Lock Down Applications for PCI DSS Compliance
The Payment Card Industry Data Security Standard requires merchants and transaction processors to protect customer data, and firewalls play a major role in the process.
By Matt Sarrel and Michael Steinhart
Executive Summary
Credit card fraud is not a new phenomenon. However, e-commerce has ushered in an era where data theft can be carried out on a global scale. Just as companies processing credit card information couldn’t protect consumers in the world of paper receipts, they lack the skills to do so in the electronic age. To make matters worse, as the raw number of credit card-based transactions has increased online, credit card issuers are feeling the sting of the accompanying rise in online credit card fraud. To cut down on fraud and increase consumer protection, a consortium of payment card providers collaborated to develop the Payment Card Industry Data Security Standard (PCI DSS), to ensure that companies protect credit card data during storage, processing, and transmission. PCI DSS is predicated on solid infrastructure and information security principles that begin with network- and application-layer firewalls. Secure Computing’s award-winning Sidewinder® appliance can meet the needs of any company required to comply with PCI DSS.
Introduction
Over the last 15 years, e-commerce has proliferated rapidly, bringing an explosion of online financial transactions being processed around the world. Almost all online transactions involve the use of credit and debit cards. Whether the cards are used for purchasing video games, food, services, or vacations, they have become an integral part of online commerce. However, along with increased use of credit cards for online transactions come increased opportunities for criminals to exploit vulnerabilities in merchant networks. With growing threats to consumer information, identity theft is increasing and consumers are losing confidence in the ability of businesses, especially online businesses, to protect their identity and credit card information.
The US Federal Trade Commission (FTC) fielded over 650,000 complaints in 2004, 680,000 in 2005, and 670,000 complaints in 2006; roughly 35 percent of these complaints were related to identity theft. Considering that these numbers are a mere fraction of the total number of identity thefts, this does not paint a pretty picture for protecting the American consumer’s personal financial information, especially since many of the reported cases were the result of breaches of credit card data.
Credit card fraud and identity theft concern not only consumers but also businesses. The cost of notifying customers of a data breach and cleaning up the mess can run as high as $150-$300 per customer. In 2006, breaches cost American businesses over $5 billion, and businesses in the UK lost over £1.7 billion. One of the highest-profile data breaches came early in 2007, with the TJX Companies reporting a hole that gave hackers access to as many as 94 million customer records. The breach cost the company an estimated $140 million. These expenses caused the firm’s second-quarter profits to fall 14 percent; had these expenses not been incurred, profits would have risen 31 percent.
To combat this trend, PCI compliance was instituted in 2005, when Visa, MasterCard, American Express, Diners Club, Discover, and JCB collaborated to create a new set of standards that would prevent credit card fraud. The PCI DSS was born, and all merchants and service providers that handle, transmit, store, or process information concerning payment cards or their related data are expected to comply with the 12 requirements laid out in the data security standard. Businesses that do not comply can face monetary penalties, an increase in card-processing fees, and/or have their card-processing privileges terminated. Fines for non-compliance can run as high as $25,000 a month, and service penalties can cost credit card processors even more. For smaller companies, these costs can be devastating; and some larger companies, unfortunately, find that it is cheaper to pay the penalties than to comply with the standard, according to an August 2006 report from the IT Compliance Institute.[1]
Inside PCI DSS
For the most part, the PCI DSS is a list of security best practices, many of which have been widely urged and implemented for a number of years. These solid fundamentals of network and information security aren’t just expensive exercises; they represent a comprehensive approach that will help companies reduce risk, and they ought to be in place across all industries. However, the PCI DSS does not go into excessive detail or provide clearly organized recommendations.
The PCI DSS has 12 requirements that are organized into six categories:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
[1] Christopher Hord, IT Compliance Institute. “Rumors and Reluctance: PCI Standard Changes,” August 15, 2006.
Firewalls and PCI DSS
Requirement 1 specifies that firewalls be configured to protect against unauthorized network traffic. A firewall is a device that controls traffic allowed into and out of a company’s network, as well as traffic into and out of specific sub-networks of a company’s internal network. A firewall inspects all network traffic, applies pre-built rules or filters, and blocks those transmissions that do not meet specified security criteria. All systems (network devices, servers, employee PCs) must be protected from unauthorized access originating outside the company network. There are many threat points that expose internal resources to external attacks, including e-commerce servers, employee Internet access, and employee email. Indeed, seemingly insignificant paths to and from the Internet can provide ready access to important business systems, therefore making firewalls an essential protection mechanism for any network.
There are many configuration best practices to keep in mind when protecting a network. The first step is to establish a formal process for documenting existing network configurations; this documentation should be kept current and updated each time something changes physically or logically. Understanding both wired and wireless network structure and how devices communicate with one another and the outside world is critical when developing firewall policies. A firewall should be installed at each Internet connection and between any demilitarized zone (DMZ) and the internal network. It is important to document not only the physical network layout, but also the protocol-specific data connections and when they are active. As this activity is focused on PCI DSS compliance, make special note of connections to cardholder data. Also describe the groups, roles, and responsibilities for logical management of network components.
Create a list of services and ports necessary for business, which machines and users run these services and open these ports, and which external machines they connect to through your firewall. The best way to do this is to create a spreadsheet that lists the protocols active on your network (such as FTP, HTTP, SSL, and so on), where they come from, where they go, which user or business process is responsible for each, and why. Of course, as firewalls are basically routers with a lot more intelligence, these rules apply to routers also. Lock down the configuration files by requiring a password for uploading, downloading, and viewing them. Conduct quarterly reviews of firewall and router rule sets.
Start by building a firewall configuration that denies all traffic from “untrusted” networks and hosts, and then allow traffic as it is needed and deemed appropriate. This is the way all firewalls ought to work by default, but most—under the guise of ease-of-use—do just the opposite and allow everything except specifically delineated items. Your first firewall rule should be “deny all.” Then add necessary protocols and hosts one by one. Pay special attention to connections to any system component storing cardholder data.
Restrict inbound Internet traffic to the DMZ and don’t allow internal network addresses to connect to services in the DMZ through the Internet. You can host Web and application servers in the DMZ, but make sure that you host database servers inside the protected internal network zone. Only allow necessary traffic, for example, traffic originating on your Web server, to reach the database server containing sensitive cardholder information. In addition, a firewall should be installed between wireless networks and the cardholder data environment. Install software firewalls on any mobile and employee-owned computers that connect to the Internet and access your organization’s network. It might be prudent to take PCI DSS one step further and install software firewalls on all computers, including those stationed permanently within your network.
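The rule-building steps above, modelled as an added example that is not Sidewinder configuration or code from the original paper: a default-deny policy for the three zones the text describes (Internet, DMZ, internal cardholder zone), with an owner and a justification recorded per rule as the spreadsheet suggests, an anti-spoofing check for internal addresses arriving from the Internet side, and a helper that lists rules no observed flow has used, for the quarterly rule-set review. The zone ranges, hosts and owners are assumed placeholders.

```python
"""Default-deny policy model for a PCI DSS segmented network (added example,
not Sidewinder configuration; addresses, hosts and owners are constructed)."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ZONES = {                      # named zones; anything else is the Internet
    "internal": ip_network("10.10.0.0/16"),   # cardholder data environment
    "dmz": ip_network("192.0.2.0/24"),        # Web and application tier
}

def zone_of(addr):
    """Map an address to its zone; unknown space is treated as 'internet'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    src_host: Optional[str]  # None = any host in src_zone
    dst_host: str
    port: int
    owner: str               # business process responsible (the spreadsheet column)
    reason: str              # why the flow is needed (also a spreadsheet column)

# Explicit allows. Anything not matched falls through to the implicit deny.
RULES = [
    Rule("internet", None, "192.0.2.10", 443, "e-commerce", "public storefront over TLS"),
    Rule("dmz", "192.0.2.10", "10.10.5.20", 5432, "e-commerce", "web server to cardholder DB"),
]

def evaluate(src, dst, port, ingress_zone):
    """Return (verdict, rule). ingress_zone is the interface the packet arrived on."""
    src_zone = zone_of(src)
    # Anti-spoofing: a packet claiming an internal or DMZ source must arrive on
    # that zone's interface, never from the Internet side.
    if src_zone != "internet" and ingress_zone != src_zone:
        return "deny", None
    for rule in RULES:
        if (rule.src_zone == src_zone and rule.src_host in (None, src)
                and rule.dst_host == dst and rule.port == port):
            return "allow", rule
    return "deny", None          # default deny, the policy's first rule

def unused_rules(flows):
    """Quarterly review helper: rules that no observed flow ever matched."""
    hits = Counter(r for r in (evaluate(*f)[1] for f in flows) if r)
    return [r for r in RULES if r not in hits]
```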
Application-Level Protection
Section 6.6 of the PCI DSS is somewhat vague. It requires that all Web-facing applications be protected against known attacks, but it doesn’t discuss new exploits. The DSS lists two ways this protection can be implemented, either by having all custom application code reviewed for common vulnerabilities, or by installing an application-layer firewall. Non-custom coded applications—such as off-the-shelf e-commerce platforms—seem to be overlooked here. Obviously, in order to protect your company and your customers’ sensitive credit card information, you should address threats in the most comprehensive manner possible. Don’t rely on a review of custom code as your only means of securing an application. Organizations are better served by implementing a combination of protection mechanisms; couple application code review with installing an application-layer firewall in front of Web-facing applications, and indeed, all applications that may expose cardholder data to attack.
Application-layer firewalls are relatively new security solutions, having come to the market within the last five or so years. Many application-layer firewalls are also integrated with perimeter anti-virus, anti-spam, content filtering, and VPN (virtual private network) services in unified threat management (UTM) devices, which make them especially adept at inspecting and catching application-layer attacks, a primary concern with PCI DSS. But what do application-layer firewalls do that network-layer firewalls don’t? For a number of years, the device of choice to secure a network’s perimeter has been the stateful packet inspection (SPI) or network-layer firewall. SPI firewalls work by allowing or denying remote connections based on the identity of the sender and receiver as well as the type of network traffic. SPI firewalls work primarily in OSI Layers 3 (network) and 4 (transport), using IP addresses as a filter for controlling TCP connections. This isn’t enough to combat today’s attacks, because hackers are now targeting the application layer (OSI Layer 7). These new threats include viruses, Trojans, worms, banned content, and spam, and they are propagated primarily through email, Web pages, and instant messaging. SPI firewalls have slowly been replaced by Deep Packet Inspection (DPI) firewalls. DPI examines a packet’s contents and also performs header inspection like an SPI firewall. By examining a packet’s contents, DPI is able to detect and prevent many types of attack: denial of service (DoS), buffer overflow, some worms, and IP masking attacks, for example. The primary limitation of DPI is that most devices inspect only a few packets at a time, and more sophisticated attacks can be thousands of packets long. Thus, DPI is a step in the right direction, but not the most complete solution available.
A specific type of DPI firewall is an application-layer firewall, which protects a network by screening packet contents in their complete, proper context—in real time—to block suspicious traffic before damage can be done. Packets are reassembled and analyzed as they pass through the firewall, enabling it to apply network and transport-layer filters, inspect application-specific traffic for vulnerabilities, perform virus scanning on Web pages, emails, and file attachments, and filter spam, spyware, and URLs—all at the network edge—before these threats can reach servers or spread across the corporate network. Many business-class firewalls on the market today include DPI capability; however, few provide true application-layer security. In order to comply with the PCI DSS, make sure that your equipment has the application-layer features needed. The increase in safety far outweighs the initial investment in upgrading firewalls. After all, what’s the point of trying to save $500 if, in the long run, it may cost you $120 million?
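An added example (not Sidewinder code or anything from the original paper) of the distinction drawn above between packet-at-a-time inspection and inspection of the reassembled application stream: the same HTTP request is checked both ways, and a known-bad token that straddles a segment boundary is only caught once the stream has been reassembled. The request, segment size, method allow-list and patterns are constructed assumptions.

```python
"""Per-packet versus reassembled inspection of a Web request (added example,
not Sidewinder code; the request, segment size and patterns are constructed)."""
import re

# Constructed application-layer policy for a Web-facing server in the DMZ.
ALLOWED_METHODS = {"GET", "POST"}
MAX_REQUEST_LINE = 2048                        # oversized lines are a classic overflow vector
BAD_PATTERNS = {
    "path traversal": re.compile(rb"\.\./"),
    "script injection": re.compile(rb"(?i)<script"),
}

def inspect_request(data: bytes):
    """Check one complete HTTP request; return the violation name or None."""
    line, _, _ = data.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or parts[0].decode(errors="replace") not in ALLOWED_METHODS:
        return "method not allowed"
    if len(line) > MAX_REQUEST_LINE:
        return "request line too long"
    for name, pat in BAD_PATTERNS.items():
        if pat.search(data):
            return name
    return None

def per_packet(segments):
    """Packet-at-a-time DPI: every segment is matched alone, with no cross-packet
    state, so a token split over a segment boundary is never seen whole."""
    for seg in segments:
        for name, pat in BAD_PATTERNS.items():
            if pat.search(seg):
                return name
    return None

def reassembled(segments):
    """Application-layer proxy: rebuild the stream first, then inspect it as one request."""
    return inspect_request(b"".join(segments))

def segment(data: bytes, size: int):
    """Split a byte stream into fixed-size TCP-like segments."""
    return [data[i:i + size] for i in range(0, len(data), size)]

# Constructed sample: with 12-byte segments the "../" token straddles a boundary.
SAMPLE = b"GET /files/../conf HTTP/1.1\r\nHost: shop.example\r\n\r\n"

if __name__ == "__main__":
    segs = segment(SAMPLE, 12)
    print("per-packet :", per_packet(segs))     # None: the token was never seen whole
    print("reassembled:", reassembled(segs))    # path traversal
```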
Secure Computing Plays Major Role in PCI Compliance
Secure Computing’s Sidewinder Network Gateway Security appliance is widely regarded as the world’s strongest firewall. Sidewinder delivers industry-leading application-layer performance and best-in-class security, as determined by SC and Network Computing magazines. The gigabit-speed application-layer firewall is two to four times faster than leading “deep inspection” firewalls. The Sidewinder UTM helps organizations to comply with PCI DSS requirements 1, 2, 4, 5, 6, 7, 10, and 11. Sidewinder is the first and only firewall that offers reputation-based security for network perimeters. TrustedSource™, Secure Computing’s global reputation service, enables Sidewinder to make proactive security decisions based on the real-time behavior of IP addresses worldwide. For email, for example, the TrustedSource global intelligence centers analyze over 120 billion email messages each month and assign each sender’s IP address a numeric reputation score. This score enables Sidewinder appliances to drop huge volumes of unwanted and infected email at the network perimeter. TrustedSource provides the same proactive security for numerous protocols. Separating Sidewinder even further from many other firewalls is its ability to decrypt and inspect SSL traffic. Instead of passing encrypted protocols through, as many firewalls do today, Sidewinder has been on the leading edge of devices that can decrypt these protocols and then apply deep inspection or application analysis to ensure that this traffic does not represent an attack on the internal application servers behind the firewall. Sidewinder also uses signature-based intrusion prevention (IPS) to defend against over 200,000 known attacks. These services are updated on a regular basis. Secure Computing relies on proprietary attack signatures, thus providing better protection than solutions that rely on open-source signature services.
Secure Computing’s global attack analysis network automatically builds IPS attack signatures at speeds and accuracy levels far outpacing general industry practice, giving companies earlier protection for unknown attacks and the greatest operating assurance. The ability to apply highly current, pre-organized service groups of IPS signatures against specific connection flows on a rule-by-rule basis also sets Sidewinder apart from any competing product, providing not only superior protection but also superior gigabit-speed performance. Sidewinder also offers optional anti-virus and anti-spyware engines in an add-on module for email and Web traffic. The award-winning Sophos anti-virus engine is tightly integrated with Sidewinder for the best protection and lower maintenance; this embedded solution prevents Internet attacks such as viruses, worms, Trojans, spyware, and malicious code from entering an organization’s network. On the application side, Sidewinder includes over 40 application-specific proxies, including deeply aware application filtering for email, Web, Oracle, Citrix, SQL, VoIP, and other popular Internet protocols. Each proxy can be configured for the customer’s unique needs. Consolidating all major perimeter security functions in one system, Secure Computing’s Sidewinder Network Gateway Security appliance defends networks and Internet-facing applications from a wide range of malicious threats, both known and unknown. Enterprises use the Sidewinder UTM to secure their networks, protect applications, manage employee Internet use, decrypt and wipe out hidden attacks in encrypted protocols, block viruses and spyware in file transfers, and create high-quality audit trails for regulatory compliance and reporting.
Conclusion
As a credit card processor, not only do you have to comply with the PCI DSS, but you should want to, to better protect your customers. The financial penalties of non-compliance are serious, but they pale in comparison to the damage that could result from a data breach. The cost of protecting sensitive customer data proactively is well justified. Data and identity theft are very real threats. Using the PCI DSS as a blueprint and Secure Computing’s Sidewinder Network Gateway Security appliance as your primary tool, you can confidently protect your business and your customers’ private credit card data.
To learn more about Sidewinder and Secure Computing’s other data protection offerings, visit www.securecomputing.com.
Matt Sarrel, CISSP, is a contributing senior editor at Ziff Davis Enterprise. He runs the Sarrel Group, a privately held, full-service IT consulting firm located in New York City. Michael Steinhart, a senior editor at Ziff Davis Enterprise, brings ten years of technology media experience to his coverage of business software and Internet applications. Prior to joining Ziff Davis Enterprise, Steinhart served as Features Editor for business and consumer software at PC Magazine.