Documentation Center
AlienVault® USM Appliance™

PCI DSS 3.2 Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

Applies to Product: USM Appliance™ AlienVault OSSIM®

Testing Procedure

How USM Appliance Delivers

USM Appliance Instructions

USM Appliance Documentation

2.1.a Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords have been changed (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings). (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.)

In USM Appliance, you can configure a Vulnerability Scan to test for default accounts, passwords and community strings during scans.

Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option.  Then enable the following checks in the scanning profile for the target host:

  • Family: Default Accounts

Creating a Custom Scan Profile

Run a Vulnerability Scan using the custom scan profile that was created.

Performing Vulnerability Scans

Export successful scan results and identify findings to determine if system is configured correctly.

Viewing the Scan Results

2.1.b For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled.

In USM Appliance, you can configure a Vulnerability Scan to test for default accounts, passwords and community strings during scans.

Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option.  Then enable the following checks in the scanning profile for the target host:

  • Family: Default Accounts

Creating a Custom Scan Profile

Run a Vulnerability Scan using the custom scan profile that was created.

Performing Vulnerability Scans

Export successful scan results and identify findings to determine if system is configured correctly.

Viewing the Scan Results

2.1.1.c Examine vendor documentation and login to wireless devices, with system administrator help, to verify:
• Default SNMP community strings are not used.
• Default passwords/passphrases on access points are not used.

In USM Appliance, you can configure a Vulnerability Scan to test for default accounts, passwords and community strings during scans.

Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option.  Then enable the following checks in the scanning profile for the target host:

  • Family: Default Accounts

Creating a Custom Scan Profile

Run a Vulnerability Scan using the custom scan profile that was created.

Performing Vulnerability Scans

Export successful scan results and identify findings to determine if system is configured correctly.

Viewing the Scan Results

2.1.1.e Examine vendor documentation and observe wireless configuration settings to verify other security-related wireless vendor defaults were changed, if applicable.

In USM Appliance, you can configure a Vulnerability Scan to test for default accounts and passwords on wireless devices.

Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option.  Then enable the following checks in the scanning profile for the target host:

  • Family: Default Accounts

Creating a Custom Scan Profile

 

Run a Vulnerability Scan using the custom scan profile that was created.

Performing Vulnerability Scans

Export successful scan results and identify findings to determine if system is configured correctly.

Viewing the Scan Results

2.2.a Examine the organization's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry- accepted hardening standards.

In USM Appliance, you can configure a Vulnerability Scan to test for system hardening standards.

Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option.  Then enable the appropriate checks in the scanning profile for the target host.

Creating a Custom Scan Profile

 

Run a Vulnerability Scan using the custom scan profile that was created.

Performing Vulnerability Scans

Export successful scan results and identify findings to determine if system is configured correctly.

Viewing the Scan Results

2.2.d Verify that system configuration standards include the following procedures for all types of system components:
• Changing of all vendor-supplied defaults and elimination of unnecessary default accounts
• Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server
• Enabling only necessary services, protocols, daemons, etc., as required for the function of the system
• Implementing additional security features for any required services, protocols or daemons that are considered to be insecure
• Configuring system security parameters to prevent misuse
• Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

The Vulnerability Scan in USM Appliance can assist in testing for system default passwords, detecting running services, and testing system hardening configurations.

Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option.  Then enable the following checks in the scanning profile for the target host:

  • Family: Default Accounts
  • Family: Brute force attacks

Creating a Custom Scan Profile

Run a Vulnerability Scan using the custom scan profile that was created.

Performing Vulnerability Scans

Export successful scan results and identify findings to determine if system is configured correctly.

Viewing the Scan Results

2.2.2.b Identify any enabled insecure services, daemons, or protocols and interview personnel to verify they are justified per documented configuration standards.

The Vulnerability Scan in USM Appliance can assist in identifying insecure services, daemons and protocols.

USM Appliance active and passive Asset Discovery can identify ports/protocols used by a monitored device.

Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option.  Then enable the following checks in the scanning profile for the target host:

  • Family: Service detection
  • Family: Port scanners
  • Family: Firewalls
  • Family: Useless services

Creating a Custom Scan Profile

Run a Vulnerability Scan using the custom scan profile that was created.

Performing Vulnerability Scans

Export successful scan results and identify findings to determine if system is configured correctly.

Viewing the Scan Results

2.2.3.a Inspect configuration settings to verify that security features are documented and implemented for all insecure services, daemons, or protocols.

The Vulnerability Scan in USM Appliance can assist in identifying insecure services, daemons and protocols.

Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option.  Then enable the following checks in the scanning profile for the target host:

  • Family: Service detection
  • Family: Port scanners
  • Family: Firewalls
  • Family: Useless services

Creating a Custom Scan Profile

Run a Vulnerability Scan using the custom scan profile that was created.

Performing Vulnerability Scans

Export successful scan results and identify findings to determine if system is configured correctly.

Viewing the Scan Results

2.2.4.b Examine the system configuration standards to verify that common security parameter settings are included.

In USM Appliance, you can configure a Vulnerability Scan to test for system hardening standards.

Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option.  Then enable the following checks in the scanning profile for the target host:

  • Family: General
  • Family: Compliance

Creating a Custom Scan Profile

Run a Vulnerability Scan using the custom scan profile that was created.

Performing Vulnerability Scans

Export successful scan results and identify findings to determine if system is configured correctly.

Viewing the Scan Results

2.2.4.c Select a sample of system components and inspect the common security parameters to verify that they are set appropriately and in accordance with the configuration standards.

In USM Appliance, you can configure a Vulnerability Scan to test for system hardening standards.

Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option.  Then enable the following checks in the scanning profile for the target host:

  • Family: General
  • Family: Compliance

Creating a Custom Scan Profile

 

Run a Vulnerability Scan using the custom scan profile that was created.

Performing Vulnerability Scans

Export successful scan results and identify findings to determine if system is configured correctly.

Viewing the Scan Results

2.3.b Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access.

The Vulnerability Scan in USM Appliance can assist in testing for the presence of Telnet services or other insecure remote-login commands.

USM Appliance asset scan discovers open ports and lists them in the inventory.

Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option.  Then enable the following checks in the scanning profile for the target host:

  • Family: General

Creating a Custom Scan Profile

Run a Vulnerability Scan using the custom scan profile that was created.

Performing Vulnerability Scans

Export successful scan results and identify findings to determine if system is configured correctly.

Viewing the Scan Results

2.4.a Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each.

USM Appliance has built-in capability for asset management and discovery.

Run an Asset Scan to discover all assets.

Running Asset Scans

Update and maintain the description field for each asset.

Editing the Assets

Run the existing Asset Report for an inventory of all assets.

How to Run Reports