PCI-DSS Penetration Testing

Adam Goslin, Co-Founder, High Bit Security
May 10, 2011

About High Bit Security
- High Bit helps companies obtain or maintain their PCI compliance (Level 1 through Level 4).
- High Bit will identify where your organization stands against the PCI DSS standard (gap analysis), provide remediation advice, guide your team through the process, coordinate with your chosen Qualified Security Assessor (QSA), participate in your onsite audit to ease your mind, and assist with any remediation items arising from the onsite audit.
- High Bit has an ongoing PCI compliance management solution to mitigate surprises at next year's audit.
- High Bit provides cost-effective penetration testing: external or internal testing against the network and/or application layers.
- High Bit's manual penetration testing is performed by security engineers who hold industry-recognized certifications.

Vulnerability Scanning
- A vulnerability scan is performed by a pre-configured program that evaluates your network and applications for known vulnerabilities and produces a report. The report will contain false positives and requires interpretation by someone able to validate each result.
- External vulnerability scanning (from outside your network) is required by PCI DSS (Requirement 11.2), at least quarterly, and must be performed by an Approved Scanning Vendor (ASV). High Bit Security can meet your scanning requirements through one of our partners.
- Internal vulnerability scanning can be done by a qualified internal or third-party resource. If you already have a firm doing penetration testing, they should be able to handle it for you.

Penetration Testing - Overview
- A penetration test is a security engagement performed by highly skilled security engineers (all High Bit Security engineers hold at least one industry-recognized certification and have a background in multiple development languages) against the network and/or application layer, externally or internally.
- Vulnerability scanning is included with all penetration tests from High Bit Security, but the primary focus of the penetration test is intensive manual testing by our experienced penetration testing engineers.
- The High Bit Security team advises clients of what we found, where we found it, and specifically how to fix it.

Why Do Penetration Testing if Already Vulnerability Scanning?
- Vulnerability scanners are good at finding known vulnerabilities, but they are poor at identifying logical faults and often fail to find serious security flaws in custom-coded applications.
- Because vulnerability scans rely on preconfigured pattern recognition (known signatures, error strings and echoed payloads), many aspects of a system cannot be tested completely, or at all: a scanner has no model of what the application is supposed to do, so a response that is well-formed but wrong looks like a pass.
- Penetration testing provides coverage for the serious security faults that scanners are incapable of testing.
- Ultimately, the difference between a vulnerability scan and a full penetration test is that security engineers think, analyze, track, follow up and judge; scanners do not.
- Reliance on scans alone will almost certainly leave you with an insecure posture.
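The following is an added example and is not part of the High Bit Security deck; it illustrates the point above in code. The checkout handler, the catalog and the scanner signatures are all hypothetical and constructed for the example. A toy scanner that works the way the slide describes (injecting canned payloads and pattern-matching the responses) reports nothing against either version of the handler, while a short manual test that reasons about the business rule finds two logical faults in the vulnerable version and none in the hardened one.

```python
"""Added example (not from the High Bit Security deck): a business-logic
flaw that a pattern-matching vulnerability scanner cannot see.

Everything here is constructed: the catalog, the checkout handlers and
the scanner signatures are hypothetical stand-ins for a real application
and a real scanner.
"""
from dataclasses import dataclass
import json
import re

# Constructed catalog: the server's authoritative prices, in cents.
CATALOG = {"SKU-100": 4999, "SKU-200": 12900}


@dataclass
class Response:
    status: int
    body: str


def checkout_vulnerable(request: dict) -> Response:
    """Logical fault: the client controls price and quantity, and the
    server only checks that the fields are numeric."""
    try:
        sku = request["sku"]
        qty = int(request["qty"])
        price = int(request["price"])  # trusts the client-supplied price
    except (KeyError, ValueError):
        return Response(400, json.dumps({"error": "bad request"}))
    if sku not in CATALOG:
        return Response(404, json.dumps({"error": "unknown sku"}))
    total = qty * price  # negative qty silently turns into a refund
    return Response(200, json.dumps({"sku": sku, "qty": qty, "total": total}))


def checkout_hardened(request: dict) -> Response:
    """Server-side enforcement of the business rule: price comes from the
    catalog, quantity must be a positive integer within a sane bound."""
    try:
        sku = request["sku"]
        qty = int(request["qty"])
    except (KeyError, ValueError):
        return Response(400, json.dumps({"error": "bad request"}))
    if sku not in CATALOG:
        return Response(404, json.dumps({"error": "unknown sku"}))
    if not (1 <= qty <= 100):
        return Response(400, json.dumps({"error": "invalid quantity"}))
    total = qty * CATALOG[sku]
    return Response(200, json.dumps({"sku": sku, "qty": qty, "total": total}))


# Response patterns a preconfigured scanner typically looks for.
SCANNER_SIGNATURES = [
    re.compile(r"SQL syntax|ORA-\d{5}|sqlite3\.OperationalError"),  # SQL errors
    re.compile(r"<script>alert\(1\)</script>"),                    # reflected XSS
    re.compile(r"root:x:0:0:"),                                    # file disclosure
]
SCANNER_PAYLOADS = ["' OR '1'='1", "<script>alert(1)</script>", "../../etc/passwd"]


def pattern_scan(handler) -> list:
    """Mimics signature-based scanning: inject each payload into each
    field and flag responses that match a known error or echo pattern."""
    findings = []
    for payload in SCANNER_PAYLOADS:
        for field in ("sku", "qty", "price"):
            req = {"sku": "SKU-100", "qty": "1", "price": "4999", field: payload}
            resp = handler(req)
            for sig in SCANNER_SIGNATURES:
                if sig.search(resp.body):
                    findings.append((field, payload, sig.pattern))
    return findings


def manual_logic_test(handler) -> list:
    """What a tester does that a scanner does not: state the business rule
    ('total equals catalog price times a positive quantity') and check
    whether the server actually enforces it."""
    findings = []
    probes = [
        ({"sku": "SKU-100", "qty": "1", "price": "1"}, "client-controlled price"),
        ({"sku": "SKU-100", "qty": "-5", "price": "4999"}, "negative quantity"),
    ]
    for req, label in probes:
        resp = handler(req)
        if resp.status != 200:
            continue  # the server rejected the probe; rule held
        total = json.loads(resp.body)["total"]
        expected = CATALOG[req["sku"]] * int(req["qty"])
        if total != expected or total <= 0:
            findings.append(label)
    return findings
```

pattern_scan returns an empty list for both handlers: every probe produces a clean 200, 400 or 404 with no signature in the body, so the scanner has nothing to report. Only manual_logic_test(checkout_vulnerable) returns findings, which is the slide's point in miniature: an ASV scan and an application-layer penetration test are not interchangeable evidence.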

Penetration Testing Experience
- Testing the network layer (firewalls, web servers, email servers, FTP servers, etc.); the application layer (all major development languages, web servers, operating systems and browsers); wireless systems; internal workstations, printers and fax machines; war dialing of phone numbers; virtual environments including cloud; internet-enabled devices; and more.
- We have tested law enforcement systems, state and municipal government systems, and private-sector systems ranging from online gaming to financial institutions.
- With thousands of hours of experience, we have performed single engagements covering more than 4000 IP addresses, and others covering thousands of web pages across multiple systems.

Penetration Testing - Why Do It?
- Penetration testing is required by many compliance regimes, including the Payment Card Industry Data Security Standard (PCI DSS Requirement 11.3).
- Penetration testing greatly improves your security posture.
- Penetration testing should be performed regularly: PCI DSS calls for it at least annually and after any significant infrastructure or application change, and in practice the constant addition and removal of hardware, code releases, patching and manual environment modifications all change what an attacker can reach.

Penetration Testing - Areas of Impact
Penetration testing is performed against multiple layers of your environment:
- Network layer: performed against the network components of your environment (web servers, file servers, firewalls, routers, email servers). This layer is evaluated for vulnerabilities and configuration issues, with all results validated by a security engineer.
- Application layer: performed against applications (primarily web applications), looking for application-layer vulnerabilities, logical faults and web server configuration issues.
- External penetration testing: performed from outside your environment, from the position of an Internet-based attacker.
- Internal penetration testing: performed from inside your environment, from the position of an attacker who has already breached the outer defenses.

Penetration Testing - Process
1. 30-minute consultation for scope gathering. The goal is to clearly understand the requirements of the engagement so that we quote exactly what is required.
2. Proposal generated; contract approval.
3. Scheduling of the engagement.
4. Testing performed within the agreed testing windows.
5. Finding reports generated and delivered.
6. Post-testing consultation (if required).
7. Customer corrects open issues and requests remediation testing.
8. Open issues are re-tested to confirm they have been corrected.

Penetration Testing - Finding Reports
Each finding report contains:
- The type of issue that was discovered
- A detailed description of the issue type
- Specific examples of where the issue was found
- Specific instructions on how to fix the issue. As appropriate, these include:
  - Screenshots
  - Code samples
  - Sample scripts that internal staff can use to validate the issue (and to confirm the fix)
These reports are detailed enough that, in most cases, remediation starts immediately.

Penetration Testing - Final Report
- The final report contains all of the individual finding reports.
- It also contains a summary of all testing performed, whether or not that testing yielded finding reports.
- The full report should be reviewed in detail, specifically with regard to the appropriate configuration of your environment. The objective is to leave open only what is required, so this review is a good time to validate your business requirements (which ports, services and functions actually need to be exposed) against the detailed information in the final report.

Penetration Testing - Remediation Testing Report
- The remediation testing report provides detailed specifics about the re-testing and a designation against each finding report indicating whether the issue has been corrected.
- Where an issue requires further work, we provide (as appropriate) details of the remediation testing results, including screenshots, scripts and descriptions of what was found during re-testing.
- Once all issues have been corrected, the remediation testing report reflects this and can be used as evidence to an auditor that testing was completed successfully.

Penetration Testing - Additional Items
- Are customer-facing reports available? Yes. Once all items are remediated, we will provide a sanitized customer-facing letter stating the results of the testing engagement.
- Are sample reports available? Yes. Please send us an email, either through the website or directly.
- We have questions that were not answered. Feel free to contact us at any time; we would be happy to help. Go to www.highbitsecurity.com tomorrow: we are loading a FAQ page that should answer the vast majority of the questions we have come across.

PCI Compliance Webinar Series
- PCI Compliance: Overview and First Steps to Success
- PCI Compliance: Detailed Requirements Walkthrough
- PCI Compliance: Penetration Testing and Enhancing Security for Networks and Applications

PCI Compliance Q&A
- Free consultations for PCI DSS compliance
- Free consultations for penetration testing
High Bit Security
Adam Goslin - Founder
Cell: 248-388-4328
Email: agoslin@highbitsecurity.com