  1. Senior Member
    Join Date
    Oct 2014
    Posts
    1,441

    Certifications
    VCAP6-DCV Deploy, VCP6-DCV, MCSA 2012, CCNA R&S, CCNA Sec, Linux+ Storage+ Sec+ Net+ A+ Proj+ ITILF
    #1

    Default PCI DSS Requirements

    After research has led to mixed results, I could use more info on PCI DSS compliance.

    1. Does Linux require full AV software? Regular rootkit scans?
    2. If code is based on EoL PHP libraries, does it need to be updated, thus breaking compatibility?
    2017 VCAP6-DCV Deploy (Oct) 2016 Storage+ (Jan)
    2015 Start WGU (Feb) Net+ (Feb) Sec+ (Mar) Project+ (Apr) Other WGU (Jun) CCENT (Jul) CCNA (Aug) CCNA Security (Aug) MCP 2012 (Sep) MCSA 2012 (Oct) Linux+ (Nov) Capstone/BS (Nov) VCP6-DCV (Dec) ITILF (Dec)

  3. Senior Member
    Join Date
    May 2006
    Posts
    2,026

    Certifications
    CISSP, CCSP, eJPT, ITIL,PA ACE,Qualys Certified Specialist, A+
    #2
    Incidentally, I was doing some reading on this too. From what I've gathered, vulnerability scanning software out there will fail you for PCI compliance if things like that are not resolved. However, you can submit exception forms which detail other compensating or complementary controls that will make the findings get a pass.

  4. Senior Member
    Join Date
    Jan 2015
    Location
    Chicago, IL
    Posts
    996

    Certifications
    Too many MCPs and MCTS, MCSA: Security, MCSE: Security, MCSA: 2003, 2008, 2012, MCITP: EA, CISSP-ISSAP, SCS DLP, GREM
    #3
    I believe it is yes on both. But that would be perfect compliance, and almost nobody is perfect.

  5. Senior Member (McxRisley)
    Join Date
    May 2016
    Posts
    242

    Certifications
    Bachelors of Science in IT, MTA, SEC+, CSA+, CASP, C|EH, OSCP
    #4
    As someone who works in compliance, the answer is yes to the first question. The second one would require justification for having an open finding, and as long as whoever is reviewing the findings agrees with the justification, it is allowed. You will also need a plan on how to deal with fixing the open finding and set a date for the issue to be fixed. This is what we call a POA&M (Plan of Action and Milestones).

  6. Senior Member
    Join Date
    Oct 2014
    Posts
    1,441

    Certifications
    VCAP6-DCV Deploy, VCP6-DCV, MCSA 2012, CCNA R&S, CCNA Sec, Linux+ Storage+ Sec+ Net+ A+ Proj+ ITILF
    #5
    The reason for the confusion on AV is that the requirements state "PCI DSS requires anti-virus to be installed on all systems that are commonly affected by malware," which leads me to believe it refers to Windows specifically.

    Is AV required on Linux or just rootkit scans? If AV, does it need to have real time protection?

    It looks like PHP 7.1 compatibility is going to the top of the list. Thanks for that information.

  7. Senior Member
    Join Date
    Oct 2014
    Posts
    1,441

    Certifications
    VCAP6-DCV Deploy, VCP6-DCV, MCSA 2012, CCNA R&S, CCNA Sec, Linux+ Storage+ Sec+ Net+ A+ Proj+ ITILF
    #6
    Regarding restricting physical access what would auditors see as sufficient?

    Key locked door and rack good enough or are they looking for typical datacenter security with man traps, security guards, biometric scans, etc.?

  8. Senior Member
    Join Date
    May 2013
    Posts
    1,265

    Certifications
    CISSP, GWAPT, GSEC, C|EH, CCNA:Security, CCNA:R&S, CCENT, Security+, Network+
    #7
    Originally Posted by techfiend:
    The reason for the confusion on AV is the requirements state "PCI DSS requires anti-virus to be installed on all systems that are commonly affected by malware." Which leads me to believe it refers to Windows specifically.
    To me that would include Linux/UNIX/Mac...but might exclude embedded types of operating systems. To be honest, if you don't have anti-virus on your non-Windows systems, even if not regulated, that is being irresponsible.

    Originally Posted by techfiend:
    Regarding restricting physical access what would auditors see as sufficient?

    Key locked door and rack good enough or are they looking for typical datacenter security with man traps, security guards, biometric scans, etc.?
    Typical would be at least a badge proximity scanner...if you are of decent size and using a key lock, I would resolve that pretty quick. Think about if there is turnover with key holders and locks don't get changed, or if you have a weak lock...not the best security. It's all a risk management calculation how much further to go...if the data gets compromised and you lose $10,000...are you really gonna spend $50,000 on a security guard? Probably not.

    A receptionist could double as somewhat of a "security guard" in the sense that they are monitoring access in and out. Biometrics aren't very common except in high-security areas...and still don't seem to be widely accepted by would-be users.

  9. Senior Member (McxRisley)
    Join Date
    May 2016
    Posts
    242

    Certifications
    Bachelors of Science in IT, MTA, SEC+, CSA+, CASP, C|EH, OSCP
    #8
    Have you been officially trained in PCI DSS by their organization? This may help you out in this aspect. I noticed their documents refer to "heavy research" and using CIS to help with issues. This to me seems extremely lazy on their part, whereas in my line of work we would just refer to the STIG, and those are so cut and dry that a brain-dead monkey could secure a system with them.

  10. Senior Member
    Join Date
    Oct 2014
    Posts
    1,441

    Certifications
    VCAP6-DCV Deploy, VCP6-DCV, MCSA 2012, CCNA R&S, CCNA Sec, Linux+ Storage+ Sec+ Net+ A+ Proj+ ITILF
    #9
    The lack of detail in the official standard should really hurt its reputation. Clearly some of it is auditor discretion.

  11. IOCs? What IOCs???!! (jcundiff)
    Join Date
    Jan 2016
    Location
    Morehead, KY
    Posts
    414

    Certifications
    CISSP, CRISC, ITILFv3, PCIP, RSA Archer, MSCE Win2000, A+, N+, Server+, Proj+, eBiz+,iNet+
    #10
    Originally Posted by techfiend:
    The lack of detail in the official standard should really hurt its reputation. Clearly some of it is auditor discretion.
    Considering 85-90% of the standard is common sense / basic security hygiene, I doubt it...
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
