IntrusionOnline

August 10, 2009

Harness the Power of PCI DSS: Tip #1 Password Security

Filed under: PCI DSS, Technical, Tips — Anton Chuvakin @ 12:05 pm

Inspired by the panels we did on PCI (here and here), I decided to start a series of posts with tips on harnessing the amazing motivating power of PCI DSS for meaningful security improvements. Enough ranting; let’s give those PCI skeptics something to whine about!

Let’s start from the obvious. There are a few general ways in which PCI provides value to organizations, such as by creating awareness or motivation for security improvements and data security in particular, helping loosen security budgets (and pointing at a few things that you probably should have bought even without PCI…), providing a simple laundry list of basic security controls (for those who don’t know what they are), as well as by simplifying [some say too much] “the whole security thing” for those who would otherwise ignore it.

However, this is not what I have in mind here: I’d like to draw my readers’ attention to a few specific things in PCI DSS guidance that will help with security if they are implemented. Also, please keep in mind that your PCI QSA is your final authority on what must be done for PCI, not some random blog on the Internet! :-) Finally, these tips are most useful for those in the trenches who are required to comply with PCI DSS while keeping the systems running and secure but maybe do not know how, and not to those who whine, bitch, blog and now twitter their way to infamy…

So, got a nice heavy PCI hammer? Where do you hit for security?

Tip #1 will focus on something very basic, non-controversial and – we are in luck! – spelled out very clearly in PCI DSS: namely, passwords.

PCI DSS has a few areas where the use of passwords for cardholder data security is discussed.

Requirement 2 covers the following: “2.1 Always change vendor-supplied defaults before installing a system on the network—for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.”

This simply means: make sure that if you buy “a piece of IT” which has a default password, it is changed right before said piece of technology is connected to a production network. Simple, obvious [for those doing security for more than a few minutes :-) ] and useful, since password guessing and default account trawling are still common ways to break into networks. BTW, I said “a piece of IT” and not “a computer”, since it applies to various devices (routers, switches, wireless gateways, etc.) as well.

Requirement 8 covers the following: “8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography.”

This simply means that passwords should never travel across the network in clear text (such as in FTP and – gasp! – telnet). BTW, for every one time that somebody says that “nobody is using telnet anymore”, I can point at a box that has telnet enabled (yes, this is 2009, not 1989!)

The same requirement also has the following guidance:

“8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use.”

“8.5.7 Communicate password procedures and policies to all users who have access to cardholder data.”

“8.5.8 Do not use group, shared, or generic accounts and passwords.”

“8.5.9 Change user passwords at least every 90 days.”

“8.5.10 Require a minimum password length of at least seven characters.”

“8.5.11 Use passwords containing both numeric and alphabetic characters.”

“8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.”

This simply means that passwords should be kept secret, hard to guess, hard to break, changed frequently-enough-but-not-too-frequently, and not reused – and that all of the above should be known to everybody who can change his/her own password and who can touch card data. Some automated tools can scan your systems and automatically verify that such configuration settings are in use across many systems.

BTW, if you read this and thought “huh? there is nothing here that I didn’t know before,” I have a secret to tell you: this was NOT written for you; this was written for somebody who runs the site where you just bought that new iPhone and who now has your credit card data…
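The post mentions automated tools that verify such settings across systems. As an added example (not code from the post or from any tool it refers to), here is a small Python audit of Linux password-ageing settings against 8.5.9 and 8.5.10, run on constructed /etc/login.defs and /etc/shadow fragments; it also covers the case login.defs alone misses, since PASS_MAX_DAYS only applies to accounts created after it was set.

```python
# Added example, not from the original post: audit Linux password-ageing
# settings against PCI DSS 8.5.9 (90 days) and 8.5.10 (7 characters).
import re

PCI_MAX_AGE_DAYS = 90  # 8.5.9: change user passwords at least every 90 days
PCI_MIN_LENGTH = 7     # 8.5.10: minimum password length of seven characters
# Constructed /etc/login.defs sample: a common distro default, fails both.
SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
"""
# Constructed /etc/shadow sample. login.defs only applies when an account is
# created; existing accounts keep their own max age in field 5 of shadow.
SAMPLE_SHADOW = """\
root:*:18000:0:99999:7:::
alice:$6$constructedhash:18000:0:90:7:::
bob:$6$constructedhash:18000:0:99999:7:::
carol:$6$constructedhash:18000:0::7:::
"""

def parse_login_defs(text):
    """Return {KEY: value} for 'KEY VALUE' lines, ignoring comments and blanks."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s+(\S+)$", line.split("#", 1)[0].strip())
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit_login_defs(text):
    """Return {requirement: (key, actual, passes)} for 8.5.9 and 8.5.10."""
    s = parse_login_defs(text)
    max_days = int(s.get("PASS_MAX_DAYS", 99999))  # absent means never expire
    min_len = int(s.get("PASS_MIN_LEN", 0))
    return {"8.5.9": ("PASS_MAX_DAYS", max_days, max_days <= PCI_MAX_AGE_DAYS),
            "8.5.10": ("PASS_MIN_LEN", min_len, min_len >= PCI_MIN_LENGTH)}

def shadow_accounts_exceeding_max_age(text, limit=PCI_MAX_AGE_DAYS):
    """Usernames whose per-account max age (field 5) exceeds the limit.
    An empty field means the password never expires (also fails 8.5.9);
    locked accounts (hash starting with '*' or '!') are skipped."""
    offenders = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 5 or f[1].startswith(("*", "!")):
            continue
        if not f[4] or int(f[4]) > limit:
            offenders.append(f[0])
    return offenders
```

On PAM-based distributions PASS_MIN_LEN is commonly overridden by pam_pwquality or pam_cracklib, so the length check here covers login.defs only.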


13 Comments »

  1. Dr. Chuvakin, Great post! Enforcing a strong password policy within an organization has become a straightforward task with modern operating systems which facilitate group policy management across the company network. But how to make it effective has not been so clear and it takes time for an organization and its employees to become fully adapted to the policy. So all the procedures of 2.1, 8.4, 8.5.3, 8.5.8, 8.5.9, and 8.5.12 are all about how to make a strong password policy effective.

    Besides, your post is very resourceful. I clicked and followed all the links embedded and they led me to an incredible amount of great posts on related topics from various authors and valuable information from other web sites. And thanks for telling the secret.

    Mitchell

    Comment by mwu — August 16, 2009 @ 8:49 pm

  2. What is a strong password? I noticed some organizations also require the use of special characters (ex. !@#$%^&*(<) and mixing upper and lower cases. Does PCI DSS require that?
    Here is an example of a strong password guideline:

    1) Passwords must be at least 8 alphanumeric characters in length.
    2) It must contain a mix of three of the following four character types:

    2.1 Upper case character (A, B, C, etc.)
    2.2 Lower case character (a, b, c, etc.)
    2.3 Special character, including ~, !, @, #, $, %, ^, &, *, (, ),
    2.4 Arabic number (0, 1, 2, 3, etc.)

    3) Passwords cannot be any of the following:

    3.1 Dictionary words or common names, such as John, Fred, Tom, etc.
    3.2 Portions of associated account names, for example, user ID, login name
    3.3 Consecutive character strings, such as abcdef, 123456
    3.4 Simple keyboard patterns, such as asdfgh, qwerty
    3.5 Generic passwords, such as a password consisting of a variation of the word “password” (e.g., P@ssword1)

    4) Passwords must be changed every 90 days (45 days for Administrator accounts).
    5) Password history will prevent users from using the same password for 10 previous password changes.
    6) After three invalid password attempts, the user account will be locked out for a period of, say, 15 minutes.

    Does anyone know whether any company or government agency really implements all these 100%? I think it is more challenging to implement all requirements in 3). I got to try out all my credit card and bank accounts to see how far they go, or whether they care about customers changing their passwords every 90 days. And I have already experienced each financial firm implementing it differently; some require entering the last 4 digits of the SSN, some also use the customer’s favorite image, etc. as part of the authentication ritual.

    Mitchell

    Comment by mwu — August 17, 2009 @ 3:37 pm
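The guideline in the comment above, turned into a checker as an added example (not code from the post, the commenter, or PCI DSS). The run length of 4, the leetspeak map and the tiny word list are assumptions made here; the lockout rule (6) is stateful and left to the operating system.

```python
# Added example, not from the post or the comment: a checker for the guideline
# in comment 2. Run lengths, leet map and word list are assumptions made here.
import string

COMMON_WORDS = {"john", "fred", "tom", "welcome", "summer", "letmein"}  # constructed
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
LEET = str.maketrans("@$013!|", "asoleil")  # undo common substitutions (P@ssw0rd)
HISTORY_DEPTH = 10  # rule 5
MIN_RUN = 4  # assumption: 4+ sequential/keyboard chars count as a pattern

def has_sequential_run(pw):
    """True if MIN_RUN or more consecutive characters ascend by one (abcd, 1234)."""
    codes = [ord(c) for c in pw.lower()]
    return any(all(codes[i + k + 1] - codes[i + k] == 1 for k in range(MIN_RUN - 1))
               for i in range(len(codes) - MIN_RUN + 1))

def has_keyboard_pattern(pw):
    """True if MIN_RUN or more adjacent keys from one keyboard row appear in order."""
    return any(row[i:i + MIN_RUN] in pw.lower()
               for row in KEYBOARD_ROWS for i in range(len(row) - MIN_RUN + 1))

def check_password(pw, account, history=()):
    """Return the guideline rules the password violates (empty list = accepted)."""
    failures = []
    if len(pw) < 8:                                              # rule 1
        failures.append("1: shorter than 8 characters")
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c in string.punctuation for c in pw), any(c.isdigit() for c in pw)]
    if sum(classes) < 3:                                         # rule 2
        failures.append("2: fewer than three character types")
    norm = pw.lower().translate(LEET)
    if norm in COMMON_WORDS:                                     # rule 3.1
        failures.append("3.1: dictionary word or common name")
    acct = account.lower()
    if any(acct[i:i + MIN_RUN] in pw.lower()                     # rule 3.2
           for i in range(len(acct) - MIN_RUN + 1)):
        failures.append("3.2: contains part of the account name")
    if has_sequential_run(pw):                                   # rule 3.3
        failures.append("3.3: consecutive character string")
    if has_keyboard_pattern(pw):                                 # rule 3.4
        failures.append("3.4: keyboard pattern")
    if "password" in norm:                                       # rule 3.5
        failures.append("3.5: variation of the word 'password'")
    if pw in list(history)[-HISTORY_DEPTH:]:                     # rule 5
        failures.append("5: reused one of the last 10 passwords")
    return failures
```

A real deployment would compare rule 5 against stored hashes rather than plaintext history, and would use a full dictionary instead of the constructed word list.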
