AIRTIGHT NETWORKS           WHITEPAPER




Don’t Let Wireless Detour Your PCI Compliance
Understanding the PCI DSS Wireless Requirements


A Whitepaper by AirTight Networks, Inc.


339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043
www.airtightnetworks.com




                                                             © 2009 AirTight Networks, Inc. All rights reserved.
                                    Executive Summary

                                    The Payment Card Industry Security Standards Council (PCI SSC) has
                                    published a PCI DSS Wireless Guideline which acknowledges that
                                    wireless is a clear and present danger to network security, and that those
                                    who collect, store or transmit cardholder data must take steps to ensure
                                    that it is secure, whether or not wireless is deployed in the cardholder data
                                    environment. Though the PCI DSS already included wireless security
                                    requirements, this is the first time that the requirements for wireless
                                    security have been described unambiguously for all cardholder data
                                    environments (CDE). Organizations which handle payment card data
                                    must take steps to secure the CDE against wireless threats, including
                                    unmanaged and unknown wireless devices in the environment, and
                                    must scan all locations. This white paper helps those organizations
                                    understand how the PCI DSS 1.2 wireless requirements apply to them,
                                    how to meet those requirements in a cost-effective way, and how to
                                    secure their networks and cardholder data from wireless threats.




                                   Introduction
                                    Recent incidents have highlighted the growing use of wireless by
                                    cybercriminals to steal sensitive data from both wired and wireless networks. The
                                    TJX incident — the largest known wireless security breach in U.S. history — is
                                    a prime example. Hackers used unsecured wireless as an entry point to access TJX
                                    networks worldwide. Over 90 million credit- and debit-card records and personal
                                    information such as social security numbers, driver’s license numbers, and military
                                    identification of more than 451,000 customers were stolen. A total of nine retail
                                    chains — including Office Max, Boston Market, Barnes & Noble, Sports Authority,
                                    Forever 21, and DSW — were victims of this heist. Forrester Research estimated
                                    the cost incurred to cover financial losses and lawsuit settlements to be one billion
                                    dollars.
                                   Notably the wireless networks that were hacked during this incident were not
                                   necessarily being used for processing cardholder data, but were connected to
                                   wired networks that were part of the cardholder data environment (CDE). This
                                   highlighted the need to comprehensively secure the CDE against all types of
                                   wireless threats including those initiated outside it and those initiated from “Rogue”
                                   wireless access points and clients installed unofficially inside the CDE.
                                   The Payment Card Industry Security Standards Council (PCI SSC) responded
                                   promptly by releasing the latest version 1.2 of the PCI Data Security Standard (PCI
                                   DSS) in October 2008. The PCI SSC’s Wireless Special Interest Group (SIG) followed it
                                   with a “PCI DSS Wireless Guideline” document in July 2009 that clarified the wireless
                                   security requirements for PCI compliance, provided guidance on implementing
                                   secure wireless LANs and outlined methods for protecting against threats from
                                   wireless devices outside the CDE and Rogue wireless devices.



                                   Understanding the Cardholder Data Environment
                                   Fundamental to achieving PCI compliance is to understand what comprises a CDE.
                                   The PCI SSC Wireless SIG defines the CDE as “the computer environment wherein
                                   cardholder data is transferred, processed, or stored, and any networks or devices
                                   directly connected to that environment.”
                                   From a wireless security viewpoint, any wireless device that is deployed officially
                                   or unofficially becomes part of the CDE as long as it provides access to cardholder
                                   data in transit, or in process, or in storage. Any such device is evidently under the
                                   purview of PCI DSS.

                                        Officially deployed wireless access points (APs) and clients can violate PCI DSS
                                        requirements if they are misconfigured or provide CDE access to unauthorized
                                        users. Unofficially deployed Rogue wireless APs and clients can also compromise
                                        the security of the entire network and provide CDE access to unauthorized users.
                                        Depending on how wireless usage influences a CDE, the PCI DSS 1.2 wireless
                                        security requirements can be broadly grouped into two categories:
                                         • Those that address threats from unknown wireless networks and apply
                                           generally to all organizations wanting to comply with PCI DSS; and
                                         • Those that apply to organizations who have deployed an official wireless
                                           network inside the CDE.



                                    PCI DSS 1.2 Wireless Security Requirements for All Organizations

                                    Irrespective of whether or not they have deployed a wireless network,
                                    organizations cannot afford to discount the presence of unknown or unmanaged
                                    wireless devices on their premises. Today all consumer computing devices (e.g.,
                                    laptops, smartphones, PDAs) have WiFi built in. WiFi APs are inexpensive and
                                    available off-the-shelf for anyone to autonomously deploy their own wireless
                                    network at work.

                                        “[Generally applicable wireless requirements] apply to organizations
                                        regardless of their use of wireless technology and regardless of whether
                                        the wireless technology is a part of the CDE or not. As a result, they are
                                        generally applicable to organizations that wish to comply with PCI DSS.”
                                        - PCI Security Standards Council Wireless SIG

                                    The significant risk that these unmanaged wireless devices pose to the CDE has
                                    prompted the PCI Security Council to highlight the following PCI DSS requirements
                                    as applicable to all organizations wanting to comply with PCI DSS. Regardless of
                                    whether an organization runs or bans wireless, it needs to ensure that the CDE
                                    is not plagued with such Rogue wireless devices. These are minimum wireless
                                    scanning requirements.

                                    Conduct Wireless Scans At Least Quarterly at All Locations

                                      PCI DSS Requirement 11.1 Test for the presence of wireless access points by
                                      using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to
                                      identify all wireless devices in use.

                                    Organizations must scan ALL their sites at least quarterly to detect Rogue or
                                    unauthorized wireless devices that may be attached to the CDE. Sampling of a few
                                    sites for scanning is not allowed. Scanning only the CDE wired network does not
                                    serve the purpose, as it cannot detect Rogue wireless devices.

                                        “Although [use of a wireless analyzer for scanning] is technically possible
                                        for a small number of locations, it is often operationally tedious,
                                        error-prone, and costly for organizations that have several CDE locations.
                                        For large organizations, it is recommended that wireless scanning be
                                        automated with a wireless IDS/IPS system.”
                                        - PCI Security Standards Council Wireless SIG

                                    Walking around with a wireless analyzer for conducting scans is a time-consuming
                                    process, limited in scope (in terms of ability to discover Rogue APs and relevance
                                    over a longer time duration), cannot scale for large premises and is costly if
                                    multiple sites have to be scanned.
                                    Using a wireless IPS (WIPS) for scanning is a much more convenient and
                                    comprehensive alternative. A WIPS gives you:
                                     • 24x7 monitoring of wireless devices
                                     • Ability to maintain an up-to-date wireless device inventory (recommended by the
                                       PCI SSC Wireless SIG)
                                     • Instant detection of Rogue wireless APs
                                     • Automatic blocking of Rogue APs and other wireless threats or hack attacks
                                     • Location tracking capability to physically hunt down Rogue and other threat-posing
                                       wireless devices
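                                    The two checks behind requirement 11.1 are mechanical once the data is in hand:
                                    compare what a scan sees against the authorized wireless device inventory the
                                    Wireless SIG recommends keeping, and confirm that every site (not a sample) has
                                    been scanned within the quarter. The Python below is an added example, not
                                    AirTight's code or any product's output; the inventory, the scan records, the
                                    site names and the wired_connected flag (which assumes the scanner or WIPS has
                                    already correlated an AP to the CDE wired LAN) are all constructed for the example.

```python
"""Added example (not AirTight's code): classify wireless scan results against an
authorized-device inventory and check that every site was scanned within the last
quarter. The inventory, scan records and site names are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed authorized-AP inventory: BSSID -> (approved SSID, approved security).
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": ("corp-pos", "WPA2-AES"),
    "00:11:22:aa:bb:02": ("corp-pos", "WPA2-AES"),
}
AUTHORIZED_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}


@dataclass(frozen=True)
class ScanRecord:
    bssid: str
    ssid: str
    security: str          # e.g. "OPEN", "WEP", "WPA2-TKIP", "WPA2-AES"
    wired_connected: bool  # assumption: scanner/WIPS has correlated the AP to the CDE wired LAN


def classify(record: ScanRecord) -> str:
    """Return one of: authorized, misconfigured, rogue, suspect, external."""
    key = record.bssid.lower()
    if key in AUTHORIZED_APS:
        ssid, security = AUTHORIZED_APS[key]
        if record.ssid == ssid and record.security == security:
            return "authorized"
        return "misconfigured"  # an official AP that drifted from its approved settings
    if record.wired_connected:
        return "rogue"          # unknown AP with a path into the CDE wired network
    if record.ssid in AUTHORIZED_SSIDS:
        return "suspect"        # unknown AP advertising an approved SSID
    return "external"           # neighbouring AP: inventory it, no CDE exposure shown


def triage(records):
    """Group BSSIDs by classification so the report leads with what needs action."""
    report = {}
    for rec in records:
        report.setdefault(classify(rec), []).append(rec.bssid.lower())
    return report


def sites_overdue(sites, last_scan, as_of, max_age_days=90):
    """Sites never scanned, or not scanned within a quarter, as of the given ISO date.
    Requirement 11.1 applies to every site, so a single overdue site is a finding."""
    as_of_date = date.fromisoformat(as_of)
    overdue = []
    for site in sites:
        scanned = last_scan.get(site)
        if scanned is None or as_of_date - date.fromisoformat(scanned) > timedelta(days=max_age_days):
            overdue.append(site)
    return overdue


# Constructed scan output for one visit, as a scanner or WIPS sensor might report it.
SAMPLE_SCAN = [
    ScanRecord("00:11:22:AA:BB:01", "corp-pos", "WPA2-AES", False),
    ScanRecord("00:11:22:aa:bb:02", "corp-pos", "WPA2-TKIP", False),
    ScanRecord("66:77:88:cc:dd:01", "linksys", "OPEN", True),
    ScanRecord("66:77:88:cc:dd:02", "corp-pos", "OPEN", False),
    ScanRecord("66:77:88:cc:dd:03", "coffeeshop", "WPA2-AES", False),
]
# Constructed site list and last-scan dates; store-003 has never been scanned.
SITES = ["store-001", "store-002", "store-003"]
LAST_SCAN = {"store-001": "2009-09-01", "store-002": "2009-05-15"}

if __name__ == "__main__":
    for category, bssids in triage(SAMPLE_SCAN).items():
        print(f"{category:13s} {', '.join(bssids)}")
    print("overdue sites:", sites_overdue(SITES, LAST_SCAN, "2009-09-30"))
```

                                    The "misconfigured" class is what the paper means by officially deployed APs that
                                    violate PCI DSS; the "suspect" class is an unknown AP that advertises an approved
                                    SSID and deserves a look even though no wired connection has been shown.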

                                       Monitor Wireless Intrusion Alerts
                                        PCI DSS Requirement 11.4 Use intrusion-detection systems, and/or intrusion-
                                        prevention systems to monitor all traffic in the cardholder data environment
                                        and alert personnel to suspected compromises. Keep all intrusion-detection and
                                        prevention engines up-to-date.

                                    Unless a wireless network is segmented from the CDE (requirement 1.2.3) using
                                    a firewall, the network should be monitored for wireless intrusion attempts. A
                                    WIPS should be configured to send automatic threat alerts and instantly notify
                                    concerned personnel about potential risks and attacks.

                                   Eliminate Wireless Threats
                                     PCI DSS Requirement 12.9 Implement an incident response plan. Be prepared
                                    to respond immediately to a system breach.

                                   A WIPS can help you automatically respond to incidents by blocking wireless
                                   threats such as Rogue APs before any damage is done. Any Rogue AP connected
                                   to a wired network inside the CDE should be physically removed. The location
                                   tracking capability of a WIPS can help locate the Rogue AP. A WIPS can also
                                   proactively protect against other common wireless threats such as man-in-the-
                                   middle attack, denial-of-service attack, and ad-hoc networks.


                                   PCI DSS 1.2 Wireless Security Requirements for Known WLAN
                                   inside CDE
                                   Organizations that run a wireless network as a part of the CDE need to comply
                                   with the following PCI DSS requirements to run a secure wireless network, over
                                   and above the requirements (11.1 – Conduct wireless scans at least quarterly at
                                   all locations, 11.4 – Use a WIPS to monitor wireless intrusion alerts, and 12.9 – Use
                                   a WIPS to eliminate wireless threats) discussed in the previous section. These are
                                   secure wireless deployment requirements.

                                   Change Default Settings
                                     PCI DSS Requirement 2.1.1 For wireless environments connected to the
                                    cardholder data environment or transmitting cardholder data, change wireless
                                    vendor defaults, including but not limited to default wireless encryption keys,
                                    passwords, and SNMP community strings. Ensure wireless device security
                                    settings are enabled for strong encryption technology for authentication and
                                    transmission.

                                    Change default password: Change the default password of your wireless AP to a
                                    stronger password (at least eight characters and a mix of alphanumeric characters).
                                    This will prevent unauthorized users from logging into your AP and manipulating
                                    its settings.
                                   Change default SSID: The Service Set Identifier (SSID) or network name can be
                                   configured on a wireless AP. Replace the default SSID with a unique name that does
                                   not reveal the identity or other private information about your organization.


                                   Turn off unused services: By default certain wireless APs may run additional
                                   services such as Web-based remote management, zero configuration, and SNMP
                                   based monitoring. If you are not using these services, simply turn them off. If
                                   you use SNMP, prefer SNMPv3 that supports stronger authentication than its
                                   predecessors.
                                   Turn on security settings: Most wireless APs come with wireless security turned off
                                   by default. Cardholder data sent over an unsecured wireless connection is up for
                                   grabs and can be passively sniffed by unauthorized users. Turn on the security on
                                   your wireless APs and use strong encryption and authentication. See requirement
                                   4.1.1 for more details.

                                   Use Strong Encryption and Authentication
                                     PCI DSS Requirement 4.1.1 For wireless environments connected to the
                                    cardholder data environment or transmitting cardholder data, change wireless
                                    vendor defaults, including but not limited to default wireless encryption keys,
                                    passwords, and SNMP community strings. Ensure wireless device security
                                    settings are enabled for strong encryption technology for authentication and
                                    transmission.

                                    Use WiFi Protected Access (WPA or WPA2) for implementing a secure wireless
                                    network. Use at least the Temporal Key Integrity Protocol (TKIP), preferably the
                                    Advanced Encryption Standard (AES), to protect in-transit cardholder data against
                                    eavesdropping. Implement 802.1X based central authentication to restrict wireless
                                    network access to authorized users. If you instead use Pre-Shared Key (PSK)
                                    authentication, use a strong passphrase that is at least eight characters long and a
                                    mix of alphanumeric and special characters.
                                   Do not use the Wired Equivalent Privacy (WEP) protocol for encrypting wireless
                                   data. WEP is fundamentally broken and cannot be fixed by any supplementary
                                   solutions. Use of WEP is not allowed in the CDE after June 30, 2010. If using a WEP-
                                   encrypted wireless network, a WIPS that detects and blocks WEP cracking attacks
                                   could serve as a compensating control.
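                                    Requirements 2.1.1 and 4.1.1 together amount to a checklist over an AP's
                                    configuration: no default admin password or SSID, SNMPv3 only with no default
                                    community strings, unused services off, no WEP or open networks, AES preferred
                                    over TKIP, and 802.1X or a strong PSK passphrase. The Python below is an added
                                    example (not AirTight's code) that audits such a configuration and shows a
                                    weak configuration beside its hardened form. The key=value format, the two
                                    sample configurations and the lists of "known vendor defaults" are constructed
                                    for the example and do not describe any real vendor's firmware.

```python
"""Added example (not AirTight's code): audit a wireless AP configuration against the
PCI DSS 2.1.1 / 4.1.1 points above. The key=value format, the sample configurations
and the 'known default' lists are constructed for the example, not a vendor's format."""
import re

# Constructed lists of values the audit treats as vendor defaults (assumption).
DEFAULT_PASSWORDS = {"admin", "password", "1234", ""}
DEFAULT_SSIDS = {"default", "wireless", "linksys", "netgear"}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}


def parse_config(text):
    """Parse 'key = value' lines; lines starting with '#' are comments; later keys win."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key.lower()] = value
    return cfg


def strong_secret(secret, require_special):
    """At least eight characters with letters and digits; a special character too when
    require_special is set (the 4.1.1 PSK passphrase rule)."""
    ok = len(secret) >= 8 and re.search(r"[A-Za-z]", secret) and re.search(r"\d", secret)
    if require_special:
        ok = ok and re.search(r"[^A-Za-z0-9]", secret)
    return bool(ok)


def audit(cfg):
    """Return finding codes in checklist order; an empty list means the config passes."""
    findings = []
    pw = cfg.get("admin_password", "")
    if pw.lower() in DEFAULT_PASSWORDS or not strong_secret(pw, require_special=False):
        findings.append("admin-password-default-or-weak")
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("ssid-vendor-default")
    enc = cfg.get("encryption", "NONE").upper()
    if enc == "NONE":
        findings.append("encryption-off")
    elif enc == "WEP":
        findings.append("wep-in-use")        # broken; not allowed in the CDE after 2010-06-30
    elif enc.endswith("TKIP"):
        findings.append("tkip-prefer-aes")   # allowed minimum, but AES is preferred
    auth = cfg.get("auth", "").upper()
    if auth == "PSK" and not strong_secret(cfg.get("psk_passphrase", ""), require_special=True):
        findings.append("psk-passphrase-weak")
    elif auth not in {"PSK", "802.1X"} and enc not in {"NONE", "WEP"}:
        findings.append("auth-method-unknown")
    if cfg.get("snmp", "off").lower() == "on":
        if cfg.get("snmp_version") != "3":
            findings.append("snmp-version-below-3")
        if cfg.get("snmp_community", "").lower() in DEFAULT_SNMP_COMMUNITIES:
            findings.append("snmp-community-default")
    enabled = {s.strip() for s in cfg.get("services_enabled", "").split(",") if s.strip()}
    required = {s.strip() for s in cfg.get("services_required", "").split(",") if s.strip()}
    for service in sorted(enabled - required):
        findings.append(f"unused-service-enabled:{service}")
    return findings


WEAK_CONFIG = """
# constructed sample: a store AP still on vendor defaults
ssid = linksys
admin_password = admin
encryption = WPA-TKIP
auth = PSK
psk_passphrase = 1234567890
snmp = on
snmp_version = 2c
snmp_community = public
services_enabled = web_mgmt, zeroconf, snmp
services_required = snmp
"""

HARDENED_CONFIG = """
# constructed sample: the same AP after applying 2.1.1 / 4.1.1
ssid = st0re-wlan-7f3a
admin_password = Xk4-pq9vL2mZ
encryption = WPA2-AES
auth = 802.1X
snmp = on
snmp_version = 3
services_enabled = snmp
services_required = snmp
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_config(text)) or "no findings")
```

                                    The audit only inspects a configuration; pulling that configuration from a
                                    deployed AP is where the SNMPv3 and restricted-management-service settings it
                                    checks for come into play.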

                                   Restrict Physical Access
                                    PCI DSS Requirement 9.1.3 Restrict physical access to wireless access points,
                                    gateways, and handheld devices.

                                    Physical access to authorized wireless devices should be restricted to minimize
                                    tampering with these devices and exposure of cardholder data. Physical access to
                                    wireless APs can be restricted by mounting them high up on ceilings or walls,
                                    and by installing them inside tamper-proof enclosures.
                                   Access to laptops and handheld devices should be restricted by using strong
                                   passwords. Sensitive information on these devices should be encrypted to prevent
                                   unauthorized access even if the device gets stolen.
                                   A WIPS can also serve as a wireless inventory management system, monitoring
                                   wireless devices and their activities, tracking their physical location inside the
                                   CDE, and enabling the administrator to quickly discover any missing or tampered
                                   devices.

                                   Maintain Logs of Wireless Activity
                                     PCI DSS Requirement 10.5.4 Write logs for external-facing technologies onto a
                                    log server on the internal LAN.

                                    Archive logs of wireless activity for over one year on a central server where the logs
                                    cannot be tampered with. Review wireless access logs daily to check for any anomalous
                                    activity. Here a WIPS can be repurposed to maintain records of the wireless activity it
                                    has monitored and can also help in forensic analysis of past data if necessary.
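                                    The three properties asked of the central log server (records that cannot be
                                    altered unnoticed, one year of retention, and a daily review for anomalies) can
                                    be demonstrated in a few dozen lines. The Python below is an added example, not
                                    AirTight's code or the format any WIPS emits: each retained line is hashed
                                    together with the previous hash, so altering or deleting a line breaks every hash
                                    after it; purging only removes lines older than a year and keeps the chain
                                    verifiable from the purge point. The log lines, sensor names and the 08:00-22:00
                                    business hours used to flag off-hours associations are constructed assumptions.

```python
"""Added example (not AirTight's code): a central store for wireless-activity logs that is
tamper-evident (SHA-256 hash chain), keeps records for one year, and produces a daily
review list of anomalous entries. Log lines, sensor names and business hours are
constructed assumptions for the example."""
import hashlib
from datetime import datetime, timedelta, timezone

BUSINESS_HOURS = (8, 22)   # assumption: client associations outside 08:00-22:00 UTC need a look
RETENTION_DAYS = 365       # the one-year archive the paper calls for
GENESIS = "0" * 64


def parse_line(line):
    """'2009-09-28T02:14:05Z sensor=... event=... k=v ...' -> dict with an aware datetime."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def _link(prev_hash, line):
    return hashlib.sha256((prev_hash + "\n" + line).encode()).hexdigest()


class LogArchive:
    """Append-only log where each entry's hash covers the previous hash, so editing or
    deleting any retained line breaks every hash after it."""

    def __init__(self):
        self.anchor = GENESIS   # hash of the last purged entry (or genesis)
        self.entries = []       # list of (line, chained_hash)

    def append(self, line):
        prev = self.entries[-1][1] if self.entries else self.anchor
        digest = _link(prev, line)
        self.entries.append((line, digest))
        return digest

    def verify(self):
        """Index of the first entry whose hash does not match, or -1 if the chain is intact."""
        prev = self.anchor
        for i, (line, digest) in enumerate(self.entries):
            if _link(prev, line) != digest:
                return i
            prev = digest
        return -1

    def purge_expired(self, as_of):
        """Drop only leading entries older than the retention window; returns how many."""
        cutoff = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc) - timedelta(days=RETENTION_DAYS)
        removed = 0
        while self.entries and parse_line(self.entries[0][0])["ts"] < cutoff:
            self.anchor = self.entries.pop(0)[1]   # chain continues from the purged hash
            removed += 1
        return removed

    def daily_review(self, day):
        """Entries dated `day` (ISO) a reviewer should look at: rogue/intrusion events and
        client associations outside business hours."""
        flagged = []
        for line, _ in self.entries:
            rec = parse_line(line)
            if rec["ts"].date().isoformat() != day:
                continue
            event = rec.get("event")
            off_hours = not (BUSINESS_HOURS[0] <= rec["ts"].hour < BUSINESS_HOURS[1])
            if event in {"rogue_ap", "intrusion"} or (event == "assoc" and off_hours):
                flagged.append(line)
        return flagged


# Constructed sample log lines as WIPS sensors at two stores might forward them.
SAMPLE_LINES = [
    "2008-06-01T10:00:00Z sensor=store-001 event=assoc client=aa:bb:cc:00:00:01 bssid=00:11:22:aa:bb:01",
    "2009-09-28T02:14:05Z sensor=store-001 event=rogue_ap bssid=66:77:88:cc:dd:01 ssid=linksys",
    "2009-09-28T09:00:12Z sensor=store-001 event=assoc client=aa:bb:cc:00:00:02 bssid=00:11:22:aa:bb:01",
    "2009-09-28T23:41:00Z sensor=store-002 event=assoc client=aa:bb:cc:00:00:03 bssid=00:11:22:aa:bb:02",
]


def build_archive(lines=SAMPLE_LINES):
    archive = LogArchive()
    for line in lines:
        archive.append(line)
    return archive


if __name__ == "__main__":
    archive = build_archive()
    print("chain intact:", archive.verify() == -1)
    print("purged:", archive.purge_expired("2009-09-28"))
    for line in archive.daily_review("2009-09-28"):
        print("REVIEW", line)
```

                                    A hash chain makes tampering detectable, not impossible: the anchor and the most
                                    recent hash still need to be written somewhere the log server's administrator
                                    cannot silently rewrite, which is the reason the paper wants the archive on a
                                    separate central server rather than on the devices that produce the logs.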

                                   Develop and Enforce Wireless Usage Policies
                                     PCI DSS Requirement 12.3 Develop usage policies for critical employee-facing
                                    technologies (for example, remote-access technologies, wireless technologies,
                                    removable electronic media, laptops, personal data/digital assistants (PDAs),
                                    e-mail usage and Internet usage) to define proper use of these technologies for
                                    all employees and contractors.

                                   In defining wireless usage policies, organizations will need to understand how to
                                   securely deploy a wireless network and encourage users to follow best practices
                                   when they use wireless laptops and handheld devices. Once wireless access
                                   policies are defined, a WIPS can be used to truly enforce those policies and
                                   proactively secure the CDE against unauthorized wireless access.


                                   How AirTight Networks Can Help You Meet PCI Compliance
                                    The PCI requirement for conducting wireless scans at all sites can become very
                                    demanding. Walking around with wireless analyzers is too tedious and costly
                                    for organizations with a large number of sites. Many small- and medium-sized
                                    businesses do not have the IT resources that they can dedicate to wireless
                                    scanning. Additionally, for organizations that do not have a known WLAN AP in the
                                    CDE and are subject only to the minimum scanning requirements, a full Wireless
                                    IPS (WIPS) capability may not be required.
                                   Built on its leading WIPS technology, AirTight Networks offers SpectraGuard Online,
                                   a SaaS-based wireless security solution for PCI compliance. This solution automates
                                   wireless scanning and requires no IT intervention, thus making PCI wireless
                                   scanning and compliance a low cost and no effort affair. Depending on the needs
                                   of the organization, SpectraGuard Online can be upgraded seamlessly to provide
                                   full wireless IPS capabilities.
                                   SpectraGuard Online is a true “hands off” solution. The customer installs pre-
                                   configured wireless sensors (plug-and-play), responds to a few wireless setup
                                   questions and, within 72 hours, begins to receive wireless vulnerability alerts
                                   by email. Users can choose to receive PCI Wireless Compliance report by email
                                   monthly or quarterly. Customer data is hosted in a secure SAS70 certified
                                   datacenter designed for security and high availability.
                                   SpectraGuard Online offers four service modules to choose from with pricing as
                                   low as $20 per month per location.


                                    SpectraGuard Online service modules (Yes = included; - = not included)

                                    Services                                          Basic       Wireless   Wireless   Wireless
                                                                                      Compliance  Alerts     IDS        IPS
                                    Automated wireless scanning                       Yes         Yes        Yes        Yes
                                    Compliance report delivered by email
                                    monthly or quarterly                              Yes         Yes        Yes        Yes
                                    Real-time email alerts for Rogue AP detection
                                    and wireless intrusion                            -           Yes        Yes        Yes
                                    Archiving of alerts for one year                  -           Yes        Yes        Yes
                                    Access to wireless IDS console                    -           -          Yes        Yes
                                    24x7 full wireless monitoring                     -           -          Yes        Yes
                                    Troubleshooting and customizable unlimited
                                    reporting                                         -           -          Yes        Yes
                                    24x7 full wireless intrusion prevention and
                                    automatic incident response                       -           -          -          Yes
                                    RF heat maps                                      -           -          -          Yes
                                    Location tracking to physically locate and
                                    remove Rogue APs                                  -           -          -          Yes

                                   Using SpectraGuard Online customers:
                                    • Incur no capital expenditures

                                    • Pay only for the wireless security features required

                                    • Grow as needed

                                    • Have an affordable and predictable total cost of ownership

                                    • Do not need to be concerned with hardware or software obsolescence

                                    • Can seamlessly upgrade to get full wireless IPS capabilities

                                    Comparing Cost of PCI Wireless Scanning: SpectraGuard Online versus
                                    Full Onsite WIPS versus Wireless Analyzer

                                    [Figure: line chart of Cost of PCI Compliance (Million $, scale 0.5 to 5) against
                                    Number of sites (500 to 5000) for three approaches: Wireless analyzer, On-site
                                    WIPS and SpectraGuard Online.]

                                    Estimated one year expense for PCI wireless scanning. For SpectraGuard Online and on-site WIPS, one wireless sensor per location
                                    is assumed. Cost for scanning with a wireless analyzer includes logistics cost such as travel and lodging.


                                    The total cost of ownership for SpectraGuard Online is radically lower
                                    — 60 to 75 percent lower — than that of any competitive WIPS solution on the
                                    market today. For large enterprises with hundreds or even thousands of sites
                                    across the globe, PCI compliance wireless scanning using the SpectraGuard
                                    Online automated, hosted solution requires dramatically less manpower and
                                    money than walk-around scanning using any wireless analyzer.
                                    Conclusions
                                    The PCI Security Standards Council has made it clear that wireless security is a
                                    concern that all merchants, regardless of whether or not wireless is deployed, must
                                    address. Scanning all sites for wireless vulnerabilities and threats such as Rogue APs
                                    and eliminating them from the cardholder data environment (CDE) is mandatory.
                                    A wireless IPS (WIPS) can automate wireless scanning, alerts monitoring,
                                    compliance reporting and threat prevention.
                                    AirTight Networks’ SpectraGuard Online delivers PCI wireless scanning and
                                    wireless intrusion prevention as a SaaS. It makes wireless scanning for PCI
                                    compliance easy and cost-effective. Organizations can choose the features
                                    they need depending on their size and use of wireless, and save significantly
                                    as compared to on-site WIPS installations or manual scanning using a
                                    wireless analyzer.


                                    ABOUT AIRTIGHT NETWORKS
                                    AirTight Networks is the global leader in wireless security and compliance
                                    solutions providing customers best-of-breed technology to automatically detect,
                                    classify, locate and block all current and emerging wireless threats. AirTight
                                    offers both the industry’s leading wireless intrusion prevention system (WIPS)
                                    and the world’s first wireless vulnerability management (WVM)
                                    security-as-a-service (SaaS). AirTight’s award-winning solutions are used by
                                    customers globally in the financial, government, retail, manufacturing,
                                    transportation, education, healthcare, telecom, and technology industries.
                                    AirTight owns the seminal patents for wireless intrusion prevention technology
                                    with 11 U.S. patents and two international patents granted (UK and Australia),
                                    and more than 20 additional patents pending. AirTight Networks is a privately
                                    held company based in Mountain View, CA. For more information please visit
                                    www.airtightnetworks.com




The Global Leader in Wireless Security Solutions
AirTight Networks, Inc. 339 N. Bernardo Avenue #200, Mountain View, CA 94043
T +1.877.424.7844 T 650.961.1111 F 650.961.1169 www.airtightnetworks.com info@airtightnetworks.com
© 2009 AirTight Networks, Inc. All rights reserved. AirTight Networks and the AirTight Networks logo are trademarks, and
AirTight and SpectraGuard are registered trademarks of AirTight Networks, Inc. All other trademarks mentioned herein are
properties of their respective owners. Specifications are subject to change without notice.

Weitere ähnliche Inhalte

Mehr von AirTight Networks

Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014
Air tight 11ac webinar series   session 2 - 11ac feature deep dive - june 2014Air tight 11ac webinar series   session 2 - 11ac feature deep dive - june 2014
Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014AirTight Networks
 
Wi-Fi Offload Summit - Monetise Thyself
Wi-Fi Offload Summit - Monetise ThyselfWi-Fi Offload Summit - Monetise Thyself
Wi-Fi Offload Summit - Monetise ThyselfAirTight Networks
 
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014AirTight Networks
 
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration AirTight Networks
 
AirTight Networks Evolution - Cloud & MSP
AirTight Networks Evolution - Cloud & MSPAirTight Networks Evolution - Cloud & MSP
AirTight Networks Evolution - Cloud & MSPAirTight Networks
 
AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks
 
AirTight social wifi solution brief
AirTight social wifi solution briefAirTight social wifi solution brief
AirTight social wifi solution briefAirTight Networks
 
Considerations for a secure enterprise wlan data connectors 2013
Considerations for a secure enterprise wlan   data connectors 2013Considerations for a secure enterprise wlan   data connectors 2013
Considerations for a secure enterprise wlan data connectors 2013AirTight Networks
 
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...AirTight Networks
 
Survey on the Impact of BYOD on Enterprise Security
Survey on the Impact of BYOD on Enterprise SecuritySurvey on the Impact of BYOD on Enterprise Security
Survey on the Impact of BYOD on Enterprise SecurityAirTight Networks
 
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...AirTight Networks
 
Non WiFi interference combat guide 1
Non WiFi interference combat guide 1Non WiFi interference combat guide 1
Non WiFi interference combat guide 1AirTight Networks
 
WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
WPA2 Hole196 Vulnerability: Exploits and Remediation StrategiesWPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
WPA2 Hole196 Vulnerability: Exploits and Remediation StrategiesAirTight Networks
 
Conquering the Minefield of Soft Rogue APs in the Enterprise
Conquering the Minefield of Soft Rogue APs in the EnterpriseConquering the Minefield of Soft Rogue APs in the Enterprise
Conquering the Minefield of Soft Rogue APs in the EnterpriseAirTight Networks
 
Windows 7 - A New Wireless Risk to the Enterprise
Windows 7 - A New Wireless Risk to the EnterpriseWindows 7 - A New Wireless Risk to the Enterprise
Windows 7 - A New Wireless Risk to the EnterpriseAirTight Networks
 
Understanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsUnderstanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsAirTight Networks
 
Skyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And CountermeasuresSkyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And CountermeasuresAirTight Networks
 
Retail Stores and Wireless Security—Recommendations
Retail Stores and Wireless Security—RecommendationsRetail Stores and Wireless Security—Recommendations
Retail Stores and Wireless Security—RecommendationsAirTight Networks
 
Wireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your EnterpriseWireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your EnterpriseAirTight Networks
 

Mehr von AirTight Networks (20)

Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014
Air tight 11ac webinar series   session 2 - 11ac feature deep dive - june 2014Air tight 11ac webinar series   session 2 - 11ac feature deep dive - june 2014
Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014
 
Wi-Fi Offload Summit - Monetise Thyself
Wi-Fi Offload Summit - Monetise ThyselfWi-Fi Offload Summit - Monetise Thyself
Wi-Fi Offload Summit - Monetise Thyself
 
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
 
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
 
AirTight Networks Evolution - Cloud & MSP
AirTight Networks Evolution - Cloud & MSPAirTight Networks Evolution - Cloud & MSP
AirTight Networks Evolution - Cloud & MSP
 
AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6
 
AirTight social wifi solution brief
AirTight social wifi solution briefAirTight social wifi solution brief
AirTight social wifi solution brief
 
Considerations for a secure enterprise wlan data connectors 2013
Considerations for a secure enterprise wlan   data connectors 2013Considerations for a secure enterprise wlan   data connectors 2013
Considerations for a secure enterprise wlan data connectors 2013
 
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
 
Survey on the Impact of BYOD on Enterprise Security
Survey on the Impact of BYOD on Enterprise SecuritySurvey on the Impact of BYOD on Enterprise Security
Survey on the Impact of BYOD on Enterprise Security
 
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
 
Non WiFi interference combat guide 1
Non WiFi interference combat guide 1Non WiFi interference combat guide 1
Non WiFi interference combat guide 1
 
WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
WPA2 Hole196 Vulnerability: Exploits and Remediation StrategiesWPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
 
Conquering the Minefield of Soft Rogue APs in the Enterprise
Conquering the Minefield of Soft Rogue APs in the EnterpriseConquering the Minefield of Soft Rogue APs in the Enterprise
Conquering the Minefield of Soft Rogue APs in the Enterprise
 
Windows 7 - A New Wireless Risk to the Enterprise
Windows 7 - A New Wireless Risk to the EnterpriseWindows 7 - A New Wireless Risk to the Enterprise
Windows 7 - A New Wireless Risk to the Enterprise
 
802.11w Tutorial
802.11w Tutorial802.11w Tutorial
802.11w Tutorial
 
Understanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsUnderstanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and Solutions
 
Skyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And CountermeasuresSkyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And Countermeasures
 
Retail Stores and Wireless Security—Recommendations
Retail Stores and Wireless Security—RecommendationsRetail Stores and Wireless Security—Recommendations
Retail Stores and Wireless Security—Recommendations
 
Wireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your EnterpriseWireless Vulnerability Management: What It Means for Your Enterprise
Wireless Vulnerability Management: What It Means for Your Enterprise
 

Kürzlich hochgeladen

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 

Don’t Let Wireless Detour Your PCI Compliance

  • 1. AIRTIGHT NETWORKS WHITEPAPER Don’t Let Wireless Detour Your PCI Compliance Understanding the PCI DSS Wireless Requirements A Whitepaper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043 www.airtightnetworks.com © 2009 AirTight Networks, Inc. All rights reserved.
  • 2. AIRTIGHT NETWORKS WHITEPAPER Don’t Let Wireless Detour Your PCI Compliance Executive Summary The Payment Card Industry Security Standards Council (PCI SSC) has published a PCI DSS Wireless Guideline which acknowledges that wireless is a clear and present danger to network security and those who collect, store or transmit card holder data must take steps to assure that it is secure, whether or not wireless is deployed in the cardholder data environment. Though the PCI DSS already included wireless security requirements, this is the first time that the requirements for wireless security have been described unambiguously for all cardholder data environments (CDE). Organizations which handle payment card data must take steps to secure the CDE against wireless threats including unmanaged and unknown wireless devices in the environment and must scan all locations. This white paper helps those organizations understand how the PCI DSS 1.2 wireless requirements apply to them, how to meet those requirements in a cost effective way, and how to secure your network and cardholder data from wireless threats. © 2009 AirTight Networks, Inc. All rights reserved. 2
  • 3. AIRTIGHT NETWORKS WHITEPAPER Don’t Let Wireless Detour Your PCI Compliance Introduction Recent incidents have highlighted the growing popularity of wireless among cybercriminals to gain sensitive data from both wired and wireless networks. The TJX incident — the largest known wireless security breach in the U.S. history — is a prime example. Hackers used unsecured wireless as an entry point to access TJX networks worldwide. Over 90 million credit- and debit-card records and personal information such as social security numbers, driver’s license numbers, and military identification of more than 451,000 customers were stolen. A total of nine retail chains — including Office Max, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and DSW — were victims of this heist. Forrester Research estimated the cost incurred to cover financial losses and lawsuit settlements to be one billion dollars. Notably the wireless networks that were hacked during this incident were not necessarily being used for processing cardholder data, but were connected to wired networks that were part of the cardholder data environment (CDE). This highlighted the need to comprehensively secure the CDE against all types of wireless threats including those initiated outside it and those initiated from “Rogue” wireless access points and clients installed unofficially inside the CDE. The Payment Card Industry Security Standards Council (PCI SSC) responded promptly by releasing the latest version 1.2 of the PCI Data Security Standard (PCI DSS) in October 2008. The PCI SSC’s Wireless Special Interest Group (SIG) followed it with a “PCI DSS Wireless Guideline” document in July 2009 that clarified the wireless security requirements for PCI compliance, provided guidance on implementing secure wireless LANs and outlined methods for protecting against threats from wireless devices outside the CDE and Rogue wireless devices. 
Understanding the Cardholder Data Environment Fundamental to achieving PCI compliance is to understand what comprises a CDE. The PCI SSC Wireless SIG defines the CDE as “the computer environment wherein cardholder data is transferred, processed, or stored, and any networks or devices directly connected to that environment.” From a wireless security viewpoint, any wireless device that is deployed officially or unofficially becomes part of the CDE as long as it provides access to cardholder data in transit, or in process, or in storage. Any such device is evidently under the purview of PCI DSS. © 2009 AirTight Networks, Inc. All rights reserved. 3
  • 4. AIRTIGHT NETWORKS WHITEPAPER Don’t Let Wireless Detour Your PCI Compliance Officially deployed wireless access points (APs) and clients can violate PCI DSS requirements if they are misconfigured or provide CDE access to unauthorized users. Unofficially deployed Rogue wireless APs and clients can also compromise the security of the entire network and provide CDE access to unauthorized users. Depending on how wireless usage influences a CDE, the PCI DSS 1.2 wireless security requirements can be broadly grouped into two categories: • Those that address threats from unknown wireless networks and apply generally to all organizations wanting to comply with PCI DSS; and • Those that apply to organizations who have deployed an official wireless network inside the CDE. PCI DSS 1.2 Wireless Security Requirements for All “ [Generally applicable wireless requirements] apply to Organizations organizations regardless of their Irrespective of whether or not they have deployed a wireless network, use of wireless technology and organizations cannot afford to discount the presence of unknown or unmanaged regardless of whether the wireless wireless devices on their premises. Today all consumer computing devices (e.g., technology is a part of the CDE or laptops, smartphones, PDAs) have WiFi built in. WiFi APs are inexpensive and not. As a result, they are generally available off-the-shelf for anyone to autonomously deploy their own wireless applicable to organizations that network at work. wish to comply with PCI DSS. ” - PCI Security Standards Council The significant risk that these unmanaged wireless devices pose to the CDE has Wireless SIG prompted the PCI Security Council to highlight the following PCI DSS requirements as applicable to all organizations wanting to comply with PCI DSS. Regardless of © 2009 AirTight Networks, Inc. All rights reserved. 4
  • 5. AIRTIGHT NETWORKS WHITEPAPER Don’t Let Wireless Detour Your PCI Compliance whether an organization runs or bans wireless, it needs to ensure that the CDE is not plagued with such Rogue wireless devices. These are minimum wireless scanning requirements. Conduct Wireless Scans At Least Quarterly at All Locations “ Although [use of a wireless analyzer for scanning] is PCI DSS Requirement 11.1 Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use. technically possible for a small number of locations, it Organizations must scan ALL their sites at least quarterly to detect Rogue or is often operationally tedious, unauthorized wireless devices that may be attached to the CDE. Sampling of few error-prone, and costly for sites for scanning is not allowed. Scanning only the CDE wired network does not organizations that have serve the purpose as it cannot detect Rogue wireless devices. several CDE locations. For large organizations, it is recommended Walking around with a wireless analyzer for conducting scans is a time-consuming that wireless scanning be process, limited in scope (in terms of ability to discover Rogue APs and relevance automated with a wireless IDS/ over a longer time duration), cannot scale for large premises and is costly if IPS system. ” - PCI Wireless Security Standards multiple sites have to be scanned. Using a wireless IPS (WIPS) for scanning is a much more convenient and Council Wireless SIG comprehensive alternative. 
A WIPS gives you: • 24x7 monitoring of wireless devices • Ability to maintain an up-to-date wireless device inventory (recommended by the PCI SSC Wireless SIG) • Instant detection of Rogue wireless APs • Automatic blocking of Rogue APs and other wireless threats or hack attacks • Location tracking capability to physically hunt down Rogue and other threat posing wireless devices Monitor Wireless Intrusion Alerts PCI DSS Requirement 11.4 Use intrusion-detection systems, and/or intrusion- prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines up-to-date. Unless a wireless network is segmented from the CDE (requirement 1.2.3) using a firewall, the network should be monitored for wireless intrusion attempts. A WIPS should be configured to send automatic threat alerts and instantly notify © 2009 AirTight Networks, Inc. All rights reserved. 5
  • 6. AIRTIGHT NETWORKS WHITEPAPER Don’t Let Wireless Detour Your PCI Compliance concerned personnel about potential risks and attacks. Eliminate Wireless Threats PCI DSS Requirement 12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach. A WIPS can help you automatically respond to incidents by blocking wireless threats such as Rogue APs before any damage is done. Any Rogue AP connected to a wired network inside the CDE should be physically removed. The location tracking capability of a WIPS can help locate the Rogue AP. A WIPS can also proactively protect against other common wireless threats such as man-in-the- middle attack, denial-of-service attack, and ad-hoc networks. PCI DSS 1.2 Wireless Security Requirements for Known WLAN inside CDE Organizations that run a wireless network as a part of the CDE need to comply with the following PCI DSS requirements to run a secure wireless network, over and above the requirements (11.1 – Conduct wireless scans at least quarterly at all locations, 11.4 – Use a WIPS to monitor wireless intrusion alerts, and 12.9 – Use a WIPS to eliminate wireless threats) discussed in the previous section. These are secure wireless deployment requirements. Change Default Settings PCI DSS Requirement 2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission. Change default password: Change the default password of your wireless AP with a stronger password (at least eight characters and a mix of alphanumeric characters). This will prevent unauthorized users from logging into your AP and manipulating its settings. 
Change default SSID: The Service Set Identifier (SSID) or network name can be configured on a wireless AP. Replace the default SSID with a unique name that does not reveal the identity or other private information about your organization.
Turn off unused services: By default certain wireless APs may run additional services such as Web-based remote management, zero configuration, and SNMP-based monitoring. If you are not using these services, simply turn them off. If you use SNMP, prefer SNMPv3, which supports stronger authentication than its predecessors.

Turn on security settings: Most wireless APs come with wireless security turned off by default. Cardholder data sent over an unsecured wireless connection is up for grabs and can be passively sniffed by unauthorized users. Turn on the security on your wireless APs and use strong encryption and authentication. See requirement 4.1.1 for more details.

Use Strong Encryption and Authentication

PCI DSS Requirement 4.1.1: For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.

Use Wi-Fi Protected Access (WPA or WPA2) for implementing a secure wireless network. Use at least the Temporal Key Integrity Protocol (TKIP), and preferably the Advanced Encryption Standard (AES), to protect in-transit cardholder data against eavesdropping. Implement 802.1X-based central authentication to restrict wireless network access to authorized users. If you instead use Pre-Shared Key (PSK) authentication, use a strong passphrase that is at least eight characters long and a mix of alphanumeric and special characters. Do not use the Wired Equivalent Privacy (WEP) protocol for encrypting wireless data. WEP is fundamentally broken and cannot be fixed by any supplementary solutions. Use of WEP is not allowed in the CDE after June 30, 2010.
If using a WEP-encrypted wireless network, a WIPS that detects and blocks WEP cracking attacks could serve as a compensating control.

Restrict Physical Access

PCI DSS Requirement 9.1.3: Restrict physical access to wireless access points, gateways, and handheld devices.

Physical access to authorized wireless devices should be restricted to minimize tampering with these devices and exposure of cardholder data. Physical access to wireless APs can be restricted by mounting them high up on ceilings or walls, and by installing them inside tamper-proof enclosures. Access to laptops and handheld devices should be restricted by using strong passwords. Sensitive information on these devices should be encrypted to prevent unauthorized access even if the device gets stolen. A WIPS can also serve as a wireless inventory management system, monitoring wireless devices and their activities, tracking their physical location inside the CDE, and enabling the administrator to quickly discover any missing or tampered devices.

Maintain Logs of Wireless Activity

PCI DSS Requirement 10.5.4: Write logs for external-facing technologies onto a log server on the internal LAN.

Archive logs of wireless activity for over one year on a central server where the logs cannot be tampered with. Review wireless access logs daily to check for any anomalous activity. Here a WIPS can be repurposed to maintain records of the wireless activity it has monitored and can also help in forensic analysis of past data if necessary.

Develop and Enforce Wireless Usage Policies

PCI DSS Requirement 12.3: Develop usage policies for critical employee-facing technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), e-mail usage and Internet usage) to define proper use of these technologies for all employees and contractors.

In defining wireless usage policies, organizations will need to understand how to securely deploy a wireless network and encourage users to follow best practices when they use wireless laptops and handheld devices. Once wireless access policies are defined, a WIPS can be used to truly enforce those policies and proactively secure the CDE against unauthorized wireless access.
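As an added example that is not part of this whitepaper or AirTight's product, the following Python script applies the checks from this section to constructed data: it separates Rogue APs found on the wired CDE from external neighbours (the scanning and removal steps under 11.1, 11.4 and 12.9) and audits the authorized APs for the default-setting and encryption points under 2.1.1 and 4.1.1. The BSSIDs, SSIDs, keys, the vendor-default SSID list and the data shapes are all assumptions made for the example.

```python
"""Added example (not AirTight's code): rogue detection against an authorized AP
inventory (11.1/11.4) and hardening checks under 2.1.1/4.1.1. Data is constructed."""
from datetime import date

WEP_CUTOFF = date(2010, 6, 30)                              # WEP not allowed in the CDE after this
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}  # constructed sample of vendor default names
DEFAULT_SNMP = {"public", "private"}                        # well-known default community strings

# Authorized AP inventory keyed by BSSID (constructed sample).
AUTHORIZED = {
    "00:11:22:33:44:01": {"ssid": "store-pos", "encryption": "WPA2-AES", "auth": "802.1X", "snmp": "S3cur3!Comm"},
    "00:11:22:33:44:02": {"ssid": "linksys", "encryption": "WEP", "auth": "PSK", "psk": "abc123", "snmp": "public"},
}
# APs reported by a scan; on_wired_cde means the AP was traced to the CDE's wired LAN (constructed).
OBSERVED = [
    {"bssid": "00:11:22:33:44:01", "ssid": "store-pos", "on_wired_cde": True},
    {"bssid": "00:11:22:33:44:02", "ssid": "linksys", "on_wired_cde": True},
    {"bssid": "aa:bb:cc:dd:ee:ff", "ssid": "FreeWiFi", "on_wired_cde": True},     # rogue: unknown AP on our wire
    {"bssid": "aa:bb:cc:dd:ee:00", "ssid": "CoffeeShop", "on_wired_cde": False},  # neighbour, not on our wire
]

def classify_observed(observed, authorized):
    """Unknown APs on the wired CDE are rogues (locate and remove); others are external neighbours."""
    rogues, external = [], []
    for ap in observed:
        if ap["bssid"] not in authorized:
            (rogues if ap["on_wired_cde"] else external).append(ap["bssid"])
    return rogues, external

def strong_psk(psk):
    """4.1.1 guidance: at least eight characters mixing letters, digits and special characters."""
    return (len(psk) >= 8 and any(c.isalpha() for c in psk)
            and any(c.isdigit() for c in psk) and any(not c.isalnum() for c in psk))

def ap_findings(cfg, today):
    """Hardening findings for one authorized AP's configuration (2.1.1 and 4.1.1)."""
    issues = []
    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        issues.append("default SSID (2.1.1)")
    if cfg["snmp"] in DEFAULT_SNMP:
        issues.append("default SNMP community string (2.1.1)")
    if cfg["encryption"] == "WEP":  # prohibited after the cutoff; before it, a WEP-cracking-aware WIPS is the compensating control
        issues.append("WEP " + ("prohibited after 2010-06-30" if today > WEP_CUTOFF else "needs compensating control") + " (4.1.1)")
    if cfg["auth"] == "PSK" and not strong_psk(cfg.get("psk", "")):
        issues.append("weak pre-shared key (4.1.1)")
    return issues

def check_authorized(authorized, today=None):
    """Map BSSID -> findings for authorized APs still violating 2.1.1/4.1.1; `today` is an ISO date string."""
    today = date.fromisoformat(today) if today else date.today()
    return {b: f for b, cfg in authorized.items() if (f := ap_findings(cfg, today))}
```

In a real deployment the OBSERVED list would come from the scan or WIPS sensor and AUTHORIZED from the maintained device inventory; the findings feed the daily log review and the incident response steps described above.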
How AirTight Networks Can Help You Meet PCI Compliance

The PCI requirement for conducting wireless scans at all sites can become very demanding. Walking around with wireless analyzers is too tedious and costly for organizations with a large number of sites. Many small- and medium-sized businesses do not have the IT resources that they can dedicate to wireless scanning. Additionally, for organizations that do not have a known WLAN AP in the CDE and are subject only to the minimum scanning requirements, a full Wireless IPS (WIPS) capability may not be required.

Built on its leading WIPS technology, AirTight Networks offers SpectraGuard Online, a SaaS-based wireless security solution for PCI compliance. This solution automates wireless scanning and requires no IT intervention, thus making PCI wireless scanning and compliance a low-cost and no-effort affair. Depending on the needs of the organization, SpectraGuard Online can be upgraded seamlessly to provide full wireless IPS capabilities.

SpectraGuard Online is a true "hands off" solution. The customer installs pre-configured wireless sensors (plug-and-play), responds to a few wireless setup questions and, within 72 hours, begins to receive wireless vulnerability alerts by email. Users can choose to receive a PCI Wireless Compliance report by email monthly or quarterly. Customer data is hosted in a secure SAS70 certified datacenter designed for security and high availability.

SpectraGuard Online offers four service modules to choose from, with pricing as low as $20 per month per location. Services included in each module (Yes = included, - = not included):

Service                                                                  Basic Compliance   Wireless Alerts   Wireless IDS   Wireless IPS
Automated wireless scanning                                              Yes                Yes               Yes            Yes
Compliance report delivered by email monthly or quarterly                Yes                Yes               Yes            Yes
Real-time email alerts for Rogue AP detection and wireless intrusion     -                  Yes               Yes            Yes
Archiving of alerts for one year                                         -                  Yes               Yes            Yes
Access to wireless IDS console                                           -                  -                 Yes            Yes
24x7 full wireless monitoring                                            -                  -                 Yes            Yes
Troubleshooting and customizable unlimited reporting                     -                  -                 Yes            Yes
24x7 full wireless intrusion prevention and automatic incident response  -                  -                 -              Yes
RF heat maps                                                             -                  -                 -              Yes
Location tracking to physically locate and remove Rogue APs              -                  -                 -              Yes
Using SpectraGuard Online, customers:
• Incur no capital expenditures
• Pay only for the wireless security features required
• Grow as needed
• Have an affordable and predictable total cost of ownership
• Do not need to be concerned with hardware or software obsolescence
• Can seamlessly upgrade to get full wireless IPS capabilities

Comparing Cost of PCI Wireless Scanning: SpectraGuard Online versus Full Onsite WIPS versus Wireless Analyzer

[Chart: Cost of PCI Compliance (Million $, scale 0.5 to 5) against Number of sites (500, 1000, 2000, 3000, 5000), with curves for Wireless analyzer (highest), On-site WIPS, and SpectraGuard Online (lowest).]

Estimated one year expense for PCI wireless scanning. For SpectraGuard Online and on-site WIPS, one wireless sensor per location is assumed. Cost for scanning with a wireless analyzer includes logistics cost such as travel and lodging.

The total cost of ownership for SpectraGuard Online is radically less expensive — 60 to 75 percent lower — than any competitive WIPS solutions on the market today. For large enterprises with hundreds or even thousands of sites across the globe, PCI compliance wireless scanning using the SpectraGuard Online automated, hosted solution is dramatically less expensive in both manpower and cost than walk-around scanning using any wireless analyzer.

Conclusions

The PCI Security Standards Council has made it clear that wireless security is a concern that all merchants, regardless of whether or not wireless is deployed, must address. Scanning all sites for wireless vulnerabilities and threats such as Rogue APs and eliminating them from the cardholder data environment (CDE) is mandatory.
A wireless IPS (WIPS) can automate wireless scanning, alerts monitoring, compliance reporting and threat prevention.

AirTight Networks' SpectraGuard Online delivers PCI wireless scanning and wireless intrusion prevention as a SaaS. It makes wireless scanning for PCI compliance easy and cost-effective. Organizations can choose the features they need depending on their size and use of wireless, and save significantly as compared to on-site WIPS installations or manual scanning using a wireless analyzer.

ABOUT AIRTIGHT NETWORKS

AirTight Networks is the global leader in wireless security and compliance solutions, providing customers best-of-breed technology to automatically detect, classify, locate and block all current and emerging wireless threats. AirTight offers both the industry's leading wireless intrusion prevention system (WIPS) and the world's first wireless vulnerability management (WVM) security-as-a-service (SaaS). AirTight's award-winning solutions are used by customers globally in the financial, government, retail, manufacturing, transportation, education, healthcare, telecom, and technology industries. AirTight owns the seminal patents for wireless intrusion prevention technology, with 11 U.S. patents and two international patents granted (UK and Australia), and more than 20 additional patents pending. AirTight Networks is a privately held company based in Mountain View, CA. For more information please visit www.airtightnetworks.com

The Global Leader in Wireless Security Solutions

AirTight Networks, Inc.
339 N. Bernardo Avenue #200, Mountain View, CA 94043
T +1.877.424.7844
T 650.961.1111
F 650.961.1169
www.airtightnetworks.com
info@airtightnetworks.com

© 2009 AirTight Networks, Inc. All rights reserved. AirTight Networks and the AirTight Networks logo are trademarks, and AirTight and SpectraGuard are registered trademarks of AirTight Networks, Inc. All other trademarks mentioned herein are properties of their respective owners. Specifications are subject to change without notice.