Introduction to PCI DSS
Risk register
is a critical component of a comprehensive risk management strategy, as it enables organizations to proactively identify and manage potential risks, and to take appropriate action to reduce the likelihood and impact of negative events.
PCI PIN Security
is a set of requirements for protecting the PINs associated with payment cards. The standard provides guidance for securing PIN pads, encrypting PIN data, and other measures to protect against PIN fraud.
PA-DSS - Payment Application Data Security Standard
is a set of security requirements for payment applications that process sensitive cardholder data. This standard was designed to help software vendors and integrators develop secure payment applications that comply with the PCI DSS.
P2PE - Point-to-Point Encryption
is a set of standards for encrypting payment card data from the point of capture at a payment terminal to the point of decryption at the payment processor. This standard helps to protect sensitive cardholder data from theft and fraud.
Risk mitigation
is the process of reducing or eliminating the potential impact and probability of risks to an acceptable level. In cybersecurity, _________ refers to the implementation of measures to reduce the risk of a security breach, data loss, or other negative impact on an organization's information assets.
What is the ultimate goal of cybersecurity?
The ultimate goal of cybersecurity is to protect electronic systems, networks, and sensitive information from unauthorized access, theft, and damage. Cybersecurity aims to ensure the confidentiality, integrity, and availability of digital assets and systems. This includes protecting against a range of threats such as malware, phishing, denial of service attacks, and other types of cybercrime.
Residual risk
refers to the risk that remains after security controls have been put in place to mitigate or reduce the impact and likelihood of a security incident.
Define the Confidentiality, Integrity, and Availability
1. Confidentiality: This refers to the protection of sensitive information from unauthorized disclosure. Confidentiality controls ensure that data is only accessible by authorized personnel and that it is not exposed to unauthorized individuals or entities.
2. Integrity: This refers to the protection of information from unauthorized modification or alteration. Integrity controls ensure that data is accurate, complete, and uncorrupted.
3. Availability: This refers to the assurance that information and systems are available and accessible to authorized users when needed. Availability controls ensure that systems are reliable and that downtime is minimized.
Threat assessment
A process of evaluating potential threats, their likelihood, and their potential impact on an organization's systems and data. This process involves identifying vulnerabilities in the organization's systems and assessing the risk of a threat exploiting these vulnerabilities. ________ help organizations to prioritize their security efforts and allocate resources effectively to protect against potential threats.
PCI DSS - Payment Card Industry Data Security Standard.
A widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.
List ways to enforce Confidentiality
Access controls: Limiting access to sensitive information by enforcing permissions and access controls so that only authorized personnel can reach it.
Encryption: Using encryption technologies so that data remains protected from unauthorized access even if it is intercepted or stolen.
Data masking: Masking or obfuscating (making something obscure, unclear, or unintelligible) sensitive data in non-production environments, or when it is accessed by users who are not authorized to see the real values. Steganography (hiding data inside other data) is one method that supports obfuscation by making the hidden data harder to see.
List and explain four ways of responding to risk (reducing risk).
Avoidance: Avoidance involves eliminating or removing the risk altogether. This can be achieved by removing vulnerable systems, discontinuing certain activities or practices, or moving to a different technology or platform that offers better security.
Mitigation: Mitigation involves reducing the likelihood or impact of a risk. This can be achieved by implementing security controls such as access controls, encryption, and monitoring systems. Mitigation measures aim to reduce the risk to an acceptable level, rather than eliminating it altogether.
Transfer: Transferring risk involves shifting the responsibility for the risk to another party, such as an insurance provider. This is typically done when the cost of mitigating or accepting the risk is higher than the cost of transferring it to another party.
Acceptance: Acceptance involves acknowledging and accepting the risk and its potential impact, while still implementing measures to minimize the impact. This can be done by developing a contingency plan or disaster recovery plan to respond to security incidents if they occur.
What are backdoors and how are they typically inserted into systems?
Backdoors are a type of malicious software or code that allows an attacker to bypass normal authentication procedures and gain access to a system or network. Backdoors can be used to steal sensitive data, modify system settings, or install additional malware. Backdoors are typically inserted into systems by exploiting vulnerabilities in software, hardware, or network configurations. They can be introduced through various methods, including:
Exploiting software vulnerabilities: Attackers may take advantage of vulnerabilities in software applications to install a backdoor. This could involve exploiting a known vulnerability or developing a new one.
Social engineering: Backdoors can be installed through social engineering attacks, such as phishing or pretexting. Attackers may trick users into downloading and installing malicious software that contains a backdoor.
Physical access: Backdoors can also be inserted by physically accessing a system. For example, an attacker might install a hardware backdoor in a server or network device.
Name one type of threat actor that may engage in attacks to gain proprietary information about another company.
Competitors sometimes engage in attacks to gain proprietary information about another company.
CIA Triad
Confidentiality, Integrity, Availability
List ways to enforce Integrity
Data backups: Regularly backing up data to ensure that it can be restored in case of corruption or accidental deletion.
