 |
You are here: Docs>Sheriff Web>UserGuides>SheriffCSMDocumentation>UserGuide>UsingSheriffCSMForPCICompliance>PCIDSS32Requirement2 (29 Apr 2022, SheriffCyberSecurity)Edit Attach
Up
Previous Next Sheriff CSM™
Previous Next Sheriff CSM™
PCI DSS 3.2 Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
| Testing Procedure | How Sheriff CSM Delivers | Sheriff CSM Instructions | Sheriff CSM Documentation |
|---|---|---|---|
| 2.1.a Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords have been changed (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings). (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.) | In Sheriff CSM, you can configure a Vulnerability Scan to test for default accounts, passwords and community strings during scans. |
Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host:
| Creating a Custom Scan Profile |
| Run a Vulnerability Scan using the custom scan profile that was created. | Performing Vulnerability Scans | ||
| Export successful scan results and identify findings to determine if system is configured correctly. | Viewing the Scan Results | ||
| 2.1.b For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled. | In Sheriff CSM, you can configure a Vulnerability Scan to test for default accounts, passwords and community strings during scans. |
Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host:
| Creating a Custom Scan Profile |
| Run a Vulnerability Scan using the custom scan profile that was created. | Performing Vulnerability Scans | ||
| Export successful scan results and identify findings to determine if system is configured correctly. | Viewing the Scan Results | ||
|
2.1.1.c Examine vendor documentation and login to wireless devices, with system administrator help, to verify: • Default SNMP community strings are not used. • Default passwords/passphrases on access points are not used. | In Sheriff CSM, you can configure a Vulnerability Scan to test for default accounts, passwords and community strings during scans. | Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host:
| Creating a Custom Scan Profile |
| Run a Vulnerability Scan using the custom scan profile that was created. | Performing Vulnerability Scans | ||
| Export successful scan results and identify findings to determine if system is configured correctly. | Viewing the Scan Results | ||
| 2.1.1.e Examine vendor documents were changed, if applicable. | In Sheriff CSM, you can configure a Vulnerability Scan to test for default accounts and passwords on wireless devices. |
Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host:
| Creating a Custom Scan Profile |
| Run a Vulnerability Scan using the custom scan profile that was created. | Performing Vulnerability Scans | ||
| Export successful scan results and identify findings to determine if system is configured correctly. | Viewing the Scan Results | ||
| 2.2.a Examine the organization's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry- accepted hardening standards. | In Sheriff CSM, you can configure a Vulnerability Scan to test for system hardening standards. | Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the appropriate checks in the scanning profile for the target host. | Creating a Custom Scan Profile |
| Run a Vulnerability Scan using the custom scan profile that was created. | Performing Vulnerability Scans | ||
| Export successful scan results and identify findings to determine if system is configured correctly. | Viewing the Scan Results | ||
| 2.2.d Verify that system configuration standards include the following procedures for all types of system components: • Changing of all vendor-supplied defaults and elimination of unnecessary default accounts • Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server • Enabling only necessary services, protocols, daemons, etc., as required for the function of the system • Implementing additional security features for any required services, protocols or daemons that are considered to be insecure • Configuring system security parameters to prevent misuse • Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. | The Vulnerability Scan in Sheriff CSM can assist in testing for system default passwords, detecting running services, and testing system hardening configurations. | Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host:
| Creating a Custom Scan Profile |
| Run a Vulnerability Scan using the custom scan profile that was created. | Performing Vulnerability Scans | ||
| Export successful scan results and identify findings to determine if system is configured correctly. | Viewing the Scan Results | ||
| 2.2.2.b Identify any enabled insecure services, daemons, or protocols and interview personnel to verify they are justified per documented configuration standards. | The Vulnerability Scan in Sheriff CSM can assist in identifying insecure services, daemons and protocols. Sheriff CSM active and passive Asset Discovery can identify ports/protocols used by a monitored device. | Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host:
| Creating a Custom Scan Profile |
| Run a Vulnerability Scan using the custom scan profile that was created. | Performing Vulnerability Scans | ||
| Export successful scan results and identify findings to determine if system is configured correctly. | Viewing the Scan Results | ||
| 2.2.3.a Inspect configuration settings to verify that security features are documented and implemented for all insecure services, daemons, or protocols. | The Vulnerability Scan in Sheriff CSM can assist in identifying insecure services, daemons and protocols. | Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host:
| Creating a Custom Scan Profile |
| Run a Vulnerability Scan using the custom scan profile that was created. | Performing Vulnerability Scans | ||
| Export successful scan results and identify findings to determine if system is configured correctly. | Viewing the Scan Results | ||
| 2.2.4.b Examine the system configuration standards to verify that common security parameter settings are included. | In Sheriff CSM, you can configure a Vulnerability Scan to test for system hardening standards. | Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host:
| Creating a Custom Scan Profile |
| Run a Vulnerability Scan using the custom scan profile that was created. | Performing Vulnerability Scans | ||
| Export successful scan results and identify findings to determine if system is configured correctly. | Viewing the Scan Results | ||
| 2.2.4.c Select a sample of system components and inspect the common security parameters to verify that they are set appropriately and in accordance with the configuration standards. | In Sheriff CSM, you can configure a Vulnerability Scan to test for system hardening standards. | Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host:
| Creating a Custom Scan Profile |
| Run a Vulnerability Scan using the custom scan profile that was created. | Performing Vulnerability Scans | ||
| Export successful scan results and identify findings to determine if system is configured correctly. | Viewing the Scan Results | ||
| 2.3.b Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access. | The Vulnerability Scan in Sheriff CSM can assist in testing for the presence of Telnet services or other insecure remote-login commands. Sheriff CSM asset scan discovers open ports and lists them in the inventory. | Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host:
| Creating a Custom Scan Profile |
| Run a Vulnerability Scan using the custom scan profile that was created. | Performing Vulnerability Scans | ||
| Export successful scan results and identify findings to determine if system is configured correctly. | Viewing the Scan Results | ||
| 2.4.a Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each. | Sheriff CSM has built-in capability for asset management and discovery. | Run an Asset Scan to discover all assets. | Running Asset Scans |
| Update and maintain the description field for each asset. | Editing the Assets | ||
| Run the existing Asset Report for an inventory of all assets. | How to Run Reports |
Edit | Attach | Print version | History: r15 < r14 < r13 < r12 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r15 - 29 Apr 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.