Download Support Guide

How to audit for PCI DSS using Nipper

Running a PCI DSS report with Nipper

Automate the auditing of your most critical PCI DSS (Payment Card Industry Data Security Standard) checks with Titania Nipper. You can easily, accurately and quickly assess your firewalls, switches and routers and cover many aspects of the PCI DSS compliance requirements.

This PCI DSS ‘How to’ guide has been designed to demonstrate how Nipper software can help simplify meeting the requirements of PCI DSS.

The guide gives a simple step-by-step process in running the relevant audits to produce an easy-to-read, comprehensive report from which you can choose the most relevant information to report and evidence the PCI DSS requirements.

The report will prioritize risks found and offer remediation advice for each, that you can action to then be able to meet the respective PCI DSS requirements.

These reports assist you in addressing the aspects of the PCI DSS Compliance as shown in the table.

By the end of the guide you will be able to run the necessary audits to cover these requirements, which you can use to demonstrate how you cover them off and what measures you have in place to mitigate potential risks.

Scoping the report

Nipper includes an IP scoping feature which allows you to reduce the scope of your audit to specific sets or ranges of IP addresses; allowing you to define your Cardholder Data Environment (CDE) by IP address, CIDRs or IP ranges.

This restricts the audit report to just rules, services, issues etc. that only affect items included in the scope you have defined – saving you both time and effort by excluding irrelevant issues within the report

For further information on how to set up IP Scoping, refer to the IP Scoping section found in the Nipper Beginner’s Guide, which is in the User Guides area of the website.

Step 1 – Installing Nipper and your license

»   If you have Nipper already installed – Go to Step 2

»   If you need to install Nipper:

  »  Go to the ‘Installing Nipper’ section of the Nipper Beginner’s Guide

»   If you need to install your license:

  »   Go to the ‘Adding a license to Nipper’ section of the Nipper Beginner’s Guide

»   The Nipper Beginner’s Guide can be found in the user guides section of the website

»   Go to Step 2

Step 2 – Create a new report

»   Open Nipper and select ‘New Report’ on the Nipper homepage.

Step 3 – Choose your devices to audit

Here you will see 3 options to;

»   Add File (this is a single, manually exported device configuration file)

»   Add Directory (containing one or more manually exported device configuration files

»   Add Network (configuration files of supported devices)

You will need to navigate to where you have stored your files to be able to add them.

For further information on how to choose your devices refer to the ‘Creating your first report with Nipper’ section of the Nipper Beginner’s Guide.

Once you have chosen your devices, click on ‘Next’.

Step 4 – Choose your reporting options

»   The reporting options screen will appear

»   Scroll down the screen and check the box next to PCI DSS Audit

»   By clicking on this, the following will automatically be chosen:

  »  Configuration Report

  »   Vulnerability Audit

  »   Go to the ‘Adding a license to Nipper’ section of the Nipper Beginner’s Guide

  »   *CIS Benchmarks

»   Click ‘Next’ and a notification regarding the relevant reports selected will appear

»   Click ‘OK’

*The CIS Benchmarks audit will run if you include CISCO ASA, IOS12 or IOS15 devices in your PCI audit.

Step 5 – Compare the results with a previous report

»   The next screen will give you the option to compare against a previous report. Instructions on how to do this can be found in the Nipper’s Beginner’s Guide

»   If not required simply select ‘Next’

The report will be generated, taking only a few moments to appear.

Note: At this stage if you have selected CISCO ASA, IOS 12 or IOS15 devices to audit, you will see additional boxes appear:

»   CIS Settings

  »   Click ‘OK’

»   Interface Definitions

  »   Click ‘OK’

Step 6 – Once the report has run

»   When the report has finished running an advisory note, about handling the sensitive data contained, will appear

»   Click ‘Finish’

Your report will appear and give comprehensive detail. There is a summary at the top which is handy for a quick view of content and top-line reporting.

Note: The report does not save within the software. If you need to save, you will need to do this to an external file separate from the Nipper software. For further information on how to save a copy of your report please refer to ‘Saving your reports’ section in the Nipper Beginner’s Guide.

There are a number of options to ‘save file as’, however by saving as an html file will keep the links in the report live.

Step 7 - Navigating the report

»   Below the summary is a Contents list

»   Scroll up and down this list to find the section you want

»   Click on the title to be taken to its relevant section

Note: To return to the contents menu at any point, right click and click on ‘Back’.

