
WIFIWALL DOME AND THE PCI DSS WIFI GUIDELINES

Meet the requirements of PCI DSS WiFi compliance using WifiWall Dome

Introduction

This document provides insight into the wireless requirements of PCI DSS version 3.2.1, dated July 2018, and how WifiWall Dome helps meet those requirements. It also describes the underlying reasons why 24/7 continuous monitoring of wireless networks is necessary, both to meet the PCI DSS requirements and to keep the corporate wireless network safe. WifiWall Dome also covers the PCI DSS wireless periodic security reviews and stores all wireless traffic.

The PCI DSS is a set of regulations created by major payment system companies and brands such as Amazon, Visa, MasterCard, American Express, Discover, and JCB. The PCI DSS requires organizations to comply with 12 general data security requirements that every merchant needs to follow. Chapters 10, 11, and 12 include specific requirements for WiFi networks.

The PCI DSS 3.2.1

“PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data – with requirements for software developers and manufacturers of applications and devices used in those transactions” - PCI DSS V3.2.1: Overview of PCI Requirements.

Chapters 10 to 12 of the document oblige organizations to regularly monitor and test networks to find and fix physical and wireless network vulnerabilities, as these present opportunities for criminals to gain unauthorized access to payment cards, applications, and cardholder data.

“A rogue access point (AP) is any device that adds an unauthorized (and therefore unmanaged and unsecured) WLAN to the organization's network (see Figure 2 below). A rogue AP could be added by inserting a WLAN card into a back-office server, attaching an unknown WLAN router to the network, adding a Bluetooth base, or by various other means.”

The following describes some of the requirements for wireless networks:

Chapter 10: Track and monitor all access to network resources:

  • Implement automated audit trails and a logging system for tracking all systems, users, and network activity.

  • Review logs and security events for all components to identify anomalies and suspicious activity. Critical log reviews must be performed at least daily.

  • Retain audit trail history for at least one year; at least three months of history must be immediately available for analysis.

WifiWall Dome - the need for continuous operation and Rogue Access Point detection

Summary

The PCI DSS WiFi regulations mandate WiFi monitoring activity even if no WiFi network is deployed. The PCI DSS requirements apply to companies that use WiFi outside the CDE, and more strictly to companies that use WiFi inside the CDE, where they involve ongoing procedures and tools.

WiFi networks, the de-facto standard for endpoint communication, constantly grow in popularity and size. At any moment, hundreds of thousands of WiFi networks broadcast in the proximity of a PCI company. Monitoring and logging WiFi traffic, and searching such a volume of WiFi networks for unauthorized Access Points, requires the appropriate tool. Only a tool that constantly scans the WiFi traffic, searches for unauthorized Access Points and automatically lists them can address the challenge of securing the infrastructure and meeting the PCI DSS WiFi requirements today.

“PCI DSS Requirement 11.1 identifies wireless analyzers and wireless IDS/IPS as accepted scanning methods”

“Although PCI DSS does not specify how an organization should record the results of their wireless detection process, it is a critical part of the process that the results are reviewed and appropriate action is taken to mitigate the risk of unauthorized devices.”

“A wireless IDS/IPS can also analyze wireless traffic to look for malicious activity such as a denial of service (DoS) and individual attacks on devices”

“The PCI DSS mandates the need for acceptable usage policies and procedures (Table 11), which include those for wireless devices.”

PCI DSS V3.2.1: Overview of PCI Requirements.

Chapter 12: Intrusion detection and intrusion prevention

  • Use network intrusion detection and/or intrusion prevention techniques to detect and/or prevent intrusions into the network.

  • Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file integrity monitoring systems.


WifiWall Dome and the PCI DSS Regulations

Chapter 10: Track and monitor all access to network resources

  • WifiWall Dome continuously scans and detects all Access Points in the proximity of the company. It investigates every Access Point and creates lists of Authorized Access Points, Evil Twins, Rogue Access Points, and unrelated Access Points.

  • WifiWall Dome detects all stations and devices, identifies which Access Point each one is connected to, and alerts if a device is connected to an unauthorized or Rogue Access Point.

  • All successful and failed logins are recorded in an audit trail along with every data or management transaction.

  • WifiWall Dome is the only system that maintains logs of all WiFi traffic as required by PCI DSS.


Chapter 11: Regularly test security systems and processes:

  • WifiWall Dome continuously scans for unauthorized and authorized Access Points. This allows unauthorized Access Points to be detected as soon as they appear, whether their SSID is broadcast or hidden.

  • Quarterly scanning - WifiWall Dome performs a scan every two minutes and reports back on the findings.

  • Inventory lists of authorized and unauthorized Access Points are created automatically. Every new Access Point is detected the first time it appears and is classified into the appropriate list. Unauthorized Access Points are classified as either simple Rogue or Evil Twin (spoofing the SSID and BSSID of the target Access Point).

  • In case of WiFi attacks such as POS connection hijack, de-authentication, etc., WifiWall Dome sends an alert that includes the origin of the attack, the target, attack metadata, the recommended action, and the forensic data required for investigation.

  • WifiWall Dome's risk mapping provides continuous reporting on all existing WiFi risks and weaknesses in the network, such as WiFi-Direct enabled devices, bad Access Point configurations, vulnerable Access Points, WPS configuration, WiFi cameras and printers, etc.

  • WiFi pen testing is included in the WifiWall Attack Simulation module. This allows WiFi penetration tests to be conducted for the purpose of observing the detection and reporting process.

  • The continuous nature of WiFi scanning and alerting allows the network configuration to be modified safely while the PCI DSS requirements are maintained during and after the modifications.

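The Chapter 10 and Chapter 11 points above describe two detection steps: sorting every observed Access Point into an authorized, Evil Twin, Rogue or unrelated list, and alerting when a corporate station is attached to anything that is not authorized. The following Python is an added example written for this page to show how such a classifier can be structured; it is not WifiWall Dome's code and says nothing about how the product itself decides. All MAC addresses, SSIDs, the corporate station list and the association records are constructed sample data, and the rule that an unknown AP with a corporate client attached counts as a candidate Rogue is an assumption of this example. It also covers two edge cases the text mentions: an authorized AP that hides its SSID, and a beacon that copies both the SSID and the BSSID of an inventoried AP.

```python
"""Classify observed access points against an authorized inventory and flag
corporate stations attached to anything that is not authorized.
Added example for this page, not WifiWall Dome's code; all MACs and SSIDs
below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AP:
    """One entry of the authorized inventory, or one observed beacon."""
    bssid: str
    ssid: str          # "" in a beacon means the AP hides its SSID
    security: str      # label such as "WPA2-Enterprise" (assumed format)


# Higher value wins when several beacons are seen with the same BSSID.
SEVERITY = {"authorized": 0, "unrelated": 1, "rogue": 2, "evil_twin": 3}


def norm(mac):
    """Sniffers report MACs in mixed case; compare them lower-case."""
    return mac.strip().lower()


def classify(beacons, inventory, associations, corporate_stations):
    """Return [(beacon, verdict)]; associations are (station, bssid) pairs."""
    inv = {norm(a.bssid): a for a in inventory}
    corp_ssids = {a.ssid for a in inventory}
    corp_stations = {norm(s) for s in corporate_stations}
    # BSSIDs that at least one corporate station is currently attached to
    aps_with_corp_clients = {norm(b) for s, b in associations
                             if norm(s) in corp_stations}
    verdicts = []
    for b in beacons:
        known = inv.get(norm(b.bssid))
        if known is not None:
            # Known BSSID: accept a hidden ("") or the inventoried SSID, but the
            # security mode must match; a copy of SSID and BSSID that runs Open
            # or WPA2-PSK is a spoofed twin, not the inventoried AP.
            ok = b.ssid in ("", known.ssid) and b.security == known.security
            verdict = "authorized" if ok else "evil_twin"
        elif b.ssid in corp_ssids:
            verdict = "evil_twin"     # corporate SSID from an unknown BSSID
        elif norm(b.bssid) in aps_with_corp_clients:
            verdict = "rogue"         # unknown AP with a corporate client on it
        else:
            verdict = "unrelated"     # neighbour network, no corporate client
        verdicts.append((b, verdict))
    return verdicts


def worst_per_bssid(verdicts):
    """Collapse per-beacon verdicts to one per BSSID, keeping the worst."""
    worst = {}
    for beacon, verdict in verdicts:
        b = norm(beacon.bssid)
        if b not in worst or SEVERITY[verdict] > SEVERITY[worst[b]]:
            worst[b] = verdict
    return worst


def station_alerts(associations, worst, corporate_stations):
    """Alert for every corporate station attached to a non-authorized BSSID."""
    corp_stations = {norm(s) for s in corporate_stations}
    alerts = []
    for station, bssid in associations:
        st, b = norm(station), norm(bssid)
        verdict = worst.get(b, "unknown")   # "unknown": AP stopped beaconing
        if st in corp_stations and verdict != "authorized":
            alerts.append((st, b, verdict))
    return alerts


# Constructed sample data: two authorized APs, two corporate laptops.
INVENTORY = [AP("00:11:22:aa:bb:01", "CorpNet", "WPA2-Enterprise"),
             AP("00:11:22:aa:bb:02", "CorpNet", "WPA2-Enterprise")]
CORPORATE_STATIONS = {"aa:bb:cc:00:00:10", "aa:bb:cc:00:00:11"}
BEACONS = [
    AP("00:11:22:AA:BB:01", "CorpNet", "WPA2-Enterprise"),   # authorized
    AP("00:11:22:aa:bb:02", "", "WPA2-Enterprise"),          # authorized, hidden SSID
    AP("00:11:22:aa:bb:01", "CorpNet", "Open"),              # evil twin, BSSID and SSID copied
    AP("66:77:88:00:00:01", "CorpNet", "WPA2-PSK"),          # evil twin, SSID copied
    AP("66:77:88:00:00:02", "Free_Airport_WiFi", "Open"),    # rogue: corporate laptop attached
    AP("99:88:77:00:00:01", "Neighbor5G", "WPA2-PSK"),       # unrelated neighbour
]
ASSOCIATIONS = [
    ("aa:bb:cc:00:00:10", "00:11:22:aa:bb:02"),   # corporate laptop on authorized AP
    ("aa:bb:cc:00:00:11", "66:77:88:00:00:02"),   # corporate laptop on a remembered public SSID
    ("de:ad:be:ef:00:01", "99:88:77:00:00:01"),   # visitor phone on a neighbour's AP
]


def run_scan():
    """One scan cycle: classify every beacon, then check corporate stations."""
    verdicts = classify(BEACONS, INVENTORY, ASSOCIATIONS, CORPORATE_STATIONS)
    worst = worst_per_bssid(verdicts)
    return verdicts, worst, station_alerts(ASSOCIATIONS, worst, CORPORATE_STATIONS)


if __name__ == "__main__":
    verdicts, worst, alerts = run_scan()
    for beacon, verdict in verdicts:
        print(f"{beacon.bssid:18} {beacon.ssid or '<hidden>':18} {verdict}")
    for station, bssid, verdict in alerts:
        print(f"ALERT station {station} is attached to {verdict} AP {bssid}")
```

Two design points matter for a real deployment. First, the verdict is kept per beacon and only then collapsed per BSSID, because a twin that copies the BSSID produces a second beacon with the same address; if any beacon for a BSSID is suspect, a station attached to that BSSID cannot be assumed safe from the air alone. Second, an unrelated neighbour AP and a Rogue AP plugged into the wired network look identical in the radio scan; this example uses the presence of a corporate client as the distinguishing signal, whereas a production system would also correlate with the wired side (switch MAC tables, DHCP leases) before acting.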

Chapter 12: Intrusion detection and intrusion prevention

  • WifiWall Dome is a WiFi IDS and IPS and complies with the requirements.

  • WifiWall Dome includes an alert module that reports WiFi IDS and IPS alerts to the dashboard and the company SOC.

Rogue detection for wireless technology in the branch is required by the PCI DSS at a minimum of once per quarter, whether or not the organization has wireless deployed. A hacker might infiltrate a branch and install a rogue wireless device (for example, an access point, a wireless-enabled printer, or a radio-enabled USB stick). This would give the hacker remote access into the branch (from the parking lot, for example) that is hard to detect. The PCI DSS offers several methods for detecting rogue devices.

“Wireless networking is a concern for all organizations that store, process, or transmit cardholder data and who therefore must adhere to PCI DSS. Even if an organization does not intentionally use any wireless technology, they must periodically verify that wireless technologies have not been introduced into their environment.”

Over the last few years, WiFi networks have grown significantly in size and complexity. WiFi is considered the de-facto standard for endpoint communications. WiFi networks are also available in the proximity, from other offices, buildings, or public networks. In a single urban office, the number of visible SSIDs (WiFi network names) is typically in the hundreds to thousands.

“Unauthorized wireless devices connected to the CDE must be detected and disabled. A wireless IPS should be able to find these rogue devices even when they are configured to not broadcast information about themselves or are present in isolated network segments.”

In addition, employees' stations (laptops, smartphones, etc.) connect to WiFi networks outside the office, for example at an airport or a coffee shop. Once a station has connected to such a public WiFi network, it keeps searching for that network every time it is on (unless WiFi is turned off). When the employee then connects the station to the office wired network, its WiFi card may connect to a Rogue Access Point that publishes the SSID of the airport or coffee shop. Such a connection may give an attacker an opportunity to move from the rogue public WiFi into the office's wired network, within the CDE.

“The response to unauthorized wireless devices should include action to remove the device and any corrective controls as appropriate to prevent a recurrence. In some instances, additional testing or rescans of the environment may be warranted to ensure the threat has been mitigated.”


Chapter 11: Regularly test security systems and processes:

  • Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points quarterly.

    • Examine policies and procedures to verify that processes are defined for the quarterly detection and identification of both authorized and unauthorized wireless access points.

  • Maintain an inventory of authorized wireless access points and implement incident response procedures in case unauthorized wireless access points are detected.

    • Examine documented records to verify that an inventory of authorized wireless access points is maintained and a business justification is documented for all authorized wireless access points.

    • Examine the organization's incident response plan (Requirement 12.10) to verify it defines and requires a response if an unauthorized wireless access point is detected.

    • Interview responsible personnel and/or inspect recent wireless scans and related responses to verify that action is taken when unauthorized wireless access points are found.

  • Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. Quarterly external scans must be performed by an Approved Scanning Vendor (ASV).

  • Develop and implement a methodology for penetration testing that includes external and internal penetration testing at least annually and after any significant upgrade or modification.
