Detecting and Preventing Intrusion
Has your organization implemented intrusion-detection and/or intrusion-prevention techniques? PCI Requirement 11.4 requires that organizations implement the following:
- Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network.
- Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment.
- Alert personnel to suspected compromises.
- Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.
The PCI Requirement 11.4 guidance explains that intrusion-detection and/or intrusion-prevention techniques compare the traffic entering your network against the known behaviors of common compromise types (hacker tools, Trojans, and other malware) and then send alerts and/or stop the attempt as it happens. Without PCI Requirement 11.4 compliance and a proactive approach to detecting unauthorized activity, attacks on or misuse of computer resources could go unnoticed in real time.
Your organization needs to implement an IDS/IPS, an intrusion detection or prevention system. This asset or device needs to be installed at the perimeter of your network and at the critical points or junctions within your cardholder data environment. The IDS/IPS also needs to be managed, so from an assessment perspective we need to confirm that the definitions you are using are appropriately configured, that they are kept up to date, and that they are managed so you can identify which of two things is happening: either your organization is blocking those attacks, or, if it is not blocking them, staff are being notified immediately and are reacting appropriately to those events.
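As an added illustration (not part of the original guidance or any vendor's tooling), the following Python script turns the four Requirement 11.4 bullets into assessment checks run over constructed sensor and alert evidence; the field names, sensor placements, and the seven-day signature-age threshold are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample evidence. Field names are assumptions for this example,
# not the export format of any particular IDS/IPS product.
REQUIRED_POINTS = {"internet-perimeter", "cde-core-switch", "cde-db-segment"}
MAX_SIGNATURE_AGE = timedelta(days=7)  # assumed organizational policy
AS_OF = datetime(2024, 5, 3, tzinfo=timezone.utc)  # constructed assessment date

SENSORS = [
    {"name": "ids-edge-1", "monitors": "internet-perimeter", "mode": "prevent",
     "signatures_updated": "2024-05-01T03:00:00Z"},
    {"name": "ids-core-1", "monitors": "cde-core-switch", "mode": "detect",
     "signatures_updated": "2024-04-02T03:00:00Z"},
]
ALERTS = [
    {"sensor": "ids-core-1", "severity": "high", "action": "alert", "acknowledged_by": None},
    {"sensor": "ids-edge-1", "severity": "high", "action": "blocked", "acknowledged_by": "soc"},
    {"sensor": "ids-core-1", "severity": "low", "action": "alert", "acknowledged_by": None},
]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def uncovered_points(sensors, required=REQUIRED_POINTS):
    """Bullets 1-2: every perimeter and critical CDE point needs a sensor."""
    return sorted(required - {s["monitors"] for s in sensors})

def stale_sensors(sensors, now, max_age=MAX_SIGNATURE_AGE):
    """Bullet 4: sensors whose signature bundle is older than the policy allows."""
    return sorted(s["name"] for s in sensors
                  if now - parse_ts(s["signatures_updated"]) > max_age)

def unhandled_alerts(alerts):
    """Bullet 3: a high-severity event must be blocked or acknowledged by staff."""
    return [a for a in alerts if a["severity"] == "high"
            and a["action"] != "blocked" and not a["acknowledged_by"]]

def assess(sensors, alerts, now):
    """Return findings per check; an empty list for every key means no gap."""
    return {
        "coverage": uncovered_points(sensors),
        "stale_signatures": stale_sensors(sensors, now),
        "unhandled_alerts": [a["sensor"] for a in unhandled_alerts(alerts)],
    }

if __name__ == "__main__":
    for check, gaps in assess(SENSORS, ALERTS, AS_OF).items():
        print(f"{check}: {'OK' if not gaps else gaps}")
```

Against the constructed evidence the script reports a missing sensor on the database segment, a stale signature set on the core sensor, and one high-severity alert nobody acted on.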