IT Security Home Work

Week's Word/Excel topics: Excel pie/bar-chart 2D graphs, Excel Count, CountIF, IF-then; excel/word row repeat at top; Visio; PowerPoint and Outlook.

Week 7:

1. What is the full meaning/name for PCI DSS?

2. Name 2 of the companies that constitute the PCI Security Standards Council (PCI SSC).

3. Name 2 examples of credit card merchants that need to comply with PCI DSS.

4. How frequently is a PCI DSS audit required and filed with the PCI SSC?

5. Name the report prepared by a Qualified Security Assessor (QSA) on the completion of a PCI DSS audit.

6. What is the PCI compliance requirement for merchants processing fewer than 20,000 transactions annually?

7. QSAs and Approved Scanning Vendors (ASVs) are approved by whom to perform PCI DSS services?

8. State control requirement number 9 of the 12 PCI standards and its associated control objective.

9. Is penetration testing an authorized or unauthorized attempt to hack or exploit computer systems?

10. Name 2 benefits of performing penetration testing.

11. What step follows the scanning step in penetration testing, and what is the ultimate goal of this step?

12. What is the most popular tool used for regular port scanning to determine the list of open/active ports and potential services running on the target system?

13. Name the most popular tool used to determine the vulnerabilities in the services that exist on the open ports and services identified to be running on the target system in penetration testing.

14. What is a botnet in penetration testing?

15. When is a denial-of-service attack typically launched by an attacker against the target system? Is it when the attacker successfully gains access to the system, or when he is frustrated and unable to gain access?

16. Name one example of a penetration testing tool that provides or represents each of the following features:

(i) a collection of hundreds of security tools (i.e., a one-stop shop of hacking tools);

(ii) executes exploit code or scripts against a system, including scripts for the next course of action after gaining access, known as payloads;

(iii) analyzes network protocols and captures the traffic running on a computer network;

(iv) a password cracker capable of detecting weak and dictionary passwords.

17. VMware or a virtual machine is used in penetration testing to enable the running of tools that may run on operating systems other than the one our primary system (laptop or host system) runs on. Is this true or false?

18. Name two examples of service providers that require an SSAE 18 report to be prepared on the state of design and operating effectiveness of their internal controls.

19. What is the goal of service providers in preparing SSAE 18 reports for their clients?

20. What two other names is the SSAE 18 report called?

21. Is the SSAE 18 report prepared by the service organization or by a third party/independent organization?

22. Name the service organization controls (SOC) report that is focused on information security controls and is most useful to IT Security professionals.

23. Which of the SOC reports is focused on financial controls and is more useful to IT Auditors?

24. Which of the SOC 2 and SOC 3 reports is:

(i) provided to clients by the service organization upon their request?

(ii) made available on the service organization's website?

25. Which of the Type 1 or Type 2 SOC reports is more detailed, goes beyond control design, and contains tests of controls including the sample of transactions tested?

26. Are Service Level Agreements (SLAs) primarily used to document service vendors' security responsibilities, or used to document their key service expectations?

27. Using the Nessus tool again, and the Nessus vulnerability scanning procedures document, perform a vulnerability scan of your Windows server on your VMware or VirtualBox (after obtaining its IP address), following the process below:

- use your account with administrative rights and its password on the Windows server;

- ensure the server is kept running in the network bridge setting, so that your laptop and server are on the same subnet or IP address range;

- create and use the Advanced Scan policy template with all plug-ins enabled for this scan, and uncheck the "Test the local Nessus host" setting within the Nessus policy Discovery settings;

- also indicate the Windows server domain/workgroup name in the domain field of the credential settings tab (the domain or workgroup name of your server can be found within the System folder inside its Control Panel);

- send me the CSV format of the scan report in your response to your homework, with the CSV/Excel filter on the highest risk vulnerabilities as usual;

- indicate the system weakness analysis information for one of the highest risks in the scan report, by completing the section below:

Finding/Synopsis:

Risk Level:

Plugin ID:

Affected Server IP Address/Host:

Business Risk/Description:

Remediation Procedure/Solution:
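The same filtering and template fill-in that the assignment asks for in Excel can be done directly on the exported CSV. This is an added example, not part of the homework or of Tenable's tooling; it assumes the column names of Nessus's CSV export (Plugin ID, Risk, Host, Synopsis, Description, Solution), and the rows embedded below are constructed sample data, not output from a real scan.

```python
"""Filter a Nessus CSV export to its highest-risk findings and fill in the
weakness-analysis template.  Added example; column names are assumed to match
Nessus's CSV export, and the sample rows are constructed, not a real scan."""
import csv
import io

# Constructed sample rows in Nessus CSV export layout (fake hosts and plugins).
SAMPLE_CSV = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis,Description,Solution
10000,,0.0,None,192.0.2.10,tcp,445,SMB Service Detection,An SMB server is listening.,Informational only.,n/a
10001,,5.0,Medium,192.0.2.10,tcp,3389,RDP Weak Cipher,RDP allows weak ciphers.,Weak ciphers may be broken.,Disable weak ciphers.
10002,,9.8,Critical,192.0.2.10,tcp,445,Missing SMB Security Update,Host is missing a critical update.,Remote code execution is possible.,Apply the vendor patch.
10003,,7.5,High,192.0.2.10,tcp,80,Outdated Web Server,Web server is end-of-life.,Unsupported software receives no fixes.,Upgrade to a supported version.
"""

# Nessus risk ratings, most severe first; this is the order the homework filter uses.
SEVERITY = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}


def load_findings(csv_text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def highest_risk(findings, minimum="High"):
    """Keep findings rated at or above `minimum`, most severe first."""
    floor = SEVERITY[minimum]
    kept = [f for f in findings if SEVERITY.get(f["Risk"], 0) >= floor]
    return sorted(kept, key=lambda f: SEVERITY[f["Risk"]], reverse=True)


def weakness_analysis(finding):
    """Map one Nessus row onto the assignment's analysis template fields."""
    return {
        "Finding/Synopsis": finding["Synopsis"],
        "Risk Level": finding["Risk"],
        "Plugin ID": finding["Plugin ID"],
        "Affected Server IP Address/Host": finding["Host"],
        "Business Risk/Description": finding["Description"],
        "Remediation Procedure/Solution": finding["Solution"],
    }


if __name__ == "__main__":
    top = highest_risk(load_findings(SAMPLE_CSV))
    for label, value in weakness_analysis(top[0]).items():
        print(f"{label}: {value}")
```

To use it on a real export, replace SAMPLE_CSV with the file contents read from the CSV Nessus produces; the filter keeps Critical and High findings by default and can be lowered with the `minimum` argument.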
