PCI compliance... what are you using?

Hi chaps

Trying to help a customer get through this. One of the specs says file integrity monitoring software? I guess something that has the ability to hash an executable and monitor it for changes? What do you use?

Also, network intrusion, any recommended appliances? They run an appliance with basic snort but just wondering what else is out there. Need to be able to keep logs for a year, reporting, usual stuff.
 
File integrity - we're a unix shop on all the boxes which are part of the affected systems, so we did a rewrite of the old tripwire script to make it work a bit better and tweak the security a little. Works well, nightmare to explain to the idiot PCI consultants.

IDP/IDS - we use Juniper SRX security routers and they're really quite fantastic bits of kit, massively expensive though. Our previous ISG/SSG firewalls did the job alright too and I've seen Fortigate firewalls used (though personally I despise the damn things)

EDIT: Also bear in mind you can basically ignore any part of it if you can provide - a reason why you don't need to do it, a reason why you won't do it or a timescale in which you will do it. PCI is ridiculous, just make sure you don't mistake having systems which comply for having systems which are actually secure!
 
Qualys has a PCI module/mode available for vuln scanning, we don't have that bit as it's not something we need but Qualys in itself seems pretty good the more I use it.

Isn't that cheap though.
 
I was thinking of scripting something with md5sum; was hoping for something a little more elegant though :)

Code:
2.2.1 Implement only one primary function per server.

Whaaaa! It's an SBS box :p

I suppose the get out clause here is primary. It has one primary function and 63 secondary functions.
 
MD5 sum checking is how our tripwire-like script works, on a unix box it's lightning fast, I was shocked how quickly it does the entire drive. On windows I guess you can just turn on access logging for the affected folders and then promise to check the event logs...

The one primary function rule is actually a good one in my opinion, I wouldn't knowingly buy anything from someone who was processing my credit card data on a SBS box...
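
The hash-and-compare approach discussed in the posts above, as an added example that is not part of the thread and is not any poster's actual script. It uses sha256sum instead of md5sum because MD5 is collision-prone; the function names and the demo tree are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: baseline-and-verify file integrity check (GNU find/sort/xargs).
# Function names and the demo tree are hypothetical, built only for illustration.

# fim_baseline DIR MANIFEST: record "hash  ./relative/path" for each file in DIR.
fim_baseline() {
    local dir="$1" manifest="$2"
    ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$manifest"
}

# fim_verify DIR MANIFEST: re-hash DIR, print ADDED/CHANGED/REMOVED, return 1 on drift.
fim_verify() {
    local dir="$1" manifest="$2" current report
    current=$(mktemp) || return 2
    fim_baseline "$dir" "$current"
    report=$(awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }  # SHA-256 hex is 64 chars
        FILENAME == ARGV[1] { base[path] = hash; next }      # first file is the baseline
        { seen[path] = 1
          if (!(path in base))         print "ADDED   " path
          else if (base[path] != hash) print "CHANGED " path }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$manifest" "$current" | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# fim_demo: constructed sample tree, tampered three ways after the baseline.
fim_demo() {
    local root rc=0
    root=$(mktemp -d) || return 2
    mkdir -p "$root/app/bin"
    printf 'v1\n'  > "$root/app/bin/payd"
    printf 'cfg\n' > "$root/app/pay.conf"
    # Manifest lives outside the monitored tree; in practice keep it read-only
    # or off-host so whoever can alter a file cannot also alter its baseline.
    fim_baseline "$root/app" "$root/manifest"
    printf 'v2\n' > "$root/app/bin/payd"     # modified
    rm "$root/app/pay.conf"                  # removed
    printf 'x\n'  > "$root/app/bin/new.sh"   # added
    fim_verify "$root/app" "$root/manifest" || rc=$?
    rm -rf "$root"
    return "$rc"
}
```

Run `fim_verify` from cron and alert on a non-zero exit; the report it prints, kept with the other logs, is the evidence an assessor will ask for.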
 
You probably wouldn't send your CC details in a plaintext email either!!! :o :(