
PCI DSS 3.0 PENETRATION TESTING

Penetration testing identifies organizational weaknesses the same way an attacker would—by hacking it. This enables organizations to better understand and ultimately minimize the risk associated with the people, process, and technology that store, process, or transmit cardholder data or sensitive data.

Today, creating a truly secure application and network infrastructure requires access to highly specialized knowledge, intelligence, and expertise in order to stay at least one step ahead of the evolving risks. Because Praetorian is an authority on information security, your business can leverage our subject matter expertise to solve these challenging business problems.

PRAETORIAN’S METHODOLOGY IS BASED ON INDUSTRY-ACCEPTED STANDARDS RECOGNIZED BY THE PCI SECURITY STANDARDS COUNCIL

PRAETORIAN / P1

Praetorian®

YOUR WORLD, SECURED

KEY BENEFITS

» Obtain an accurate understanding of your security and risk posture
» Comprehensive reporting, relevant to your organization and stakeholders
» Comply with industry regulations and information security best practices

READY TO GET STARTED?

Contact us at 1 (800) 675-5152 to learn how Praetorian security services can help you accomplish your specific business and IT goals, or explore more by visiting:

www.praetorian.com


Obtain an accurate understanding of your security and risk posture, while ensuring compliance with industry regulations and information security best practices.

Praetorian’s methodology is based on industry-accepted penetration testing approaches found in NIST SP 800-115 and the OWASP Testing Guide, both of which are recognized by the Payment Card Industry (PCI) Security Standards Council. In accordance with PCI requirements, engagement scope will include both application-layer and network-layer assessments to provide coverage across the entire cardholder data environment (CDE).

Praetorian’s methodology meets all PCI DSS 3.0 requirements, including:

» Coverage for the entire CDE perimeter and critical systems
» Testing from both inside and outside the network
» Testing to validate any segmentation and scope-reduction controls
» Defining application-layer penetration tests to include, at a minimum, the vulnerabilities listed in PCI DSS 3.0 Requirement 6.5
» Defining network-layer penetration tests to include components that support network functions as well as operating systems
» Review and consideration of threats and vulnerabilities experienced in the last 12 months
» Specifying retention of penetration testing results and remediation activities results


PCI DSS 3.0 PENETRATION TESTING METHODOLOGY OVERVIEW

Praetorian’s PCI DSS 3.0 Penetration Testing methodology assesses the targeted cardholder data environment (CDE) using a three-phased approach:

1. Host and service discovery
2. Vulnerability identification and verification
3. System exploitation and compromise

Host and service discovery compiles a complete list of all accessible systems and their respective services, with the goal of obtaining as much information about your external and internal CDE environments as possible. Externally, this includes initial domain footprinting, live host detection, service enumeration, and operating system and application fingerprinting. Internally, this includes critical assets and major technologies in the environment such as Active Directory, ACS, and critical applications and databases.

With the information collected from the discovery phase in hand, security testing transitions to identifying vulnerabilities in externally facing systems and applications using automated scans and manual testing techniques. Praetorian begins the vulnerability identification process with commercial and open source vulnerability scanners. Automated scans are good at identifying known and common vulnerabilities; however, automated scans are not good at detecting complex security issues, uncovering system and application specific vulnerabilities, developing attack chains, or validating the findings reported. For this reason, automated scans represent only a small facet of the overall security assessment with the majority of vulnerability testing focused on manual testing and verification. Finally, risk priorities are assigned to each vulnerability according to Praetorian’s comprehensive risk rating scale.

The third phase includes exploitation of the underlying vulnerabilities. Because exploitation carries a small potential for disruption, some clients may elect to omit this phase of the testing process and simply have a vulnerability assessment performed. For those customers that are interested in a proof-of-concept phase, once initial findings have been verified, Praetorian exploits the underlying issues to prove that they exist and to demonstrate their severity. Praetorian will chain attacks to compromise as much of the environment as possible, or focus on meeting specific objectives the client requests under a capture-the-flag scenario. Exploitation may culminate in pilfering sensitive data such as patient records, customer credit card numbers, and intellectual property.
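The inventory that phase 1 produces is easiest to see from real scanner output. The following is an added example, not Praetorian's tooling or code from this datasheet: it parses an nmap XML report (the `-oX` format) into a host and service list, keeping only live hosts and open ports and recording nmap's top OS guess. The two-host XML embedded in the script is constructed, as are the addresses and hostnames in it.

```python
"""Compile a host/service inventory from an nmap XML report (nmap -oX).

Added example for the host and service discovery phase; it is not
Praetorian's tooling. The XML below is a constructed sample in nmap's
real -oX layout, so the script runs offline.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: two live hosts and one unresponsive address.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.10.5.0/24">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.10.5.12" addrtype="ipv4"/>
    <hostnames><hostname name="pos-gw.example.internal" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered" reason="no-response"/>
        <service name="mysql"/>
      </port>
    </ports>
    <os><osmatch name="Linux 3.10 - 4.11" accuracy="96"/></os>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.10.5.40" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" product="Windows Server 2012 R2 microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="1433">
        <state state="open" reason="syn-ack"/>
        <service name="ms-sql-s" product="Microsoft SQL Server" version="2014"/>
      </port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2012 R2" accuracy="100"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.10.5.41" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class Service:
    port: int
    proto: str
    name: str
    product: str = ""
    version: str = ""


@dataclass
class Host:
    addr: str
    hostname: str = ""
    os_guess: str = ""
    services: list = field(default_factory=list)


def parse_nmap_xml(xml_text: str) -> list[Host]:
    """Return one Host per live host, keeping only ports nmap saw as open."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # down/unresponsive hosts add nothing to the inventory
        addr = next((a.get("addr") for a in h.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        host = Host(addr=addr)
        hn = h.find("hostnames/hostname")
        if hn is not None:
            host.hostname = hn.get("name", "")
        osm = h.find("os/osmatch")  # nmap lists matches best-first
        if osm is not None:
            host.os_guess = f'{osm.get("name")} ({osm.get("accuracy")}%)'
        for p in h.findall("ports/port"):
            st = p.find("state")
            if st is None or st.get("state") != "open":
                continue  # filtered/closed ports are not accessible services
            svc = p.find("service")
            host.services.append(Service(
                port=int(p.get("portid")),
                proto=p.get("protocol", "tcp"),
                name=svc.get("name", "unknown") if svc is not None else "unknown",
                product=svc.get("product", "") if svc is not None else "",
                version=svc.get("version", "") if svc is not None else "",
            ))
        hosts.append(host)
    return hosts


def inventory_lines(hosts: list[Host]) -> list[str]:
    """One 'addr port/proto service product version' line per open service."""
    lines = []
    for h in hosts:
        for s in h.services:
            detail = " ".join(x for x in (s.product, s.version) if x)
            lines.append(f"{h.addr:<15} {s.port}/{s.proto:<4} {s.name:<14} {detail}".rstrip())
    return lines


if __name__ == "__main__":
    for line in inventory_lines(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(line)
```

Hosts that nmap marks down and ports reported as filtered are dropped deliberately: a filtered port is evidence for the segmentation tests, not an accessible service. In an engagement the same parser would be run over the external and internal scan files separately so the two inventories can be compared against the documented CDE scope.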

THE EXPERTISE AND INTEGRITY OF OUR INFORMATION SECURITY CONSULTANTS ARE TRUSTED BY TODAY’S LEADING ORGANIZATIONS


WHY CHOOSE PRAETORIAN

» Our team’s superior technical prowess and business acumen
» Comprehensive and actionable deliverables, relevant to your organization and stakeholders
» Our advanced, time-tested and thorough methodologies


PCI DSS 3.0 REQUIREMENT 11.3 PENETRATION TESTING


Payment Card Industry (PCI) Data Security Standard, v3.0, page 93. © 2006-2013 PCI Security Standards Council, LLC. All Rights Reserved. November 2013

PCI DSS Requirements

11.3 Implement a methodology for penetration testing that includes the following:

» Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
» Includes coverage for the entire CDE perimeter and critical systems
» Includes testing from both inside and outside the network
» Includes testing to validate any segmentation and scope-reduction controls
» Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
» Defines network-layer penetration tests to include components that support network functions as well as operating systems
» Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
» Specifies retention of penetration testing results and remediation activities results.

Note: This update to Requirement 11.3 is a best practice until June 30, 2015, after which it becomes a requirement. PCI DSS v2.0 requirements for penetration testing must be followed until v3.0 is in place.

Testing Procedures

11.2.3.c Validate that the scan was performed by a qualified internal resource(s) or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).

11.3 Examine penetration-testing methodology and interview responsible personnel to verify a methodology is implemented that includes the following:

» Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
» Includes coverage for the entire CDE perimeter and critical systems
» Testing from both inside and outside the network
» Includes testing to validate any segmentation and scope-reduction controls
» Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
» Defines network-layer penetration tests to include components that support network functions as well as operating systems
» Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
» Specifies retention of penetration testing results and remediation activities results.

Guidance

The intent of a penetration test is to simulate a real-world attack situation with a goal of identifying how far an attacker would be able to penetrate into an environment. This allows an entity to gain a better understanding of their potential exposure and develop a strategy to defend against attacks. A penetration test differs from a vulnerability scan, as a penetration test is an active process that may include exploiting identified vulnerabilities. Conducting a vulnerability scan may be one of the first steps a penetration tester will perform in order to plan the testing strategy, although it is not the only step. Even if a vulnerability scan does not detect known vulnerabilities, the penetration tester will often gain enough knowledge about the system to identify possible security gaps. Penetration testing is generally a highly manual process. While some automated tools may be used, the tester uses their knowledge of systems to penetrate into an environment. Often the tester will chain several types of exploits together with a goal of breaking through layers of defenses. For example, if the tester finds a means to gain access to an application server, they will then use the compromised server as a point to stage a new attack based on the resources the server has access to. In this way, a tester is able to simulate the methods performed by an attacker to identify areas of potential weakness in the environment. Penetration testing techniques will be different for different organizations, and the type, depth, and complexity of the testing will depend on the specific environment and the organization’s risk assessment.


Payment Card Industry (PCI) Data Security Standard, v3.0, page 94. © 2006-2013 PCI Security Standards Council, LLC. All Rights Reserved. November 2013

PCI DSS Requirements

11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.

Testing Procedures

11.3.1.a Examine the scope of work and results from the most recent external penetration test to verify that penetration testing is performed as follows:
» Per the defined methodology
» At least annually
» After any significant changes to the environment.

11.3.1.b Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).

11.3.2.a Examine the scope of work and results from the most recent internal penetration test to verify that penetration testing is performed as follows:
» Per the defined methodology
» At least annually
» After any significant changes to the environment.

11.3.2.b Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).

11.3.3 Examine penetration testing results to verify that noted exploitable vulnerabilities were corrected and that repeated testing confirmed the vulnerability was corrected.

Guidance (11.3.1 and 11.3.2)

Penetration testing conducted on a regular basis and after significant changes to the environment is a proactive security measure that helps minimize potential access to the CDE by malicious individuals.

The determination of what constitutes a significant upgrade or modification is highly dependent on the configuration of a given environment. If an upgrade or modification could allow access to cardholder data or affect the security of the cardholder data environment, then it could be considered significant. Performing penetration tests after network upgrades and modifications provides assurance that the controls assumed to be in place are still working effectively after the upgrade or modification.

Payment Card Industry (PCI) Data Security Standard, v3.0, page 95. © 2006-2013 PCI Security Standards Council, LLC. All Rights Reserved. November 2013

PCI DSS Requirements

11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.

Testing Procedures

11.3.4.a Examine segmentation controls and review penetration-testing methodology to verify that penetration-testing procedures are defined to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems.

11.3.4.b Examine the results from the most recent penetration test to verify that penetration testing to verify segmentation controls:
» Is performed at least annually and after any changes to segmentation controls/methods.
» Covers all segmentation controls/methods in use.
» Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.

Guidance

Penetration testing is an important tool to confirm that any segmentation in place to isolate the CDE from other networks is effective. The penetration testing should focus on the segmentation controls, both from outside the entity’s network and from inside the network but outside of the CDE, to confirm that they are not able to get through the segmentation controls to access the CDE. For example, network testing and/or scanning for open ports, to verify no connectivity between in-scope and out-of-scope networks.
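The guidance for 11.3.4 boils down to one check: from every out-of-scope network position, no packet should reach any in-scope system. The following is an added example, not Praetorian's tooling or text from PCI DSS: a small Python probe harness that attempts TCP connections from the tester's position into a list of CDE hosts and ports and reports every path that was not dropped. The CDE addresses, ports, zone name and the reachability table used for the offline run are all constructed for the example.

```python
"""Segmentation verification: probe CDE hosts/ports from an out-of-scope
position and report every TCP path that should have been blocked.

Added example for PCI DSS 11.3.4 segmentation testing; it is not
Praetorian's tooling. Probing uses a plain TCP connect so the result
reflects what the firewall/ACL actually lets through. The `probe`
argument is injectable so the evaluation logic can be exercised offline
against a constructed reachability table, which is what demo() does.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed test plan (hypothetical addresses): in-scope targets that must
# be unreachable from the out-of-scope zone the tester is plugged into.
CDE_TARGETS = {
    "10.20.0.10": [22, 443, 3306],   # hypothetical POS application server
    "10.20.0.20": [1433, 3389],      # hypothetical cardholder database host
}


@dataclass(frozen=True)
class Finding:
    source_zone: str
    target: str
    port: int
    state: str  # "open" = handshake completed, "refused" = RST came back


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a single TCP connect attempt.

    'open'    -> full handshake: traffic crosses the segmentation boundary
    'refused' -> RST received: nothing listening, but the host is routable,
                 so the boundary did not drop the packet
    'blocked' -> timeout / unreachable: consistent with a filtering control
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        return "blocked"


def verify_segmentation(source_zone: str,
                        targets: dict[str, Iterable[int]],
                        probe: Callable[[str, int], str] = tcp_probe) -> list[Finding]:
    """Return a Finding for every target/port that was NOT blocked.

    An empty list means every probe was dropped, i.e. the segmentation
    control held for this source zone and target set.
    """
    findings = []
    for host, ports in targets.items():
        for port in ports:
            state = probe(host, port)
            if state != "blocked":
                findings.append(Finding(source_zone, host, port, state))
    return findings


def summarize(findings: list[Finding]) -> str:
    """Human-readable pass/fail line plus one line per leaking path."""
    if not findings:
        return "PASS: no connectivity from out-of-scope zone into the CDE"
    lines = [f"FAIL: {len(findings)} path(s) cross the segmentation boundary"]
    for f in findings:
        lines.append(f"  {f.source_zone} -> {f.target}:{f.port} ({f.state})")
    return "\n".join(lines)


# Constructed reachability table standing in for live probes so the demo runs
# offline: RDP to the DB host leaks through a stale ACL, SSH on the app server
# is routable but closed, everything else is dropped.
FAKE_REACHABILITY = {("10.20.0.20", 3389): "open", ("10.20.0.10", 22): "refused"}


def fake_probe(host: str, port: int) -> str:
    return FAKE_REACHABILITY.get((host, port), "blocked")


def demo() -> list[Finding]:
    return verify_segmentation("corp-lan", CDE_TARGETS, probe=fake_probe)


if __name__ == "__main__":
    print(summarize(demo()))
```

Two design points matter for the evidence this produces. A connection refused result is reported as a failure, not a pass: an RST proves the packet crossed the boundary and reached the host, which is exactly the connectivity 11.3.4 says must not exist, even though nothing was listening. And a TCP connect scan alone does not satisfy the requirement; the same exercise needs UDP and ICMP coverage and has to be repeated from each out-of-scope segment, since a rule that blocks the corporate LAN may not block the guest Wi-Fi or a vendor VPN.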

PCI DSS Requirements

11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.

Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

Testing Procedures

11.4.a Examine system configurations and network diagrams to verify that techniques (such as intrusion-detection systems and/or intrusion-prevention systems) are in place to monitor all traffic:
» At the perimeter of the cardholder data environment
» At critical points in the cardholder data environment.

11.4.b Examine system configurations and interview responsible personnel to confirm intrusion-detection and/or intrusion-prevention techniques alert personnel of suspected compromises.

11.4.c Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection and/or intrusion-prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection.

Guidance

Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.