Digital signatures: Using digital signatures to verify the integrity of data and ensure that it has not been modified or tampered with.
Version control: Maintaining version control over important documents or files to ensure that only authorized changes are made and that previous versions can be restored if needed.
Target Data Breach
In 2013, a large retailer suffered a data breach that exposed the personal and financial information of 40 million customers. The breach was caused by malware installed on its point-of-sale systems, which allowed attackers to steal credit and debit card data as it was being processed. The breach resulted from poor information security practices, such as failing to segment its payment system network, not responding to security alerts, and using weak passwords.
Equifax Data Breach
In 2017, _______, a consumer credit reporting agency, suffered a data breach that exposed the personal information of 143 million individuals. The breach was caused by a vulnerability in _________ web application framework, allowing attackers to access sensitive data such as names, social security numbers, birth dates, and addresses. The breach resulted from poor information security practices, such as failing to patch known vulnerabilities, inadequate network segmentation, and weak authentication controls.
PCI - Payment Card Industry.
It is compliance mandated by credit card companies to help ensure the security of credit card transactions in the payments industry.
What is open source intelligence (OSINT), and how is it commonly used by attackers before launching an attack?
OSINT is used to gain insights, assess risks, and make informed decisions in various domains, including security, business intelligence, and investigations. Attackers can use ______________ for a variety of purposes before launching an attack. Here are some of the most common ways attackers might use OSINT:
Reconnaissance: Attackers use ________ to gather information about their target, such as identifying potential vulnerabilities, learning about the target's employees, and understanding their technology stack.
Phishing: Attackers might use ________ to gather information about their target's employees and create targeted phishing emails that appear legitimate and increase the chances of success.
Social engineering: Attackers can use _________ to build profiles of their target's employees and use that information to craft convincing social engineering attacks, such as pretexting or baiting.
Exploitation: Attackers may use ________ to identify vulnerable software or services in use by their target and identify weak or common passwords used by employees.
Malware delivery: Attackers can use _______ to identify potential victims and deliver malware to them using phishing emails, watering hole attacks, or other methods.
List ways to enforce Availability
Redundancy: Implementing redundant systems to ensure that if one system fails, there are backup systems that can continue to provide services to authorized users.
Disaster recovery planning: Developing and testing disaster recovery plans to ensure that critical systems can be restored quickly in case of a natural disaster, cyber attack, or other disruptive event.
Service-level agreements (SLAs): Establishing SLAs to define expectations for availability and performance and ensuring that systems and services meet those expectations.
Methods used to increase or maintain availability include fault tolerance, failover clusters, load balancing, backups, virtualization, HVAC systems, and generators.
Describe the characteristics of script kiddies and their approach to launching attacks.
Script kiddies are individuals who lack the technical expertise and knowledge to develop their own exploits or attacks, but instead, use pre-existing scripts or tools to launch attacks on vulnerable systems.
Explain the concept of social engineering and provide examples of its different forms.
Social engineering is the use of psychological manipulation and deception to trick people into divulging confidential information or performing actions that could compromise the security of a system or organization. Unlike other types of cyberattacks that rely on technical exploits, social engineering attacks exploit human behavior and emotions to achieve their objectives. Social engineering attacks can take various forms, including:
Phishing: Phishing is a type of social engineering attack that involves sending emails or messages that appear to be from a legitimate source, such as a bank or social media platform. The message typically includes a request for the recipient to provide sensitive information, such as passwords or credit card numbers, or to click on a link that leads to a fake login page or malware-infected website.
Pretexting: Pretexting is a type of social engineering attack that involves creating a fake scenario or pretext to obtain sensitive information from the victim. For example, an attacker might impersonate a bank representative and request personal information under the guise of a security check.
Baiting: Baiting is a type of social engineering attack that involves offering a tempting reward, such as a free movie download, in exchange for the victim's personal information or login credentials. The reward is usually delivered in the form of malware or other malicious code.
Tailgating: Tailgating is a type of social engineering attack that involves following an authorized person into a secure area without proper authentication. For example, an attacker might pretend to be a delivery person and follow an employee into a secure building.
Watering hole attacks: Watering hole attacks involve compromising a popular website or web application that is commonly visited by the target audience. The attackers then exploit vulnerabilities in the site to install malware or steal login credentials from unsuspecting visitors.
Who has to stay in compliance with PCI DSS (Payment Card Industry Data Security Standard)?
The standards apply to all entities that store, process or transmit cardholder data, with requirements for software developers and manufacturers of applications and devices used in those transactions.
When was the PCI SSC ( Payment Card Industry Security Standards Council) formed?
The council was founded in 2006
Who are the founding members of the PCI SSC (Payment Card Industry Security Standards Council)?
The founding members are American Express, Discover, JCB International, MasterCard and Visa Inc.
How does a logic bomb function in response to an event?
