Halli Goodman : Apr 11, 2018 10:07:00 PM
Understanding PCI DSS requirements in depth can often be confusing and frustrating. The requirements covering penetration testing, PCI DSS 11.3, are a case in point. This article will help those of you who are seeking compliance to know what is expected and to guide you in the right direction. Specifically, we will look at what penetration testing is, how to perform penetration tests, the different types of penetration tests, and what you need to get out of penetration testing to be successful.
Security vulnerabilities are usually hidden, non-obvious, and easily overlooked. Security testing brings these problems to light and puts them in perspective. PCI DSS mandates objectives for several types of security tests, including rogue wireless detection (PCI DSS 11.1), vulnerability scanning (PCI DSS 11.2), and penetration testing (PCI DSS 11.3). Rogue wireless detection and vulnerability scanning are essentially technical surveying techniques. Penetration testing goes beyond this and often includes human factors as well. Penetration testing draws on a broad set of tools and skills that can satisfy a wide range of security objectives, but this article focuses only on PCI.
Penetration testing is a process organizations use to understand the impact of security vulnerabilities. In contrast to vulnerability scanning, a penetration test is not just an enumeration of identified and potential vulnerabilities reported with metrics and identifiers such as CVSS scores and CVE IDs. While penetration tests often include vulnerability scans, they attempt to answer deeper questions about the vulnerabilities found: How can attackers exploit them? How far can attackers go? What can attackers do once they are in? And what are the implications for the organization? Penetration testers usually attempt to exploit systems actively, but they can also use other techniques to go beyond vulnerability enumeration. The key to penetration testing is that it provides an objective method to confirm vulnerabilities, to demonstrate how they can be chained together, how they can be leveraged to attain greater network and system control, and to confirm the harm that can arise from a successful attack. Organizations can then use the results to make improvements and mitigate risk.
By analogy, security testing lets you see not only that your doors and windows are locked, but how good those locks are, and whether your kids will let strangers into your house.
Penetration tests should be performed with a well thought out plan and clear objectives. Once the strategies and methods to be used are decided, the assessment usually begins with reconnaissance to gather information on systems, processes, and people. This can be performed actively and/or passively and draws on DNS interrogation, network surveys, the organization's web presence, and more. From there, vulnerabilities are identified using methods such as vulnerability scanners, OS fingerprinting, banner grabbing, and service enumeration. Frequently used attack vectors include weak user credentials, insecure default configurations, and software, protocol, and application vulnerabilities. Human-focused activities such as phishing and social engineering may also be attempted. Once vulnerabilities have been discovered, exploitation is attempted using manual and automated techniques. If access is obtained, a diligent penetration tester will attempt to escalate privileges and maintain access. Tests should include a cleanup step to remove or nullify any modifications introduced during testing (accounts created, tools dropped, configuration changed). Finally, the tester delivers a detailed report of findings.
There are three main strategies used to approach penetration testing:
The tester is provided full disclosure of the environment prior to commencement.
The tester is provided partial disclosure prior to commencement.
The tester is provided minimal knowledge of the environment prior to attack.
Penetration tests can be time consuming and require specialized resources, however, they play an important role in the ongoing maintenance of a strong information security program. It is critical to ensure the objectives of penetration tests are well defined and understood to ensure an organization gets the most value from these exercises.
The objectives will not only cover the scope and methods employed, but will guide how results are reported. For example, a penetration test for PCI DSS will be less concerned with denial of service vulnerabilities than a penetration test to validate operational resilience.
PCI DSS requires entities to complete both penetration tests and segmentation tests; the specific cadence and triggers are set out in Requirement 11.3.
Segmentation tests represent a fourth strategy that differs from the penetration test methods previously discussed. Segmentation tests validate the effectiveness of the isolation of networks and components: they confirm that systems outside the cardholder data environment (CDE) cannot reach systems inside it. Compared to penetration tests, segmentation tests are not as intensive and are usually less expensive. Within PCI, proof that segmentation mechanisms are actually effective is necessary for organizations seeking to simplify and reduce their scope; segmentation that is assumed but never tested does not reduce scope.
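The following is an added example (not code from the original article) of the core check a segmentation test performs: from a host on an out-of-scope segment, probe each in-scope CDE host and port that must be unreachable and classify the response. Two details matter in practice and are built in here. First, a TCP "connection refused" is a failure, not a pass: the RST proves the CDE host is reachable at the IP layer, so the firewall is rejecting rather than dropping traffic. Second, a control target that should be reachable is probed as well, so that a probing host with no connectivity at all cannot produce a clean result. The host addresses and ports in the demo are constructed for illustration.

```python
"""Segmentation check: from an out-of-scope position, probe CDE targets that must be unreachable.

Added example, not from the original article. Addresses, ports and the
PASS/FAIL policy below are assumptions for illustration.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable

# Outcome of one TCP connect attempt, seen from the segmentation control's point of view.
OPEN = "open"          # handshake completed: service reachable            -> FAIL
REFUSED = "refused"    # RST came back: host reachable, firewall rejects   -> FAIL
FILTERED = "filtered"  # timeout or no route: traffic dropped              -> PASS


@dataclass(frozen=True)
class Target:
    host: str
    port: int


@dataclass(frozen=True)
class ProbeResult:
    target: Target
    state: str

    @property
    def isolated(self) -> bool:
        # Only silently dropped traffic counts as isolated.
        return self.state == FILTERED


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt a TCP connect and classify the response."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        # Must be caught before OSError (it is a subclass of it).
        return REFUSED
    except (socket.timeout, TimeoutError, OSError):
        # Timeout, host/network unreachable: nothing answered from the target.
        return FILTERED
    finally:
        s.close()


def run_segmentation_test(cde_targets: Iterable[Target], control: Target,
                          probe: Callable[[str, int], str] = probe_tcp) -> dict:
    """Probe every CDE target and summarise.

    `control` is a host/port that SHOULD be reachable from the testing position
    (for example the out-of-scope segment's gateway). If it is not, the probing
    host may simply be offline and a clean result would prove nothing, so the
    report is marked invalid.
    """
    control_state = probe(control.host, control.port)
    results = [ProbeResult(t, probe(t.host, t.port)) for t in cde_targets]
    failures = [r for r in results if not r.isolated]
    valid = control_state == OPEN
    return {
        "valid": valid,
        "passed": valid and not failures,
        "results": results,
        "failures": failures,
    }


def local_self_check() -> dict:
    """Sanity-check the classifier against localhost: one listening port, one closed port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens on closed_port any more
    try:
        return {"listening": probe_tcp("127.0.0.1", open_port),
                "closed": probe_tcp("127.0.0.1", closed_port)}
    finally:
        srv.close()


if __name__ == "__main__":
    print("self-check:", local_self_check())
    # Constructed targets: CDE hosts that must be unreachable, plus a control that must be reachable.
    cde = [Target("10.10.1.5", 443), Target("10.10.1.6", 22), Target("10.10.1.7", 3389)]
    report = run_segmentation_test(cde, control=Target("192.168.50.1", 80))
    print("valid:", report["valid"], "passed:", report["passed"])
    for r in report["failures"]:
        print(f"FAIL {r.target.host}:{r.target.port} -> {r.state}")
```

Run it from a host on the segment being tested, not from inside the CDE, and repeat from every out-of-scope segment that claims isolation; a single vantage point only proves the paths it can see. Scan the full TCP port range rather than the short list above, and add UDP and ICMP probes where the segmentation policy is supposed to block them too.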