[In the previous post, we briefly discussed the requirements proposed for PCI-DSS 3.0. In this post, we’ll discuss the requirements in depth.]
When a customer presents a payment card to a merchant at the point of sale, a chain of operations is triggered in the background. The request-approval process happens across software applications, wireless devices, firewalls, routers, switches, storage devices, telecommunication systems, and a host of other applications. Therefore, your data’s security is directly dependent upon the security of all these devices and applications.
Although several authentication mechanisms are emerging, passwords are still the most prominent mode of authentication. In the backdrop of high-profile cyber incidents involving password breaches, password protection and security assume paramount importance in payment transactions. PCI DSS 3.0 accords top-most priority to password security.
Among the enhancements proposed in PCI-DSS 3.0, requirements 2 and 8 relate to password protection. These requirements seem to expect organizations not only to ensure the protection of passwords, keys, and digital certificates, but also to demonstrate the effectiveness of such protection measures.
Let us now analyze these new requirements in detail:
Requirement 2: Maintain an inventory of system components in scope for PCI DSS to support effective scoping practices.
Maintaining an asset inventory – hardware and software components – is essential for any organization, and it forms the foundation for IT security. The requirement only formalizes a necessity! However, the exact nature of the expectation will be clear only when PCI-DSS 3.0 is published on November 7, 2013. The phrase inventory of system components in scope for PCI DSS might essentially include maintaining an inventory of the passwords, digital certificates, private keys, SSH keys, and other forms of digital identities.
Analysis of various cyber incidents reveals that cyber criminals target not only traditional passwords, but also digital certificates and SSH keys. With a stolen code-signing certificate, attackers could sign malware so that it is trusted and executed on a target system. Similarly, with stolen SSH keys or private keys, attackers could easily access sensitive data. So, while maintaining the inventory, organizations might be expected to centrally manage passwords, keys, and certificates too. They should be able to demonstrate ‘who’ has access to ‘what’. And, to keep the inventory up to date, organizations would be required to automate the management of these passwords, keys, and certificates in a centralized repository. Manual processes for maintaining these would be cumbersome and error-prone, besides inviting security issues.
Requirement 2: Clarified that changing default passwords is required for application and service accounts as well as user accounts.
All devices, applications, and software involved in payment card transactions come with default accounts and passwords. Switches, routers, firewalls, and databases all have default accounts, such as ‘administrator,’ ‘admin,’ ‘system,’ ‘root,’ and ‘sa’. Changing the default user names and passwords is crucial because default values make your systems extremely vulnerable.
Though the requirement to change default passwords exists even in PCI DSS 2.0, what is new in 3.0 is the emphasis on handling application and service accounts.
Windows service accounts (and application accounts on UNIX machines), which system programs use to run application software services or processes, often possess higher, or even excessive, privileges compared to normal user accounts. These are indeed very powerful accounts that run critical business processes and services. Many third-party services, scheduled tasks, or processes might use the same service account, resulting in a complex web of interdependencies.
In many production networks, it is quite common to find service accounts with static credentials. Service accounts are normally forgotten after they are configured. Passwords are not changed for ages due to the sheer complexity of the service account password reset process: the new password must be updated in every associated service or process, otherwise those services will simply stop working. Unless the administrator meticulously maintains a master list of all service accounts and their dependencies/associations, changing service account passwords will prove herculean.
The flip side is that static service accounts make the enterprise a haven for attackers! Malicious programs and hacking tools can recover service account credentials and wreak havoc on the network. That is why Windows security experts are of the opinion that service accounts are one of the simplest ways to turn a compromise of one computer system into a compromise of an entire network. Therefore, proper management of Windows service account and application account credentials is one of the crucial aspects of network protection.
Based on the feedback received on static service accounts, PCI DSS 3.0 has rightly recognized the seriousness of the issue and has mandated that default/common passwords for service accounts must be changed. Here again, doing this manually is not only time-consuming and mind-boggling, but also error-prone. The best way to ensure security is to automate Windows service account and UNIX application account password management.
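The master list of service accounts and their dependencies described above can be generated rather than maintained by hand. The following PowerShell script is an added example (not code from the original post or from Password Manager Pro); it assumes it runs with local administrator rights on a Windows host that has the ScheduledTasks module, and the output file name is an assumption.

```powershell
# Added example: build an inventory of Windows service accounts and the
# services / scheduled tasks that depend on each one. Every entry grouped
# under an account must be updated together when that account's password
# is rotated. Assumes local admin rights and the ScheduledTasks module.

# Built-in identities are listed but flagged, so the report focuses on
# shared accounts whose passwords actually need rotating.
$builtIn = @('LocalSystem', 'NT AUTHORITY\SYSTEM',
             'NT AUTHORITY\LocalService', 'NT AUTHORITY\LOCAL SERVICE',
             'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE')

# Every Windows service, with the account it logs on as (StartName).
$services = @(Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    [pscustomobject]@{
        Account = $_.StartName
        Kind    = 'Service'
        Name    = $_.Name
        State   = $_.State
    }
})

# Every scheduled task that runs under a named principal.
$tasks = @(Get-ScheduledTask | Where-Object { $_.Principal.UserId } | ForEach-Object {
    [pscustomobject]@{
        Account = $_.Principal.UserId
        Kind    = 'ScheduledTask'
        Name    = "$($_.TaskPath)$($_.TaskName)"
        State   = $_.State
    }
})

# Group by account so each credential's dependencies appear in one place.
$inventory = ($services + $tasks) |
    Where-Object { $_.Account } |
    Group-Object -Property Account |
    ForEach-Object {
        [pscustomobject]@{
            Account      = $_.Name
            BuiltIn      = ($builtIn -contains $_.Name)
            Dependencies = $_.Count
            Members      = ($_.Group | ForEach-Object { "$($_.Kind):$($_.Name)" }) -join '; '
        }
    } |
    Sort-Object -Property @{Expression = 'BuiltIn'}, @{Expression = 'Dependencies'; Descending = $true}

# Shared (non-built-in) accounts with the most dependencies come first;
# the CSV is the artifact to keep as the inventory (assumed file name).
$inventory | Format-Table -AutoSize -Wrap
$inventory | Export-Csv -Path .\service-account-inventory.csv -NoTypeInformation
```

Run it on each in-scope host and merge the CSV files to see which accounts are shared across machines, since those are the ones where a single password change fans out furthest.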
Requirement 8: Provided increased flexibility in password strength and complexity to allow for variations that are equivalent. Revised password policies to include guidance for users on choosing strong passwords, protecting their credentials, and changing passwords upon suspicion of compromise.
PCI-DSS 3.0 seems to be moving towards mandating the use of ‘passphrases’ instead of passwords. Passphrases are a combination of words and symbols that are easier to remember than a lengthy password. While users can remember even long passphrases easily, attackers might find it difficult to guess or crack passphrases.
The new requirement also intends to provide guidance on ways to protect credentials (including passwords, keys, and digital certificates), probably through a centralized password management system and a policy on frequent rotation and strength of passwords.
Password Protection Paramount in PCI-DSS 3.0; Automated Solution Need of the Hour
From the foregoing, it is clear that PCI DSS 3.0 views password protection and security quite seriously. Organizations will need to follow an automated approach to control, monitor, and manage privileged passwords, keys, and digital certificates because manual processes can be cumbersome, time-consuming, and error-prone.
ManageEngine Password Manager Pro offers an automated approach. A secure vault for storing and managing shared sensitive information such as passwords, documents, keys, certificates, and other digital identities of enterprises, it delivers both privileged access management and privileged session management in a single unified solution. It helps enterprises consolidate and control all privileged accounts, ending convoluted manual password management practices.
P.S: Let us discuss the other enhancements proposed for PCI-DSS 3.0 in the next post. Stay tuned!