PCI-DSS Penetration Testing

N/A
N/A
Protected

Academic year: 2021

Share "PCI-DSS Penetration Testing"

Copied!
15
0
0

Loading.... (view fulltext now)

Full text

(1)

Adam Goslin, Co-Founder

High Bit Security

May 10, 2011

(2)

• High Bit helps companies obtain or maintain their PCI compliance (Level 1 through Level 4 compliance)

• High Bit will identify where your organization stands against the PCI-DSS standards (GAP analysis), provide remediation advice, guide your team through the process, coordinate with your chosen Qualified Security Assessor, participate in your onsite audit to ease your mind, assist with any remediation items from the onsite audit

• High Bit has an ongoing PCI Compliance management solution to mitigate surprises at next year's audit

• High Bit provides cost-effective Penetration Testing - external or internal testing against network and/or application layers

• High Bit’s manual Penetration Testing is performed by security engineers that hold industry recognized certifications

(3)

A vulnerability scan is performed by a pre-configured computer program that evaluates your network and applications for vulnerabilities, and produces a report. This report will contain false positives and require interpretation.

External vulnerability scanning (from outside your network) is required for PCI-DSS, and must be performed by an Approved Scan Vendor (ASV). High Bit Security can perform your scanning requirements through one of our partners. Internal vulnerability scanning can be done by a qualified internal or 3rd-party source. If you already have a firm doing Penetration Testing, they should be able to handle this for you.

(4)

This is a security engagement performed by highly skilled security engineers (all High Bit Security engineers hold at least one industry-recognized certification and have a background in multiple development languages), against the network and/or application layer – externally or internally.

Vulnerability scanning is included with all penetration tests from High Bit Security, but the primary focus of the penetration test is intensive manual testing by our experienced penetration testing engineers. The High Bit Security team advises our clients of what we found, where we found it and specifics surrounding how to fix it.

(5)

Why do Penetration Testing if already Vulnerability Scanning?

Vulnerability scanners are good at finding known vulnerabilities but are not very good at identifying logical faults, and often fail to find serious security flaws in custom-coded applications. Since vulnerability scans rely on preconfigured pattern recognition, there are many aspects of a system that cannot be tested completely (or at all). Penetration testing provides coverage for serious security faults that scanners are incapable of testing.

Ultimately, the difference between a vulnerability scan and a full penetration test is that security engineers think, analyze, track, follow up and judge, and scanners do not. Reliance on scans alone will almost certainly lead to an insecure posture.
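As an added illustration (constructed here, not code from the deck or from High Bit Security) of slide 5's point that pattern-based scanners miss logical faults in custom code, and of the validation scripts and per-finding "corrected / not corrected" designations slides 10 and 12 describe: a checkout total that trusts client input, its corrected form, and a check internal staff can run to confirm the fix. The catalog, prices and abuse cases are constructed; the functions and names are hypothetical.

```python
from dataclasses import dataclass

CATALOG = {"widget": 25_00, "gadget": 40_00}  # constructed prices, in cents
MAX_QTY = 100


@dataclass
class Line:
    sku: str
    qty: int
    unit_price: int  # price as submitted by the client with the cart


def total_vulnerable(cart: list[Line], coupon_percent: int) -> int:
    # Logical fault: trusts client-supplied quantity and price and never
    # bounds the coupon. No known-vulnerability signature matches this,
    # so a pattern-based scanner reports the endpoint clean.
    subtotal = sum(line.qty * line.unit_price for line in cart)
    return subtotal - subtotal * coupon_percent // 100


def total_hardened(cart: list[Line], coupon_percent: int) -> int:
    # Fix: the server re-derives every value it is about to bill.
    if not 0 <= coupon_percent <= 50:
        raise ValueError("coupon outside policy range")
    subtotal = 0
    for line in cart:
        if line.sku not in CATALOG:
            raise ValueError(f"unknown sku {line.sku}")
        if not 1 <= line.qty <= MAX_QTY:
            raise ValueError(f"quantity out of range for {line.sku}")
        subtotal += line.qty * CATALOG[line.sku]  # client price ignored
    return subtotal - subtotal * coupon_percent // 100


def validate_fix(total_fn) -> dict[str, bool]:
    # Issue-validation script for internal staff: a case passes when the
    # function returns the expected total, or raises where None is expected.
    # The per-case results feed the finding's corrected / not corrected mark.
    cases = {
        "legitimate order bills catalog price": ([Line("widget", 2, 25_00)], 10, 45_00),
        "negative quantity rejected": ([Line("widget", -3, 25_00), Line("gadget", 1, 40_00)], 0, None),
        "client-set price ignored": ([Line("widget", 1, 1)], 0, 25_00),
        "coupon over 100% rejected": ([Line("widget", 1, 25_00)], 150, None),
    }
    results = {}
    for name, (cart, coupon, expected) in cases.items():
        try:
            results[name] = total_fn(cart, coupon) == expected
        except ValueError:
            results[name] = expected is None
    return results
```

Running `validate_fix` against the vulnerable version fails three of the four cases; against the hardened version all four pass, which is the evidence a remediation testing report records for that finding.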

(6)

• Testing the network layer (firewalls, web servers, email servers, FTP servers, etc.); the application layer (all major development languages, all major web servers, all major operating systems, all major browsers); wireless systems; internal workstations, printers, fax machines; WAR dialing phone numbers; virtual environments including cloud; internet-enabled devices; and more. We have tested law enforcement systems, state and municipal government systems, and private sector systems ranging from online gaming to financial institutions.

• With thousands of hours of experience, we have performed single engagements covering more than 4000 IP addresses and other engagements with thousands of web pages covering multiple systems.

(7)

• Penetration Testing engagements are required by many compliance programs (such as the Payment Card Industry Data Security Standard)

• Penetration Testing greatly improves your security posture

• Penetration Testing should be performed regularly (at least annually), due to the constant addition / removal of hardware in your environment, code releases, patching requirements, and manual environment modifications

(8)

• Penetration Testing is performed against multiple layers of your environment:

– Network Layer – Performed against the network layer of your environment (web servers, file servers, firewalls, routers, email servers). This layer is evaluated for vulnerabilities and configuration issues, with all results validated by a security engineer

– Application Layer – Performed against applications (primarily web applications) looking for application layer vulnerabilities, logical faults, and web server configuration issues.

• External Penetration Testing: testing is performed from outside your environment (similar to a hacker)

• Internal Penetration Testing: testing is performed from inside your environment (similar to a hacker that has breached the outer defenses)

(9)

• 30-minute consultation for scope gathering: the goal of scope gathering is to clearly understand the requirements of the engagement so we’re quoting exactly what is required

• Proposal generated; contract approval

• Scheduling of the engagement

• Testing performed between testing windows

• Finding reports generated and delivered

• Post testing consultation (if required)

• Customer corrects open issues, requests remediation testing

• Open issues are checked again to ensure they’re corrected

(10)

• Finding Reports

– Type of issue that was discovered

– Detailed description of issue type

– Specific examples of where the issue was found

– Specific instructions on how to fix the issue. As appropriate, these include:

• Screenshots

• Code samples

• Sample scripts that can be used by internal staff for issue validation

• These reports are so detailed that, in most cases, remediation starts immediately.

(11)

• Final Report

– This report contains all of the individual finding reports

– Also contains a summary of all testing results, whether the testing yielded finding reports or not

– The results of the full report should be reviewed in detail, specifically as it relates to the appropriate configuration of your environment. The objective is to leave open only that which is required, so this review is a good time to validate your business requirements against the detailed information contained in a final report.

(12)

• Remediation Testing Report

– This report will provide detailed specifics around the testing, and provide a designation against each of the finding reports, indicating whether each issue is corrected

– In the event an issue requires further work, we will provide (as appropriate) details about the remediation testing results, including screenshots, scripts, and descriptions of findings through the remediation testing

– Once all issues have been corrected, the remediation testing report will reflect accordingly, and can be used as proof to an auditor of successful testing completion

(13)

• Customer-facing reports available? Yes – once all items are remediated, we will provide a sanitized customer-facing letter indicating the results of the testing engagement

• Sample reports available? Yes – please send us an email either through the website or directly.

• We have questions that were not answered…

– Feel free to contact us at any time – we’d be happy to help

– Go to www.HighBitSecurity.com tomorrow; we’re loading a FAQ page that should answer the vast majority of questions we’ve come across

(14)

PCI Compliance: Overview and First Steps to Success

PCI Compliance: Detailed Requirements Walkthrough

PCI Compliance: Penetration Testing and Enhancing Security for Networks and Applications

(15)

Free consultations for PCI DSS compliance

Free consultations for Penetration Testing

High Bit Security

Adam Goslin - Founder

Cell: 248-388-4328

Email: [email protected]
