Time
3 hours 7 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:01
Welcome to the cyber. Very de mystify ing P C I. D. S s complaints. Course,
00:07
Miss Module, focus on the goals of the P C. I. D. S s and the requirements associated with them.
00:14
This video introduces you to requirement 11.
00:17
We will talk about the requirements associated with testing the security controls of the CD.
00:23
The learning objective of this video is to discuss the requirements in all the ends and out of testing security controls within the CD
00:34
requirement 11 is designed around testing the effectiveness of your security controls.
00:39
You need testing to make sure your controls air doing what you think they're doing, as well as discover any blind spots you may not have seen during your vulnerability analysis.
00:48
It also helps to discover assets that may exist that you don't even know about.
00:53
Or you might find some vulnerabilities that aren't covered in the rest of the P. C. I. D. S s requirements.
00:59
A lot of the time, you'll end up finding some configurations that have unintended adverse security effects
01:07
11 1 and is about handling of access points.
01:11
First, you need to check for all the rogue access points every three months.
01:15
Next, you need to make sure that you have an inventory of all of your authorized access points.
01:21
Managing your devices is covered in several crime. It's but we stated again here to make sure you know all of your devices.
01:27
Next, in the event that an unauthorized access point is detected, you need to have an incident response process to handle them.
01:34
You need to have an incident response policy anyway, but we're just calling it out here again, especially for wireless.
01:42
Now here's a bit of a wordy slide.
01:46
I group them together because they all focused on the same thing.
01:49
Scanning
01:49
To summarize the requirement, you need tohave an internal and external scans conducted quarterly
01:57
internally, it has to be run by someone qualified
02:00
PC. I stays that the internal scans must be run by someone that is a reasonably independent from the system component being scanned or by a firm that specializes in vulnerability Scanning.
02:13
The external scan must be done by PC. I certified Approve scanning vendor or a SP.
02:20
This scan is against service Is that our public facing and used by your customers,
02:24
the scans were re occurring until you're gonna passing score
02:29
11 to 3 states that scans must occur after any significant change.
02:34
The guidance is that a significant changes when an upgrade or modification could allow access to cardholder data
02:39
or affect the security of the cardholder data environment.
02:46
So there's a significant difference between scans and penetration testing.
02:50
PC I recognizes this and mandates of penetration test occur annually or after any significant change.
02:57
Penetration test is more in depth and cannot be conducted via automated tools.
03:01
Penetration testers are testing controls and applying logic to circumvent what you have in place.
03:07
Penetration tests must occur from from external to your network
03:12
and internal to your network.
03:15
As threats can exist from both the inside and outside, it's important to test both.
03:20
A penetration test can be conducted by an internal independent resource or an external firm.
03:25
The penetration test methodology must follow Industry accepted best practices and include testing of controls as mandated in previous requirements like that of requirement six, not five,
03:38
11 33 states that any vulnerabilities that air discovered during the penetration test, you must implement a fix and then have it retested.
03:47
11 34 is just saying that if you have a limited scope in your CD, evey of via segmentation.
03:54
Those controls must be tested to confirm that they are effective
03:59
for service providers. They need to be tested every six months instead of annually.
04:04
11 4 Simple enough.
04:06
Along with firewalls, you need tohave, an intrusion detection system or I. D. S at your perimeter.
04:13
A lot of times these air built into firewalls or they can be dedicated devices,
04:17
but you need to make sure any signatures are up to date, as well as follow all the auditing and logging rules for previous requirements.
04:26
11 5 requires you haven't placed a tool that monitors important files for changes.
04:31
Clearly, this isn't meant for files that are constantly changing due to regular operations.
04:35
This is meant for files that should very rarely change under North normal circumstances.
04:42
Miss Control is meant to protect against a malicious person, replacing files that others could
04:46
used to compromise. A sense system
04:49
changing executed bols and D L L's could lead to an attacker breaking into a system
04:55
a lot of the time. Regular patching contribute this monitoring, so having in place a process to deal with normal operations
05:01
will help deal with the expected noise,
05:04
but you need to have a process to respond to unexpected alerts
05:11
and out for 11 6 you need to make sure you're documenting all your policies and procedures.
05:15
It's important to make sure that you have a process in place that lets auditor know when you have your test scheduled and have your results ready to show that you address any vulnerabilities that have been discovered.
05:28
So in this video, we went over how to go about testing your security control to be a scanning and penetration testing.
05:34
We also touched on some monitoring to detect potential malicious intrusions
05:40
and not for quick quist.
05:43
How often should penetration tests be conducted?
05:46
A. Every quarter,
05:46
be every two years,
05:48
see every year
05:50
or D every six months.
05:56
Penetration test should occur annually. Make sure you have the results for your auditor review,
06:01
but also, a penetration test should occur after any significant change.
06:09
Where does your ideas need to be monitoring traffic?
06:12
A. Every sub net.
06:14
Be at every endpoint
06:15
See at the e commerce site
06:17
or D at the perimeter.
06:23
I. D. S is must be deployed at the perimeter of your network.
06:30
Vulnerability scans must be conducted. How often?
06:32
A annually Be quarterly, see every six months D every two years,
06:43
Vulnerability scans need to happen every quarter.

Up Next

PCI DSS: Payment Card Industry Data Security Standard

This online course covers the basic aspects of the PCI Data Security Standard for handling credit card data. It’s designed for professionals working for companies that must comply with the PCI DSS and its impact on company operations.

Instructed By

Instructor Profile Image
Timothy McLaurin
Director of Information Security at Wildcard Corp
Instructor