Friday, April 23, 2010

PCI DSS 1.2 - Check for rogue Wireless Networks

PCI DSS requirement 11.1 states:

"Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use"

This requirement to change from WEP to WPA came several years ago - so hopefully you have already put this into your budget. Smaller companies can use a wireless analyzer to scan the network periodically for rogue and/or non-WPA wireless networks. If you find them you can take them offline as they are discovered. It is better to perform scans frequently. Once per month is the minimum suggested - the more the better.

If your company has a large physical footprint wireless surveys are not feasible. Consider using an existing wireless infrastructure to act as a sensor in a rogue wireless detection system by using a wireless IDS/IPS. Tools you can use are Kismet(open source tools), AirMagnet or AirTight Networks.

Best practice when upgrading is to eliminate any impact to your credit card processing systems. It is recommended that you run both WEP and WPA networks simultaneously for a few weeks and then make the transition of all hardware to your new WPA network. Don't put this off as merchant banks won't be willing to open up the possibility for an attack. Securing your wireless network is critical and it will lead you one step closer to PCI Compliance! If you need any assistance send me an email and I will help! jgrahamusa@yahoo.com

Jamie"s MOTTO.....

Don't follow the path that is already there....go instead where there is no path....and leave a trail....

This trail is a part of a long journey .....