What is Penetration Testing?

They key component of PCI Requirement 11.3 is penetration testing. Who can perform the testing? What’s involved? When should it be performed? PCI Requirement 11.3 outlines the qualities of an effective penetration testing methodology, which include:

• Based on industry-accepted penetration testing approaches
• Includes coverage for the entire cardholder data environment perimeter and critical systems
• Includes testing from both inside and outside the network
• Includes testing to validate any segmentation and scope-reduction controls
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in PCI Requirement 6.5
• Defines network-layer penetration tests to include components that support network functions as well as operating systems
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
• Specifies retention of penetration testing results and remediation activities results.

You may be wondering how penetration testing is different than vulnerability scanning. Conducting a vulnerability scan may be one of the first steps a penetration tester will perform in order to plan the testing strategy, although it is not the only step. Penetration testing is generally a highly manual, active process, where the tester uses their knowledge of systems to penetrate into an environment. Often the tester will chain several types of exploits together with a goal of breaking through layers of defenses. The intent of penetration testing is to simulate real-world attacks against your environment so that you can identify any potential vulnerabilities and see how far an attacker would be able to enter into your environment.

PCI Requirement 11.3 requires that you have a penetration test done. There are several requirements within this that talk about methodologies, using competent staff, who can do it, and how it is performed. At the end of the day, though, the intent behind this particular event is to recreate real-world attacks against your environment, so that we can identify any vulnerabilities that might be exposed to the environment.

Part of PCI Requirement 11.3 is that you have a documented methodology. This methodology is something that your assessor is going to be asking for. It is a document that is your methodology about how to perform a penetration test in your environment. If you outsource your penetration testing to a third party, and you tell your assessor that you use company X’s penetration testing methodology, that is insufficient. The processes that this should go through is defining a methodology that says, “When you perform a penetration test in my environment, this is how we expect it to be done. These are the merits by which we conduct our tests, these are the things that we do, and this is what we consider a successful test.” When you go to your penetration testers, you are to provide that methodology to them, and they are supposed to create a statement of work based on that. They are also supposed to execute the test based on your penetration testing methodology.

If you have questions about the penetration testing methodology, KirkpatrickPrice has a template that we can provide you to help you put that together. Please feel free to get ahold of your assessor and they’ll be happy to help you out with that document.

Significant Changes in Your Cardholder Data Environment

PCI Requirement 11.2.3 requires that any time that you have made a significant change in your environment, whether it be internal or external, you run a vulnerability scan. A significant change could be something like new system component installations, changes in network topology, firewall rule modifications, or product upgrades, but what constitutes a significant change depends on the configuration of your environment. A good baseline for what constitutes a significant change may be if the change could allow access to cardholder data or impact the security of the cardholder data environment.

The PCI DSS explains, “Scanning an environment after any significant changes are made ensures that changes were completed appropriately such that the security of the environment was not compromised as a result of the change. All system components affected by the change will need to be scanned.”

To verify compliance with PCI Requirement 11.2.3, an assessor will examine your change control documentation and compare it to your vulnerability scan reports, and also validate that your scans were performed by qualified individuals.

PCI Requirement 11.2.3 requires that any time that you have made a significant change in your environment, whether it be internal or external, you run a scan. This particular scan can be run by an internal resource, but they do have to have some organizational independence and must know what they’re doing. For example, it can be an ASV that is performing that, but it does not have to be.

What the assessors are going to be doing, or what they should be doing, is going back and asking for a series of change controls. Subsequent to that, they should be asking for the subsequent scan that represents that changes that you have made and that they did not introduce any vulnerabilities into your environment. PCI Requirement 11.2.3 is not based on quarters, it may be based on an event.

What is an ASV?

To comply with PCI Requirement 11.2.2, you must use a PCI SSC Approved Scanning Vendor (ASV). An ASV is defined as, “An organization with a set of security services and tools (‘ASV scan solution’) to conduct external vulnerability scanning services to validate adherence with the external scanning requirements of PCI DSS Requirement 11.2.2. The scanning vendor’s ASV scan solution is tested and approved by PCI SSC before an ASV is added to PCI SSC’s List of Approved Scanning Vendors.”

