The Core Attack Intelligence Platform

Core Security offers the industry's most comprehensive and extensible attack intelligence platform. Core is able to simulate attacks on your infrastructure, using our patented attack path planner, by correlating known exploits, attack patterns, network and security data, with identified vulnerabilities. Following simulation, our patented attack engine can be used for automated live testing or targeted manual testing. The result of this is the creation of potential attack paths to critical business assets based on both simulation and testing. The Core Attack Intelligence Platform helps you Think Like An Attacker to proactively address security threats based on real attacks a hacker would use.

This matrix will help you understand how the Core Attack Intelligence Platform helps you address applicable PCI-DSS requirements. Each entry lists the PCI DSS control objective, the PCI high-level requirement, the PCI DSS requirement sections supported, and how Core Security helps.

Control objective: Build and Maintain a Secure Network and Systems

  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

    Sections supported:
    2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

    How Core Security helps:
    Core Impact Pro is continually updated with the latest commercial-grade exploits designed to safely test your organization's exposure to newly discovered vulnerabilities in operating systems and services. Each exploit tests as many target OS configurations and methods of attack as possible. Core Impact Pro's Identity Verifier modules are updated with the latest default username/password for the most common services running (MSSQL, ORACLE, HTTP, SMB, SSH, etc.).

Control objective: Maintain a Vulnerability Management Program

  Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

    Sections supported:
    5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
    5.2 Ensure that all anti-virus mechanisms are maintained.

    How Core Security helps:
    Test the effectiveness of your entire security infrastructure, including anti-virus programs and other PCI-mandated applications, with Core Impact Pro.

  Requirement 6: Develop and Maintain Secure Systems and Applications

    Sections supported:
    6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking to newly discovered security vulnerabilities.

    How Core Security helps:
    Core Impact Pro vulnerability reports include industry-standard rankings such as the Common Vulnerability Scoring System (CVSS), which can inform your internal risk rating system.

    Sections supported:
    6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

    How Core Security helps:
    Test patch effectiveness by using Core Impact Pro to safely execute the attack that the patch was designed to stop.

    Sections supported:
    6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
    6.5.7 Cross-site scripting (XSS)
    6.5.8 Improper access control
    6.5.9 Cross-site request forgery (CSRF)
    6.5.10 Broken authentication and session management

    How Core Security helps:
    Core Impact Pro offers web application penetration testing capabilities that address elements of all OWASP Top 10 vulnerabilities, including those listed in this Requirement:
    - SQL Injection, Traditional and Blind (OWASP A1)
    - OS Command Injection (OWASP A1)
    - Cross-Site Scripting (OWASP A2), including reflective, persistent and Adobe Flash XSS vulnerabilities
    - Broken Authentication and Session Management
    - Insecure Direct Object References (OWASP A4)
    - Cross-Site Request Forgery (OWASP A5)

    Sections supported:
    6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.

    How Core Security helps:
    Core Impact Pro enables you to proactively assess your web applications, plus firewalls and other defenses, against today's most pressing threats, including those referenced in the OWASP Top 10 Web Application Vulnerabilities.

  Requirement 11: Regularly Test Security Systems and Processes

    Sections supported:
    11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

    How Core Security helps:
    Core Impact Pro offers several capabilities for identifying and assessing wireless networks, including:
    - Discovery of both known and unauthorized Wi-Fi networks and access points
    - Information gathering on network strength, security protocols and connected devices
    - Attack and penetration of networks encrypted with WEP, WPA-PSK and WPA2-PSK
    - Automated traffic sniffing for finding streams of sensitive data
    - Capabilities for joining cracked networks and testing back-end systems

    Sections supported:
    11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.
    11.3 Implement a methodology for penetration testing.

    How Core Security helps:
    Core Impact Pro offers complete penetration testing capabilities for network-layer and web application testing, addressing all OWASP Top 10 vulnerabilities, including SQL injection, OS command injection, cross-site scripting, and others.

Control objective: Maintain an Information Security Policy

  Requirement 12: Maintain a Policy that Addresses Information Security

    Sections supported:
    12.2 Implement a risk-assessment process that:
    - Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
    - Identifies critical assets, threats, and vulnerabilities, and
    - Results in a formal risk assessment.

    How Core Security helps:
    Core Insight continuously monitors the sources that introduce the most risk across your network and distills this information into a single dashboard, with powerful PCI-DSS reporting. This can be easily delivered to auditors and other PCI-focused staff as comprehensive proof of a risk assessment on a regular basis.

About Core Security

Core Security provides the industry's first comprehensive attack intelligence platform. With Core Security, enterprises and security professionals can focus on the most likely threats to their critical business assets by modeling, simulating and testing what an actual attacker would do. Core Security helps more than 1,400 customers worldwide identify the most vulnerable areas of their IT environments to improve the effectiveness of remediation efforts and ultimately secure the business. Our patented, proven, award-winning enterprise products and solutions are backed by more than 15 years of applied expertise from Core Labs research and Core Security Consulting Services.

Core Security | +1 (617) 399-6980 | info@coresecurity.com | www.coresecurity.com
blog.coresecurity.com | www.twitter.com/coresecurity | www.facebook.com/coresecurity

2014 Core Security Technologies & CORE Insight are trademarks of CORE SDI, Inc. All other brands & products are trademarks of their respective holders.