PCI-DSS v1.2 – My Thoughts, Concerns & Questions
Having had the opportunity to go to the 2008 PCI-SSC meeting in Orlando this year, which just so happened to be conveniently 5 minutes down the street from my office, and having had a couple of weeks to digest the new PCI-DSS v1.2 standard, here are some of my thoughts, concerns and questions. I’m not going to go into all the minor changes or clarifications, but rather the ones I feel have the most impact on the most organizations. One of the first that I think jumped out at a lot of us was the note added to requirement 6.1, concerning patch management. The testing procedure under 6.1.b states that patches rated critical must be shown to be installed within one month; however, the following has now been added under the NOTES of requirement 6.1:
6.1 – Note: An organization may consider applying a risk-based approach to prioritize their patch installations.
Keywords are “may” and “risk-based” here.
Now I’m not going to let the old I.T. security administrator in me get up on my infosec soapbox on this topic, because it is a very subjective area with many variables that most auditors in general do not always understand (I’m talking about arguing risks). This addition under the notes to the overall requirement, although welcome to all, particularly systems administrators, does in my opinion have a downside. My concern is from an I.T. security perspective, not only a compliance one: I think many organizations will once again not put enough resources behind a solid but practical patch management program and become lax once again.
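As an added illustration (not from the original post), a small Python check of the 6.1.b one-month window for critical patches together with a risk-based installation ordering of the kind the new note permits. The 30-day reading of “one month”, the severity weights and the internet-facing exposure factor are assumptions, and the inventory is constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# 6.1.b: critical patches must be shown to be installed within one month.
# "One month" is interpreted here as 30 days (an assumption, not the standard's wording).
CRITICAL_WINDOW_DAYS = 30

@dataclass
class PatchRecord:
    host: str
    patch_id: str
    severity: str               # "critical", "high", "medium" or "low"
    released: date              # vendor release date
    installed: Optional[date]   # None while the patch is still outstanding
    internet_facing: bool       # exposure factor used by the risk-based ordering (assumption)

def days_outstanding(rec: PatchRecord, today: date) -> int:
    """Days from vendor release to installation, or to today if still open."""
    return ((rec.installed or today) - rec.released).days

def violates_6_1_b(rec: PatchRecord, today: date) -> bool:
    """True when a critical patch was, or still is, open beyond the one-month window."""
    return rec.severity == "critical" and days_outstanding(rec, today) > CRITICAL_WINDOW_DAYS

def risk_score(rec: PatchRecord, today: date) -> int:
    """Illustrative risk-based priority (not defined by PCI-DSS): severity weight,
    doubled for internet-facing hosts, plus one point per day outstanding."""
    weight = {"critical": 40, "high": 20, "medium": 10, "low": 5}[rec.severity]
    if rec.internet_facing:
        weight *= 2
    return weight + days_outstanding(rec, today)

def prioritize_open(records: List[PatchRecord], today: date) -> List[PatchRecord]:
    """Outstanding patches in the order they should be installed, highest risk first."""
    return sorted((r for r in records if r.installed is None),
                  key=lambda r: risk_score(r, today), reverse=True)

# Constructed sample inventory; hosts and patch ids are placeholders.
TODAY = date(2008, 11, 15)
SAMPLE = [
    PatchRecord("web01", "PATCH-EXAMPLE-1", "critical", date(2008, 10, 1), None, True),
    PatchRecord("db01", "PATCH-EXAMPLE-2", "critical", date(2008, 10, 20), date(2008, 11, 10), False),
    PatchRecord("app01", "PATCH-EXAMPLE-3", "high", date(2008, 9, 1), None, False),
    PatchRecord("web02", "PATCH-EXAMPLE-4", "low", date(2008, 11, 1), None, True),
]

if __name__ == "__main__":
    print([(r.host, violates_6_1_b(r, TODAY)) for r in SAMPLE])
    print("install order:", [r.host for r in prioritize_open(SAMPLE, TODAY)])
```

Only web01 breaches the 6.1.b window in the sample; db01 was patched in 21 days, and app01 is overdue in a risk sense but is not a critical patch, so the 6.1.b test does not flag it.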
OK, let me get back on track here: testing procedure 3.4.1.b for requirement 3.4.
3.4.1.b – Verify that cryptographic keys are stored securely (for example, stored on removable media that is adequately protected with strong access controls).
“Stored securely” being the key phrase here, the change, and the relief, I think, is that having the keys stored locally on the system isn’t a deal breaker. Although one may argue that best practice is to have them located somewhere else, it is no longer required.
Another one I find worth mentioning, and would also like to get a general consensus on, is 4.2, where instant messaging has now been added to the language. Here’s an area where both the I.T. security geek and the compliance manager in me are in complete agreement. I like to have strong controls, including where possible content controls, on all communication channels that have the ability to travel outside my network. My question is where the consensus on both scope and controls will fall on instant messaging.
Requirement 11.4 has thankfully been changed so that it now says “and/or” in reference to IDS and/or IPS. I can say that 99.9% of the network administrators I have ever worked or spoken with have always stayed away from any device that has the access or ability to change routing and/or firewall tables, a decision I 100% agree with.
In requirement 5.1 I welcome the terminology being changed from “anti-virus” to “malicious code”; it makes the requirement more flexible. But one new development in the requirement that many may think is trivial, but does raise some long-term concern with me, is the addition of the word “rootkit”. Now I agree this is a form of nasty code that needs to be addressed, but I would like to get a consensus on this one. I have two questions: 1. Does this now mean that anti-virus installations on Windows servers will have to have a rootkit component in them? 2. Given the phrase “commonly affected systems” used under requirement 5.1, does this now mean that UNIX systems down the road will need to have some form of rootkit detection running on them? I know most will agree that is probably a long way from now; I’m just curious if that’s the direction we are going, just a thought.
OK, I had to come back and add this one, I almost forgot: the additions and changes to requirement 11.3 and its testing procedures. First, let’s hit the requirement:
11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification.
OK, the thing that caught my eye here immediately was “Internal”. Now as a former I.T. security administrator I agree 100% with a vulnerability management program that includes limited internal vulnerability scans of production servers that are online and, where warranted, limited penetration tests, particularly of sensitive web applications. But I can’t say I agree with a requirement that now requires full penetration tests on all in-scope hosts internally. I had a discussion with a fellow compliance officer and said that no matter how secure our systems are, a good pen tester or black hat can, with enough effort, break into them, including by using social engineering methods. I would rather see the PCI-SSC be more strict and put more emphasis on strong system security baselines, patch management, logging and incident response than add this requirement.
My second concern is with the language added to the testing procedure 11.3.a.
“Obtain and examine the results from the most recent penetration test to verify that penetration testing is performed at least annually and after any significant changes to the environment. Verify that noted vulnerabilities were corrected and testing repeated”.
The phrase that pops out at me here is “testing repeated”. Does this now mean I have to run penetration tests until all of the security issues identified in the test have been corrected? Is this now going to put me in a situation of constantly performing penetration testing all year round as my environment changes and new vulnerabilities are introduced?
The jury is dismissed on this one.