Penetration Testing and PCI DSS 3.1. Erik Winkler, ControlCase

Similar documents
PCI DSS v3.0 Vulnerability & Penetration Testing

Payment Card Industry (PCI) Penetration Testing Standard

Checklist for Vulnerability Assessment

External Scanning and Penetration Testing in PCI DSS 3.0. Gary Glover, Sr. Director of Security Assessments

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Using Skybox Solutions to Ensure PCI Compliance. Achieve efficient and effective PCI compliance by automating many required controls and processes

Four Keys to Preparing for a PCI DSS 3.0 Assessment

NEW PENETRATION TESTING REQUIREMENTS, EXPLAINED

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

Technology Innovation Programme

Document No.: VCSATSP Vulnerability and Penetration Testing Policy Revision: 7.0

Using Skybox Solutions to Achieve PCI Compliance

PCI DSS 3.1 and the Impact on Wi-Fi Security

Network Segmentation

March

Thoughts on PCI DSS 3.0. September, 2014

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

How To Protect Your Data From Being Stolen

PCI DSS Overview and Solutions. Anwar McEntee

Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients

Reducing Application Vulnerabilities by Security Engineering

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 3.0 to 3.1

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0

Payment Card Industry (PCI) Data Security Standard

PCI Requirements Coverage Summary Table

Penetration Testing Services. Demonstrate Real-World Risk

Penetration Testing in Romania

Three Critical Success Factors for PCI Assessment. Seth Peter NetSPI April 21, 2010

NERC CIP VERSION 5 COMPLIANCE

!!!!!!!!!!!!!!!!!!!!!!

Information Security Organizations trends are becoming increasingly reliant upon information technology in

Preparing for PCI DSS 3.0 & Ensuring a Seamless Transition. November 2013

PCI Requirements Coverage Summary Table

PCI Compliance 3.1. About Us

Continuous compliance through good governance

UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE

PCI v2.0 Compliance for Wireless LAN

PCI Compliance. PCI DSS v3.1. Dan Lobb CRISC. Lisa Gable CISM

Best Practices for PCI DSS V3.0 Network Security Compliance

Passing PCI Compliance How to Address the Application Security Mandates

New PCI Standards Enhance Security of Cardholder Data

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

Closing Wireless Loopholes for PCI Compliance and Security

QUESTIONS & RESPONSES #2

Put into test the security of an environment and qualify its resistance to a certain level of attack.

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

SECURITY. Risk & Compliance Services

Intro to Firewalls. Summary

PCI DSS Virtualization Guidelines. Information Supplement: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: June 2011

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation

PCI Compliance Top 10 Questions and Answers

Information Security Assessment and Testing Services RFQ # Questions and Answers September 8, 2014

FedRAMP Penetration Test Guidance. Version 1.0.1

Achieving Compliance with the PCI Data Security Standard

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

Critical Controls for Cyber Security.

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1)

Introduction to network penetration testing

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

Open PCI DSS Scoping Toolkit. Open Scoping Framework Group

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

PCI Compliance. Top 10 Questions & Answers

HOW SECURE IS YOUR PAYMENT CARD DATA?

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

About Effective Penetration Testing Methodology

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Transcription:

Penetration Testing and PCI DSS 3.1 Erik Winkler, ControlCase ControlCase Annual Conference Orlando, Florida 2015

Agenda What is a Penetration Test? Why is it important? What should we include in the test? What s new in PCI DSS 3.1 How the methodology is defined? Is a segmentation test different than a pen test? Pre-requisites for segmentation Case Study Best Practices to pass a segmentation pen test

What is a Penetration Test? A method of evaluating the security of a computer system, network or application by simulating an attack by a malicious hacker. Involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. Carried out from the position of a potential attacker, and involves an active exploitation of security vulnerabilities. Performed from outside the external security perimeter or internal to the internal security perimeter.

Why is it important? To determine whether and how a malicious user can gain unauthorized access to assets and eventually sensitive data To confirm that the applicable controls, such as scope, vulnerability management, methodology, and segmentation, required in PCI DSS are in place.

What should we include in the test? Entire CDE perimeter Any critical systems that may impact the security of the CDE External perimeter (public-facing attack surfaces) Internal perimeter of the CDE (LAN-LAN attack surfaces) Validate segmentation and scope-reduction controls

What s new in PCI DSS 3.1 11.3.4 - CDE Segmentation Verification Applicable if segmentation is used to isolate CDE from other networks Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems Must provide tester documentation of segmentation technologies Testing against CDE systems from outside CDE Testing against out-of-scope systems within the CDE

How the methodology is defined? Based on the best practices from Open-Source Security Testing Methodology Manual (OSSTMM), Open Web Application Security Project (OWASP) and NIST SP800-115 Includes coverage for the entire CDE perimeter and critical systems Includes testing from both inside and outside the network Includes testing to validate any segmentation and scope-reduction controls Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 Defines network-layer penetration tests to include components that support network functions as well as operating systems Includes review and consideration of threats and vulnerabilities experienced in the last 12 months Specifies retention of penetration testing results and remediation activities results

What is the difference between tests? Penetration Testing Mandatory as per the requirement 11.3 Can be done on Application and Network Layer as well Done from inside of CDE network Identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components. Segmentation Penetration Testing Applicable only if segmentation is in place Can be done on Network Layer only as a start point Done from outside of CDE network Validate any segmentation and scopereduction controls

Pre-requisites for segmentation Detailed network diagram showing CDE and Non-CDE segments Network Zone/VLAN information for CDE and Non-CDE Ability to move a source system from one network/vlan to other in case of multiple Non-CDE segments No changes are required w.r.t configuration on the network devices

Case Study For Retail Merchant

Example Store Network Diagram CDE POS Server POS 1 POS 2 VPN to Corporate (non-cde) Firewall 2 Store # POS Network Card Data Environment (CDE) 192.168.0.0/24 ISP Public IP 224.X.X.75 Firewall 1 Store # General Network (non-cde) 10.0.0.0/24 Workstation CCTV Server Wireless AP

Example Corporate Network Diagram

Description of Access Description of Access The table below outlines the access from all non-cde networks into the CDE. Source Network (Non CDE) Destination Network (CDE) Access Corporate General User Network Store POS Network None Segmented Corporate IT Management Network Store POS Network SSH to POS server Store General Network Store POS Network None Segmented The success criteria for the penetration test were defined as getting access to the CDE environment and accessing cardholder data. Based on the defined scope, the following different attack scenarios can be evaluated: External attacker without knowledge of the environment Internal attacker with no CDE access (guest, contractor, etc.) in the store/corporate general network

Segmentation PT Result Segmentation Failed If we note that firewall #2 (CDE firewall) is configured to allow unrestricted access (any ports and services) from the store/corporate General Network (10.0.0.0/24) into the store POS Network (192.168.0.0/24). Segmentation Passed If there is no access detected for any of the ports and services from the store General Network (10.0.0.0/24) into the store POS Network (192.168.0.0/24). In short, if the access is as per the table mentioned in earlier slide.

Best Practices to Pass Segmentation PT Rule-set review shall be done to verify the rules against the business requirements. All unused rules shall be removed All ACLs shall be configured in a way that they do not allow access to Non-CDE to CDE and vice versa. All changes in network shall be done through change management process only by following Network segmentation policy and procedure. If Non-CDE segments have access into the CDE, either the organization needs to restrict that access or a full network-layer penetration test should be performed to characterize the access.

Questions?

Thank you

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information