What is PCI Requirement 10.5.4?

Another element to PCI Requirement 10 is PCI Requirement 10.5.4, which requires organizations to write logs for external-facing technologies onto a secure, centralized, internal log server or media device. The PCI DSS explains the purpose of PCI Requirement 10.5.4 when it states, “By writing logs from external-facing technologies such as wireless, firewalls, DNS, and mail servers, the risk of those logs being lost or altered is lowered, as they are more secure within the internal network.”

During an assessment, an assessor will examine logs from external-facing technologies and ensure they are written onto a secure, centralized, internal log server or media.

Back in PCI Requirement 1, we talked about establishing a DMZ. You’re going to have firewalls, web servers, email servers, SFTP servers, or a plethora of other devices out there. What we require from the PCI perspective is that the logs being generated by those devices are pulled back into your internal environment. Your assessor is going to be pulling the configurations from those devices and looking at where you’re writing those logs to, making sure that those particular logs are pulled out of the DMZ and stored within the secured portion of your network.
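The assessor’s check described above, pulling the device configuration and looking at where the logs go, can be scripted. The following is an added example, not code from the original article or from any assessment tool: it parses the classic rsyslog forwarding actions (`*.* @@host:port`, where `@` is UDP and `@@` is TCP) from a DMZ host’s configuration and reports whether every destination sits inside the internal network. The internal address range, the sample configurations and their addresses are constructed for the example.

```python
"""Check that a DMZ host's rsyslog configuration forwards its logs to an
internal, centralized collector (the control PCI DSS 10.5.4 describes).

Added example, not from the original article. The rsyslog syntax handled is
the classic action format ("*.* @@host:port", "@" = UDP, "@@" = TCP); the
addresses, networks and config text below are constructed sample data.
"""
import ipaddress
import re

# Constructed: the address space the organisation treats as "internal".
INTERNAL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Classic rsyslog forwarding action: selector, then @ (UDP) or @@ (TCP),
# then host[:port]. Comments and non-forwarding rules are ignored.
FORWARD_RE = re.compile(
    r"^\s*(?P<selector>\S+)\s+(?P<proto>@@?)(?P<host>[^:\s]+)(?::(?P<port>\d+))?\s*$"
)

def parse_forwarders(config_text):
    """Return (selector, transport, host, port) for each forwarding action."""
    found = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        m = FORWARD_RE.match(line)
        if not m:
            continue
        transport = "tcp" if m.group("proto") == "@@" else "udp"
        port = int(m.group("port") or 514)    # syslog default port
        found.append((m.group("selector"), transport, m.group("host"), port))
    return found

def is_internal(host):
    """True if host is an IP literal inside one of INTERNAL_NETWORKS."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                           # hostnames are not resolved here
    return any(addr in net for net in INTERNAL_NETWORKS)

def check_forwarding(config_text):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    forwarders = parse_forwarders(config_text)
    if not forwarders:
        findings.append("no remote log destination configured")
        return findings
    if not any(is_internal(h) for _, _, h, _ in forwarders):
        findings.append("no forwarding target is inside the internal network")
    for selector, transport, host, port in forwarders:
        if not is_internal(host):
            findings.append(f"{selector} -> {host}:{port} is not an internal address")
        if transport == "udp":
            findings.append(f"{selector} -> {host}:{port} uses UDP; delivery is best-effort")
    return findings

# Constructed sample: a DMZ web server forwarding to a DMZ neighbour over UDP.
BAD_CONFIG = """
# /etc/rsyslog.d/50-forward.conf (constructed sample)
*.*   @192.0.2.50:514
"""

# Constructed sample: everything shipped over TCP to the internal collector.
GOOD_CONFIG = """
*.*   @@10.20.5.10:6514
"""

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, check_forwarding(cfg) or "OK")
```

The UDP finding is deliberate: a log line dropped in transit is exactly the "lost or altered" outcome the requirement is guarding against, so a reliable transport to the internal collector is what an assessor will want to see.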

Root or Administrative Privileges

Accounts that have root or administrative privileges have a greater chance of impacting the security and functionality of a system. This is why PCI Requirement 10.2.2 requires that organizations implement automated audit trails to reconstruct all actions taken by an individual with root or administrative privileges. Without logging mechanisms enabled, how could you trace issues resulting from misuse of root or administrative privileges?

To verify compliance with PCI Requirement 10.2.2, an assessor will observe audit logs and interview the responsible personnel to ensure that all actions taken by an individual with root or administrative privileges are being logged.

Video Transcript

Anytime anybody with administrative access or privileged access performs an action, those things need to be logged – whatever they’ve done needs to be logged. If there’s one reason why an individual should not be running around checking their email with administrative privileges, this might be it. From an administrative and logging perspective, what we recommend is that they might have two accounts. One for their normal administrative actions and then another account set aside for their normal online activities such as surfing the Internet or checking their email. But effectively, all actions taken by anybody with root or administrative privileges need to be logged. Where we often find problems with PCI Requirement 10.2.2 is the logging of your changes or logging of your network. For example, if you log into a firewall or router, those are administrative actions that need to be logged. The assessor is going to make sure that logging is enabled; they’re going to be looking for evidence that any time somebody does anything from an administrative perspective, those actions get logged.

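On a Linux host, the audit trail Requirement 10.2.2 asks for is usually assembled from sudo’s syslog entries. The following is an added example, not code from the original article: it reconstructs, per user, which commands were run (or refused) as root, and it flags the one case in which that trail goes dark, a sudo invocation that opens an interactive shell, because sudo does not log the commands typed inside that shell. The host name, user names and log lines are constructed samples in the default sudo/syslog layout.

```python
"""Reconstruct the actions taken with root privileges from sudo's syslog
entries, the kind of audit trail PCI DSS 10.2.2 asks for.

Added example, not from the original article. The log lines are constructed
samples in the default sudo/syslog layout; the host and user names are
invented.
"""
import re
from collections import defaultdict

# One sudo command record: timestamp, host, invoking user, optional denial,
# TTY, working directory, target user and the command line.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Commands that hand the user an interactive shell: everything typed inside
# it is invisible to sudo's log, so the audit trail has a hole from here on.
SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/usr/bin/zsh", "/bin/su"}

def parse_sudo_events(lines):
    """Yield one dict per sudo command record; other syslog lines are skipped."""
    for line in lines:
        m = SUDO_RE.match(line)
        if m:
            event = m.groupdict()
            event["denied"] = event["denied"] is not None
            yield event

def privileged_actions(lines):
    """Map each user to the (time, target user, command, denied) tuples they produced."""
    trail = defaultdict(list)
    for ev in parse_sudo_events(lines):
        trail[ev["user"]].append((ev["ts"], ev["target"], ev["cmd"], ev["denied"]))
    return dict(trail)

def audit_findings(lines):
    """Return the records an assessor would want called out next to the trail."""
    findings = []
    for ev in parse_sudo_events(lines):
        if ev["denied"]:
            findings.append(f"{ev['ts']} {ev['user']} denied: {ev['cmd']}")
        elif ev["cmd"].split()[0] in SHELLS:
            findings.append(f"{ev['ts']} {ev['user']} opened a root shell; "
                            f"subsequent commands are not in this log")
    return findings

# Constructed sample log (host, users and commands are invented).
SAMPLE_LOG = [
    "Mar  3 10:14:02 dmz-web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd",
    "Mar  3 10:14:02 dmz-web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1001)",
    "Mar  3 10:16:05 dmz-web01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 10:31:48 dmz-web01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash",
]

if __name__ == "__main__":
    for user, actions in privileged_actions(SAMPLE_LOG).items():
        for ts, target, cmd, denied in actions:
            print(f"{ts} {user} as {target}: {cmd}{' (DENIED)' if denied else ''}")
    for finding in audit_findings(SAMPLE_LOG):
        print("!", finding)
```

The shell finding is the practical caveat: where administrators routinely run `sudo -i` or `sudo bash`, the sudo log alone cannot reconstruct their actions, and session recording or auditd rules are needed to satisfy the requirement.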

Myths about the Cloud and BC/DR Plans

When it comes to Business Continuity and Disaster Recovery Plans for cloud environments, we often hear this feedback:

  • “I’m in the cloud so I don’t have to worry about Business Continuity and Disaster Recovery Plans because my cloud provider does those for me.”
  • “We don’t need to test our Business Continuity and Disaster Recovery Plans, we’ve thought it all through.”
  • “Our cloud service provider is taking care of all our availability concerns, we don’t need Business Continuity and Disaster Recovery Plans.”
  • “Everything is in the cloud, so we aren’t at risk.”

This way of thinking couldn’t be further from the truth, though. This lift and shift methodology is hurting businesses who believe cloud service providers take care of business continuity and disaster recovery needs. Business Continuity and Disaster Recovery Plans are not a technology roadmap; they describe how to recover business operations, which includes people and processes. How could cloud service providers cover your people and processes? Getting into the lift and shift mindset cultivates complacency, which is a dangerous spot to be in.

In this webinar, Michael Burke gives listeners food for thought on what Business Continuity and Disaster Recovery Plans are, why you should test them, best practices, and how the cloud impacts them.

Want to learn more about cloud security and the assessment options that are available? Contact us today.

More Business Continuity and Disaster Recovery Resources

Business Continuity and Disaster Recovery Planning Checklist

3 Steps for an Effective Disaster Recovery Plan

How Cloud Computing is Changing Small Business

How has the cloud impacted your organization’s security? Has it left you wondering – what consequences could we face if a malicious outsider gained access to our cloud environment? Would our clients stay loyal to us if our database was compromised? What can we do to implement cloud security?

Our five best practices for cloud security, especially in Azure and AWS environments, include:

  • Identity and Access Management (IAM)
  • Multi-factor authentication (MFA)
  • Hardening techniques,
  • Monitoring programs, and
  • Industry-accepted cloud security tools.

These best practices for cloud security work together and sometimes overlap to give your cloud environment the protection that it needs.

Learn more about the 12 most common cloud security problems most businesses face.

Implement IAM Best Practices

Implementing Identity and Access Management (IAM) best practices is a vital aspect of cloud security. IAM is a process for managing electronic or digital identities. Without IAM, you can’t track who has which type of access and what actions someone has taken with their access. IAM best practices include policies that outline strong password requirements, key rotation every 90 days or less, role-based access controls, and multi-factor authentication.

Azure and AWS both provide their recommendations for IAM.
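Two of the practices listed above, key rotation within 90 days and MFA on every account, can be checked from a credential inventory. The following is an added example, not code from the original article and not Azure or AWS tooling: it reads a CSV laid out loosely like a cloud credential report (the columns, user names and dates are constructed for the example) and reports active access keys older than 90 days and password-enabled accounts without MFA.

```python
"""Review an IAM credential inventory against two of the best practices the
article lists: access keys rotated at least every 90 days, and MFA on every
account that can sign in with a password.

Added example, not from the original article or from AWS/Azure tooling. The
CSV layout is modelled loosely on a cloud credential report but is
constructed here, as are the user names, dates and the reference "now".
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)

# Constructed reference time so the results are reproducible.
REFERENCE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Constructed sample inventory. Timestamps are ISO 8601 in UTC; "N/A" means
# the key slot is unused.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,true,true,true,2024-01-10T09:00:00Z,false,N/A
bob,true,false,false,N/A,false,N/A
deploy-svc,false,false,true,2023-09-01T12:00:00Z,true,2024-02-20T12:00:00Z
carol,true,true,true,2023-05-15T08:30:00Z,false,N/A
"""

def _parse_ts(value):
    """Parse a UTC timestamp from the report; None when the field is unused."""
    if value in ("N/A", ""):
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_credentials(report_text, now):
    """Return (user, finding) pairs for every policy violation in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        # Console sign-in is possible but no MFA device is enrolled.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console login without MFA"))
        # Every active key must have been rotated within MAX_KEY_AGE.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                age = "unknown" if rotated is None else f"{(now - rotated).days} days"
                findings.append((user, f"access key {slot} not rotated for {age}"))
    return findings

if __name__ == "__main__":
    for user, finding in review_credentials(SAMPLE_REPORT, REFERENCE_NOW):
        print(f"{user}: {finding}")
```

Service accounts such as `deploy-svc` are the usual offenders: they have no console password, so the MFA rule does not apply, but their long-lived keys are exactly what a rotation policy exists to catch.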

Utilize Multi-Factor Authentication

As part of IAM, implementing access controls based on business need to know is a crucial aspect of cloud security. Access controls are key to preventing data breaches, account hijacking, breaches caused from shared resources, and creating a secure identity and access management (IAM) system, among other benefits. The more people who have access to sensitive areas, the more risk there is.

Implementing access controls like multi-factor authentication (MFA) adds an additional security measure for protecting user names and passwords. When MFA is enabled, a user will be asked for their user name, password, and a secondary verification method. This is something you know, something you have, or something you are. How many times have you entered your PIN after swiping your payment card this week? Your PIN is something you know. Has a website ever texted you a one-time password in order to log on? That one-time password is something you have. Do you use the face ID or fingerprint function to unlock your smartphone? Your face or fingerprint is something you are. This type of verification method, when used in addition to unique IDs, helps protect user IDs from being compromised, since the one attempting the compromise needs to know both the unique ID and the password.

Azure and AWS make multi-factor authentication (MFA) an easy to use, scalable, protected, and reliable control.

Identify Responsibility

To close some of the gaps in cloud security, you must understand what the cloud service provider is responsible for and what the cloud service customer is responsible for. If responsibility for cloud security is not defined, cloud security could be compromised. In general, the shared responsibility model outlines that providers are responsible for security of the cloud, and customers are responsible for security in the cloud. Cloud service providers and customers must work together to meet cloud security objectives.

Azure and AWS both define the shared responsibility model to give some perspective on how important it is to identify responsibility.

Continuous Monitoring Program

A monitoring program should be a continuous, mostly automated process. Making your monitoring program a priority will help solve small problems or risks before they become a much larger issue.

Your monitoring program should answer: What are your goals for monitoring? Which resources will you monitor? Which monitoring tools will you use? How often will you monitor these resources? Who will perform the monitoring tasks? Who will be notified of an incident?

Utilize Cloud Security Tools

Cloud service providers have developed many cloud security tools to help their customers achieve secure environments. Cloud security is just as important to providers as it is to customers. These tools can help you achieve best practices for cloud security, automate security assessments, give alerts for security incidents, and assess data security requirements to verify the security and compliance of cloud solutions. Amazon CloudWatch, Amazon Inspector, and Azure Security Center are a few examples of industry-accepted tools. You could also utilize another trusted advisor or tool, like a third-party auditing firm or internal audit.

Has your organization implemented these five best practices for cloud security? Contact us today to start learning about protecting your cloud environments.

More Cloud Security Resources

The Top 10 Most Downloaded AWS Security and Compliance Documents in 2017

Azure Data Security and Encryption Best Practices

CIS AWS Foundations Benchmark

12 Risks You Need to Know to Secure Your Cloud Environment

Cloud Security: The Good, The Bad, and The Ugly

Herbert McMorris, KirkpatrickPrice Information Security Specialist, will discuss penetration testing and business impact analyses at ISACA’s North America CACS Conference, taking place April 30-May 2, 2018 in Chicago, Illinois.

IT audit, risk, cybersecurity, and governance professionals from across the continent will gather at the Chicago Hilton to examine the transformational role they play in their organizations. Attendees will learn solutions and strategies, including how assurance, risk, governance, and security professionals can advance their careers and impact their enterprises.

This year’s event offers more than 70 sessions in tracks covering:

  • Big Data, Data Analytics & Visualization
  • IT Operations for Auditors
  • Risk Management
  • Security/Cybersecurity
  • IS Audit and Assurance
  • IT Leadership: Career and Communications Development
  • Governance and Compliance
  • Industry Trends & Insights

In Session 223, “BIA: The Root of Security & Recovery Plans,” Herbert will explain the purpose of a Business Impact Analysis, how the BIA applies to risk and recovery programs, the critical outputs from the analysis, and how outputs apply to risk, security, and recovery.

In Session 232, “Auditor’s Guide to a Penetration Test,” Herbert will define the different types of penetration tests, discuss why penetration testing is needed, help listeners understand a penetration test report, and discuss how resolution and mitigation should be verified.

Herbert McMorris has over 36 years of experience working in IT and holds CISSP, CISA, CGEIT, CISM, CRISC, and QSA certifications. In his current position as an Information Security Specialist at KirkpatrickPrice, Herbert specializes in assisting clients in meeting challenging information security and compliance goals.

Additional details, registration and venue information can be found here.

About ISACA

Nearing its 50th year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Technology powers today’s world and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its half-million engaged professionals in information and cyber security, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 215 chapters and offices in both the United States and China.

Twitter: www.twitter.com/ISACANews

LinkedIn: www.linkedin.com/company/isaca

Facebook: www.facebook.com/ISACAHQ

Instagram: www.instagram.com/isacanews/

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 700 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.