Step 8 - Interpreting the report

Requirement 1: Install and maintain a firewall configuration to protect card-holder data.

Nipper assists with: 1.1.6, 1.1.7 & 1.2.1 of this requirement.

The following parts are met by having run the Configuration Report & Security Audit:

Identify all network services enabled on your scope

»   Within the Configuration Report, > go to the Network Services section

Identify all firewall and router rule sets, highlight crucial information relating to permitted and denied network traffic

»   Within the Configuration Report, > go to the Network Services section

»   The list of Rules will be listed and can be checked lineby-line for issues.

Review issues in the rule sets, such as Any-to-Any rules against the CVSS scoring system

»   Go to the Security Audit section to review this.

Requirement 2: Do not use vendor-supplied defaults for system password and other security parameters.

Nipper assists with: 2.1.a, 2.1.b & 2.3.b of this requirement.

Within theConfiguration Report, > go to the Authentication section.

»   Here you can review the listing of all user accounts and passwords (that are not encrypted) for unused accounts and security roles.

By including the Security Audit as part of your report, you evidence your effort in identifying and highlighting insecurities in the devices included in your scope, (such as vendorsupplied default passwords, insecure protocol settings and more).

Note: If you have CISCO ASA, IOS12 or IOS15 we also include CIS (Center for Internet Security) Benchmarks to assist with meeting this requirement.

Requirement 6: Develop and maintain secure systems and applications.

Nipper assists with: 6.2.b of this requirement.

By running the Configuration Report, you can identify software vulnerabilities known through the NIST NVD within your report.

All the details known about the vulnerability such as the following will be displayed in the report:

»   Issue Severity (ranked and colour coded)

»   CVE number and references

»   CVSS v2 information

»   Summary information

»   Affected devices from the scope

»   Any vendor security advisories

Requirement 8: Identify and authenticate access to system components.

Nipper assists with: 8.1.4, 8.1.6, 8.1.7, 8.1.8, 8.2.3, 8.2.4 & 8.2.5 of this requirement.

Read through the Security Audit report to see any highlighted issues where your user and password policies are in violation.

Note: The following parameters for password policies can be configured in the Security Audit settings:

»   Minimum Password Length

»   Password Complexity, such as character case, including nonalphanumeric

»   characters, repeating characters, excluding common dictionary-based words and more

»   Password Age (Minimum and Maximum)

»   Password History and Expiry

»   Session Lockout

To change the settings of the Security Audit to suit the User

Policy and Passwords rules required to then audit against:

»   Go to ‘Tools’ and then ‘Settings’

»   Click on ‘Reports’

To then come out of the Security Audit settings:

»   Click ‘Cancel’

Requirement 10: Track and monitor all access to network resources and cardholder data.

Nipper assists with: 10.4.1 & 10.4.2 of this requirement.

Recording logs is a common way to monitor network resource access, which involves ensuring the correct time is logged for events to enable better issue investigation.

»   To monitor network resources, use the Configuration Report to give information about the Network Time Protocol (NTP)

»   The Security Audit then highlights the issues with that configuration, such as:

  »   Identifying if time synchronization is enabled

  »   Identifying if the time synchronization is secure

Note: As necessary, use the ‘Find’ function at the bottom of the screen to find where ’NTP’ features within the report. By using the Find function, NTP will be highlighted for easy identification.

Requirement 11: Regularly test security systems and processes

Nipper assists with: 11.2.1 & 11.2.3 of this requirement.

Use the Security Audit section to evidence your testing of network devices. From the Security Audit report you can highlight the identified security issues and provide the following information:

»   Issue severity (ranked and colour coded)

»   Description of the finding

»   Description of the impact if the finding isn’t addressed

»   Description of the ease of exploiting the finding

»   *Recommended remediation steps

By saving a copy of the report each time it is run you can demonstrate the regularity for this requirement.

* If CISCO devices are being audited, the report will give command lines to fix the vulnerability, which can be copied and pasted

Conclusion and further help

You should now find that you have quickly and easily audited several sub sections of the PCI DSS requirements.

With IP Scoping in place you will find your audit condensed to only include relevant information, providing an easier to navigate and interpret report.

For any further help or advice, contact the Support team on:
Tel: (+44)1905 888 785

Our team are more than happy to help walk you through this or any other auditing processes with our Nipper software.