There are many commercially available information security tools on the market, many of which can help with PCI compliance. At a minimum, PCI-DSS requires:
This document attempts to clearly define which systems are most applicable to each specific requirement of PCI. For more information on specific products that may be used to address each requirement, please visit nitrosecurity.com/regulatory-compliance/standards/pci/
| Requirement | Solution | Related Product |
|---|---|---|
| 1.1.2 — A current network diagram with all connections to cardholder data, including any wireless networks | NitroView ESM can actively discover all network devices and build a full network topology map. Discovery results can be filtered and sorted by type, including by assets containing cardholder data and subject to PCI. | NitroView ESM |
| 1.1.3 — Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone | NitroGuard IPS includes an integrated stateful inspection firewall capable of filtering traffic at the protocol, IP and port level, either in direct response to inspected traffic (as a firewall) or in response to higher-level policy violations detected by NitroView using deep application inspection, database activity monitoring, or system-wide event correlation. | NitroGuard IPS |
| 1.1.4 — Description of groups, roles, and responsibilities for logical management of network components | NitroView monitors for changes in network components and integrates with Authentication and Identity Management systems, including Active Directory, to apply user, group and role context to changes, as well as to all other managed security events and logs. | NitroView ESM |
| 1.1.5 — Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure | NitroView ESM provides visibility into which protocols and applications are being used by which users, and what they are being used for. NitroView ESM supports compliance by providing reports showing the actual services, protocols and ports in use. Network security staff can then use these reports to validate that all running ports, protocols, and services have a documented business need. NitroGuard IPS monitors network traffic to determine, at various points in a network, which protocols and ports are being used by which users. This information is provided to NitroView ESM for analysis and reporting so that they may be validated against documented business needs. NitroView ADM inspects application data to determine how specific services, applications, and protocols are being used, identify policy violations, and identify rogue services and protocols. This information is provided to NitroView ESM for analysis and reporting so that they may be validated against documented business needs. NitroView DBM monitors database activity to determine how databases containing sensitive information are being accessed, by what ports and protocols, and can detect rogue databases and/or sensitive data contained in unknown or unauthorized databases. This information is provided to NitroView ESM for analysis and reporting so that they may be validated against documented business needs. NitroView Receiver collects log files from relevant network devices including servers, applications, databases, firewalls, and other devices, so that all services, protocols, and ports in use are identified. This information is provided to NitroView ESM for analysis and reporting so that they may be validated against documented business needs. | NitroView ESM, NitroView DBM, NitroGuard IPS |
| 1.1.6 — Requirement to review firewall and router rule sets at least every six months | NitroView ESM is able to collect router configurations and rule sets for review, and to identify when changes to router rule sets have been made. NitroGuard IPS's firewall and intrusion prevention rule sets are managed directly by NitroView ESM, simplifying the review of rule sets and the development of relevant reports. NitroView Receiver is able to collect various third-party router and firewall logs to provide additional visibility into the rule sets used by third-party devices, simplifying the review of rule sets and the development of relevant reports. Validation of firewall and router rules requires analysis of logs to determine that the ports, protocols, IP addresses, and services that are the subject of rules in these devices are in fact being blocked and filtered as expected. NitroView ESM and ELM simplify the development of these reports, and make analysis of rules simpler. | NitroView ESM, NitroView ELM, NitroGuard IPS |
| 1.2 — Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment. | NitroView ESM and NitroGuard IPS add significant security capability to these connections by isolating security events occurring in this sensitive part of the network, and allowing the security manager to use prebuilt rules or create custom ones that can block attacks that make it past the firewall. | NitroGuard IPS, NitroView ESM |
| 1.2.1 — Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment. | NitroGuard IPS restricts inbound and outbound traffic to the cardholder data environment, functioning as a stateful firewall. In addition, NitroGuard IPS can identify and block attacks, functioning as a network intrusion prevention system (IPS). | NitroGuard IPS |
| 1.2.2 — Secure and synchronize router configuration files. | NitroView ESM provides configuration change management for router configuration files, identifying when configuration changes are made, whether those changes adhere to approved configurations, and identifying differences between configuration files. | NitroView ESM |
| 1.2.3 — Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. | NitroGuard IPS and NitroView ADM allow application use from wireless networks to be monitored, and unwanted protocols and traffic to be blocked. They also provide the network visibility that is required to validate that firewall rules for these wireless network segments are functioning properly, as specified in the test procedures for 1.2.3. | NitroGuard IPS, NitroView ADM |
| 1.3 — Prohibit direct public access between the Internet and any system component in the cardholder data environment | NitroGuard IPS allows ports, protocols, and attacks to be monitored and blocked. This can include creating specific rules that block all communication and access between the Internet and the cardholder data environment. | NitroGuard IPS |
| 1.3.1 — Implement a DMZ to limit inbound and outbound traffic to only protocols that are necessary for the cardholder data environment | When installed in the DMZ, NitroGuard IPS and NitroView ADM allow ports, protocols, and attacks to be monitored and blocked. This can include creating specific rules that block all protocols except those necessary for the cardholder data environment. | NitroGuard IPS |
| 1.3.2 — Limit inbound Internet traffic to IP addresses within the DMZ | NitroGuard IPS's internal firewall may be used to limit inbound traffic to IP addresses within the DMZ. In addition, NitroView ESM can detect and alert on inbound and outbound DMZ traffic, identifying unauthorized access attempts from IP addresses outside of the DMZ. This information can then be used by NitroGuard IPS to block the unauthorized access. NitroView ESM can also validate that firewall rules implemented to support 1.3.2 are functioning correctly. | NitroGuard IPS, NitroView ESM |
| 1.3.3 — Do not allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment | NitroView ESM can validate that network device rules in firewalls and routers that support 1.3.3 are functioning correctly. In addition, NitroView ESM's network discovery and topology features will identify all active network routes to ensure there are no available backdoors into the cardholder data environment. | NitroView ESM |
| 1.3.4 — Do not allow internal addresses to pass from the Internet into the DMZ | NitroGuard IPS's internal firewall may be used to allow or disallow internal addresses to pass from the Internet into the DMZ. | NitroGuard IPS |
| 1.3.5 — Restrict outbound traffic from the cardholder data environment to the Internet such that outbound traffic can only access IP addresses within the DMZ | NitroGuard IPS's internal firewall may be used to limit outbound traffic to IP addresses within the DMZ. | NitroGuard IPS |
| 1.3.6 — Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.) | NitroGuard IPS performs stateful packet inspection, and can apply prebuilt or customer-developed rules to network traffic to identify potential attacks. The product can also establish baseline behavior and detect anomalous behavior, to identify potential attacks for which no rules are yet available. | NitroGuard IPS |
| 1.3.7 — Place the database in an internal network zone, segregated from the DMZ | NitroGuard IPS can be used to create a highly protected network zone for the database. NitroGuard IPS performs stateful packet inspection, and can apply prebuilt or customer-developed rules to network traffic to identify potential attacks. The product can also establish baseline behavior and detect anomalous behavior, to identify potential attacks for which no rules are yet available. In addition, NitroView DBM can be deployed in front of the database, where it can monitor all database access, identify potential attacks, and provide a complete audit trail of all access. | NitroGuard IPS, NitroView DBM |
| 1.3.8 — Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, using RFC 1918 address space. Use network address translation (NAT) technologies, for example port address translation (PAT). | NitroGuard IPS can be used on appropriate network segments to identify internal addresses that are being used outside of their intended network segments. Simple rules can be created in the product that will trigger alerts, or blocking behavior by the NitroGuard IPS appliances. NitroView ESM can similarly detect internal addresses that are being used outside of their intended network segments through log analysis. | NitroGuard IPS, NitroView ESM |
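
The Requirement 1 rows above repeatedly say that firewall and router rules must be validated from logs (1.1.6), that nothing from an untrusted network may be accepted into the cardholder data environment (1.2.1, 1.3), that CDE hosts may only reach the DMZ (1.3.5), and that internal addresses must not leak onto the Internet side (1.3.8). The following script is an added example of that validation and is not NitroSecurity code; the log line layout, the CDE and DMZ subnets and the interface name `wan0` are constructed assumptions that you would replace with your own zone definitions.

```python
"""Added example (not NitroSecurity's code): check firewall logs against the
Requirement 1 expectations described above.

It flags three conditions:
  * 1.2.1/1.3 - a connection from outside the DMZ was ACCEPTED into the CDE
  * 1.3.5     - a CDE host reached an address outside the DMZ
  * 1.3.8     - an RFC 1918 source address appeared on the Internet-facing interface
The log format, zone subnets and interface name are constructed assumptions.
"""
import ipaddress
import re

# Assumed zone layout; replace with the real CDE and DMZ ranges.
CDE = [ipaddress.ip_network("10.10.0.0/16")]
DMZ = [ipaddress.ip_network("192.168.100.0/24")]
EXTERNAL_IFACE = "wan0"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed (constructed) log line layout:
# <timestamp> <iface> <ACCEPT|DENY> proto=<proto> src=<ip>:<port> dst=<ip>:<port>
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+) (?P<action>ACCEPT|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def in_any(ip, nets):
    return any(ip in net for net in nets)

def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    return rec

def findings(lines):
    """Return (requirement, description) pairs for every violation seen in the log."""
    out = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, dst, accepted = rec["src"], rec["dst"], rec["action"] == "ACCEPT"
        trusted_src = in_any(src, DMZ) or in_any(src, CDE)
        # 1.2.1 / 1.3: only DMZ (or CDE-internal) sources may be accepted into the CDE
        if accepted and in_any(dst, CDE) and not trusted_src:
            out.append(("1.3", f"accepted into CDE from untrusted {src} -> {dst}:{rec['dport']}"))
        # 1.3.5: outbound traffic from the CDE may only reach the DMZ
        if accepted and in_any(src, CDE) and not (in_any(dst, DMZ) or in_any(dst, CDE)):
            out.append(("1.3.5", f"CDE host {src} reached non-DMZ address {dst}:{rec['dport']}"))
        # 1.3.8: private addresses on the external interface mean NAT masquerading is not working
        if rec["iface"] == EXTERNAL_IFACE and in_any(src, RFC1918):
            out.append(("1.3.8", f"RFC 1918 source {src} seen on {EXTERNAL_IFACE}"))
    return out

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2024-03-01T10:00:00 wan0 ACCEPT proto=tcp src=203.0.113.5:51000 dst=192.168.100.10:443",
    "2024-03-01T10:00:01 wan0 ACCEPT proto=tcp src=203.0.113.5:51001 dst=10.10.1.20:1433",
    "2024-03-01T10:00:02 wan0 DENY proto=tcp src=203.0.113.7:51002 dst=10.10.1.20:1433",
    "2024-03-01T10:00:03 lan0 ACCEPT proto=tcp src=10.10.1.20:40000 dst=198.51.100.9:443",
    "2024-03-01T10:00:04 wan0 ACCEPT proto=tcp src=10.0.0.5:40001 dst=198.51.100.9:80",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    for req, msg in findings(SAMPLE_LOG):
        print(req, msg)
```

Only accepted connections are judged against the zone policy; denied records confirm that a rule fired, and a six-monthly review would normally also want to see that each deny rule produced at least some hits. Malformed lines are skipped rather than silently treated as compliant, so a count of skipped lines is worth reporting alongside the findings.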
| Requirement | Solution | Related Product |
|---|---|---|
| 2.1 — Always change vendor-supplied defaults before installing a system on the network, for example passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts | NitroView ESM and ELM can detect and alert on detected use of default passwords or known default accounts, including anonymous or guest account usage activity. NitroView DBM and NitroView ADM can likewise detect and alert on use of default passwords or known default accounts, including anonymous or guest account usage activity. Detected password policy violations are logged and used by NitroView ESM and ELM for threat detection and for report generation. | NitroView ESM, NitroView ELM, NitroView DBM, NitroView ADM |
| 2.1.1 — For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission. | Simple rules can be created and implemented in NitroGuard IPS to detect unencrypted traffic in wireless LAN network segments. NitroView ESM integrates with third-party solutions that provide in-depth reporting of wireless access points (including rogue access points). | NitroView ESM, NitroGuard IPS |
| 2.2 — Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security Network (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS). | NitroView ESM provides real-time asset, threat, and vulnerability reporting, which is highly useful in the development of configuration standards for all IT devices. | NitroView ESM |
| 2.2.1 — Implement only one primary function per server | NitroView DBM and ADM provide full visibility into application access to ensure that the "Implement only one primary function per server" PCI requirement can be enforced. NitroView DBM, when deployed in front of specific database servers, can ensure that each database server is limited to a single function. NitroView ESM correlates network device information, flows, and application logs together to simplify detection of instances where more than one primary function is being provided by a single server. | NitroView ESM, NitroView DBM, NitroView ADM |
| 2.2.2 — Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device's specified function) | NitroGuard IPS augments efforts to disable unnecessary services and protocols on various network devices. When deployed on appropriate network segments, NitroGuard IPS will alert on the protocols and services for which rules are deployed. Similarly, NitroView ESM can identify all services and protocols in actual use across the network, allowing for easy reporting, and facilitating tests of which services are allowed on various devices. | NitroGuard IPS, NitroView ESM |
| 2.2.3 — Configure system security parameters to prevent misuse | NitroGuard IPS can augment efforts to deploy proper configurations across the IT infrastructure. For example, server configurations that disallow FTP access can be easily supplemented with IP rules that examine network traffic for FTP access to various IP addresses, and either alert upon this type of traffic, or block it. | NitroGuard IPS |
| 2.2.4 — Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. | NitroView DBM, NitroView ADM, and NitroGuard IPS can monitor and detect on-system behaviors including driver use and file system access, on-network services and protocols (including, for example, HTTP services, HTTPS access, P2P protocols and access), and network file system access. By identifying which services, protocols, and access are present, network security managers can then determine which are unnecessary and need to be removed, and from which IT assets. | NitroView DBM, NitroView ADM, NitroGuard IPS |
| 2.3 — Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access. | While the Nitro products do not perform encryption for administrative access themselves, they are highly useful in detecting unencrypted administrative access. NitroGuard IPS and NitroView ESM can detect the presence of unencrypted console access (for example Telnet). Both products can provide alerts and audit events for these types of access, and they satisfy part of the test procedure for this requirement. In addition, NitroGuard IPS can block these access attempts at the network level, if deployed on an appropriate network segment. | NitroGuard IPS, NitroView ESM |
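
Two of the Requirement 2 detections above (default or guest account use in 2.1, and cleartext administrative protocols such as Telnet in 2.3) are simple enough to show end to end. The script below is an added example, not NitroSecurity code; the flow and authentication record formats, the managed-device list, the cleartext port table and the default-account list are constructed assumptions.

```python
"""Added example (not NitroSecurity's code): two detections from the
Requirement 2 rows, run over constructed flow and authentication records.

  * 2.3 - administrative sessions to managed devices over cleartext protocols
  * 2.1 - logins that use vendor default, guest or anonymous accounts
Record formats, port list, host list and account names are assumptions.
"""
import re
from collections import Counter

# Assumption: management ports whose protocols carry credentials in the clear.
CLEARTEXT_ADMIN_PORTS = {23: "telnet", 21: "ftp", 80: "http"}
# Assumption: accounts that must not be in use once vendor defaults are changed.
DEFAULT_ACCOUNTS = {"admin", "root", "guest", "anonymous", "sa", "cisco"}
# Assumption: inventory of devices whose management plane is in scope.
MANAGED_DEVICES = {"10.10.0.1", "10.10.0.2"}

FLOW = re.compile(r"flow src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")
AUTH = re.compile(r"auth host=(?P<host>[\d.]+) user=(?P<user>\S+) result=(?P<result>success|failure)")

def cleartext_admin_sessions(lines):
    """(src, device, protocol) for each flow to a managed device on a cleartext admin port."""
    hits = []
    for line in lines:
        m = FLOW.search(line)
        if not m:
            continue
        dport = int(m["dport"])
        if m["dst"] in MANAGED_DEVICES and dport in CLEARTEXT_ADMIN_PORTS:
            hits.append((m["src"], m["dst"], CLEARTEXT_ADMIN_PORTS[dport]))
    return hits

def default_account_use(lines):
    """Count (device, account, result) for authentication events that use a default account."""
    counts = Counter()
    for line in lines:
        m = AUTH.search(line)
        if m and m["user"].lower() in DEFAULT_ACCOUNTS:
            counts[(m["host"], m["user"].lower(), m["result"])] += 1
    return counts

# Constructed sample records (not real traffic or logins).
SAMPLE = [
    "flow src=10.20.0.5 dst=10.10.0.1 dport=23",
    "flow src=10.20.0.5 dst=10.10.0.1 dport=22",
    "flow src=10.20.0.6 dst=10.10.0.2 dport=80",
    "flow src=10.20.0.6 dst=10.10.5.5 dport=23",
    "auth host=10.10.0.1 user=admin result=success",
    "auth host=10.10.0.1 user=jsmith result=success",
    "auth host=10.10.0.2 user=Guest result=failure",
    "auth host=10.10.0.2 user=anonymous result=success",
]

if __name__ == "__main__":
    for hit in cleartext_admin_sessions(SAMPLE):
        print("2.3 cleartext admin session:", hit)
    for key, n in default_account_use(SAMPLE).items():
        print("2.1 default account use:", key, n)
```

A port number is only a proxy for the protocol: SNMPv3 and SNMPv1/v2c share UDP 161, and HTTP on a management port may be a redirect to HTTPS, so a port-based hit is a lead for inspection rather than proof of cleartext credentials. Failed logins to a default account are kept in the count deliberately, since attempts against an account that should no longer exist are themselves worth an alert.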
| Requirement | Solution | Related Product |
|---|---|---|
| 3.1 — Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy. | NitroView ESM provides network-wide visibility into where cardholder data is, and who is accessing it. NitroView DBM and ADM can discover applications and users accessing credit card data. This added visibility is useful for identifying which parts of the business process credit card data. NitroView DBM can help organizations to identify and protect cardholder data stored in databases. NitroView ADM and NitroGuard IPS can further identify network traffic and flows within the network containing cardholder data, allowing organizations to identify and secure other IT systems housing and transmitting cardholder data. The Nitro products help organizations determine if requirement 3.1 is being violated, by whom, and from what IT resources. They also help the organization to verify 3.1 compliance across the organization, as required in the test procedures. | NitroView ESM, NitroView ELM, NitroView ADM, NitroGuard IPS |
| 3.2 — Do not store sensitive authentication data after authorization (even if encrypted). Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3: | NitroView ESM automatically locates and classifies sensitive data, and can trigger an event if specific patterns are seen within a given log file (for example, card numbers, PAN, masked PANs, etc.). NitroView DBM can identify sensitive data in databases, including information on how the data is stored, and how it is used in relationship to other activities such as authorization. | NitroView DBM, NitroView ESM |
| 3.2.1 — Do not store the full contents of any track from the magnetic stripe (located on the back of a card, contained in a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained: To minimize risk, store only these data elements as needed for business. | Track data can be identified/detected by the NitroSecurity product range in several ways: Use of any of these products allows the organization to accomplish the testing procedures for 3.2.1, and to identify violations of this requirement so as to remediate. | NitroView ESM, NitroView ELM, NitroView ADM, NitroGuard IPS |
| 3.2.2 — Do not store the card-verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions | Card verification codes can be identified/detected in several ways, by matching 3- or 4-digit patterns which are seen within the context of a card transaction: Use of any of these products allows the organization to accomplish the testing procedures for 3.2.2, and to identify violations of this requirement so as to remediate. | NitroView ESM, NitroView ELM, NitroView ADM, NitroGuard IPS |
| 3.2.3 — Do not store the personal identification number (PIN) or the encrypted PIN block. | PINs can be identified/detected in several ways, by matching 4-or-more-digit PIN patterns which are seen within the context of a card transaction: Use of any of these products allows the organization to accomplish the testing procedures for 3.2.3, and to identify violations of this requirement so as to remediate. | NitroView ESM, NitroView ELM, NitroView ADM, NitroGuard IPS |
| 3.3 — Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). | The Nitro products can detect unmasked PAN in several ways: Use of any of these products allows the organization to accomplish the testing procedures for 3.3, and to identify and alert upon violations of this requirement so as to remediate. | NitroView ESM, NitroView ELM, NitroView ADM, NitroGuard IPS |
| 3.4 — Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs). | The Nitro products can detect unmasked or cleartext PAN in transit in several ways: Use of any of these products allows the organization to accomplish the testing procedures for 3.4, and to identify and alert upon violations of this requirement so as to remediate. | NitroView ESM, NitroView ELM, NitroView ADM, NitroGuard IPS |
| 3.4.1 — If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts. | Use of the NitroView ESM and DBM products can help ensure that key management is done securely through: | NitroView DBM, NitroView ESM |
| Requirement | Solution | Related Product |
|---|---|---|
| 4.1 — Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. | The Nitro products can detect unencrypted cardholder data transmitted through the corporate network or over the internet through several means: automatically through content filtering using NitroView ADM; automatically through log filtering using NitroView ELM; and manually through log searches and event filters using NitroView ESM. Use of any of these products allows the organization to accomplish the testing procedures for 4.1, and to identify and alert upon violations of this requirement so as to remediate. | NitroView ESM, NitroView ELM, NitroView ADM, NitroGuard IPS |
| 4.1.1 — Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission | The Nitro products can detect unencrypted cardholder data transmitted through the corporate network or over the internet through several means: automatically through content filtering using NitroView ADM; automatically through custom rules implemented in NitroGuard IPS; automatically through log filtering using NitroView ELM; and manually through log searches and event filters using NitroView ESM. Use of any of these products allows the organization to accomplish the testing procedures for 4.1.1, and to identify and alert upon violations of this requirement so as to remediate. | NitroView ESM, NitroView ELM, NitroView ADM, NitroGuard IPS |
| 4.2 — Never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat). | The Nitro products can detect unencrypted cardholder data transmitted using end-user messaging technologies (through the corporate network or over the internet) through several means: automatically through content filtering using NitroView ADM; automatically through custom rules implemented in NitroGuard IPS; automatically through log filtering using NitroView ELM; and manually through log searches and event filters using NitroView ESM. Use of any of these products allows the organization to accomplish the testing procedures for 4.2.a, and to identify and alert upon violations of this requirement so as to remediate. | NitroView ESM, NitroView ELM, NitroView ADM, NitroGuard IPS |
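
The Requirement 3 rows (track data in 3.2.1, card verification codes in 3.2.2, unmasked PAN in 3.3 and 3.4) and the Requirement 4 rows (cleartext PAN in transit or in messaging) all rest on the same mechanism: pattern matching for cardholder data in log lines or captured payloads, with a Luhn check to separate real PANs from other long digit runs. The script below is an added example of that detector serving both sections; it is not NitroSecurity code, and the sample log lines are constructed using the well-known test card numbers.

```python
"""Added example (not NitroSecurity's code): pattern-based detection of
cardholder data in log lines or captured cleartext payloads, covering the
checks the Requirement 3 and 4 rows describe:

  * 3.2.1 - magnetic-stripe track 1 / track 2 layouts
  * 3.2.2 - card verification codes labelled as such next to a transaction
  * 3.3/3.4/4.x - unmasked PAN (13-19 digits, Luhn-valid); a PAN masked to
    first six + last four passes because the digit run is broken
Sample lines are constructed and use the industry test card numbers.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not inside a longer digit run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2: ;PAN=YYMMSSS...?   Track 1: %BPAN^NAME^YYMM...
TRACK2 = re.compile(r";\d{13,19}=\d{4}\d*\?")
TRACK1 = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
# A 3-4 digit value labelled as a card verification code
CVV_LABELLED = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\s*[=:]\s*\d{3,4}\b", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most non-card digit runs (IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str):
    """Return the Luhn-valid PANs found in text, with separators removed."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans

def scan_line(line: str):
    """List the requirement(s) a single log line or payload violates."""
    found = []
    if TRACK1.search(line) or TRACK2.search(line):
        found.append("3.2.1 track data")
    if CVV_LABELLED.search(line):
        found.append("3.2.2 card verification code")
    if find_pans(line):
        found.append("3.3/3.4 unmasked PAN")
    return found

def scan_log(lines):
    """Map 1-based line number -> violations for every line that has at least one."""
    return {i: v for i, line in enumerate(lines, 1) if (v := scan_line(line))}

# Constructed sample log lines; the card numbers are standard test numbers.
SAMPLE_LOG = [
    "2024-03-01T10:00:00 app[123]: order ok pan=4111111111111111 amount=10.00",
    "2024-03-01T10:00:01 app[123]: order ok pan=411111xxxxxx1111 amount=10.00",
    "2024-03-01T10:00:02 pos[7]: swipe ;4111111111111111=25121010000000000000?",
    "2024-03-01T10:00:03 app[123]: cvv2=123 pan=5555 5555 5555 4444",
    "2024-03-01T10:00:04 app[123]: request id=1234567890123 took 15ms",
]

if __name__ == "__main__":
    for lineno, violations in scan_log(SAMPLE_LOG).items():
        print(lineno, violations)
```

The Luhn check is what keeps the last sample line (a 13-digit request id) out of the results, but it only removes about nine in ten random digit runs, so a hit still deserves a look at its context before an incident is raised. A track line is reported under 3.2.1 and under the PAN check, since the track contains the PAN; the masked PAN on the second line is not reported because the `x` characters break the contiguous digit run.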
| Requirement | Solution | Related Product |
|---|---|---|
| 5.1 — Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers) | While the Nitro solutions are not A/V products, they can be of great assistance in determining where across an enterprise IT network the organization is in compliance with 5.1, and where additional remediation is required. NitroView ESM can determine system profiles via active fingerprinting, integration of external vulnerability assessment (VA) scanning, and the ability to analyze event logs from enterprise anti-virus systems. With this level of visibility into logs, NitroView ESM can determine which endpoints have failed A/V scans. Integration with vulnerability assessment systems also provides detail on patching information, which can be correlated along with asset detail for a full picture of A/V capability as it relates to compliance with 5.1. | NitroView ESM |
| 5.1.1 — Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software. | The Nitro solutions can be of great assistance in determining where across an enterprise IT network the organization is in compliance with 5.1.1, and where additional remediation is required. NitroView ESM can determine system profiles via active fingerprinting, integration of external vulnerability assessment (VA) scanning, and the ability to analyze event logs from enterprise anti-virus systems. With this level of visibility into logs, NitroView ESM can determine which endpoints are not effectively detecting malware. In addition, NitroView ESM supports bi-directional feeds with popular A/V and endpoint security systems providing application whitelisting, which is another means of positively identifying all authorized applications, and blocking all other applications, including malware. ESM delivers reporting for malware identified, and audit reports on application whitelist actions. | NitroView ESM |
| 5.2 — Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs. | NitroView ESM identifies error conditions and significant events from A/V products, and then alerts as appropriate. These can include alerting upon signature updates, signature update failures, malware detected, and other error conditions. This functionality eases the burden of the test procedures identified in 5.2, as this information and the resulting reports can be automatically collected and reports developed for the entire enterprise. | NitroView ESM |
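
The 5.1.1 and 5.2 rows describe deriving each endpoint's anti-virus state from the A/V product's own event logs: whether signatures are current, whether updates or scans failed, whether malware was found, and, by reconciling against the asset inventory, which endpoints never report at all. The script below is an added example of that per-endpoint roll-up; it is not NitroSecurity code, and the event format, the host inventory, the seven-day signature-age threshold and the sample events are constructed assumptions.

```python
"""Added example (not NitroSecurity's code): per-endpoint anti-virus health
from constructed A/V agent events, the kind of check the 5.1.1 and 5.2 rows
describe (current signatures, agent actively reporting, failed updates and
scans, malware detections). Event format, inventory and threshold are assumptions.
"""
import re
from datetime import datetime, timedelta

# Assumed event layout: <iso-timestamp> host=<name> event=<type> [sig=<YYYYMMDD>]
EVENT = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?: sig=(?P<sig>\d{8}))?$")
MAX_SIG_AGE = timedelta(days=7)            # assumption: local policy for "current"
PROBLEM_EVENTS = {"signature_update_failed", "scan_failed", "realtime_disabled", "malware_detected"}

def av_status(lines, inventory, now):
    """Return {host: {"last_seen", "sig_date", "issues"}} for every inventoried host."""
    status = {h: {"last_seen": None, "sig_date": None, "issues": []} for h in inventory}
    for line in lines:
        m = EVENT.match(line)
        if not m or m["host"] not in status:      # unknown hosts belong in asset reconciliation, not here
            continue
        st = status[m["host"]]
        ts = datetime.fromisoformat(m["ts"])
        if st["last_seen"] is None or ts > st["last_seen"]:
            st["last_seen"] = ts
        if m["event"] == "signature_updated" and m["sig"]:
            st["sig_date"] = datetime.strptime(m["sig"], "%Y%m%d")
        elif m["event"] in PROBLEM_EVENTS:
            st["issues"].append(m["event"])
    for st in status.values():
        if st["last_seen"] is None:
            st["issues"].append("no_av_events")       # 5.2: agent not actively running, or not logging
        elif st["sig_date"] is None or now - st["sig_date"] > MAX_SIG_AGE:
            st["issues"].append("signatures_stale")   # 5.2: signatures not current
    return status

def needs_attention(status):
    """Hosts with at least one issue, sorted for reporting."""
    return sorted(h for h, st in status.items() if st["issues"])

# Constructed inventory, reference time and A/V events (not real hosts).
INVENTORY = ["pos-01", "pos-02", "db-01", "ws-07"]
NOW = datetime(2024, 3, 10, 12, 0, 0)
SAMPLE_EVENTS = [
    "2024-03-09T08:00:00 host=pos-01 event=signature_updated sig=20240309",
    "2024-03-09T08:05:00 host=pos-01 event=scan_completed",
    "2024-03-01T08:00:00 host=pos-02 event=signature_updated sig=20240228",
    "2024-03-09T09:00:00 host=pos-02 event=signature_update_failed",
    "2024-03-09T10:00:00 host=db-01 event=signature_updated sig=20240309",
    "2024-03-09T10:30:00 host=db-01 event=malware_detected",
    "2024-03-09T11:00:00 host=unknown-99 event=signature_updated sig=20240309",
]

if __name__ == "__main__":
    report = av_status(SAMPLE_EVENTS, INVENTORY, NOW)
    for host in needs_attention(report):
        print(host, report[host]["issues"])
```

Driving the roll-up from the asset inventory rather than from the events is what surfaces `ws-07`: an endpoint with no A/V events at all is the case most easily missed when only the A/V console is consulted, and it is exactly the "actively running" clause of 5.2.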
| Requirement | Solution | Related Product |
|---|---|---|
| 6.1 — Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release. | As with requirement #5, there are several ways to ensure that systems and software are kept up to date. Security solutions such as Vulnerability Assessment (VA) and Change Management solutions are extremely helpful here. Additionally, this information can be obtained directly from application and operating system logs, or via host agents (such as a Database Monitoring agent). Using a capable SIEM, all of (or combinations of) the above may be used together to provide complete visibility into system configurations as they relate to security. Because the SIEM is also aware of where sensitive data exists, and how it is being accessed (via Database Monitoring), the use of the SIEM for central management of these additional services is highly beneficial. | NitroView DBM, NitroView ESM |
| 6.2 — Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update standards to address new vulnerability issues. | To ensure that new vulnerabilities are identified, all security devices, including Intrusion Prevention systems and VA systems, should support automatic updates via a subscription method. In this case, the SIEM will always have visibility of new exploit attempts, and will be able to adequately assess risk by comparing observed events against the results of updated VA scans. | NitroView ESM |
| 6.3 — Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle. | Ensuring that applications adhere to industry best practices is achievable in part through the combined use of database/application monitoring systems, SIEM, and additional information gathered from application and server logs. For example, the use of 'account pooling' (where many users might log into an application, but that application accesses the database using a single account) poses a challenge to PCI, because the auditable trail between the user and the sensitive data is broken. However, by correlating database activity (where we see the account used by the application) and application logs (where we see more granular account information), the audit trail can be rebuilt. Likewise, default accounts, test accounts, the presence of sensitive data on test servers, unencrypted network sessions, and other violations are all visible either to a database monitoring system or Intrusion Prevention system, or are identifiable within application and server logs. By using a SIEM capable of integrating all of these functions, visibility into application functionality is provided. | NitroView ESM |
| 6.3.1 — Testing of all security patches, and system and software configuration changes before deployment, including but not limited to the following: | NitroView ESM can determine system profiles via active fingerprinting, integration of external vulnerability assessment (VA) scanning, and the ability to analyze event logs from enterprise VA systems. With this level of visibility into logs, NitroView ESM can determine which endpoints are out of date with available patches, and which have had configuration changes made. Integration with vulnerability assessment systems also provides detail on patching information, which can be correlated along with asset detail for a full picture of patching and configuration management as it relates to compliance with 5.1. | NitroView ESM |
| 6.3.1.1 — Validation of all input (to prevent cross-site scripting, injection flaws, malicious file execution, etc.) | NitroView ADM and NitroGuard IPS, inserted inline for critical systems, can use policy rules tailored to data structures to validate all system input. | NitroView ADM, NitroGuard IPS |
| 6.3.1.2 — Validation of proper error handling | NitroView ADM and NitroGuard IPS, inserted inline for critical systems, can use policy rules tailored to data structures to validate all system input. | NitroView ADM, NitroGuard IPS |
| 6.3.1.5 — Validation of proper role-based access control (RBAC) | NitroView ESM, ADM, and DBM, when integrated with Active Directory and other identity and access control solutions, can determine user roles and groups, correlate valid and invalid access, and provide reports which are useful in determining when improper access is occurring, so that 6.3.1.5 compliance can be reported on. | NitroView ESM, NitroView ADM, NitroView DBM |
| 6.3.5 — Removal of test data and accounts before production systems become active | NitroView ADM, inserted inline in front of critical systems, can examine an application's data and detect things like known test data, accounts, etc. if they are ever used in a live environment. Alerts can then be raised based upon detecting these events. | NitroView ESM, NitroView ADM |
| 6.3.6 — Removal of custom application accounts, user IDs, and passwords before applications become active or are released to customers | NitroView ADM can examine an application's data and detect things like known test data, accounts, etc. if they are ever used in a live environment. For example, the product can detect use of 'ghost' accounts that have been hard-coded into applications. Alerts can then be raised based upon detecting these events, so that administrators can remove them. | NitroView ESM, NitroView ADM |
| 6.5 — Develop all web applications based on secure coding guidelines, such as the Open Web Application Security Project Guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes, to include the following: | NitroView ESM collects and manages data from multiple sources and correlates them together to provide valuable insight into the use of applications. Web server logs may be the first place that the presence of non-secure forms, unprotected calls to scripts, and the presence of HTTP error codes (404, 500, etc.) are observed. Security incidents specifically targeting web application vulnerabilities, such as SQL injection and cross-site scripting, can be identified and alerted upon by both NitroView ESM and NitroGuard IPS. NitroView ADM can also detect protocol anomalies in web traffic, and/or the presence of sensitive information in web traffic. It can also see usernames associated with a specific session. NitroView DBM can examine login activity on the backend database (as well as transactions performed after logging in). The two together can detect 'account pooling' (which is a poor web application design practice) and even track users through 'pooled' access, if it is in place. NitroView DBM can very effectively detect SQL injection attacks and provide proactive notification by monitoring multiple failed queries. | NitroView ESM, NitroView DBM, NitroView ADM, NitroGuard IPS |
| 6.5.1 — Cross-site scripting (XSS) | Developing and debugging secure web applications requires correlating information available from multiple sources. NitroView ESM collects and manages data from multiple sources and correlates them together to provide valuable insight into coding practices. Web server logs may be the first place that the presence of non-secure forms, unprotected calls to scripts, and the presence of HTTP error codes (404, 500, etc.) are observed. Security incidents specifically targeting web application vulnerabilities, such as SQL injection and cross-site scripting, can be identified and alerted upon by NitroView ESM, DBM, and NitroGuard IPS. NitroView DBM can very effectively detect SQL injection attacks and provide proactive notification by monitoring multiple failed queries. |  |
NitroView ESM NitroView DBM NitroGuard IPS |
|
6.5.2 — Injection flaws, particularly SQL injection. Also consider LDAP and Xpath injection flaws as well as other injection flaws |
Developing and debugging secure web applications requires correlat-ing information available from multiple sources. NitroView ESM collects and manages data from multiple sources and correlates them together to provide valuable insight into coding practices.
Web server logs may be the first place that the presence of non-secure forms, unprotected calls to scripts, and the presence of HTTP error codes (404, 500, etc) are observed. Security incidents specifically tar-geting web application vulnerabilities, such as SQL injection and cross-site scripting can be identified and alerted upon by NitroView ESM, DBM, and NitroGuard IPS.
NitroGuard IPS can also actively detect and block SQL attacks. When used in conjunction with DBM and ESM, more subtle threats to the database may be detected. NitroView DBM can very effectively detect SQL Injection attacks and provide proactive notification by monitoring multiple failed queries. |
NitroView ESM NitroView DBM NitroView ADM NitroGuard IPS |
|
6.5.3 — Malicious file execution |
Requirement 6.5.3 refers to preventing malicious file execution in web applications code. When deployed on the appropriate network seg-ment in front of a web application, the NitroGuard IPS and Ni-troView ADM solutions can augment this by identifying and in some cases blocking access to .exe files, and by preventing malicious file execution from attachments, Trojans, and other malware.
NitroView DBM can very effectively detect SQL Injection attacks and provide proactive notification by monitoring multiple failed queries. |
NitroView ADM NitroGuard IPS |
|
6.5.6 — Information leakage and improper error handling |
NitroView ADM can detect improper information leakage, including cardholder data, when inserted inline in front of critical systems.
NitroView DBM can very effectively detect SQL Injection attacks and provide proactive notification by monitoring multiple failed queries. |
NitroView ADM |
|
6.5.7 — Broken authentication and session management |
NitroView ADM, DBM, and ESM can examine application access and login activity, and can detect discrepancies including broken authentication and session management. For example, applications that use guest account access or inappropriate administrative privi-leges on web applications to query databases can be identified and reported upon.
NitroView DBM can very effectively detect SQL Injection attacks and provide proactive notification by monitoring multiple failed queries. |
NitroView ESM NitroView DBM NitroView ADM |
|
6.5.10 — Failure to restrict URL access |
NitroView ADM can use custom rules to detect applications that are access prohibited URLs, and reports on this activity can be easily created.
NitroView DBM can very effectively detect SQL Injection attacks and provide proactive notification by monitoring multiple failed queries. |
NitroView ADM |
|
6.6 — For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
|
NitroView ESM can gather log data from specific web security solu-tions such as web application firewalls, and can alert and report on potential security incidents. |
NitroView ESM |
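The rows for 6.5 and 6.5.2 describe the same detection idea twice: watch web server logs for bursts of HTTP error codes, and watch database audit records for "multiple failed queries" in one session, because injection attempts and probing typically produce many errors in a short time before anything succeeds. The following is an added example written for this page, not NitroSecurity code; it implements that sliding-window threshold detector in Python over constructed database-audit and web-log lines (the line formats, the 60-second window and the threshold of five are assumptions for illustration). The same detector, keyed on source address instead of session, is what the later 10.2.4 row describes for invalid login attempts.

```python
"""Sliding-window failure-burst detector (added example, not NitroSecurity code).

Counts failed database queries per session, or HTTP 5xx responses per
client, and alerts when more than THRESHOLD failures fall within WINDOW.
Keying on source address and counting failed logins gives the 10.2.4
brute-force check. All log lines below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumption: 60-second sliding window
THRESHOLD = 5                   # assumption: more than 5 failures in a window alerts

# Constructed database-audit lines: timestamp, session id, user, outcome.
DB_AUDIT_LINES = [
    "2010-03-01T10:00:01 session=s17 user=webapp status=OK",
    "2010-03-01T10:00:05 session=s17 user=webapp status=ERROR syntax error",
    "2010-03-01T10:00:07 session=s17 user=webapp status=ERROR syntax error",
    "2010-03-01T10:00:09 session=s17 user=webapp status=ERROR syntax error",
    "2010-03-01T10:00:12 session=s17 user=webapp status=ERROR syntax error",
    "2010-03-01T10:00:14 session=s17 user=webapp status=ERROR syntax error",
    "2010-03-01T10:00:15 session=s17 user=webapp status=ERROR syntax error",
    "2010-03-01T10:00:20 session=s42 user=reporting status=ERROR timeout",
    "2010-03-01T10:05:00 session=s42 user=reporting status=ERROR timeout",
]

# Constructed web-server access-log lines in common log format.
WEB_LOG_LINES = [
    '10.1.2.3 - - [01/Mar/2010:10:00:01 +0000] "GET /cart HTTP/1.1" 200 512',
    '10.1.2.3 - - [01/Mar/2010:10:00:02 +0000] "GET /cart?id=1 HTTP/1.1" 500 0',
    '10.1.2.3 - - [01/Mar/2010:10:00:03 +0000] "GET /cart?id=2 HTTP/1.1" 500 0',
    '10.1.2.3 - - [01/Mar/2010:10:00:04 +0000] "GET /cart?id=3 HTTP/1.1" 500 0',
    '10.1.2.3 - - [01/Mar/2010:10:00:05 +0000] "GET /cart?id=4 HTTP/1.1" 500 0',
    '10.1.2.3 - - [01/Mar/2010:10:00:06 +0000] "GET /cart?id=5 HTTP/1.1" 500 0',
    '10.1.2.3 - - [01/Mar/2010:10:00:07 +0000] "GET /cart?id=6 HTTP/1.1" 500 0',
    '10.9.9.9 - - [01/Mar/2010:10:00:08 +0000] "GET /missing HTTP/1.1" 404 0',
    '10.9.9.9 - - [01/Mar/2010:10:00:09 +0000] "GET /cart HTTP/1.1" 500 0',
]

DB_RE = re.compile(r"^(?P<ts>\S+) session=(?P<key>\S+) user=\S+ status=(?P<status>\w+)")
WEB_RE = re.compile(r'^(?P<key>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})')


def parse_db_line(line):
    """Return (timestamp, session id, failed?) or None for an unparseable line."""
    m = DB_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["key"], m["status"] != "OK"


def parse_web_line(line):
    """Return (timestamp, client address, failed?); only 5xx responses count as failures."""
    m = WEB_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["key"], int(m["status"]) >= 500


def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """events: (timestamp, key, failed) tuples from one log source.

    Returns [(key, iso_timestamp)] with one alert per key per burst; the
    alert re-arms once that key's window has drained of failures.
    """
    recent = defaultdict(deque)   # key -> timestamps of failures inside the window
    alerted = set()
    alerts = []
    for when, key, failed in sorted(events, key=lambda e: e[0]):
        q = recent[key]
        while q and when - q[0] > window:   # evict failures older than the window
            q.popleft()
        if not q:
            alerted.discard(key)
        if not failed:
            continue
        q.append(when)
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key, when.isoformat()))
    return alerts


def db_failure_alerts(lines=DB_AUDIT_LINES):
    """Sessions with a burst of failed queries (the 6.5.2 case)."""
    return detect_bursts(e for e in map(parse_db_line, lines) if e)


def web_failure_alerts(lines=WEB_LOG_LINES):
    """Clients with a burst of HTTP 5xx responses (the 6.5 web-log case)."""
    return detect_bursts(e for e in map(parse_web_line, lines) if e)


if __name__ == "__main__":
    print(db_failure_alerts())   # session s17 only; s42's two errors are minutes apart
    print(web_failure_alerts())  # client 10.1.2.3 only; the 404 is not counted
```

Two design points matter in practice: the window drains per key, so a single session or client that keeps failing raises one incident rather than one alert per line, and the web parser counts only 5xx responses, since a flood of 404s is usually a scanner or a broken link rather than an application fault worth the same escalation.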
| Requirement | Solution | Related Product |
|---|---|---|
| 7.1 — Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following: | NitroView ESM gathers access control audit log data and can assist in identifying both authorized access and access attempts by unauthorized users (including orphaned user accounts). NitroView DBM and ADM provide visibility into users accessing cardholder data to ensure that the "limit access to individuals whose job requires access to cardholder data" PCI requirement can be enforced. | NitroView ESM, NitroView DBM, NitroView ADM |
| 7.1.2 — Assignment of privileges is based on individual personnel's job classification and function. | NitroView ESM integrates with Active Directory and other identity and access management solutions to help deliver a full picture of user roles and privileges and how they are used on the network, by correlating identity and roles to observed access, application use, and events. This functionality makes validating 7.1.2 far simpler. | NitroView ESM |
| 7.1.4 — Implementation of an automated access control system. | NitroView ESM integrates with Active Directory and other identity and access management solutions to help deliver a full picture of user roles and privileges and how they are used on the network, by correlating identity and roles to observed access, application use, and events. This functionality makes auditing access control, as called for in 7.1.4, far simpler. | NitroView ESM |
| Requirement | Solution | Related Product |
|---|---|---|
| 8.1 — Assign all users a unique ID before allowing them to access system components or cardholder data. | NitroView ESM allows reporting and log analysis to determine if specific accounts have suspicious login patterns that can indicate problems such as shared or stolen logins. This allows auditing for compliance with 8.1. | NitroView DBM, NitroView ESM |
| 8.2 — In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: | NitroView ESM can help organizations to determine where systems may not be compliant with 8.2, by detecting instances where a mismatch occurs between the user ID and secondary (token, biometrics, or other two-factor) authentication. | NitroView ESM |
| 8.3 — Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates. | NitroView ESM uses authentication information from RADIUS and other authentication systems to verify accounts, and to subsequently track user activity across networks and applications. | NitroView ESM |
| 8.4 — Render all passwords unreadable during transmission and storage on all system components using strong cryptography. | NitroView ESM, IPS, and ADM can identify unencrypted passwords being used on a network. NitroView DBM can detect unencrypted passwords on a system. | NitroView ESM, NitroView ADM, NitroGuard IPS |
| 8.5 — Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows: | NitroView DBM can track user and account activity, maintaining a clear audit trail of user activity including the addition of new user accounts, account deletion, and escalation of account privileges. Account grouping or 'pooling' between users and applications can be detected by NitroView ESM, and by DBM. | NitroView ESM, NitroView DBM |
| 8.5.8 — Do not use group, shared, or generic accounts and passwords | NitroView ADM detects and reports upon the use of weak, shared, and generic passwords, which helps in testing for compliance with 8.5.8. | NitroView ADM |
| 8.5.10 — Require a minimum password length of at least seven characters | NitroView ADM detects and reports upon the use of weak passwords, which helps in testing for compliance with 8.5.10. | NitroView ADM |
| 8.5.11 — Use passwords containing both numeric and alphabetic characters | NitroView ADM detects and reports upon the use of weak passwords, which helps in testing for compliance with 8.5.11. | NitroView ADM |
| 8.5.16 — Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users | NitroView DBM and ADM, when integrated with Active Directory or other identity solutions, provide visibility into all database access. All access is authenticated and logged. NitroView ESM also tracks activity from applications using pooled accounts, where applications have been coded improperly to share a single database account. | NitroView ADM, NitroView DBM |
| Requirement | Solution | Related Product |
|---|---|---|
| 9.1 — Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. | NitroView ESM can provide linkage between physical access control systems and logical access control systems. This allows for correlation of a user's physical location to other events and activities. For example, if a user account is being used within a locked facility, but there is no record of that user entering the facility, security alerts can be raised for a possible physical intrusion. | NitroView ESM |
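The 9.1 row states the correlation rule in one sentence: an account used at a console inside a locked room, with no badge record of that person entering the room, is a possible physical intrusion (or a shared credential). Below is an added example, written for this page rather than taken from NitroView ESM, that implements the rule in Python over constructed badge-reader and login events. The host-to-room inventory and the twelve-hour maximum stay are assumptions; the only logins checked are local console logins, because a remote SSH session implies nothing about where the person is standing.

```python
"""Physical/logical access correlation (added example, not NitroSecurity code).

Flags console logins on hosts in a badge-controlled room when the user's
most recent badge event for that room is not a recent entry. Events are
constructed for illustration; in practice they come from the badge system
and the host authentication logs collected by the SIEM.
"""
from datetime import datetime, timedelta

MAX_STAY = timedelta(hours=12)  # assumption: a badge-in older than this no longer proves presence


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed badge-reader events: (time, user, room, direction)
BADGE_EVENTS = [
    (ts("2010-03-01 08:00"), "carol", "datacenter-a", "in"),
    (ts("2010-03-01 08:30"), "carol", "datacenter-a", "out"),
    (ts("2010-03-01 09:00"), "alice", "datacenter-a", "in"),
]

# Constructed login events: (time, user, host, login type)
LOGIN_EVENTS = [
    (ts("2010-03-01 09:10"), "alice", "pos-db01", "console"),  # badged in at 09:00: fine
    (ts("2010-03-01 09:30"), "bob", "pos-db01", "console"),    # no badge record at all
    (ts("2010-03-01 09:45"), "carol", "pos-db01", "console"),  # badged out at 08:30
    (ts("2010-03-01 09:50"), "dave", "pos-db01", "ssh"),       # remote: not a presence claim
]

# Assumption: asset inventory mapping each host to the room its console is in
HOST_ROOM = {"pos-db01": "datacenter-a"}


def is_present(badge_events, user, room, at):
    """True if the user's latest badge event for `room` at or before `at`
    is an entry no older than MAX_STAY."""
    last = None
    for when, who, where, direction in badge_events:
        if who == user and where == room and when <= at:
            if last is None or when > last[0]:
                last = (when, direction)
    return last is not None and last[1] == "in" and at - last[0] <= MAX_STAY


def find_unbadged_logins(badge_events=BADGE_EVENTS, login_events=LOGIN_EVENTS,
                         host_room=HOST_ROOM):
    """Return (user, host, time) for console logins that no badge entry supports."""
    alerts = []
    for when, user, host, kind in login_events:
        room = host_room.get(host)
        if room is None or kind != "console":
            continue  # host not in a controlled room, or login does not imply presence
        if not is_present(badge_events, user, room, when):
            alerts.append((user, host, when.strftime("%Y-%m-%d %H:%M")))
    return alerts


if __name__ == "__main__":
    for alert in find_unbadged_logins():
        print("console login without badge entry:", alert)
```

Clock skew between the badge controller and the hosts is the usual source of false positives with this rule, so in a real deployment the comparison should tolerate a few minutes of offset, and the host-to-room mapping has to come from a maintained asset inventory rather than a hand-written table.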
| Requirement | Solution | Related Product |
|---|---|---|
| 10.1 — Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user. | NitroView DBM links database activity to a given session, including login activity. In theory this requirement can be satisfied by enabling database audit options; however, in practice, enabling verbose auditing on database servers is rarely done, due to performance considerations. NitroView DBM fulfills this requirement without incurring any performance penalty. | NitroView ESM, NitroView DBM |
| 10.2 — Implement automated audit trails for all system components to reconstruct the following events: | NitroView ESM and ELM provide log centralization, event detection and correlation, and log file management across a wide variety of IT devices. The reports created by these products describe all audit activity including account creation, user authentication and account activity, account modification, and account de-provisioning. | NitroView ESM, NitroView ELM |
| 10.2.1 — All individual accesses to cardholder data | NitroView ELM logs access by users to specific systems. NitroView DBM extends user activity tracking and logging to include databases, tables, and specific records in databases. | NitroView DBM, NitroView ELM |
| 10.2.2 — All actions taken by any individual with root or administrative privileges | NitroView ESM aggregates all administrative account management activities. Reports created by the product track account creation and modification, access summary by user/administrator, and valid/invalid access attempts. | NitroView ESM |
| 10.2.3 — Access to all audit trails | NitroView ESM and ELM maintain complete audit trails, and they consolidate logs, making finding information easier. NitroView DBM and ADM can create audit trails through the reassembly of transaction/application session information to create 'logs' where they wouldn't otherwise exist. | NitroView ESM, NitroView ELM, NitroView DBM, NitroView ADM |
| 10.2.4 — Invalid logical access attempts | NitroView ESM collects and correlates valid and invalid access attempts for enterprise IT devices. Alerts and security incidents can be created based upon thresholds being exceeded, indicating possible brute force login attacks. NitroView ESM also provides a central collection point for logs, so that the test procedure for 10.2.4 can be easily achieved on a single console. | NitroView ESM |
| 10.2.5 — Identification & authentication mechanisms | NitroView ESM and ELM clearly demonstrate the identification and authentication mechanisms in use on a per-user basis, via log events. | NitroView ESM, NitroView ELM |
| 10.2.6 — Initialization of the audit logs | NitroView DBM monitors native database auditing functions, including initiation of audit logs. NitroView ESM provides a central reporting facility for these and other relevant activities. | NitroView ESM, NitroView DBM |
| 10.2.7 — Creation/deletion of system-level objects | NitroView DBM monitors all database system tables and procedures. NitroView ESM provides a central reporting facility for these and other relevant activities. | NitroView ESM, NitroView DBM |
| 10.3 — Record at least the following audit trail entries for all system components for each event: | NitroView ESM and ELM provide time and date stamps and event classification for each audit event. The products also provide user identification, IP addresses and host names, objects accessed, vendor message IDs, resources consumed (bytes of traffic or storage, monetary values, quantities, durations), applications used, and other event detail. | NitroView ESM, NitroView ELM |
| 10.3.1 — User identification | NitroView ESM and ELM record user identification in audit records (indexed within the ESM schema, and stored in raw format within ELM). | NitroView ESM, NitroView ELM |
| 10.3.2 — Type of event | NitroView ESM and ELM record event type in audit records (indexed within the ESM schema, and stored in raw format within ELM). | NitroView ESM, NitroView ELM |
| 10.3.3 — Date and time | Full date and time stamps are provided in audit records for all events in both NitroView ESM and ELM. | NitroView ESM, NitroView ELM |
| 10.3.4 — Success or failure indication | NitroView ESM and ELM record success or failure for audit events (for example, login or failed login attempt), indexed within the ESM schema and stored in raw format within ELM. | NitroView ESM, NitroView ELM |
| 10.3.5 — Origination of event | NitroView ESM and ELM record origination of the event (IP address), indexed within the ESM schema and stored in raw format within ELM. | NitroView ESM, NitroView ELM |
| 10.3.6 — Identity or name of affected data, system component, or resources | NitroView ESM and ELM record identity or name of the affected data, system component, or resource, indexed within the ESM schema and stored in raw format within ELM. | NitroView ESM, NitroView ELM |
| 10.5 — Secure audit trails against alteration | NitroView ESM and ELM securely store audit trails to prevent unauthorized access and tampering. Security mechanisms provided by the products include signed log storage, role-based access control, and support for encrypted or WORM storage using network attached storage devices and/or a channel-attached SAN. | NitroView ESM, NitroView ELM |
| 10.5.1 — Limit viewing of audit trails to those with a job-related need | NitroView ESM and ELM provide role-based access control to prevent unauthorized access and tampering with log files. | NitroView ESM, NitroView ELM |
| 10.5.2 — Protect audit trail files from modifications | NitroView ESM and ELM securely store audit trails to prevent unauthorized access and tampering. Security mechanisms provided by the products include signed log storage, role-based access control, and support for encrypted or WORM storage using network attached storage devices and/or a channel-attached SAN. | NitroView ESM, NitroView ELM |
| 10.5.3 — Promptly back up audit trail files to a centralized log server or media that is difficult to alter | NitroView ESM and ELM are the central logging servers that deliver this function for large, heterogeneous IT environments. Both products securely store audit trails to prevent unauthorized access and tampering. Security mechanisms provided by the products include signed and encrypted log storage, and role-based access control. Verification of this functionality as called for in the test procedure for 10.5.3 is easily accomplished via the administrative console. | NitroView ESM, NitroView ELM |
| 10.5.4 — Write logs for external-facing technologies onto a log server on the internal LAN | NitroView ESM and ELM are easily configured to collect logs from external/web-facing systems, and to store the logs on an internal network segment. | NitroView ESM, NitroView ELM |
| 10.5.5 — Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert) | NitroView ESM and ELM provide an integrated file integrity monitoring capability that ensures log files and log collection servers are not tampered with. Access controls at the operating system and application level are also provided to ensure log data cannot be modified or deleted. Alerts are customizable to selectively prevent or allow alarms. | NitroView ESM, NitroView ELM |
| 10.6 — Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). | NitroView ESM and ELM provide a central log repository that makes daily review of logs and security events simple. Reports can be generated and distributed automatically on a daily basis, or generated on demand. The products show which users did what within the ESM/ELM, and within the entire logged IT infrastructure. Reports can be easily run that show proof of log data review. | NitroView ESM, NitroView ELM |
| 10.7 — Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up). | NitroView ESM and ELM simplify the process of log file retention and storage. NitroView ESM parses all logs and keeps highly granular event and audit data available for analysis. This data may be stored for analysis indefinitely, depending upon total event volumes. NitroView ELM uses flexible storage 'pools' to allocate both storage space and retention requirements to individual log sources or groups of log sources. NitroView ELM creates a reference between parsed events and the raw source log, which is then signed and stored to an appropriate storage pool. | NitroView ESM, NitroView ELM |
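Rows 10.5, 10.5.2 and 10.7 rely on "signed log storage", and 10.5.5 spells out the property such storage must have: changing, removing or reordering an existing record must raise an alert, while appending new records must not. The simplest construction with that property is a keyed hash chain, where each record carries a MAC over its sequence number, the previous record's MAC and its own content. The block below is an added example written for this page, not NitroView ELM's implementation; the HMAC key, the record layout and the sample log lines are assumptions, and the key is meant to live with the log server (the verifier), never on the host that produced the log.

```python
"""Hash-chained, HMAC-signed log store (added example, not NitroSecurity code).

Each record's MAC covers (seq, previous MAC, line), so verification flags a
changed line, a deleted or reordered record, and (given a previously saved
head MAC) truncation of the tail, while legitimate appends verify clean.
Log lines are constructed for illustration.
"""
import copy
import hashlib
import hmac

# Constructed audit lines, as a log collector might receive them.
CONSTRUCTED_LINES = [
    "2010-03-01T10:00:01 host=pos-db01 user=alice event=login result=SUCCESS",
    "2010-03-01T10:00:09 host=pos-db01 user=bob event=login result=FAILED",
    "2010-03-01T10:00:14 host=pos-db01 user=bob event=login result=FAILED",
    "2010-03-01T10:01:02 host=pos-db01 user=alice event=logout result=SUCCESS",
]


class SignedLogStore:
    GENESIS = "0" * 64  # stands in for the "previous MAC" of the first record

    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def _mac(self, seq: int, prev: str, line: str) -> str:
        # Field separator \x1f keeps (seq, prev, line) unambiguous in the MAC input.
        msg = f"{seq}\x1f{prev}\x1f{line}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, line: str) -> str:
        seq = len(self.records) + 1
        prev = self.head()
        rec = {"seq": seq, "prev": prev, "line": line, "mac": self._mac(seq, prev, line)}
        self.records.append(rec)
        return rec["mac"]

    def head(self) -> str:
        """MAC of the newest record; save this out-of-band to detect truncation."""
        return self.records[-1]["mac"] if self.records else self.GENESIS

    def verify(self, records=None, expected_head=None):
        """Return the positions that fail verification (empty list = intact).

        A record fails if its seq, its link to the predecessor or its MAC is
        wrong. If `expected_head` (a head MAC saved earlier) is not found in
        the chain, position 0 is reported: the tail was truncated.
        """
        records = self.records if records is None else records
        bad = []
        prev = self.GENESIS
        head_seen = expected_head in (None, self.GENESIS)
        for pos, rec in enumerate(records, start=1):
            ok = (rec["seq"] == pos and rec["prev"] == prev
                  and hmac.compare_digest(rec["mac"], self._mac(pos, prev, rec["line"])))
            if not ok:
                bad.append(pos)
            prev = rec["mac"]          # continue from the stored MAC so later records still link
            if rec["mac"] == expected_head:
                head_seen = True
        if not head_seen:
            bad.append(0)
        return bad


def demo():
    """Exercise the four cases: clean append, edited line, truncated tail, deleted record."""
    store = SignedLogStore(b"constructed-demo-key")  # assumption: key held only by the log server
    for line in CONSTRUCTED_LINES[:3]:
        store.append(line)
    saved_head = store.head()            # checkpoint taken after three records
    store.append(CONSTRUCTED_LINES[3])   # legitimate new data: must not alert (10.5.5)
    intact = store.verify(expected_head=saved_head)

    edited = copy.deepcopy(store.records)
    edited[1]["line"] = edited[1]["line"].replace("FAILED", "SUCCESS")
    modified = store.verify(edited, expected_head=saved_head)

    truncated = store.verify(store.records[:2], expected_head=saved_head)
    deleted = store.verify(store.records[:1] + store.records[2:], expected_head=saved_head)
    return intact, modified, truncated, deleted


if __name__ == "__main__":
    print(demo())  # ([], [2], [0], [2, 3])
```

The checkpointed head MAC is what turns "signed storage" into tamper evidence rather than tamper resistance: without a copy of the latest head held somewhere the log host cannot write, an attacker who deletes the newest records leaves a chain that still verifies. WORM media or a second copy on the central log server, as the 10.5.3 row describes, is the usual place to keep it.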
| Requirement | Solution | Related Product |
|---|---|---|
| 11.1 — Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use. | NitroView ESM records the results of test activity in an auditable manner. Configured properly, the products provide visibility across networks, devices, databases, applications, and users, and can correlate that information against vulnerability scan results to get a clear picture of where access risk from wireless networks exists. | NitroView ESM |
| 11.2 — Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). | NitroView ESM, via integration of external vulnerability assessment (VA) scanning, can identify changes in network topology and in system configurations. | NitroView ESM |
| 11.3 — Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following: | NitroView ESM, via integration of external vulnerability assessment (VA) scanning, can identify changes in network topology and in system configurations. | NitroView ESM |
| 11.4 — Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines up-to-date. | NitroGuard IPS is an intrusion prevention system that (when installed on a network segment inside the cardholder data environment) fulfills this requirement. Intrusions can be recognized in two primary ways: first, by signature matching against a comprehensive database of signatures developed by Nitro; second, the product can detect anomalous behavior (behavior that does not match a norm or baseline established for the network). Signatures for the product are updated automatically. | NitroGuard IPS |
| 11.5 — Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. | NitroView ESM can monitor file integrity in several ways: by providing a central monitoring and reporting facility for third-party file-integrity solutions, application whitelisting solutions, and host agents; through the direct monitoring of database activity to closely monitor database modifications using NitroView DBM; or using integrated change management features within NitroView ESM to actively monitor supported device configuration files and detect changes. | NitroView ESM, NitroView DBM |
| Requirement | Solution | Related Product |
|---|---|---|
| 12.1 — Establish, publish, maintain, and disseminate a security policy that accomplishes the following: | NitroView ESM, ELM, DBM, ADM, and NitroGuard IPS are useful tools that can help organizations to validate that the policies put in place for PCI DSS are actually being followed in practice. | NitroView ESM, NitroView ELM, NitroView DBM, NitroView ADM, NitroGuard IPS |
| 12.1.2 — Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment | Use of NitroView ESM with vulnerability assessment products can help organizations to assess risk and compliance status. | NitroView ESM |
| 12.1.3 — Includes a review at least once a year and updates when the environment changes. | NitroView ESM, ELM, DBM, ADM, and NitroGuard IPS are useful tools that can help organizations to conduct an annual review, and validate that the policies put in place for PCI DSS are actually being followed in practice. | NitroView ESM, NitroView ELM, NitroView DBM, NitroView ADM, NitroGuard IPS |
| 12.2 — Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures). | NitroView ESM provides a central point from which security incidents and attacks can be monitored, and forensic procedures carried out. | NitroView ESM |
| 12.3 — Develop usage policies for critical employee-facing technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), e-mail usage and Internet usage) to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following: | NitroView ADM can be useful in monitoring internal compliance with policies regarding employees sending sensitive data unencrypted, or using peer-to-peer protocols. NitroView ADM makes it easy to detect violations of these types. | NitroView ADM |
| 12.3.3 — A list of all such devices and personnel with access | NitroView ESM's asset management capabilities may assist in the generation of lists of critical technology devices by identifying all discovered network assets that are currently in use, including relevant detail about the applications, protocols and services used by those devices, as well as those users who have previously accessed those devices. | NitroView ESM |
| 12.3.6 — Acceptable network locations for the technologies | NitroView ESM's network topology capabilities may assist in the determination of acceptable network locations for devices and technologies, by producing reports to show the network location, protocols and services used, and other relevant details of currently deployed technology. | NitroView ESM |
| 12.3.7 — List of company-approved products | NitroView ESM's asset management capabilities may assist in the generation of company-approved product lists by identifying all discovered network assets that are currently in use. | NitroView ESM |
| 12.5.2 — Monitor and analyze security alerts and information, and distribute to appropriate personnel | NitroView ESM's event management capabilities simplify the analysis of security alerts generated from the digital infrastructure, and provide a variety of reporting and notification features to distribute these results to appropriate personnel. | NitroView ESM |
| 12.5.3 — Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations | NitroView ESM's integrated case management capabilities simplify incident response, while also providing incident response histories that may assist in the development of incident response and escalation policies. | NitroView ESM |
| 12.5.4 — Administer user accounts, including additions, deletions, and modifications | NitroView ESM can easily produce reports that provide user account activity and information, which may be useful in the assignment of security management responsibilities in this area. | NitroView ESM |
| 12.5.5 — Monitor and control all access to data | NitroView DBM can monitor data access directly, while NitroView ESM can easily produce reports on all data access, which may be useful in the assignment of security management responsibilities in this area. | NitroView DBM |
| 12.9 — Implement an incident response plan. Be prepared to respond immediately to a system breach | Effective incident response requires real-time event logging, correlation, and management. The NitroView ESM solution delivers this intelligence across the enterprise, and it enables incident response staff to quickly determine what parts of the organization were affected. | NitroView ESM |