Time
3 hours 7 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:05
Welcome to the cyber ery Dimas defined P C. I. D. S s compliance course
00:10
this module focus on the goals of the PC idea sets and the requirements associated with
00:17
this video introduces you to requirement 1.1.
00:21
We will talk about firewalls and the PC idea sets requirements 1.1 dot one through 1.1 dot seven.
00:29
The learning objective of this video is to explore firewalls and ways you can implement them to satisfy the P. C. I. D. S s requirements 1.1 dot one through 1.1 dot set.
00:40
All right,
00:41
let's start with the basics.
00:43
What is a firewall?
00:45
Firewalls are devices that filter network traffic.
00:49
Cardholder data environment is a network that should be considered sensitive. So putting in place a device that defines what traffic is allowed and not allowed. It is necessary to meet the criteria of building a secure network.
01:02
Let's talk about the two types of firewalls.
01:04
There's a hardware firewall and software fire
01:10
hardware. Firewalls are purposely built. Appliances that are typically meant to separate
01:15
trusted an untrusted networks.
01:17
They're often put at the perimeter of the network to separate what's good from the wild and crazy Internet
01:23
hardware Firewalls are also used inside an environment to create isolated network segments.
01:30
Some areas of your environment may be more sensitive than others,
01:33
so they require a higher security posture than other parts of the network.
01:38
So if you have a complex internal network, you may need to deploy hardware firewalls internally toe. Add an additional layer of production for your cardholder data environment or the CD.
01:49
Employing a hardware firewall internally may also be essential for network segmentation and reducing the scope of the CD
01:57
software. Firewalls allow you more granular control over your systems
02:02
where hardware firewall segment networks, software firewall, separate systems,
02:07
more sensitive systems that house important data should have these fireballs enabled toe add further protection.
02:15
This feature should also be enabled and configured for any remote computers that commonly connect a sensitive data networks. For example,
02:22
if you have a sales manager that accidentally clicks on the fishing email scam,
02:27
software firewall should limit the malware from propagating through the corporate. Never
02:32
now
02:34
let's get into the PC idea sets requirements around firewalls and some of the common missteps merchants make when implementing and managing firewalls.
02:42
The key here. Word here is managing.
02:45
It cannot be a setting. Forget technology.
02:47
U. S. A merchant must be able to demonstrably show that you care for your firewall and that you regularly review its configuration.
02:57
All right,
02:58
let's start with the one that one. That one requirement.
03:00
A formal process for approving and testing all network connections and changes to the firewall and router configurations.
03:08
Ah, lot of merchants fold this into their existing change control process, or they have an independent firewall change process that validates all configurations in the changes to the firewall.
03:20
Either way, an auditor is going to be looking for a document that says, Who was responsible for approving the change, who's responsible for implementing the change and who was responsible for testing that changed it, validate its functioning as expected, with no adverse impacts.
03:35
The auditor will also interview identified personnel to see if the changes are happening according to policy and in a consistent way.
03:46
Requirement 1.1 dot two and 1.1 dot three year, very similar and touch on requirements throughout the PC idea says,
03:53
As a merchant,
03:54
you must know and understand how all systems communicate in the CD
04:00
to be able to demonstrate that network diagrams and data flow diagrams need to be created. An updated to show the topology of your CD
04:10
requirement 1.1 dot two states that the current network diagram that identifies all connections between the cardholder data and environment and other networks, including wireless networks
04:24
1.1 dot three wants the merchant to maintain a current diagram that shows all cardholder data flows across systems and networks.
04:32
You must have an up to date network diagram that identifies all connections between the cardholder data environment and other networks, including wireless networks.
04:41
An auditor will be searching through your network to verify that your diagram matches your actual environment.
04:49
The one that went up for requirement is an architectural one.
04:54
We mentioned earlier the need for firewalls to protect your CD from untrusted zones.
04:59
This requirement mandates a firewall between the Internet and between what is known as a demilitarized zone or the D M Z.
05:06
It's a way to provide service is such as e commerce websites to the public, while adding an additional layer of protection to the internal systems which house more sensitive data.
05:16
This step is essential for limiting the scope of the CD E that will need to be audited.
05:23
Logically, it appears as if you need to firewalls to serve this purchase. But in practice and physically, a singer firewall with multiple security zone support can provide this functionality of the D. M. Z
05:38
Requirement 1.1 dot five wants to make sure you know and understand all the roles and responsibilities of those charged with managing the firewall and network components.
05:48
Each user and group of users need to be documented with clearly defined set of responsibilities associated with him.
05:56
This information typically lives in the firewall policy for the organization.
06:00
The auditor is going to be looking for this written, written down somewhere in a policy,
06:05
the auditor will validate the information by interviewing personnel to determine if the policy matches actuality.
06:15
The next requirement is 1.1 dot six.
06:17
The heart of this requirement is for us and merchant to carefully consider the network traffic that occurs in your environment.
06:26
The PC I counsel wants you to minimize your attack surface by understanding all the traffic that goes in your network.
06:32
To do this, they not only want documentation, but also business justification and approval for use of all the service's protocols and ports that are allowed,
06:42
including documentation of security features implemented for those port of protocols considered to be insecure.
06:48
Essentially, they're saying that envision, you have to configure a firewall to deny all traffic.
06:54
Now you have to go one by one through each of your service is runnings and evaluate if you really need it or not.
07:00
And if you really need it, you must document why you need it to function.
07:03
Then configure a firewall to allow this traffic into or out of your CD.
07:12
The 1.1 dot seven requirement is that the merchant must review firewall on router rule sets at least every six months.
07:19
Often as environments evolved, service's are decommissioned and modify.
07:25
As the service is changed, the firewall around or configurations may not reflect the change and become stale entries.
07:31
These stale entries reflect a potential attack vector for threat.
07:35
By making sure the rule sets are reviewed, the merchant may be able to plug the holes that are no longer necessary.
07:44
The auditor will be looking for documentation that the merchant requires these reviews and artifacts that proves that these reviews happened,
07:51
artifacts could exist in the form of change, control, longs or tickets that's so show what service is were updated due to bi annual review.
08:01
The auditor will also interview those responsible for the fire mall and router reviews.
08:05
One thing to consider is to remember to include review of switches that could be serving as a layer three rounder to handle all interview and traffic.
08:18
In summary,
08:18
we discussed requirements 1.1 dot one through 1.1 dot seven and some of the important artifacts that are associated with
08:30
now for quick quiz.
08:33
How does the auditor collect information to determine compliance
08:37
interviews and artifacts,
08:39
scanning tools,
08:41
third party service providers
08:43
or pass assessments?
08:50
An auditor looks for artifacts and interviews to determine if your environment is in compliance.
09:01
What purpose does reviewing firewall rules served?
09:05
Increasing efficiency of processing firewall rules,
09:07
reducing the attack surface
09:09
documentation of the CD
09:13
and a track traffic usage rates.
09:20
You want to review your firewall rules so that you can reduce the attack surface of your environment.
09:28
But what is the D. M. Z,
09:30
a wireless network to process cardholder data
09:33
firewall with multiple ports.
09:35
Protect sensitive resource is from systems public interact the public interacts with
09:41
or software fire.
09:46
The D M Z protect sensitive resource is from systems the public interacts with.

Up Next

PCI DSS: Payment Card Industry Data Security Standard

This online course covers the basic aspects of the PCI Data Security Standard for handling credit card data. It’s designed for professionals working for companies that must comply with the PCI DSS and its impact on company operations.

Instructed By

Instructor Profile Image
Timothy McLaurin
Director of Information Security at Wildcard Corp
Instructor