Re: PCI Compliance Scope

["David M. Zendzian" <dmz () dmzs com>]

A few thoughts here.

1) Logging is a PCI requirement. So your log servers are in scope so the
auditor can validate that they are logging everything they are suppose
to (every server/service, which would & should include cardholder
applications/databases/etc).

2) The log server is a "connected" system and by PCI definitions it is
in-scope.  Now other things that are outside of the cardholder
environment that connect to the log server are still outside of scope
because connected systems of connected systems are not in-scope :)

3) If your apps or anything that is part of the process is storing card
numbers, passwords (ever see a misconfigured ftp server log passwords,
then those are logged centrally & the alerts (with pw) are emailed to
all admins....

And the concern over passwords brings up the fact that PCI is about
cardholder data, but the requirements include password, server
configurations, management, segmentation of duties, etc.

I always have to examine the log server; it is too important to ensuring
that all pci required services are logged & retained / archived in
accordance with retention policy, monitored as required (daily) and does
not contain any unauthorized data (cardholder data, unencrypted passwords).

Also, log servers are extremely important for both your protection and
forensic investigators if you ever have a compromise.  They are
mentioned throughout the pci-dss and for good reason as you can also use
them to prove, if compromised, that specific systems were or were not
accessed if the attacks can be identified in the logs.  This way you can
limit your scope and liability; otherwise investigators have to assume
all systems have been compromised & investigate every one for possible
compromise.

Good luck with the validation.

Regards
David

David Glosser wrote:
> just finished a "gap analysis" and our auditor stated that the log
> server was in scope as the logs needed to be protected. There's a
> dedicated logserver for our in-scope systems.
>
> The auditor was very interested in examining the logs to ensure that
> they NOT contain PII/cardholder data. If they did, then we would have
> been a BadThing as many other PCI 8and general security) requirements
> would have been violated, such as not sending the cardholder data over
> the clear, storing of the cardholder data in plain text, etc...
>
>
>
>
> On Thu, Nov 12, 2009 at 2:13 PM, Erin Carroll <amoeba () amoebazone com> wrote:
> > It's been a bit since I was forced to do PCI on a daily basis so someone
> > will come along and correct me if I'm wrong....
> >
> > If the logs contain no PII/cardholder data and the logs are pushed to the
> > central log storage device (not pulled from device) then the log server is
> > not in scope. If the logs do contain PII/cardholder data then the log device
> > is in scope but does not make the 300+ other devices which log to the device
> > in scope.
> >
> >
> >
> > --
> > Erin Carroll
> > Moderator, SecurityFocus pen-test mailing list
> > "Do Not Taunt Happy-Fun Ball"
> >
> > > -----Original Message-----
> > > From: listbounce () securityfocus com
> > > [mailto:listbounce () securityfocus com] On Behalf Of Danux
> > > Sent: Thursday, November 12, 2009 7:27 AM
> > > To: pen-test () securityfocus com
> > > Subject: PCI Compliance Scope
> > >
> > > Question for PCI experts:
> > >
> > > During a PCI Audit the Auditor told us that all the Security Devices
> > > protecting Cardholder Data are also part of PCI Scope, which makes
> > > sense for IDS/IPS, FW, AD, so on but what about a Log Management tool?
> > >
> > > This means that my Log Management Centralized Server solution which is
> > > getting logs not just for PCI assets but for the whole network ... is
> > > gonna be in scope?
> > > if so? This means all 300 security devices sending the logs (Servers,
> > > WStations, Data Bases, AV) to the Centralized server are in scope Too?
> > >
> > > if so?
> > >
> > > Then, obviously I need to find a way to isolate & split the Log
> > > Management Server from the whole network to only monitor PCI assets
> > > but that entails to buy a new costly license to have another
> > > Centralized log server, which is not doable for us.
> > >
> > > Have you ever had the same problem? so that you can share the way to
> > > resolve it WITHOUT adding new software/hardware?
> > >
> > > I think I need to create a kind of PCI Security Devices Zone isolated
> > > from the network but not sure if that works for PCI Auditor.
> > >
> > > Please share your ideas.
> > > --
> > > Danux
> > >
> > > -----------------------------------------------------------------------
> > > -
> > > This list is sponsored by: Information Assurance Certification Review
> > > Board
> > >
> > > Prove to peers and potential employers without a doubt that you can
> > > actually do a proper penetration test. IACRB CPT and CEPT certs require
> > > a full practical examination in order to become certified.
> > >
> > > http://www.iacertification.org
> > > -----------------------------------------------------------------------
> > > -
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Information Assurance Certification Review Board
> >
> > Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
> > and CEPT certs require a full practical examination in order to become certified.
> >
> > http://www.iacertification.org
> > ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
> and CEPT certs require a full practical examination in order to become certified. 
>
> http://www.iacertification.org
> ------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------