Penetration Testing mailing list archives
RE: The goal of pentest by PCI DSS?
From: "Gary Everekyan" <Gary.Everekyan () consumerinfo com>
Date: Mon, 5 Oct 2009 09:04:04 -0700
Generally all of PCI is related to PAN data. If you can manage the scope to be specific to that with your QSA than you are on the right track. (Critical) If you follow your example and lets say that you gain access to the DB than your encryption controls should suffice as secondary temporal controls for that threat vector. This does not mean that you can just let it be. You have on average 30 days to fix that until your next external scan which should also show the vulnerability or exposure to that vector. Secondly the purpose of any pen test is to identify logical unintended access vectors at all levels including social Eng. Generally you should act on the findings by applying some risk methodology to evaluate the probability or likelihood of the event with severity in mind. How the business will react to it is a different question all together. They can accept it transfer it or mitigate it( hence you will need authority resource and budget) Your last comment about social engineering, absolutely should be part of the Pen test. (PCI is very vague on this and they will rely on the (12)policy and enforcement sections to manage it.) HTH Regards, Gary Everekyan CISSP, CISM, CHS-III, ISSAP, ISSPCS, ITILp, CGEIT, MCSE, MCT -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Taras Sent: Sunday, October 04, 2009 11:42 AM To: pen-test () securityfocus com Subject: The goal of pentest by PCI DSS? Hello, all! There is requirement 11.3 in PCI DSS [0]: "... Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub- network added to the environment, or a web server added to the environment). ... "
From "Information Supplement: Payment Card Industry Data Security
Standard (PCI DSS) Requirement 11.3 Penetration Testing" [1]: " ... The scope of penetration testing is the cardholder data environment and all systems and networks connected to it. ... The penetration tests should attempt to exploit vulnerabilities and weaknesses throughout the cardholder data environment, attempting to penetrate both at the network level and key applications. The goal of penetration testing is to determine if unauthorized access to key systems and files can be achieved. .. " Does this mean that the main aim of pentester by PCI DSS is cardholder data? Or simply aim is to gain access (exploit vulnerabilities) to as much systems in CDE as possible? I asked about this because we can gain access to for example Oracle DB and do not try to search PANs in it. Or we can gain access to some users workstation and do not try to search cardholder data in file system. One more question. Do you use social engineering in pentests by PCI DSS? Thanks for answers! [0] https://www.pcisecuritystandards.org/security_standards/download.html?id =pci_dss_v1-2.pdf [1] https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_test ing.pdf -- Taras ---- "Software is like sex: it's better when it's free." - Linus Torvalds ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- The goal of pentest by PCI DSS? Taras (Oct 04)
- RE: The goal of pentest by PCI DSS? Victor Langåssve (Oct 05)
- Re: The goal of pentest by PCI DSS? Mohamed Farid (Oct 05)
- RE: The goal of pentest by PCI DSS? Victor Langåssve (Oct 06)
- RE: The goal of pentest by PCI DSS? Philip Cox (Oct 05)
- Re: The goal of pentest by PCI DSS? Jerome Athias (Oct 05)
- Re: The goal of pentest by PCI DSS? David M. Zendzian (Oct 05)
- RE: The goal of pentest by PCI DSS? Gary Everekyan (Oct 05)
- RE: The goal of pentest by PCI DSS? Taras (Oct 27)