The second component of PCI Requirement 11.2.2 is quarterly external vulnerability scans. External networks are at such a great risk of being compromised, which is why quarterly external vulnerability scans, and rescans as needed, are vital to scanning programs.

During an assessment, your assessor will follow these testing procedures:

• Examine your four most recent quarters of external vulnerability scans and verify that four quarterly external vulnerability scans occurred in the most recent 12-month period.
• Review the results of each quarterly scan and rescan to verify that the ASV Program Guide requirements for a passing scan have been met.
• Review the scan reports to verify that the scans were completed by an ASV.

PCI Requirement 11.2.2 is very similar in nature to PCI Requirement 11.2.1, but PCI Requirement 11.2.2 requires that you perform external vulnerability scans. Where PCI Requirement 11.2.1 allowed an internal qualified resource to perform that activity, PCI Requirement 11.2.2 is a little different there: you must use an ASV to perform that activity on your behalf. KirkpatrickPrice would be happy to help you with that service, and we provide that service for many of our clients. There are many other organizations that can do that as well.

Nevertheless, effectively anything with the CVSS sore of 4.0 or higher needs to be addressed within that quarterly timeframe. Understand that a lot of organizations might miss a scan or forget to do it for whatever reason, and then ask us to help them define a compensating control. We’ll talk about compensating controls later, but understand that this is one of those controls that is very difficult to define, especially defining a compensating control for a failure in your program. So, understand that it is different if you identify vulnerabilities versus forgetting to scan—those are really two different conversations. Your assessor in both of these cases, for PCI Requirement 11.2.1 and PCI Requirement 11.2.2, is going to be asking for evidence of your quarterly scan and then any remediation scans that you have done to demonstrate that any vulnerabilities identified have been fixed.

Vulnerabilities and Your Risk Ranking System

PCI Requirement 11.2.1 states, “Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all ‘high risk’ vulnerabilities are resolved in accordance with the entity’s vulnerability ranking.” Remember the risk ranking system you created for PCI Requirement 6.1? This comes back into play for PCI Requirement 11.2.1. This risk ranking system gives you the ability to identify, prioritize, and address high risk vulnerabilities more quickly and reduce the likelihood that they will be exploited. The vulnerabilities that you find from vulnerability scans will also be useful information for your risk ranking system.

Vulnerability scans can be automated or manual, but they should always be performed by qualified individuals who are reasonably independent of the system components being scanned.

PCI Requirement 11.2.1 says that you have to perform quarterly vulnerability scans within your environment. These scans that are performed need to be done by somebody that has organizational independence and knows what they are doing because they have been trained on how to perform these scans. When you run these scans, it is likely that you are going to identify vulnerabilities. What we expect is that you feed that information back into PCI Requirement 6.1, which is your vulnerability identification and risk-ranking program. Where you have identified a vulnerability, you have risk-ranked it, and it is high in your environment, so we expect you to take corrective actions to fix that and address those vulnerabilities before the next scan.

Running Network Vulnerability Scans

PCI Requirement 11.2 requires that organizations run internal and external network vulnerability scans at least quarterly and also after any significant change in the network. It’s crucial that vulnerability scans are performed by qualified personnel. Vulnerability scans are a combination of automated or manual tools and techniques ran against external and internal network devices and servers and are designed to expose potential vulnerabilities that could be exploited by attackers.

PCI Requirement 11.2 has three sub-requirements, including:

• 11.2.1: Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify that all high risk vulnerabilities are resolved in accordance with the organization’s vulnerability ranking, per PCI Requirement 6.1.
• 11.2.2: Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the PCI SSC. Perform rescans as needed, until passing scans are achieved.
• 11.2.3: Perform internal and external scans, and rescans as needed, after any significant change, such as after new system component installations, changes in network topology, firewall rule modifications, product upgrades, etc.

PCI Requirement 11.2 has several requirements around vulnerability identification, and from a high-level perspective, we are going to be performing internal and external scans. We are also going to be performing scans any time that we have made a change within the environment. We’ll talk about these in detail in the next set of requirements.