Understanding PCI DSS requirements in depth can often be confusing and frustrating. The requirements covering penetration testing, PCI DSS 11.3, are a case in point. This article will help those of you who are seeking compliance to know what is expected and to guide you in the right direction. Specifically, we will look at what penetration testing is, how to perform penetration tests, the different types of penetration tests, and what you need to get out of penetration testing to be successful.
What Is Penetration Testing?
Security vulnerabilities are usually hidden, non-obvious, and easily overlooked by most people. Security testing brings these problems to light and should put them in perspective. PCI DSS mandates objectives for several types of security tests including rogue wireless detection (PCI DSS 11.0), vulnerability scanning (PCI DSS 11.2), and penetration testing (PCI DSS 11.3). Rogue wireless detection and vulnerability scanning are basically technical surveying techniques. Penetration testing goes beyond this and can often include human factors as well. Penetration testing often utilizes a broad set of tools and skills that can be used to satisfy a wide range of security objectives but for this article we will focus just on PCI.
Penetration testing is a process used by organizations to understand the impact of security vulnerabilities. In contrast to a vulnerability scanning, penetration tests aren't just a simple numeration of identified vulnerabilities and potential vulnerabilities reported with metrics and identifiers like (CVSS, and CVE). While penetration tests often include vulnerability scans, they attempt to answer deeper questions about vulnerabilities, such as: How they can be exploited by attackers? How far attackers can go? What can attackers do? And, what are the implications to the organization? Penetration testers usually actively attempt to exploit systems but can use other techniques to go beyond vulnerability enumeration. The key to penetration testing is that it should provide an objective method to confirm vulnerabilities, to demonstrate how they can be linked, how they can be leveraged to attain greater network and system control, and to confirm the harm that can arise from a successful attack. Organizations can then leverage the results of these tests to achieve improvements and mitigate risks.
By analogy, security testing allows you to see not only that your doors and windows are locked; but how good those locks are, and if your kids will let strangers into your house.
Penetration tests should be performed with a well thought out plan and objectives. Once the strategies and methods to be used are decided, the assessment usually begins with reconnaissance to determine information on systems, processes, and people. This can be performed actively and/or passively and uses information from DNS interrogation, network surveys, web presence, and more. From here, vulnerabilities are identified using various methods such as vulnerability scanners, OS fingerprinting, banner grabbing, and service enumeration. Frequently used attack vectors include the discovery of weak user credentials, default-insecure configurations, software, protocol, and application vulnerabilities. Human focused activities such as Phishing and Social Engineering may also be attempted. Once vulnerabilities have been discovered, exploitation is attempted. The attacker will use manual and automated techniques to attempt to exploit identified vulnerabilities. If access is obtained, a diligent penetration tester will attempt to escalate privileges and maintain access. Tests should include a cleanup step to remove or nullify any modifications introduced by the tests. Finally, the tester will deliver a detailed report of findings.
There are three main strategies used to approach penetration testing:
The tester is provided full disclosure of the environment prior to commencement.
- Can effectively simulate attacks by insiders and organizations that are highly motivated or well funded and employ sophisticated methods
- Time and cost effective way to address the in depth surveillance and research used by this type of attack
- Security teams may be aware of the testing, thus a realistic assessment of detective controls or incident response may not be achieved
The tester is provided partial disclosure prior to commencement.
- Helps balance the advantages and disadvantages of white and black box methods
- Can provide very convincing demonstrations of vulnerabilities
- Difficulties can be experienced when determining the exact level of knowledge to provide
- Reporting can be a challenge if your audience (e.g. management) believes too much was shared
The tester is provided minimal knowledge of the environment prior to attack.
- Effectively simulates common attack scenarios and attacks of opportunity
- Allows entities to test their detection and response methods
- Lower threshold for attacker skill/effort may mean some findings and attack vectors are missed
Penetration Testing and PCI Compliance
Penetration tests can be time consuming and require specialized resources, however, they play an important role in the ongoing maintenance of a strong information security program. It is critical to ensure the objectives of penetration tests are well defined and understood to ensure an organization gets the most value from these exercises.
The objectives will not only cover the scope and methods employed, but will guide how results are reported. For example, a penetration test for PCI DSS will be less concerned with denial of service vulnerabilities than a penetration test to validate operational resilience.
PCI DSS requires entities to complete penetration and segmentation tests as follows:
- Following a methodology based on an industry accepted approach
- Penetration tests annually and after any significant change
- Coverage of the entire cardholder data environment perimeter and critical systems
- Both network and application layer testing
- Segmentation tests semi-annually and after any significant change
- Review of threats and vulnerabilities over the previous 12 months
- Retention of records of testing and remediation
Segmentation tests represent a forth strategy that differs from the penetration test methods previously discussed. Segmentation tests validate effectiveness of isolation of networks and components. In comparison to penetration tests, segmentation tests are not as intensive and are usually less expensive. Within PCI, proof of effective segmentation mechanisms is necessary for organizations seeking to simplify and reduce their scope.
For more information on penetration testing, see: