Information Security Asked by shywolf91 on November 8, 2021
So family operates a small bar/lounge in Florida and I work for them part time as a bar back / IT technician. For the past couple months we have been trying to become pci compliant. However, we keep running into issues with passing a network vulnerability scan (which I think is being caused by our icrealtime security camera nvr)
We use clover stations for our 3 pos/terminal systems and are, according to cloversecurity site, SAQ type C.
The vulnerability report is as follows:
General remote services - SSL Certificate - Signature Verification Failed Vulnerability httpsport / tcp over ssl
CGI - HTTP Security Header Not Detected httpsport / tcp
General remote services - SSL Certificate - Invalid Maximum Validity Date Detected - httpsport / tcp over ssl
General remote services - SSL/TLS Server supports TLSv1.0 - httpsport / tcp over ssl
This is how I have the network set up:
Spectrum modem – > Edgerouter X
On the ERX all 4 ethernet ports are separated (e.g. .1.x , .2.x, .3.x , .4.x).
The .1.x has our jukebox and ATM machine.
The .2.x has our IoT (atm only security camera)
The .3.x and .4.x contain our pos on one and employee and guest wifi (on a r500 AC point)
I have a firewall ruleset allowing only related/established access to the security camera but blocking IoT network from accessing other lans. I am also dropping connections to the http and https ports for the security camera network but the scan still fails.
I can disable https on the box but can’t disable the http and when I do that I still get an error for:
HTTP Security Header Not Detected httpport / tcp
I’m not sure what else I can do? AFAIK its only the remote gui/webserver of the security camera nvr causing the issues.
additional information: I should have a working security certificate from letsencrypt on the ERX so as I don’t get a warning when accessing the gui on my local network (router gui can’t be accessed outside network and POS network and guest network are blocked from accessing that gui)
It sounds like you've already taken the appropriate step - segregated your networks and limited access between them using a firewall. Now that your IoT network is segregated and out of scope, stop scanning it (for PCI purposes*) and the finding will drop off your PCI report. If you're dealing with an auditor (as opposed to doing a SAQ) then show him a diagram of the separate networks and the firewall separating them.
In short, limit your PCI scope to the .3.x network containing the POS equipment in line with the Network Segmentation section of the DSS. Stop including systems outside that scope in your audit or self assessment.
*Keep scanning it for security purposes
Answered by gowenfawr on November 8, 2021
PCI compliance is for payment processing. Don't put your cameras on your payment processing system.
You want the cameras on their own network so that any camera system compromise doesn’t become a stepping stone into your financial transactions.
You should of course secure the cameras as well, but they need not have any interaction with PCI once they are isolated.
Answered by user10216038 on November 8, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP