AirTight Management Console User Guide
4. Requirement 6.2: Establishing a process to identify newly discovered vulnerabilities and
updating configuration standards to address the new vulnerability issues. Generate and review
contents of this report periodically so that newly discovered vulnerabilities can be identified and
acted upon.
5. Requirement 10.5.4: Copy logs for wireless networks onto a centralized internal log server or
media that is difficult to alter. The report generation engine maintains logs of all wireless activity for
archival purposes.
6. Requirement 11.1: Use a wireless analyzer at least quarterly to identify all wireless devices in
use. This report provides a list of all wireless devices in use. In addition, scanners continuously
monitor all wireless devices in use and automatically update the list of wireless devices maintained
at the server.
7. Requirement 11.2: Run network vulnerability scans quarterly and after any significant change in
the network. This report provides a list of wireless vulnerabilities discovered during the report
generation interval. This report can be generated on demand or at scheduled intervals.
8. Requirement 11.4: Use a network intrusion detection and prevention system to monitor
network traffic and alert personnel of suspected compromises. Intrusions can also happen through
wireless. Wireless scanners continuously monitor, log and (optionally) alert and block wireless
intrusion attempts.
9. Requirement 12.10: Implement an incident response plan. Be prepared to respond immediately
to a system breach (including those happening through wireless back doors). Wireless scanners
monitor airwaves 24/7 and instantly detect any unauthorized wireless activity. Incident response
can be done either manually or automatically using wireless scanners.
Since wireless environments change dynamically, it is recommended that you conduct a PCI
Wireless Compliance assessment at least once every 15 days. Archive the PCI wireless
compliance reports.
Establish an ongoing wireless security program to fix the top vulnerabilities and to minimize your
wireless security exposure.
The sections of this report list the wireless vulnerabilities detected in your network and the severity
of security risk caused by these vulnerabilities.
• PCI DSS 3.0 Wireless Compliance Internal Audit Report
PCI DSS 3.0 Wireless Compliance Report is relevant for only those VLANs that process or store
credit card data; these VLANs are commonly known as cardholder data environment (CDE).
Violations reported in the PCI DSS 3.0 Wireless Compliance Report are based on wireless security
incidents that occur on a CDE network. Occasionally, if the system cannot determine whether the
network where a security incident occurred is a CDE network, the incident is classified as a
Potential Violation. The PCI DSS 3.0 Wireless Compliance Internal Audit Report
includes all sections which belong to PCI DSS 3.0 Wireless Compliance Report and, in addition, it
contains Potential Violation sections for networks not confirmed to be a part of the CDE.
The following sections from the PCI DSS 3.0 Wireless Compliance Internal Audit Report are relevant
from the perspective of protecting cardholder data from unauthorized wireless access. This report
is intended simply as an aid to reviewing PCI DSS 3.0 compliance of WLAN deployments. It is not
meant to automatically fulfill PCI DSS 3.0 requirements related to your WLAN network. Consult a
PCI Qualified Security Auditor (QSA) to obtain compliance certification.
1. Requirement 1.2: Deny traffic from 'untrusted' networks and hosts, except for protocols
necessary in the cardholder's data environment. This report provides a list of rogue or
misconfigured wireless access points detected during the report interval. Unauthorized cardholder
data access is possible through these access points.
2. Requirement 2.1.1: Change vendor-supplied defaults for wireless equipment. For wireless
equipment, the default password, SSID, WEP key and security settings should be changed. WPA or
WPA2 should be used wherever possible. This report provides a list of wireless access points
using default SSID or security configurations.