3.11 Requirement 8

00:00

welcome to the cyber E d. Mystifying P. C. I. D. S s compliance course.

00:05

This module will focus on the goals of the PC idea sets and the requirements associated with them.

00:11

This video introduces you to a requirement eight.

00:14

We will talk about the requirements associating with how do you handle identity within the CD?

00:21

The learning objective of this video is to discuss some of the ends and outs of each of the mandates associated with the identity in the CD.

00:31

This section of the PC idea says compliance requirements is focused around how the merchant manages the identities or user accounts for administration and use of the CD.

00:43

These requirements don't extend to your customers who may be interacting with your environment to provide payment information

00:49

will explore how you should handle naming your accounts, policies associated with those accounts and the minimum password requirements, which I'll briefly talk how you should go above and beyond what PC I requires.

01:02

I do want to know early that requirements 8.1 dot one

01:04

81.6 through 81.8

01:07

ate that 28.5

01:11

eight dot to 8.0.338 dot to 0.6

01:15

do not apply to user accounts within a point of sales payment application that only has access to one card number at a time to facilitate a single transaction.

01:25

Essentially, these are accounts associated with cashier accounts and point of sale systems.

01:32

81 wants you to define an implement policies and procedures that ensure proper user identification management.

01:40

All right, so eight, not 1.1, is an easy one.

01:42

Everyone that operates in the CD should have their own account assigned to them.

01:48

There shouldn't be any shared user accounts.

01:51

If two or more people are using the same account, then it becomes increasingly difficult to attribute any action to a specific person.

01:57

If someone is using a shared account and delete some critical data, how are you able to figure out who actually did this action

02:05

To eliminate this risk? All users should have a unique I. D.

02:08

Again, the exception is the point of sale systems.

02:13

The auditor will be looking to validate that these accounts have very few privileges.

02:20

As a merchant, you must have tight controls around the creation and modification of user accounts.

02:24

An auditor will be looking to ensure that user accounts granted access to systems are all valid and recognized. Users

02:31

have strong processes must be put in place to manage all changes to user I. D. S and other authentication credentials,

02:39

the more detail you can provide around this process that better

02:45

for 813 and 814 The requirement states that you have to have processes around old and revoked accounts.

02:53

Stale accounts are frequently used as an attack vector.

02:57

You have to make sure that accounts associated with people who no longer work for your organization are disabled and then removed.

03:05

An auditor would do things like interview your human resource is personnel to get an understanding of how employees are on board it and what termination looks like.

03:17

It is often the case that third party service providers will be helping you maintain or deliver service is for your CD.

03:24

In order to facilitate this, you will need to be able to grant them access to your environment.

03:30

There have been many breaches in the news that were due to these types of service providers being breached and then using their networks to break into the network of the real target.

03:39

This requirement is around making sure you haven't placed some controls to prevent that from happening to you.

03:46

Make sure that at a minimum they have the minimum privileges and they're monitored closely.

03:53

Thes sets of requirements are the minimums.

03:57

Six. Failed log on attempt should lock out the user.

04:00

The lockout should be at least 30 minutes or unless it's manually reset by an admin.

04:05

And if a session has been idle for 15 minutes, the user needs to re authenticate

04:14

toe off. Indicate into CD systems. You have to have a password, a token or a biometric control.

04:20

Essentially, you can't just walk up to a system and access it without at least one of these things

04:26

again, accounts that are associative a point of sale systems are exempt

04:31

for requirement 8 to 1. You need to make sure that passwords are not stored or transmitted via clear text.

04:39

There needs to be strong cryptographic controls in place For both instances,

04:43

this means that protocols like Telenet should not be used or must have mitigating controls put in place because telnet transmit traffic and clear text over the network.

04:51

You should also take care tohave some networking equipment

04:56

because If you explicitly tell it to encrypt passwords of strong cryptography, it may be stored in the configuration. In the clear text,

05:06

the 8 to 2 requirements around password reset functions.

05:12

Someone should not be able to circumvent any of your controls and processes to force the reset of a password and potentially log and Impersonating another user.

