TM

PCI-DSS Version 3.0 Matrix

PCI DSS Control
Objectives
PCI
High Level PCI DSS
Requirement
Sections Supported How Core Security Helps
Build and Maintain a
Secure Network and Systems
2 Do not use vendor-supplied
defaults for system passwords
and other security parameters
2.2 Develop confguraton
standards for all system
components. Assure that these
standards address all known
security vulnerabilites and
are consistent with industry-
accepted system hardening
standards.
Core Impact Pro is contnually updated with the latest commer-
cial-grade exploits designed to safely test your organizatons
exposure to newly discovered vulnerabilites in operatng systems
and services. Each exploit tests as many target OS confguratons
and methods of atack as possible.
Core Impact Pros Identty Verifer modules are updated with the
latest default username/password for the most common services
running (MSSQL, ORACLE, HTTP, SMB, SSH, etc).
Maintain a Vulnerability
Management Program
5 Protect all systems against
malware and regularly
update ant-virus sofware or
programs
5.1.1 Ensure that ant-virus
programs are capable of de-
tectng, removing, and protect-
ing against all known types of
malicious sofware.
5.2 Ensure that all ant-virus
mechanisms are maintained.
Test the efectveness of your entre security infrastructure,
including ant-virus programs and other PCI-mandated applica-
tons, with Core Impact Pro.
6 Develop and Maintain Secure
Systems and Applicatons
6.1 Establish a process to iden-
tfy security vulnerabilites, us-
ing reputable outside sources
for security vulnerability
informaton, and assign a risk
ranking to newly discovered
security vulnerabilites.
Core Impact Pro vulnerability reports include industry-standard
rankings such as the Common Vulnerability Scoring System
(CVSS), which can inform your internal risk ratng system.
6.2 Ensure that all system
components and sofware are
protected from known vulner-
abilites by installing applicable
vendor- supplied security
patches. Install critcal security
patches within one month of
release.
Test patch efectveness by using Core Impact Pro to safely ex-
ecute the atack that the patch was designed to stop.
6.5.1 Injecton faws, partcu-
larly SQL injecton. Also con-
sider OS Command Injecton,
LDAP and XPath injecton faws
as well as other injecton faws.
6.5.7 Cross-site scriptng (XSS)
6.5.8 Improper access control
6.5.9 Cross-site request forgery
(CSRF)
6.5.10 Broken authentcaton
and session management
Core Impact Pro ofers web applicaton penetraton testng capa-
bilites that address elements of all OWASP Top 10 vulnerabilites,
including those listed in this Requirement:
SQL Injecton - Traditonal and Blind (OWASP A1)
OS Command Injecton (OWASP A1)
Cross-Site Scriptng (OWASP A2), including refectve, persis-
tent and Adobe Flash XSS vulnerabilites, Broken Authent-
caton and Session Managment
Insecure Direct Object References (OWASP A4)
Cross-Site Request Forgery (OWASP A5)
The Core Attack Intelligence Platform
Core Security ofers the industrys most comprehensive and extensible atack intelligence platorm. Core is able to simulate atacks on
your infrastructure, using our patented atack path planner, by correlatng known exploits, atack paterns, network and security data, with
identfed vulnerabilites. Following simulaton, our patented atack engine can be used for automated live testng or targeted manual testng.
The result of this is the creaton of potental atack paths to critcal business assets based on both simulaton and testng.
The Core Atack Intelligence Platorm helps you Think Like An Atacker to proactvely address security threats based on real atacks a
hacker would use. This matrix will help you understand how the Core Atack Intelligence Platorm helps you address applicable PCI-DSS
requirements.
TM
Core Security
+1 (617) 399-6980
info@coresecurity.com
www.coresecurity.com
2014 Core Security Technologies & CORE Insight are trademarks of CORE SDI, Inc. All other brands
& products are trademarks of their respectve holders.
blog.coresecurity.com
www.twiter.com/coresecurity
www.facebook.com/coresecurity
About Core Security
Core Security provides the industrys frst comprehensive atack intelligence platorm. With Core
Security, enterprises and security professionals can focus on the most likely threats to their critcal
business assets by modeling, simulatng and testng what an actual atacker would do. Core
Security helps more than 1,400 customers worldwide identfy the most vulnerable areas of their
IT environments to improve the efectveness of remediaton eforts and ultmately secure the
business. Our patented, proven, award-winning enterprise products and solutons are backed by
more than 15 years of applied expertse from Core Labs research and Core Security Consultng
Services.
6.6 For public-facing web ap-
plicatons, address new threats
and vulnerabilites on an ongo-
ing basis and ensure these ap-
plicatons are protected against
known atacks.
Core Impact Pro enables you to proactvely assess your web ap-
plicatons, plus frewalls and other defenses, against todays most
pressing threats, including those referenced in the OWASP Top
10 Web Applicaton Vulnerabilites.
11 Regularly Test Security
Systems and Processes
11.1 Implement processes to
test for the presence of wire-
less access points (802.11),
and detect and identfy all
authorized and unauthorized
wireless access points on a
quarterly basis.
Core Impact Pro ofers several capabilites for identfying and
assessing wireless networks, including:
Discovery of both known and unauthorized Wi-Fi networks
and access points
Informaton gathering on network strength, security proto-
cols and connected devices
Atack and penetraton of networks encrypted with WEP,
WPA-PSK and WPA2-PSK
Automated trafc snifng for fnding streams of sensitve
data
Capabilites for joining cracked networks and testng back-
end system
11.2 Run internal and external
network vulnerability scans
at least quarterly and afer
any signifcant change in the
network.
11.3 Implement a methodol-
ogy for penetraton testng.
Core Impact Pro ofers complete penetraton testng capabilites
for network-layer and web applicaton testng, addressing all
OWASP Top 10 vulnerabilites, including SQL injecton, OS com-
mand injecton, cross-site scriptng, and others.
Maintain an Informaton
Security Policy
12 Maintain a Policy that Addresses
Informaton Security
12.2 Implement a risk-assess-
ment process that:
Is performed at least
annually and upon
signifcant changes to
the environment (for
example, acquisiton,
merger, relocaton, etc.),
Identfes critcal assets,
threats, and vulnerabili-
tes, and
Results in a formal risk
assessment.
Core Insight contnously monitors the sources that introduce the
most risk across your network and distlls this informaton into a
single dashboard, with powerful PCI-DSS reportng. This can be
easily delivered to auditors and other PCI-focused staf as com-
prehensive proof of a risk assessment on a regular basis.