Feb 27 2008
What do I need to log? What product will make me PCI compliant? Can you give me a list of acceptable services to run on my Windows 2008 server? Where’s the punch list of things I need to do to be compliant?; These and a number of other ‘silver bullet’ questions are things a PCI assessor hears on a daily basis. And we’re not the only ones if Dr. Chuvakin’s recent post is any indicator: IT managers want to know exactly what they need to log to be PCI compliant. Unluckily, the answer is “it depends”. There is no list, no resource to refer to, no silver bullet for compliance and despite many marketeers’ wishes, there probably won’t be. Unless we want to make every network out there exactly the same that is.
That’s the real reason that Anton can’t answer the question of logging for his customers; each network is different and what’s good for one client might leave gaping holes in another network. Even networks that are using the same types of switches, routers and servers still have enough variation that what’s good for one won’t be enough for another. And just as logging nothing isn’t an acceptable solution, logging everything isn’t acceptable because someone has to actually sit down on a daily basis and review the logs. A recent comment on a mailing list I read asked “who did you piss off to be put in charge of the Linux logs?” It’s tedious work under the best of situations.
The PCI DSS is about risk mitigation (or risk transference, depending on your point of view). It list a minimum set of standards that merchants and service providers must meet to do business. The risks each business face are unique and no one can honestly give a cookie cutter approach or a product that meets all the requirements. Even implying that a product is going to solve your problems out of the box is at best bad marketing and at worst an outright lie. No matter what product you choose, customizing it to your environment is going to be vital. Not that I have strong feelings on the subject.
So what is the use of the PCI DSS if there are no real solutions? It’s a starting point to make your network secure. And that’s all it is, a starting point. It’s a minimum set of standards, not an end point in and of itself. And this is the place many merchants and service providers fail in that they think once they’ve received the blessing of their auditor for PCI they’re done securing their network. But anyone who’s relying on a PCI assessment to prove that they’re secure is missing the point of PCI and doing their company a disservice.
We all know of a company who was ‘PCI compliant’ but got hacked a lost millions of credit cards due to an improperly secured wireless network. I can only guess they got their letter of compliance, let lose with a big sigh of relief and went on to other projects. Which is exactly why they ended up as front page news. They made the mistake of believing PCI compliance equated to security. And they’re still paying the price for that assumption.
PCI is a starting point for your security programs. It’s a tool to get management to pay for implementing technologies and projects that can secure your network. It can be used as leverage to do the things that really will protect your network. Yes, there are points in the PCI DSS that won’t apply to many businesses but have to be complied with anyways. Luckily, those items are in the minority and the majority of PCI items are things every business should be doing. Your assessor has the job of making sure you’re network and systems meet with the PCI standards and will hopefully have suggestions for continuing beyond PCI to make your business secure. But the fact is, an assessor has to audit to the standards; they can make suggestions beyond PCI, but that’s all they are, suggestions. It’s up to you to take those suggestions and continue the efforts to secure your business.
I’ve been on both sides of the PCI aisle and have a pretty good idea of the problems and benefits of PCI. Obviously I view it as a jumping off point to go beyond just securing credit card data. The same tools that secure your card holder data environment can be used to protect the rest of your network. PCI can and should be used as an agent for change, giving you good guidelines for basic security. But it’s up to you to implement them in the way that best suits your environment and find any holes that PCI and your assessor may have missed. After all, your assessor is human and just as likely to miss something as anyone else; they just have a checklist of things they have to verify.