There have been recent attacks that threaten the physical integrity of systems, but they can be mitigated through adherence to PCI DSS and increased vigilance. The recent news stories on Firewire exploits, RAM downloads, Full Disk Encryption weaknesses, and magnetic access card vulnerabilities highlight the need to review the PCI physical and monitoring safeguard requirements that mitigate these risks. There is plenty of technical discussion and there are proofs of concept for these attacks, and it is important that we understand how they threaten our cardholder data and enterprise viability.
Requirement 9 states “Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.” (PCI DSS v1.1)
- Section 9.1.1 (video-monitor sensitive areas) would detect attackers accessing your sensitive servers and secured workstation areas that contain cardholder data – a good detective control for the Firewire, Disk Encryption, RAM, and Magnetic Card reader attacks.
- Section 9.2 (Identification) would contribute to detecting someone bypassing the access control doors if the office were small, or if the identification used color codes that signified which employees have access to which areas. (The reason unique identification is needed for employee access levels is that visually inspecting and duplicating a single badge is easy, but having the correct type of badge in the right area is more challenging and raises the likelihood of detecting an unwanted guest.)
Requirement 10 states “Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.”
- Sections 10.2.1 and 10.2.4 require us to maintain audit logs of events for all users and on systems that contain sensitive data. This would provide rapid identification of unauthorized attempts resulting from a magnetic card attack. Use of triggers would ensure that actions can be taken promptly, in addition to the regular log review required under 10.6.
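The two detective controls above (the color-coded badge per area under 9.2, and audit logging with triggers under 10.2) can be exercised against a physical-access log. The script below is an added example, not part of the original post or of PCI DSS itself; the badge-reader log format, the area-to-badge-color table, the denial threshold and the five-minute window are all assumptions constructed for illustration. It flags two conditions: a granted entry where the badge color is not permitted for that area (a reader that admitted the wrong badge type), and a badge that is denied repeatedly within a short window (the trigger that should prompt a look at the camera footage).

```python
"""Badge-access log review for the 9.2 / 10.2 detective controls.

All data here is constructed for the example: the log format, the badge
colour codes and the area permissions are hypothetical, not a real product's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical mapping: area -> badge colour codes allowed to enter it (9.2)
AREA_PERMISSIONS = {
    "lobby": {"blue", "green", "red"},
    "office": {"green", "red"},
    "server_room": {"red"},
}

# Constructed sample reader log: timestamp, badge id, colour, area, result
SAMPLE_LOG = """\
2008-03-01T08:59:10 badge=1042 color=red area=server_room result=granted
2008-03-01T09:02:31 badge=2201 color=green area=server_room result=denied
2008-03-01T09:02:50 badge=2201 color=green area=server_room result=denied
2008-03-01T09:03:05 badge=2201 color=green area=server_room result=denied
2008-03-01T09:15:00 badge=3310 color=blue area=office result=granted
2008-03-01T12:40:12 badge=1042 color=red area=office result=granted
"""


def parse_line(line):
    """Turn one 'ts key=value ...' log line into a dict with a datetime ts."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
    return rec


def find_mismatched_grants(records):
    """Granted entries whose badge colour is not permitted for the area.

    A hit means a door admitted a badge of the wrong type, which is exactly
    the condition the colour-coded identification in 9.2 is meant to expose.
    """
    return [
        r for r in records
        if r["result"] == "granted"
        and r["color"] not in AREA_PERMISSIONS.get(r["area"], set())
    ]


def find_repeated_denials(records, threshold=3, window=timedelta(minutes=5)):
    """Badges denied at least `threshold` times inside a sliding `window`.

    Returns (badge, timestamp of first denial in the run) so the trigger can
    be tied to the video record for that time (9.1.1 / 10.2 / 10.6).
    """
    by_badge = defaultdict(list)
    for r in records:
        if r["result"] == "denied":
            by_badge[r["badge"]].append(r["ts"])

    alerts = []
    for badge, times in by_badge.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append((badge, times[i]))
                break  # one alert per badge is enough to prompt review
    return alerts


def review(log_text):
    """Run both checks over a log and return the findings."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "mismatched_grants": find_mismatched_grants(records),
        "repeated_denials": find_repeated_denials(records),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOG)
    for r in findings["mismatched_grants"]:
        print(f"WRONG BADGE TYPE: badge {r['badge']} ({r['color']}) "
              f"admitted to {r['area']} at {r['ts']}")
    for badge, first in findings["repeated_denials"]:
        print(f"REPEATED DENIALS: badge {badge} starting {first}")
```

On the constructed log this reports badge 3310 (a blue badge admitted to the office, where only green and red are permitted) and badge 2201 (three denials at the server room door inside 34 seconds). The threshold and window are the tuning knobs: set them against how often legitimate users fumble a reader, so the trigger fires for a probing badge rather than for a colleague with a worn card.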
I further investigate this topic of controls and hardware-based attacks at IT Compliance and Controls. In addition, I spend a great deal of time analyzing these vectors and the necessity of proper controls under Principle 3, Access and Authorization, starting on page 173 of IT Compliance and Controls – Best Practices for Implementation (my newly released book).
Please feel free to add comments, additional thoughts on controls, and any other approaches by which these safeguards manage the risks to our organizations.
James DeLuccia IV
Upcoming Speaking Engagements:
- Please join me at RSA 2008 for my session on: Emergence of international regulatory synergies
- Please join me in Boston, for the Association of Certified Fraud Examiners’ Conference, with my session on: Worst and Best IT Management Practices