting
- How Altiris Can Help
- Policy Templates
- Conclusion
- SecurityExpressions Features
Introduction
During the past several years, credit card associations have made a concerted effort to raise the level of security within the industry. In 2000, Visa USA and MasterCard International independently released data security programs. Unfortunately, adoption was slow and compliance lagged, primarily because penalties were uncertain and the competing associations' standards differed. To respond to these issues, the credit card associations adopted a consolidated data security standard, the Payment Card Industry Data Security Standard (PCI DSS), in 2005. While the PCI DSS represented a significant step forward in the mission to increase security within the payments industry, organizations continue to struggle to conform to its numerous requirements.
This article offers a brief history of the payment services industry and discusses some of the common obstacles to compliance. Among these obstacles is a new concern regarding the relationship between national security and data security. Industry best practices will be addressed as they pertain to achieving compliance with the PCI. The risks associated with non-compliance will be discussed, as will ways in which companies can meet compliance in a cost-effective and timely manner.
About PCI DSS Compliance
The PCI DSS applies to all systems, networks, and applications that process, store, or transmit cardholder data. Cardholder data is the Primary Account Number (PAN) together with any cardholder name, expiration date, or service code stored with it. Sensitive authentication data (the full magnetic stripe, the CVC2/CVV2/CID code, and the PIN or PIN block) is treated separately: it may be used to authorize a transaction but must never be stored afterwards, even in encrypted form. While it is possible to reduce the scope of auditing with good network segmentation, many networks were not designed with PCI in mind. As a result, organizations must secure and audit a broad range of systems, regardless of whether their purpose includes accessing cardholder data.
Network and system components affected by the PCI DSS include those shown below. Applications affected include all purchased and proprietary applications, whether they are internal or external (Internet) applications.
| Component type | Examples |
|---|---|
| Network | Firewalls, switches, routers, wireless access points, network appliances, other security appliances |
| Server-based systems | Web, database, authentication, mail, proxy, network time protocol (NTP), domain name servers (DNS) |
Ensuring compliance with the PCI standard is important for a number of reasons, but perhaps the most significant is protecting brand reputation. The public scrutiny that accompanies any security breach can be very damaging to an organization's image. Any organization doing business in California, for example, is required under the state's breach notification law (SB 1386) to notify affected individuals when their personal data has been compromised, and there is no faster way to lose customer confidence than to be forced to report publicly that credit card numbers have been stolen. A recent study by the Ponemon Institute reports that data breach disclosures can, in time, result in the loss of as many as 20 percent of existing customers.
The second reason for ensuring compliance with the PCI standard is to avoid fines and additional regulatory scrutiny. Failure to comply with the PCI DSS can result in fines that range from $200,000 to $500,000 per security breach, as well as additional government-levied fines that can range from $5 million to $20 million. In addition, once an organization has failed a PCI audit, it is given an elevated risk status and becomes subject to more extensive PCI audits. The ultimate penalty can be a suspension of status and the loss of the ability to accept and process credit cards.
The Twelve Requirements
There are 12 high-level PCI DSS requirements, also called the 12 control objectives. These control objectives support the single, central objective of PCI DSS, which is to protect cardholder data. The 12 PCI DSS requirements can be visualized as a set of layered controls.
Companies can use these layers to help meet the control objectives. Any single set of controls does not typically provide complete protection. The overlapping layers of protection support and supplement each other. Each individual layer has some gaps, but putting all 12 controls together achieves a much higher level of effective protection of the cardholder data.
The 12 high-level PCI DSS requirements are:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
These are the primary controls, but the standard allows companies to add controls of their own. Many of the above controls can be audited using a tool that comprehensively audits the infrastructure; however, some controls (physical access, for example, or the security policy itself) must be tested and tracked through internal processes defined by management.
Simplifying PCI DSS Reporting
Compliance reporting should not be a daunting task. By automating the collection of information, an organization can quickly identify its PCI security posture in an easy-to-interpret report. Summary reports and more detailed reports should be available for every level of the organization.
Figure 1 shows a sample management-style report that identifies the current security posture.
Figure 2 illustrates that the company is increasingly locking down its systems according to its policy: over time, the number of findings trends downward, which corresponds to an improving security posture.
How Altiris Can Help
Incorrect system configuration, poor security management, and vague or incomplete security policies critically weaken an organization's defenses. As a result, companies face increased pressures from security breaches, potential information theft, and the inability to meet requirements surrounding PCI. Altiris can help address these issues through the implementation of sound security configuration policies and proactive auditing.
With Altiris a company can ensure that the security posture is consistent with its security policies and relevant regulatory mandates. It is the ability to continually manage security configurations that distinguishes Altiris from other solutions.
ABOUT SECURITYEXPRESSIONS
Altiris® SecurityExpressions software is a security configuration management solution for Windows, Linux and UNIX systems. SecurityExpressions supports an organization's security processes through the implementation of sound security configuration baselines, proactive evaluation of IT controls, and comprehensive reporting.
The first step to proactive security configuration management is to define effective baseline policies. However, developing these baselines can be a time-consuming, difficult task that requires extensive expertise in configuration management. Altiris simplifies the process with industry best practices templates that can be implemented directly or customized to meet your needs. SecurityExpressions also supports homegrown configuration policies. Both methodologies accelerate deployment while ensuring rigorous best practices protection. The resulting policies can be tailored and published to document administrative controls.
SecurityExpressions accurately and quickly compares each system's actual configuration against the company's defined policy. This allows IT managers to conduct comprehensive audits frequently, plan and execute remediation, and re-evaluate compliance with minimal effort. Any setting that deviates from the policy is identified immediately, and security managers can remediate those areas of non-compliance, so security issues are quickly found and addressed.
These audits can be conducted daily to keep the company in a continuous state of compliance, rather than relying on a quarterly vulnerability scan alone. While quarterly vulnerability scans are required by the PCI DSS, they have significant limitations. A quarterly scan leaves the company uncertain of its exposure from the day after the scan until the next one is completed, and an external scan does not examine systems or devices behind the firewall. Using Altiris solutions, companies can validate compliance with automated security audits rather than discover too late that vulnerabilities exist.
A comprehensive reporting functionality provides security managers with detailed information regarding areas of noncompliance. The reports also include a compliance benchmarking tool, which allows security managers and executives to quickly assess their level of compliance against the policy standard. Trending analysis allows security managers to ascertain the company's progress in their compliance project. The audit trails and reports offer evidence of a company's due diligence in monitoring their security and compliance status.
Policy Templates
SecurityExpressions has a variety of pre-made templates that can be leveraged as a foundation for audits. Security configuration policies are built using industry best practices recommendations from organizations such as VISA, SANS, CIS or the NSA. The policies can be modified so that they are in line with your organization's audit requirements.
PCI DSS TEMPLATE
Altiris also provides numerous templates for PCI DSS compliance. The information below is an excerpt from that template.
This policy implements the Payment Card Industry Data Security Standard Version 1.1 document.
The following table illustrates commonly used elements of cardholder and sensitive authentication data, whether storage of each data element is permitted or prohibited, and if each data element must be protected. This table is not exhaustive, but is presented to illustrate the different types of requirements that apply to each data element.
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
| | Data Element | Storage Permitted | Protection Required | PCI DSS Req. 3.4 |
|---|---|---|---|---|
| Cardholder Data | Primary Account Number (PAN) | Yes | Yes | Yes |
| | Cardholder Name* | Yes | Yes | No |
| | Service Code* | Yes | Yes | No |
| | Expiration Date* | Yes | Yes | No |
| Sensitive Authentication Data** | Full Magnetic Stripe | No | N/A | N/A |
| | CVC2/CVV2/CID | No | N/A | N/A |
| | PIN / PIN Block | No | N/A | N/A |
* These data elements must be protected if stored in conjunction with the PAN. This protection must be consistent with PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.
** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).
These security requirements apply to all "system components." System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to Web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.
Conclusion
PCI DSS is probably the most comprehensive standard of its kind developed to date. The credit card companies are serious about proving to the world that consumer information is safe in their hands. Demonstrating compliance with PCI is a matter of following best practices, which is in the enterprise's best interest as well as the consumer's.
With SecurityExpressions enterprises have an automated solution to audit, deploy and enforce system security policies across all Windows, UNIX and Linux desktops, notebooks, and servers in a fraction of the time previously required, using an agentless or agent-based approach -- or a combination of the two. SecurityExpressions dramatically reduces the cost and time to implement, administer and manage formal, defined system security policies that control items such as network authentication, system settings, user rights, accountability, resource access controls, operating systems and application of patches. Additionally, SecurityExpressions can bring all single machines, workgroups or entire networks into compliance with the corporate system security policy.
SecurityExpressions Features
The following sections provide details on key features. For more information about SecurityExpressions, including white papers and data sheets, visit www.altiris.com/products/securityexpressions/.
Auditing
With SecurityExpressions, you can audit a single machine, a group of machines, a domain, or your entire network. Each audit provides information on every item in the system security policy. Items are notated with "okay," "not okay," "error," or "information." Additionally, you can assign priority to items and fix individual items, groups of items, or global problems with a single click.
You can view audits in real-time for immediate feedback, early detection and response planning. Alternatively, you can save audits to files or a database for offline analysis and reporting. You can also schedule audits by day and time (such as at night or on weekends) to minimize or eliminate any noticeable impact on system or network performance.
Distributed Proxy
For remote sites behind firewalls, across the Internet, or in bandwidth-constrained locations, SecurityExpressions includes a distributed proxy that resides on a single machine at the remote site. The distributed proxy provides complete auditing and compliance functionality at the remote location and interacts with SecurityExpressions' central console through SSL. The distributed proxy does not require any agent on target machines for auditing or compliance.
Scalability
SecurityExpressions can scale to any enterprise network. The central console allows for 200 simultaneous multithreaded audits, and you can select the optimal number of simultaneous audits. Since the distributed proxy performs audits at remote sites in a hierarchical structure, you can combine multithreaded audits with the distributed proxy to achieve virtually unlimited scalability. In addition, you may throttle network bandwidth usage to stay under a desired limit. To date, the largest SecurityExpressions rollout is 86,000 systems, with deployments in progress of upwards of 150,000 systems.
Reporting
SecurityExpressions includes an embedded Crystal Reports engine and several pre-defined operations and management reports. You can customize and print reports or export them to HTML, tab-delimited, Microsoft Word, Microsoft Excel, Adobe PDF and other formats. Built-in reports are tailored for various groups, such as operations, security and management.
Asset Classification Benchmarking
Benchmarking reduces audit compliance status to a single measurement. All levels of IT management can work from one number: the percentage of compliance. For example, if compliance is at 82% and the benchmark is set at 80%, then 82% is a passing score. Each rule can be weighted high, medium, or low, and a composite percentage score is calculated from those weights. This provides a single weighted-average number for communicating system security compliance to every management level.
In addition, systems themselves can be classified by their asset value to the company. Weights can be assigned to each system manually, or derived from the services running on it. Then, when per-system scores are rolled up into an overall score for the entire audit, more important systems affect the score more than less critical ones. For example, all systems running a database can automatically carry a greater weight than systems acting only as print servers, and the SecurityExpressions administrator can assign a greater weight to systems on which financial data is stored.
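The following is an added example, not SecurityExpressions code or any Altiris output: it shows the mechanics the Auditing and Benchmarking sections describe, auditing each system against a baseline policy with the "okay" / "not okay" / "error" labels, weighting rules high/medium/low, weighting systems by asset value, and rolling the result up into one percentage checked against a benchmark. The policy rules, the numeric weights (3/2/1 for rule priority, 3/2/1 for database/web/print services, and a manual 4.0 for a financial host), the 80% benchmark, and the four hosts' settings are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed weights for the high/medium/low rule priorities (not vendor values).
RULE_WEIGHTS = {"high": 3.0, "medium": 2.0, "low": 1.0}
# Assumed asset weights by service; a system with no listed service gets 1.0.
SERVICE_WEIGHTS = {"database": 3.0, "web": 2.0, "print": 1.0}


@dataclass(frozen=True)
class Rule:
    name: str
    setting: str      # key to read from the audited system's collected settings
    expected: object  # value the policy requires
    op: str           # "eq" (must equal expected) or "ge" (must be >= expected)
    priority: str     # "high", "medium" or "low"


@dataclass
class System:
    name: str
    settings: dict                       # observed key -> value; a missing key yields "error"
    services: tuple = ()
    asset_weight: Optional[float] = None  # manual override, e.g. a host holding financial data


# Constructed baseline loosely mirroring PCI DSS requirements 2, 5, 8 and 10.
POLICY = [
    Rule("No vendor-default admin password", "default_admin_password", False, "eq", "high"),
    Rule("Antivirus installed and current", "antivirus_current", True, "eq", "high"),
    Rule("Minimum password length 7", "min_password_length", 7, "ge", "medium"),
    Rule("Audit logging enabled", "audit_logging", True, "eq", "medium"),
    Rule("Screen lock enabled", "screen_lock", True, "eq", "low"),
]


def audit_system(system, policy=POLICY):
    """Return {rule name: status} using the okay / not okay / error labels."""
    results = {}
    for rule in policy:
        if rule.setting not in system.settings:
            results[rule.name] = "error"  # the setting could not be collected
            continue
        actual = system.settings[rule.setting]
        ok = actual == rule.expected if rule.op == "eq" else actual >= rule.expected
        results[rule.name] = "okay" if ok else "not okay"
    return results


def system_score(system, policy=POLICY):
    """Rule-weighted compliance percentage; 'error' counts as non-compliant (fail closed)."""
    results = audit_system(system, policy)
    total = sum(RULE_WEIGHTS[r.priority] for r in policy)
    passed = sum(RULE_WEIGHTS[r.priority] for r in policy if results[r.name] == "okay")
    return 100.0 * passed / total


def asset_weight(system):
    """A manual weight wins; otherwise take the heaviest weight among the system's services."""
    if system.asset_weight is not None:
        return system.asset_weight
    return max((SERVICE_WEIGHTS.get(s, 1.0) for s in system.services), default=1.0)


def rollup_score(systems, policy=POLICY):
    """Asset-weighted average of per-system scores: the single number for management."""
    weights = [asset_weight(s) for s in systems]
    return sum(w * system_score(s, policy) for w, s in zip(weights, systems)) / sum(weights)


def passes_benchmark(score, benchmark=80.0):
    return score >= benchmark


# Constructed audit data for four hosts (not real collected settings).
SYSTEMS = [
    System("db01", {"default_admin_password": False, "antivirus_current": True,
                    "min_password_length": 8, "audit_logging": True, "screen_lock": False},
           services=("database",)),
    System("web01", {"default_admin_password": True, "antivirus_current": True,
                     "min_password_length": 7, "audit_logging": True, "screen_lock": True},
           services=("web",)),
    System("print01", {"default_admin_password": False, "antivirus_current": True,
                       "min_password_length": 7, "screen_lock": True},  # audit_logging not collected
           services=("print",)),
    System("fin01", {"default_admin_password": False, "antivirus_current": True,
                     "min_password_length": 12, "audit_logging": True, "screen_lock": True},
           services=("web",), asset_weight=4.0),
]

if __name__ == "__main__":
    for s in SYSTEMS:
        print(f"{s.name:8} weight={asset_weight(s):.1f} score={system_score(s):5.1f}%")
    overall = rollup_score(SYSTEMS)
    print(f"overall {overall:.1f}% -> {'PASS' if passes_benchmark(overall) else 'FAIL'} against 80%")
```

With these inputs the database host scores 90.9%, the web host with a vendor-default password 72.7%, the print server with an uncollectable setting 81.8%, and the financial host 100%; the asset-weighted roll-up is 90.0%, whereas a plain average of the four would be 86.4%. Treating "error" as a failure is a deliberate choice: a setting the auditor could not read should lower the score rather than silently inflate it.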
Policy Templates
SecurityExpressions includes over 75 templates in categories such as Industry Best Practices, Standards and Regulations, Industry Known Vulnerabilities, Security Patches, Users & Groups, and Unauthorized Hardware and Software. To view all policy files currently available, please visit the online policy library at: .
Architecture
SecurityExpressions supports both an agentless and an agent-based approach to system audits. In an agentless environment, SecurityExpressions uses Windows Networking for Windows targets and SSH for UNIX targets. Since there is no client or agent software to install or maintain, deployment is fast and easy. SecurityExpressions provides both a Windows console and SecurityExpressions Web-based Management, a .NET IIS-based web server for access to SecurityExpressions functions. This gives the flexibility to deploy a local Windows application for some users while others access the same functions through a web browser.
| Attachment | Size |
|---|---|
| WP_PCI_DSS_Compliance_051807.pdf | 470.5 KB |