Penetration Testing mailing list archives

RE: The goal of pentest by PCI DSS?


From: "Philip Cox" <phil.cox () systemexperts com>
Date: Mon, 5 Oct 2009 07:43:49 -0700

Taras,

My $.02

> Does this mean that the main aim of a pentester under PCI DSS is cardholder
> data?

Yes. When it gets down to it, the PCI DSS is all about protecting cardholder
data.

> Or is the aim simply to gain access (exploit vulnerabilities) to as
> many systems in the CDE as possible?

This too. If you can compromise a system in the CDE, then combinatorial
efforts may give access to CHD.

> I asked about this because we can gain
> access to, for example, an Oracle DB and not try to search for PANs in it.
> Or we can gain access to some user's workstation and not try to
> search for cardholder data in the file system.

So it seems that you are asking "Do I go depth first, or breadth first" in
the PCI-DSS pen-test? If that is the question, then there is no PCI guidance
on that. They'd say "do both". I tend to do a 40/60 split: breadth, depth.

> One more question. Do you use social engineering in pentests under PCI DSS?

You are supposed to (it is explicitly stated in the supplement), but I bet
most do not.

Phil



