Rough PCI 4.0.2 Script 1

Summary:

This document is about making sure everything stays organized while checking how well a store follows some rules. There are two big boards with numbers on them, like 1 and 10, which help show if the store is following those rules or not. The store has maps of all its stuff inside it, and there are special places where they keep credit card information safe. They also use different systems to send money from customers' cards to their own account. Sometimes, stores have problems with some parts of the building that can be dangerous for keeping important things secure. To make sure everything is safe and up-to-date, people look at what kind of computers are used, who logs in, and if they follow rules about talking to each other when sending money.

Details:

The document outlines a comprehensive review of various aspects related to retail operations and compliance, focusing primarily on ArcNet Retail Stores. Key components include: 1. **Compliance Dashboard**: Two dashboards are mentioned as open for review—one likely specific to requirements #1 and another possibly for requirement #10. This suggests an ongoing focus on regulatory adherence. 2. **Assets Mapping**: The navigator is highlighting assets related to ArcNet Retail Stores, specifically focusing on brick-and-mortar locations. These include detailed mapping of each store's assets. 3. **Billing Systems**: There are two billing systems being used:

• **DMZ (Direct Messaging Zone)**: Where stores communicate with the billing department to process credit card transactions.

• **Backend System**: This is where actual credit card data is stored and processed securely.

4. **Web Presence**: The ecommerce platform uses a third-party billing system for processing transactions, which requires monitoring to ensure PCI compliance (Payment Card Industry Data Security Standard). 5. **SOC/NOC (Security Operations Center/Network Operations Center)**: This involves monitoring the online presence and direct communication with the 3rd party billing system via the DMZ. 6. **Geographical Representation**: The geographical distribution of stores across North America (NA) is analyzed, including a deeper look at the West region to specifically highlight stores in the Bay area. Two non-compliant stores are identified: Store 2 and Store 22. Further investigation revealed that these stores use insecure methods such as accepting FTP port 21 for communication and having telnet services enabled on Windows systems, both of which violate security protocols. 7. **Insecure Services**: This includes the acceptance of FTP port 21 (cleartext protocol) and enabling telnet services on Windows machines, leading to violations of disallowed port access rules and insecure communications with the billing DMZ. 8. **Back End Processing System**: Investigations into the login activities:

• A terminated user account attempted a logon using JimmyJ's credentials but failed due to the system detecting termination (PCI violation).

• Fairlane, another default user, successfully logged in with Scott, which triggered updates on current user sessions through session correlation.

The document concludes by emphasizing the need for immediate action to address these security breaches and compliance issues highlighted during the review. This summary outlines a series of security measures and actions taken in response to an incident involving the user account "fairlane" within an organization. The scenario involves multiple aspects such as logins, data access, email communications, audit logs, file deletions, and compliance checks related to PCI (Payment Card Industry) standards. Here's a breakdown: 1. **Logon and Access**: Fairlane logs into the system using a shared account "Shared_dba". He then runs a query on CC_Numbers for the company "by fairlane", which is sent via email to secret@hushmail.com. The email contains the result set of credit card numbers (CC#’s). 2. **Identity Correlation**: Using identity mappings, it's discovered that fairlane is associated with user ID 12345. This step involves reviewing all attributes linked to fairlane in the system. 3. **Snort Event and Correlations**: The use of Snort (a network intrusion detection system) detects suspicious activity related to authentication for CC numbers, triggering two correlations: "insecure services" and "CC number in the clear". This is where session information helps tie events back to fairlane. 4. **Excessive File Deletes and Audit Log Manipulation**: Fairlane deletes several transaction records and customer data files, which triggers a Tripwire alert for excessive file deletions (no user concept). He also clears audit logs and modifies the Oracle database table 'audit$', leading to further security alerts regarding audit log clearing. 5. **Audit Management and Compliance**: Deleting audit logs and modifying the audit tables lead to specific rules being triggered in the audit logging section, violating Sect 10 standards. This involves customizing rules for actions like adding new ones, notifications, escalation, integration with Remedy, and creating a case. 6. **Event Graph and Compliance Dashboard**: Using event graphs and compliance dashboard, it's checked if the organization is compliant with PCI standards related to contractor access to the building. This includes reviewing all events correlated to fairlane and Bryant's restricted badge access. 7. **Compliance Review**: The final step involves checking compliance through a PCI all events grid view, which shows convergence around physical and logical aspects of contractor access in relation to section 9 of PCI standards. This summary underscores the importance of robust identity management, audit logging, and correlation mechanisms in detecting anomalous activities within an organization's IT infrastructure, particularly focusing on data security and compliance with regulatory requirements like PCI DSS. This text seems to be a set of instructions or guidelines for working with a tool related to compliance and reporting. The key points are: 1. Avoid making changes that affect the default views, such as customizing them, conducting investigations, drilling down into data, or using specific tools like in-line filtering. These actions are discouraged because they might interfere with the intended use of the dashboard or other features related to compliance and reporting. 2. Once you return to the Compliance dashboard, consider displaying Requirement 1 specifically if a separate dashboard for this requirement is available. This could be useful for focusing on specific aspects of compliance. 3. For reports, the text refers to archives, which might indicate that old or historical data related to compliance and using specific tools like ArcSight Solutions (which are typically used in security monitoring) should be considered when creating PCI-related reports. In summary, this text is providing guidance on how not to modify default settings of a tool for compliance and reporting purposes, focusing instead on maintaining the integrity of the Compliance dashboard and considering special requirements in specific situations. It also highlights that older data related to security measures (with ArcSight Solutions) should be included in PCI reports.