The key characteristic of a logic bomb is that it is designed to remain dormant until a trigger event occurs. The trigger could be a specific date and time, the launch of a certain application, or the detection of a particular system condition, among other things. When the trigger event occurs, the logic bomb is activated and executes its payload, which can include a variety of malicious actions, such as deleting files, stealing data, or disrupting system operations. This dormancy can make a logic bomb difficult to detect and prevent, as it may not exhibit any malicious behavior until it is activated.
What is the primary motivation behind organized crime's involvement in cyber attacks?
The primary motivation is money. Organized crime groups are motivated by financial gain and profit in their involvement in cyber attacks. They see cybercrime as an opportunity to make money quickly and easily.
What is the goal of the PCI DSS (Payment Card Industry Data Security Standard) Framework?
The ultimate goal of the __________ is to protect Confidentiality, Integrity, and Availability.
PCI SSC Cloud Computing Guidelines
These guidelines are designed to help organizations that use cloud computing services to maintain compliance with the PCI DSS. The guidelines recommend assessing cloud service providers, selecting appropriate cloud configurations, and implementing security controls.
PCI SSC Software Security Framework
This framework provides guidelines for the secure development and maintenance of software applications that handle payment card data, from design and development to testing and deployment. It is intended to help software developers build secure payment applications that comply with the PCI DSS.
PCI SSC Card Production Security Requirements
This standard is focused on security requirements for the production of payment cards, such as the physical production of cards, data storage, and the management of card issuance.
PCI SSC - Payment Card Industry Security Standards Council
To enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.
What is the goal of PCI SSC (Payment Card Industry Security Standards Council)?
To protect cardholder data and develop standards and supporting services that drive education, awareness, and effective implementation by stakeholders
What are some common types of malware?
Viruses: A virus is a type of malware that infects a system by attaching itself to a legitimate program or file and then replicating itself. Viruses can cause damage to files and data, slow down system performance, or steal sensitive information.
Worms: Worms are similar to viruses, but they do not require a host program to spread. Instead, they replicate themselves across networks and systems, causing damage and consuming resources.
Trojans: A trojan is a type of malware that is disguised as a legitimate program or file but actually contains a malicious payload. Trojans can be used to steal sensitive data, install other types of malware, or provide remote access to a system.
Ransomware: Ransomware is a type of malware that encrypts a victim's files and demands a ransom payment in exchange for the decryption key. Ransomware attacks can be devastating, as they can result in permanent loss of data or financial damage.
Adware: Adware is a type of malware that displays unwanted advertisements or pop-ups on a user's system. Adware can slow down system performance and compromise the user's privacy.
Spyware: Spyware is a type of malware that is designed to monitor a user's activities and collect sensitive information, such as login credentials or financial data. Spyware can be used for identity theft, fraud, or other malicious purposes.
How do watering hole attacks work and what is their objective?
Watering hole attacks are a type of cyberattack that targets a specific group of people by infecting a website that the group is known to frequent. The objective of a watering hole attack is to compromise the devices of the targeted group, either to steal sensitive data or to gain access to a network or system.
What is an advanced persistent threat (APT) and what distinguishes it from other types of attacks?
What distinguishes APT attacks from other types of attacks is their persistence and their focus on a specific target. APT attacks are typically aimed at high-value targets, such as government agencies, defense contractors, or large corporations, and they often involve a long-term campaign that spans several months or even years.
Risk
_______ is the potential for harm, loss or damage that can result from a cybersecurity incident. _____ can be caused by threats exploiting vulnerabilities in an organization's systems, processes or people.
Vulnerability
____________ is a weakness or gap in an organization's security defenses that a threat actor can exploit to gain unauthorized access, damage or steal information, or disrupt business operations.
What is the difference between qualitative and quantitative risk assessment?
____________ is a subjective approach that relies on expert judgment and analysis of the likelihood and impact of risks. It involves identifying and evaluating potential risks and their potential impact, without assigning specific numerical values to the likelihood or impact of the risks. ____________ often use descriptive terms such as "low," "medium," or "high" to represent the likelihood and impact of risks.
____________ is a more objective approach that involves assigning numerical values to the likelihood and impact of risks. This involves using statistical and analytical techniques to quantify the potential impact of risks, based on historical data or other empirical evidence. _____________ often use mathematical models and simulations to estimate the likelihood and impact of risks, and typically produce more precise and quantifiable results than qualitative risk assessments.
Qualitative risk assessment may be more appropriate for smaller organizations with limited resources or less complex risk environments, while quantitative risk assessment may be more appropriate for larger organizations with more complex risk environments and greater resources for data analysis and modeling.
PCI DSS (Payment Card Industry Data Security Standard)
a set of security standards established by the PCI Security Standards Council (PCI SSC) to help organizations that accept payment cards to protect cardholder data. It consists of 12 requirements that organizations must follow to ensure the security of cardholder data.
Threat
any potential danger or harm that can exploit a vulnerability in an organization's system or processes. This can come from external sources such as hackers or internal sources such as employees with malicious intent.