05:20

For instance, if I call into your help desk and say hi, I'm Sam and I need a new password,

05:26

your health desk needs to be able to validate that. I am saying somehow

05:30

I commonly see problems for them itself in applications with poor logic around password reset functions.

05:40

Okay, so here's a list of what are commonly considered to be what you need to do to have a secure password policy.

05:46

Unfortunately, the research has proven that these requirements are actually ineffective, and Attackers can frequently abuse password with these minimums.

05:55

So I always recommend that merchants trying to go above and beyond these requirements

06:00

recommend password to be longer than seven characters,

06:02

and I recommend password should include special characters. In addition to numbers and characters,

06:10

the characters should consist of upper and lower case characters.

06:14

None of these are necessary to be compliant and are probably still the mandate to support legacy applications.

06:19

But if you want to be more secure instead of just compliant than revisit your password policy,

06:28

this requirement grouping is around the utilization of multi factor authentication into the CD.

06:35

So some merchants struggle with this requirement.

06:39

In all instances of access in the CD remotely for administrative function, the merchant must use multi factor authentication.

06:46

So this means two out of the three things we mentioned earlier with something you know, something you have and something you are.

06:54

There are numerous ways to meet this requirement, so I don't really want to dive too deep into the potential solutions. But I will note that your authentication mechanisms need to be separate and independent of each other.

07:05

There needs to be a physical separation so that access toe one factor does not great access to another.

07:11

And if one factor is compromised, it does not affect the integrity and confidentiality of the other factor.

07:19

Missile crime and extends on multi factor authentications, all users that access a CD from untrusted networks or the Internet,

07:31

like with all other requirements, all of the policies and procedures need to be documented and disseminated.

07:38

You need to provide to your end users basic instructions on how to manage your user accounts and how they should be protected.

07:44

A lot of times, this is embedded in the on boarding documentation or in regular security trainings.

07:53

The 85 grouping is around the handling of shared and generic user accounts.

07:58

As you mentioned before, just don't you shared accounts exempting point of sale systems.

08:03

Examples of generic accounts are the guests and administrator user accounts in window systems.

08:09

These generic accounts need to be disabled or renamed so that an attacker can't just attack known accounts that are often generally less secure.

08:20

Requirement 851 is for service providers.

08:22

The mandate is that they do not share credentials with each customer they support.

08:28

In the event that one of these credentials is compromised, the attacker cannot pivot to the entire customer base of the service provider,

08:35

so the 86 requirement is a bit of a restatement of the previous requirements.

08:41

If you're using multi factor authentications,

08:43

you just need to make sure no one else can leverage that second factor for authentication.

08:48

For example, if you're using a token that is auto generated. That same token can't be shared by two separate administrators.

08:58

The 87 requirement is around database access

09:01

and users or not to have direct access to the database.

09:05

Any data that they need for their job function needs to be collected via another front end application.

09:11

No queries or any other interaction is allowed on the database itself.

09:16

This access is only allowed for database administrators.

09:22

The final requirement for this group is document document document.

09:26

All of your policies and procedures need to be put in writing and deliver to all that are impacted.

09:35

That summary. We discussed all of the mandates associated with PC I. Requirement eight.

09:39

Requirement eight is all about the handling of identities and accounts. Within your CD,

09:43

you need to incorporate multi factor authentication and tracked the potential for account abuse throughout your environment.

09:50

This includes regular users, administrators and service providers,

09:56

and now, for a quick quiz.

09:58

Inactive user accounts need to be removed within 30 days.

10:03

Be 60 days

10:05

C, 90 days

10:07

or D 120 days.

10:13

Inactive user accounts need to be removed within 90 days

10:20

when accessing the CD from untrusted networks, the user must a provide a user name and password.

10:26

BU shared admin credentials. See use multi factor authentication

10:31

or D use a service account.

10:37

Multi factor authentication of is required whenever accessing the CD from an untrusted network.

10:46

Users cannot submit passwords that are the same as any of the previous

10:52

A three passwords. Be two passwords

10:56

C four passwords, D five passwords.