PCI DSS Requirement 11: Test the Security of Systems and Networks Regularly | PCI 101


Transcript:

Welcome to PCI 101 by SecurityMetrics. Let’s dive into Requirement 11: Test the Security of Systems and Networks Regularly.

Once your security systems are established and you are confident in your setup, it’s time to put it to the test. Requirement 11 wants to ensure that you’re thoroughly testing your systems’ and networks’ security.

Perform regular testing of your security systems and services.

The types of systems that make up a business’s IT environment influence the kinds of attacks that they’re susceptible to; because of this, a security testing plan should be tailored to its environment.

For custom in-house applications, internal code review and testing, together with independent penetration testing, can expose many of the weaknesses commonly found in application code.

These types of scans and tests are the best line of defense in identifying weaknesses so they can be corrected before deployment.

For example, a vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities in systems and applications.

PCI DSS requires two types of vulnerability scanning: internal and external vulnerability scans.

External vulnerability scanning is like checking to see if doors and windows are locked, while internal vulnerability scanning is like testing to see if bedroom and bathroom doors have locks that would prevent an intruder from moving to more sensitive areas once they have gained access to the house.

For PCI compliance, passing quarterly vulnerability scan reports is a must.

This means that if a vulnerability is discovered during a scan that is a high risk, or that causes the scan to fail, you must work to resolve the issue, and then re-scan the affected system to show it was fixed.

This requirement could be confusing or frustrating for merchants that have never needed to scan previously. Getting help with setting up scans will reduce their chance of failing their first time.

Penetration testing takes vulnerability detection to the next level.

Think of penetration testers as friendly, ethical hackers. They are real people who analyze networks and systems, identify potential vulnerabilities, misconfigurations, or coding errors, and try to exploit them in order to point out weaknesses so you can protect your organization.

Having a trusted expert try to break into your system is incredibly beneficial, as it makes your vulnerabilities immediately visible for repair, before attackers get the chance to exploit them.

Depending on how your business is required to validate PCI compliance, PCI DSS Requirement 11 may call for annual internal and external penetration testing.

Even if not required for PCI compliance, performing regular penetration testing is a security best practice.

Any organization can benefit by using a penetration test to measure the security of a system, application, or an entire network environment.

In addition to annual penetration tests, it’s smart to perform a penetration test whenever significant infrastructure changes occur to check if these changes introduced new vulnerabilities.

If your organization fills out an SAQ A, A-EP, D for Merchants, or D for Service Providers, there are additional security requirements to keep in mind.

Specifically, requirement 11.6.1 details exactly how these organizations need to implement change detection procedures and technologies to alert personnel to unauthorized modifications to the HTTP headers and contents of the pages used to house the TPSP iframe.

Such tamper-detection mechanisms must run at least weekly to look for unauthorized modifications to these critical web pages. SecurityMetrics offers a tool, called Shopping Cart Monitor, that helps meet this requirement.
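The check that 11.6.1 describes, in working form, as an added example that is not SecurityMetrics code or the Shopping Cart Monitor product: it records a baseline fingerprint of a payment page's monitored HTTP headers and content, then compares a later capture against that baseline and reports what changed. The header list, the `.invalid` hostnames and the two HTTP responses are constructed here so the script runs offline; in a real weekly job the "current" headers and body would come from fetching the live page that hosts the TPSP iframe.

```python
"""Weekly tamper check for a page that hosts a TPSP payment iframe.

Added example (not SecurityMetrics code). Responses are constructed inline
so it runs offline; in practice they would come from fetching the live page.
"""
import hashlib
import re
from typing import Dict, List

# Response headers whose change on a payment page deserves an alert.
# Assumption: chosen for illustration, not a PCI-mandated list.
MONITORED_HEADERS = (
    "content-security-policy",
    "x-frame-options",
    "strict-transport-security",
    "content-type",
)

# Inventory the script and iframe sources so an alert says *what* changed,
# not just that the page hash differs.
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc=[\"']([^\"']+)[\"']", re.IGNORECASE)
IFRAME_SRC = re.compile(r"<iframe[^>]*\ssrc=[\"']([^\"']+)[\"']", re.IGNORECASE)


def fingerprint(headers: Dict[str, str], body: bytes) -> Dict[str, object]:
    """Build a comparable snapshot of one page response."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    monitored = {h: lowered.get(h, "<absent>") for h in MONITORED_HEADERS}
    text = body.decode("utf-8", errors="replace")
    return {
        "headers": monitored,
        "body_sha256": hashlib.sha256(body).hexdigest(),
        "scripts": sorted(set(SCRIPT_SRC.findall(text))),
        "iframes": sorted(set(IFRAME_SRC.findall(text))),
    }


def detect_changes(baseline: Dict[str, object], current: Dict[str, object]) -> List[str]:
    """Return human-readable findings; an empty list means nothing changed."""
    findings: List[str] = []
    for h in MONITORED_HEADERS:
        old, new = baseline["headers"][h], current["headers"][h]
        if old != new:
            findings.append(f"header {h} changed: {old!r} -> {new!r}")
    for kind in ("scripts", "iframes"):
        added = set(current[kind]) - set(baseline[kind])
        removed = set(baseline[kind]) - set(current[kind])
        for src in sorted(added):
            findings.append(f"{kind[:-1]} added: {src}")
        for src in sorted(removed):
            findings.append(f"{kind[:-1]} removed: {src}")
    if baseline["body_sha256"] != current["body_sha256"]:
        findings.append("page content hash changed")
    return findings


def run_weekly_check(baseline: Dict[str, object], headers: Dict[str, str], body: bytes) -> List[str]:
    """Compare a fresh capture of the page against the stored baseline."""
    return detect_changes(baseline, fingerprint(headers, body))


# Constructed baseline capture of the checkout page (not a real site).
BASELINE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "frame-src https://pay.example-tpsp.invalid",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000",
}
BASELINE_BODY = b"""<html><body>
<script src="/static/checkout.js"></script>
<iframe src="https://pay.example-tpsp.invalid/card-form"></iframe>
</body></html>"""

# Constructed later capture: the CSP header is gone and an extra script tag
# now loads from an unknown host, the kind of change 11.6.1 exists to catch.
TAMPERED_HEADERS = {k: v for k, v in BASELINE_HEADERS.items() if k != "Content-Security-Policy"}
TAMPERED_BODY = BASELINE_BODY.replace(
    b"</body>",
    b'<script src="https://cdn.example-attacker.invalid/a.js"></script></body>',
)

if __name__ == "__main__":
    base = fingerprint(BASELINE_HEADERS, BASELINE_BODY)
    for finding in run_weekly_check(base, TAMPERED_HEADERS, TAMPERED_BODY):
        print("ALERT:", finding)
```

The baseline dictionary is plain strings and lists, so it can be stored as JSON after an approved change and reloaded for each weekly run; any finding should be routed to the personnel the requirement says must be alerted, and the baseline only re-recorded once the change has been confirmed as authorized.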

Security testing is one of the most effective ways to ensure your organization is prepared and protected against cyber threats.
