technical-req-pci-dss
PCI DSS best practices for commons environments.
Servers
- Install or Enable the audit app into those servers.
- Create a specific user to access those servers, those keys never need to use.
- Configure those logs (messages, security, firewall, IPS/IDS and audit) to store in CloudWatch Logs.
- Those logs must have:
- User ID, Event type, Date/Hour, Status (Success or fail), Event Origin, description of data, components or items affected.
- Monitor the changes in critical files like passwd, groups, audit.conf, sshd_config, ntp.config and others.
- Enable two-factor authentication into the bastion.
- Configure into ssh a connection timeout, max 8 hours.
- Create, document and apply a Hardening baseline for servers.
- Rotate the user's password of servers and database every 90 days.
- Create a Password policy to users on the servers:
- min: 8 char / min: 1 upper and lower char / min: 1 num char / min: 1 special char
- Block to the user doesn't use the 4 previous (min) passwords.
- Set up to user change the first password in the first access.
- Limit and block after 6 tries (in max) of wrong access for the same user.
- Set up the duration of the block to 30 minutes or until that administration enables the user.
- During connection, set up to request to type the password again every 15 minutes.
- If the connection is away, set up to request to type the password again after 15 minutes.
- Install an anti-virus into the servers and execute a scan weekly.
- Update the anti-virus into server daily.
- Apply the system update (at least the security update) monthly.
- Restrict the servers to have just one a responsibility, like web servers, mail servers and etc.
- Maintain into servers the date and hour synchronized.
Environment
- Create and keep update a diagram from environment topology (network side and applications).
- Create some alerts to suspects activities based on the logs (SIEM).
- Installed an IPS/IDS (squid) into the environment.
- Create and maintain an inventory from servers.
- The inventory app or list must be accessed restrict to the authorized people.
- Execute a Pentest annually in the majors URLs.
- Execute an external vulnerability scan in the majors URLs every 3 months and generate evidence.
- Review the firewall rules every 3 months and generate evidence.
- Restrict as much you can the Firewall rules to input/output traffic.
- Rotate the AWS keys every 90 days.
- Use only security connection to transfer data, like SCP, SFTP, and HTTPS.
- Each user needs to have an exclusive and confidential ID and password.
- Enable the NTP Service into servers, the AWS has an internal server to do that.
- Restrict the access to logs centralized, is good to have a group with the application logs to analyze from developers and another group to store the same log from the application and the system operational logs.
- Prioritize the solution to security issues.
- Create an assessment to contract new third-party applications, like the third-party should provide a connection over https, production, and non-production environment, they need to have at least one security certification and others.
Miscellaneous
- Create an issue for any change into production, even to create users, release IP, the issue must be approved by a person that doesn't be involved in development or Devops.
- Don't publish internal IP or any information from the environment to not authorized person.
- Remove or change the default password from accounts or devices.
- Revoke immediately all access for an employee if he leaves the office.
- Remove all access from the inactive account in a period of 90 days.
- Forbid and avoid shared accounts or users.
- Enable MFA into all applications, servers or other components that have access to environment and data.