
How to catch what is not. Part six. Viruses in the bank

Financial institutions are at the moment the most heavily regulated sector in terms of security. The abundance of orders, letters and standards would seem to answer any question that comes up while developing and implementing a security policy.

But that is only at first glance. In reality, meeting the requirements of, say, STO BR IBBS provides no anti-virus security whatsoever: the standard's authors are captive to traditional notions of what an antivirus and an anti-virus protection system are. On the other hand, the room left for free interpretation of laws and standards lets unscrupulous suppliers justify their "compliance" with the letter of the requirements.

What do you need to pay attention to when implementing anti-virus protection in the banking sector?
As practice shows, the lion's share of questions and misconceptions concerns the protection of ATMs and payment terminals, and they are caused by ignorance of the provisions of that same PCI DSS. So we begin the review with them.

PCI-DSS / PA-DSS requirements

As a rule, all such devices work with Visa and MasterCard cards and therefore fall under PCI DSS (Payment Card Industry Data Security Standard), which describes the security requirements for anyone who processes, transmits or stores payment cardholder data, and under PA-DSS. The current version of the standard is PCI DSS 3.1.

PCI DSS was developed by the Payment Card Industry Security Standards Council (PCI SSC). PCI SSC was founded by the leading international payment systems: Visa, MasterCard, American Express, JCB and Discover. PCI SSC publishes information about its activities on its website. A Russian translation of version 3.0 of the standard exists.

The standard combines the requirements of a number of information protection programs, in particular:


The requirements of PCI DSS apply to organizations that process cardholder information. If an organization stores, processes or transmits information on even one card transaction or cardholder per year, it must comply with PCI DSS. Such organizations include merchants (including retail stores and e-commerce services) and service providers that process, store or transmit card data (processing centers, payment gateways, call centers, backup media storage facilities, card personalization companies, etc.).

The PCI DSS standard contains detailed information security requirements, divided into 12 thematic sections:


Since questions about whether anti-virus requirements exist at all arise both about the standard itself and about its translation, we quote both variants: the English original and the Russian translation (rendered here in English).

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Malicious software, commonly referred to as "malware" (including viruses, worms, and Trojans) enters the network during many business-approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may be considered as a supplement to the anti-virus software; however, such additional solutions do not replace the need for anti-virus software to be in place.

Requirement 5. Protect all systems from malware and regularly update anti-virus software or programs.

Malicious software, including viruses, worms, and Trojans, penetrates the network during many business actions, including email, Internet, mobile computers, and storage devices, leading to exploitation of system vulnerabilities. Antivirus software should be used on all systems that are usually exposed to malware in order to protect the system from current and potential malware threats. Additional anti-malware solutions can be used as an add-on to antivirus software; however, such additional solutions do not remove the requirement for the presence of anti-virus software .

We immediately see why you need to read the original sources:


5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.

There is a constant stream of attacks using widely published exploits, often called "zero day" (an attack that exploits a previously unknown vulnerability), against otherwise secured systems. Without an anti-virus solution that is updated regularly, these new forms of malicious software can attack systems, disable a network, or lead to compromise of data.
5.1 Deploy antivirus software on all systems that are usually affected by malware ( especially on personal computers and servers ).
5.1 Verify that anti-virus software is deployed in a selection of system components, including all types of operating systems that are usually affected by malware, with applicable anti-virus technology.
Against seemingly protected systems, there is a constant stream of attacks that use widely available exploits and which are often called “zero-day attacks” (such attacks exploit previously unknown vulnerabilities). Without regularly updated anti-virus software, new forms of malware can attack the system, disrupt the network, and lead to data compromise.

The standard once again confirms that an antivirus must be installed on all systems susceptible to infection, without exception. The only reservation is whether an anti-virus product exists for the platform at all.

Unfortunately, in practice the clarification given in brackets (particularly personal computers and servers) is taken as absolute. A huge share of infections of stand-alone devices come from the devices and removable media of service personnel, in particular because the level of protection on the infecting device at the moment of infection is lower than required (including because updates that need a reboot have not been installed). Cases where the company also protects the personal devices and home computers of its employees without fail

Against the background of this requirement, the note on zero-day threats looks odd. Indeed, an antivirus cannot recognize every last piece of malware at the moment it arrives. But the standard merely notes this fact; it offers no measures against threats the antivirus does not yet know.

5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
5.1.1 Review vendor documentation and examine anti-virus configurations to verify that anti-virus programs:
  • Detect all known types of malicious software,
  • Remove all known types of malicious software, and
  • Protect against all known types of malicious software.

Examples of types of malicious software include viruses, Trojans, worms, spyware, adware, and rootkits.
It is important to protect against ALL types and forms of malicious software.

5.1.1 Ensure that anti-virus software is able to detect, eliminate, and protect against all known types of malware.
5.1.1 Check the vendor's documentation and the antivirus configuration to make sure that the antivirus programs:
  • detect all known types of malware;
  • remove all known types of malware;
  • protect against all known types of malware.

Examples of malware are viruses, worms, Trojans, spyware, adware and rootkits.
It is important to protect against ALL types and forms of malware.

PCI DSS is one of the few standards that correctly states the purpose of an antivirus: it can detect only malicious programs known to it, and it must be able to remove them! The latter is an extremely rare guest in anti-virus protection requirements.

5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
5.1.2 Carry out periodic checks on systems that are generally considered unaffected by malware infection, identifying and assessing the threat of infection by new forms of malware, in order to verify that these systems still do not require anti-virus software.

Also an extremely important point. Having built the protection, you cannot rest on your laurels. Information about possible vulnerabilities must be gathered continuously and the protection improved.

5.2 Ensure that all anti-virus mechanisms are maintained as follows:
  • Are kept current,
  • Perform periodic scans
  • Generate audit logs which are retained per PCI DSS Requirement 10.7

5.2.a Examine policies and procedures to verify that anti-virus software and definitions are required to be kept up to date.
5.2.d Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that:
  • Anti-virus software log generation is enabled, and
  • Logs are retained in accordance with PCI DSS Requirement 10.7.

Even the best anti-virus solutions are limited in effectiveness if they are not maintained and kept current with the latest security updates, signature files, or malware protections.
Audit logs provide the ability to monitor virus and malware activity and anti-malware reactions. Thus, it is imperative that anti-malware solutions be configured to generate audit logs and that these logs be managed in accordance with Requirement 10.
5.2 Ensure that all anti-virus mechanisms:
  • maintained up to date;
  • perform periodic scans;
  • create event logs that are stored according to requirement 10.7 of the PCI DSS standard.

5.2.a Check the policies and procedures for the fact that they prescribe to keep anti-virus software and databases up to date.
5.2.b Check the configuration of antiviruses, including installation images and a selection of system components, to ensure that:
  • creation of event logs is enabled;
  • logs are stored as per PCI DSS requirement 10.7.

Even the best antiviruses have limited effectiveness in the absence of the latest security updates, antivirus databases or anti-malware mechanisms.
Event logs provide the ability to monitor the activity of viruses and malware, and respond to this activity. Therefore, it is important to configure anti-malware solutions so that you can generate entries in the event log and manage these entries in accordance with requirement 10.

Errors in the numbering of paragraphs and punctuation of the translation are taken from the original

Here the most important thing is perhaps the logging requirement: it is the item whose implementation makes incident analysis possible.

5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
5.3.a Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify the anti-virus software is actively running.
5.3.b Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that the anti-virus software cannot be disabled or altered by users.
5.3.c Interview responsible personnel and observe processes to verify that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Anti-virus that continually runs and is unable to be altered will provide persistent security against malware.
Use of policy-based controls on all systems to ensure anti-malware protections cannot be altered or disabled will help prevent system weaknesses from being exploited by malicious software.
Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active, for example, disconnecting the unprotected system from the Internet while the anti-virus protection is disabled, and running a full scan after it is re-enabled.

5.3 Ensure that anti-virus engines are constantly running and that users can neither turn them off nor change them without explicit permission, which is issued by the management for each particular case and for a limited period of time.
Note: anti-virus tools can be temporarily disabled only in the case of a justified technical need, with the permission of the management in each particular case. If you need to disable anti-virus protection for a specific purpose, you must obtain official permission . You may also need additional protective measures for the time during which anti-virus protection will be inactive.
5.3.a To study the configuration of antiviruses, including installation images and a sample of system components, and make sure that the antivirus software is working in active mode.
5.3.b Check the configuration of the antivirus, including the installation images of the software and the selection of system components, to the effect that the antivirus software cannot be disabled or changed by users.
5.3.c Interview the responsible employees and monitor the processes to ensure that the anti-virus software cannot be disabled or changed by users without the explicit permission of the management in each particular case and for a limited period of time.
The anti-virus, which works constantly and protected from changes, will provide reliable protection against malware.
Use policy-based protective measures on all systems to eliminate the possibility of changing or disabling anti-virus software protective measures. This will prevent the attacker from taking advantage of system vulnerabilities.
Additional security measures may also be required for the period of time during which anti-virus protection will be disabled (for example, disabling an unprotected system from the Internet while anti-virus protection is disabled and running a full scan after re-enabling it).

The quotation is rather lengthy, but it is needed against another myth: that once an antivirus is installed it can be switched off. According to the standard, switching it off is an extraordinary event.

The quotes above essentially describe the requirements for anti-virus protection in general. There are no requirements for how an antivirus must detect malware and counteract it. In fact, the standard simply requires that anti-virus software be used and regularly updated. The only requirement on the antivirus itself is in clause 5.1.1: the products used must detect all types of threats. Clauses 5.1 and 5.2 are addressed to the staff who operate the protection system.
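Clauses 5.1, 5.1.2, 5.2 and 5.3 (with the log-retention rule of Requirement 10.7 that 5.2 points to) translate into a handful of per-host checks. The script below is an added example, not code from the article or from PCI SSC: it evaluates a constructed inventory of endpoint status records against those clauses and lists the findings per host. The field names, the set of "commonly affected" OS families, the freshness thresholds and the sample hosts are all assumptions made for illustration; an assessor decides the real values.

```python
"""Added example (not part of the original article or of PCI DSS): evaluate
endpoint anti-virus status records against PCI DSS 3.1 clauses 5.1, 5.1.2,
5.2, 5.3 and the retention rule of 10.7 (one year retained, three months
immediately available). Field names, thresholds and sample data are assumed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumption: the assessor decides which OS families count as "commonly
# affected by malicious software" (5.1); this set is illustrative only.
COMMONLY_AFFECTED = {"windows", "macos", "linux"}


@dataclass
class Endpoint:
    name: str
    os_family: str
    av_installed: bool = False
    av_running: bool = False                        # 5.3: actively running
    user_can_disable: bool = True                   # 5.3: must be False
    definitions_date: Optional[date] = None         # 5.2: kept current
    last_scan: Optional[date] = None                # 5.2: periodic scans
    logging_enabled: bool = False                   # 5.2: audit logs generated
    log_retention_days: int = 0                     # 10.7: at least one year
    online_log_days: int = 0                        # 10.7: three months available
    last_threat_evaluation: Optional[date] = None   # 5.1.2: exempt systems


def _age(today: date, when: Optional[date]) -> Optional[int]:
    return None if when is None else (today - when).days


def check_endpoint(ep: Endpoint, today: date, max_def_age: int = 1,
                   max_scan_age: int = 7, max_eval_age: int = 365) -> List[str]:
    """Return the findings for one endpoint; an empty list means compliant."""
    findings: List[str] = []
    if ep.os_family not in COMMONLY_AFFECTED:
        # 5.1.2: a platform treated as "not commonly affected" stays exempt
        # from 5.1 only while that assessment is periodically re-confirmed.
        age = _age(today, ep.last_threat_evaluation)
        if age is None or age > max_eval_age:
            findings.append("5.1.2: malware-threat evaluation missing or older "
                            "than %d days" % max_eval_age)
        return findings
    if not ep.av_installed:
        # Nothing further can be checked without an AV product in place.
        return ["5.1: no anti-virus software deployed"]
    if not ep.av_running:
        findings.append("5.3: anti-virus not actively running")
    if ep.user_can_disable:
        findings.append("5.3: users can disable or alter anti-virus")
    age = _age(today, ep.definitions_date)
    if age is None or age > max_def_age:
        findings.append("5.2: definitions not current")
    age = _age(today, ep.last_scan)
    if age is None or age > max_scan_age:
        findings.append("5.2: no periodic scan within %d days" % max_scan_age)
    if not ep.logging_enabled:
        findings.append("5.2: audit log generation disabled")
    else:
        if ep.log_retention_days < 365:
            findings.append("10.7: logs retained for less than one year")
        if ep.online_log_days < 90:
            findings.append("10.7: less than three months of logs immediately available")
    return findings


def audit(endpoints: List[Endpoint], today: date) -> Dict[str, List[str]]:
    """Map endpoint name to its findings, for non-compliant endpoints only."""
    report: Dict[str, List[str]] = {}
    for ep in endpoints:
        found = check_endpoint(ep, today)
        if found:
            report[ep.name] = found
    return report


# Constructed sample inventory (hypothetical hosts, not real systems).
TODAY = date(2015, 5, 15)
SAMPLE = [
    Endpoint("teller-pc-01", "windows", av_installed=True, av_running=True,
             user_can_disable=False, definitions_date=date(2015, 5, 15),
             last_scan=date(2015, 5, 12), logging_enabled=True,
             log_retention_days=400, online_log_days=120),
    Endpoint("atm-0042", "windows", av_installed=True, av_running=True,
             user_can_disable=True, definitions_date=date(2015, 4, 1),
             last_scan=None, logging_enabled=True,
             log_retention_days=30, online_log_days=30),
    Endpoint("kiosk-07", "windows"),
    Endpoint("core-mainframe", "zos", last_threat_evaluation=date(2014, 12, 1)),
    Endpoint("old-as400", "os400", last_threat_evaluation=date(2013, 1, 1)),
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE, TODAY).items():
        print(host)
        for item in findings:
            print("  -", item)
```

Note how the ATM in the sample passes the naive "is an antivirus installed and running" test yet still fails 5.2, 5.3 and 10.7; that is exactly the gap between "we have an antivirus" and what the standard actually asks for.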

Nevertheless, market participants quite often demand PCI DSS certified products from anti-virus vendors. Hence another quotation, this time from PA-DSS:

PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data and/or sensitive authentication data.

The PA-DSS standard (Payment Application Data Security Standard) grew out of the Visa PABP (Payment Application Best Practices) program and adapts the PCI DSS requirements to applications. More specifically, PA-DSS applies to applications ( www.pcidss.ru/files/pub/pdf/which_application_are_eligible_for_padss.pdf , www.pcidss.ru/download/#padss ) that process cardholder data as part of authorization or settlement.

From the above quotation it follows that anti-virus products do not relate to PA-DSS, since they are not intended for processing, storing and transmitting cardholder data - they are not a “payment application” in principle!

This is confirmed by the following phrase, in which the antiviruses and payment application are clearly separated:
This includes, but is not limited to, the following:
  • Storage of Magnetic Stripe Data;
  • You need to use PCI DSS, for example;

As a result, the list of certified solutions (Validated Payment Applications, www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true# , www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php ) contains not a single anti-virus product. A Symantec product does appear in the list, but Symantec's portfolio consists of more than anti-virus solutions.

In the context of PA-DSS, a payment application that is audited and included in the PCI SSC program is an application that stores, processes or transmits cardholder data (CHD) as part of authorization or settlement.

The Payment Application Data Security Standard standard contains a very interesting requirement for a payment application (but not for an anti-virus product):

8.1 The payment application must be able to be implemented into a secure network environment. Application must not interfere with use of devices, applications, or configurations required for PCI DSS compliance (for example, payment application cannot interfere with anti-virus protection, firewall configurations, or any other device, application, or configuration required for PCI DSS compliance).

That is, again, anti-virus products and firewalls do not belong to the payment application, and as a result, anti-virus products do not fall within the coverage area of ​​PA-DSS.

Requirements of the Regulations of the Bank of Russia of June 9, 2012 No. 382-P

The Federal Law of June 27, 2011 No. 161 “On the National Payment System” states that all subjects of the national payment system “are obliged to protect information when making money transfers in accordance with the requirements established by the Bank of Russia”. Such requirements are the Bank of Russia Regulation No. 382-P dated June 9, 2012 “On the Requirements for Ensuring Information Security in Transfers of Funds and the Procedure for the Bank of Russia to Control Compliance with Requirements for Ensuring Information Security in Transfers” and the Government Decree No. 584 of June 13, 2012 “On Approval of the Regulations on the Protection of Information in the Payment System”. This order is described in www.cbr.ru/PSystem/P-sys/faq_382-P.pdf .

The regulations of the Bank of Russia Regulation No. 382-P dated June 9, 2012 (with changes according to Bank of Russia Instructions 3007-U of 06/05/2013, N 3361-U of August 14, 2014) “On the requirements for ensuring the protection of information in the implementation of money transfers and on the procedure for the Bank of Russia to monitor compliance with the requirements to ensure the protection of information in the implementation of money transfers. ”

2.7.1 A money transfer operator, a bank payment agent (subagent) and a payment infrastructure service operator ensure:

  • the use of technical information protection tools designed to detect malicious code and to prevent the impact of malicious code on information infrastructure facilities ... on computer equipment, including ATMs and payment terminals, where technically possible;
  • regular updating of the versions of the technical tools protecting information from the impact of malicious code and of the databases these tools use, which contain descriptions of malicious code and methods of neutralizing it;
  • operation of the technical tools protecting information from the impact of malicious code in automatic mode, where technically possible.

As in PCI DSS, the requirement confirms that every element of the infrastructure must be protected wherever suitable products exist on the market, and that the protection must run continuously: periodic scans alone are not acceptable.

Only an antivirus can automatically detect the presence of malicious code as such. All other tools can at best react to the changes it makes in the system.

The clause also draws attention to self-protection, critical functionality that most companies using anti-malware tools do not even know they need.

2.7.5 In case of detection of a malicious code or the fact of the impact of a malicious code, the money transfer operator, bank payment agent (subagent), payment system operator, payment infrastructure service operator ensure that measures are taken to prevent the spread of malicious code and eliminate the consequences of malicious code exposure ...

Another very important point, but unfortunately not clearly articulated. It is clear in principle that measures must be taken, but how? Assign an action in the anti-virus control center, track incidents manually, or implement an automatic response system? A fair number of attacks on companies happen during holidays, when the information security officer (often the only one) is on vacation and there is no rapid-response team.

2.8.1. When using the Internet for money transfers, the money transfer operator, bank payment agent (subagent), and the operator of payment infrastructure services provide:

  • the use of organizational measures to protect information and (or) the use of technical means of protecting information intended to prevent unauthorized access to protected information transmitted over the Internet;
  • the use of organizational measures to protect information and (or) the use of technical information protection tools designed to prevent unauthorized access to the protected information at information infrastructure facilities using the Internet;
  • the use of organizational measures to protect information and / or the use of technical information protection tools designed to prevent unauthorized access to protected information by exploiting software vulnerabilities;
  • minimization of negative consequences associated with the delay in the implementation of money transfers, failures or refusals in the operation of the information infrastructure facility;
  • filtering network packets when exchanging information between information and telecommunication networks in which information infrastructure facilities are located and the Internet to protect against negative external influences from the Internet

2.10.1 The operator for the transfer of funds, the bank payment agent (subagent), the operator of the payment infrastructure services provide accounting and control of the composition of the installed and (or) software used on computer equipment.

Formally, these two clauses are not about protection against malicious programs in the sense of 382-P, but in practice they describe exactly that: traffic analysis, protection against unauthorized access, backup and redundancy, a firewall.
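Clause 2.10.1 ("accounting and control of the composition of installed software") is the one point in 382-P that can be checked mechanically, and it also catches the silent removal or downgrade of the anti-virus agent that 2.7.1 requires. The script below is an added example, not code from the article or from the Bank of Russia: it compares the software observed on a machine with an approved baseline and reports anything added, removed or changed in version. The `name<TAB>version` inventory format (what `dpkg-query -W` prints, or an exported list of installed programs) and the package names in the sample data are assumptions made for illustration.

```python
"""Added example (not part of the original article or of Regulation 382-P):
a check for clause 2.10.1, accounting and control of the composition of
installed software. The inventory format and the sample data are assumed."""
from typing import Dict, List, Tuple

Inventory = Dict[str, str]  # package name -> version string


def parse_inventory(text: str) -> Inventory:
    """Parse 'name<TAB>version' lines (assumed format, e.g. `dpkg-query -W`
    output); blank lines and '#' comments are skipped."""
    inv: Inventory = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("\t")
        inv[name.strip()] = version.strip()
    return inv


def inventory_drift(baseline: Inventory, observed: Inventory) -> Dict[str, List[Tuple[str, ...]]]:
    """Differences between the approved baseline and what is actually installed."""
    added = sorted((n, v) for n, v in observed.items() if n not in baseline)
    removed = sorted((n, v) for n, v in baseline.items() if n not in observed)
    changed = sorted(
        (n, baseline[n], observed[n])
        for n in baseline
        if n in observed and baseline[n] != observed[n]
    )
    return {"added": added, "removed": removed, "changed": changed}


def is_compliant(drift: Dict[str, List[Tuple[str, ...]]]) -> bool:
    """2.10.1 is met only when the installed set matches the approved one exactly."""
    return not any(drift.values())


# Constructed sample data: an approved ATM image and what an inspection found.
BASELINE_TEXT = """\
# approved software composition for the ATM image (constructed example)
payment-app\t4.2.1
av-agent\t11.0.3
log-forwarder\t2.8
openssl\t1.0.1p
"""

OBSERVED_TEXT = """\
payment-app\t4.2.1
av-agent\t10.9.0
openssl\t1.0.1p
remote-admin-tool\t3.1
"""

if __name__ == "__main__":
    drift = inventory_drift(parse_inventory(BASELINE_TEXT),
                            parse_inventory(OBSERVED_TEXT))
    print("compliant:", is_compliant(drift))
    for kind, items in drift.items():
        for item in items:
            print(kind + ":", item)
```

In the constructed sample the drift report shows a downgraded anti-virus agent, a missing log forwarder and an unapproved remote-administration tool; each of those is a 2.7.1 or 2.7.5 incident in its own right, which is why a 2.10.1 inventory check is worth running on a schedule rather than only during an audit.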

Requirements Letters of the Bank of Russia of March 24, 2014 No. 49-T

Bank of Russia Letter No. 49-T, dated March 24, 2014, “On Recommendations for Organizing the Use of Security Measures Against Malicious Code in Banking Activities” requires “the protection of computer equipment and the following components of automated systems and telecommunications equipment of a credit institution (hereinafter referred to as objects of protection): "


№ 17 , .

. , , , . .

, , , — , , .

№ 49-T. , :

2.1.5. , — .
2.1.7. .
2.1.9. .

, , .

2.1.10. - :

  • ;
  • ;
  • .

, , , — .

2.1.13. () .

.

2.1.14. ( ).

, . .

2.1.18. , , .
2.1.25. ( ) , .

. .

4.2.1. , — ( — ), — .
, , , .
2.1.16. () , , .
5.4. , , , , , , - , .

, - .

STO BR IBBS-1.0-2014

, .

7.5.1. , .
, , ) .

, 7.5.6, .

7.5.2. .

, .

7.5.3. , , .

, № 49- — , .

7.5.5. .
7.5.6. , :

  • ;
  • , ;
  • .

, № 49-. , , .

7.5.7. , , . .

, № 382-, — - , . .

7.5.8. , , , , , , :

  • ;
  • ;
  • ( ).

, , , .

7.5.9. , .

, PCI-DSS, — .

7.6.4. , , , , , , , .

, , , , .

In summary:
  1. , ( PCI-DSS) ( ) , ( , ), — ( ).
  2. . . , , .
  3. .
  4. , , -. , .
  5. PCI DSS PA-DSS , PCI DSS PA-DSS , , PA-DSS.
  6. —

Source: https://habr.com/ru/post/257725/
