Basically the fear are base camps from which to launch an attack. As
Erin stated below, if there are measures in place (not just vlans) to
prevent access from the log machine to the Card Holder data environment
then it may be that the device will be out of scope.

You may want to research "compensating controls" and log servers. You
may find some creative ways others were able to ensure their log servers
were out of scope.

I hope that helps a little.

Eric

Erin Carroll wrote:
> It's been a bit since I was forced to do PCI on a daily basis so someone
> will come along and correct me if I'm wrong....
>
> If the logs contain no PII/cardholder data and the logs are pushed to the
> central log storage device (not pulled from device) then the log server is
> not in scope. If the logs do contain PII/cardholder data then the log device
> is in scope but does not make the 300+ other devices which log to the device
> in scope.
>
>
>
> --
> Erin Carroll
> Moderator, SecurityFocus pen-test mailing list
> "Do Not Taunt Happy-Fun Ball"
>
>
>> -----Original Message-----
>> From: listbounce (at) securityfocus (dot) com [email concealed]
>> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Danux
>> Sent: Thursday, November 12, 2009 7:27 AM
>> To: pen-test (at) securityfocus (dot) com [email concealed]
>> Subject: PCI Compliance Scope
>>
>> Question for PCI experts:
>>
>> During a PCI Audit the Auditor told us that all the Security Devices
>> protecting Cardholder Data are also part of PCI Scope, which makes
>> sense for IDS/IPS, FW, AD, so on but what about a Log Management tool?
>>
>> This means that my Log Management Centralized Server solution which is
>> getting logs not just for PCI assets but for the whole network ... is
>> gonna be in scope?
>> if so? This means all 300 security devices sending the logs (Servers,
>> WStations, Data Bases, AV) to the Centralized server are in scope Too?
>>
>> if so?
>>
>> Then, obviously I need to find a way to isolate & split the Log
>> Management Server from the whole network to only monitor PCI assets
>> but that entails to buy a new costly license to have another
>> Centralized log server, which is not doable for us.
>>
>> Have you ever had the same problem? so that you can share the way to
>> resolve it WITHOUT adding new software/hardware?
>>
>> I think I need to create a kind of PCI Security Devices Zone isolated
>> from the network but not sure if that works for PCI Auditor.
>>
>> Please share your ideas.
>> --
>> Danux
>>
>> -----------------------------------------------------------------------
>> -
>> This list is sponsored by: Information Assurance Certification Review
>> Board
>>
>> Prove to peers and potential employers without a doubt that you can
>> actually do a proper penetration test. IACRB CPT and CEPT certs require
>> a full practical examination in order to become certified.
>>
>> http://www.iacertification.org
>> -----------------------------------------------------------------------
>> -
>>
>
>
> ------------------------------------------------------------------------

> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------

>
>

------------------------------------------------------------------------

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

[ reply ]