
PCI-DSS requirement 2.2 hardening standards

THE CHALLENGE

PCI DSS compliance is a requirement for any business that stores, processes, or transmits cardholder data. The PCI-DSS standard has many requirements; Requirement 2.2 poses a fundamental challenge to organizations managing large server environments because it requires the enforcement and management of server hardening baselines.

Default operating system and application configurations are built not for security but for ease of deployment and ease of use. Such systems, used as supplied, leave your entire infrastructure exposed to attack. Hardening servers (OS and applications) is a basic requirement of an enterprise security posture. The hardening process involves both IT operations and security teams and requires changing the default configuration according to industry benchmarks.

In PCI-DSS v4.0, requirement 2.2 covers system configuration standards and states its objective as: “System components are configured and managed securely.”

Although selecting and approving a baseline is a relatively easy task, enforcing and managing a baseline such as CIS is labor-intensive and error-prone for IT teams. Enforcing baseline configuration changes on production servers can cause system outages and application malfunctions. Configuration changes must be carefully tested in a lab environment before being deployed to production, and yet services still break after testing, because a lab cannot fully simulate production dependencies.

The difficulty of managing a hardening process often shows up as IT audit findings for missing configuration hardening and as fines from the PCI-DSS council.


PCI-DSS requirement 2.2 in PCI-DSS v4.0:

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

Sources of industry-accepted system hardening standards may include, but are not limited to:


Requirement 2.2 testing procedure:

2.2.1.a. Examine system configuration standards to verify they define processes that include all elements specified in this requirement.

2.2.1.b. Examine policies and procedures and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.3.1.

2.2.1.c. Examine configuration settings and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before or immediately after a system component is connected to a production environment.

2.2.2. Vendor default accounts are managed as follows:
• If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6.
• If the vendor default account(s) will not be used, the account is removed or disabled.

2.2.2.a Examine system configuration standards to verify they include managing vendor default accounts in accordance with all elements specified in this requirement.

2.2.2.b Examine vendor documentation and observe a system administrator logging on using vendor default accounts to verify accounts are implemented in accordance with all elements specified in this requirement.

2.2.2.c Examine configuration files and interview personnel to verify that all vendor default accounts that will not be used are removed or disabled.
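As an added illustration (not CalCom's code and not part of the PCI-DSS text), the following Python script applies the 2.2.2 rule to a Linux host's account database: every account on a vendor-default list is classified from the text of /etc/passwd and /etc/shadow, then checked either for a changed default password (if the account is in use) or for being removed or disabled (if it is not). The account names, hash values and the list of vendor default accounts are constructed assumptions.

```python
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_colon_file(text, value_index):
    out = {}   # first field (account name) -> field at value_index
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            out[fields[0]] = fields[value_index]
    return out

def account_state(name, shells, hashes):
    if name not in shells:
        return "removed"
    # "*", "!" or "!<hash>" in the shadow hash field locks the account; a nologin shell also disables it
    if hashes.get(name, "").startswith(("*", "!")) or shells[name] in NOLOGIN_SHELLS:
        return "disabled"
    return "active"   # includes an empty hash field, i.e. login with no password at all

def audit_default_accounts(passwd_text, shadow_text, vendor_defaults, in_use, default_hashes):
    """Return {account: (state, compliant, reason)} applying PCI-DSS 2.2.2 to each vendor default account."""
    shells = parse_colon_file(passwd_text, 6)   # passwd field 7: login shell
    hashes = parse_colon_file(shadow_text, 1)   # shadow field 2: password hash
    report = {}
    for name in sorted(vendor_defaults):
        state = account_state(name, shells, hashes)
        if name in in_use:   # used account: the default password must have been changed
            bad = state != "active" or hashes.get(name, "") in default_hashes | {""}
            ok, why = not bad, "in use: " + ("default/empty password or unusable account" if bad else "password changed")
        else:                # unused account: must be removed or disabled
            ok, why = state != "active", "not in use: " + ("removed/disabled" if state != "active" else "still enabled")
        report[name] = (state, ok, why)
    return report

# Constructed sample data, not from any real system; the hash values are placeholders.
PASSWD = """admin:x:1000:1000:Vendor admin:/home/admin:/bin/bash
backup:x:1001:1001:Backup svc:/var/backup:/bin/bash
guest:x:1002:1002:Guest:/home/guest:/bin/bash
operator:x:1003:1003:Operator:/:/sbin/nologin
test:x:1004:1004:Test:/home/test:/bin/sh"""
SHADOW = """admin:$6$vendor$DEFAULTHASH:19000:0:99999:7:::
backup:$6$new$CHANGEDHASH:19500:0:99999:7:::
guest:!$6$vendor$GUESTHASH:19000:0:99999:7:::
operator:*:19000:0:99999:7:::
test::19000:0:99999:7:::"""
DEFAULT_HASHES = {"$6$vendor$DEFAULTHASH"}   # vendor-published default hash, usable where the vendor ships a fixed hash

def run_sample():
    return audit_default_accounts(PASSWD, SHADOW, {"admin", "backup", "guest", "operator", "support", "test"},
                                  {"admin", "backup"}, DEFAULT_HASHES)
```

On a live host the same functions take the contents of /etc/passwd and /etc/shadow (root access required for the latter), and the vendor-default list comes from the asset's own documentation.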

Requirement 2.2 guidance:

There are known weaknesses with many operating systems, databases, network devices, software, applications, container images, and other devices used by an entity or within an entity’s environment. There are also known ways to configure these system components to fix security vulnerabilities. Fixing security vulnerabilities reduces the opportunities available to an attacker.

By developing standards, entities ensure their system components will be configured consistently and securely, and address the protection of devices for which full hardening may be more difficult.

Easily achieve compliance with PCI-DSS requirement 2.2, reduce IT administration costs for server hardening tasks, and ensure continuous compliance with known hardening standards while avoiding system crashes and outages.

CHS is a baseline hardening solution designed to address the needs of IT operations and security teams. It significantly reduces operational costs and eliminates service downtime by indicating the impact of a security baseline change directly on the production environment. An automated process simulates the impact of a change in the production environment, removing the need to test changes in a lab environment.

Benefits:

  • Deploy the required security baseline without affecting the production services.
  • Reduce the costs and resources required for implementing and achieving compliance.
  • Manage the hardening baseline for the entire infrastructure from a single point.
  • Avoid configuration drifts and repeated hardening processes.

THE SOLUTION

CHS is an automated hardening solution designed to address the needs of IT operations and security teams. It significantly reduces operational costs and eliminates the risk of production downtime by indicating the impact of a security baseline change directly on the production environment. CHS removes the need to test changes in a lab environment before pushing them to production.

CHS will help you easily achieve compliance with PCI-DSS requirement 2.2, reduce IT administration costs for server hardening tasks, and ensure continuous compliance with known hardening standards while avoiding system crashes and outages.

Benefits:

  • Deploy the required security policy without affecting the production environment.
  • Reduce the costs and resources required for implementing secure configurations and achieving compliance.
  • Manage the entire infrastructure hardening process from a single point of control.
  • Avoid configuration drifts and repeated hardening processes.