Information Security Asked by shywolf91 on November 8, 2021
So my family operates a small bar/lounge in Florida, and I work for them part time as a bar back / IT technician. For the past couple of months we have been trying to become PCI compliant. However, we keep running into issues with passing a network vulnerability scan (which I think is being caused by our ICRealtime security camera NVR).
We use Clover Stations for our 3 POS/terminal systems and are, according to the Clover security site, SAQ type C.
The vulnerability report is as follows:
General remote services - SSL Certificate - Signature Verification Failed Vulnerability - httpsport / tcp over ssl
CGI - HTTP Security Header Not Detected - httpsport / tcp
General remote services - SSL Certificate - Invalid Maximum Validity Date Detected - httpsport / tcp over ssl
General remote services - SSL/TLS Server supports TLSv1.0 - httpsport / tcp over ssl
This is how I have the network set up:
Spectrum modem -> EdgeRouter X
On the ERX all 4 Ethernet ports are separated (e.g. .1.x, .2.x, .3.x, .4.x).
The .1.x has our jukebox and ATM machine. The .2.x has our IoT (at the moment only the security camera). The .3.x has our POS, and the .4.x has employee and guest Wi-Fi (on an R500 AC access point).
I have a firewall ruleset allowing only related/established access to the security camera, but blocking the IoT network from accessing the other LANs. I am also dropping connections to the HTTP and HTTPS ports on the security camera network, but the scan still fails.
I can disable HTTPS on the box but can't disable HTTP, and when I do that I still get an error for:
HTTP Security Header Not Detected httpport / tcp
I'm not sure what else I can do. AFAIK it's only the remote GUI/web server of the security camera NVR causing the issues.
Additional information: I should have a working security certificate from Let's Encrypt on the ERX so that I don't get a warning when accessing the GUI on my local network (the router GUI can't be accessed from outside the network, and the POS network and guest network are blocked from accessing that GUI).
It sounds like you've already taken the appropriate step - segregated your networks and limited access between them using a firewall. Now that your IoT network is segregated and out of scope, stop scanning it (for PCI purposes*) and the finding will drop off your PCI report. If you're dealing with an auditor (as opposed to doing a SAQ) then show him a diagram of the separate networks and the firewall separating them.
In short, limit your PCI scope to the .3.x network containing the POS equipment in line with the Network Segmentation section of the DSS. Stop including systems outside that scope in your audit or self assessment.
*Keep scanning it for security purposes
Answered by gowenfawr on November 8, 2021
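As an added example that is not part of either answer or of the question, here is how the segmentation the first answer relies on could be written on the EdgeRouter X from the question, as EdgeOS (Vyatta-style) configure-mode commands. The interface and subnet assignments are assumptions: eth0 is the WAN to the Spectrum modem, eth1 to eth4 carry the .1.x to .4.x LANs as 192.168.1.0/24 to 192.168.4.0/24, the NVR sits on eth2 and the POS on eth3. Adjust them to the real addressing before committing.

```vyatta
# Added example, not configuration from the post. Assumed layout:
#   eth0 = WAN (Spectrum modem)        eth1 = 192.168.1.0/24 (jukebox, ATM)
#   eth2 = 192.168.2.0/24 (IoT / NVR)  eth3 = 192.168.3.0/24 (POS, the PCI segment)
#   eth4 = 192.168.4.0/24 (employee and guest Wi-Fi)
configure

# One group holding every LAN subnet keeps the inter-LAN rules short.
set firewall group network-group LAN_NETS network 192.168.1.0/24
set firewall group network-group LAN_NETS network 192.168.2.0/24
set firewall group network-group LAN_NETS network 192.168.3.0/24
set firewall group network-group LAN_NETS network 192.168.4.0/24

# IOT_IN filters traffic entering the router from the IoT LAN that is routed onward.
# Replies to sessions other LANs opened to the NVR pass (rule 10); sessions the NVR
# itself opens toward any LAN are dropped (rule 20); the Internet is allowed (rule 30).
set firewall name IOT_IN default-action drop
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 description 'established/related only'
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 description 'IoT may not initiate to any other LAN'
set firewall name IOT_IN rule 20 destination group network-group LAN_NETS
set firewall name IOT_IN rule 30 action accept
set firewall name IOT_IN rule 30 description 'Internet'

# POS_IN is the same policy for the PCI segment: Clover talks to the Internet only,
# and nothing on the POS LAN can open a session into the NVR or the other LANs.
set firewall name POS_IN default-action drop
set firewall name POS_IN rule 10 action accept
set firewall name POS_IN rule 10 state established enable
set firewall name POS_IN rule 10 state related enable
set firewall name POS_IN rule 20 action drop
set firewall name POS_IN rule 20 destination group network-group LAN_NETS
set firewall name POS_IN rule 30 action accept

# LAN_LOCAL filters traffic addressed to the router itself from a LAN: DHCP and DNS
# are allowed, everything else (the GUI on 443, SSH on 22) is dropped.
set firewall name LAN_LOCAL default-action drop
set firewall name LAN_LOCAL rule 10 action accept
set firewall name LAN_LOCAL rule 10 state established enable
set firewall name LAN_LOCAL rule 10 state related enable
set firewall name LAN_LOCAL rule 20 action accept
set firewall name LAN_LOCAL rule 20 protocol udp
set firewall name LAN_LOCAL rule 20 destination port 53,67
set firewall name LAN_LOCAL rule 30 action accept
set firewall name LAN_LOCAL rule 30 protocol tcp
set firewall name LAN_LOCAL rule 30 destination port 53

# Bind the rulesets. 'in' is traffic forwarded through the router, 'local' is traffic
# to the router itself; eth1 (jukebox/ATM) and eth4 (Wi-Fi) get the same GUI block.
set interfaces ethernet eth2 firewall in name IOT_IN
set interfaces ethernet eth2 firewall local name LAN_LOCAL
set interfaces ethernet eth3 firewall in name POS_IN
set interfaces ethernet eth3 firewall local name LAN_LOCAL
set interfaces ethernet eth1 firewall local name LAN_LOCAL
set interfaces ethernet eth4 firewall local name LAN_LOCAL

commit
save
exit
```

After the commit, `show firewall name IOT_IN statistics` and `show firewall name POS_IN statistics` show the packet counters per rule; a connection attempt from a POS terminal to the NVR's web port should fail and increment rule 20 of POS_IN, which is the evidence an assessor would want alongside the network diagram. One caveat: a PCI ASV scan is run from the Internet against the public IP, so if the NVR's web UI is appearing in that scan, it is reachable from outside, and rules between LANs do nothing about that. Check `show configuration commands | match port-forward` and `show configuration commands | match upnp` on the ERX and remove any forward or UPnP mapping that exposes the NVR's HTTP/HTTPS ports; the NVR's web UI should only ever be reachable from inside.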
PCI compliance is for payment processing. Don't put your cameras on your payment processing system.
You want the cameras on their own network so that any camera system compromise doesn’t become a stepping stone into your financial transactions.
You should of course secure the cameras as well, but they need not have any interaction with PCI once they are isolated.
Answered by user10216038 on November 8, 2021