I got a comment regarding my post titled “Wireless Security – Random Thoughts On How To Fix” asking what sorts of compensating controls would address requirement 11.1. Since I have been looking for a topic, I thought I would address this as well as provide people with an example of how you develop a compensating control.
In order to construct a proper compensating control, you must first do two basic things:
- Define the objective of the original requirement; and
- Identify how the compensating control addresses that objective.
In order to be able to define the objective for the original requirement, you need to understand the requirement. Requirement 11.1 states, “Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.” On the face of it the purpose of requirement 11.1 is to ensure that all wireless access points are accounted for at each location using a wireless scanner or WIDS/WIPS, so that any potential rogue access points are identified and therefore can be removed from the network. But is that the “real” objective of the requirement? Before you go running off for alternative ways of identifying rogue access points, let us ruminate a bit further about the objective of requirement 11.1. What is the “real” objective of requirement 11.1? The real objective is to make sure that rogue access points do not end up on your network and if they do, you can identify and remove them as soon as possible.
Remember the criteria for compensating controls. Compensating controls must:
- Meet the intent and rigor of the original PCI DSS requirement;
- Provide a similar level of defense as the original PCI DSS requirement; and
- Be “above and beyond” other PCI DSS requirements. An existing PCI DSS requirement CANNOT be used as a compensating control if it is already required for the item under review, but it MAY be used if it is required for another area and is not required for the item under review.
With all of this in mind, what are controls you can put in place to keep rogue wireless access points from being placed on your network in the first place? The following should not be considered a complete list of controls you can put in place, but it does provide enough controls to create a compensating control for requirement 11.1.
- Disable all unused switch ports. If unused switch ports are disabled, a rogue access point cannot be installed simply by plugging it into an open port on the switch. This approach is usually not appreciated by network administrators, as it requires re-enabling a port whenever a device needs to be added at a location, and it can be disliked by remote facility personnel because it adds delay in getting another network device on the network. Note that it does not stop someone from unplugging an authorized device and connecting the rogue access point to that live port, which is why the controls that follow are also needed. While this control is referenced in requirement 9.1.2, it is not germane to requirement 11.1, so we can use it in our compensating control for requirement 11.1.
- Enable MAC address filtering (port security) on the switch ports. This control restricts which device can be plugged into an active switch port, essentially tying a single device to a single switch port. As with the first bullet, MAC address filtering creates a network management issue whenever you want devices added or changed, so you will be adding to the effort required to change any devices out in the field. Keep in mind that a MAC address is trivially cloned, so an attacker who learns the address of the device already on a port can impersonate it; the value of this control is that it raises the effort required and that a violation generates an event you can alert on, not that it prevents a rogue device on its own. Since MAC address filtering is not required by the PCI DSS, this control goes above and beyond.
- Monitor switch ports and generate alerts whenever a device is unplugged from or plugged into a switch port. Most managed switches log a link up/down event when a device is unplugged or plugged in, and those events should be investigated immediately. Such events can be the first sign of someone trying to connect a rogue device, whether a wireless access point or their own laptop. Monitoring of this nature is required as part of requirement 10. However, how you use that monitoring to meet requirement 11.1 is not considered part of requirement 10, so you can use the information you already gather and monitor under requirement 10 to meet your requirement for 11.1.
- Monitor the network for any devices that do not respond to SNMP inquiries using your organization’s own (non-default) SNMP community string. If a device does not respond to SNMP inquiries using that community string, it is either misconfigured or does not belong, so if you cannot communicate with a device it needs to be investigated and either fixed or removed. Treat this as a way to find unknown devices rather than proof that a responding device is authorized: SNMPv1 and v2c community strings travel in cleartext and are not a secret you can rely on, so use SNMPv3 where your equipment supports it. Monitoring of this sort is not even called out in requirement 10, so I would say that it goes above and beyond.
- Disable dynamic host configuration protocol (DHCP). DHCP is a wonderful service, but it is also a dangerous one, because it hands an IP address, default gateway and DNS servers to any device that asks, whether it belongs on your network or not, the moment it connects. Any device that can obtain an address that way has working connectivity to your network immediately. By not implementing DHCP, you require all devices to be preconfigured with a static address for their segment of the network. This only raises the bar, since an attacker who can sniff the segment can read a valid address and configure one manually, so it should be paired with the port controls above. Your networking people will likely not appreciate it, but it provides a good security feature. DHCP is called out as part of requirement 9.1.2, but again, it is not germane to 11.1, so we can use it here in our compensating control.
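The switch-port monitoring and port-security bullets above describe the detection logic in words; the script below shows what it looks like when run over switch syslog. It is an added example, not code from the original post, and everything in it is constructed: the hostnames, the port inventory, and the log lines, which are modeled on Cisco IOS-style LINK-3-UPDOWN and PORT_SECURITY messages. It flags a link-up on any port that is not in the store’s inventory (a port that should have been disabled), a link-down followed quickly by a link-up on an inventoried port (the classic “unplug the register, insert the access point, plug the register back in”), and any port-security violation.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample syslog lines in Cisco IOS style; these are NOT real captured logs.
SAMPLE_LOGS = """\
Jan 12 02:14:07 store042-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down
Jan 12 02:14:31 store042-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
Jan 12 02:14:33 store042-sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/7.
Jan 12 03:00:00 store042-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
Jan 12 09:15:00 store042-sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Hypothetical port inventory for one store: only these ports should ever carry traffic.
# Any other port is expected to be administratively disabled.
PORT_INVENTORY = {
    "GigabitEthernet1/0/7": "POS register 1",
    "GigabitEthernet1/0/8": "POS register 2",
    "GigabitEthernet1/0/24": "uplink to router",
}

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>%.*)$")
LINK_RE = re.compile(r"%LINK-\d-UPDOWN: Interface (?P<port>\S+), changed state to (?P<state>up|down)")
PSEC_RE = re.compile(r"%PORT_SECURITY-\d-PSECURE_VIOLATION: .* MAC address (?P<mac>\S+) on port (?P<port>\S+?)\.?$")

# A down followed by an up within this window looks like a device swap rather than a reboot.
SWAP_WINDOW_SECONDS = 300


@dataclass
class Alert:
    severity: str
    host: str
    port: str
    reason: str


def parse_ts(ts: str, year: int = 2024) -> datetime:
    # Syslog timestamps carry no year; assume one so intervals can be computed.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(log_text: str, inventory: dict) -> list:
    """Return the alerts a reviewer should investigate, in log order."""
    alerts = []
    last_down = {}  # (host, port) -> time of the most recent link-down
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, host, msg = parse_ts(m["ts"]), m["host"], m["msg"]

        link = LINK_RE.search(msg)
        if link:
            port, state = link["port"], link["state"]
            key = (host, port)
            if state == "down":
                last_down[key] = ts
                continue
            if port not in inventory:
                alerts.append(Alert("high", host, port,
                                    "link up on a port that is not in the inventory (should be disabled)"))
            elif key in last_down and (ts - last_down[key]).total_seconds() <= SWAP_WINDOW_SECONDS:
                gap = int((ts - last_down[key]).total_seconds())
                alerts.append(Alert("medium", host, port,
                                    f"{inventory[port]}: link down then up within {gap}s, possible device swap"))
            continue

        psec = PSEC_RE.search(msg)
        if psec:
            alerts.append(Alert("high", host, psec["port"],
                                f"port-security violation from MAC {psec['mac']}"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS, PORT_INVENTORY):
        print(f"[{a.severity.upper()}] {a.host} {a.port}: {a.reason}")
```

In practice the inventory would come from the same change process that re-enables ports, so that a legitimate add shows up as an expected event rather than an alert; the point of the example is that the link events you already collect for requirement 10 are enough to raise the rogue-device question without any wireless scanning.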
Because these controls can have a significant impact on your network and computing environment, we need to discuss a few more items.
First, you only need to disable DHCP at your retail locations, not your corporate office. Typically, an organization has far more control over its computing environment at the corporate office than at its retail locations. As a result, leaving DHCP enabled at the corporate office is not as risky, but you should still disable unused switch ports and unused jacks throughout all of your facilities.
If you are going to use wireless in any of your organization’s locations, make sure to properly isolate the wireless network from the rest of your network. Even though you have implemented all of the compensating controls above to protect your network from rogue access points, you still need to ensure a secure wireless networking environment. If you need wireless for operational purposes, secure it properly so that it cannot easily be compromised. Such measures typically include WPA2 Enterprise security and, often, not broadcasting the SSID; treat the latter as a minor convenience rather than a control, since the SSID is still visible in probe and association frames to anyone with a wireless analyzer.
If you wish to provide wireless access to guests at your corporate office, make sure that their traffic is separated from any other wireless traffic and that they are only granted access to the Internet and no other internal resources. A lot of organizations today require even guests to authenticate to their wireless as an extra security measure to keep people from using the available bandwidth at will as well as providing a mechanism to have guests acknowledge their responsibilities when using the wireless network.
Once you have the aforementioned information documented, you still have a few more things to cover in your compensating control. You need to implement your own feedback loop on these controls to ensure that they are functioning as designed. Unlike Ron Popeil’s miracle TV oven, you cannot just “set it and forget it” with these controls. You need a plan to periodically follow up on all of them. Typically, that means tracking statistics collected from the monitoring controls: how many link and port-security events were raised, how many were investigated, and how quickly. It also means periodically observing the controls in action to confirm that monitoring is actually taking place and that unused ports really are disabled. This sort of follow up is easily implemented as part of your financial field audit work.
In addition to your own follow up, your QSA also has to document what they did to confirm that these controls were in place and functioning as designed. Their work will be similar to your own internal follow up work, but will likely be less extensive than your internal work as long as no exceptions are found.
You should now have a compensating control for requirement 11.1. But better than that, you should now have a much better understanding of how a compensating control is developed and documented.