Payment Card Industry (PCI) Penetration Testing Standard

Issued Date: 14 May 2015
Effective Date: 14 May 2015

Purpose

This standard outlines penetration-testing requirements for the university's Payment Card Industry (PCI) cardholder data environment (CDE). It also establishes a penetration-testing methodology to meet annual PCI compliance efforts.

Scope

This standard applies to:
- University Information Security Office (UISO);
- PCI merchants in scope for penetration tests; and
- The university's CDE.

Definitions

In the context of this document, the following terms are used as indicated here:

Application-layer testing - Testing that typically includes web sites, web applications, thick clients, or other applications.

Cardholder data environment - Areas of a computer system network that possess cardholder data (or sensitive authentication data), and those systems and segments that directly attach to or support cardholder data processing, storage, or transmission.

Critical systems - Systems involved in the processing or protection of cardholder data.

Internal testing - Testing of the internal perimeter of the CDE from the perspective of any out-of-scope LAN segment.

External testing - Testing of the exposed perimeter of the CDE and of critical systems connected or accessible to public network infrastructures.

Network-layer testing - Testing that usually includes external and internal testing of networks (LANs/VLANs), of links between interconnected systems, of wireless networks, and social engineering.

Penetration test - A test methodology where assessors attempt to circumvent the security features of an information system.

Penetration Test Requirements

External and internal penetration tests must be:
- Performed annually and after any significant infrastructure or application changes to the environment;
- Conducted according to NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, and PCI's "Information Supplement: Penetration Testing Guidance"; and
- Performed by qualified personnel approved by the UISO.

Penetration tests must:
- Include the entire CDE and critical systems;
- Confirm segmentation and scope reduction controls; and
- Include network-layer and application-layer* tests.

*Application-layer pen tests must include checks detailed in the most current Open Web Application Security Project (OWASP) Top 10.

Penetration Tester Requirements

Testers must describe the qualifications and experience that make them qualified to perform pen tests. Testers must detail how they achieve organizational independence.

Tested Organization Requirements

The organization must provide the UISO with:
- A network diagram depicting all network segments in scope for the test;
- A cardholder data flow diagram;
- A list of all expected services and ports exposed at the CDE perimeter;
- Details of how authorized users access the CDE; and
- A list of all network segments that have been isolated from the CDE to reduce scope.

The organization must correct all exploitable vulnerabilities identified during the test and request a retest to confirm that each vulnerability no longer exists.

Retention Period

The UISO and the tested organization must keep final reports, along with remediation activity results, for three years.

Appendix A - Penetration Test Process Overview

A penetration test is an evaluation that simulates real-world attacks in an effort to improve understanding of the system, uncover weaknesses, and enhance security measures.

Methodology

The UISO follows the testing processes described in NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment.

Phases

There are four phases of penetration testing: Planning, Discovery, Attack, and Reporting.

Planning

The following sections highlight essential activities in the planning phase.

Scope

The organization being assessed is responsible for defining the scope. During the scoping process, the organization should provide the tester:
- A network diagram depicting all network segments in scope;
- A cardholder data flow diagram;
- A list of all expected services and ports exposed at the CDE perimeter;
- Details of how authorized users access the CDE; and
- A list of all network segments that have been isolated from the CDE to reduce scope.

The pen test lead can provide the organization guidance on which assets to include. For PCI penetration tests, the test's scope must include the entire CDE and any critical systems.

Rules of Engagement

Before testing begins, it is important to document how the test will be performed. The rules of engagement (ROE) capture this description and ensure the organization understands what to expect. Additionally, the ROE authorizes the test and grants the tester approval to begin testing.

ROE Contents

A ROE will include items such as:
- A time window for testing;
- Identification of systems that have known issues with automated scanning;
- A plan for communicating any issues encountered during the engagement;
- A listing of security controls that would detect or prevent testing; and
- Signatures of the authorizing parties.

Scan Interference

The rules of engagement must address "scan interference." Scan interference often occurs when an active control, such as an intrusion prevention system, blocks or interferes with the test. The penetration test must be allowed to perform activities, such as scanning, without interference from active protection systems. Review the section titled Scan Interference in PCI's Approved Scanning Vendors Program Guide for more detail on active protection systems.

Review of Past Threats and Vulnerabilities

PCI DSS Requirement 11.3 requires a review and consideration of historical threats. The test lead will review vulnerabilities identified in the entity's environment within the past 12 months. The tester will also obtain, if available:
- Prior penetration test reports;
- Previously issued PCI compliance documentation, such as Reports on Compliance; and
- Current vulnerability scan test results.

Discovery

The discovery phase of penetration testing includes two parts. The first part is the start of actual testing, and covers information gathering and scanning. The second part of the discovery phase is vulnerability analysis, which involves comparing the services, applications, and operating systems of scanned hosts against vulnerability databases and the testers' knowledge of vulnerabilities. During this phase, the tester will document all identified open network ports and services from both the external and internal perspectives.

Attack

Executing an attack is at the heart of any penetration test. In the attack phase, the tester will attempt to exploit identified vulnerabilities. The following figure represents the individual steps of the attack phase.

Internal Testing

The scope of the internal penetration test is the internal perimeter of the CDE from the perspective of any out-of-scope LAN segment that has access to a unique type of attack on the CDE perimeter.

External Testing

The scope of an external penetration test is the exposed perimeter of the CDE and critical systems connected or accessible to public network infrastructures. An external test should assess any unique access to the scope from the public networks, including services whose access is restricted to individual external IP addresses. Both internal and external testing must include application-layer and network-layer assessments. External penetration tests must also include remote access vectors such as dial-up and VPN connections.

Segmentation

If the organization has segmentation controls, the tester will confirm these controls are operational. The tester will perform these checks from any non-CDE environment that the organization intended to be completely segmented from the CDE perimeter.

Application-Layer Testing

Any software written by or specifically for the organization that is part of the CDE is subject to both an application-layer and a network-layer penetration test. It is common for an environment to host a web application that was not specifically coded for the organization, such as commercial web-mail interfaces, document-sharing tools, and network-device administrative interfaces. In these instances, the web application does not typically need an application-layer pen test, as the entity is not responsible for the source code of this type of software. Instead, the tester should perform a network-layer test and ensure the software was implemented, configured, and is currently being maintained in a secure manner (disabling or uninstalling unused services, blocking unused ports, applying current updates, etc.).

*If a payment application has been PA-DSS validated, the application's functionality does not need to be tested as part of the entity's PCI DSS compliance validation. However, the implementation of the application does need to be tested. This includes both the operating system and any exposed services, but not the payment application's functionality (e.g., authentication, key management, transaction processing, etc.), since this was validated as part of the PA-DSS application validation.

Application-Layer Testing Requirements

The tester will evaluate applications against the Open Web Application Security Project (OWASP) Top 10. The tester will also perform testing from the perspective of each of the application's defined roles.

Social Engineering

PCI DSS does not require the use of social-engineering techniques. However, the tester can incorporate them into the penetration testing methodology and ROE.

Reporting

Upon completion of the analysis, the tester will generate a report that identifies system, network, and organizational vulnerabilities along with recommended mitigation actions. The report will list:
- A summary listing of items that need remediation and retesting; and
- A detailed listing of items that need remediation and retesting.

The tester will also describe attempts to exploit each identified vulnerability and clearly state the potential result/risk that each potential exploit may pose to the environment.

Cleaning up the Environment Post-Penetration Test

After testing there may be tasks the tester or customer needs to perform to restore the target environment (e.g., updating or removing test accounts or database entries added or modified during testing, uninstalling test tools or other artifacts, restoring active protection-system settings, and/or other activities the tester may not have permissions to perform). The tester will provide directions on how clean-up should be performed and how to verify that security controls have been restored.

Remediation

The organization should take steps to remediate any exploitable vulnerability within a reasonable period after the original test. When the organization has completed these steps, the tester should perform a retest to validate that the newly implemented controls mitigate the original risk.
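The Discovery and Segmentation sections above require the tester to document every reachable port and service per vantage point and to confirm that segments the organization declared isolated really have no path to the CDE. The script below is an added example (not part of this standard or any UISO tooling) that reconciles such discovery results against the organization's expected-services list and isolated-segment list; the expected list, isolated segments and discovery lines are constructed sample data in an assumed "vantage host port service" format.

```python
"""Reconcile observed CDE perimeter exposure against the expected services list.

Added example, not part of the university standard. Assumes the organization's
expected list is keyed by (host, port) and that discovery results are constructed
'vantage host port service' lines standing in for real scanner output.
"""

# Constructed expected perimeter exposure supplied by the tested organization.
EXPECTED_PERIMETER = {
    ("10.10.1.5", 443): "payment-web",
    ("10.10.1.5", 22): "ssh-admin",
    ("10.10.1.6", 443): "tokenization-api",
}

# Segments the organization declared isolated from the CDE to reduce scope.
ISOLATED_SEGMENTS = {"guest-wifi", "corp-lan"}

# Constructed discovery output: one reachable service per line.
SAMPLE_DISCOVERY = """\
external 10.10.1.5 443 https
external 10.10.1.5 22 ssh
external 10.10.1.5 3389 rdp
corp-lan 10.10.1.5 443 https
guest-wifi 10.10.1.7 1433 mssql
"""

def parse_discovery(text):
    """Parse 'vantage host port service' lines; malformed lines are skipped."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        vantage, host, port, service = parts
        findings.append((vantage, host, int(port), service))
    return findings

def reconcile(findings, expected, isolated):
    """Classify reachable services. Returns a dict with three lists:
    segmentation_failures - reachable from a segment declared isolated,
    unexpected            - in-scope vantage but absent from the expected list,
    not_observed          - expected (host, port) pairs no vantage could reach.
    """
    report = {"segmentation_failures": [], "unexpected": [], "not_observed": []}
    observed = set()
    for vantage, host, port, service in findings:
        if vantage in isolated:
            report["segmentation_failures"].append((vantage, host, port, service))
            continue
        observed.add((host, port))
        if (host, port) not in expected:
            report["unexpected"].append((vantage, host, port, service))
    report["not_observed"] = sorted(set(expected) - observed)
    return report

if __name__ == "__main__":
    result = reconcile(parse_discovery(SAMPLE_DISCOVERY), EXPECTED_PERIMETER, ISOLATED_SEGMENTS)
    for category, items in result.items():
        print(f"{category}: {items}")
```

Each item under segmentation_failures is a retest-blocking finding for the segmentation control; unexpected items go to the findings list for remediation, and not_observed entries prompt the organization to confirm whether the expected-services list is stale.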

Appendix B - Example Penetration Test Report Outline

Organization Information
- Contact information
- Credentials and qualifications of analysts
- Description of how the individuals are organizationally independent of the management of the environment being tested
- Dates the engagement was performed
- Date the report was issued

Executive Summary
- Summarizes testing performed
- Summarizes results of testing
- Summarizes steps for remediation

Statement of Scope
- A detailed definition of the scope of the network and systems tested as part of the engagement
- Clarification of CDE vs. non-CDE systems or segments that are considered during the test
- Identification of critical systems in or out of the CDE and explanation of why they are included in the test as targets

Statement of Methodology
- A description of the methodology used and how it meets industry best practices, such as NIST

Statement of Limitations
- Document any restrictions imposed on testing, such as designated testing hours, bandwidth restrictions, or special testing requirements for legacy systems

Testing Narrative
- Provide details as to the testing methodology and how testing progressed. For example, if the environment did not have any active services, explain what testing was performed to verify restricted access.
- Document any issues encountered during testing (e.g., interference was encountered as a result of active protection systems blocking traffic).

Segmentation Test Results
- Summarize the testing performed to validate segmentation controls, if they are used to reduce the scope of PCI DSS

Findings
- Description of finding
- Risk ranking/severity of each vulnerability
- Targets affected
- References (e.g., CVE or BID)

Tools Used
- Information gathering, scanning, and exploitation tools used during the test

Revision History

Author            Date           Test Comments
Jeremy Parrott    10 April 2015  Initial Draft
Kyle S. Brown     23 April 2015  Formatting
Jeremy Parrott    5 May 2015     Updates based on comments