
Advanced Executive Program in Cybersecurity

Virtual Internship Project Problem Statement


Security Analyst

Problem Statement:

You are working as a security analyst for El Banco Bank, where your primary responsibility is to
implement best practices to secure the organization’s assets.

You are reviewing the password policy for internal users and realize that it is outdated and has
not been updated in the last five years. Therefore, it does not align with the latest
recommendations published by PCI DSS, NIST, and CIS.

The organization currently does not use multi-factor authentication. Users are encouraged to
use password managers authorized by the organization to store passwords. Note that the absence
of MFA is itself a finding regardless of the password settings: PCI DSS v3.2.1 Requirement 8.3
mandates multi-factor authentication for all non-console administrative access and for all
remote network access into the cardholder data environment.

Your goal is to review and update the organization’s password policy settings to comply with
the latest security requirements. Since the bank processes credit cards, you need to ensure that
the password policy complies with Payment Card Industry Data Security Standard (PCI DSS)
security requirements.

However, PCI DSS encourages referring to other industry standards. Therefore, you have
decided to compare PCI DSS requirements with NIST and CIS recommendations.

Background of the problem statement:

El Banco Bank is one of the fastest-growing banks in Europe with more than 1200 branches
across the country and manages €200 billion in assets.

Handling millions of dollars of banking transactions per day, its customers hugely depend upon
the security of their banking data. The recent surge in cyber attacks and data breaches has
become a significant issue for every organization.

The widely cited figure, from the 2017 Verizon Data Breach Investigations Report, is that 81%
of hacking-related breaches involved stolen or weak passwords.

Reference Documents: https://github.com/Simplilearn-Edu/AEPCS-Capstone-Project

Expected Deliverables:

TASK 1:

As a security analyst, you have to review the documents published by PCI DSS, NIST, and CIS for
password guidelines and determine the recommendations for the following policy. Use NA (Not
Applicable) if the policy is not explicitly mentioned.

Policy                                                          | NIST recommendation | CIS recommendation | PCI DSS recommendation
----------------------------------------------------------------|---------------------|--------------------|-----------------------
Minimum password length                                         |                     |                    |
Password history (number)                                       |                     |                    |
Complexity (Enabled/Disabled)                                   |                     |                    |
Password expiration (days)                                      |                     |                    |
Minimum password age (days)                                     |                     |                    |
Session idle time-out (mins)                                    |                     |                    |
Suspend/remove/disable inactive user accounts (days)            |                     |                    |
Limit failed login attempts by locking out the user (attempts)  |                     |                    |

TASK 2:

Review the Password Policy configured in Active Directory and determine if the given default
policy is compliant with the NIST, CIS, and PCI DSS recommendations.

Note: To access the Password Policy, launch the Local Group Policy Editor by pressing
Windows+R, typing gpedit.msc into the box, and pressing Enter. Then navigate to
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password
Policy.

Caveat: gpedit.msc edits the local computer's policy only. On a domain-joined machine the
effective password policy for domain accounts comes from the Default Domain Policy GPO (and from
any fine-grained password policies applied to specific groups), not from local policy. Review
that with the Group Policy Management Console (gpmc.msc) or the PowerShell cmdlet
Get-ADDefaultDomainPasswordPolicy, and confirm the effective values on a host with
`net accounts /domain`.

Make relevant changes to ensure the password policy settings are compliant with the given
recommendations. Use 0 if the value is NA.

Setting (Account Policies > Password Policy)    | NIST | CIS | PCI DSS
------------------------------------------------|------|-----|--------
Enforce password history                        |      |     |
Maximum password age                            |      |     |
Minimum password age                            |      |     |
Minimum password length                         |      |     |
Password must meet complexity requirements      |      |     |
Store passwords using reversible encryption     |      |     |

TASK 3:

To ensure that the organization’s cloud resources are also compliant with the PCI DSS
requirements, review the IAM Password Policy on AWS (as shown in the screenshot) to
determine if the account password policy meets the PCI DSS requirements.
Make the relevant changes to ensure that the IAM policy is compliant with PCI DSS
requirements.

Parameter                      | Description | Default value
-------------------------------|-------------|--------------
Require uppercase characters   |             |
Require lowercase characters   |             |
Require symbols                |             |
Require numbers                |             |
Minimum password length        |             |
Password reuse prevention      |             |
Max password age               |             |


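The compliance check behind Tasks 2 and 3, as an added example that is not part of the original
assignment or of any Simplilearn material: it normalises the real field names of the
`PasswordPolicy` object returned by `aws iam get-account-password-policy` and of the object
returned by the PowerShell cmdlet `Get-ADDefaultDomainPasswordPolicy`, then tests both against
the PCI DSS v3.2.1 Requirement 8 thresholds (8.2.3, 8.2.4, 8.2.5, 8.1.6 and 8.2.1). The sample
policies are constructed for illustration, not taken from a real account or domain, and the AD
adapter assumes the caller has already converted the TimeSpan properties to whole days.

```python
"""Added example: check IAM and AD password policies against PCI DSS v3.2.1 Req. 8.
Sample inputs below are constructed; thresholds are the v3.2.1 requirement values."""

# PCI DSS v3.2.1 thresholds; each comment gives the requirement number.
PCI_321 = {
    "min_length": 7,        # 8.2.3: at least seven characters
    "max_age_days": 90,     # 8.2.4: change at least once every 90 days
    "history": 4,           # 8.2.5: may not reuse any of the last four passwords
    "lockout_attempts": 6,  # 8.1.6: lock out after not more than six attempts
}


def from_iam(policy):
    """Normalise an IAM account password policy (AWS's own key names)."""
    return {
        "min_length": policy.get("MinimumPasswordLength", 0),
        # IAM has no single "letters and digits" switch: require digits plus at
        # least one letter class to satisfy 8.2.3.
        "alpha_and_numeric": bool(
            policy.get("RequireNumbers")
            and (policy.get("RequireUppercaseCharacters")
                 or policy.get("RequireLowercaseCharacters"))
        ),
        # MaxPasswordAge is only present when expiry is enabled; None = never expires.
        "max_age_days": policy.get("MaxPasswordAge") if policy.get("ExpirePasswords") else None,
        "history": policy.get("PasswordReusePrevention", 0),
        # IAM has no lockout setting, so the key is omitted (NA for this control).
    }


def from_ad(policy):
    """Normalise Get-ADDefaultDomainPasswordPolicy output.
    Assumption: TimeSpan values were already converted to days (e.g. $p.MaxPasswordAge.Days)."""
    return {
        "min_length": policy.get("MinPasswordLength", 0),
        # AD complexity (3 of 4 character classes) is stricter than 8.2.3 requires.
        "alpha_and_numeric": bool(policy.get("ComplexityEnabled")),
        "max_age_days": policy.get("MaxPasswordAge") or None,  # 0 in AD = never expires
        "history": policy.get("PasswordHistoryCount", 0),
        # LockoutThreshold 0 means accounts are never locked out.
        "lockout_attempts": policy.get("LockoutThreshold") or float("inf"),
        # Reversible encryption keeps stored passwords recoverable.
        "reversible_encryption": bool(policy.get("ReversibleEncryptionEnabled")),
    }


def findings(norm):
    """Return [(requirement, message), ...] for every control that fails."""
    out = []
    if norm["min_length"] < PCI_321["min_length"]:
        out.append(("8.2.3", f"minimum length {norm['min_length']} is below {PCI_321['min_length']}"))
    if not norm["alpha_and_numeric"]:
        out.append(("8.2.3", "passwords need not contain both letters and digits"))
    if norm["max_age_days"] is None or norm["max_age_days"] > PCI_321["max_age_days"]:
        out.append(("8.2.4", f"maximum age {norm['max_age_days']} is not within {PCI_321['max_age_days']} days"))
    if norm["history"] < PCI_321["history"]:
        out.append(("8.2.5", f"password history {norm['history']} is below {PCI_321['history']}"))
    if "lockout_attempts" in norm and norm["lockout_attempts"] > PCI_321["lockout_attempts"]:
        out.append(("8.1.6", "lockout threshold exceeds six failed attempts, or lockout is disabled"))
    if norm.get("reversible_encryption"):
        out.append(("8.2.1", "reversible encryption leaves stored passwords recoverable"))
    return out


# Constructed sample: an IAM account with expiry and reuse prevention unset.
SAMPLE_IAM = {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": False,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False, "HardExpiry": False,
}

# Constructed sample: a weak domain policy in the shape Task 2 asks you to review.
SAMPLE_AD = {
    "MinPasswordLength": 0, "PasswordHistoryCount": 0, "MaxPasswordAge": 42,
    "MinPasswordAge": 0, "ComplexityEnabled": False,
    "ReversibleEncryptionEnabled": True, "LockoutThreshold": 0,
}

# Corrected IAM policy. The same values are applied with:
#   aws iam update-account-password-policy --minimum-password-length 7 \
#     --require-numbers --require-lowercase-characters \
#     --max-password-age 90 --password-reuse-prevention 4
PCI_IAM_POLICY = {
    "MinimumPasswordLength": 7, "RequireNumbers": True,
    "RequireLowercaseCharacters": True, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 4,
}

if __name__ == "__main__":
    for name, norm in (("IAM", from_iam(SAMPLE_IAM)), ("AD", from_ad(SAMPLE_AD)),
                       ("IAM fixed", from_iam(PCI_IAM_POLICY))):
        print(name, findings(norm) or "passes the PCI DSS v3.2.1 Req. 8 checks")
```

When you apply the corrected values with `aws iam update-account-password-policy`, pass every
parameter you care about in the same call: the API resets any parameter you omit to its default,
so a follow-up call that sets only `--max-password-age` would silently drop the reuse-prevention
setting again.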
TASK 4:

As a security analyst for the bank, review the PCI DSS v3.2.1 Quick Reference Guide to
determine the following. Note that v3.2.1 was retired on 31 March 2024 and superseded by
PCI DSS v4.x; the intervals you record here are the v3.2.1 figures, so confirm them against the
current version before applying them to a live environment.

1. Review firewall configuration rules at least every ___________.

2. Purge unnecessarily stored data at least ___________.

3. Install critical security patches within ___________ of release.

4. Scan internal and external network vulnerabilities at least ___________ and after any
significant change in the network.

5. Retain visitor logs for at least ___________ unless otherwise restricted by law.

6. Perform critical log reviews at least ___________.

7. Retain audit trail history for at least ___________.

8. Common Vulnerability Scoring System (CVSS) base score for external scans of the
components in the cardholder data environment must not be equal to or higher than
___________.

9. Service providers using segmentation must confirm PCI DSS scope by performing
penetration testing on segmentation controls at least every ___________ and after
making changes to these controls.

10. Review security policy at least ___________.

11. Perform a risk assessment process at least ___________ and upon significant changes to
the environment that identify critical assets, threats, and vulnerabilities and result in a
formal assessment.

12. Conduct reviews at least ___________ to confirm that personnel are following security policies
and operational procedures.
