PCI/DSS Requirement 1 (Install and maintain a firewall configuration to protect cardholder data)

PCI/DSS 1.1.5
Requirement: Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
Testing procedure: 1.1.5.b Identify insecure services, protocols, and ports allowed; and verify they are necessary and that security features are documented and implemented by examining firewall and router configuration standards and settings for each service. An example of an insecure service, protocol, or port is FTP, which passes user credentials in clear-text.
Secure Auditor: Secure Auditor's port scanner allows users to check insecure ports like FTP, HTTP, TFTP and SNMP. It also identifies peer-to-peer data sharing applications (P2P), Voice over IP (VoIP), game ports and Trojan ports on the host system or network. This helps in checking whether the host computer is running any software against policy and in finding Trojans present on the host computer. It also provides information about the Trojan ports to the end users, which they can use to double-check whether a port is a Trojan port and, if so, how to remove the Trojan.

PCI/DSS 1.2.2
Requirement: Secure and synchronize router configuration files.
Testing procedure: Verify that router configuration files are secure and synchronized; for example, running configuration files (used for normal running of the routers) and start-up configuration files (used when machines are rebooted) have the same, secure configurations.
Secure Auditor: Secure Auditor's Cisco Configuration Manager utility allows the user to download the 'Startup' and 'Running' configurations of Cisco routers and change/compare the configurations of different routers on the network. This utility not only allows the user to change or compare configurations but also creates a date-wise backup each time a configuration is uploaded into a router. This gives the user a complete trail of changes made on each router, with dates, and fulfills compliance requirements. Users can also use the embedded TFTP server provided with this utility to save configurations.

PCI/DSS 1.3.6
Requirement: Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.)
Testing procedure: Verify that the firewall performs stateful inspection (dynamic packet filtering). [Only established connections should be allowed in, and only if they are associated with a previously established session (run a port scanner on all TCP ports with "syn reset" or "syn ack" bits set; a response means packets are allowed through even if they are not part of a previously established session).]
Secure Auditor: Secure Auditor's port scanner provides the option to check all TCP ports along with UDP ports.

PCI/DSS 1.4
Requirement: Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization's network.
Testing procedure: Verify that the personal firewall software is configured by the organization to specific standards and is not alterable by mobile computer users.
Secure Auditor: Secure Auditor conducts an audit on Windows-based machines in which it detects whether desktop firewall software is installed. It verifies the presence of personal firewalls for both office and mobile users.
PCI/DSS Requirement 2 (Do not use vendor-supplied defaults for system passwords and other security parameters)

PCI/DSS 2.1
Requirement: Always change vendor-supplied defaults before installing a system on the network; for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
Testing procedure: Choose a sample of system components, critical servers, and wireless access points, and attempt to log on (with system administrator help) to the devices using default vendor-supplied accounts and passwords, to verify that default accounts and passwords have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.)
Secure Auditor: Secure Auditor provides multiple tools to identify default passwords in a system. Its embedded tools, Oracle Password Auditor, MSSQL Password Auditor, Oracle Default Password Tester, MSSQL Default Password Tester and Windows Password Auditor, all identify the existence of default passwords in the system and facilitate compliance with this PCI clause. With the help of SNMP Browser, the user can easily view the entire list of devices with default SNMP enabled. SNMP Scanner identifies the default community strings enabled on the network. All of these tools facilitate the compliance tasks of an organization with ease of use.

PCI/DSS 2.1.1
Requirement: For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.
Testing procedure: Default SNMP community strings on wireless devices were changed.
Secure Auditor: SNMP Browser identifies the default SNMP community names on the machines. SNMP Brute Force Attacker clearly shows whether the SNMP default community strings have been changed or not.

PCI/DSS 2.2
Requirement: Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
Testing procedure: Examine the organization's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards; for example, SysAdmin Audit Network Security (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS).
Secure Auditor: Secure Auditor examines the overall health of an organization through its audit process, in which it identifies system components and configuration settings. Secure Auditor follows the standards of NIST and contains profiles according to the guidelines of PCI DSS, SANS, SOX, CIS etc. According to these profiles, an audit is conducted on the specified machines.

PCI/DSS 2.2.2
Requirement: Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device's specified function).
Testing procedure: For a sample of system components, inspect enabled system services, daemons, and protocols. Verify that unnecessary or insecure services or protocols are not enabled, or are justified and documented as to appropriate use of the service. For example, FTP is not used, or is encrypted via SSH or other technology.
Secure Auditor: Secure Auditor checks the registry and the unnecessary or insecure services or protocols which are enabled. It is also capable of identifying security flaws in them.

PCI/DSS 2.2.3
Requirement: Configure system security parameters to prevent misuse.
Testing procedure: 2.2.3.b Verify that common security parameter settings are included in the system.
Secure Auditor: Secure Auditor contains embedded profiles that are based on common security parameters defined by international institutions and compliance standards like PCI DSS, SANS, SOX, ISACA, CIS etc. Once an audit is conducted against these standards, systems are verified according to common security parameters.

PCI/DSS 2.2.4
Requirement: Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
Testing procedure: For a sample of system components, verify that all unnecessary functionalities (for example, scripts, drivers, features, subsystems, file systems, etc.) are removed. Verify enabled functions are documented and support secure configuration, and that only documented functionality is present on the sampled machines.
Secure Auditor: Secure Auditor checks default registry settings, which helps in identifying unnecessary functions that are configured and allowed on a system.

PCI/DSS 2.3
Requirement: Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
Testing procedure: 2.3 For a sample of system components, verify that non-console administrative access is encrypted by: observing an administrator log on to each system to verify that a strong encryption method is invoked before the administrator's password is requested; reviewing services and parameter files on systems to determine that Telnet and other remote log-in commands are not available for use internally; and verifying that administrator access to the web-based management interfaces.
Secure Auditor: After conducting an audit, Secure Auditor informs you about the access control for all users and also shows services, encryption, remote log-in and parameter files on systems. By using Secure Auditor's Event Log Viewer utility, all logs of administrative access can be checked.

PCI/DSS 3.5.1
Requirement: Restrict access to cryptographic keys to the fewest number of custodians necessary.
Testing procedure: 3.5.1 Examine user access lists to verify that access to keys is restricted to very few custodians.
Secure Auditor: Secure Auditor's Access Rights Auditor informs about access privileges to tables which contain cryptographic keys.

PCI/DSS 3.6
Requirement: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following.
Testing procedure: 3.6.a Verify the existence of key-management procedures for keys used for encryption of cardholder data. Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov.
Secure Auditor: By conducting an audit according to PCI DSS, SANS, SOX, ISACA and CIS, Secure Auditor helps in identifying key management from different resources including NIST.
PCI/DSS Requirement 4 (Encrypt transmission of cardholder data across open, public networks)

PCI/DSS 4.2
Requirement: Never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat).
Testing procedure: 4.2.b Verify the existence of a policy stating that unencrypted PANs are not to be sent via end-user messaging technologies.
Secure Auditor: Secure Auditor's port scanner identifies open ports which use plain-text data, like FTP, HTTP, TFTP and SMTP software. Because the data should be encrypted on both public and private networks, usage should be limited only to those protocols and software that support encryption.
PCI/DSS 5.1
Requirement: Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Testing procedure: For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.
Secure Auditor: Secure Auditor checks for antivirus software and its last updated file, making it easily verifiable through Secure Auditor whether antivirus is deployed and up to date.

PCI/DSS 5.1.1
Requirement: Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
Testing procedure: 5.2.c For a sample of system components including all operating system types commonly affected by malicious software, verify that automatic updates and periodic scans are enabled.
Secure Auditor: Secure Auditor's Software Inventory Viewer helps to identify all installed software on the system according to company policy and also identifies all extra or malicious software. Secure Auditor also informs whether periodic scans and automatic updates are enabled.

PCI/DSS 5.2
Requirement: Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
Testing procedure: 5.2.a Obtain and examine the policy and verify that it requires updating of antivirus software and definitions.
Secure Auditor: Secure Auditor performs checks to identify that an antivirus is running on a Windows-based machine. It also keeps a check on its updated definitions file and informs the user about the last update of the antivirus on a particular system.
PCI/DSS 6.1
Requirement: Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
Testing procedure: 6.1.a For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security patch list, to verify that current vendor patches are installed.
Secure Auditor: Secure Auditor regularly checks patches installed on Windows, Oracle and MSSQL. It compares the list of security patches installed on each system to the most recent vendor security patch list, to verify whether current vendor patches are installed or not. It clearly indicates patches that are yet to be installed.

PCI/DSS 6.2
Testing procedure: 6.2.b Verify that processes to identify new security vulnerabilities include using outside sources for security vulnerability information and updating the system configuration standards reviewed in Requirement 2.2 as new vulnerability issues are found.
Secure Auditor: Secure Auditor conducts an audit according to predefined embedded profiles that are based on common security parameters defined by international institutions and compliance standards like PCI DSS, SANS, SOX, ISACA and CIS. After auditing, it identifies vulnerabilities and provides the description and a step-by-step solution for the identified vulnerabilities.

PCI/DSS 6.3.6
Requirement: Removal of custom application accounts, user IDs, and passwords before applications become active or are released to customers.
Testing procedure: Custom application accounts, user IDs and/or passwords are removed before the system goes into production or is released to customers.
Secure Auditor: Secure Auditor detects default passwords in Oracle, MSSQL and Oracle-based applications; during the enumeration phase, default passwords in Windows can be checked. With the help of Secure Auditor, default passwords which should be removed before going to customers or before starting production can be checked easily.

PCI/DSS 6.4
Requirement: Follow change control procedures for all changes to system components.
Testing procedure: 6.4.b For a sample of system components and recent changes/security patches, trace those changes back to related change control documentation. For each change examined.
Secure Auditor: System component and security patch changes defined in change control documents can be verified through identification by Secure Auditor with the help of audit and enumeration.
PCI/DSS 7.1.1
Requirement: Assignment of privileges is based on individual personnel's job classification and function.
Testing procedure: Confirm that privileges are assigned to individuals based on job classification and function (also called "role-based access control" or RBAC).
Secure Auditor: Access Rights Auditor conducts an audit on role-based access rights granted on Oracle and MSSQL servers.

PCI/DSS 7.1.4
Requirement: Implementation of an automated access control system.
Testing procedure: 7.1.4 Confirm that access controls are implemented via an automated access control system.
Secure Auditor: Secure Auditor provides information about file and folder permissions. It checks the user rights and privileges on the system.

PCI/DSS 7.2.2
Requirement: Assignment of privileges to individuals based on job classification and function.
Testing procedure: Confirm that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.
Secure Auditor: Access Rights Auditor clearly audits and demonstrates that access rights and privileges are assigned in accordance with the needs and requirements of job functions.
PCI/DSS 8.5.3
Requirement: Set first-time passwords to a unique value for each user and change immediately after the first use.
Testing procedure: 8.5.3 Examine password procedures and observe security personnel to verify that first-time passwords for new users are set to a unique value for each user and changed after first use.
Secure Auditor: Secure Auditor's Password Auditor tools help identify default, common and easily guessable passwords. They can help you identify whether a user has changed the default password provided by the administrator. Secure Auditor also checks the password policy against the company's standards.

PCI/DSS 8.5.5
Requirement: Remove/disable inactive user accounts at least every 90 days.
Testing procedure: Verify that inactive accounts over 90 days old are either removed or disabled.
Secure Auditor: Secure Auditor shows in its audit results the number of accounts inactive for over 90 days.

PCI/DSS 8.5.6
Requirement: Enable accounts used by vendors for remote maintenance only during the time period needed.
Testing procedure: 8.5.6 Verify that any accounts used by vendors to support and maintain system components are disabled, enabled only when needed by the vendor, and monitored while being used.
Secure Auditor: Secure Auditor checks the default accounts which exist in the system and also informs whether each account is enabled or disabled. The activities of user accounts can be traced by using Secure Auditor's Event Log Viewer tool; furthermore, one can use the Default Password Tester to test the accounts with default passwords.

PCI/DSS 8.5.8
Requirement: Do not use group, shared, or generic accounts and passwords.
Testing procedure: 8.5.8.a For a sample of system components, examine user ID lists to verify the following: generic user IDs and accounts are disabled or removed; shared user IDs for system administration activities and other critical functions do not exist; shared and generic user IDs are not used to administer any system components. (Audit, password audit, logs)
Secure Auditor: Secure Auditor's audit process identifies generic user IDs and shared user IDs which are present in the system. Secure Auditor also depicts the privileges given to a particular shared account and determines whether privileges for system activities and other critical functions exist. Event Log Viewer verifies this in much more detail by showing that generic user IDs are used by someone, as it is not possible for anyone to use disabled IDs. Password Auditor fetches passwords and usernames for a particular system, which determines the enabled user IDs on a system.

PCI/DSS 8.5.9
Requirement: Change user passwords at least every 90 days.
Testing procedure: For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require users to change passwords at least every 90 days.
Secure Auditor: Secure Auditor identifies the passwords that are 90 days old or more. It also checks the password policy to make sure password parameters are set in a way that requires users to change passwords at least every 90 days.

PCI/DSS 8.5.10
Requirement: Require a minimum password length of at least seven characters.
Testing procedure: For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require passwords to be at least seven characters long.
Secure Auditor: Secure Auditor verifies the implemented password policy on a system or database and checks whether the password policy parameters are set to require a minimum of at least seven characters.

PCI/DSS 8.5.11
Requirement: Use passwords containing both numeric and alphabetic characters.
Testing procedure: For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require passwords to contain both numeric and alphabetic characters. For service providers only, review internal processes and customer/user documentation to verify that customer passwords are required to contain both numeric and alphabetic characters.
Secure Auditor: Secure Auditor also checks the password policy to determine that it is set to use strong passwords that contain numerical and alphabetical characters. It also identifies and fetches weak passwords on a system, which shows the extent of the implications of the password policy.

PCI/DSS 8.5.12
Requirement: Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
Testing procedure: For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that new passwords cannot be the same as the four previously used passwords.
Secure Auditor: Secure Auditor checks the password policy and checks if the password history is properly set according to the PCI standards.

PCI/DSS 8.5.13
Requirement: Limit repeated access attempts by locking out the user ID after not more than six attempts.
Testing procedure: For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that a user's account is locked out after not more than six invalid logon attempts.
Secure Auditor: Secure Auditor checks the account lockout policy set on a system according to the PCI standards. This feature verifies that password parameters are set to require that a user's account is locked out after not more than six invalid logon attempts.

PCI/DSS 8.5.14
Requirement: Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID.
Testing procedure: For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.
Secure Auditor: Secure Auditor checks the account lockout duration according to the PCI standards. These auditing processes verify that the account will remain locked for 30 minutes or until an administrator enables the user ID.
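The password and lockout parameters that the 8.5.9 to 8.5.14 testing procedures have the assessor inspect can be checked mechanically from a local security policy export. The following is an added example, not Secure Auditor code: it parses the [System Access] section of a Windows security template in the format produced by `secedit /export /cfg` (a constructed sample is embedded) and reports which of the six thresholds on this page are not met. The key names are assumed to be those secedit writes; a real export is UTF-16 and must be opened with that encoding.

```python
import re
from typing import Dict, List

# Constructed sample in the format written by `secedit /export /cfg <file>`
# (assumption: key names as secedit writes them). The values are common
# Windows defaults, several of which fail the PCI DSS thresholds.
SAMPLE_POLICY_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
NewAdministratorName = "Administrator"
"""


def parse_system_access(text: str) -> Dict[str, int]:
    """Return the integer settings of the [System Access] section."""
    section = None
    values: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "System Access" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        try:
            values[key.strip()] = int(val.strip())
        except ValueError:
            pass  # string-valued entries such as NewAdministratorName
    return values


def pci_password_findings(s: Dict[str, int]) -> List[str]:
    """One finding per failed PCI DSS 8.5.9-8.5.14 control; [] means compliant."""
    findings: List[str] = []
    # 8.5.9: passwords change at least every 90 days (0 or -1 = never expire)
    max_age = s.get("MaximumPasswordAge", -1)
    if max_age <= 0 or max_age > 90:
        findings.append(f"8.5.9: MaximumPasswordAge={max_age}, must be 1..90 days")
    # 8.5.10: minimum length of seven characters
    min_len = s.get("MinimumPasswordLength", 0)
    if min_len < 7:
        findings.append(f"8.5.10: MinimumPasswordLength={min_len}, must be >= 7")
    # 8.5.11: numeric and alphabetic characters; the Windows complexity flag is
    # the closest policy switch (off means no composition rule at all)
    complexity = s.get("PasswordComplexity", 0)
    if complexity != 1:
        findings.append(f"8.5.11: PasswordComplexity={complexity}, must be 1")
    # 8.5.12: a new password may not match any of the last four
    hist = s.get("PasswordHistorySize", 0)
    if hist < 4:
        findings.append(f"8.5.12: PasswordHistorySize={hist}, must be >= 4")
    # 8.5.13: lock out after not more than six invalid attempts (0 = never)
    bad = s.get("LockoutBadCount", 0)
    if bad == 0 or bad > 6:
        findings.append(f"8.5.13: LockoutBadCount={bad}, must be 1..6")
    # 8.5.14: stay locked >= 30 minutes, or -1 (until an administrator unlocks);
    # only meaningful when lockout is enabled, otherwise 8.5.13 already fails
    dur = s.get("LockoutDuration", 0)
    if bad != 0 and dur != -1 and dur < 30:
        findings.append(f"8.5.14: LockoutDuration={dur}, must be >= 30 min or -1")
    return findings


def audit_policy_text(text: str) -> List[str]:
    """Parse a security template and return the PCI findings for it."""
    return pci_password_findings(parse_system_access(text))


if __name__ == "__main__":
    for finding in audit_policy_text(SAMPLE_POLICY_INF) or ["compliant"]:
        print(finding)
```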
PCI/DSS Requirement 10 (Track and monitor all access to network resources and cardholder data)

PCI/DSS 10.2.2
Requirement: All actions taken by any individual with root or administrative privileges.
Testing procedure: Verify actions taken by any individual with root or administrative privileges are logged.
Secure Auditor: Event Log Viewer clearly verifies actions taken by any individual with root or administrative privileges. It fetches Oracle, MSSQL and Windows logs and displays them in a readable manner in the form of a report that demonstrates all actions made by users having administrative privileges.

PCI/DSS 10.2.3
Requirement: Access to all audit trails.
Testing procedure: Verify access to all audit trails is logged.
Secure Auditor: Secure Auditor checks whether the audit trail is being logged or not. It checks whether audit trail logging is enabled or disabled on the system.

PCI/DSS 10.2.4
Requirement: Invalid logical access attempts.
Testing procedure: Verify invalid logical access attempts are logged.
Secure Auditor: Event Log Viewer generates a separate report to provide lists of logical access attempts made on a particular system.

PCI/DSS 10.2.5
Requirement: Use of identification and authentication mechanisms.
Testing procedure: Verify use of identification and authentication mechanisms is logged.
Secure Auditor: Event Log Viewer provides logs related to the identification and authentication mechanisms defined for a particular system.

PCI/DSS 10.2.6
Requirement: Initialization of the audit logs.
Testing procedure: Verify initialization of audit logs is logged.
Secure Auditor: With the help of Event Log Viewer, the user can verify initialization of audit logs.

PCI/DSS 10.2.7
Requirement: Creation and deletion of system-level objects.
Testing procedure: Verify creation and deletion of system-level objects is logged.
Secure Auditor: With the help of Event Log Viewer, the user can verify the creation and deletion of system-level objects, with details of who performed such actions and at what time.

PCI/DSS 10.3.1
Requirement: User identification.
Testing procedure: Verify user identification is included in log entries.
Secure Auditor: Event Log Viewer provides the facility to view the logs of a particular user, which helps in verifying log entries according to a particular user.

PCI/DSS 10.3.2
Requirement: Type of event.
Testing procedure: Verify type of event is included in log entries.
Secure Auditor: The event type is clearly mentioned in Event Log Viewer reports.

PCI/DSS 10.3.3
Requirement: Date and time.
Testing procedure: Verify date and time stamp is included in log entries.
Secure Auditor: Event Log Viewer represents log entries along with date and time. It helps the user in verifying the time and date of a particular query.

PCI/DSS 10.3.4
Requirement: Success or failure indication.
Testing procedure: Verify success or failure indication is included in log entries.
Secure Auditor: Event Log Viewer generates reports about successful or failed log-in attempts made by different users, which help in determining the number of successful and failed log entries on a particular system.

PCI/DSS 10.3.5
Requirement: Origination of event.
Testing procedure: Verify origination of event is included in log entries.
Secure Auditor: Whenever an event occurs, it is logged. Event Log Viewer gives the user the ability to trace the origination of events along with the related machine name and IP address.

PCI/DSS 10.3.6
Requirement: Identity or name of affected data, system component, or resource.
Testing procedure: Verify identity or name of affected data, system component, or resources is included in log entries.
Secure Auditor: Secure Auditor provides exact instance details of affected data along with the name, system components and resources, through event log reports and a fine-grained audit report viewable through Event Log Viewer.

PCI/DSS 10.4
Requirement: Synchronize all critical system clocks and times.
Testing procedure: 10.4 Obtain and review the process for acquiring and distributing the correct time within the organization, as well as the time-related system-parameter settings for a sample of system components. Verify the following is included in the process and implemented.
Secure Auditor: Secure Auditor checks the time settings, which can be verified through a cross-check with policy as to whether the system is following the defined time-related parameter settings.

PCI/DSS 10.7
Requirement: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
Testing procedure: 10.7.b Verify that audit logs are available for at least one year and processes are in place to restore at least the last three months' logs for immediate analysis.
Secure Auditor: Secure Auditor checks if auditing is enabled according to the company's policy, and Secure Auditor's Event Log Viewer tool can show previous logs which may be required. Logs can be maintained by saving them on a monthly or yearly basis.
PCI/DSS 11.2
Requirement: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
Testing procedure: 11.2.a Inspect output from the most recent four quarters of internal network, host, and application vulnerability scans to verify that periodic security testing of the devices within the cardholder data environment occurs. Verify that the scan process includes rescans until passing results are obtained.
Secure Auditor: Secure Auditor conducts vulnerability scanning on network, host and database assets to identify loopholes in them. Its report facilitates comparing and contrasting the results of multiple audits conducted over a period of time.

PCI/DSS 11.3
Requirement: Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification.
Testing procedure: Obtain and examine the results from the most recent penetration test to verify that penetration testing is performed at least annually and after any significant changes to the environment.
Secure Auditor: Secure Auditor provides penetration testing tools that facilitate users in performing penetration tests. Using Secure Auditor thus ensures that penetration testing is performed at least annually to fulfill the requirement.

PCI/DSS 11.3.1
Requirement: Network-layer penetration tests.
Testing procedure: 11.3.1 Verify that the penetration test includes network-layer penetration tests. These tests should include components that support network functions as well as operating systems.
Secure Auditor: Secure Auditor contains utilities that provide facilities to conduct network penetration tests, like SNMP Browser, SNMP Brute Force Attacker, Port Scanner, FTP and HTTP attackers etc. Their reports are also generated so the user can compare them to identify significant changes to the environment and fulfill compliance clause requirements as well.
PCI/DSS Requirement 12 (Maintain a policy that addresses information security for employees and contractors)

PCI/DSS 12.1.1
Requirement: Addresses all PCI DSS requirements.
Testing procedure: 12.1.1 Verify that the policy addresses all PCI DSS requirements.
Secure Auditor: PCI DSS requirements are included in Secure Auditor, which helps an organization to comply with PCI DSS.