Requirement 2 Flashcards
Requirement 2
Do not use vendor-supplied defaults for system passwords and other security parameters.
Requirement 2.1
Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords including, but not limited to, those used by operating systems, software that provides security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.
Requirement 2.1.a
Choose a sample of system components and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords to verify that ALL default passwords have been changed. Use vendor manuals and sources on the internet to find vendor-supplied accounts/passwords.
Requirement 2.1.b
For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled.
Requirement 2.1.c
Interview personnel and examine supporting documentation to verify that all vendor defaults are changed before a system is installed on the network and that unnecessary default accounts are removed or disabled before a system is installed on the network.
Requirement 2.1.1
For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.
Requirement 2.1.1.a
Interview responsible personnel and examine supporting documentation to verify that encryption keys were changed from default at installation and are changed any time anyone with knowledge of the keys leaves the company or changes position.
Requirement 2.1.1.b
Interview personnel and examine policies and procedures to verify default SNMP community strings are required to be changed upon installation and default passwords/passphrases on access points are required to be changed upon installation.
Requirement 2.1.1.c
Examine vendor documentation and log in to wireless devices, with system administrator help, to verify default SNMP community strings are not used and default passwords/passphrases on access points are not used.
Requirement 2.1.1.d
Examine vendor documentation and observe wireless configuration settings to verify firmware on wireless devices is updated to support strong encryption for authentication over wireless networks and transmission over wireless networks.
Requirement 2.1.1.e
Examine vendor documentation and observe wireless configuration settings to verify other security-related wireless vendor defaults were changed if applicable.
Requirement 2.2
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include but are not limited to the Center for Internet Security (CIS), International Organisation for Standardisation (ISO), SysAdmin Audit Network Security (SANS) Institute, and National Institute of Standards and Technology (NIST).
Requirement 2.2.a
Examine the organisation's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards.
Requirement 2.2.b
Examine policies and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.1.
Requirement 2.2.c
Examine policies and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before a system is installed on the network.
Requirement 2.2.d
Verify that system configuration standards include the following procedures for all types of system components: changing of all vendor-supplied defaults and elimination of all unnecessary default accounts; implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server; enabling only necessary services, protocols, daemons, etc., as required for the function of the system; implementing additional security features for any required services, protocols, or daemons that are considered to be insecure; configuring system security parameters to prevent misuse; and removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.