IDS/IPS for PCI compliance requirements

I have the traditional IPS/IDS modules in my Cisco ASAs. Is there an application that can collect all my logs and send alerts when a threat is detected? Is the IME still a valid product? What are the limitations of the IME?

Have a look at Microsoft Endpoint Protection for Windows Azure.
http://blogs.msdn.com/b/windowsazure/archive/2012/03/26/microsoft-endpoint-protection-for-windows-azure-customer-technology-preview-now-available-for-free-download.aspx
http://blog.maartenballiauw.be/post/2012/03/27/Protecting-Windows-Azure-Web-and-Worker-roles-from-malware.aspx

Similar Messages

  • Upgrade firmware for PCI compliance scan

    I have a WRT54G ver. 5 wireless router running ver. 1.02.0 firmware. I'm anticipating a PCI compliance scan which my bank requires since I transmit credit card numbers from here for my online business. I'm wondering if I should upgrade to the latest firmware version (1.02.6) before the scan. The router is working fine and I'm a great believer in not fixing things if they aren't broken. Does the upgrade make security improvements (which I should have) or just fix problems (which I don't have)?

    If the router is upgraded with the latest firmware, it resolves many problems. So if you get some time you may upgrade the firmware.

  • Patching vulnerabilities for PCI compliance

    Hi
    My Apple Profile Manager server has failed a PCI compliance scan, due to the vulnerabilities listed below. The OS and the software are patched to the highest level, but it's still failing.
    What do I need to do to be able to resolve these? If I can't patch them by Thursday, I'll have to shut down the server.
    SSL/TLS use of weak RC4 cipher: CVE-2013-2566
    OpenSSL Multiple Vulnerabilities (OpenSSL Security Advisory 20140806): CVE-2014-3512, CVE-2014-3511, CVE-2014-3510, CVE-2014-3507, CVE-2014-3508, CVE-2014-5139, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506
    Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day: CVE-2007-6750

    If you're running OS X 10.9.2 as your message indicates, then you are not patched to the highest level. (By a long way.)
    OS X 10.9.5 plus Security Update 2014-005 would give you all the current patches for Mavericks. If you upgraded to Yosemite and Server.app 4.0 you would get some further updates. (Server 4.0 would have to be purchased, although Yosemite, a.k.a. OS X 10.10, itself is free.)
    Even with all of those I suspect some of the issues you list will not be patched. In theory you could manually compile and install patches, but this is generally a very bad idea, as you will then break compatibility with Apple's own software such as the server configuration tool Server.app, and likely break Profile Manager completely and, if you use it, the Wiki module.
    If you want complete control over patching the software, then OS X is not going to let you do this without, as mentioned above, severe consequences. Only Linux gives you that level of control. Arguably Windows gives you even less control than OS X, as in Windows it is all closed source (Microsoft) software.

  • E Business columns for PCI Compliance

    Does Oracle have a documentation with configuration details to meet Payment Card Industry standards requirements? We are implementing Oracle Advanced Security against Oracle E Business and need to know what columns we should specifically address within E Business to protect our PII/PCI data.
    Any help would be greatly appreciated.
    Bill


  • Disable SSL v2 and weak ciphers on a RV325 for PCI compliance

    How do you disable SSL v2 and weak ciphers on a RV325 to become PCI compliant?

    Hello
    Per the Cisco RVS4000 product site information, this router has been end of life since January 30, 2010. The last date of support has also already passed: April 30, 2013. This means that according to Cisco policy no further updates to the existing firmware will be made, not even security-related fixes. And I am afraid that this is a fact with which you have to deal.
    Regarding the RV320, it seems that there is no possibility to restrict the SSL/TLS protocol/version on your own in the current version. Francis, I would recommend you open a service request with Cisco SMB Support if you still have a valid support contract. I hope there is a good chance to get it fixed, as this is a security-related inability.
    Lastly, for all products (including the RVS4000), I would suggest keeping the management interface of the router as separated as possible, i.e. restrict access to the management interface to a single subnet/host(s) only (via the Firewall feature). Having an administration/management subnet, and certain client(s) which are part of this subnet, can help to avoid eavesdropping on your connection to the router. Of course disabling remote management is the best thing you can do in any case (including avoiding possible firmware bugs, login attempts and so on).

  • PCI DSS Compliance - Requirements 5 & 6

    We are currently applying for PCI Compliance, and are required to answer the following questions. Since our solution is hosted on Windows Azure, are these questions relevant? Can anyone please suggest where we might establish the answers to these, with respect to our Azure environment?
    Requirement 5: Use and regularly update anti-virus software or programs
    5.1: Is anti-virus software deployed on all systems commonly affected by malicious software?
    5.1.1: Are all anti-virus programs capable of detecting, removing and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)?
    5.2: Is all anti-virus software current, actively running, and generating audit logs, as follows:
    (a) Does the anti-virus policy require updating of anti-virus software and definitions?
    (b) Is the master installation of the software enabled for automatic updates and scans?
    (c) Are automatic updates and periodic scans enabled?
    (d) Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7?
    Requirement 6: Develop and maintain secure systems and applications
    6.1:
    (a) Are all system components and software protected from known vulnerabilities by having the latest vendor-supplied security patches installed?
    (b) Are critical security patches installed within one month of release?

    Have a look at Microsoft Endpoint Protection for Windows Azure.
    http://blogs.msdn.com/b/windowsazure/archive/2012/03/26/microsoft-endpoint-protection-for-windows-azure-customer-technology-preview-now-available-for-free-download.aspx
    http://blog.maartenballiauw.be/post/2012/03/27/Protecting-Windows-Azure-Web-and-Worker-roles-from-malware.aspx

  • CCX PCI Compliance

    Hi All,
    I am looking to achieve PCI compliance for my networking infrastructure, which includes CCX, currently running version 4.1 with IVR being used for credit card authentication. Not really sure where to start on this, so if anybody has any pointers on how the requirements for PCI compliance translate to what we actually need to do to the server, that would be much appreciated.
    Rgds

    I just had a conversation with Trustwave and they are going to disable this check while they figure out a detection without this false positive, so your scans should be fine now. Thank you Trustwave for such a quick response and turn around!

  • SQL Injection detection with IDS/IPS on cisco ASA?

    Hi
    Is it possible to detect or prevent SQL injection attacks using Cisco IDS/IPS on ASA or with regular expressions?
    Is there any signature available in IDS/IPS for this? And how effective is it in terms of generating correct alarms?
    Thanks in advance

    Deepak,
    We have several signatures that detect generic SQL injection attacks in the 5930-x family of signatures.
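    To illustrate the "regular expressions" and "correct alarms" part of the question, the following is an added example, not code from this thread or from Cisco's signature set: it runs a naive keyword regex and a tighter, shape-based pattern over a constructed set of labelled request lines and counts true positives, false positives and false negatives. The sample requests and both patterns are assumptions for illustration; a real IPS signature set is far more elaborate, but the trade-off it shows (keyword-only rules alarm on ordinary search terms and miss comment-style truncation) is the one that drives alarm accuracy.

```python
import re
from urllib.parse import unquote_plus

# Constructed, labelled web-server request lines (not real traffic):
# (request line, True if it carries an injection attempt).
LABELLED_REQUESTS = [
    ("GET /products?id=42 HTTP/1.1", False),
    ("GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1", True),
    ("POST /login?user=admin%27--%20 HTTP/1.1", True),
    ("GET /search?q=select+a+colour HTTP/1.1", False),
    ("GET /search?q=the+union+of+two+sets HTTP/1.1", False),
    ("GET /items?cat=1%3B%20DROP%20TABLE%20x HTTP/1.1", True),
]

# Naive signature: any bare SQL keyword anywhere in the request.
# This is the kind of regex that fires on ordinary English search terms.
NAIVE = re.compile(r"\b(union|select|insert|drop|or)\b", re.I)

# Tighter signature: require the shape of an injection, not just a keyword.
TIGHTER = re.compile(
    r"'\s*(or|and)\s*'?\d*'?\s*="   # quote followed by a boolean tautology
    r"|union\s+(all\s+)?select\b"   # UNION SELECT appended to a query
    r"|'\s*--"                      # quote then SQL comment to truncate the rest
    r"|;\s*drop\b",                 # stacked statement
    re.I,
)

def decode_request(line: str) -> str:
    """URL-decode so the pattern sees what the database would see."""
    return unquote_plus(line)

def matches(line: str, pattern: re.Pattern) -> bool:
    """True if the (decoded) request line triggers the signature."""
    return pattern.search(decode_request(line)) is not None

def evaluate(pattern: re.Pattern, labelled=LABELLED_REQUESTS):
    """Return (true positives, false positives, false negatives)."""
    tp = fp = fn = 0
    for line, is_attack in labelled:
        hit = matches(line, pattern)
        if hit and is_attack:
            tp += 1
        elif hit and not is_attack:
            fp += 1
        elif not hit and is_attack:
            fn += 1
    return tp, fp, fn

if __name__ == "__main__":
    for name, pattern in (("naive", NAIVE), ("tighter", TIGHTER)):
        tp, fp, fn = evaluate(pattern)
        print(f"{name:8s} tp={tp} fp={fp} fn={fn}")
```

    Decoding before matching matters: the same tautology arrives URL-encoded, and a signature applied to the raw line would miss it.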

  • Pci compliance for very small biz using mac and ipad

    I run a very SMALL business. We have one MacBook, an iPad and an iPhone. We run everything through a second party merchant card processor/software (mindbody). However, according to the PCI compliance survey I just finished, I am supposed to run quarterly internal scans for vulnerabilities. Does antivirus software do this?
    Also, what firewall settings do I need on my mac to be PCI compliant?
    I know this may be a very simple question, but the PCI survey assumes everyone has an IT department with a ton of policies and procedures. Trying to figure out how to be compliant as a super small business without all that infrastructure.

    Anti-virus software would not do PCI vulnerability scanning. You need specialized software to do that. Unfortunately, I cannot recommend specific software. My wife's small business was wrestling with PCI issues some time ago, and they're currently not doing any kind of internal scans. I don't know why not. They do get scanned externally periodically, to look for vulnerabilities in their setup that could allow people outside their network to gain access.
    PCI compliance is a scam anyway. It doesn't prevent the numerous breaches that so many high-profile companies have been facing lately, and you can bet they're dotting their i's and crossing their t's with respect to PCI compliance. They have the budget to do so.
    Your Mac should not need the firewall on. That shouldn't affect PCI compliance, if the Mac is properly configured and does not have any services open in System Preferences -> Sharing.

  • Cisco CSM - Has anyone deployed it in their environment for IDS/IPS devices

    We are an MSP and are evaluating Cisco CSM to manage about 50 IDS/IPS devices. Each of these devices has its own customer signature policy.
    Does anyone use it in their production environments? Do you find it useful?
    Regarding policy management for devices that already have a signature policy, I know you can discover the policy; what we want to do is take the current discovered policy, modify it if we need to and then re-deploy it to the device. I'm finding that this is all read only once the policy is discovered.
    Is there a way to modify the signature, for example, adding a logging parameter and then re-deploy?
    Just curious if others had similar experiences with CSM.
    Thanks!

    haxworthy,
    I currently use CSM to manage a variety of IPS devices (IOS IPS, 42xx Sensors, 65xx-series blades). The policies vary on some devices. CSM works wonderfully. CSM discovers the various policies on the device on an individual basis. Policies can then be edited on a per-sensor basis or on a group level. Has worked wonderfully in our environment. A nice upgrade from the old IPSMC. Let me know if you have any other questions.
    -Mike
    http://cs-mars.blogspot.com

  • Which IDS/IPS module for 10 GB WAN/LAN

    I have a question about a present scenario in a network where the WAN connectivity is 4 GB and the LAN network is 10 GB. The firewall for the WAN is a Cisco 5580-20 with a 10 GB Ethernet interface, and on the LAN a 6500 series switch with a 10 GB Ethernet module. The issue is how to implement IPS in this network, because the Cisco 5580 series firewall doesn't support any IPS module, and although the 6500 series switch supports the IDSM-2 module, that is only a 2 GB Ethernet module. So what can be the solution for such a network?

    On a machine that can do a 10Gb firewall rate, it is well advisable to have your IDS/IPS be a separate box. IDS/IPS "costs" a lot of CPU power. It gets more expensive when you are talking about pushing beyond 1Gb. This is why you'll find several forums stating that if you have a firewall with 10Gb speed, separate IDS/IPS is the way to go. Otherwise, a firewall with IDS/IPS will not necessarily push 10Gb all together.

  • HA for Cisco IDS/IPS 42xx appliances

    Can anyone refer me to documentation on the Cisco site that talks about high-availability options and configuration examples for Cisco IDS/IPS 42xx appliances? Thank you in advance.

    I am also interested in understanding the high availability options.
    I found the following in the IPS V5 datasheet:
    Auto and manual sensor bypass configuration: High availability can be achieved through numerous mechanisms for Cisco IPS sensors. Resiliency and redundancy can be delivered through unique network collaboration, for example, Hot Standby Router Protocol (HSRP) configuration and Cisco EtherChannel® load balancing on Cisco Catalyst switches to divert traffic to a secondary IPS device upon the failure of a primary device.
    I would like to have more info about how to divert traffic to a secondary IPS device; info about HSRP and EtherChannel load balancing as it relates to IPS. Is this HA option only available in bypass mode? Thanks.

  • PCI Compliance for the iPad

    Has anyone implemented a PCI compliant iPad application? If so, were there specific steps you used?

    There are a number of credit card processing applications in the iTunes Store, and at least a couple claim PCI compliance, if that's what you mean. Do a Power Search for apps with "credit card" and browse through the results, or search a site like appshopper.com. Once you find one, you can contact the developer and ask if they'll share tips.
    If that's not what you're referring to, please post back and elaborate.
    Regards.
    Message was edited by: Dave Sawyer

  • APPLSYSPUB and PCI Compliance

    PCI Compliance documentation requires us to change all vendor-supplied default passwords.
    Oracle says in 'Best Practices for Securing Oracle E-Business Suite' that it recommends that you NOT change the default password for APPLSYSPUB (Appendix C).
    So what is a company to do? Do we change it or not?

    If by "logs" you mean the signature events the IPS Sensor generates, then the answer is mostly yes.
    The Sensor has a circular buffer for event storage. It will keep these events until they are overwritten.
    How quickly they are overwritten is a factor of buffer size, event size, packet capture options, etc. (there was a forum thread on this very topic you can search for).
    If you are concerned about keeping event logs, you can install the free IME server and pull events from the sensor. If you are REALLY concerned about getting event logs you can stand up two IME servers (they will cost you some sensor overhead though) and keep them on your host, instead of your sensor. Each sensor can support up to 5 devices (I think) pulling events.
    - Bob

  • SAP Short Dumps and PCI Compliance

    We've run into an issue with our PCI Compliance audit around being able to see unencrypted credit cards in short dump messages in SAP. Has anyone run into this issue?
    The only workaround I've got at this point is to restrict all access to short dumps and require many documented signoffs before turning on and off access to a short dump. This is pretty cumbersome, and still leaves a hole in my overall security.
    We've managed to purge restricted CC data from our XI logging, and done everything right with encryption, but this short dump issue just doesn't seem to have a solution.
    Can anyone help? We're on 6.0.
    Thanks!

    Hi David,
    This is an interesting situation you have described. ABAP short dumps, or run-time errors as they are also known, are unhandled exceptions during program execution. The conditions that cause such exceptions are unknown or cannot be handled at run-time. To help analyze what went wrong with the said program during execution, it is necessary for the dump to contain all possible information, including data values passed between programs when the error occurs. Encryption of restricted data values is a program step in itself. If the dump were to occur after this step then of course it would contain encrypted CC info. Unfortunately in your case it exposes restricted CC info because the dump occurs BEFORE this step.
    I don't believe there is a way to prevent this from happening, for the same reason that the program logic does not know at run-time how to "handle" the exception. If occurrences of such dumps are fairly common in your system, you may want to investigate the likely causes, for example missing or incorrect customization. Analyzing the short dumps will probably give you a clue. Your customization team may be able to identify a pre-condition that causes this unhandled exception. If this exception can then be handled (via a program change) that returns a meaningful error instead of a short dump, you would be able to close the security hole. This however entails modification to SAP standard code. I don't usually recommend such changes, but given the sensitive nature of your data it may be worth consideration.
    I personally advocate restricted access to ST22. The steps you have undertaken to enforce this may be cumbersome despite efforts to keep it simple. I suppose that's the price we pay in administering the system. If you have not already done so, you may also want to ensure that short dumps that contain restricted CC info are not saved (using the "Keep" feature in ST22) for easy retrieval at a later point in time, or, if they are saved, that they be available only to 'restricted eyes'. Short dumps are normally saved in the system for 7 or 14 days (not sure of the exact # of days). The bigger challenge in my opinion is: How do you prevent the restricted info from being viewed by the user who, during the course of program/transaction execution, encounters the said short dump? No amount of security controls around ST22 will mitigate this risk. The only option that remains is program change (as mentioned above). But to get there you first need to know what causes the exception.
    Regards.
    Ashutosh
