The PCI DSS Wireless Guidance document is filling out a very important need.  As I said in Part I, Part II, and Part III.   Today I will continue analyzing this Wireless Guidance document.  I will number them and ask that you refer to that number in your comments on my suggestions.  Remember – the goal is to help improve the document.

How to Improve on the PCI DSS Wireless Guidelines Document – Part IV

More processes

Continuing in the review of the "Complying with PCI DSS" flow chart, I found some other areas I would change.

(14)  I remove the arrow form "Change defaults" and draw one instead from "Generate audit report" – to "Enable 802.11i".   This may seem as a small fix, but in fact it means "Enable 802.11i AFTER you generate an audit report".   I also (15) would consider changing the verbiage of "Generate audit report"….  How can you generate an audit report to prove that the defaults have been changed?  Do you simply compare it to an earlier report that said that those were the vulnerabilities?  Do you just submit it as "this weakness not found" type report?  Either way, lets change the way it is phrased.

Similarly to (14) above, I would recommend item (16) to route the arrow from "Enable 802.11" to "Physically Secure" to originate at "Generate a wireless audit".  The difference being that taking the steps of "A centralized management system" and "Generate a wireless Audit report that proves…"  are very important to enablement of Audit.  The way the chart is drawn now, these can be seen as optional processes, and should not.

Finally here (17) I would like to note that in some situations it is not feasible, while certainly being desirable, to physically secure wireless devices.  They can be our of reach (as in on a very high ceiling) or maintained by a third-party organization.   I would suggest that the term be defined so an organization would not fail on their audit just for that reason alone.

More to come next Monday…

Tomorrow we will have Chris’ final article in the "How to talk to Senior Management about Security".  On Friday, as I promised, a discussion of Confidentiality, Integrity and Availability, and the next article in the PCI DSS Wireless series will be Monday.

Permalink

As I said in Part I,   The PCI DSS Wireless Guidance document is filling out a very important need.  Today I will continue analyzing this Wireless Guidance document.  I will number them and ask that you refer to that number in your comments on my suggestions.  Remember – the goal is to help improve the document.

How to Improve on the PCI DSS Wireless Guidelines Document – Part II

Semantics

A small matter, but (7) the definition of part B.,, whereby a hub switch or other network device …transmits cardholder data is not accurate.  Why don’t we define it, for these purpose, as a non-segmenting network device that can submit and receive data  Would that work better?  Leaving it as is breaks your demaraction example and your "directly" connected assumption.

A bigger problem appears with figure 3:

If you define the firewall as the Demarc point, as done above, and then try including a wireless access point "F" inside the perimeter, as drawn here, there is a danger of causing confusion about what is proper and what is right.  By marking the network device "B" as an Unrouted Switch (which I believe is done in order to parallel the picture above), a dangerous possibility of complete non-segmentation exists here.   Simply put: I believe it possible for an architect or non-security technologist to design to this diagram.  Why don’t we (8) display the right-and-proper way to do it instead?

Proper Architecture

Section 2.1.3 does provide a more appropriate segmentation of the network.  Placing any wireless access point on a different network is a proper way to do so, considering the business fact of "There is a different risk profile to wireless networks".   As I said before:

If there is no business reason to do it, don’t do it.

 More detail on the analysis of this paper will be next week, on Monday.

Thank you for reading!

Beginning next week I intend to make:

• Mondays into PCI -days;
• Tuesdays into Cloud-days;
• Wednesdays into weekly-special-subject-days;
• Thursdays into guest-blogger-days;
• and Fridays into surprise-days.

- all, of course, time allowing.

Permalink