PCI-DSS – Penetration Testing Adam Goslin, Co-Founder High Bit Security May 10, 2011
About High Bit Security • High Bit helps companies obtain or maintain their PCI compliance (Level 1 through Level 4 compliance) • High Bit will identify where your organization stands against the PCI-DSS standards (GAP analysis), provide remediation advice, guide your team through the process, coordinate with your chosen Qualified Security Assessor, participate in your onsite audit to ease your mind, assist with any remediation items from the onsite audit High Bit has an ongoing PCI Compliance management solution to mitigate • surprises on next year audit • High Bit provides cost effective Penetration Testing - external or internal testing against network and/or application layers • High Bit’s manual Penetration Testing is performed by security engineers that hold industry recognized certifications
Vulnerability Scanning A vulnerability scan is performed by a pre-configured computer program that evaluates your network and applications for vulnerabilities, and produces a report. This report will contain false positives and require interpretation. External vulnerability scanning (from outside your network) is required for PCI-DSS, and must be performed by an Approved Scan Vendor (ASV). High Bit Security can perform your scanning requirements through one of our partners. Internal vulnerability scanning can be done by a qualified internal or 3 rd party source. If you already have a firm doing Penetration Testing, they should be able to handle for you.
Penetration Testing - Overview This is a security engagement performed by highly skilled security engineers (all of High Bit Security engineers hold at least one industry recognized certification, and have a background in multiple development languages), against the network and/or application layer – externally or internally. Vulnerability scanning is included with all penetration tests from High Bit Security, but the primary focus of the penetration test is intensive manual testing by our experienced penetration testing engineers. The High Bit Security team advises our clients of what we found, where we found it and specifics surrounding how to fix it.
Why do Penetration Testing if already Vulnerability Scanning? Vulnerability scanners are good at finding known vulnerabilities but are not very good at identifying logical faults, and often fail to find serious security flaws in custom coded applications. Since vulnerability scans leverage preconfigured pattern recognition, there are many aspects of a system that cannot be tested completely (or at all). Penetration testing provides coverage for serious security faults that scanners are incapable of testing Ultimately, the difference between a vulnerability scan and a full penetration test is that security engineers think, analyze, track, follow up and judge and scanners do not. Reliance on scans alone will almost certainly lead to an insecure posture.
Penetration Testing – Experience • Testing the network layer (firewalls, web servers, email servers, FTP servers, etc.); the application layer (all major development languages, all major web servers, all major operating systems, all major browsers); wireless systems; internal workstations, printers, fax machines; WAR dialing phone numbers, virtual environments including cloud, internet enabled devices, and more. We have tested law enforcement systems, state and municipal government systems, and private sector systems ranging from online gaming to financial institutions. • With thousands of hours of experience, we have performed single engagements covering more than 4000 IP addresses and other engagements with thousands of web pages covering multiple systems.
Penetration Testing – Why Do It? • Penetration Testing engagements are required by many compliance requirements (such as the Payment Card Industry Data Security Standard) • Penetration Testing greatly improves your security posture • Penetration Testing should be performed regularly (at least annually), due to the constant addition / removal of hardware in your environment, code releases, patching requirements, manual environment modifications
Penetration Testing – Areas of Impact? • Penetration Testing is performed against multiple layers of your environment: – Network Layer – Performed against the network layer of your environment (web servers, file servers, firewalls, routers, email servers). This layer is evaluated for vulnerabilities and configuration issues, with all results validated by a security engineer – Application Layer – Performed against applications (primarily web applications) looking for application layer vulnerabilities, logical faults, and web server configuration issues. • External Penetration Testing: testing is performed from outside your environment (similar to a hacker) • Internal Penetration Testing: testing is performed from inside your environment (similar to a hacker that has breached the outer defenses)
Penetration Testing – Process? • 30 minute consultation for scope gathering: the goal of scope gathering is to clearly understand the requirements of the engagement so we’re quoting exactly what is required • Proposal generated; contract approval • Scheduling of the engagement • Testing performed between testing windows • Finding reports generated and delivered • Post testing consultation (if required) • Customer corrects open issues, requests remediation testing • Open issues are checked again to ensure they’re corrected
Penetration Testing – Finding Reports • Finding Reports – Type of issue that was discovered – Detailed description of issue type – Specific examples of where the issue was found – Specific instructions on how to fix the issue. As appropriate, these include: • Screenshots • Code samples • Sample scripts that can be used by internal staff for issue validation • These reports are of such a detailed nature, in most cases, remediation starts immediately.
Penetration Testing – Final Report • Final Report – This report contains all of the individual finding reports – Also contains a summary of all testing results, whether the testing yielded finding reports or not – The results of the full report should be reviewed in detail, specifically as it relates to the appropriate configuration of your environment. The objective is to leave open only that which is required, so this review is a good time to validate your business requirements against the detailed information contained in a final report.
Penetration Testing – Remediation Report • Remediation Testing Report – This report will provide detailed specifics around the testing, and provide a designation against each of the finding reports, indicating whether each issue is corrected – In the event an issue requires further work, we will provide (as appropriate) details about the remediation testing results, including screenshots, scripts, and descriptions of findings through the remediation testing Once all issues have been corrected, the remediation testing report will reflect – accordingly, and can be used as proof to an auditor of successful testing completion
Penetration Testing – Additional Items • Customer facing reports available? Yes – once all items are remediated, we will provide a sanitized customer facing letter indicating the results of the testing engagement • Samples reports available? Yes – please send us an email either through the website or directly. We have questions that were not answered… • – Feel free to contact us at any time – we’d be happy to help – Go to www.HighBitSecurity.com tomorrow, and we’re loading a FAQ page that should answer the vast majority of questions we’ve come across
PCI Compliance – Webinar Series • PCI Compliance: Overview and First Steps to Success • PCI Compliance: Detailed Requirements Walkthrough • PCI Compliance: Penetration Testing and Enhancing Security for Networks and Applications
PCI Compliance – Q&A Free consultations for PCI DSS compliance Free consultations for Penetration Testing High Bit Security Adam Goslin - Founder Cell: 248-388-4328 Email: agoslin@HighBitSecurity.com
Recommend
More recommend
