Requirement 2 Flashcards

1
Q

Requirement 2

A

Do not use vendor-supplied defaults for system passwords and other security parameters.

2
Q

Requirement 2.1

A

Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.

3
Q

Requirement 2.1.a

A

Choose a sample of system components and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords have been changed. Use vendor manuals and sources on the internet to find vendor-supplied accounts and passwords.

4
Q

Requirement 2.1.b

A

For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, application systems, POS terminals, SNMP, etc.) are removed or disabled.

5
Q

Requirement 2.1.c

A

Interview personnel and examine supporting documentation to verify that all vendor defaults are changed before a system is installed on the network, and that unnecessary default accounts are removed or disabled before a system is installed on the network.

6
Q

Requirement 2.1.1

A

For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.

7
Q

Requirement 2.1.1.a

A

Interview responsible personnel and examine supporting documentation to verify that encryption keys were changed from default at installation and are changed any time anyone with knowledge of the keys leaves the company or changes position.

8
Q

Requirement 2.1.1.b

A

Interview personnel and examine policies and procedures to verify that default SNMP community strings are required to be changed upon installation, and that default passwords/passphrases on access points are required to be changed upon installation.

9
Q

Requirement 2.1.1.c

A

Examine vendor documentation and log in to wireless devices, with system administrator help, to verify that default SNMP community strings are not used and that default passwords/passphrases on access points are not used.

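
The check in 2.1.1.c (and the SNMP item in 2.1) can be scripted against a captured configuration file instead of being done by eye. The following is an added example written for this page; it is not text from PCI DSS, nor a tool the standard names. It is a POSIX shell function that scans a Net-SNMP snmpd.conf for the shipped community strings "public" and "private" in the directives that carry one (rocommunity, rwcommunity, com2sec and their IPv6 forms, which are real Net-SNMP directives). Both configuration files are constructed samples, and the community string in the hardened one is made up.

```shell
#!/bin/sh
# Added example for PCI DSS testing procedure 2.1.1.c (and the SNMP item in
# 2.1); not text from the standard. Scans a Net-SNMP snmpd.conf for the
# shipped community strings "public" and "private".

# check_snmp_defaults <snmpd.conf>
# Prints one line per directive still using a default community string.
# Exit 0 = none found, exit 1 = at least one default still in use.
check_snmp_defaults() {
    conf="$1"; found=0
    stripped=$(mktemp)
    sed 's/#.*//' "$conf" > "$stripped"            # drop comments
    # Net-SNMP directives that carry a community string:
    #   rocommunity[6] COMMUNITY [SOURCE [OID]]   -> field 2
    #   rwcommunity[6] COMMUNITY [SOURCE [OID]]   -> field 2
    #   com2sec[6]     NAME SOURCE COMMUNITY      -> field 4
    while read -r directive f2 f3 f4 rest; do
        case "$directive" in
            rocommunity|rwcommunity|rocommunity6|rwcommunity6) community="$f2" ;;
            com2sec|com2sec6)                                  community="$f4" ;;
            *) continue ;;
        esac
        case "$community" in
            public|private)
                printf 'DEFAULT COMMUNITY: "%s %s" in %s\n' "$directive" "$community" "$conf"
                found=1 ;;
        esac
    done < "$stripped"
    rm -f "$stripped"
    return $found
}

# Constructed sample configurations (not taken from any real device).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/snmpd-shipped.conf" <<'EOF'
# vendor default: read access for the whole LAN, write access for localhost
rocommunity public  10.0.0.0/8
rwcommunity private localhost
com2sec notConfigUser default public
EOF
cat > "$SAMPLE_DIR/snmpd-hardened.conf" <<'EOF'
# community string changed at installation, read-only, one management host
rocommunity 7tLq9xVw2pRmKe 10.20.30.5
com2sec monitor 10.20.30.5 7tLq9xVw2pRmKe
EOF

for f in "$SAMPLE_DIR"/snmpd-shipped.conf "$SAMPLE_DIR"/snmpd-hardened.conf; do
    if check_snmp_defaults "$f"; then
        echo "PASS: $f"
    else
        echo "FAIL: $f"
    fi
done
```

Run it against a copy of snmpd.conf pulled from each sampled device; a non-zero exit is a 2.1.1.c finding. A clean result only shows the shipped string is gone, not that the replacement is strong, and SNMPv1/v2c community strings cross the network in clear text, so a passing device still has to be checked under 2.2.3 (additional protection for an insecure protocol) if SNMP is required at all.
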
10
Q

Requirement 2.1.1.d

A

Examine vendor documentation and observe wireless configuration settings to verify firmware on wireless devices is updated to support strong encryption for authentication over wireless networks and transmission over wireless networks.

11
Q

Requirement 2.1.1.e

A

Examine vendor documentation and observe wireless configuration settings to verify other security-related wireless vendor defaults were changed if applicable.

12
Q

Requirement 2.2

A

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to, the Center for Internet Security (CIS), the International Organisation for Standardisation (ISO), the SysAdmin Audit Network Security (SANS) Institute, and the National Institute of Standards and Technology (NIST).

13
Q

Requirement 2.2.a

A

Examine the organisation’s system configuration standards for all types of system components and verify that the system configuration standards are consistent with industry-accepted hardening standards.

14
Q

Requirement 2.2.b

A

Examine policies and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.1.

15
Q

Requirement 2.2.c

A

Examine policies and interview personnel to verify that system configuration standards are applied when new systems are configured, and verified as being in place before a system is installed on the network.

16
Q

Requirement 2.2.d

A

Verify that system configuration standards include the following procedures for all types of system components: changing all vendor-supplied defaults and eliminating all unnecessary default accounts; implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server; enabling only necessary services, protocols, daemons, etc., as required for the function of the system; implementing additional security features for any required services, protocols, or daemons that are considered to be insecure; configuring system security parameters to prevent misuse; and removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

17
Q

Requirement 2.2.1

A

Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server (for example, web servers, database servers, and DNS should be implemented on separate servers). Note: where virtualisation technologies are in use, implement only one primary function per virtual system component.

18
Q

Requirement 2.2.1.a

A

Select a sample of system components and inspect the system configurations to verify that only one primary function is implemented per server.

19
Q

Requirement 2.2.1.b

A

If virtualisation technologies are used, inspect the system configurations to verify that only one primary function is implemented per virtual system component or device.

20
Q

Requirement 2.2.2

A

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

21
Q

Requirement 2.2.2.a

A

Select a sample of system components and inspect enabled system services, daemons, and protocols to verify that only necessary services or protocols are enabled.

22
Q

Requirement 2.2.2.b

A

Identify any enabled insecure services, daemons, or protocols and interview personnel to verify that they are justified per documented configuration standards.

23
Q

Requirement 2.2.3

A

Implement additional security features for any required services, protocols, or daemons that are considered to be insecure. For example, use secured technologies such as SSH, S-FTP, SSL, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc. (Note: from PCI DSS v3.1 onward, SSL and early TLS are no longer considered strong cryptography.) // Inspect configuration settings to verify that security features are documented and implemented for all insecure services, daemons, or protocols.

24
Q

Requirement 2.2.4

A

Configure system security parameters to prevent misuse.

25
Q

Requirement 2.2.4.a

A

Interview system administrators and/or security managers to verify that they have knowledge of common security parameter settings for system components.

26
Q

Requirement 2.2.4.b

A

Examine the system configuration standards to verify that common security parameter settings are included.

27
Q

Requirement 2.2.4.c

A

Select a sample of system components and inspect the common security parameters to verify that they are set appropriately and in accordance with the configuration standards.

28
Q

Requirement 2.2.5

A

Remove all unnecessary functionality such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

29
Q

Requirement 2.2.5.a

A

Select a sample of system components and inspect the configurations to verify that all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) is removed.

30
Q

Requirement 2.2.5.b

A

Examine the documentation and security parameters to verify that only documented functionality is present on the sampled system components.

31
Q

Requirement 2.3

A

Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access. // Select a sample of system components and verify that non-console administrative access is encrypted by performing the following.

32
Q

Requirement 2.3.a

A

Observe an administrator log on to each system and examine system configurations to verify that a strong encryption method is invoked before the administrator’s password is requested.

33
Q

Requirement 2.3.b

A

Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access.
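
Testing procedures 2.2.2.a (only necessary services enabled) and 2.3.b (Telnet and other insecure remote-login services not available) both come down to comparing what a host actually listens on with what the configuration standard permits. The following POSIX shell script is an added example for this page; it is not PCI DSS text and not a tool the standard references. It assumes two inputs the assessor would collect from each sampled host: the output of `ss -ltn` saved to a file, and an allowlist derived from the entity's own configuration standard in a "port service justification" layout that is this example's assumption. The listener capture and the allowlist below are constructed samples.

```shell
#!/bin/sh
# Added example for PCI DSS testing procedures 2.2.2.a and 2.3.b; not text
# from the standard. Inputs: a saved `ss -ltn` listing and a port allowlist
# whose "PORT SERVICE JUSTIFICATION" layout is an assumption of this example.

# TCP ports of clear-text remote-login / file-transfer services that 2.2.3
# and 2.3 expect to be absent (or wrapped) for non-console access.
INSECURE_PORTS='21:ftp 23:telnet 512:rexec 513:rlogin 514:rsh'

# port_of '0.0.0.0:22' -> 22; also handles '[::]:22' and '*:22'
port_of() { printf '%s\n' "$1" | sed 's/.*://'; }

# insecure_name 23 -> telnet; prints nothing for ports not in INSECURE_PORTS
insecure_name() {
    for entry in $INSECURE_PORTS; do
        if [ "${entry%%:*}" = "$1" ]; then
            printf '%s\n' "${entry#*:}"
            return 0
        fi
    done
    return 0
}

# audit_listeners <ss-ltn capture> <allowlist>
# One finding per line on stdout; exit 0 = no findings, exit 1 = findings.
audit_listeners() {
    capture="$1"; allow="$2"; rc=0
    while read -r state recvq sendq laddr rest; do
        [ "$state" = "LISTEN" ] || continue        # skips the header line
        port=$(port_of "$laddr")
        name=$(insecure_name "$port")
        if [ -n "$name" ]; then
            printf 'INSECURE SERVICE: %s listening on %s (2.3.b)\n' "$name" "$laddr"
            rc=1
        fi
        # allowlist lines start with the port number followed by whitespace
        if ! grep -q "^${port}[[:space:]]" "$allow"; then
            printf 'UNDOCUMENTED LISTENER: %s not in the configuration standard (2.2.2.a)\n' "$laddr"
            rc=1
        fi
    done < "$capture"
    return $rc
}

# Constructed sample evidence (not captured from any real system).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/listeners.txt" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*
LISTEN  0       511     [::]:443            [::]:*
LISTEN  0       128     0.0.0.0:8080        0.0.0.0:*
EOF
cat > "$SAMPLE_DIR/allowed-ports.txt" <<'EOF'
# port  service  justification (from the constructed web-server configuration standard)
22      sshd     encrypted non-console administrative access (Req 2.3)
443     https    customer-facing TLS endpoint
EOF

if audit_listeners "$SAMPLE_DIR/listeners.txt" "$SAMPLE_DIR/allowed-ports.txt"; then
    echo "PASS: listeners match the configuration standard"
else
    echo "FAIL: review the findings above"
fi
```

In the sample, the Telnet listener is the 2.3.b finding, and the 3306 and 8080 listeners are 2.2.2.a findings because the web-server standard does not document them; a database listener on a web server is also the co-hosting that 2.2.1 forbids. Because `ss -ltn` lists TCP only, UDP services (SNMP on 161, TFTP on 69) need a second pass over `ss -lun` output, and a documented port is only justified if the standard's justification line actually holds for that host.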

34
Q

Requirement 2.3.c

A

Observe an administrator log on to each system to verify that administrator access to any web-based management interfaces is encrypted with strong cryptography.

35
Q

Requirement 2.3.d

A

Examine vendor documentation and interview personnel to verify that strong cryptography for the technology in use is implemented according to industry best practices and/or vendor recommendations.

36
Q

Requirement 2.4

A

Maintain an inventory of system components that are in scope for PCI DSS.

37
Q

Requirement 2.4.a

A

Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of each function/use for each.

38
Q

Requirement 2.4.b

A

Interview personnel to verify the documented inventory is kept current.

39
Q

Requirement 2.5

A

Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.

40
Q

Requirement 2.6

A

Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.