#1
Anyone out there ever heard of this document?
Bit9 keeps making references to it in discussions with one of our clients, but we do not have a copy of it from the PCI SSC. Nor can we find it in the PCI SSC's FAQ or anywhere else on the PCI SSC's Web site. Which seems odd. Interestingly, if you Google 'PCI Security Standards Council Reference #022007249 ', the resulting search gives you circular references back to Bit9 and another vendor's similar white listing solution. That also seems odd and makes me suspicious. If anyone can provide me a link to this document, I'd appreciate it.
__________________
Jeff Hall, Director, Risk Advisory Services
RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower
Minneapolis, MN 55402-2526
612 376 9280 - office
612 395 7280 - facsimile
www.mcgladrey.com
The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc

Last edited by jbhall56; 01-07-2009 at 04:47 PM.
#2
No.

However, as you probably noticed, it is in all of their PR material. Have you requested it from them?

Visit http://www.bit9.com or call 617.393.7400.

Media Contact:
Greg Sabey
Text 100 for Bit9, Inc.
617.399.4909
gregs@text100.com

or:

Support Contact Information:
Phone: 877 BIT9-098 (877.248.9098)
E-mail: support@bit9.com
Web: http://www.bit9.com/contact/support.php

Good Luck.
#3
We finally got the 'document', which turns out to be an e-mail message.

From: PCI SSC Information
Sent: Tuesday, February 20, 2007 10:12 AM
To: Verisign
Subject: Reply to your question for PCISSC RE: The use of Bit9 to satisfy Req 5 (Ref #022007249)

Thank you for your interest in the PCI Security Standards Council. The answer to your inquiry is as follows. Your original query follows below:

Q: Are you aware of any merchant or service provider presently using Bit9 to meet Req 5?

A: PCI Security Standards Council does not track this type of information and cannot comment on merchants' or service providers' implemented security controls.

Q: If not, what would be the expectation on VeriSign's part to accept this as a compensating control? Typically, if a company uses a known AV product (Symantec, McAfee) we take that at face value and ensure it's applied to the systems, up to date, logging enabled, etc., but we would not test the software, as there is the assumption it does what it says it does. Would a more in-depth approach to testing Bit9's capabilities be needed?

A: If Bit9 is selected as the AV solution this would not be considered a compensating control; it would be the control. Bit9 claims to stop malware and may be more effective than signature-based solutions. In some companies, this type of prevention technology is installed as a complement to traditional AV software, which would be used to perform the actual removal of the malware from the system (if the prevention product doesn't perform removal). The product may also include an override component to bypass the control and allow programs to be executed by the user of the system (i.e. via pop-up window). Verification of the installation on a sample of system components per the audit procedures would be appropriate, including a review of the product settings to ensure it is configured to block all unknown (i.e. not configured) programs, create logs, prevent override, remove malware, etc.

As a QSA, Verisign should train reviewers to have adequate knowledge of the product to conduct this verification activity or rely on subject matter experts at the client site to sufficiently demonstrate compliance on the sample systems.

Thank you and regards,
The PCI Security Standards Council Response Team
info@pcisecuritystandards.org
781-876-8855

Your original query:

VeriSign has a client who is seeking an alternate method to addressing Requirement 5, in regards to anti-virus software, for particular in-store environments, where traditional AV products have not been all that successful in the past. Bit9 is a new technology that takes an approach of white listing particular software, and blocking anything else not pre-approved to run (including viruses, spyware, adware, etc.), as opposed to relying on signatures as traditional AV products do. Attached is some product information, including Bit9's take on how their product successfully addresses Requirement 5. My questions follow:

1. Are you aware of any merchant or service provider presently using Bit9 to meet Req 5?

2. If not, what would be the expectation on VeriSign's part to accept this as a compensating control? Typically, if a company uses a known AV product (Symantec, McAfee) we take that at face value and ensure it's applied to the systems, up to date, logging enabled, etc., but we would not test the software, as there is the assumption it does what it says it does. Would a more in-depth approach to testing Bit9's capabilities be needed?

Thanks in advance for your response and consideration of this inquiry.
__________________
Jeff Hall, Director, Risk Advisory Services
RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower
Minneapolis, MN 55402-2526
612 376 9280 - office
612 395 7280 - facsimile
www.mcgladrey.com
The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc
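The Council's reply above describes the verification a reviewer is expected to perform on a sample of systems: confirm the whitelisting product is set to block all unknown programs, create logs, prevent user override, and either remove malware itself or be paired with a traditional AV product that does. As an added illustration of that review (not part of this thread, nor code from Bit9 or the PCI SSC), the following Python checker applies those four points to a constructed export of per-host policy settings and draws a seeded sample the way an audit procedure would. The hostnames, the field names such as `unknown_exec_policy`, and their values are assumptions; a real product's settings export will use its own names.

```python
"""Sample-based review of application-control (whitelisting) settings.

Constructed example: evaluates each sampled host against the four review
points from the PCI SSC reply (block unknown programs, create logs, prevent
override, remove malware). Field names and values are hypothetical.
"""
import random
from typing import Dict, List

# Constructed export of per-host policy settings (hypothetical field names).
HOST_SETTINGS: Dict[str, dict] = {
    "pos-001": {"unknown_exec_policy": "block", "logging": True,
                "user_override": False, "malware_removal": True,
                "complementary_av": None},
    "pos-002": {"unknown_exec_policy": "block", "logging": True,
                "user_override": True,          # pop-up override left on
                "malware_removal": False,       # removal done by separate AV
                "complementary_av": "installed"},
    "pos-003": {"unknown_exec_policy": "monitor",  # audit-only, not blocking
                "logging": False, "user_override": False,
                "malware_removal": False, "complementary_av": None},
}


def evaluate_host(settings: dict) -> List[str]:
    """Return the list of review points the host fails (empty = passes)."""
    findings = []
    # 1. Unknown (not pre-approved) programs must be blocked, not merely logged.
    policy = settings.get("unknown_exec_policy")
    if policy != "block":
        findings.append("unknown programs are not blocked (policy=%r)" % policy)
    # 2. The product must create logs.
    if not settings.get("logging"):
        findings.append("logging is disabled")
    # 3. Users must not be able to bypass the control via an override prompt.
    if settings.get("user_override"):
        findings.append("user override of the control is permitted")
    # 4. Malware removal: by the product itself or by complementary AV.
    if not settings.get("malware_removal") and not settings.get("complementary_av"):
        findings.append("no malware removal capability (product or complementary AV)")
    return findings


def select_sample(hostnames, size: int, seed=None) -> List[str]:
    """Draw a reproducible random sample of hosts for the review."""
    rng = random.Random(seed)
    names = sorted(hostnames)
    return sorted(rng.sample(names, min(size, len(names))))


def review(host_settings: Dict[str, dict], sample_size: int, seed=0) -> Dict[str, List[str]]:
    """Evaluate a sample of hosts; maps hostname -> list of findings."""
    return {h: evaluate_host(host_settings[h])
            for h in select_sample(host_settings, sample_size, seed)}


def compliant_hosts(report: Dict[str, List[str]]) -> List[str]:
    """Hosts in the report with no findings."""
    return sorted(h for h, findings in report.items() if not findings)


if __name__ == "__main__":
    for host, findings in review(HOST_SETTINGS, sample_size=3).items():
        status = "PASS" if not findings else "FAIL"
        print(f"{host}: {status}")
        for f in findings:
            print(f"    - {f}")
```

The point the reply makes, and that the checker encodes, is that a whitelisting product only stands in for AV when it is configured as a control: a host in monitor mode or with the override prompt enabled passes installation checks but fails the settings review, and the "remove malware" point may be met by a separate AV product rather than by the whitelisting agent itself.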