The goal of pentest by PCI DSS?


The goal of pentest by PCI DSS?

by Taras P. Ivashchenko

Hello, all!

There is requirement 11.3 in PCI DSS [0]: "...
Perform external and internal penetration testing at least once a year
and after any significant infrastructure or application upgrade or
modification (such as an operating system upgrade, a sub-
network added to the environment, or a web server added to the
environment).
...
"

From "Information Supplement: Payment Card Industry Data Security
Standard (PCI DSS) Requirement 11.3 Penetration Testing" [1]:

"
...
The scope of penetration testing is the cardholder data environment and
all systems and networks connected to it.
...
The penetration tests should attempt to exploit vulnerabilities and
weaknesses throughout the cardholder data environment, attempting to
penetrate both at the network level and key applications. The
goal of penetration testing is to determine if unauthorized access to
key systems and files can be achieved.
..
"
Does this mean that the main aim of a pentester under PCI DSS is cardholder
data? Or is the aim simply to gain access (exploit vulnerabilities) to as
many systems in the CDE as possible? I ask about this because we could gain
access to, for example, an Oracle DB and not try to search for PANs in it.
Or we could gain access to some user's workstation and not try to search for
cardholder data in the file system.

One more question. Do you use social engineering in pentests under PCI DSS?

Thanks for answers!

[0]
https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
[1]
https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf

--
Taras
----
"Software is like sex: it's better when it's free." - Linus Torvalds



RE: The goal of pentest by PCI DSS?

by Victor Langåssve

Yes, the goal is the CDE, from both an internal and an external approach.

Yes, social engineering tests should be performed.


/Victor Langåssve, QSA


-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Taras
Sent: 4 October 2009 20:42
To: pen-test@...
Subject: The goal of pentest by PCI DSS?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


Re: The goal of pentest by PCI DSS?

by Mohamed Farid

Dear Taras:

The PCI DSS is only focusing on the credit card information - if you can
gain access to the cardholder data scope but you can't get any data
from it - then you will pass the requirement.
The main point is to not risk the information in the scope, which
concentrates on the sensitive information of the cardholder data ...

No - the pen test shouldn't contain social engineering - but of course
there is no problem to have it too ...

Thanks,
Mohamed Farid



Re: The goal of pentest by PCI DSS?

by Jerome Athias

On Sunday, 04 October 2009 at 22:41 +0400, Taras wrote:

> Does this mean that the main aim of pentester by PCI DSS is cardholder
> data?  Or simply aim is to gain access (exploit vulnerabilities) to as
> much systems in CDE as possible? I asked about this because we can gain
> access to for example Oracle DB and do not try to search PANs in it.
> Or we can gain access to some users workstation and do not try to search
> cardholder data in file system.

(Should be a good question to ask to (my friend? :p) A. Gironda)
For me, (after assuming that "Security is a process, not a product.",
Bruce Schneier), security should be transversal
(http://en.wikipedia.org/wiki/Transversal_line ).

>
> One more question. Do you use social engineering in pentests by PCI DSS?

A secretary always loves chocolate ;p
If it's a man, well... you should have some nice pictures in your
pocket ;)


/JA




Re: The goal of pentest by PCI DSS?

by David M. Zendzian

Yes to all of the above. First and foremost is whether you can gain access to
cardholder data. Second (and just as important) is whether any systems
within the cardholder environment can be compromised.

And as for social engineering, it doesn't specifically state that, but
if you can get a customer to work on that, then they will be better
rewarded knowing what risks they really have.

David



RE: The goal of pentest by PCI DSS?

by Philip Cox

Taras,

My $.02

> Does this mean that the main aim of pentester by PCI DSS is cardholder
> data?

Yes. When it gets down to it, the PCI DSS is all about protecting cardholder
data.

> Or simply aim is to gain access (exploit vulnerabilities) to as
> much systems in CDE as possible?

This too. If you can compromise a system in the CDE, then combinatorial
efforts may give access to CHD.

> I asked about this because we can gain
> access to for example Oracle DB and do not try to search PANs in it.
> Or we can gain access to some users workstation and do not try to
> search cardholder data in file system.

So it seems that you are asking "Do I go depth first, or breadth first" in
the PCI-DSS pen-test? If that is the question, then there is no PCI guidance
on that. They'd say "do both". I tend to do a 40/60 split: breadth, depth.

> One more question. Do you use social engineering in pentests by PCI DSS?

You are supposed to (it is explicitly stated in the supplement), but I bet
most do not.

Phil




RE: The goal of pentest by PCI DSS?

by Gary Everekyan

Generally all of PCI is related to PAN data. If you can manage the scope
to be specific to that with your QSA, then you are on the right track.
(Critical)
If you follow your example and let's say that you gain access to the DB,
then your encryption controls should suffice as secondary temporal
controls for that threat vector.
This does not mean that you can just let it be. You have on average 30
days to fix that until your next external scan, which should also show
the vulnerability or exposure to that vector.

Secondly, the purpose of any pen test is to identify logical unintended
access vectors at all levels, including social engineering. Generally you should
act on the findings by applying some risk methodology to evaluate the
probability or likelihood of the event with severity in mind. How the
business will react to it is a different question altogether. They can
accept it, transfer it or mitigate it (hence you will need authority,
resources and budget).

Your last comment about social engineering: it absolutely should be part of
the pen test. (PCI is very vague on this and they will rely on the
(12) policy and enforcement sections to manage it.)
HTH

Regards,
Gary Everekyan
CISSP, CISM, CHS-III, ISSAP, ISSPCS, ITILp, CGEIT, MCSE, MCT



RE: The goal of pentest by PCI DSS?

by Victor Langåssve


> No - the pen test shouldn't contain social engineering - but of course
> there is no problem to have it too ...
>
> Thanks,
> Mohamed Farid

That is wrong!

"Penetration testing should include network and application layer testing as well as controls and processes around the networks and applications..."

To be able to fully test different controls and processes, a social engineering test should be performed according to that last statement. This is not something that will fail you today (I have not seen a single RoC that has failed a company because of a non-existent social engineering test yet), but there are two different worlds between "validating" PCI DSS and being compliant. What is your goal?


/Victor Langåssve, QSA




RE: The goal of pentest by PCI DSS?

by Taras P. Ivashchenko

Hello, all again!

Sorry for the late answer.
I simply want to sum up the points of view in this discussion.

1. Cardholder data (CHD) is the main aim of a PCI DSS pentest.
2. Access to the key systems in the cardholder data environment (CDE) is the
second aim.
3. Social engineering must be performed. From "Information Supplement:
Payment Card Industry Data Security Standard (PCI DSS) Requirement 11.3
Penetration Testing":

"
...
Consider including all of these penetration-testing techniques (as well
as others) in the methodology, such as social engineering and the
exploitation of exposed vulnerabilities,
access controls on key systems and files, web-facing applications,
custom applications, and wireless connections.
...
"

Thanks all for answers!

--
Taras - OSCP, OSWP
----
"Software is like sex: it's better when it's free." - Linus Torvalds

