Five key steps to understand the system hardening standards.
Once a system is hardened and deployed into an environment, it’s critical to maintain its level of security through proactively updating or patching it to mitigate new vulnerabilities and weaknesses that are discovered. The hardening process should then be updated to include these new patches or software versions in the baseline configuration, so that the next time a similar system is deployed, old vulnerabilities are not re-introduced into your environment.
5 Steps to Comply with PCI Requirement 2.2
There are five steps you should follow to comply with PCI 2.2, which can more easily be understood through the analogy of building and protecting a home.
Fences, gates, and other such layers may protect your home on the outside, but system hardening is the act of making the home itself (the bricks, siding, doors, and everything inside) as strong as possible.
Many falsely believe firewalls and data security software layers are enough to protect systems and to comply with system hardening requirements. In reality, system hardening is all about locking, protecting, and strengthening components of the actual system, not protecting it by adding new security software and hardware.
Step 1: Understand you’re not safe right out of the box
Plenty of system administrators have never thought about system hardening. They probably think, ”We just installed our system . . . why would it have a problem already?”
In the same way you shouldn’t rely 100% on your builder to secure your home, you shouldn’t expect your system to be 100% secure when you pull it out of the box. Windows, Linux, and other operating systems don’t come pre-hardened. It’s your job to figure out how to make them safe, and it’s going to take work on your part.
A lot of merchants assume system hardening is part of a POS installer’s job. Most of the time, it’s not. If the installer does take on that responsibility, they’re probably not doing it correctly because they don’t understand the PCI DSS.
When installing a new POS system, the PCI Council recommends hiring a PCI DSS Qualified Integrated Reseller (QIR) because they’ve gone through training to understand system hardening and other PCI DSS qualifications.
SEE ALSO: Recording Your QIR: SecurityMetrics’ New QIR Feature
Step 2: Get help with system hardening
For example, the home design you choose may have lots of windows, which may weaken the structure. Builders have guidelines on how to correctly frame out windows to ensure they won’t be a point of weakness.
Similarly, there are guidelines created by organizations (see above bullet points) that help system administrators understand the common holes in operating systems and environments they want to integrate.
Available online, these comprehensive instructions outline the most critical steps to secure your system from attacks. The guidelines usually list vulnerability descriptions, procedures to remediate vulnerabilities, online references to learn more about the vulnerability, and other specific configurations on how to harden that particular part of the system.
Step 3: Prepare for research
Just as each home is different, each system environment is modified to fit your organization’s specific needs. You may want to run a specific OS version, a newer web server, or use a free database application.
Because every environment is unique, there usually isn’t a simple how-to document that fits your specific needs. This means system hardening, and compliance with Requirement 2.2, will require a fair amount of research and discovery time on your part.
You must spend the time researching and finding guidelines that pertain to each specific part of your environment, and then combine the applicable pieces to form your own standard.
Step 4: Harden your systems
Similarly, hardening your systems takes a lot of detailed work and tweaking. For example, some guidelines can require you to:
- Disable a certain port
- Stop a service
- Remove a feature of the OS
- Uninstall software
Here are some key examples from the PCI DSS that state specifically how you’re supposed to harden your systems. Pay attention to these two examples, as they are common PCI 2.2 compliance problems:
Example 1: Ensure servers don’t have more than one primary function
Example 2: Remove unnecessary services and functionality
5. Document your hardened systems
Documentation is key to system hardening. It’s important to keep track of why you chose certain hardening standards and the hardening checklists you’ve completed.
Here are three reasons why:
- PCI auditors: After you ensure all system hardening guidelines are met, you may be asked to convince others (PCI auditors) that you did a good job. Your auditor wants to know and see that you did your research, and have applied appropriate settings for each system.
- New hires: If you leave a company, how will the new IT director know exactly what you did to harden the organization’s systems? Documentation helps drop the breadcrumbs for replacements to understand what’s already been done with the system.
- Yourself: If you decide to change an aspect of your environment and already have the documentation for existing systems, you’ve cut out hours of time-consuming research.
Once you document and establish your configuration hardening standard be sure that it is not a static document. It should be reviewed annually for needed changes and updated as methods of compromising systems develop. Criminals are constantly finding new ways to exploit vulnerabilities. They have developed tools to quickly check and automatically exploit old vulnerabilities. It is shocking that I still run into systems that are not being patched on a regular basis. This is plain system administrator negligence and is similar to leaving the keys in your brand-new Ferrari and inviting thieves to take a test drive. Not hardening systems makes you an easy target increasing your risk for a system breach.
There’s No Easy Button to Comply with PCI Requirement 2.2
There is no easy button for the PCI DSS, and especially for PCI Requirement 2.2. There aren’t magic tools to harden your system automatically. There is no master checklist that applies to every system or application out there. Creating an effective hardening standard can be a research-heavy project. Luckily, there is a lot of information available in the form of industry-standard guidelines that can help you know where to start.The time and resources involved in system hardening are well-spent. Creating and applying appropriate hardening standards in your environment will go a long way toward securing the data that is so critical to your business.
If you need assistance with system hardening, I recommend talking to IT security consultants who are well equipped with both PCI DSS experience and IT proficiency.
George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.