External Scanning and Penetration Testing in PCI DSS 3.0. Gary Glover, Sr. Director of Security Assessments

Transcription

1 External Scanning and Penetration Testing in PCI DSS 3.0 Gary Glover, Sr. Director of Security Assessments

2 About SecurityMetrics Helping organizations comply with mandates, avoid security breaches, and prevent data theft since 2000.

3 BACKGROUND

4 PCI 3.0 (3.1) Standard Update Many clarifications, some changes, and some new requirements in 3.0 Today s focus New SAQ forms and implications for new external scanning scope PCI DSS 11.3: penetration testing requirement changes

5 NEW SAQS & EXTERNAL SCANNING

6 Background: Payment Redirection Ecommerce web servers often redirect payment collection to other service providers PCI DSS 2.0 classified this as low risk and allowed completion of SAQ A Redirection methods got sophisticated Client side redirection, client side encryption, etc. Responsibility for client side data collection logic is fuzzy How secure client side logic if merchant website is out of scope (i.e. - SAQ A)?

7 Simple Redirection Low Risk All payment data collected by 3 rd party Customer Web page with 3 rd party link or iframe 3 rd Party Payment Provider Now merchant can use SAQ A Merchant Website

8 Client Side Redirection Higher Risk Payment data collected on merchants web page then redirected to a 3 rd party Customer Web page with client side payment collection logic/code 3 rd party payment Provider SAQ A does not protect payment collection logic here, but SAQ A-EP does Merchant website

9 New SAQ A-EP Introduced SAQ A-EP introduced in 3.0 to address complex ecommerce redirection for payment data collection SAQ A-EP almost SAQ D External and internal vulnerability scanning, pen testing, etc. SAQ A now only used for simple redirect Link button or iframe Payment data collected by 3 rd party Looking forward: EMV will shift attacks to ecommerce systems be ready

10 Vulnerability Scan vs. Penetration Test VA scan: automated test that identifies and lists vulnerabilities but doesn t exploit them Penetration test: identifies vulnerabilities, attempts to exploit/circumvent security features to get access

11 SAQ Pen Test & VA Scan Summary SAQ A SAQ A-EP SAQ B SAQ B-IP n/a n/a SAQ C SAQ CVT SAQ D SAQ P2PE n/a n/a Penetration test Internal vuln scan External vuln scan

12 PCI DSS 3.0 PENETRATION TEST REQUIREMENTS

13 Penetration Testing Importance If all the other PCI DSS requirements in place, why is this necessary? Why do you get an MRI? Pen testing is real-world security testing of the requirements you say are in place Many compromised merchants thought they were secure and compliant

14 Cyber Attack Stats 33,000 websites hacked/day (Sophos) 20% of all small businesses will be hacked within 1 year (National Cyber Security Alliance) 36% of the worst 2013 security breaches caused by inadvertent human error (PWC) 61% of businesses store unencrypted payment card data (SecurityMetrics)

15 Big 2014 Breaches

16 Thanks to the Internet, supreme intelligence isn t required to be a hacker.

17

18 Hacker Tools: Cheap, Available Most stand on the shoulders of superiors Use pre-made tools to steal data Tools Memory scraping malware All-in-one hacking dashboards

19 All Your Base Belong to Us Command shell PHP script Gives attacker full admin capabilities on compromised site Hack-in-a-box Menu hacking How do you want to export card data? Choose from the following...

20 What a Pen Test Has Always Been Live, active, real-world, manual (human) attack on in-scope systems, using a set of tools Exploitation of discovered vulnerabilities Chain several exploits to break down security layer defenses Once inside, pivots to other systems

21 PCI 2.0 Pen Testing Req. Perform external and internal penetration testing at least annually and after any significant infrastructure/application upgrade/modification Network-layer penetration test Application-layer penetration test Not a lot of guidance PCI DSS 3.0 expanded Req. 11.3, added clarity, defined expectations

22 PCI DSS 3.0 Changes Better define pen test methodology both for merchant and pen test team Added additional requirements to make testing more effective New requirements take effect July 1, 2015

23 New 3.0 Pen Testing Req. Implement methodology for pen testing: Based on industry-accepted penetration testing approaches (e.g., NIST SP ) Includes coverage for the entire CDE perimeter and critical systems Includes testing from both inside and outside the network Includes testing to validate any segmentation and scope-reduction controls Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Req. 6.5 [OWASP type Pen Test] Defines network-layer penetration tests to include components that support network functions as well as operating systems Includes review and consideration of threats and vulnerabilities experienced in last 12 months Specifies retention of penetration testing results and remediation activities results

24 Use Industry-Accepted Practices Pen testing not a random process Industry-accepted methodologies NIST Special Publication Open Source Security Testing Methodology Manual OWASP Testing Guide, etc. Conducted by qualified person OSCP, CIH, GIAC, etc.

25 Coverage for Entire CDE & Critical Systems Difficult to scope a penetration test Merchant & QSA (if possible) define scope Pen test team works with scope provided May discover new scope during test 3.0 added testing of critical systems

26 What is a Critical System? Additional systems outside CDE boundaries that could affect CDE security Security systems Firewalls, intrusion-detection systems/intrusionprevention systems (IDS/IPS), etc. Authentication servers (Active Directory, LDAP, etc.) Assets utilized by privileged users to support and manage the CDE

27 Pen Test Scope Overlooking Critical Systems

28 PCI DSS 3.0 Pen Test Scope Clarification

29 Test From Inside & Outside Network Not a new 3.0 requirement Always good to address when talking about pen test scoping Internal vs. external penetration test Internal: Test from perspective internal to your corporate network, but outside of the CDE External: Test from perspective of an open public network (Internet) outside of the CDE

30 Internal Pen Test

31 External Pen Test

32 Segmentation Pen Testing Validation of scope reducing segmentation controls Can tester see CDE from out-of-scope network segment? Technical validation of all segmentation technologies Tests may be simple port scans using NMAP Depends on segmentation technologies Pen tester must be given knowledge of segmentation technologies used Might be a LOT of places to test from

33 University Network Segmentation Problem

34 Segmentation Scope Reduction Testing

35 Review Threats and Vulnerabilities More for pen tester than merchant Review threats/vulnerabilities encountered within past 12 months Historic look at real vulnerabilities experienced or discovered in scoped environment since last assessment Requires communication from merchant to pen tester Pen tester must know of current vulnerabilities seen in the industry over the past 12 months Possible effects on the tested environment (ex.: recent SSL issues) Helps define tests conducted

36 Results and Remediation Reporting Emphasis on good record keeping Merchant should: Get comprehensive report from pen test team Keep good records of all remediation efforts Store records for each testing cycle

37 SAQ Pen Test Requirement Summary SAQ A SAQ A-EP SAQ B SAQ B-IP n/a n/a n/a SAQ C SAQ CVT SAQ D SAQ P2PE n/a n/a External Pen Test Internal Pen Test Segmentation Check

38 Pen Testing Informational Supplement Released March 2015 Significant update to 2008 guidance Topics covered: Term definitions, tester qualifications, methodology details, reporting guidelines Case study and scoping examples Answers questions about 3.0

39 3.0 Pen Test Requirements

40 IMPACT TO UNIVERSITIES

41 Biggest Impacts Bar raised on VA scan and pen testing SAQ A merchant may be A-EP this year: VA scan, pen test, etc. Move to A using simple redirect IP terminals now SAQ B-IP not SAQ C

42 Biggest Impacts SAQ C merchants need pen test to check proper segmentation Usually simple Could mean testing from a lot of out of scope zones

43 Questions? Gary Glover