Being a responsible corporate citizen and member of the local community is at the core of Control Gap’s daily operations. We believe in making work a rewarding experience by incorporating fun team events within our corporate culture, and supporting cause-related and local organizations.

Blog

Social Network Spiraling - Everything Going On with Facebook Up Until Now (October 4, 2018)

In case you missed it, Facebook has had some issues recently and it's only getting uglier. Catch up on the news below:

September's Breach

The most recent breach announcement came late last week and the exposure lasted over 13 months: As the new week dawned we began to get more information as Facebook rushed to comply with GDPR notification requirements: More information emerges about the impact, remediation, and GDPR as the week goes on:

Other Recent Issues

Even without the breach Facebook has had other security and privacy issues come to light: A few very recent developments that would normally be positive are likely being completely drowned out by the bad news:

Facebook's Annus Horribilis

Facebook is still dealing with the fallout from previous troubles. In fact, 2018 has been a terrible year:

If You Take Credit Cards By Phone or Mail - You Need to Read About Visa's October Mandate (September 12, 2018)

PCI Rules Aren't the Only Ones You Need to Comply With

Most organizations concerned with payment compliance are focused on the PCI Data Security Standard (DSS), but PCI is only part of the story. Every card brand and payment association has its own operating rules and regulations that also need to be followed. Many of these rules and regulations fly below the radar of most people and organizations. However, sometimes these rule changes have far-reaching impacts. Rule changes most commonly affect card Issuers, Acquirers, and Processors, who need to understand, evaluate, and implement the new requirements. In many cases, the changes are nearly transparent to merchants and cardholders. This article looks at a few of the recent requirements that will impact merchants and cardholders.

October's Mandates

Visa is introducing a number of changes starting this October that will affect all merchants that take mail order and telephone order (MOTO) transactions. This currently affects Canadian merchants but will also expand to other markets. Specifically, the rule changes when you need to include (or not include) the CVV2 security code when processing transactions. Failure to follow the new rules may result in declined transactions. For many merchants this will mean changes inside call centers and mail order operations. For example:
  • For call centers, existing systems may not allow for collection of CVV2. This will require changes to support CVV2 collection and could increase your scope, compliance footprint, and costs.
  • For mail order, the collection of CVV2 will be prohibited. This may require changes to forms and systems.
  • And in both cases, your systems will need to provide more information about the type of transaction being processed. This may also require system changes.
If you are looking for more information on any of these additional requirements, we've provided some links for further reading below. We recommend that you reach out to your acquirer or assessor for assistance in understanding how this regulation will affect you. Or you can give us a call, we’d be happy to help.

Further Reading

Visa Canada

Visa International

General PCI Guidance

The 3 Approaches to Penetration Testing for PCI DSS (April 11, 2018)

Understanding PCI DSS requirements in depth can often be confusing and frustrating. The requirements covering penetration testing, PCI DSS 11.3, are a case in point. This article will help those of you who are seeking compliance to know what is expected and guide you in the right direction. Specifically, we will look at what penetration testing is, how to perform penetration tests, the different types of penetration tests, and what you need to get out of penetration testing to be successful.

What Is Penetration Testing?

Security vulnerabilities are usually hidden, non-obvious, and easily overlooked by most people. Security testing brings these problems to light and should put them in perspective. PCI DSS mandates objectives for several types of security tests, including rogue wireless detection (PCI DSS 11.0), vulnerability scanning (PCI DSS 11.2), and penetration testing (PCI DSS 11.3). Rogue wireless detection and vulnerability scanning are essentially technical surveying techniques. Penetration testing goes beyond this and can often include human factors as well. Penetration testing utilizes a broad set of tools and skills that can satisfy a wide range of security objectives, but for this article we will focus just on PCI. Penetration testing is a process used by organizations to understand the impact of security vulnerabilities. In contrast to vulnerability scanning, a penetration test is not just a simple enumeration of identified and potential vulnerabilities reported with metrics and identifiers such as CVSS scores and CVE numbers. While penetration tests often include vulnerability scans, they attempt to answer deeper questions about vulnerabilities: How can they be exploited by attackers? How far can attackers go? What can attackers do? And what are the implications for the organization? Penetration testers usually actively attempt to exploit systems, but can use other techniques to go beyond vulnerability enumeration. The key to penetration testing is that it should provide an objective method to confirm vulnerabilities, to demonstrate how they can be chained together, how they can be leveraged to attain greater network and system control, and to confirm the harm that can arise from a successful attack. Organizations can then leverage the results of these tests to achieve improvements and mitigate risks.

By analogy, security testing lets you see not only that your doors and windows are locked, but how good those locks are, and whether your kids will let strangers into your house.

The Process

Penetration tests should be performed with a well-thought-out plan and objectives. Once the strategies and methods to be used are decided, the assessment usually begins with reconnaissance to gather information on systems, processes, and people. This can be performed actively and/or passively and draws on DNS interrogation, network surveys, web presence, and more. From here, vulnerabilities are identified using methods such as vulnerability scanners, OS fingerprinting, banner grabbing, and service enumeration. Frequently used attack vectors include weak user credentials, insecure default configurations, and software, protocol, and application vulnerabilities. Human-focused activities such as phishing and social engineering may also be attempted. Once vulnerabilities have been discovered, exploitation is attempted: the tester uses manual and automated techniques to attempt to exploit the identified vulnerabilities. If access is obtained, a diligent penetration tester will attempt to escalate privileges and maintain access. Tests should include a cleanup step to remove or nullify any modifications introduced by the tests. Finally, the tester delivers a detailed report of findings. There are three main strategies used to approach penetration testing:

White-Box Testing

The tester is provided full disclosure of the environment prior to commencement.

Advantages:

  • Can effectively simulate attacks by insiders and by organizations that are highly motivated or well funded and employ sophisticated methods
  • A time- and cost-effective way to address the in-depth surveillance and research used by this type of attacker

Disadvantages:

  • Security teams may be aware of the testing, thus a realistic assessment of detective controls or incident response may not be achieved

Grey-Box Testing

The tester is provided partial disclosure prior to commencement.

Advantages:

  • Helps balance the advantages and disadvantages of white and black box methods
  • Can provide very convincing demonstrations of vulnerabilities

Disadvantages:

  • Difficulties can be experienced when determining the exact level of knowledge to provide
  • Reporting can be a challenge if your audience (e.g. management) believes too much was shared

Black-Box Testing

The tester is provided minimal knowledge of the environment prior to attack.

Advantages:

  • Effectively simulates common attack scenarios and attacks of opportunity
  • Allows entities to test their detection and response methods

Disadvantages:

  • Lower threshold for attacker skill/effort may mean some findings and attack vectors are missed

Penetration Testing and PCI Compliance

Penetration tests can be time consuming and require specialized resources; however, they play an important role in the ongoing maintenance of a strong information security program. It is critical to ensure the objectives of penetration tests are well defined and understood so that an organization gets the most value from these exercises. The objectives will not only cover the scope and methods employed, but will guide how results are reported. For example, a penetration test for PCI DSS will be less concerned with denial of service vulnerabilities than a penetration test to validate operational resilience. PCI DSS requires entities to complete penetration and segmentation tests as follows:
  • Following a methodology based on an industry accepted approach
  • Penetration tests annually and after any significant change
  • Coverage of the entire cardholder data environment perimeter and critical systems
  • Both network and application layer testing
  • Segmentation tests semi-annually and after any significant change
  • Review of threats and vulnerabilities over the previous 12 months
  • Retention of records of testing and remediation
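As an added example (not code from the original article), the cadence rules listed above expressed as a small checker over test records. The record format, the sample dates, and the 365-day and 182-day windows used to stand in for "annually" and "semi-annually" are assumptions made for illustration.

```python
"""Check penetration and segmentation test records against the PCI DSS
cadence listed above. Added example, not the article's own code. The
record format, the sample dates, and the day counts chosen to stand in
for "annually" and "semi-annually" are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Assumed maximum age of the most recent test of each kind, in days.
MAX_AGE_DAYS = {
    "penetration": 365,   # annually
    "segmentation": 182,  # semi-annually
}


@dataclass(frozen=True)
class TestRecord:
    kind: str           # "penetration" or "segmentation"
    performed: date     # date the test was completed
    open_findings: int  # findings not yet remediated (record retention)


def latest(records, kind):
    """Most recent test date of the given kind, or None if none on record."""
    dates = [r.performed for r in records if r.kind == kind]
    return max(dates) if dates else None


def evaluate_cadence(records, significant_changes, today):
    """Map each test kind to the list of reasons it is out of cadence.

    An empty list means that kind of test is current. Both the interval
    rule and the "after any significant change" rule are checked: a test
    performed before the most recent significant change does not cover it.
    """
    last_change = max(significant_changes) if significant_changes else None
    result = {}
    for kind, max_age in MAX_AGE_DAYS.items():
        reasons = []
        last = latest(records, kind)
        if last is None:
            reasons.append("no test on record")
        else:
            age = (today - last).days
            if age > max_age:
                reasons.append(f"last test {age} days ago, limit {max_age}")
            if last_change is not None and last < last_change:
                reasons.append(f"no test since significant change on {last_change}")
        result[kind] = reasons
    return result


def unremediated(records):
    """Tests whose findings are still open; remediation must be recorded."""
    return [r for r in records if r.open_findings > 0]


# Constructed sample data: one fictitious entity, assessed on 2018-10-01.
SAMPLE_RECORDS = [
    TestRecord("penetration", date(2017, 11, 15), open_findings=0),
    TestRecord("segmentation", date(2018, 3, 20), open_findings=2),
]
SAMPLE_CHANGES = [date(2018, 6, 30)]  # e.g. a new payment gateway deployed
SAMPLE_TODAY = date(2018, 10, 1)


if __name__ == "__main__":
    verdict = evaluate_cadence(SAMPLE_RECORDS, SAMPLE_CHANGES, SAMPLE_TODAY)
    for kind, reasons in verdict.items():
        status = "OK" if not reasons else "; ".join(reasons)
        print(f"{kind:12s} {status}")
    for rec in unremediated(SAMPLE_RECORDS):
        print(f"{rec.kind} test of {rec.performed} still has {rec.open_findings} open findings")
```

In the sample, the penetration test is within its yearly window but predates the June change, and the segmentation test fails on both the interval and the change rule.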

Segmentation Tests

Segmentation tests represent a fourth strategy that differs from the penetration test methods previously discussed. Segmentation tests validate the effectiveness of the isolation of networks and components. In comparison to penetration tests, segmentation tests are not as intensive and are usually less expensive. Within PCI, proof of effective segmentation mechanisms is necessary for organizations seeking to simplify and reduce their scope.

Learn More

For more information on penetration testing, see:

Becoming PCI compliant can be difficult, so why not let Control Gap guide you. We are the largest dedicated PCI compliance company in Canada. Contact us today and learn more about how we can help you: Get PCI Compliant. Stay PCI Compliant.

September's Breach

The most recent breach announcement came late last week and the exposure lasted over 13 months: As the new week dawned we began to get more information as Facebook rushed to comply with GDPR notification requirements: More information emerges about the impact, remediation, and GDPR as the week goes on:

Other Recent Issues

Even without the breach Facebook has had other security and privacy issues come to light: A few very recent developments that would normally be positive are likely being completely drowned out by the bad news:

Facebook's Annus Horribilis

Facebook is still dealing with the fallout from previous troubles. In fact  2018 has been a terrible year: [post_title] => Social Network Spiraling - Everything Going On with Facebook Up Until Now [post_excerpt] => [post_status] => publish [comment_status] => open [ping_status] => open [post_password] => [post_name] => social-network-spiraling-everything-going-on-with-facebook-up-until-now [to_ping] => [pinged] => https://controlgap.com/blog/cambridge-analytica-facebook-scandal/ https://business.financialpost.com/pmn/business-pmn/child-experts-file-ftc-complaint-against-facebook-kids-app [post_modified] => 2018-10-15 14:04:06 [post_modified_gmt] => 2018-10-15 14:04:06 [post_content_filtered] => [post_parent] => 0 [guid] => http://controlgap.com/?p=1871 [menu_order] => 14 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [comment_count] => 0 [current_comment] => -1 [found_posts] => 47 [max_num_pages] => 16 [max_num_comment_pages] => 0 [is_single] => [is_preview] => [is_page] => [is_archive] => 1 [is_date] => [is_year] => [is_month] => [is_day] => [is_time] => [is_author] => [is_category] => 1 [is_tag] => [is_tax] => [is_search] => [is_feed] => [is_comment_feed] => [is_trackback] => [is_home] => [is_404] => [is_embed] => [is_paged] => [is_admin] => [is_attachment] => [is_singular] => [is_robots] => [is_posts_page] => [is_post_type_archive] => [query_vars_hash:WP_Query:private] => 0573d79d0a353cbc766661db59ba41a2 [query_vars_changed:WP_Query:private] => 1 [thumbnails_cached] => [stopwords:WP_Query:private] => [compat_fields:WP_Query:private] => Array ( [0] => query_vars_hash [1] => query_vars_changed ) [compat_methods:WP_Query:private] => Array ( [0] => init_query_flags [1] => parse_tax_query ) )
WP_Query Object ( [query] => Array ( [post_type] => post [post_status] => publish [cat] => 14, 134, 1 [orderby] => date [order] => desc [posts_per_page] => 3 [paged] => 1 [ignore_sticky_posts] => 1 ) [query_vars] => Array ( [post_type] => post [post_status] => publish [cat] => 14 [orderby] => date [order] => DESC [posts_per_page] => 3 [paged] => 1 [ignore_sticky_posts] => 1 [error] => [m] => [p] => 0 [post_parent] => [subpost] => [subpost_id] => [attachment] => [attachment_id] => 0 [name] => [static] => [pagename] => [page_id] => 0 [second] => [minute] => [hour] => [day] => 0 [monthnum] => 0 [year] => 0 [w] => 0 [category_name] => charity [tag] => [tag_id] => [author] => [author_name] => [feed] => [tb] => [meta_key] => [meta_value] => [preview] => [s] => [sentence] => [title] => [fields] => [menu_order] => [embed] => [category__in] => Array ( ) [category__not_in] => Array ( ) [category__and] => Array ( ) [post__in] => Array ( ) [post__not_in] => Array ( ) [post_name__in] => Array ( ) [tag__in] => Array ( ) [tag__not_in] => Array ( ) [tag__and] => Array ( ) [tag_slug__in] => Array ( ) [tag_slug__and] => Array ( ) [post_parent__in] => Array ( ) [post_parent__not_in] => Array ( ) [author__in] => Array ( ) [author__not_in] => Array ( ) [update_post_term_cache] => 1 [suppress_filters] => [cache_results] => [lazy_load_term_meta] => 1 [update_post_meta_cache] => 1 [nopaging] => [comments_per_page] => 50 [no_found_rows] => ) [tax_query] => WP_Tax_Query Object ( [queries] => Array ( [0] => Array ( [taxonomy] => category [terms] => Array ( [0] => 14 [1] => 134 [2] => 1 ) [field] => term_id [operator] => IN [include_children] => 1 ) ) [relation] => AND [table_aliases:protected] => Array ( [0] => wpcm_term_relationships ) [queried_terms] => Array ( [category] => Array ( [terms] => Array ( [0] => 14 [1] => 134 [2] => 1 ) [field] => term_id ) ) [primary_table] => wpcm_posts [primary_id_column] => ID ) [meta_query] => WP_Meta_Query Object ( [queries] => Array ( ) [relation] => 
[meta_table] => [meta_id_column] => [primary_table] => [primary_id_column] => [table_aliases:protected] => Array ( ) [clauses:protected] => Array ( ) [has_or_relation:protected] => ) [date_query] => [request] => SELECT SQL_CALC_FOUND_ROWS wpcm_posts.ID FROM wpcm_posts LEFT JOIN wpcm_term_relationships ON (wpcm_posts.ID = wpcm_term_relationships.object_id) WHERE 1=1 AND ( wpcm_term_relationships.term_taxonomy_id IN (1,14,134) ) AND wpcm_posts.post_type = 'post' AND ((wpcm_posts.post_status = 'publish')) GROUP BY wpcm_posts.ID ORDER BY wpcm_posts.menu_order, wpcm_posts.post_date DESC LIMIT 0, 3 [posts] => Array ( [0] => WP_Post Object ( [ID] => 1871 [post_author] => 9 [post_date] => 2018-10-04 12:44:11 [post_date_gmt] => 2018-10-04 12:44:11 [post_content] => In case you missed it, Facebook has had some issues recently and its only getting uglier. Catch up on the news below:

September's Breach

The most recent breach announcement came late last week and the exposure lasted over 13 months: As the new week dawned we began to get more information as Facebook rushed to comply with GDPR notification requirements: More information emerges about the impact, remediation, and GDPR as the week goes on:

Other Recent Issues

Even without the breach Facebook has had other security and privacy issues come to light: A few very recent developments that would normally be positive are likely being completely drowned out by the bad news:

Facebook's Annus Horribilis

Facebook is still dealing with the fallout from previous troubles. In fact  2018 has been a terrible year: [post_title] => Social Network Spiraling - Everything Going On with Facebook Up Until Now [post_excerpt] => [post_status] => publish [comment_status] => open [ping_status] => open [post_password] => [post_name] => social-network-spiraling-everything-going-on-with-facebook-up-until-now [to_ping] => [pinged] => https://controlgap.com/blog/cambridge-analytica-facebook-scandal/ https://business.financialpost.com/pmn/business-pmn/child-experts-file-ftc-complaint-against-facebook-kids-app [post_modified] => 2018-10-15 14:04:06 [post_modified_gmt] => 2018-10-15 14:04:06 [post_content_filtered] => [post_parent] => 0 [guid] => http://controlgap.com/?p=1871 [menu_order] => 14 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [1] => WP_Post Object ( [ID] => 1566 [post_author] => 2 [post_date] => 2018-09-12 13:36:50 [post_date_gmt] => 2018-09-12 13:36:50 [post_content] =>

PCI Rules Aren't the Only Ones You Need to Comply With

Most organizations concerned with payment compliance are focused on the PCI Data Security Standard (DSS), but PCI is only part of the story. Every card brand and payment association has their own operating rules and regulations that also need to be followed. Many of these rules and regulations fly below the radar of most people and organizations. However, sometimes these rule changes have far reaching impacts. These rule changes most commonly impact card Issuers, Acquirers, and Processors.  These organizations need to understand, evaluate, and implement new requirements. In many cases,  the changes are nearly transparent to merchants and cardholders. This article looks at a few recent of the requirements that will impact merchants and cardholders.

October's Mandates

Visa is introducing a number of changes starting this October that will affect all merchants that take mail order and telephone (MOTO) transactions. This currently affects Canadian merchants but will also expand to other markets. Specifically, the rule changes when you need to include (or not include) the CVV2 security codes when processing transactions.  Failure to follow the new rules may result in declined transactions. For many merchants this will mean changes inside call centers and mail order operations. For example:
  • For call centers, existing systems may not allow for collection of CVV2. This will require changes to support CVV2 collection and could increase your scope, compliance footprint, and costs.
  • For mail order, the collection of CVV2 will be prohibited. This may require changes to forms and systems.
  • And in both cases, your systems will need to provide more information about the type of transaction being processed. This may also require system changes.
If you are looking for more information on any of these additional requirements, we've provided some links for further reading below. We recommend that you reach out to your acquirer or assessor for assistance in understanding how this regulation will affect you. Or you can give us a call, we’d be happy to help.

Further Reading

Visa Canada

Visa International

General PCI Guidance

    [post_title] => If You Take Credit Cards By Phone or Mail - You Need to Read About Visa's October Mandate [post_excerpt] => [post_status] => publish [comment_status] => open [ping_status] => open [post_password] => [post_name] => if-you-take-credit-cards-by-phone-or-mail-you-need-to-read-about-visas-october-mandate [to_ping] => [pinged] => https://controlgap.com/blog/call-centers-pci-compliance/ [post_modified] => 2018-09-12 13:36:50 [post_modified_gmt] => 2018-09-12 13:36:50 [post_content_filtered] => [post_parent] => 0 [guid] => http://controlgap.com/?p=1566 [menu_order] => 18 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [2] => WP_Post Object ( [ID] => 1420 [post_author] => 7 [post_date] => 2018-04-11 11:25:21 [post_date_gmt] => 2018-04-11 11:25:21 [post_content] => Understanding PCI DSS requirements in depth can often be confusing and frustrating. The requirements covering penetration testing, PCI DSS 11.3, are a case in point. This article will help those of you who are seeking compliance to know what is expected and to guide you in the right direction. Specifically, we will look at what penetration testing is, how to perform penetration tests, the different types of penetration tests, and what you need to get out of penetration testing to be successful.

What Is Penetration Testing?

Security vulnerabilities are usually hidden, non-obvious, and easily overlooked by most people. Security testing brings these problems to light and should put them in perspective.  PCI DSS mandates objectives for several types of security tests including rogue wireless detection (PCI DSS 11.0), vulnerability scanning (PCI DSS 11.2), and penetration testing (PCI DSS 11.3). Rogue wireless detection and vulnerability scanning are basically technical surveying techniques. Penetration testing goes beyond this and can often include human factors as well. Penetration testing often utilizes a broad set of tools and skills that can be used to satisfy a wide range of security objectives but for this article we will focus just on PCI. Penetration testing is a process used by organizations to understand the impact of security vulnerabilities. In contrast to a vulnerability scanning, penetration tests aren't just a simple numeration of identified vulnerabilities and potential vulnerabilities reported with metrics and identifiers like (CVSS, and CVE).  While penetration tests often include vulnerability scans, they attempt to answer deeper questions about vulnerabilities, such as: How they can be exploited by attackers? How far attackers can go? What can attackers do? And, what are the implications to the organization? Penetration testers usually actively attempt to exploit systems but can use other techniques to go beyond vulnerability enumeration. The key to penetration testing is that it should provide an objective method to confirm vulnerabilities, to demonstrate how they can be linked, how they can be leveraged to attain greater network and system control, and to confirm the harm that can arise from a successful attack. Organizations can then leverage the results of these tests to achieve improvements and mitigate risks. 
By analogy, security testing allows you to see not only that your doors and windows are locked; but how good those locks are, and if your kids will let strangers into your house.

The Process

Penetration tests should be performed with a well thought out plan and objectives. Once the strategies and methods to be used are decided, the assessment usually begins with reconnaissance to determine information on systems,  processes, and people. This can be performed actively and/or passively and uses information from DNS interrogation, network surveys, web presence, and more. From here, vulnerabilities are identified using various methods such as vulnerability scanners, OS fingerprinting, banner grabbing, and service enumeration. Frequently used attack vectors include the discovery of weak user credentials, default-insecure configurations, software, protocol, and application vulnerabilities. Human focused activities such as Phishing and Social Engineering may also be attempted. Once vulnerabilities have been discovered, exploitation is attempted. The attacker will use manual and automated techniques to attempt to exploit identified vulnerabilities. If access is obtained, a diligent penetration tester will attempt to escalate privileges and maintain access. Tests should include a cleanup step to remove or nullify any modifications introduced by the tests. Finally, the tester will deliver a detailed report of findings. There are three main strategies used to approach penetration testing:

White-Box Testing

The tester is provided full disclosure of the environment prior to commencement.

Advantages:

  • Can effectively simulate attacks by insiders and organizations that are highly motivated or well funded and employ sophisticated methods
  • Time and cost effective way to address the in depth surveillance and research used by this type of attack

Disadvantages:

  • Security teams may be aware of the testing, thus a realistic assessment of detective controls or incident response may not be achieved

Grey-Box Testing

The tester is provided partial disclosure prior to commencement.

Advantages:

  • Helps balance the advantages and disadvantages of white and black box methods
  • Can provide very convincing demonstrations of vulnerabilities

Disadvantages:

  • Difficulties can be experienced when determining the exact level of knowledge to provide
  • Reporting can be a challenge if your audience (e.g. management) believes too much was shared

Black-Box Testing

The tester is provided minimal knowledge of the environment prior to attack.

Advantages:

  • Effectively simulates common attack scenarios and attacks of opportunity
  • Allows entities to test their detection and response methods

Disadvantages:

  • Lower threshold for attacker skill/effort may mean some findings and attack vectors are missed

Penetration Testing and PCI Compliance

Penetration tests can be time consuming and require specialized resources, however, they play an important role in the ongoing maintenance of a strong information security program. It is critical to ensure the objectives of penetration tests are well defined and understood to ensure an organization gets the most value from these exercises. The objectives will not only cover the scope and methods employed, but will guide how results are reported.  For example, a penetration test for PCI DSS will be less concerned with denial of service vulnerabilities than a penetration test to validate operational resilience. PCI DSS requires entities to complete penetration and segmentation tests as follows:
  • Following a methodology based on an industry accepted approach
  • Penetration tests annually and after any significant change
  • Coverage of the entire cardholder data environment perimeter and critical systems
  • Both network and application layer testing
  • Segmentation tests semi-annually and after any significant change
  • Review of threats and vulnerabilities over the previous 12 months
  • Retention of records of testing and remediation

Segmentation Tests

Segmentation tests represent a fourth strategy that differs from the penetration test methods previously discussed. Segmentation tests validate the effectiveness of the isolation of networks and components. Compared to penetration tests, segmentation tests are less intensive and usually less expensive. Within PCI, proof of effective segmentation mechanisms is necessary for organizations seeking to simplify and reduce their scope.
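A segmentation test boils down to one question: from an out-of-scope network, can any cardholder data environment (CDE) service be reached at all? The script below is an added example, not Control Gap's tooling; it probes a constructed list of CDE targets from the out-of-scope vantage point it is run on, treats every completed TCP handshake as a finding, and emits a record suitable for the retention requirement listed above. Hosts, ports and the vantage-point label are placeholders.

```python
import json
import socket
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Iterable


@dataclass(frozen=True)
class Target:
    """A CDE service that must NOT be reachable from the out-of-scope vantage point."""
    host: str
    port: int


def tcp_reachable(target: Target, timeout: float = 2.0) -> bool:
    """True only if a TCP handshake completes; refusals, timeouts and DNS failures all count as blocked."""
    try:
        with socket.create_connection((target.host, target.port), timeout=timeout):
            return True
    except OSError:
        return False


def segmentation_findings(targets: Iterable[Target],
                          probe: Callable[[Target], bool] = tcp_reachable) -> list[Target]:
    """Every reachable CDE target is a finding: the isolation control did not hold."""
    return [t for t in targets if probe(t)]


def segmentation_record(vantage: str, targets: list[Target],
                        probe: Callable[[Target], bool] = tcp_reachable) -> dict:
    """Build a retention-friendly record of the test (PCI expects records of testing and remediation)."""
    findings = segmentation_findings(targets, probe)
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "vantage_point": vantage,
        "targets_probed": len(targets),
        "findings": [f"{t.host}:{t.port}" for t in findings],
        "result": "PASS" if not findings else "FAIL",
    }


if __name__ == "__main__":
    # Constructed placeholders; replace with the CDE inventory from the scoping exercise.
    CDE_TARGETS = [Target("10.10.20.5", 443), Target("10.10.20.5", 1433), Target("10.10.20.9", 22)]
    print(json.dumps(segmentation_record("out-of-scope office LAN", CDE_TARGETS), indent=2))
```

Run it once from each out-of-scope segment that claims isolation; a FAIL record lists exactly which host:port pairs the segmentation mechanism let through and belongs in the remediation file.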

Learn More

For more information on penetration testing, see: _______________________________________________________________

Becoming PCI Compliant can be difficult, so why not let Control Gap guide you. We are the largest dedicated PCI compliance company in Canada. Contact us today and learn more about how we can help you: Get PCI Compliant. Stay PCI Compliant.

Social Network Spiraling – Everything Going On with Facebook Up Until Now

In case you missed it, Facebook has had some issues recently and it's only getting uglier. Catch up on the news below:

September's Breach

The most recent breach announcement came late last week and the exposure lasted over 13 months:

As the new week dawned we began to get more information as Facebook rushed to comply with GDPR notification requirements:

More information emerges about the impact, remediation, and GDPR as the week goes on:

Other Recent Issues

Even without the breach, Facebook has had other security and privacy issues come to light:

A few very recent developments that would normally be positive are likely being completely drowned out by the bad news:

Facebook's Annus Horribilis

Facebook is still dealing with the fallout from previous troubles. In fact, 2018 has been a terrible year:
Social Network Spiraling – Everything Going On with Facebook Up Until Now
October 4 2018

In case you missed it, Facebook has had some issues recently and it's only getting uglier. Catch up on the news below: September's Breach The most recent breach announcement came late last week and the exposure lasted over 13 months: User single-signon "access tokens" were exposed through the "view as" feature. At least 53M users 

If You Take Credit Cards By Phone or Mail – You Need to Read About Visa’s October Mandate
September 12 2018

PCI Rules Aren’t the Only Ones You Need to Comply With Most organizations concerned with payment compliance are focused on the PCI Data Security Standard (DSS), but PCI is only part of the story. Every card brand and payment association has their own operating rules and regulations that also need to be followed. Many of

The 3 Approaches to Penetration Testing for PCI DSS
April 11 2018

Understanding PCI DSS requirements in depth can often be confusing and frustrating. The requirements covering penetration testing, PCI DSS 11.3, are a case in point. This article will help those of you who are seeking compliance to know what is expected and to guide you in the right direction. Specifically, we will look at what
