Thursday, October 20, 2011

A Look at PCI 2.0 and the New Wireless Guidelines

THE PAST
I have been predicting that the PCI Security Standards Council would move toward more stringent requirements for WLANs, specifically requirements for full-time monitoring, scanning and protection. I was also waiting to see the Council suggest that “all-in-one” solutions, which provide both connectivity and security, fall short of the mark. I am happy to see these predictions coming true, especially in light of PCI DSS v2.0.

Near the end of last year the PCI Security Standards Council published Ten Common Myths of PCI DSS. The very first myth addressed is that “One vendor and product will make us compliant”. The text reads, “Many vendors offer an array of software and services for PCI DSS compliance. No single vendor or product, however, fully addresses all 12 requirements of PCI DSS. When marketing focuses on one product’s capabilities to the exclusion of other PCI DSS requirements, the resulting perception of a “silver bullet” might lead some to believe that a point product provides “compliance,” when it really only addresses just one or a few elements of the standard.” It goes on to say, “The PCI Security Standards Council urges merchants, service providers and processors to avoid focusing on point products for data security and PCI DSS compliance. Instead of relying on a single product or vendor, you should implement a holistic security strategy that focuses on the “big picture” related to the intent of PCI DSS requirements. This approach includes people and processes, not just technology.”

A large number of merchants today are buying into the idea that a single vendor (Cisco, Aruba, Juniper etc.) can cover all of their PCI compliance needs. This is an alluring message to the CIO who is making budgetary decisions and would prefer to limit the cost and the number of variables in a compliance project. However, aside from endangering an organization’s PCI compliance, it runs against the mantra any information security engineer has repeated for years: limit your exposure and risk through a best-of-breed, layered security model. In other words, use layers of products from different vendors, together with processes developed in house, to protect the organization. The reason is independence: a second product from a different vendor does not share the first one’s code, defaults or bugs, so one failure does not silence both the control and the check on that control.

THE PRESENT
At the end of the summer this year, the PCI Security Standards Council released a new set of guidelines clarifying how PCI DSS v2.0 applies to the security of wireless networks, specifically 802.11 (Wi-Fi) networks and Bluetooth.

Section 1.1 of the guidelines states that the purpose of the document is to provide, “guidance and recommendations for deploying wireless networks including 802.11 Wi-Fi and 802.15 Bluetooth technologies, in accordance with the Payment Card Industry Data Security Standard (PCI DSS). The goal is to help organizations understand and interpret how PCI DSS applies to wireless environments, how to limit the PCI DSS scope as it pertains to wireless, and to provide practical methods and concepts for deployment of secure wireless in payment card transaction environments.”

Most of the guidelines are common-sense approaches to securing WLANs: ensure the physical security of wireless devices, change default passwords and settings, configure wireless devices securely, and use strong authentication, strong encryption and sound security protocols. Some new ideas were put forward as well, and they show the increasingly urgent need for full-time monitoring and prevention of wireless intrusions.

Intrusion Detection and Prevention
Section 4.3 addresses WLAN monitoring systems, specifically WIDS and WIPS. It cites Requirement 11.4 of PCI DSS 2.0: “Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises.” This is an important addition. Requirement 11.4 is not itself new, but the guidelines now apply it explicitly to the wireless side of the cardholder data environment. That means companies that were previously attempting to get by with the quarterly wireless scans of Requirement 11.1 are now being asked to implement full-time wireless intrusion detection and/or prevention.

The next sentence gets even more specific: “Keep all intrusion-detection and prevention engines, baselines, and signatures up-to-date.” A quick check of the market today reveals that almost all infrastructure vendors ship only a short list of signatures and vulnerability checks, and that they release new security signatures and alarms only when a major release of the entire WLAN system comes out. That typically happens once every 12 to 24 months and requires the customer to upgrade all WLAN controllers, APs and management platforms. Since the newer code may itself contain bugs or regressions, IT managers are understandably cautious about rolling it out system-wide, which leaves the signatures lagging even further behind.

Dedicated WLAN WIDS/WIPS vendors tend to be a bit more agile, releasing new vulnerability alarms and attack signatures every 6 to 12 months, and in some cases a patch release follows a widespread and well-publicized WLAN vulnerability within a few weeks. But again, the administrator must upgrade the entire system (server, clients, sensors etc.) to get the benefit of the new alarms. AirMagnet, however, implemented its Dynamic Threat Update (DTU) feature for AirMagnet Enterprise in the first part of 2011, delivering new alarms to customers without a full system upgrade and helping them meet the “keep signatures up-to-date” clause that section 4.3 of the new guidelines cites.

As an example of the difference this makes to an organization, look at the most recent highly publicized WLAN vulnerability, the cross-site scripting vulnerability in the ArubaOS and AirWave administration web interfaces. The advisory, posted on Wed, 6 Jul 2011, describes a flaw that allows “an attacker to plant an AP with maliciously crafted SSID in the general vicinity of the wireless LAN which would be able to trigger a XSS vulnerability in the reporting sections of the ArubaOS and AirWave Administration WebUIs”. Within a few days AirMagnet had code written and was testing the attack in house, with the ability to prevent access to the malicious AP. By 25 July 2011 every AirMagnet Enterprise 9.0 customer was protected from it. One caveat for practitioners: blocking the rogue AP limits what it can do, but the flaw itself lives in the management web interface, so the vendor’s patch is still required to actually close it.

Alerting to Misconfigurations
Lastly, section 4.3.2 of the guideline, entitled “Detection of unsafe activity or configurations”, states that “A wireless IDS/IPS can detect misconfigurations and unsafe activity by monitoring and analyzing wireless communications. Most can identify APs and clients that are not using the proper security controls. This includes detecting misconfigurations and the use of weak WLAN protocols, and is accomplished by identifying deviations from organization-specific policies for settings such as encryption, authentication, data rates, SSID names, and channels.” No single-vendor solution monitors its own configuration. The controller is the configuration system, and the vendor asks you to trust it when it reports that it is implementing your policy of strong authentication. When a bug is present, how would the system even know it is misconfigured? WLAN management systems (controllers, APs etc.) get bugs, as all systems do, and people make mistakes. Only an independent check of what the APs actually broadcast over the air can catch that, which is what a WLAN intrusion detection/prevention system like AirMagnet Enterprise does. That is one more reason to implement a separate WIPS solution, one that looks specifically for items such as:
  • AP Configuration Changed (Security)
  • AP Using Default Configuration
  • AP Configuration Changed (SSID)
  • Device Unprotected by IEEE 802.11i/AES
  • Device Unprotected by 802.1x
  • Device Unprotected by EAP-* (the * stands in for PEAP, TLS, TTLS etc.)
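As an added illustration of the policy checks section 4.3.2 describes (this is example code written for this post, not AirMagnet's product code or anything from the PCI SSC), the following Python compares constructed beacon observations against an assumed organizational policy and against the previous sweep's baseline, raising alarms named like the ones listed above. The BSSIDs, SSIDs, channel plan and default-SSID list are assumptions; the markup-character check is a heuristic suggested by the crafted-SSID case above and is also an assumption.

```python
"""Policy-deviation checks of the kind section 4.3.2 describes for a WIDS/WIPS.

Added example for this post; not AirMagnet's or the PCI SSC's code. Every
BSSID, SSID, channel and policy value below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Observation:
    """Fields a sensor reads from an AP's beacon (SSID, channel, RSN element)."""
    bssid: str
    ssid: str
    channel: int
    cipher: str   # pairwise cipher: "CCMP" (AES), "TKIP", "WEP" or "NONE"
    akm: str      # key management: "802.1X" (EAP), "PSK" or "NONE"


@dataclass
class Policy:
    """Organization-specific WLAN policy (assumed values)."""
    authorized_bssids: Set[str]
    ssids: Set[str]
    channels: Set[int]
    cipher: str = "CCMP"    # 802.11i/AES only
    akm: str = "802.1X"     # EAP-based authentication only
    # Factory-default SSIDs; assumed starter list, extend from your own inventory.
    default_ssids: Set[str] = field(
        default_factory=lambda: {"linksys", "default", "NETGEAR", "dlink"})


# Characters that never belong in a corporate SSID and that a management UI
# must escape before rendering. Heuristic flag for crafted SSIDs (assumption).
SSID_MARKUP = set('<>"\'&')


def check_observation(obs: Observation, policy: Policy,
                      baseline: Dict[str, Observation]) -> List[str]:
    """Return the alarms raised by one observed AP.

    baseline maps BSSID -> Observation from the previous sweep, so a change to
    an authorized AP's SSID or security settings is reported even if the new
    values happen to be policy-compliant.
    """
    alarms: List[str] = []
    if obs.bssid not in policy.authorized_bssids:
        alarms.append("Rogue AP Detected")
    if obs.ssid in policy.default_ssids:
        alarms.append("AP Using Default Configuration")
    if obs.ssid not in policy.ssids:
        alarms.append("Unauthorized SSID")
    if obs.channel not in policy.channels:
        alarms.append("Channel Policy Violation")
    if obs.cipher != policy.cipher:
        alarms.append("Device Unprotected by IEEE 802.11i/AES")
    if obs.akm != policy.akm:
        alarms.append("Device Unprotected by 802.1x")
    if SSID_MARKUP & set(obs.ssid):
        alarms.append("Suspicious SSID (markup characters)")

    prev = baseline.get(obs.bssid)
    if prev is not None:
        if prev.ssid != obs.ssid:
            alarms.append("AP Configuration Changed (SSID)")
        if (prev.cipher, prev.akm) != (obs.cipher, obs.akm):
            alarms.append("AP Configuration Changed (Security)")
    return alarms


def sweep(observations: List[Observation], policy: Policy,
          baseline: Dict[str, Observation]) -> Dict[str, List[str]]:
    """Check every observed AP; return {bssid: alarms} for APs that raised any."""
    report: Dict[str, List[str]] = {}
    for obs in observations:
        alarms = check_observation(obs, policy, baseline)
        if alarms:
            report[obs.bssid] = alarms
    return report


# Constructed policy and sweeps (assumptions, not captured data).
POLICY = Policy(
    authorized_bssids={"00:11:22:33:44:01", "00:11:22:33:44:02"},
    ssids={"CORP-POS"},
    channels={1, 6, 11},
)
BASELINE = {
    "00:11:22:33:44:01": Observation("00:11:22:33:44:01", "CORP-POS", 6, "CCMP", "802.1X"),
    "00:11:22:33:44:02": Observation("00:11:22:33:44:02", "CORP-POS", 11, "CCMP", "802.1X"),
}
THIS_SWEEP = [
    # AP 1 unchanged and compliant: no alarm.
    Observation("00:11:22:33:44:01", "CORP-POS", 6, "CCMP", "802.1X"),
    # AP 2 silently fell back to WPA-PSK/TKIP (controller bug or admin error);
    # the controller's own report would still call it "secure".
    Observation("00:11:22:33:44:02", "CORP-POS", 11, "TKIP", "PSK"),
    # Consumer AP someone plugged into the store network, factory defaults.
    Observation("aa:bb:cc:dd:ee:ff", "linksys", 9, "NONE", "NONE"),
    # Planted AP whose SSID is aimed at an unescaped reporting page.
    Observation("de:ad:be:ef:00:01", "CORP-POS<img src=x>", 6, "CCMP", "802.1X"),
]

if __name__ == "__main__":
    for bssid, alarms in sweep(THIS_SWEEP, POLICY, BASELINE).items():
        print(bssid, "->", "; ".join(alarms))
```

The second AP is the case the guideline is really about: its SSID and channel are still correct, and the controller believes it is running WPA2/802.1X, but the beacon on the air says TKIP/PSK. Only a sensor reading the beacon catches the downgrade. Note that a beacon reveals the AKM suite (802.1X versus PSK) but not which EAP method is in use; an alarm such as "Device Unprotected by EAP-*" requires the sensor to watch the EAPOL/EAP exchange itself, which again is something a configuration system cannot do from its own database.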

THE FUTURE
Today these rules are really just very strongly worded suggestions. I am nevertheless willing to go out on a limb and predict that, unless something dramatic changes the landscape in the next 6 to 12 months, the PCI Security Standards Council will insist on full-time, independent monitoring and protection of the airspace around your facilities in the next version of PCI DSS. Fully integrated solutions will not meet that bar: they respond poorly to new threats and are equally poor at verifying that they themselves meet policy. Independent wireless intrusion prevention systems, in turn, will need dynamic threat update mechanisms to ensure the timely delivery of new alarms for recent threats, vulnerabilities and attacks.

All documents referenced in this article may be found on the PCI Security Standards Council website.