Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
345
Views
0
Helpful
1
Replies

PCI: update your system configuration standards as new vulnerability issues are identified

ahmad82pkn
Level 2
Level 2

‎12-11-2015 04:01 AM - edited ‎02-21-2020 05:38 AM

Hi, As per PCI Clause.

Your process document detailing how to update your system configuration standards as new vulnerability issues are identified.

What should be process for networking Gear? do i need to keep upgrading my each and every network gear Router/ASA/Switch whenever Cisco release a new software version?

That is gong to cause lot of planning and downtime whenever we do upgrade.

is there any work around of not upgrading every time? or what is standard people usually follow ?

Like from ASA you can do lots of things, but if ASA is used only just for few ACL lines, then why should i need to upgrade if there is some SSL vulnerability or may be some h323 vulnerability.

Like i need to know, is there any way to evaluate, if i really need to upgrade my IOS or its fine unless i am not using any such features? or there is any tool that can scan my Firewall or Router and show result if its exposed and need upgrade for PCI compliance ? need some assistance.

0 Helpful
1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

‎12-11-2015 07:50 AM

A couple of guidelines:

1. Segment your network so that only necessary systems are "in scope" for PCI.

2. Identify the necessary services on your network equipment and disable unneeded ones. For instance, this can help with the ASA - if it is in scope but you don't use any SSL features then you don't bind a certificate to any exposed interface and thus are not affected by SSL vulnerabilities.

3. When necessary services are affected by a security advisory, there is usually a work around in addition to a new software version fix available. Consider the work around as a compensating control to mitigate the vulnerability.

All of that aside, I advise customers to monitor security advisories and new software releases in general - PCI or not. Those activities are one part of responsible network and security operations procedures and are useful in making informed decisions about how and when to upgrade.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card