- Acronis
- Aruba Networks
- Assuria
- C2C
- Celestix
- Check Point
- Credant
- Cryptocard
- DESlock
- Exinda
- Extricom WLAN
- ForeScout NAC & IPS
- Imprivata SSO
- InfoGov
- IronKey
- Juniper Networks
- Loglogic
- Lumension
- McAfee
- Mimecast
- Netasq EAL4
- Palo Alto Networks
- Safend
- SecurEnvoy
- Sourcefire
- Stonesoft
- Swivel
- Symantec
- Titus Labs
- Trend Micro
- Vasco
- Verity Systems CESG Degausser
- Wallix
- Watchguard
- 1st Responder Services
- Business Support
- Database Security
- Forensics
- Information Systems Security Assessment
- ISO27001 GAP Analysis
- IT Security Awareness
- IT Security Consultancy
- IT Security Standards Compliance Assessment Service
- Penetration Testing
- Physical Security
- Service Management
- Social Engineering
- Wireless Security
- Web Application Test
Requirement 2 Do not use vendor-supplied defaults for system passwords and other security parameters
Malicious individuals (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.
PCI DSS 2.1 Always change vendor-supplied defaults before installing a system on the network—for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
- 2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.
PCI DSS 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
- 2.2.1 Implement only one primary function per server
- 2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device’s specified function).
- 2.2.3 Configure system security parameters to prevent misuse
- 2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary Web servers.
PCI DSS 2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for Web-based management and other non-console administrative access.
PCI DSS 2.4 Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.
Access Control
Imprivata OneSign Single Sign-On provides a single action of user authentication permitting users to access all workstations and applications they are authorized to use. Password-related calls to the IT helpdesk are virtually eliminated by centrally managing each user’s complete collection of application passwords and extending seamless and convenient single sign-on to any enterprise application.
Wallix AdminBastion allows you to control access of your IT service providers, whether internal or external, privilege accounts and high-risk users. You can also record their work sessions and view them as and when needed (audit, incident, etc.). With WAB, you can easily manage IT team turnover, without running the risk of granting acess to your critical servers by individuals who are no longer authorised.
- Session recording
- SSH flow analysis
- Access control
- Real-time supervision
- Single sign-on
Authentication Partners
Standard logins require a user name (often the active directory username) and a static password which even if complex can be beaten by hackers within minutes.
To truly achieve a sufficiently complex password we would recommend using Two Factor Authentication or Strong Mutual Authentication as this will fulfil the Access Control requirement and part of the mobile working requirement together.
CRYPTOCard is a leader and innovator in the Network Authentication Industry with its multi-award winning Two-Factor Authentication solutions. Crypto-Card have 2FA options for every scenario including tokens, magentic stripe access cards, USB tokens, tokenless on Blackberry and Windows mobile as well as software tokens and keyboardless logons and available in a managed service as well as local installation.
Tokenless Two Factor Authentication via SMS to mobile phones and utilises existing network directory structure so doesn't need separate database. SecurEnvoy have a range of tokenless solutions to help with every authentication requirement.
Find out more about SecurEnvoy Tokenless Two Factor Authentication
Swivel PINsafe is a tokenless multifactor authentication solution based on patented technology, offer a CCTM accredited, cost effective image, browser and voice based authentication.
VASCO is the leading supplier of strong authentication and e-signature solutions and services specializing in Internet Security applications and transactions.
Wireless LAN (WLAN) Security
Aruba's integrated policy-enforcement firewall, high-security encryption, standards-based authentication, wireless intrusion detection/prevention, and compliance audit reporting assistance meet or exceed the wireless LAN-specific security requirements in PCI DSS. Merchants using an Aruba solution can cost-effectively implement the security controls required for PCI compliance without compromising the performance of business applications or upgrading legacy networks.
The Extricom WLAN product family is purpose-built to deliver robust, reliable connectivity. Extricom innovation makes the All-Wireless Enterprise possible by delivering voice (VoWLAN), data, video, and location services with an always-on, consistent, and mobile Wi-Fi connection to any client, in any environment.
2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.
PCI DSS Core Principles
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organised:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security
Build and Maintain a Secure Network
By creating a whitelist of approved software, Bit9 ensures only approved services and software are allowed to run on any Windows-centric device. Therefore Bit9 helps Build and Maintain a Secure Network in the following areas;
2.2 Develop configuration standards for all system components.
2.2.2 Disable all unnecessary and insecure services and protocols
2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
© Copyright Castleforce 2007-2012. Web design by Theme Group