It's not a far-fetched statement to say that you can make six figures in cyber security without being able to hack code, or have the must-have technical skills, or even college degrees, and in this video I'm going to prove it to you, because I'm going to show you the day in the life of a cyber security auditor and how to perform a cyber security assessment, so that you get the confidence and the clarity to start your six-figure cyber security career this year. Are you ready for this? Let's go.

If you're new, I'm Boyd Clewis, an internationally recognized cyber security expert, and I help IT guys upgrade their jobs into a six-figure cyber security career. If you want to join me on this journey, be sure to subscribe to the channel and hit the bell so that you're notified whenever I drop new content guaranteed to help you take your career to the next level.

Okay guys, so the first thing that we have to talk about is the framework. If you're going to be a cyber security auditor you need to be following some type of framework in order to audit systems, so that you can hold the proper personnel accountable for the security standards. I built my career on the PCI DSS framework, which is the Payment Card Industry Data Security Standard. This is the security standard that all companies must follow if they store, process or transmit credit card data. So you think about that: it's an international standard and it has a huge, huge impact. As a matter of fact, let's jump over to the PCI Council's website real quick.

All right guys, so this is the PCI Council's website. They are the governing body for these security standards, and it's where you actually need to get the framework before you can even start a security assessment. So if you come over to the website, you go to Resources, you go to the Document Library, and you will see that there's the PCI DSS standard. The current version right now is version 3.2.1, although version 4.0 will be live and in action in 2025. Right now it is out, but the current version 3.2.1 can still be used. So you would need to come over to the PCI Council's website and then you would need to download the standard, because you need to understand what rules you're going to hold the business units and the leaders and executives accountable for. So that is step one: we've got to get the standard.

All right guys, so I have downloaded the PCI DSS version 3.2.1. This is a 200-plus page document that has all of the applicable controls that companies need to follow if they store, process or transmit credit card data. And of course, because this is YouTube and I'm not getting paid for this, I am not going to go through every single requirement of the PCI DSS standard, but again, you see that it is free and available to download. So what I'm going to do is walk through a couple of requirements as if I was performing a security assessment, because what you have to understand is there's a few different types of roles when it comes to PCI. You have an ISA, which is an Internal Security Assessor, and then you have a QSA, which is a Qualified Security Assessor. The ISA works at the company as an interim employee that helps that company prepare for the security assessment. The QSA is a third-party auditor, an external consultant, that comes in and performs the audit to make sure that the company is compliant. So you can see there's several different types of roles that are needed, and those are just two types of roles, right? So in my career I was an ISA and I was a QSA, and I made all the money as a QSA, side note. Anywho, so what I'm going to do is I'm going to jump over to Requirement 8 and we're going to look at some controls there, and I'm going to bring up a firewall so that we can do a security assessment. Okay, and I just have to throw this shameless plug in here. You know I built my career on the PCI DSS, and yes, that is me speaking on the stage at the community meeting for the PCI Council back in 2019 in Vancouver, and also I did the same thing in Dublin, Ireland, and so if we go there you will see your man on the stage talking about PCI DSS stuff. And I recently did it this year as well in Toronto, Canada. So I just, you know, I had to give you guys the insight so you actually know that I know what I'm talking about. Now let's continue.

All right guys, so let's jump into the security assessment. What I'm going to do is I'm going to bring up my SonicWall NSA firewall, right, and so in this situation what I'm going to do is I'm going to perform a security assessment on this firewall as if I was a QSA or an ISA, to show you how simple this can be when you actually understand the framework. And so as I'm doing this you guys are going to learn, and I'm going to ask you a series of questions that's going to give you the confidence to pursue this career in cyber security. Get ready for it.

Okay, so the first control that we're going to look at is PCI DSS Requirement 8.1.6, right here, and it says: limit repeated access attempts by locking out the user ID after not more than six attempts. In plain English, if a user has entered the incorrect password at least six times, their account needs to be locked out. So the number that we're looking for should not be greater than six. So what I'm going to do now is switch over to my firewall and we're going to validate this control. So I'm over here now on my SonicWall NSA firewall, and let's look at the administrator user account lockout. So this has "failed login attempts per minute before being locked out", and it says 10. Is that greater than six? It is. So the question is: is this setting compliant or not? Hopefully the answer that you came up with is that it is not, because Requirement 8.1.6 says the user account should be locked after no more than six attempts. This firewall is set up to lock an account out after 10 attempts, so it's not compliant. So as a security assessor, a security auditor, I would write up a finding saying: hey client, you violated Requirement 8.1.6, which requires user accounts to be locked out after no more than six failed attempts; your system was configured with locking out accounts after 10 attempts, so you need to address this and then provide evidence that the system is locking accounts after no more than six attempts. That's the way it goes. Pretty simple. Let's do another one.

So continuing down this vein right here, let's go to Requirement 8.1.7. 8.1.7 says: set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID. So we're still talking about an account being locked out. So what this is saying is, after those six failed attempts and this account is locked out, it should not be re-enabled unless a system administrator enables the account or at least 30 minutes passes. That is the standard. So let's go back to the firewall and see what is configured. Okay, so if we look at the firewall, we look at the lockout period: it is five minutes. Now remember, 8.1.7 said lock out for a minimum of 30 minutes or until a system administrator enables the user. So therefore, is this system compliant or not compliant? It's not compliant. Do you see how simple this is?

Let's just keep something in mind real quick. You just did a firewall audit. Seriously. Did you need a certification? Did you need a college degree? All you did was follow the standard and did a validation. You don't need to be a rocket scientist, you don't need to have years of experience to do this. It's important that you understand where to find the answers and how to interpret the standard. That is how you add value, and that's how you get paid.

Okay guys, so let's do one more: Requirement 8.1.8. If a session has been idle for more than 15 minutes, require the user to re-authenticate to reactivate the terminal or session. In English, what it's saying is, if we're talking about, like, a screensaver timeout, if a system administrator or a user has been idle for more than 15 minutes, whenever they come back to that computer they need to enter a password before they can log back into that system. It's not just the screen goes blank, I hit something on the keyboard and I can use the computer again; it needs to lock. So let's check out the firewall. Okay, so if we look at the firewall, we see that the inactivity timeout says "log out the administrator after inactivity of minutes": 30 minutes. Is that compliant? Absolutely not. Absolutely not. Again, you would write up the finding and send it over to the business unit, whoever owns this system, saying they need to fix it and provide evidence when it's done. That is the way this game is played.

So what you've got to understand is it's not just enough to read these requirements and say what's right and what's wrong. You need to understand the why behind each one of the requirements. For example, when we're talking about Requirement 8.1.6, we want to limit failed attempts to lock an account out after no more than five attempts because of brute force attacking. There's bots out there and malicious systems that will try thousands of thousands of different password combinations, and eventually it could come up with the right password. But if we are locking out an account after five attempts, right, and then we have this period of 30 minutes where you can't log in anyway because the account is locked, then you reduce the risk of a brute force attack being able to gain access to that system. So this is why you need to understand the why behind the controls. When you understand the why, not only is that going to make you a better consultant, but it's going to make you a better cyber security professional.

Okay guys, so I showed you how to perform a security assessment using the PCI DSS standard. Did you know there are several, I mean several, I mean thousands of six-figure jobs that are open and vacant, waiting for people just like you that have an understanding of the PCI DSS framework to fill them? So the question might be: where the heck do I find the training so I can understand this framework, so I can do these security audits? Where? Hmm, right here. I can teach you how to expertly master this cyber security framework so that you can take your career to the next level. All you've got to do is click the link in the description. You can go to boydclewis.com/GRC to learn about the Baxter Clewis Cyber Security Training Academy and apply for an opportunity to join. I'll be honest, it's an exclusive academy and we do not accept everybody, but if you're willing to put in the work I'm pretty sure our team might be able to find a spot for you.

All right guys, so we looked at some firewall configurations. Let me know in the comments: did you know that cyber security auditing could be this easy? Let me know what you think. Also, again, this is a good time for you to like this video, subscribe to the channel, share it with friends, because you would not believe I get hit up by thousands of people that never even knew that this framework or career path existed. You could be the catalyst for them starting their career and having huge income and high impact in cyber security. So let me know in the comments if you find this useful. Was this new information? I want to hear from you.
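The three checks walked through above (Requirements 8.1.6, 8.1.7 and 8.1.8) written out as an added Python example, not code from the video, the PCI Council or SonicWall; the configuration key names and the sample values are constructed for this example, and the 8.1.7 check also covers the "until an administrator enables the user ID" alternative the requirement allows.

```python
# Added example: a small checker for PCI DSS v3.2.1 requirements 8.1.6,
# 8.1.7 and 8.1.8 run over an exported firewall admin-login configuration.
# The setting names below are hypothetical, not SonicWall's real export format.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    requirement: str
    observed: str
    expected: str

MAX_FAILED_ATTEMPTS = 6   # 8.1.6: lock the ID after not more than six attempts
MIN_LOCKOUT_MINUTES = 30  # 8.1.7: stay locked >= 30 min or until an admin unlocks
MAX_IDLE_MINUTES = 15     # 8.1.8: re-authenticate after more than 15 idle minutes

def check_8_1_6(cfg: dict) -> Optional[Finding]:
    v = cfg.get("failed_attempts_before_lockout")
    if v is None or v > MAX_FAILED_ATTEMPTS:
        return Finding("8.1.6", f"lockout after {v} failed attempts",
                       f"lockout after <= {MAX_FAILED_ATTEMPTS} failed attempts")
    return None

def check_8_1_7(cfg: dict) -> Optional[Finding]:
    # Either path satisfies the control: a long enough timer, or no automatic
    # unlock at all (an administrator must re-enable the user ID).
    if cfg.get("lockout_requires_admin_unlock"):
        return None
    v = cfg.get("lockout_period_minutes")
    if v is None or v < MIN_LOCKOUT_MINUTES:
        return Finding("8.1.7", f"lockout period {v} minutes",
                       f">= {MIN_LOCKOUT_MINUTES} minutes or admin unlock only")
    return None

def check_8_1_8(cfg: dict) -> Optional[Finding]:
    v = cfg.get("inactivity_timeout_minutes")
    if v is None or v > MAX_IDLE_MINUTES:
        return Finding("8.1.8", f"inactivity timeout {v} minutes",
                       f"inactivity timeout <= {MAX_IDLE_MINUTES} minutes")
    return None

def assess(cfg: dict) -> list:
    """Run every check; each Finding is a write-up to send to the system owner."""
    return [f for f in (c(cfg) for c in (check_8_1_6, check_8_1_7, check_8_1_8)) if f]

# Constructed sample mirroring the values observed in the walkthrough above.
SAMPLE_CONFIG = {"failed_attempts_before_lockout": 10, "lockout_period_minutes": 5,
                 "lockout_requires_admin_unlock": False, "inactivity_timeout_minutes": 30}
if __name__ == "__main__":
    for f in assess(SAMPLE_CONFIG):
        print(f"Req {f.requirement}: observed {f.observed}; expected {f.expected}")
```

A missing setting is reported as a finding rather than silently passed, since "not configured" is not evidence that the control is in place.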