Branden R. Williams
Anton A. Chuvakin
Copyright
Acquiring Editor:Chris Katsaropolous
Development Editor:Heather Scherer
Project Manager:Jessica Vaughan
Designer:Russell Purdy
Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
2012 ELSEVIER, Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publishers permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices, may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Application submitted
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.
ISBN: 978-1-59749-948-4
Printed in the United States of America
12 13 14 15 16 10 9 8 7 6 5 4 3 2 1
For information on all Syngress publications visit our website at www.syngress.com
Acknowledgements
This revision has been a long time coming, and weve made adjustments that you readers have asked for. My sincere thanks to all of you out there for continuing to fight the good fight while using this book as a guide!
This book is dedicated to my wife Christine, my children Garrett and Payton, and my extended family for supporting the effort to make this work the central tome for the industry. Still looking forward to that day where our biggest decision is the bench on which we will enjoy lunch!
We need to give a HUGE thanks to Derek Milroy for stepping up and providing great content around Windows, vulnerability management, and being the sole technical editor for this book. You will find his influence in every chapter of this edition. Without him, we never would have been able to release this book when we did.
And finally, to you, the reader. Whether you are in internal audit, a QSA, or simply someone responsible for some portion of PCI DSS, you live in the trenches implementing solutions every day. Keep at it, and dont lose sight of the end game: to securely grow your business!
Branden R. Williams
First and foremost, the most important part: Id like to thank my wife Olga for being my eternal inspiration for all my writing, for providing invaluable economic advice, and for tolerating (well, almost always) my work on the book during those evening hours that we could have spent together.
Next, Id like to specially thank Derek Milroy for his exclusive material used in Chapter 9, Vulnerability Management, and also for reviewing the book contents.
Also, Id like to personally thank the following people for their contributions to the book:
Walt Conway from 403 Labs for his insightful example used in Chapter 3, Why Is PCI Here?
John Kindervag from Forrester Research for inventing the concept of customer data security as part of corporate social responsibility (mentioned in Chapter 17, Myths and Misconceptions of PCI DSS).
Dr. Anton A. Chuvakin
About the Authors
Branden R. Williams (CISSP, CISM) is a CTO at RSA, the security division of EMC and represents RSA on the PCI Board of Advisors. He has been involved in information technology since 1994 and has focused on information security since 1996. He started consulting on payment security in 2004, assessing companies against the Visa CISP and MasterCard SDP programs. He has a Bachelors of Business Administration in Marketing from the University of Texas, Arlington, and a Masters of Business Administration in Supply Chain Management and Market Logistics from the University of Dallas.
Branden spent several years as an Adjunct Professor at the University of Dallas, Graduate School of Management, and is an ISSA Fellow. He publishes a monthly column in the ISSA Journal entitled Herding Cats and authors a blog at www.brandenwilliams.com/.
Dr. Anton A. Chuvakin is a recognized security expert in the field of log management, SIEM and PCI DSS compliance. Anton is the co-author of Security Warrior (ISBN: 978-0-596-00545-0) and a contributing author to Know Your Enemy: Learning About Security Threats, Second Edition (ISBN: 978-0-321-16646-3); Information Security Management Handbook, Sixth Edition (ISBN: 978-0-8493-7495-1); Hackers Challenge 3: 20 Brand-New Forensic Scenarios & Solutions (ISBN: 978-0-072-26304-6); OSSEC Host-Based Intrusion Detection Guide (Syngress , ISBN: 978-1-59749- 240-9); and others.
Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS, security management, and other security subjects. His blog, www.securitywarrior.org, was one of the most popular in the industry. In addition, Anton taught classes and presented at many security conferences across the world; He recently addressed audiences in the United States, United Kingdom, Singapore, Spain, Russia, and other countries. He worked on emerging security standards and served on the advisory boards of several security start-ups. Until recently, Anton ran his own consulting firm, Security Warrior. Prior to that, he was formerly a Director of PCI Compliance Solutions at Qualys and as Chief Logging Evangelist at LogLogic, tasked with educating the world about the importance of logging for security, compliance, and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.
Technical Editor
Derek Milroy(CISSP, CISA) Derek Milroy is a corporate security professional that has been implementing security in corporate environments, as both an internal employee and as a consultant, for the past ten plus years. His main areas of focus include implementing: Windows Hardening (also Forest/Domain/GPO architectures), Vulnerability Management, Patch Management, Log Management/SIM/SEIM, and Intrusion Prevention technologies. He is a former QSA and has also performed ISO 72001/27002 and NIST 800-53A assessments.