Bill Roth, Ulitzer Editor-at-Large

Key PCI DSS Requirements Involving Logging

By Anton Chuvakin

Starting with Requirement 1, "Install and maintain a firewall configuration to protect cardholder data," we see that it calls for "a formal process for approving and testing all external network connections and changes to the firewall configuration." Once such a process is established, however, one still needs to validate that firewall configuration changes actually happen in accordance with the documented change management procedures and do not put the firewall configuration out of line with DSS guidance. That is where logging becomes extremely useful, since logs show what actually happened, not just what was supposed to happen according to policy. LogLogic firewall reports are very useful for Requirement 1 PCI compliance.

Other log-related areas within Requirement 1 include section 1.1.6, "Justification and documentation for any available protocols besides Hypertext Transfer Protocol (HTTP), SSL, Secure Shell (SSH), and VPN," where logs should be used to watch for any traffic that uses protocols other than these approved ones.

Also, section 1.1.7, "Justification and documentation for any risky protocols allowed," which must include the reason for using the protocol and the security features implemented. Examples are TFTP, which has no authentication at all, or FTP, which exposes plain-text passwords as well as the transferred data to anyone who can see the traffic. Here logs help to review and monitor the actual use of "risky" protocols, which matters most where such use is not "official." Worse still is when payment data is actually exchanged over such protocols.

Further, Requirement 1.3 contains specific statements about which inbound and outbound connectivity the firewall configuration may allow. One must use firewall logs to verify this; an occasional review of the firewall configuration alone would not be sufficient, since only logs show "how it really happened" rather than "how it was configured." To substantiate this requirement one can use firewall system logs, such as records of configuration pushes and updates, as well as summaries of allowed connections to and from the PCI environment. LogLogic PCI reports cover this area.

To address these sections of Requirement 1, make sure that the firewalls protecting the cardholder environment log their configuration changes and user modifications, as well as inbound and outbound connections to and from the environment, to a LogLogic appliance.
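As an added example (not part of the original post and not LogLogic code), the following Python script shows the kind of log review Requirement 1 calls for: it parses netfilter/iptables-style firewall log lines and flags accepted connections that use an unjustified risky protocol (1.1.7) or that leave the cardholder environment directly for an external address (1.3). The CDE address range, the internal ranges, the approved-exception list, the ACCEPT/DROP log prefix and the sample log lines are all constructed assumptions.

```python
import ipaddress
import re

# Cardholder data environment (CDE) address range and the other internal ranges the
# firewall sees. All assumed for this example.
CDE_NET = ipaddress.ip_network("192.168.10.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Protocols Requirement 1.1.7 treats as risky, keyed by (transport, destination port).
RISKY_PORTS = {("tcp", 21): "FTP", ("udp", 69): "TFTP", ("tcp", 23): "telnet"}

# Risky-protocol uses that the change process has justified and documented (assumed):
# (transport, port, destination host) -> change ticket.
APPROVED_RISKY = {("tcp", 21, "192.168.10.50"): "CHG-1042"}

# Constructed sample log. The ACCEPT/DROP word is an assumed iptables --log-prefix;
# everything from IN= onward follows the netfilter key=value format.
SAMPLE_LOG = """\
Jan 12 10:00:01 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=192.168.10.20 PROTO=TCP SPT=50123 DPT=443
Jan 12 10:00:07 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.9 DST=192.168.10.20 PROTO=TCP SPT=50124 DPT=21
Jan 12 10:00:09 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.10.31 DST=10.0.0.77 PROTO=UDP SPT=40001 DPT=69
Jan 12 10:00:11 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.9 DST=192.168.10.50 PROTO=TCP SPT=50125 DPT=21
Jan 12 10:00:15 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.10.31 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=80
Jan 12 10:00:20 fw1 kernel: DROP IN=eth0 OUT=eth1 SRC=10.0.0.9 DST=192.168.10.20 PROTO=TCP SPT=50126 DPT=23
Jan 12 10:00:25 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.9 DST=192.168.10.20 PROTO=ICMP TYPE=8 CODE=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: (?P<verdict>ACCEPT|DROP) (?P<kv>.*)$"
)


def parse_line(line):
    """Return the record's fields as a dict, or None if the line is not a firewall record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(re.findall(r"(\w+)=(\S*)", rec.pop("kv")))  # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    return rec


def is_external(addr):
    """True when the address is outside every internal range, i.e. on the Internet side."""
    return not any(addr in net for net in INTERNAL_NETS)


def review_firewall_log(text):
    """Return findings as (timestamp, requirement, detail) tuples.

    Only ACCEPT records are examined: dropped traffic never reached the CDE, and what
    the firewall actually let through is exactly what a configuration review cannot show.
    """
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["verdict"] != "ACCEPT":
            continue
        src, dst = ipaddress.ip_address(rec["SRC"]), ipaddress.ip_address(rec["DST"])
        inbound, outbound = dst in CDE_NET, src in CDE_NET
        if not (inbound or outbound):
            continue  # traffic that never touches the CDE is out of scope for this review
        proto = rec["PROTO"].lower()
        dport = int(rec["DPT"]) if "DPT" in rec else None  # ICMP records carry no port

        # 1.1.7: every risky protocol needs a documented justification; anything accepted
        # but not on the approved list is a finding.
        name = RISKY_PORTS.get((proto, dport))
        if name and (proto, dport, rec["DST"]) not in APPROVED_RISKY:
            findings.append((rec["ts"], "1.1.7", f"unapproved {name}: {rec['SRC']} -> {rec['DST']}"))

        # 1.3: outbound traffic from the CDE must be restricted, so a connection from a CDE
        # host straight to an external address is a finding regardless of the port.
        if outbound and is_external(dst):
            findings.append((rec["ts"], "1.3", f"direct CDE egress: {rec['SRC']} -> {rec['DST']}:{dport}"))
    return findings


if __name__ == "__main__":
    for ts, req, detail in review_firewall_log(SAMPLE_LOG):
        print(f"{ts}  Req {req}  {detail}")
```

On the sample log this reports the unapproved FTP session into the CDE, the TFTP transfer out of it, and the CDE host talking directly to 198.51.100.7, while the approved FTP destination, the dropped telnet attempt and the ICMP echo pass without comment. In a real deployment the approved-exception list should come from the change records themselves, so that the log review and the change process stay in sync.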

Requirement 5, "Use and regularly update anti-virus software or programs," refers to defenses against malicious software. Of course, in order to satisfy section 5.2, which requires that you "Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs," one needs to see such logs. This requirement is directly satisfied by producing and collecting anti-virus logs in line with PCI DSS log management guidelines. Moreover, the PCI DSS assessment guidelines for QSAs state that they must "verify that antivirus software log generation is enabled and that such logs are retained in accordance with PCI DSS Requirement 10.7."

To address Requirement 5, make sure that anti-malware software produces logs and that those logs are managed and reviewed in accordance with Requirement 10.

Further, Requirement 7, "Restrict access to cardholder data by business need-to-know," relies on logs to validate who actually had access to that data. If users who should be prevented from seeing the data appear in the log files as accessing it, remediation is needed.

To address this section of Requirement 7, one needs to make sure that access to such data, whether in databases or in files, is logged and that those logs are managed and reviewed as prescribed in Requirement 10.

In general, assigning a unique ID to each user accessing the system fits with other basic security "best practices." In PCI DSS it is not just a best practice; it is a specific requirement (Requirement 8, "Assign a unique ID to each person with computer access"). Obviously, one needs to "Control addition, deletion, and modification of user IDs, credentials, and other identifier objects" (section 8.5.1), and most systems log such activities, so the logs can confirm that these controls are indeed operating. In addition, section 8.5.9, "Change user passwords at least every 90 days," can also be verified by reviewing the log files from the server to confirm that every account has had its password changed at least every 90 days.

To address these sections of Requirement 8, one needs to record key system actions together with the user names of the users performing them. Using alerting tools or the correlation features of LogLogic SEM to detect when accounts are shared is a useful addition as well.
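As an added example (not code from the original post or from LogLogic), the following Python script performs the two Requirement 8 checks discussed above over host authentication logs: it reports accounts whose password has not been changed within 90 days (8.5.9) and user IDs that log in from two different sources within a few minutes of each other, a common indicator that an ID is being shared. The log lines use rsyslog's ISO-8601 file format and the real OpenSSH "Accepted ..." and pam_unix "password changed for ..." message wording, but the lines themselves, the account list and the ten-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts that exist on the in-scope host (assumed; in practice take this from
# /etc/passwd or the identity management system so that silent accounts are not missed).
ACCOUNTS = {"alice", "bob", "carol"}
MAX_PASSWORD_AGE = timedelta(days=90)      # Requirement 8.5.9
SHARED_ID_WINDOW = timedelta(minutes=10)   # assumed: two sources this close together means a shared ID

# Constructed sample log in rsyslog's default ISO-8601 file format.
SAMPLE_LOG = """\
2012-01-05T11:20:00+00:00 pos1 passwd[1901]: pam_unix(passwd:chauthtok): password changed for bob
2012-03-01T08:15:42+00:00 pos1 passwd[2301]: pam_unix(passwd:chauthtok): password changed for alice
2012-04-14T08:00:10+00:00 pos1 sshd[2200]: Accepted publickey for carol from 10.0.0.12 port 50010 ssh2
2012-04-14T09:00:01+00:00 pos1 sshd[2210]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
2012-04-14T09:04:30+00:00 pos1 sshd[2222]: Accepted password for alice from 10.0.0.8 port 51040 ssh2
2012-04-14T09:10:00+00:00 pos1 sshd[2230]: Accepted password for bob from 10.0.0.9 port 51100 ssh2
2012-04-14T09:12:00+00:00 pos1 sshd[2231]: Failed password for bob from 10.0.0.77 port 51101 ssh2
2012-04-14T09:30:00+00:00 pos1 sshd[2240]: Accepted password for bob from 10.0.0.9 port 51130 ssh2
2012-04-14T17:00:00+00:00 pos1 sshd[2300]: Accepted publickey for carol from 10.0.0.13 port 50200 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
LOGIN_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")
PWCHANGE_RE = re.compile(r"password changed for (?P<user>\S+)$")


def parse_events(text):
    """Yield (timestamp, kind, user, source) for successful logins and password changes.

    Failed logins and unrelated messages are skipped; only what actually succeeded is
    evidence of who used which ID.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        if m["prog"] == "sshd" and (lm := LOGIN_RE.match(m["msg"])):
            yield ts, "login", lm["user"], lm["src"]
        elif m["prog"] == "passwd" and (pm := PWCHANGE_RE.search(m["msg"])):
            yield ts, "pwchange", pm["user"], None


def shared_account_indicators(events):
    """Return (user, first_source, second_source) whenever one ID logs in from two
    different sources within SHARED_ID_WINDOW of each other."""
    logins = defaultdict(list)
    for ts, kind, user, src in events:
        if kind == "login":
            logins[user].append((ts, src))
    hits = []
    for user, entries in logins.items():
        entries.sort()
        for (t1, s1), (t2, s2) in zip(entries, entries[1:]):
            if s1 != s2 and t2 - t1 <= SHARED_ID_WINDOW:
                hits.append((user, s1, s2))
    return hits


def stale_passwords(events, as_of):
    """Return (user, days_since_change) for accounts past the 90-day limit at the review
    date; days_since_change is None when no change was ever logged for the account."""
    last_change = {}
    for ts, kind, user, _ in events:
        if kind == "pwchange":
            last_change[user] = max(ts, last_change.get(user, ts))
    stale = []
    for user in sorted(ACCOUNTS):
        if user not in last_change:
            stale.append((user, None))
        elif as_of - last_change[user] > MAX_PASSWORD_AGE:
            stale.append((user, (as_of - last_change[user]).days))
    return stale


def review_auth_log(text, as_of_iso):
    """Run both checks over a log and an ISO-8601 review date; return the findings."""
    events = list(parse_events(text))
    return {"shared_ids": shared_account_indicators(events),
            "stale_passwords": stale_passwords(events, datetime.fromisoformat(as_of_iso))}


if __name__ == "__main__":
    print(review_auth_log(SAMPLE_LOG, "2012-04-15T00:00:00+00:00"))
```

Reviewed as of 15 April 2012, the sample log shows alice's ID used from 10.0.0.5 and 10.0.0.8 four and a half minutes apart, bob's password last changed 100 days earlier, and no password change at all on record for carol. The last case is why the account list is an input rather than something derived from the log: an account that never appears in the password-change events is the one most likely to be out of compliance.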

More Stories By Bill Roth

Bill Roth is a Silicon Valley veteran with over 20 years in the industry. He has played numerous product marketing, product management and engineering roles at companies like BEA, Sun, Morgan Stanley, and EBay Enterprise. He was recently named one of the World's 30 Most Influential Cloud Bloggers.