Time
3 hours 7 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
Welcome to the Cybrary Demystifying PCI DSS Compliance course.
00:06
This module focuses on the goals of the PCI DSS and the requirements associated with them.
00:12
This video introduces you to Requirement 2.
00:15
We will talk about default configurations and the PCI DSS requirements associated with them.
00:23
The learning objective of this video is to explore the vendor default requirements and ways you can implement them to satisfy PCI DSS Requirement 2.
00:33
Now,
00:35
let's get into the PCI DSS requirements around default configurations and passwords.
00:40
This is all about making sure that you change the default user names and passwords before implementing them in the CDE.
00:47
This is a general best practice in security and should be applied throughout the enterprise.
00:55
Changing credentials should not be limited to workstations or network devices.
01:00
All software and devices should be changed.
01:03
This includes changing the SNMP strings from public and private.
01:08
Requirement 2.1.1 is aimed at wireless networks.
01:14
So for your access points, you need to change the default user name and password for the access point.
01:19
You also need to change the SNMP strings.
01:23
You also need to change the default password to join the network.
01:30
Requirement group 2.2 aligns with several other PCI requirements.
01:34
Everything in the CDE needs to be fully documented and have a standardized deployment associated with it.
01:42
For guidance and best practices on how to develop the standards, you can consult NIST, ISO, CIS or other organizations that have developed frameworks.
01:53
Requirement 2.2.1 is in the same vein as other requirements throughout the PCI DSS.
02:00
Whenever possible, you should minimize your attack surface when deploying systems.
02:04
You should only allow one primary function per server, and the server should be scaled as such.
02:10
With the existence of virtual technology, this requirement is easier to meet than in times past.
02:16
The thinking here is to make sure that merchants don't do things like deploy their web servers on the same system that's running the database with credit cards on it,
02:24
or your domain controller isn't running on the same system as your database server.
02:30
You don't want to co-locate services on systems that require different security controls.
02:38
Requirement 2.2.2 is also designed to minimize your attack surface.
02:43
As in previous requirements, merchants must define the services and protocols that are necessary to operate,
02:50
and then only those services should be allowed.
02:53
Supplementing that, everything else should be explicitly denied or turned off.
02:58
This prevents attackers from leveraging insecure services to exploit your environment.
03:05
Requirement 2.2.3 is to implement additional security features for any required services, protocols or daemons that are considered to be insecure.
03:15
So there are going to be times when your organization must use an insecure protocol to operate.
03:21
You may have to use some legacy software that doesn't natively support encryption.
03:25
You will have to be able to demonstrate to the auditor that you have put in place some sort of controls that will mitigate risks.
03:32
For example,
03:34
if you have to use Telnet to administer a system, you can isolate that system so that there's no way anyone else could eavesdrop on the connection by directly plugging into it.
03:46
Requirement 2.2.4 mandates that you configure system security parameters to prevent misuse.
03:53
This is a general term that's relatively ambiguous.
03:55
All it really means is that an auditor is going to look to see that you deploy systems in accordance with best practice to limit the attack surface.
04:03
The auditor will look to see what guide you follow and whether you have implemented systems accordingly.
04:10
He or she will take a sample of systems and observe them to make sure and draw conclusions.
04:18
Requirement 2.2.5 reflects what we've mentioned in 2.2.2:
04:25
anything that isn't absolutely necessary to function needs to be disabled or removed.
04:30
This includes scripts, drivers, features, subsystems, file systems and unnecessary web services.
04:41
Requirement 2.3 is about how you administer the CDE.
04:46
Any time you remotely administer any system, the communication path from beginning to end should be encrypted.
04:51
It has to have strong cryptography.
04:55
There are many antiquated encryption ciphers out there that are proven to be vulnerable.
05:01
So you, as a merchant, must do your due diligence to make sure you aren't using any bad cipher suites.
05:08
This includes management via web consoles.
05:14
Requirement 2.4 really is fundamental to operating a secure environment.
05:18
You can't secure anything you don't know about.
05:21
Everything in the CDE has to be accounted for and maintained in an inventory.
05:28
You should include version numbers and software versions as well.
05:33
Requirement 2.5 is going to be a recurring theme throughout the PCI DSS:
05:40
the merchant needs to ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented.
05:47
This could be maintained in the standard configuration guide.
05:54
Requirement 2.6 may or may not apply to you.
05:58
This requirement is aimed at hosting providers that may have systems and services for multiple clients.
06:04
The requirement is to make sure that one client cannot infringe on the security of another client by using the same service.
06:14
In summary, we discussed all of the mandates associated with PCI Requirement 2.
06:18
Requirement 2 wants to make sure all of the default credentials are removed and that your systems are configured with a small attack surface.
06:28
You are to have a configuration guide for your systems that is based on best practices,
06:32
and make sure your systems are only running one major application and minimal services are running.
06:41
Now for a quick quiz:
06:43
Is it acceptable to run a system that is running
06:47
a domain controller and a web application,
06:50
a web application and a database server,
06:54
a web application and a DHCP server,
06:57
or none of the above.
07:01
In general, it's not okay to run two services on the same system.
07:05
So, none of the above.
07:11
The following is an acceptable SNMP string:
07:15
public,
07:15
private,
07:17
new string,
07:19
or none of the above.
07:25
Technically, new string is an acceptable SNMP string,
07:29
although you should probably pick a stronger alternative.
07:31
Both public and private are typical default strings that need to be changed.
07:39
And, true or false:
07:40
Telnet is an acceptable protocol for communications between systems without further controls.
07:49
Telnet is considered an insecure protocol that will need to have controls in place to protect it.
07:56
Other examples of insecure protocols are TFTP, FTP, HTTP and POP.

PCI DSS: Payment Card Industry Data Security Standard

This online course covers the basic aspects of the PCI Data Security Standard for handling credit card data. It’s designed for professionals working for companies that must comply with the PCI DSS and its impact on company operations.

Instructed By

Timothy McLaurin
Director of Information Security at Wildcard Corp
Instructor