
Sheriff CSM™

PCI DSS 3.2 Requirement 11: Regularly Test Security Systems and Processes

Columns: Testing Procedure | How Sheriff CSM Delivers | Sheriff CSM Instructions | Sheriff CSM Documentation

11.1.d
Testing Procedure: If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to notify personnel.
How Sheriff CSM Delivers: Sheriff CSM can provide alerting for events that are collected and sent to the SIEM.
Sheriff CSM Instructions: Verify that policies, especially those in the "Policies for events generated in server" section, are enabled and configured to use an Action that generates an email to the appropriate contact.
Sheriff CSM Documentation: Tutorial: Create a Policy to Send Emails Triggered by Events

11.1.1
Testing Procedure: Examine documented records to verify that an inventory of authorized wireless access points is maintained and a business justification is documented for all authorized wireless access points.
How Sheriff CSM Delivers: Sheriff CSM provides asset management features that can assist in collecting this data.
Sheriff CSM Instructions:
• Schedule asset scans to run regularly in Sheriff CSM. (Documentation: Running Asset Scans)
• Run the existing Asset Report for an inventory of all assets. (Documentation: How to Run Reports)
• If you find any information outdated or missing, edit the asset to enter the appropriate information; the business justification for each authorized access point is recorded this way, since a scan only discovers the device. (Documentation: Editing the Assets)

11.2.1.a
Testing Procedure: Review the scan reports and verify that four quarterly internal scans occurred in the most recent 12-month period.
How Sheriff CSM Delivers: Configure Vulnerability Scan in Sheriff CSM to satisfy this requirement.
Sheriff CSM Instructions: See scan results on Environment > Vulnerabilities > Scan Jobs, and use the Launch Time column to verify the dates of scans: there must be at least one completed internal scan in each quarter of the most recent 12 months.
Sheriff CSM Documentation: Viewing the Scan Results

11.2.1.b
Testing Procedure: Review the scan reports and verify that the scan process includes rescans until all "high-risk" vulnerabilities (as defined in PCI DSS Requirement 6.1) are resolved.
How Sheriff CSM Delivers: Configure Vulnerability Scan in Sheriff CSM to satisfy this requirement.
Sheriff CSM Instructions: See scan results on Environment > Vulnerabilities > Scan Jobs. Use the Launch Time column to identify the rescans that followed each quarterly scan, and compare their results with the earlier scan to confirm that every "high-risk" vulnerability it reported is absent from the final rescan.
Sheriff CSM Documentation: Viewing the Scan Results

11.2.3.b
Testing Procedure: Review scan reports and verify that the scan process includes rescans until:
• For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.
• For internal scans, all "high-risk" vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.
How Sheriff CSM Delivers: Configure Vulnerability Scan in Sheriff CSM to satisfy this requirement. Sheriff CSM keeps copies of scan results; use them to show that ongoing internal scanning is being performed.
Sheriff CSM Instructions: See scan results on Environment > Vulnerabilities > Scan Jobs, and use the Launch Time column to verify the dates of scans. Compare each scan with the rescans that followed it to confirm that the findings above the applicable threshold are gone.
Sheriff CSM Documentation: Viewing the Scan Results
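The two evidence checks behind 11.2.1.a, 11.2.1.b and 11.2.3.b (one scan per quarter, and rescans until the high-risk findings disappear) are easy to get wrong by eye when a year of scan jobs is on the screen. The script below, an added example that is not Sheriff CSM code and not from the Sheriff CSM documentation, runs both checks over a constructed list of scan jobs in the shape you would transcribe from the Scan Jobs view (launch date plus the findings each scan reported). The input format, the rolling 91-day quarters, and the CVSS 7.0 "high-risk" cut-off for internal scans are all assumptions; PCI only fixes the 4.0 threshold for external scans and leaves "high-risk" to the entity's own 6.1 ranking.

```python
from datetime import date, timedelta

EXTERNAL_MAX_CVSS = 4.0          # PCI DSS 3.2 11.2.3.b: external scans must be clean at CVSS >= 4.0
INTERNAL_HIGH_RISK_CVSS = 7.0    # assumption: the entity's "high-risk" definition under Requirement 6.1

# Constructed sample (not a Sheriff CSM export): one year of internal scan jobs.
# Each finding is (host, vulnerability id, CVSS base score); the ids are placeholders.
SAMPLE_JOBS = [
    {"launch": "2021-05-03", "scope": "internal",
     "findings": [("10.0.1.5", "VULN-A", 9.8), ("10.0.1.7", "VULN-B", 5.0)]},
    {"launch": "2021-05-20", "scope": "internal",        # rescan: VULN-A no longer reported
     "findings": [("10.0.1.7", "VULN-B", 5.0)]},
    {"launch": "2021-08-02", "scope": "internal", "findings": []},
    {"launch": "2021-11-01", "scope": "internal",
     "findings": [("10.0.1.9", "VULN-C", 7.5)]},
    {"launch": "2022-02-07", "scope": "internal",        # VULN-C still present: not resolved
     "findings": [("10.0.1.9", "VULN-C", 7.5)]},
]


def quarterly_windows(as_of):
    """Four consecutive 91-day windows covering the 364 days ending at as_of.
    Assumption: 'quarterly' is checked against rolling windows, not calendar quarters."""
    start = as_of - timedelta(days=364)
    windows = []
    for i in range(4):
        w_start = start + timedelta(days=91 * i)
        w_end = w_start + timedelta(days=91) if i < 3 else as_of + timedelta(days=1)
        windows.append((w_start, w_end))
    return windows


def missing_quarters(jobs, as_of, scope="internal"):
    """Windows (start, end) in which no scan of the given scope was launched (11.2.1.a)."""
    launches = [date.fromisoformat(j["launch"]) for j in jobs if j["scope"] == scope]
    return [(s, e) for s, e in quarterly_windows(as_of)
            if not any(s <= d < e for d in launches)]


def high_risk(findings, scope):
    """The (host, vuln) pairs that must be gone before rescanning can stop."""
    threshold = EXTERNAL_MAX_CVSS if scope == "external" else INTERNAL_HIGH_RISK_CVSS
    return {(host, vuln) for host, vuln, cvss in findings if cvss >= threshold}


def high_risk_history(jobs, scope="internal"):
    """Track each high-risk finding from first sighting to the rescan that no longer reports it.
    A finding that reappears after being cleared is reopened (its earlier record is replaced)."""
    ordered = sorted((j for j in jobs if j["scope"] == scope), key=lambda j: j["launch"])
    history = {}
    for job in ordered:
        present = high_risk(job["findings"], scope)
        for key in present:
            entry = history.get(key)
            if entry is None or entry["cleared_on"] is not None:
                history[key] = {"first_seen": job["launch"], "cleared_on": None}
        for key, entry in history.items():
            if entry["cleared_on"] is None and key not in present:
                entry["cleared_on"] = job["launch"]
    return history


def unresolved(history):
    """High-risk findings with no clearing rescan yet (11.2.1.b / 11.2.3.b)."""
    return {key for key, entry in history.items() if entry["cleared_on"] is None}


if __name__ == "__main__":
    as_of = date(2022, 4, 30)
    print("quarters without a scan:", missing_quarters(SAMPLE_JOBS, as_of) or "none")
    hist = high_risk_history(SAMPLE_JOBS)
    for key, entry in sorted(hist.items()):
        print(key, entry)
    print("unresolved high-risk:", unresolved(hist) or "none")
```

The history dictionary is the artefact worth keeping for the assessor: for each high-risk finding it names the scan that first reported it and the rescan that cleared it, which is exactly the "rescans until resolved" trail the testing procedure asks for. Note that a finding is only treated as cleared when a later scan of the same scope omits it, so a rescan that covered fewer hosts would make a finding look resolved; keep the rescan scope identical to the original scan.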
11.4.a
Testing Procedure: Examine system configurations and network diagrams to verify that techniques (such as intrusion-detection systems and/or intrusion-prevention systems) are in place to monitor all traffic:
• At the perimeter of the cardholder data environment
• At critical points in the cardholder data environment.
How Sheriff CSM Delivers: Sheriff CSM provides NIDS/HIDS functionality and NetFlow information to trace data flow.
Sheriff CSM Instructions: From Analysis > Security Events, select "Sheriff NIDS" from the Data Source drop-down. Verify that events are being generated from network traffic that is not local to the Sheriff CSM device; this shows the sensor is seeing traffic at the monitored perimeter and internal points rather than only its own management traffic.
Sheriff CSM Documentation: Security Events Views

11.4.c
Testing Procedure: Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection and/or intrusion-prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection.
How Sheriff CSM Delivers: Sheriff CSM provides NIDS/HIDS functionality and NetFlow information to trace data flow.
Sheriff CSM Instructions: From Analysis > Security Events, select "Sheriff NIDS" from the Data Source drop-down. Verify that events are being generated from network traffic that is not local to the Sheriff CSM device. Current events show that the sensor is active and configured; keep the vendor documentation for the rule and signature update process alongside this evidence to cover the "maintained and updated per vendor instructions" part of the procedure.
Sheriff CSM Documentation: Security Events Views
11.5.a
Testing Procedure: Verify the use of a change-detection mechanism by observing system settings and monitored files, as well as reviewing results from monitoring activities.
Examples of files that should be monitored:
• System executables
• Application executables
• Configuration and parameter files
• Centrally stored, historical or archived, log and audit files
• Additional critical files determined by entity (i.e., through risk assessment or other means)
How Sheriff CSM Delivers: Sheriff CSM provides registry integrity monitoring and File Integrity Monitoring (FIM) through Sheriff HIDS.
Sheriff CSM Instructions:
• Create a Security Events view with the search on Event Name containing "integrity" and the data source as "Sheriff HIDS". Then export the view as a report module and run the report. (Documentation: Create Custom Reports from SIEM Events)
• Additionally, create a directive to alert on occurrences of HIDS integrity change events, which triggers immediate alarms; the DoS tutorial shows the directive-creation steps, substituting the HIDS integrity event. (Documentation: Tutorial: Create a New Directive to Detect DoS Attack)
• Examine long-term logging on Analysis > Raw Logs by performing a search for any events containing "integrity" and data source as "Sheriff HIDS". (Documentation: Search Raw Logs)

11.5.b
Testing Procedure: Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly.
How Sheriff CSM Delivers: Sheriff CSM provides File Integrity Monitoring (FIM) through Sheriff HIDS.
Sheriff CSM Instructions:
• Create a Security Events view with the search on Event Name containing "integrity" and the data source as "Sheriff HIDS". Then export the view as a report module and run the report. (Documentation: Create Custom Reports from SIEM Events)
• Additionally, create a directive to alert on occurrences of HIDS integrity change events, which triggers immediate alarms; the DoS tutorial shows the directive-creation steps, substituting the HIDS integrity event. (Documentation: Tutorial: Create a New Directive to Detect DoS Attack)
• Examine long-term logging on Analysis > Raw Logs by performing a search for any events containing "integrity" and data source as "Sheriff HIDS". (Documentation: Search Raw Logs)
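What 11.5.a and 11.5.b actually require of the mechanism is a baseline-and-compare over the monitored files that classifies every difference as a change, an addition or a deletion, plus proof that the comparison runs at least weekly. The script below is an added example, not Sheriff HIDS code and not from the Sheriff CSM documentation: it implements that comparison over a constructed directory tree, and applies the page's event search (data source "Sheriff HIDS", event name containing "integrity") to constructed event records to find hosts with no integrity event in the last seven days. The event record fields, host names and file contents are assumptions.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map of relative path -> digest for every regular file under root (the FIM baseline)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = file_digest(full)
    return result


def compare(baseline, current):
    """Classify differences the way 11.5.b enumerates them: changes, additions, deletions."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "deleted": deleted}


def demo_compare():
    """Build a constructed monitored tree, baseline it, tamper with it, and compare."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("debug=false\n")
        with open(os.path.join(root, "etc", "old.conf"), "w") as f:
            f.write("x=1\n")
        with open(os.path.join(root, "bin", "app"), "wb") as f:
            f.write(b"\x7fELF placeholder executable")
        baseline = snapshot(root)
        # Tamper: edit a parameter file, drop a new executable, remove a file.
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("debug=true\n")
        with open(os.path.join(root, "bin", "backdoor"), "wb") as f:
            f.write(b"\x7fELF placeholder executable 2")
        os.remove(os.path.join(root, "etc", "old.conf"))
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


# Constructed SIEM event records (not a Sheriff CSM export format) carrying the
# fields the page's search keys on: data source, event name, host, timestamp.
SAMPLE_EVENTS = [
    {"time": "2022-04-28T02:00:00", "source": "Sheriff HIDS", "host": "pos-db-01",
     "name": "Integrity checksum changed"},
    {"time": "2022-04-15T02:00:00", "source": "Sheriff HIDS", "host": "pos-web-01",
     "name": "Integrity checksum changed"},
    {"time": "2022-04-29T02:00:00", "source": "Sheriff NIDS", "host": "pos-web-01",
     "name": "ET SCAN Nmap"},   # wrong data source, must be ignored
]


def integrity_events(events):
    """The page's Security Events search: data source "Sheriff HIDS", event name containing "integrity"."""
    return [e for e in events if e["source"] == "Sheriff HIDS" and "integrity" in e["name"].lower()]


def hosts_overdue(events, hosts, now, max_days=7):
    """Monitored hosts with no HIDS integrity event in the last max_days (11.5.b: at least weekly)."""
    last = {}
    for e in integrity_events(events):
        t = datetime.fromisoformat(e["time"])
        if e["host"] not in last or t > last[e["host"]]:
            last[e["host"]] = t
    return sorted(h for h in hosts if h not in last or now - last[h] > timedelta(days=max_days))


if __name__ == "__main__":
    print(demo_compare())
    print(hosts_overdue(SAMPLE_EVENTS, ["pos-db-01", "pos-web-01", "pos-app-01"],
                        datetime(2022, 4, 30)))
```

One caveat when reading the event search as evidence: a HIDS integrity event is only emitted when a file changes, so a host that is silent for two weeks may be perfectly clean or may have an agent that stopped reporting. Treat hosts that `hosts_overdue` returns as "confirm the agent is checking in and the comparison schedule is still configured", not as automatic failures, and keep the agent schedule or configuration as the evidence for the weekly interval itself.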
Topic revision: r8 - 30 Apr 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.