Requirement 2.2 has often been deliberated by customers undergoing PCI-DSS. To recap, the requirement states:
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
Requirement 2.2
Sources of industry-accepted system hardening standards may include, but are not limited to:
• Center for Internet Security (CIS)
• International Organization for Standardization (ISO)
• SysAdmin Audit Network Security (SANS) Institute
• National Institute of Standards Technology (NIST).
So often, customers go ahead and download the CIS hardening documents at https://www.cisecurity.org/cis-benchmarks/, copy them lock, stock and barrel into their policies and send them in. This may be all well and good, but now you have a tome of around 1,200 pages with guidelines like a 14-character alphanumeric password, as opposed to what PCI requires (7 alphanumeric). This is where our customers get stuck, and some even send in a 1,000-page hardening document for us to review, only for us to find that they have not implemented even 1% of what is noted in their hardening document.
After that, the hardening documents get re-jigged until they meet a reasonable, practical standard that is implementable, usually in the form of a checklist. For a very quick hardening checklist, this is the initial one we often end up using, just to get our clients up to baseline speed, whether it’s PCI or not:
Hardening Item | Servers | Network Devices | Databases |
Assign individual server for each critical role (App, Web, DB, AD, AV, Patching etc) | Y | NA | Y |
Disable/Rename/Remove default user accounts | Y | Y | Y |
Assign role based access to users | Y | Y | Y |
Disable insecure or unnecessary services | Y | Y | NA |
Use Secure Versions of Remote Access Services (SSH, RDP over SSL) | Y | Y | Y |
Install well known Anti Virus with latest signatures | Y | NA | NA |
Install latest OS / Firmware / Software security patches | Y | Y | Y |
Disable inactive users automatically after 90 days | Y | Y | Y |
Ensure following password policies – 1. Use complex password with 7 characters or more 2. Remember minimum last 4 passwords 3. Require password change within 90 days 4. Require password change upon password reset and first logon | Y | Y | Y |
Ensure following account policies – 1. Account lockout threshold – Max 6 attempts 2. Account lockout duration – 30 mins or until admin unlocks 3. Idle Session Timeout – 15 Mins or less | Y | Y | Y |
Ensure passwords are stored securely with encryption | Y | Y | Y |
Enable Audit logging to Capture at minimum following events – 1. Successful Login 2. Failed Login 3. Administrative Actions 4. User Creation 5. User Deletion 6. User Updates 7. Escalation of Privileges 8. Access to Audit Trails 9. Initialization or stopping auditing | Y | Y | Y |
Configure NTP and time synchronization | Y | Y | Y |
Implement File Integrity Monitoring | Y | Y | Y |
Now obviously this doesn’t cover all the requirements of PCI (testing, scans, retention etc) but this should give us a fair idea of how ready our systems are for an audit or assessment.
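The password and account policy rows of the checklist can be checked automatically rather than by eye. The following is an added example, not part of the original checklist or of any PCI tooling: it assumes a Linux server where those rows map to the settings `minlen`, `remember`, `PASS_MAX_DAYS`, `deny`, `unlock_time` and `TMOUT`, and it runs against a constructed sample of config excerpts.

```python
import re

# Thresholds come from the checklist rows above. Mapping them to these
# Linux/PAM setting names is an assumption of this example.
CHECKS = {
    "minlen": ("Password of 7 characters or more", lambda v: v >= 7),
    "remember": ("Remember minimum last 4 passwords", lambda v: v >= 4),
    "PASS_MAX_DAYS": ("Password change within 90 days", lambda v: 1 <= v <= 90),
    "deny": ("Lockout threshold max 6 attempts", lambda v: 1 <= v <= 6),
    # Seconds; 0 keeps the account locked until an admin resets it.
    "unlock_time": ("Lockout 30 mins or until admin unlocks",
                    lambda v: v == 0 or v >= 1800),
    # Seconds; 0 disables the shell idle timeout, so it fails.
    "TMOUT": ("Idle session timeout 15 mins or less", lambda v: 1 <= v <= 900),
}

LINE = re.compile(r"(?:(?:export|readonly)\s+)?(\w+)(?:\s*=\s*|\s+)(-?\d+)$")

def parse_settings(text):
    """Collect numeric 'key value' / 'key = value' settings, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        match = LINE.match(raw.split("#", 1)[0].strip())
        if match:
            settings[match.group(1)] = int(match.group(2))
    return settings

def audit(text):
    """Return {checklist item: (observed value or None, passed)}."""
    settings = parse_settings(text)
    return {item: (settings.get(key), key in settings and ok(settings[key]))
            for key, (item, ok) in CHECKS.items()}

# Constructed sample: excerpts of five config files from one hypothetical host.
SAMPLE = """\
# /etc/security/pwquality.conf
minlen = 14
# /etc/security/pwhistory.conf
remember = 2
# /etc/login.defs
PASS_MAX_DAYS   99999
# /etc/security/faillock.conf
deny = 5
unlock_time = 600
# /etc/profile.d/timeout.sh
readonly TMOUT=900
"""

if __name__ == "__main__":
    for item, (value, passed) in audit(SAMPLE).items():
        print(f"{'PASS' if passed else 'FAIL'}  {item}: {value}")
```

A setting that is absent is reported as a failure with value `None`, since the checklist asks for the policy to be set rather than left to a distribution default.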
If you have any queries on PCI or ISMS or any other security related standard, drop us a message at avantedge@pkfmalaysia.com.