SNHU
ISE 510 Security Risk Analysis & Plan
2-2 Jones & Bartlett Lecture Presentation and Assignment:
PCI DSS and the Seven Domains

Week 2 HW
30 points
1a) Find one control from NIST 800-53 that pertains to this PCI Goal (GOAL 1: Build and maintain a secure network that is PCI DSS compliant).
Control “SC-7”, also known as Denial of Service Protection, is a control under the System and Communications Protection group in NIST 800-53. It protects against, and limits the impact and possible outcomes of, different kinds of denial of service attacks. Some of the most common types of attacks include SYN flood, ICMP flood, and HTTP flood. Each of these attacks can block important resources in a company.
b) How will the security control you selected mitigate risks identified in this goal?
There are numerous ways to mitigate the risks identified within this goal: restricting internal users, managing excess bandwidth and excess capacity, and putting detection and monitoring systems in place. Restricting internal users limits their ability to launch similar attacks against corresponding information systems. Managing excess bandwidth and capacity limits the impact of the information flooding caused by DoS attacks. Monitoring and detection tools must be in place so that the effects of flooding on information systems can be contained. This control was selected because, for an information system to be PCI DSS compliant, authorized individuals must still be able to access the relevant resources and information on the organization's network.
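One way to put the capacity-limiting idea above into practice, as an added example that is not part of this assignment or of NIST 800-53: a per-client token-bucket rate limiter that admits a bounded burst from each source, refills slowly, and counts what it drops so a monitoring tool can alert on the flooding source. The class names (TokenBucket, FloodLimiter), the bucket sizes and the traffic mix in simulate() are all constructed for illustration.

```python
# Added example (not from the assignment): a per-client token-bucket
# rate limiter of the kind used to bound the impact of request floods.
# Each client gets `capacity` tokens that refill at `rate` tokens/second;
# a request is admitted only if a token is available, otherwise it is
# dropped and counted so a monitoring tool can alert on the source.
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    capacity: float          # burst size allowed per client
    rate: float              # sustained requests per second allowed
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self):
        self.tokens = self.capacity
        self.last = 0.0

    def allow(self, now: float) -> bool:
        """Refill based on elapsed time, then try to spend one token."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class FloodLimiter:
    """Tracks one bucket per client address and counts rejected requests."""

    def __init__(self, capacity: float = 10, rate: float = 3):
        self.capacity = capacity
        self.rate = rate
        self.buckets = {}     # client -> TokenBucket
        self.rejected = {}    # client -> number of dropped requests

    def handle(self, client: str, now: float) -> bool:
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.rate)
            bucket.last = now
            self.buckets[client] = bucket
        if bucket.allow(now):
            return True
        self.rejected[client] = self.rejected.get(client, 0) + 1
        return False


def simulate():
    """Constructed traffic: a flooding client sends 100 requests in one
    second while a normal client sends 3. Returns admitted/rejected counts."""
    limiter = FloodLimiter(capacity=10, rate=3)
    stats = {"flooder": {"admitted": 0, "rejected": 0},
             "normal": {"admitted": 0, "rejected": 0}}
    for i in range(100):                     # 100 requests, one every 10 ms
        ok = limiter.handle("flooder", now=i / 100)
        stats["flooder"]["admitted" if ok else "rejected"] += 1
    for t in (0.0, 0.4, 0.8):                # 3 ordinary requests in 1 s
        ok = limiter.handle("normal", now=t)
        stats["normal"]["admitted" if ok else "rejected"] += 1
    return stats


if __name__ == "__main__":
    print(simulate())
```

With a burst of 10 and a refill of 3 per second, the flooder gets its first 10 requests through and then only a trickle (two more within the second), while the ordinary client is never affected; the rejected counter per client is what a detection rule would key on.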
2a) Find one control from NIST 800-53 that pertains to this PCI Goal (GOAL 2: Protect cardholder data).
Control “AC-3(6)”, also known as Access Enforcement, Protection of User and System Information, is a control enhancement in NIST 800-53. Role-based access control (RBAC) is a policy that restricts access to the information system to only those individuals who are authorized. Because such access is provided only to authorized users, it protects cardholder data from being accessed in a malicious manner.
b) How will the security control you selected mitigate risks identified in this goal?
There are a number of ways to mitigate access control risks. One such method is assigning credentials: only the individuals who need access to cardholder data should be given it. By implementing the access control model, only people with authorized credentials can access personal information. This control relates to the PCI goal because only authorized individuals can access secured information such as cardholder data or other sensitive information.
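What the access enforcement described above looks like in code, as an added example that is neither the assignment's nor NIST's: a deny-by-default role-based check in which every decision, allowed or denied, is written to an audit record. The roles, users, actions and resource names in POLICY and USERS are constructed placeholders.

```python
# Added example (not the assignment's own code): a deny-by-default
# role-based access check for cardholder data, with an audit record for
# every decision so that access attempts can be traced.
from dataclasses import dataclass

# Constructed policy: which roles may perform which actions on which
# resource types. Anything not listed here is denied.
POLICY = {
    "cashier":      {("read_masked", "cardholder_record")},
    "payments_ops": {("read_masked", "cardholder_record"),
                     ("refund", "cardholder_record")},
    "auditor":      {("read_masked", "cardholder_record"),
                     ("read_log", "audit_log")},
}

# Constructed user directory: user id -> assigned roles.
USERS = {
    "alice": {"cashier"},
    "bob":   {"payments_ops"},
    "carol": {"auditor"},
}


@dataclass(frozen=True)
class Decision:
    user: str
    action: str
    resource: str
    allowed: bool
    reason: str


AUDIT_LOG = []   # every Decision is appended here, allowed or not


def authorize(user: str, action: str, resource: str) -> Decision:
    """Allow only if some role assigned to the user grants (action, resource)."""
    roles = USERS.get(user, set())
    if not roles:
        decision = Decision(user, action, resource, False, "unknown user")
    elif any((action, resource) in POLICY.get(r, set()) for r in roles):
        decision = Decision(user, action, resource, True, "granted by role")
    else:
        decision = Decision(user, action, resource, False, "no role grants this")
    AUDIT_LOG.append(decision)
    return decision


def run_scenario():
    """Constructed requests; returns the allow/deny outcome of each."""
    requests = [
        ("alice", "read_masked", "cardholder_record"),   # cashier may view masked PAN
        ("alice", "refund", "cardholder_record"),        # cashier may not refund
        ("bob", "refund", "cardholder_record"),          # payments ops may refund
        ("carol", "read_log", "audit_log"),              # auditor may read the log
        ("mallory", "read_masked", "cardholder_record"), # unknown user: denied
        ("bob", "read_full_pan", "cardholder_record"),   # no role grants full PAN
    ]
    return [authorize(u, a, r).allowed for u, a, r in requests]


if __name__ == "__main__":
    print(run_scenario())
    for d in AUDIT_LOG:
        print(d)
```

The point of the structure is that the absence of a rule is a denial: adding a new action (here "read_full_pan") grants nothing until a role is explicitly given it, and the audit log records who asked for what even when the answer was no.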
3a) Find one control from The CIS Critical Security Controls for Effective Cyber Defense that pertains to this PCI Goal (GOAL 3: Maintain a vulnerability management program).
Control CSC 4.1, also known as Continuous Vulnerability Assessment and Remediation, is a control from The CIS Critical Security Controls for Effective Cyber Defense that relates to this PCI goal. An automated vulnerability scanning tool is a basic necessity for improving security posture. Such tools should be run against all systems on the network on a regular basis. They provide each system administrator with a ranked list of the most dangerous vulnerabilities, and they allow the overall effectiveness of system administrators and departments at reducing vulnerability-related risk to be compared.

b) How will the security control you selected mitigate risks identified in this goal?
The selected security control mitigates the risks identified in this goal by informing the responsible system administrators of the vulnerabilities in their systems. The automated scanner reports the vulnerabilities along with the best ways to reduce the risks that arise from them.
4a) Find one control from The CIS Critical Security Controls for Effective Cyber Defense that pertains to this PCI Goal (GOAL 5: Regularly monitor and test networks).
Control CSC 20.1, part of CSC 20: Penetration Tests and Red Team Exercises, is a control from the CIS Critical Security Controls for Effective Cyber Defense, and it relates to this PCI goal. Conducting regular penetration tests helps identify vulnerabilities as well as possible attack vectors that could be used to exploit the organization's systems. Such tests can be run against internal and external information systems, but a test must also be carried out from outside the network, since it then simulates external as well as internal attacks.
b) How will the security control you selected mitigate risks identified in this goal?
The selected security control mitigates the risks identified in this goal by allowing the networks to be tested and monitored for unknown vulnerabilities. It verifies that the network is secure by testing the implemented defense mechanisms, and if any vulnerability is found, the necessary steps are taken to mitigate it.
Appendix - PCI DSS 6 Goals from Managing Risk in Information Systems - Maintaining Compliance (in Classroom)
GOAL 1: Build and maintain a secure network that is PCI DSS compliant
All merchants must protect cardholder information by installing a firewall and a router system.
Install, configure, and maintain a firewall system to maintain control over an organization’s network; use a router device to connect networks, which will make you a PCI compliant merchant.
Next, execute the following steps:
Perform testing when configurations change.
Identify all connections to cardholder information.
Review configuration rules every six months.
Change all default passwords. Default passwords are provided when software is installed; they are discernible and can be easily discovered by hackers.
GOAL 2: Protect cardholder data
Cardholder data is any personal information about the cardholder that is found on the payment card and can never be saved by a merchant.
Merchants can only display a maximum of the first six and last four digits of the primary account number.
All information must be encrypted when transmitting data across public networks, such as the Internet, to prevent criminals from stealing the personal information during the process.
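The "first six and last four" display rule above is concrete enough to implement, so here is an added example (not from the textbook or the assignment) that masks a primary account number for display and, as a guard for log lines and screens, detects a full PAN that slipped through unmasked. The detector looks for 13-19 digit runs that pass the Luhn check, a standard check digit algorithm for card numbers. The card numbers used are the well-known test values 4111 1111 1111 1111 and a constructed variant that fails Luhn; no real account numbers appear.

```python
# Added example (not from the assignment): masking a primary account number
# (PAN) for display so that at most the first six and last four digits are
# shown, plus a detector for unmasked PANs in text such as log lines.
import re

DIGIT = re.compile(r"\d")
# A candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Return the PAN with everything except the first `lead` and last `trail`
    digits replaced by '*'. Separators (spaces, dashes) are preserved."""
    if lead > 6 or trail > 4:
        raise ValueError("at most the first six and last four digits may be shown")
    digits = DIGIT.findall(pan)
    if len(digits) < lead + trail + 1:
        raise ValueError("PAN too short to mask safely")
    keep = set(range(lead)) | set(range(len(digits) - trail, len(digits)))
    out, idx = [], 0
    for ch in pan:
        if ch.isdigit():
            out.append(ch if idx in keep else "*")
            idx += 1
        else:
            out.append(ch)
    return "".join(out)


def find_unmasked_pans(text: str):
    """Return every digit string in `text` that looks like a full PAN
    (13-19 digits passing Luhn). A masked PAN never matches because the
    asterisks break the digit run."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    # Constructed sample log line containing a test card number.
    line = "order 42 paid with 4111 1111 1111 1111 at 12:30"
    print(find_unmasked_pans(line))
    print(mask_pan("4111 1111 1111 1111"))
```

A practical use is to run find_unmasked_pans() over anything about to be written to a log or rendered on a receipt and to treat a non-empty result as a defect, since the rule is that the full number is never displayed or stored by the merchant.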
GOAL 3: Maintain a vulnerability management program
Computer viruses make their way onto computers in many ways, but mainly through e-mail and other online activities.
Viruses compromise the security of personal cardholder information on a merchant’s computer, and therefore antivirus software must be present on all computers associated with the network.
In addition to the need for antivirus software, computers are also susceptible to a breach in the applications and systems installed on the computer.
Merchants must install vendor-provided security patches within a month of their release to avoid exposing cardholder data.
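The ranked per-administrator vulnerability list described under question 3 and the one-month patch window stated here go together, so here is one added example (not from the assignment, the CIS controls or the textbook) covering both: it takes raw scanner findings, ranks them for each responsible administrator by severity, flags any finding whose vendor patch has been available for more than 30 days, and totals exposure per administrator so that departments can be compared. The hosts, owner names, CVSS scores, dates and the VULN-EXAMPLE-n identifiers are all constructed placeholders, not real vulnerabilities.

```python
# Added example (not the assignment's or CIS's own code): turning raw scanner
# findings into a per-administrator ranked list and flagging findings whose
# vendor patch has been out longer than the 30-day window from GOAL 3.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    host: str
    owner: str                     # responsible system administrator
    vuln_id: str                   # scanner identifier (placeholders here)
    cvss: float                    # base score 0.0-10.0
    patch_released: Optional[date] # None if no vendor patch exists yet


PATCH_WINDOW_DAYS = 30   # "within a month of their release" (GOAL 3)


def rank_for_owner(findings, today: date):
    """Group findings by owner; within each owner sort most dangerous first
    (highest CVSS, then the patch that has been available longest)."""
    by_owner = {}
    for f in findings:
        by_owner.setdefault(f.owner, []).append(f)
    for items in by_owner.values():
        items.sort(key=lambda f: (-f.cvss, f.patch_released or today))
    return by_owner


def overdue(findings, today: date):
    """Findings whose vendor patch has been available longer than the window."""
    return [f for f in findings
            if f.patch_released is not None
            and (today - f.patch_released).days > PATCH_WINDOW_DAYS]


def risk_score(findings):
    """Crude per-owner exposure metric (sum of CVSS over open findings), the
    kind of number used to compare administrators or departments."""
    totals = {}
    for f in findings:
        totals[f.owner] = totals.get(f.owner, 0.0) + f.cvss
    return totals


SAMPLE = [  # constructed scan output
    Finding("pos-01", "alice", "VULN-EXAMPLE-1", 9.8, date(2024, 1, 2)),
    Finding("pos-02", "alice", "VULN-EXAMPLE-2", 5.3, date(2024, 2, 20)),
    Finding("db-01",  "bob",   "VULN-EXAMPLE-3", 7.5, None),
    Finding("db-01",  "bob",   "VULN-EXAMPLE-4", 7.5, date(2024, 1, 25)),
    Finding("web-01", "bob",   "VULN-EXAMPLE-5", 4.0, date(2024, 2, 28)),
]
TODAY = date(2024, 3, 1)   # constructed "scan date"


if __name__ == "__main__":
    for owner, items in rank_for_owner(SAMPLE, TODAY).items():
        print(owner, [f.vuln_id for f in items])
    print("overdue:", [f.vuln_id for f in overdue(SAMPLE, TODAY)])
    print("exposure:", risk_score(SAMPLE))
```

On the constructed data, two findings have had a patch available for more than 30 days and would be the first items raised with their owners; the tie between the two 7.5 findings is broken in favour of the one that already has a patch, since that is the one the administrator can act on today.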
GOAL 4: Implement strong access control measures
As a merchant, you must limit the accessibility of cardholder information.
Install passwords and other security measures to limit employees’ access to cardholder data.
In order to trace employees’ activities when accessing sensitive information, assign each user an unreadable password used to access the cardholder data.
Monitor the physical access to cardholder data; do not allow unauthorized persons the opportunity to retrieve the information, by securing printed information as well as digital.
Maintain a visitor log and save the log for at least three months.
GOAL 5: Regularly monitor and test networks
Keep system activity logs that trace all activity; review the log daily for security breaches.
The information stored in the logs is useful in the event of a security breach to trace employee activities and locate the source of the violation.
Each quarter, use a wireless analyzer to check for wireless access points to prevent unauthorized access.
Also, scan internal and external networks to identify any possible vulnerable areas in the system.
Install software to recognize any modification by unauthorized personnel.
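The last item above, software that recognizes unauthorized modification, is usually a file integrity monitor. As an added example that is not from the textbook or the assignment, the following records a baseline of SHA-256 hashes for the files that matter and, on a later scan, reports anything modified, added or removed. The directory, file names and contents in demo() are constructed in a temporary folder so the example runs anywhere.

```python
# Added example (not from the textbook or assignment): a minimal file
# integrity check. A baseline of SHA-256 hashes is recorded for the files
# that matter; a later scan reports anything modified, added or removed.
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path):
    """Map relative path -> hash for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(old, new):
    """Diff two baselines; each list is sorted so output is stable."""
    return {
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def demo():
    """Constructed scenario: baseline a config directory, then simulate an
    unauthorized edit, an unexpected new file, and a deletion."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "firewall.conf").write_text("deny all\n")
        (root / "users.txt").write_text("alice\nbob\n")
        (root / "readme.txt").write_text("keep\n")
        before = baseline(root)
        (root / "firewall.conf").write_text("allow all\n")   # tampered
        (root / "unexpected.sh").write_text("#!/bin/sh\n")   # unexpected addition
        (root / "users.txt").unlink()                          # removed
        return compare(before, baseline(root))


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be stored somewhere the monitored host cannot write to, and the comparison would run on a schedule with its output feeding the daily log review described for this goal.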
GOAL 6: Maintain an information security policy
Establish a security policy that covers all PCI DSS compliance requirements and includes annual procedures to recognize any security breaches, as well as day-to-day security policies.
Perform background checks on potential employees and educate new and current employees about the compliance regulations.