WHITEPAPER
Executive Summary
The Payment Card Industry Security Standards Council (PCI SSC) has
published a PCI DSS Wireless Guideline which acknowledges that
wireless is a clear and present danger to network security and that those who
collect, store or transmit cardholder data must take steps to ensure that
it is secure, whether or not wireless is deployed in the cardholder data
environment. Though the PCI DSS already included wireless security
requirements, this is the first time that the requirements for wireless
security have been described unambiguously for all cardholder data
environments (CDE). Organizations which handle payment card data
must take steps to secure the CDE against wireless threats, including
unmanaged and unknown wireless devices in the environment, and
must scan all locations. This white paper helps those organizations
understand how the PCI DSS 1.2 wireless requirements apply to them,
how to meet those requirements in a cost-effective way, and how to
secure their network and cardholder data from wireless threats.
Introduction
Recent incidents have highlighted the growing use of wireless by
cybercriminals to steal sensitive data from both wired and wireless networks. The
TJX incident — the largest known wireless security breach in U.S. history — is
a prime example. Hackers used unsecured wireless as an entry point to access TJX
networks worldwide. Over 90 million credit- and debit-card records, and personal
information such as social security numbers, driver’s license numbers and military
identification of more than 451,000 customers, were stolen. A total of nine retail
chains — including Office Max, Boston Market, Barnes & Noble, Sports Authority,
Forever 21 and DSW — were victims of this heist. Forrester Research estimated
the cost incurred to cover financial losses and lawsuit settlements at one billion
dollars.
Notably the wireless networks that were hacked during this incident were not
necessarily being used for processing cardholder data, but were connected to
wired networks that were part of the cardholder data environment (CDE). This
highlighted the need to comprehensively secure the CDE against all types of
wireless threats including those initiated outside it and those initiated from “Rogue”
wireless access points and clients installed unofficially inside the CDE.
The Payment Card Industry Security Standards Council (PCI SSC) responded
promptly by releasing the latest version 1.2 of the PCI Data Security Standard (PCI
DSS) in October 2008. The PCI SSC’s Wireless Special Interest Group (SIG) followed it
with a “PCI DSS Wireless Guideline” document in July 2009 that clarified the wireless
security requirements for PCI compliance, provided guidance on implementing
secure wireless LANs and outlined methods for protecting against threats from
wireless devices outside the CDE and Rogue wireless devices.
Officially deployed wireless access points (APs) and clients can violate PCI DSS
requirements if they are misconfigured or provide CDE access to unauthorized
users. Unofficially deployed Rogue wireless APs and clients can also compromise
the security of the entire network and provide CDE access to unauthorized users.
Depending on how wireless usage influences a CDE, the PCI DSS 1.2 wireless
security requirements can be broadly grouped into two categories:
•• Those that address threats from unknown wireless networks and apply
generally to all organizations wanting to comply with PCI DSS; and
•• Those that apply to organizations who have deployed an official wireless
network inside the CDE.
whether an organization runs or bans wireless, it needs to ensure that the CDE
is not plagued with such Rogue wireless devices. These are minimum wireless
scanning requirements.
•• Automatic blocking of Rogue APs and other wireless threats or hack attacks
•• Location tracking capability to physically hunt down Rogue and other threat posing
wireless devices
Unless a wireless network is segmented from the CDE (requirement 1.2.3) using
a firewall, the network should be monitored for wireless intrusion attempts. A
WIPS should be configured to send automatic threat alerts and instantly notify
Change default password: Replace the default password of your wireless AP with a
stronger one (at least eight characters, mixing letters and digits).
This prevents unauthorized users from logging into your AP and changing
its settings.
Change default SSID: The Service Set Identifier (SSID) or network name can be
configured on a wireless AP. Replace the default SSID with a unique name that does
not reveal the identity or other private information about your organization.
Turn off unused services: By default certain wireless APs may run additional
services such as Web-based remote management, zero configuration, and SNMP-based
monitoring. If you are not using these services, simply turn them off. If
you use SNMP, prefer SNMPv3, which supports stronger authentication than its
predecessors.
Turn on security settings: Most wireless APs come with wireless security turned off
by default. Cardholder data sent over an unsecured wireless connection is up for
grabs and can be passively sniffed by unauthorized users. Turn on the security on
your wireless APs and use strong encryption and authentication. See requirement
4.1.1 for more details.
Use Wi-Fi Protected Access (WPA or WPA2) for implementing a secure wireless
network. Use at least the Temporal Key Integrity Protocol (TKIP), preferably the
Advanced Encryption Standard (AES), to protect in-transit cardholder data against
eavesdropping. Implement 802.1X-based central authentication to restrict wireless
network access to authorized users. If you instead use Pre-Shared Key (PSK)
authentication, use a strong passphrase that is at least eight characters long and a
mix of alphanumeric and special characters.
Do not use the Wired Equivalent Privacy (WEP) protocol for encrypting wireless
data. WEP is fundamentally broken and cannot be fixed by any supplementary
solutions. Use of WEP is not allowed in the CDE after June 30, 2010. If using a WEP-
encrypted wireless network, a WIPS that detects and blocks WEP cracking attacks
could serve as a compensating control.
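As an added example (not code from the whitepaper or from AirTight), the following Python script audits constructed AP configuration records against the hardening points above: default password and SSID, unused services and SNMP version, encryption (open, WEP, TKIP, AES) and authentication (802.1X or PSK passphrase strength). The record field names, the default-SSID list and the sample inventory are assumptions.

```python
import re
from datetime import date
# Assumed vendor default SSIDs (extend from your own AP inventory) and the
# PCI DSS 1.2 date after which WEP is no longer allowed in the CDE.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink"}
WEP_CUTOFF = date(2010, 6, 30)

def _mixed(s, special=False):
    # Letters and digits required; a non-alphanumeric character too if special=True.
    ok = re.search(r"[A-Za-z]", s) and re.search(r"\d", s)
    return bool(ok and (not special or re.search(r"[^A-Za-z0-9]", s)))

def audit_ap(ap, today=date(2010, 7, 1)):
    """Return the list of findings for one AP record (constructed field names)."""
    f = []
    pw = ap.get("admin_password", "")
    if ap.get("password_is_default") or len(pw) < 8 or not _mixed(pw):
        f.append("weak or default admin password")
    if ap.get("ssid", "").lower() in DEFAULT_SSIDS:
        f.append("default SSID in use")
    used = set(ap.get("used_services", []))
    f += [f"unused service enabled: {s}" for s in ap.get("enabled_services", []) if s not in used]
    if "snmp" in used and ap.get("snmp_version", 0) < 3:
        f.append("SNMP version below v3")
    enc = ap.get("encryption", "open")
    if enc == "open":
        f.append("no wireless encryption")
    elif enc == "wep":  # WEP is broken; only a WIPS blocking WEP cracking can compensate
        msg = "WEP in use" + (" (not allowed after 2010-06-30)" if today > WEP_CUTOFF else "")
        f.append(msg if ap.get("wips_blocks_wep_cracking") else msg + "; no compensating WIPS control")
    elif enc == "tkip":
        f.append("TKIP in use; prefer AES")
    auth = ap.get("auth")
    if auth == "psk":
        if len(ap.get("passphrase", "")) < 8 or not _mixed(ap.get("passphrase", ""), special=True):
            f.append("weak WPA passphrase")
    elif auth != "802.1x":
        f.append("no 802.1X or PSK authentication")
    return f

# Constructed sample inventory: one compliant AP and one with several defects.
SAMPLE_APS = [
    {"name": "store-12-ap1", "admin_password": "Tr0ub4dor-9x", "ssid": "s12-pos", "auth": "802.1x",
     "enabled_services": ["snmp"], "used_services": ["snmp"], "snmp_version": 3, "encryption": "aes"},
    {"name": "store-12-ap2", "admin_password": "admin", "password_is_default": True, "ssid": "linksys",
     "enabled_services": ["web_mgmt", "snmp"], "used_services": [], "encryption": "wep",
     "auth": "psk", "passphrase": "password"},
]

def audit_all(aps):
    # Map each AP name to its findings; an empty list means no defects found.
    return {ap["name"]: audit_ap(ap) for ap in aps}
```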
wireless APs can be restricted by mounting them high up on the ceilings or walls,
and by installing them inside tamper-proof enclosures.
Access to laptops and handheld devices should be restricted by using strong
passwords. Sensitive information on these devices should be encrypted to prevent
unauthorized access even if the device gets stolen.
A WIPS can also serve as a wireless inventory management system, monitoring
wireless devices and their activities, tracking their physical location inside the
CDE, and enabling the administrator to quickly discover any missing or tampered
devices.
Archive logs of wireless activity for at least one year on a central server where the logs
cannot be tampered with. Review wireless access logs daily to check for any anomalous
activity. Here a WIPS can be repurposed to maintain records of the wireless activity it
has monitored and can also help in forensic analysis of past data if necessary.
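As an added example that is not part of the whitepaper, this Python snippet shows the kind of daily log review the paragraph calls for: it parses constructed wireless-scan log lines from a sensor, compares observed BSSIDs against an authorized AP inventory, and flags unknown APs heard strongly inside a location and unknown APs advertising an authorized SSID, as well as authorized APs whose SSID or encryption has changed. The log format, field names, inventory and signal threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed scan-log lines (not real sensor output); one line per observed BSSID.
SCAN_LOG = """\
2009-07-14T10:02:11 sensor=store12-s1 bssid=00:11:22:33:44:55 ssid=s12-pos rssi=-48 enc=wpa2
2009-07-14T10:02:11 sensor=store12-s1 bssid=00:11:22:33:44:66 ssid=s12-guest rssi=-52 enc=wpa2
2009-07-14T10:02:12 sensor=store12-s1 bssid=aa:bb:cc:dd:ee:01 ssid=s12-pos rssi=-61 enc=open
2009-07-14T10:02:12 sensor=store12-s1 bssid=aa:bb:cc:dd:ee:02 ssid=HomeNet rssi=-89 enc=wpa2
2009-07-14T10:02:13 sensor=store12-s1 bssid=aa:bb:cc:dd:ee:03 ssid=netgear rssi=-40 enc=wep
"""
# Constructed authorized inventory: BSSID -> SSID it is allowed to advertise.
AUTHORIZED = {"00:11:22:33:44:55": "s12-pos", "00:11:22:33:44:66": "s12-guest"}
RSSI_INSIDE = -70  # assumed: stronger than this likely means the AP is on the premises

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sensor=(?P<sensor>\S+) bssid=(?P<bssid>\S+) ssid=(?P<ssid>\S+) "
    r"rssi=(?P<rssi>-?\d+) enc=(?P<enc>\S+)$")

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["rssi"] = int(d["rssi"])
            yield d

def review(text):
    """Return {bssid: [reasons]} for observations that need follow-up."""
    alerts = defaultdict(list)
    for obs in parse_log(text):
        b, ssid = obs["bssid"].lower(), obs["ssid"]
        if b in AUTHORIZED:  # known AP: check it still looks the way the inventory says
            if AUTHORIZED[b] != ssid:
                alerts[b].append(f"authorized AP advertising unexpected SSID {ssid}")
            if obs["enc"] in ("open", "wep"):
                alerts[b].append(f"authorized AP with weak encryption {obs['enc']}")
            continue
        if ssid in AUTHORIZED.values():  # unknown AP impersonating an authorized network
            alerts[b].append(f"unknown AP advertising authorized SSID {ssid}")
        if obs["rssi"] > RSSI_INSIDE:  # unknown AP close enough to be inside the CDE
            alerts[b].append(f"unknown AP heard at {obs['rssi']} dBm (likely on premises)")
    return dict(alerts)
```

Weak neighbouring networks (like the constructed HomeNet line) produce no alert, so the daily review stays focused on devices that can actually reach the CDE.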
scanning. Additionally, for organizations that do not have a known WLAN AP in the
CDE and are subject only to the minimum scanning requirements, a full Wireless
IPS (WIPS) capability may not be required.
Built on its leading WIPS technology, AirTight Networks offers SpectraGuard Online,
a SaaS-based wireless security solution for PCI compliance. This solution automates
wireless scanning and requires no IT intervention, thus making PCI wireless
scanning and compliance a low-cost, no-effort affair. Depending on the needs
of the organization, SpectraGuard Online can be upgraded seamlessly to provide
full wireless IPS capabilities.
SpectraGuard Online is a true “hands off” solution. The customer installs
pre-configured wireless sensors (plug-and-play), responds to a few wireless setup
questions and, within 72 hours, begins to receive wireless vulnerability alerts
by email. Users can choose to receive a PCI Wireless Compliance report by email
monthly or quarterly. Customer data is hosted in a secure SAS70-certified
datacenter designed for security and high availability.
SpectraGuard Online offers four service modules to choose from with pricing as
low as $20 per month per location.
Modules (a "yes" marks a service included in that module; "-" marks one that is not):

Service                                                   Basic        Wireless   Wireless   Wireless
                                                          Compliance   Alerts     IDS        IPS
Automated wireless scanning                               yes          yes        yes        yes
Compliance report delivered by email monthly or quarterly yes          yes        yes        yes
Real-time email alerts for Rogue AP detection and         -            yes        yes        yes
  wireless intrusion
Archiving of alerts for one year                          -            yes        yes        yes
Access to wireless IDS console                            -            -          yes        yes
24x7 full wireless monitoring                             -            -          yes        yes
Troubleshooting and customizable unlimited reporting      -            -          yes        yes
24x7 full wireless intrusion prevention and automatic     -            -          -          yes
  incident response
RF heat maps                                              -            -          -          yes
Location tracking to physically locate and remove         -            -          -          yes
  Rogue APs
•• Grow as needed
[Figure: bar chart of estimated one year expense for PCI wireless scanning, comparing an on-site WIPS, a wireless analyzer and SpectraGuard Online.]
Estimated one year expense for PCI wireless scanning. For SpectraGuard Online and on-site WIPS, one wireless sensor per location
is assumed. Cost for scanning with a wireless analyzer includes logistics cost such as travel and lodging.
The total cost of ownership for SpectraGuard Online is radically less expensive
— 60 to 75 percent lower — than any competitive WIPS solutions on the
market today. For large enterprises with hundreds or even thousands of sites
across the globe, PCI compliance wireless scanning using the SpectraGuard
Online automated, hosted solution is dramatically less expensive in both
manpower and cost than walk-around scanning using any wireless analyzer.
Conclusions
The PCI Security Standards Council has made it clear that wireless security is a
concern that all merchants, regardless of whether or not wireless is deployed, must
address. Scanning all sites for wireless vulnerabilities and threats such as Rogue APs
and eliminating them from the cardholder data environment (CDE) is mandatory.