3.14 Requirement 11

Video Activity

Join over 3 million cybersecurity professionals advancing their career

Required fields are marked with an *

View all SSO options

Already have an account? Sign In »

PCI DSS: Payment Card Industry Data Security Standard

Course

Time

3 hours 37 minutes

Difficulty

Beginner

Video Transcription

00:01

Welcome to the cyber. Very de mystify ing P C I. D. S s complaints. Course,

00:07

Miss Module, focus on the goals of the P C. I. D. S s and the requirements associated with them.

00:14

This video introduces you to requirement 11.

00:17

We will talk about the requirements associated with testing the security controls of the CD.

00:23

The learning objective of this video is to discuss the requirements in all the ends and out of testing security controls within the CD

00:34

requirement 11 is designed around testing the effectiveness of your security controls.

00:39

You need testing to make sure your controls air doing what you think they're doing, as well as discover any blind spots you may not have seen during your vulnerability analysis.

00:48

It also helps to discover assets that may exist that you don't even know about.

00:53

Or you might find some vulnerabilities that aren't covered in the rest of the P. C. I. D. S s requirements.

00:59

A lot of the time, you'll end up finding some configurations that have unintended adverse security effects

01:07

11 1 and is about handling of access points.

01:11

First, you need to check for all the rogue access points every three months.

01:15

Next, you need to make sure that you have an inventory of all of your authorized access points.

01:21

Managing your devices is covered in several crime. It's but we stated again here to make sure you know all of your devices.

01:27

Next, in the event that an unauthorized access point is detected, you need to have an incident response process to handle them.

01:34

You need to have an incident response policy anyway, but we're just calling it out here again, especially for wireless.

01:42

Now here's a bit of a wordy slide.

01:46

I group them together because they all focused on the same thing.

01:49

Scanning

01:49

To summarize the requirement, you need tohave an internal and external scans conducted quarterly

01:57

internally, it has to be run by someone qualified

02:00

PC. I stays that the internal scans must be run by someone that is a reasonably independent from the system component being scanned or by a firm that specializes in vulnerability Scanning.

02:13

The external scan must be done by PC. I certified Approve scanning vendor or a SP.

02:20

This scan is against service Is that our public facing and used by your customers,

02:24

the scans were re occurring until you're gonna passing score

02:29

11 to 3 states that scans must occur after any significant change.

02:34

The guidance is that a significant changes when an upgrade or modification could allow access to cardholder data

02:39

or affect the security of the cardholder data environment.

02:46

So there's a significant difference between scans and penetration testing.

02:50

PC I recognizes this and mandates of penetration test occur annually or after any significant change.

02:57

Penetration test is more in depth and cannot be conducted via automated tools.

03:01

Penetration testers are testing controls and applying logic to circumvent what you have in place.

03:07

Penetration tests must occur from from external to your network

03:12

and internal to your network.

03:15

As threats can exist from both the inside and outside, it's important to test both.

03:20

A penetration test can be conducted by an internal independent resource or an external firm.

03:25

The penetration test methodology must follow Industry accepted best practices and include testing of controls as mandated in previous requirements like that of requirement six, not five,

03:38

11 33 states that any vulnerabilities that air discovered during the penetration test, you must implement a fix and then have it retested.

03:47

11 34 is just saying that if you have a limited scope in your CD, evey of via segmentation.

03:54

Those controls must be tested to confirm that they are effective

03:59

for service providers. They need to be tested every six months instead of annually.

04:04

11 4 Simple enough.

04:06

Along with firewalls, you need tohave, an intrusion detection system or I. D. S at your perimeter.

04:13

A lot of times these air built into firewalls or they can be dedicated devices,

04:17

but you need to make sure any signatures are up to date, as well as follow all the auditing and logging rules for previous requirements.

04:26

11 5 requires you haven't placed a tool that monitors important files for changes.

04:31

Clearly, this isn't meant for files that are constantly changing due to regular operations.

04:35

This is meant for files that should very rarely change under North normal circumstances.

04:42

Miss Control is meant to protect against a malicious person, replacing files that others could

04:46

used to compromise. A sense system

04:49

changing executed bols and D L L's could lead to an attacker breaking into a system

04:55

a lot of the time. Regular patching contribute this monitoring, so having in place a process to deal with normal operations

05:01

will help deal with the expected noise,

05:04

but you need to have a process to respond to unexpected alerts

05:11

and out for 11 6 you need to make sure you're documenting all your policies and procedures.

05:15

It's important to make sure that you have a process in place that lets auditor know when you have your test scheduled and have your results ready to show that you address any vulnerabilities that have been discovered.

05:28

So in this video, we went over how to go about testing your security control to be a scanning and penetration testing.

05:34

We also touched on some monitoring to detect potential malicious intrusions

05:40

and not for quick quist.

05:43

How often should penetration tests be conducted?

05:46

A. Every quarter,

05:46

be every two years,