Scan softly and carry a big scope – PCI clarifies wireless guidelines

Blog Post created by rapid7-admin on Jul 21, 2009

Originally Posted by Sheldon Malm

In an Information Supplement released by the PCI Security Standards Council, the requirements for securing Wireless Access Points just got a lot clearer. 

The Special Interest Group (SIG) has completed the review of the Wireless guidelines within the DSS and is taking aim at clarifying requirements for managing wireless communications.  As has become the hallmark of the PCI SSC, the guidelines are practical and prescriptive.  Here is a summary of the 9 key areas:


1. Maintain a hardware inventory
2. Wireless scanning to look for rogue APs
3. Segmenting wireless networks
4. Physical security of wireless devices
5. Changing default passwords and settings on wireless devices
6. Logging of wireless access and intrusion prevention
7. Strong wireless authentication and encryption
8. Use of strong cryptography and security protocols
9. Development and enforcement of wireless usage policies

This update takes on a common misconception that has plagued the standard since its inception.  Wireless security assessments were widely believed to apply only to Access Points that transmit cardholder data; the recent update makes it clear that this is not the case.  As a matter of fact, the division between requirements for all networks and those for in-scope wireless networks cuts to the heart of the issue: even for customers who believe they have no wireless devices deployed, the update makes it clear that - in addition to wire-side scanning - *wireless* scanning must be done at least quarterly.  Once found, detected devices are in scope unless they are *completely* segmented from the Cardholder Data Environment.
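As an added illustration (not code from the post or from Rapid7), here is a small reconciliation of a wireless scan against the hardware inventory, applying the scope rule above, plus the quarterly-cadence check. All BSSIDs, SSIDs and dates are constructed; the 90-day reading of "quarterly" and the exact BSSID-to-wired-MAC match are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inventory (PCI area 1, hardware inventory); BSSIDs are made up.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": "guest-wifi, segmented from the CDE",
    "00:11:22:aa:bb:02": "corp-wifi, segmented from the CDE",
}

# Constructed wire-side evidence: MACs seen on switch ports inside the CDE VLAN.
CDE_WIRED_MACS = {"00:11:22:aa:bb:02", "de:ad:be:ef:00:01"}


@dataclass(frozen=True)
class WirelessHit:
    """One access point observed during an over-the-air (wireless) scan."""
    bssid: str
    ssid: str


# Constructed results of one quarterly wireless walk-through.
SCAN_HITS = [
    WirelessHit("00:11:22:aa:bb:01", "guest-wifi"),
    WirelessHit("de:ad:be:ef:00:01", "linksys"),   # not in inventory, MAC also in CDE VLAN
    WirelessHit("de:ad:be:ef:00:02", "FreeWifi"),  # not in inventory, no CDE-side evidence
]


def classify(hits, authorized, cde_wired_macs):
    """Return {bssid: status}. Anything missing from the inventory is rogue and
    stays in scope until it is proven completely segmented from the CDE; a rogue
    whose MAC also appears on the CDE segment is flagged first. Matching BSSID to
    wired MAC by plain equality is a simplification assumed for this example."""
    status = {}
    for hit in hits:
        if hit.bssid in authorized:
            status[hit.bssid] = "authorized"
        elif hit.bssid in cde_wired_macs:
            status[hit.bssid] = "rogue-bridged-to-cde"  # in scope; investigate first
        else:
            status[hit.bssid] = "rogue-unverified"      # in scope until segmentation is proven
    return status


def scan_overdue(last_scan_iso: str, today_iso: str, max_days: int = 90) -> bool:
    """Quarterly cadence check; 90 days is this example's reading of 'at least quarterly'."""
    last_scan, today = date.fromisoformat(last_scan_iso), date.fromisoformat(today_iso)
    return today - last_scan > timedelta(days=max_days)
```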

This, of course, is likely to be applauded by the Security Community overall.  Wireless Access Points are a critical piece of the attack surface, and if they are vulnerable or poorly configured, they represent low-hanging fruit for attackers to gain access to your network.  They represent a unique challenge for Security and PCI, as wireless interfaces are a ripe channel for rogue devices to connect to your network.

To deal with this challenge, the Council and SIG have made an important clarification: wireless detection is a requirement even for organizations that do not use wireless devices in their Cardholder Data Environment.  In other words, even if you don't implement a wireless device at all, you are required to demonstrate that Wireless Access Points are not connected to your network.

It's important to note that there are no new requirements in this update, but these are important clarifications.  Ultimately, this is one step closer to converging PCI Compliance and Security.  It is also important to note that this is not something that we in the wired scanning space can solve on our own.

For those who saw my inaugural post, you can be certain that this is precisely the kind of issue that can only be addressed by Customers, Community, and Competitors working together.  If you want to be part of the solution, we’d love to hear from you.