Welcome to the Cybrary Demystifying PCI DSS Compliance course.
This module focuses on the goals of the PCI DSS and the requirements associated with them.
This video introduces you to Requirement 2.
We will talk about default configurations and the PCI DSS requirements associated with them.
The learning objective of this video is to explore the vendor default requirements and ways you can implement them to satisfy PCI DSS Requirement 2.
Let's get into the PCI DSS requirements around default configurations and passwords.
This is all about making sure that you change the default usernames and passwords before implementing systems in the CDE.
This is a general best practice in security and should be applied throughout the enterprise.
Changing credentials should not be limited to workstations or network devices.
All software and devices should be changed.
This includes changing the SNMP community strings from public and private.
Requirement 2.1.1 is aimed at wireless networks.
So for your access points, you need to change the default username and password for the access point.
You also need to change the SNMP strings.
You also need to change the default password to join the network.
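As an added example for the SNMP point above (this is not code from the course), here is a small audit that reads Net-SNMP style configuration text and flags community strings that are still the vendor defaults "public" or "private", or that are shorter than an assumed local policy minimum. The configuration excerpt, the directive list and the length threshold are constructed for the illustration.

```python
"""Flag default or weak SNMP community strings in snmpd.conf-style text.

Added example for the vendor-defaults discussion (PCI DSS 2.1 / 2.1.1); it is
not part of the course. The config lines below are constructed, and the set of
directives handled is an assumption covering the common Net-SNMP forms.
"""
import re

# Community strings shipped as defaults by many vendors (constructed list).
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_LENGTH = 12  # assumed local policy minimum for a non-default string

# Net-SNMP directives: 'rocommunity/rwcommunity <string> ...' and
# 'com2sec <name> <source> <string>'. Group 2 or 3 carries the community.
_DIRECTIVES = re.compile(
    r"^\s*(rocommunity6?|rwcommunity6?)\s+(\S+)|^\s*com2sec\s+\S+\s+\S+\s+(\S+)",
    re.IGNORECASE,
)


def find_weak_communities(config_text):
    """Return a list of {line, community, reason} dicts for each weak string."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.split("#", 1)[0]  # drop trailing comments
        m = _DIRECTIVES.match(stripped)
        if not m:
            continue
        community = m.group(2) or m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            reason = "vendor default community string"
        elif len(community) < MIN_LENGTH:
            reason = "community string shorter than policy minimum"
        else:
            continue
        findings.append({"line": lineno, "community": community, "reason": reason})
    return findings


# Constructed snmpd.conf excerpt used as sample input.
SAMPLE_CONFIG = """\
# constructed snmpd.conf excerpt
rocommunity public 10.0.0.0/8
rwcommunity private localhost
com2sec readonly default public
rocommunity  Kq7wZ2pRtL9mVc4x 10.0.1.5
rwcommunity short
"""

if __name__ == "__main__":
    for f in find_weak_communities(SAMPLE_CONFIG):
        print(f"line {f['line']}: '{f['community']}' - {f['reason']}")
```

Running the script reports lines 2, 3 and 4 as vendor defaults and line 6 as too short; the 16-character string on line 5 passes. The same check can be pointed at exported access point or switch configurations, since the requirement applies to every device that speaks SNMP, not only servers.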
Requirement group 2.2 aligns with several other PCI requirements.
Everything in the CDE needs to be fully documented and have a standardized deployment associated with it.
For guidance and best practices on how to develop the standards, you can consult NIST, ISO, CIS or other organizations that develop frameworks.
Requirement 2.2.1 is in the same vein as other requirements throughout the PCI DSS.
Whenever possible, you should minimize your attack surface when deploying systems.
You should only allow one primary function per server, and the server should be scaled as such.
With the existence of virtualization technology, this requirement is easier to meet than in times past.
The thinking here is to make sure that merchants don't do things like deploy their web servers on the same system that's running the database with credit cards on it,
or that your domain controller isn't running on the same system as your database server.
You don't want to co-locate services on systems that require different security controls.
Requirement 2.2.2 is also designed to minimize your attack surface.
In previous requirements merchants must define the services and protocols that are necessary to operate,
and then only those services should be allowed.
Supplementing that, everything else should be explicitly denied or turned off.
This prevents attackers from leveraging insecure services to exploit your environment.
Requirement 2.2.3 is to implement additional security features for any required services, protocols or daemons that are considered to be insecure.
So there are going to be times when your organization must use an insecure protocol to operate.
You may have to use some legacy software that doesn't natively support encryption.
You will have to be able to demonstrate to the auditor that you have put in place some sort of controls that will mitigate the risk.
If you have to use Telnet to administer a system, you can isolate that system so that there's no way anyone else could eavesdrop on the connection by directly plugging into it.
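The following is an added example (not course material) that turns requirements 2.2.1 through 2.2.3 into one audit pass: each host has a documented role with an allow-list of services, anything listening outside that list is flagged (2.2.2), a host whose listeners span more than one role is flagged as multi-function (2.2.1), and any service using a protocol the course names as insecure is either matched to a documented compensating control or reported as unmitigated (2.2.3). The role allow-lists, the listener records and the compensating-control register are all constructed; in practice you would feed in your configuration standard and the output of your socket-listing tool.

```python
"""Audit listening services against a documented host role (PCI DSS 2.2.1-2.2.3).

Added example, not part of the course. ROLE_ALLOWLIST, INSECURE, LISTENERS and
COMPENSATING are constructed illustrations of a configuration standard, an
insecure-protocol table, observed listeners and a compensating-control register.
"""

# Services shared by every role for administration (assumed: SSH only).
MANAGEMENT = {"ssh"}

# Constructed configuration standard: services each role is documented to need.
ROLE_ALLOWLIST = {
    "web": {"https"} | MANAGEMENT,
    "db": {"postgresql"} | MANAGEMENT,
}

# Protocols the course names as insecure, with the control an auditor expects.
INSECURE = {
    "telnet": "cleartext credentials; isolate or replace with SSH",
    "ftp": "cleartext credentials; replace with SFTP or FTPS",
    "tftp": "no authentication; restrict to an isolated management segment",
    "http": "cleartext; front with TLS or restrict to a management network",
    "pop3": "cleartext credentials; require POP3S or IMAPS",
}

# Constructed listener records per host: (port, transport, service name).
LISTENERS = {
    "web01": [(443, "tcp", "https"), (22, "tcp", "ssh"), (23, "tcp", "telnet")],
    "db01": [(5432, "tcp", "postgresql"), (22, "tcp", "ssh"), (69, "udp", "tftp")],
    "mixed01": [(443, "tcp", "https"), (5432, "tcp", "postgresql"), (22, "tcp", "ssh")],
}

# Constructed register of documented compensating controls, keyed by host/service.
COMPENSATING = {
    ("web01", "telnet"): "legacy console reachable only from the isolated jump-host VLAN",
}


def primary_functions(listeners):
    """Return the set of roles whose primary services this host is running."""
    services = {svc for _, _, svc in listeners} - MANAGEMENT
    return {role for role, allowed in ROLE_ALLOWLIST.items()
            if services & (allowed - MANAGEMENT)}


def audit_host(host, role, listeners):
    """Return (severity, message) findings for one host against its role."""
    findings = []
    roles = primary_functions(listeners)
    if len(roles) > 1:
        findings.append(("multi-function",
                         f"{host} serves {sorted(roles)}; one primary function per server (2.2.1)"))
    allowed = ROLE_ALLOWLIST[role]
    for port, transport, service in listeners:
        if service not in allowed:
            findings.append(("not-allowed",
                             f"{service}/{transport} on {port} not in the {role} standard (2.2.2)"))
        if service in INSECURE:
            control = COMPENSATING.get((host, service))
            if control:
                findings.append(("mitigated", f"{service}: documented control - {control} (2.2.3)"))
            else:
                findings.append(("insecure", f"{service}: {INSECURE[service]} (2.2.3)"))
    return findings


def audit_all(host_roles):
    """Audit every host in host_roles ({host: role}) using the LISTENERS records."""
    return {host: audit_host(host, role, LISTENERS[host]) for host, role in host_roles.items()}


if __name__ == "__main__":
    for host, findings in audit_all({"web01": "web", "db01": "db", "mixed01": "web"}).items():
        print(host)
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

On the constructed data, web01's Telnet listener is reported as mitigated because a control is on record, db01's TFTP listener is reported both as outside the database standard and as unmitigated, and mixed01 is flagged for combining the web and database roles on one system. The "mitigated" entries are what you would present to an auditor as evidence for 2.2.3; the "insecure" and "not-allowed" entries are your remediation list.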
Requirement 2.2.4 mandates that you configure system security parameters to prevent misuse.
This is a general term that's relatively ambiguous.
All it really means is that an auditor is going to look to see that you deploy systems in accordance with best practice to limit the attack surface.
The auditor will look to see what guide you follow and whether you have implemented systems accordingly.
He or she will take a sample of systems and observe them to draw conclusions.
Requirement 2.2.5 reflects what we've mentioned in 2.2.2:
anything that isn't absolutely necessary to function needs to be disabled or removed.
This includes scripts, drivers, features, subsystems, file systems and unnecessary web services.
Requirement 2.3 is about how you administer the CDE.
Any time you remotely administer any system, the communication path from beginning to end should be encrypted.
It has to use strong cryptography.
There are many antiquated encryption ciphers out there that are proven to be vulnerable.
So you, as a merchant, must do your due diligence to make sure you aren't using any bad cipher suites.
This includes management via web consoles.
Requirement 2.4 really is fundamental to operating a secure environment.
You can't secure anything you don't know about.
Everything in the CDE has to be accounted for and maintained in an inventory.
You should include version numbers and software versions as well.
Requirement 2.5 is going to be a recurring theme throughout the PCI DSS:
the merchant needs to ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented.
This could be maintained in the standard configuration guide.
Requirement 2.6 may or may not apply to you.
This requirement is aimed at hosting providers that may have systems and services for multiple clients.
The requirement is to make sure that one client cannot infringe on the security of another client by using the same service.
In summary, we discussed all of the mandates associated with PCI Requirement 2.
Requirement 2 wants to make sure all of the default credentials are removed and that your systems are configured with a small attack surface.
You are to have a configuration guide for your systems that is based on best practices,
and make sure your systems are only running one major application and that minimal services are running.
Now for a quick quiz.
Is it acceptable to run a system that is running
a domain controller and a web application,
a web application and a database server,
a web application and a DHCP server,
or none of the above?
In general, it's not okay to run two services on the same system.
So, none of the above.
The following is an acceptable SNMP string:
or none of the above.
Technically a new string is an acceptable SNMP string,
although you should probably pick a stronger alternative.
Both public and private are typical default strings that need to be changed.
And true or false:
Telnet is an acceptable protocol for communications between systems without further controls.
Telnet is considered an insecure protocol that will need to have controls in place to protect it.
Other examples of insecure protocols are TFTP, FTP, HTTP and POP.