PCI DSS, RE: Wireless Rogue Access Points

November 6, 2009

I’ve been doing some follow-up research on the PCI Data Security Standard after meeting with the folks from Aruba Networks this morning. Their multi-vendor approach to wireless management (and rogue detection) in the AirWave Management Platform sounded pretty cool, so I thought I’d dig in on what the PCI requirements and remedies actually are.

Shame on me for not knowing (or remembering?) that the language actually states “test for the presence of wireless APs by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.” (PCI DSS v1.2.1, Requirement 11.1, testing procedures 11.1.a–c)

Also of interest are requirements 12.9.3 and 12.9.5 of the PCI DSS. Both are related to incident response planning. The first specifies that a client designate specific personnel to be available 24×7 to respond to alerts (including those for detection of unauthorized wireless access points). The second’s testing procedure reads: “Verify through observation and review of processes that monitoring and responding to alerts from security systems including detection of unauthorized wireless access points are covered in the Incident Response Plan.”

The PCI Security Standards Council also publishes some supporting documents, which include a dedicated one for wireless security (the PCI DSS Wireless Guideline information supplement).

That document provided some additional clarifications that I found interesting.

Specifically, from section 2.1:

“Wireless networking is a concern for all organizations that store, process or transmit cardholder data and therefore must adhere to the PCI DSS. Even if an organization that must comply with PCI DSS does not use wireless networking at all, the organization must verify that wireless networking has not been introduced into the CDE over time. Therefore, this CDE is in scope for PCI DSS and this guide, in that the organization must verify and continue to ensure that there are no WLANs attached to the network.

This is because there are validation requirements that extend beyond the known wireless devices and require monitoring of unknown and potentially dangerous rogue devices. A rogue wireless device is an unauthorized wireless device that can allow access to the CDE.”

From Section 3 (Applicable Requirements Pertaining to Wireless for All Networks):

Wireless networks can be considered outside of PCI DSS scope if (i) no wireless is deployed or (ii) if wireless has been deployed and segmented away from the CDE. Regardless of whether wireless networks have been deployed, periodic monitoring is needed to keep unauthorized or rogue wireless devices from compromising the security of the CDE. Segmenting wireless networks out of PCI DSS scope requires a firewall between the wireless network and the CDE.

And a summary of the recommendations in section 3.2.1:

A. Use a wireless analyzer or a wireless IDS/IPS to detect unauthorized/rogue wireless devices that could be connected to the CDE at least quarterly at all locations. For large organizations having several CDE locations, a centrally managed wireless IDS/IPS to detect and contain unauthorized/rogue wireless devices is recommended.

B. Enable automatic alerts and containment mechanisms on the wireless IPS to eliminate rogues and unauthorized wireless connections into the CDE.

C. Create an “Incident Response Plan” to physically eliminate rogue devices immediately from the CDE in accordance with PCI DSS requirement 12.9.5.
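Recommendations A and B describe a process rather than a mechanism, so here is the comparison a wireless analyzer or WIDS actually performs, as an added example that is not code from this post, from the PCI SSC, or from Aruba. It takes a scan (BSSID, SSID, channel, signal), checks it against an authorized AP inventory, flags evil twins (our SSID from a radio we do not own), and then correlates unknown radios with the CDE switch’s MAC table to separate a neighbor’s AP from a rogue that is actually plugged into the CDE. The scan records, inventory and switch table are constructed, the field names are this example’s own, and the BSSID-to-Ethernet-MAC adjacency check is a vendor-dependent heuristic, labelled as such in the code.

```python
"""Rogue AP triage against an authorized inventory (added example).

The scan records, the inventory and the switch MAC table below are
constructed for illustration; the field names are this example's own
assumptions, not the format of any particular analyzer or WIDS.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    bssid: str       # radio MAC the AP beacons over the air
    ssid: str
    channel: int
    rssi_dbm: int    # signal strength at the scanning sensor


def normalize(mac: str) -> str:
    """Canonical lowercase colon form, so 00-0B-86-.. and 00:0b:86:.. compare equal."""
    return mac.strip().lower().replace("-", ":")


def mac_to_int(mac: str) -> int:
    return int(normalize(mac).replace(":", ""), 16)


# Assumed authorized inventory: BSSID -> the only SSID that radio may beacon.
AUTHORIZED = {
    "00:0b:86:11:22:30": "CORP-POS",
    "00:0b:86:11:22:31": "CORP-GUEST",
}

# Constructed scan from a hypothetical quarterly walk-through of one store.
SCAN = [
    ObservedAP("00:0b:86:11:22:30", "CORP-POS", 6, -48),
    ObservedAP("00:0b:86:11:22:31", "CORP-GUEST", 11, -52),
    ObservedAP("02:11:22:33:44:55", "CORP-POS", 6, -41),       # our SSID, not our radio
    ObservedAP("c8:3a:35:aa:bb:cc", "linksys", 1, -45),        # unknown AP, strong signal
    ObservedAP("00:0b:86:11:22:30", "CORP-POS", 6, -50),       # second beacon, same AP
    ObservedAP("f4:f5:d8:99:88:77", "Neighbor-Cafe", 3, -83),  # weak, probably next door
]

# Constructed MAC address table pulled from the CDE access switch (MAC -> port).
CDE_SWITCH_MACS = {
    "c8:3a:35:aa:bb:cd": "Gi1/0/17",
    "00:0b:86:11:22:2f": "Gi1/0/01",
}


def classify(ap: ObservedAP, authorized: dict) -> str:
    """Compare one observed AP with the inventory."""
    bssid = normalize(ap.bssid)
    if bssid in authorized:
        return "authorized" if authorized[bssid] == ap.ssid else "misconfigured"
    if ap.ssid in authorized.values():
        return "evil-twin"   # our SSID beaconed by a radio we do not own
    return "unknown"


def wired_neighbors(bssid: str, switch_macs: dict, window: int = 2) -> list:
    """Switch entries whose MAC lies within `window` of the BSSID.

    Many APs derive radio and Ethernet MACs from one base address, so a near
    match is a lead that the radio is plugged into this switch. This is a
    vendor-dependent heuristic (an assumption of this example), not proof:
    walk to the port and confirm before relying on it.
    """
    target = mac_to_int(bssid)
    return [(m, p) for m, p in switch_macs.items()
            if abs(mac_to_int(m) - target) <= window]


def triage(scan, authorized=AUTHORIZED, switch_macs=CDE_SWITCH_MACS,
           near_dbm: int = -70) -> dict:
    """Dedupe by BSSID (strongest reading wins) and give each AP a verdict.

    Returns {bssid: {"ssid", "rssi_dbm", "class", "wired", "verdict"}}.
    """
    strongest = {}
    for ap in scan:
        b = normalize(ap.bssid)
        if b not in strongest or ap.rssi_dbm > strongest[b].rssi_dbm:
            strongest[b] = ap

    findings = {}
    for b, ap in strongest.items():
        cls = classify(ap, authorized)
        wired = wired_neighbors(b, switch_macs)
        if cls != "unknown":
            verdict = cls
        elif wired:
            verdict = "rogue-on-cde"             # contain now (guideline 3.2.1 B, C)
        elif ap.rssi_dbm >= near_dbm:
            verdict = "unknown-investigate"      # strong signal: locate it physically
        else:
            verdict = "unknown-likely-neighbor"  # weak signal: log it, do not assume out of scope
        findings[b] = {"ssid": ap.ssid, "rssi_dbm": ap.rssi_dbm,
                       "class": cls, "wired": wired, "verdict": verdict}
    return findings


if __name__ == "__main__":
    for b, f in sorted(triage(SCAN).items(), key=lambda kv: kv[1]["verdict"]):
        port = f["wired"][0][1] if f["wired"] else "-"
        print(f"{f['verdict']:24} {b}  {f['ssid']:14} {f['rssi_dbm']:>4} dBm  port={port}")
```

Two points the checklist glosses over show up in the code. An over-the-air scan alone cannot tell you whether an unknown AP bridges into the CDE (the guideline’s definition of a rogue), which is why the wired-side correlation is there and why a weak, unmatched AP is logged rather than dismissed. And the evil-twin case is caught by SSID, not by channel or BSSID, because an attacker beaconing your SSID will pick whatever channel and address they like. Containment itself (deauthenticating clients, shutting the switch port) is left to the WIPS and the incident response plan.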

Let me know your thoughts.
