What is network penetration testing?
PCI DSS Requirement 11 calls for regular vulnerability scanning and penetration testing. Naturally, vulnerability scans and pen tests are sound security practices for any business, whether in the PCI/HIPAA realm or not. Regular scans proactively identify vulnerabilities, and annual penetration tests dive into the complexities of your network to find root causes and prescribe solutions.
The PCI SSC also requires a penetration test whenever a business makes a significant change to its IT environment, for example moving from SSL to IPsec or introducing new network zones (such as a new department).
Whether you're building a network, or you're in your tenth year of PCI DSS certification, you'll need to pen test your network. Here's the info you need to get started.
Penetration testing in general is a type of "ethical certified hacking" during which a pen tester attempts to enter and exploit your IT environment. There are a few types: Segmentation Checks, Application Penetration Tests, Wireless Penetration Tests, and Network Penetration Tests.
Segmentation Checks look for misconfigured firewalls. Application Penetration Tests find security issues caused by application coding flaws. When we pen test a network, we look for security issues in the design, implementation, and maintenance of servers, workstations, and network services.
See also: Types of Penetration Testing; The What, The Why, and The How
Hackers will target anything that stores, processes, or transmits credit card information or personally identifiable information (PII). If you're in the HIPAA realm, that also includes protected health information (PHI). The location(s) at which you store this information are collectively known as the Cardholder Data Environment (CDE).
So, a Network Pen Test is mainly concerned with three areas:
Network Penetration Tests commonly find the following security issues: misconfigured software, firewalls, and operating systems; outdated software and operating systems; insecure protocols; and unnecessary exposures.
To discover these problems, a professional penetration tester will first scour and test the perimeters of all the zones and areas, examine the access points between them, and try to travel between zones that are not meant to connect. Then they'll test critical systems. This includes any technology that is not directly connected to the CDE but that, if compromised, could give an attacker access to it.
See also: Network Penetration Testing Webinar
A pen tester looks for potential stepping stones. For example, they might look into the shared services zone, which includes employee devices. If a hacker compromised an employee device, could they then pivot and access the CDE? Could they escalate their privileges?
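The segmentation concerns described above (zones that should not be able to reach each other, any-port rules, and cleartext protocols into the CDE) can be checked statically against a firewall rule set before anyone sends a packet. The following is an added example, not code from the original article or from any vendor; it assumes a hypothetical zone model (`ZONES`), a constructed policy intent (`CDE_ALLOWED_SOURCES`), and a simplified `allow|deny src dst port` rule syntax of its own. It audits only permit rules and does not model rule ordering or shadowing, so it is a review aid, not a substitute for a segmentation check that confirms the policy against live traffic.

```python
"""Static segmentation audit of a firewall rule set against a zone model.

All zones, address ranges and rules below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical address plan: one subnet per zone (assumption, not from the article).
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "CDE": ipaddress.ip_network("10.10.0.0/24"),
    "SHARED_SERVICES": ipaddress.ip_network("10.20.0.0/24"),
    "CORPORATE": ipaddress.ip_network("10.30.0.0/24"),
    "DMZ": ipaddress.ip_network("192.168.100.0/24"),
}

# Constructed policy intent: only these zones may originate traffic into the CDE.
CDE_ALLOWED_SOURCES: Set[str] = {"CDE", "DMZ"}

# Cleartext / legacy services that should never be permitted into the CDE.
INSECURE_PORTS: Dict[int, str] = {21: "ftp", 23: "telnet", 80: "http", 445: "smb"}


@dataclass
class Rule:
    line: int
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]              # None means "any port"


def _net(token: str) -> ipaddress.IPv4Network:
    """'any' is treated as 0.0.0.0/0; other tokens must be CIDR or a host address."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_rules(text: str) -> List[Rule]:
    """Parse the toy 'action src dst port' syntax; '#' starts a comment."""
    rules: List[Rule] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, port = line.split()
        rules.append(Rule(n, action.lower(), _net(src), _net(dst),
                          None if port == "any" else int(port)))
    return rules


def zones_touched(net: ipaddress.IPv4Network) -> Set[str]:
    """Every zone the network overlaps (0.0.0.0/0 overlaps all of them)."""
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    return hit or {"UNKNOWN"}


def audit(rules: List[Rule]) -> List[dict]:
    """Flag permit rules into the CDE that violate the zone model."""
    report: List[dict] = []
    for r in rules:
        if r.action != "allow" or "CDE" not in zones_touched(r.dst):
            continue                  # only permits that can reach the CDE matter here
        issues: List[str] = []
        bad_src = zones_touched(r.src) - CDE_ALLOWED_SOURCES
        if bad_src:                   # a path from a zone that should not reach the CDE
            issues.append("cross_zone:" + ",".join(sorted(bad_src)))
        if r.port is None:            # any-port permits are unnecessary exposure
            issues.append("any_port")
        elif r.port in INSECURE_PORTS:
            issues.append("insecure_protocol:" + INSECURE_PORTS[r.port])
        if issues:
            report.append({"line": r.line, "issues": issues})
    return report


# Constructed sample rule set (not a real configuration).
SAMPLE_RULES = """\
allow 192.168.100.0/24 10.10.0.0/24 443   # DMZ web tier -> CDE payment API (intended)
allow 10.20.0.0/24 10.10.0.0/24 3389      # shared services -> CDE RDP (stepping stone)
allow 10.30.0.0/24 10.10.0.0/24 any       # corporate -> CDE on every port
allow 10.10.0.0/24 10.10.0.0/24 23        # telnet inside the CDE
allow any 10.10.0.0/24 443                # anywhere -> CDE HTTPS
allow any 10.20.0.0/24 22                 # ssh into shared services: not a CDE rule
deny any any any                          # default deny
"""

if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_RULES)):
        print(f"rule line {finding['line']}: {', '.join(finding['issues'])}")
```

Run as a script it lists the four offending rules (lines 2 to 5 of the sample); rule 1 is the intended DMZ-to-CDE path and rule 6 never touches the CDE, so neither is reported. Feeding it a real rule base means writing a parser for that vendor's export format in place of `parse_rules` and replacing the constructed zone table with the organisation's own address plan.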
There are five stages of a professional pen test:
It depends on your organization and its scope. For an average level 4 merchant, a network pen test should take 2-3 days. For a level 1 merchant processing millions of credit cards annually, it could take a week or two.
See also: PCI Penetration Testing Data Sheet
Not all pen testers are created equal. Some services advertised as professional pen tests are basically glorified vulnerability scans. If you trust blindly, there's a chance you'll get shortchanged. So it's extremely important to engage with potential providers; talk to them and keep the dialogue honest. Pay attention to the questions they ask before quoting you. Do they understand, and can they cover, the scope and complexity of your IT environment? Find out whether they have specific experience or specialty in your type of network. Other questions to ask:
It's possible, but not recommended. A penetration tester should be an outside, neutral party. The person finding the issues should not be the person responsible for fixing them, since an internal tester naturally brings blind spots and assumptions.
See also: BambooHR Annual Penetration Test Case Study
A pen test gives you a holistic view of what your security truly looks like. Companies and merchants with poor security practices across their environment leave themselves vulnerable. If a company has an immature network with unpatched systems, its desktop systems are likely in a similar state.
Network pen tests are a necessary part of a healthy security culture. And don't forget other types of pen tests, such as segmentation checks, application penetration tests, and wireless penetration tests. It helps to think of your pen tests and vulnerability scans as a way to cover as much of your environment as possible. Diversify your tests and scans for a more robust security practice. Repeating tests is fine, but trying a new type of test adds coverage you did not have before.
At the end of the day, it’s not just cardholder information that a company needs to protect. It’s the company’s reputation. Whether it’s a small business or large corporation, hackers can deface websites, publicize sensitive info, or hold data ransom if and when they find an opportunity.