PCI DSS Requirement 6


PCI DSS Requirement 6: Maintain & Secure Applications & Systems


> Monitor and record endpoints.

> Alert when applications become vulnerable or dated (old versions or not patched).

> Set baseline policies for application versions.



Requirements Addressed

6.2 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release.

Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the internet). Update standards to address new vulnerability issues.
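The one-month patching window above (and the 24-hour window for critical firewall updates stated under Solution Features) is easy to state but only meaningful if it is measured. The following is an added example, not code from the original page or from any product it describes: a small Python compliance check that classifies constructed patch inventory records as compliant, late, overdue or pending against those windows. "One month" is taken as 30 days, and the record fields, host names and patch identifiers are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Windows stated on the page: security patches within one month of release;
# critical firewall updates within 24 hours. 30 days for "one month" is an assumption.
GENERAL_SLA = timedelta(days=30)
CRITICAL_FIREWALL_SLA = timedelta(hours=24)


@dataclass
class PatchRecord:
    host: str
    asset_type: str             # assumed values: "workstation", "firewall", ...
    patch_id: str               # constructed identifier, not a real vendor patch number
    severity: str               # assumed values: "critical", "high", "medium", "low"
    released: datetime          # vendor release time
    installed: Optional[datetime]  # None means the patch is still missing


def sla_for(rec: PatchRecord) -> timedelta:
    """Pick the window that applies to this record."""
    if rec.asset_type == "firewall" and rec.severity == "critical":
        return CRITICAL_FIREWALL_SLA
    return GENERAL_SLA


def deadline(rec: PatchRecord) -> datetime:
    return rec.released + sla_for(rec)


def status(rec: PatchRecord, now: datetime) -> str:
    """compliant: installed inside the window; late: installed after it;
    overdue: still missing and past the deadline; pending: missing but in window."""
    due = deadline(rec)
    if rec.installed is not None:
        return "compliant" if rec.installed <= due else "late"
    return "overdue" if now > due else "pending"


def compliance_report(records, now: datetime) -> dict:
    """Summarise counts per status and list the hosts needing attention."""
    counts = {"compliant": 0, "late": 0, "overdue": 0, "pending": 0}
    findings = []
    for rec in records:
        s = status(rec, now)
        counts[s] += 1
        if s in ("late", "overdue"):
            findings.append((rec.host, rec.patch_id, s))
    return {"counts": counts, "findings": findings}


# Constructed sample inventory (not real hosts or patches).
SAMPLE_RECORDS = [
    PatchRecord("ws-01", "workstation", "P-1001", "high",
                datetime(2024, 3, 1), datetime(2024, 3, 15)),   # 14 days: compliant
    PatchRecord("ws-02", "workstation", "P-1001", "high",
                datetime(2024, 3, 1), datetime(2024, 4, 10)),   # 40 days: late
    PatchRecord("fw-01", "firewall", "P-2001", "critical",
                datetime(2024, 3, 20, 10), datetime(2024, 3, 20, 18)),  # 8 hours: compliant
    PatchRecord("fw-02", "firewall", "P-2001", "critical",
                datetime(2024, 3, 20, 10), datetime(2024, 3, 22, 9)),   # ~47 hours: late
    PatchRecord("ws-03", "workstation", "P-1002", "high",
                datetime(2024, 4, 20), None),                   # 11 days old, missing: pending
    PatchRecord("ws-04", "workstation", "P-1001", "high",
                datetime(2024, 3, 1), None),                    # 61 days old, missing: overdue
]
NOW = datetime(2024, 5, 1)  # assumed "current" time for the sample

if __name__ == "__main__":
    report = compliance_report(SAMPLE_RECORDS, NOW)
    print(report["counts"])
    for host, patch, state in report["findings"]:
        print(f"{host}: {patch} is {state}")
```

In practice the records would come from the endpoint or vulnerability management tool's export, and the "late" bucket is worth keeping separate from "overdue": the first shows a process that eventually works but misses its window, the second shows an exposure that still exists.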

6.3.6 Applications, User Identity & Passwords

6.4.5: Test and verify successful patch changes

6.6: Web Application Security

Solution Features
 
> Endpoints

- Keeping endpoint configurations in check by finding vulnerable applications in the enterprise

- Checking all desktops and laptops against your security policy – on access and on schedule – to ensure patches are installed and up-to-date.

- Any non-compliant computers are fixed or blocked from the network.

- Alerting features give real-time notice the instant the enterprise becomes vulnerable or drifts outside the approved system configurations.

- Web and email appliances automatically alert the administrator when updates are available, and can optionally auto-install.

- Discovery of unknown or unauthorised virtual machines.

- Reporting on configuration changes, patch levels and critical policy violations on VMware vSphere.

- Delivering small, frequent, security updates to ensure you have the latest and best protection.

- You can also get an RSS feed on newly-discovered vulnerabilities from security vendors.


> Patch Management / Change Control (Firewalls) - 24 Hours for Critical Updates


> Anti-Virus
Local system anti-virus with up-to-date signatures.


> Removal of custom application accounts, user IDs, and passwords before applications become active.

Password policies for users and administrators, across endpoints and cloud services (Microsoft 365, Dropbox):

- Strong passwords are mandated. A password is strong if it is at least 8 characters long and contains at least one letter [a-z, A-Z], one numeric character [0-9], and one special character.

- Users cannot reuse passwords.

- Mandate password change at regular intervals.
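The three rules above can be enforced in code rather than left to a checklist. The following is an added example, not code from the original page or from any product it describes: a Python check for the stated strength rule (8+ characters, a letter, a digit, a special character), a reuse check against a history of salted hashes so that no previous password is ever stored in clear, and a rotation check. The page gives no number for "regular intervals" and no history depth, so the 90-day and five-password values, the 100,000 PBKDF2 iterations, and the definition of "special" as any printable non-alphanumeric character are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8          # from the page
ROTATION_DAYS = 90      # assumption: the page only says "regular intervals"
HISTORY_DEPTH = 5       # assumption: how many previous passwords are remembered
PBKDF2_ROUNDS = 100_000 # assumption: work factor for the stored history hashes


def is_strong(password: str) -> bool:
    """Strength rule from the page: length, a letter, a digit and a special character."""
    if len(password) < MIN_LENGTH:
        return False
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"[0-9]", password) is not None
    # "special" taken to mean any printable character that is not a letter, digit or whitespace
    has_special = re.search(r"[^A-Za-z0-9\s]", password) is not None
    return has_letter and has_digit and has_special


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 entry for the password history (never the plaintext)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Re-derive the candidate with each stored salt and compare in constant time."""
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def is_rotation_due(last_changed: date, today: date) -> bool:
    return today - last_changed >= timedelta(days=ROTATION_DAYS)


def evaluate_change(new_password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the policy violations for a proposed change; an empty list means accepted."""
    problems = []
    if not is_strong(new_password):
        problems.append("weak")
    if was_used_before(new_password, history):
        problems.append("reused")
    return problems


def record_change(new_password: str, history: List[Tuple[bytes, bytes]]) -> List[Tuple[bytes, bytes]]:
    """Append the new hash and keep only the most recent HISTORY_DEPTH entries."""
    return (history + [hash_password(new_password)])[-HISTORY_DEPTH:]


if __name__ == "__main__":
    # Constructed sample values for a local run.
    history = [hash_password("Winter2024!")]
    print(evaluate_change("Winter2024!", history))   # reused
    print(evaluate_change("Win24!", history))        # weak
    print(evaluate_change("Spring2025!", history))   # accepted
    print(is_rotation_due(date(2024, 1, 1), date(2024, 4, 1)))
```

Keeping only salted hashes in the history means the reuse check costs one key derivation per remembered password, which is why the depth is bounded; the same evaluate-then-record split maps onto the "on access and on schedule" checks described earlier on the page.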

Test applications for broken authentication and session management flaws.

In the wording of Requirement 6.6, “Web Application Firewall” was renamed to “Automated Technical Solution” that detects flaws.

A Web Application Firewall deployed in front of public-facing web applications protects the applications, their databases, and the information exchanged between them. WAFs use advanced techniques to provide bi-directional protection against malicious sources, network- and application-layer DoS attacks, and sophisticated threats such as SQL injection and XSS, helping to prevent identity theft, financial fraud and denial of service.

In particular, it addresses the PCI DSS requirements 6.5 and 6.6 regarding web application vulnerabilities such as cross-site scripting, SQL injection, and information leakage.


> For public-facing web applications, address new threats and vulnerabilities on an on-going basis and ensure these applications are protected against known attacks by either of the following methods:

- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes.






Contact us today to discuss your requirements in more detail.



P: +44(0)7714 209927

S: +44(0)1273 329753

info@securenetconsulting.co.uk