Does your organization use segmentation to isolate your cardholder data environment from other networks? Penetration testing can be a tool to ensure that your segmentation controls are working. PCI Requirement 11.3.4 addresses this methodology. It states, “If segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the cardholder data environment.”
The PCI Requirement 11.3.4 guidance explains, “The penetration testing should focus on the segmentation controls, both from outside the entity’s network and from inside the network but outside of the cardholder data environment, to confirm that they are not able to get through the segmentation controls to access the cardholder data environment.”
If your organization is using segmentation as a control or as a means to reduce the scope of your environment, your penetration test needs to include validation that whatever segmentation controls you have are in place and effective. For this test, we are looking for something within the documentation from the penetration test report that says that segmentation was tested and validated.
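One way to turn the raw results of a segmentation test into the evidence an assessor looks for, as an added example (Python that is not part of the original article and not KirkpatrickPrice's tooling; the CDE network, the approved flows, the probe results and the "external" / "internal-out-of-scope" vantage labels are all constructed assumptions for illustration):

```python
"""Evaluate segmentation-test evidence against PCI Requirement 11.3.4.

Input: the connectivity attempts a tester recorded from each vantage point.
Output: every reachable path into the CDE that the segmentation design does
not explicitly permit (a finding), plus a check that both vantage points the
11.3.4 guidance calls for were actually exercised.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Vantage points the 11.3.4 guidance expects: outside the entity's network,
# and inside the network but outside the CDE. Label names are an assumed convention.
REQUIRED_VANTAGES = {"external", "internal-out-of-scope"}


@dataclass(frozen=True)
class Probe:
    """One connectivity attempt recorded by the tester."""
    vantage: str     # "external" or "internal-out-of-scope"
    src: str         # address the tester launched from
    dst: str         # host that was probed
    port: int
    reachable: bool  # True if a connection was established


# Constructed design data (hypothetical addresses, not from the article).
CDE_NETWORKS = [ip_network("10.20.0.0/24")]

# Flows the segmentation design intentionally permits: (source net, dst host, port).
APPROVED_FLOWS = [
    (ip_network("10.10.5.0/24"), ip_address("10.20.0.10"), 443),  # store app -> payment API
]


def in_cde(addr):
    return any(ip_address(addr) in net for net in CDE_NETWORKS)


def is_approved(probe):
    src, dst = ip_address(probe.src), ip_address(probe.dst)
    return any(src in net and dst == host and probe.port == port
               for net, host, port in APPROVED_FLOWS)


def evaluate_segmentation(probes):
    """Classify results and decide whether the evidence shows effective segmentation."""
    findings, approved, ignored = [], [], []
    for p in probes:
        if not in_cde(p.dst):
            ignored.append(p)          # not a CDE target; irrelevant to 11.3.4
            continue
        if not p.reachable:
            continue                   # blocked, as the design intends
        (approved if is_approved(p) else findings).append(p)
    exercised = {p.vantage for p in probes if in_cde(p.dst)}
    missing = sorted(REQUIRED_VANTAGES - exercised)
    return {
        "effective": not findings and not missing,
        "findings": findings,
        "approved_reachable": approved,
        "missing_vantages": missing,
        "ignored": ignored,
    }


# Constructed sample results (203.0.113.0/24 is a documentation address range).
SAMPLE_PROBES = [
    Probe("external", "203.0.113.5", "10.20.0.10", 443, False),
    Probe("external", "203.0.113.5", "10.20.0.10", 22, False),
    Probe("internal-out-of-scope", "10.10.5.7", "10.20.0.10", 443, True),   # approved flow
    Probe("internal-out-of-scope", "10.10.5.7", "10.20.0.11", 3389, True),  # segmentation finding
    Probe("internal-out-of-scope", "10.10.5.7", "10.20.0.10", 22, False),
]


def report(probes):
    """Render the evidence lines an assessor would expect to see in the report."""
    r = evaluate_segmentation(probes)
    lines = [f"Segmentation effective: {'yes' if r['effective'] else 'NO'}"]
    for p in r["findings"]:
        lines.append(f"FINDING  {p.vantage}: {p.src} -> {p.dst}:{p.port} reachable, not an approved flow")
    for p in r["approved_reachable"]:
        lines.append(f"expected {p.vantage}: {p.src} -> {p.dst}:{p.port} reachable (approved flow)")
    for v in r["missing_vantages"]:
        lines.append(f"GAP      no probes recorded from the '{v}' vantage point")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PROBES))
```

The point of the `missing_vantages` check is that a test run only from the Internet, or only from the corporate LAN, does not satisfy the guidance quoted above even if it produced no findings; the verdict is "effective" only when every reachable path is a documented, approved flow and both vantage points were covered.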
What To Do with Exploitable Vulnerabilities
The purpose of penetration testing is to find vulnerabilities before an attacker does; when you find them, those vulnerabilities need to be corrected. PCI Requirement 11.3.3 states, “Exploitable vulnerabilities found during penetration testing are corrected, and testing is repeated to verify the corrections.”
During an assessment, you will provide your assessor with penetration testing results that verify that you found and implemented a solution to exploitable vulnerabilities, and you repeated testing to confirm this.
During the test, your penetration testers will identify any vulnerabilities. It is expected that you resolve them. It is also required that you keep a copy of that original penetration test for your assessor to review. We’re also going to ask that you perform a retest to validate that, after you have gone through your remediation, those particular items have been resolved. In other words, a secondary penetration test is required to make sure that any vulnerabilities identified in the original penetration test have been appropriately resolved and are no longer a vulnerability within your environment.
Internal Penetration Testing
PCI Requirement 11.3.2 requires that organizations perform internal penetration testing at least annually and after any significant upgrade or modification. Internal penetration tests focus on servers, workstations, and other network devices that are within the target environment. The goal is to identify exploitable weaknesses that could allow an attacker to gain access to these systems, ultimately leading to access to sensitive data.
When determining what constitutes a significant change, the PCI DSS guidance states, “The determination of what constitutes a significant upgrade or modification is highly dependent on the configuration of a given environment. If an upgrade or modification could allow access to cardholder data or affect the security of the cardholder data environment, then it could be considered significant. Performing penetration tests after network upgrades and modifications provides assurance that the controls assumed to be in place are still working effectively after the upgrade or modification.”
PCI Requirement 11.3.2 is much the same as PCI Requirement 11.3.1. You need to perform an internal penetration test of your environment. We have already talked about internal and external tests, but these tests need to be performed by qualified, competent staff. The tests also need to be performed annually and after any significant changes. Anything that was identified during that test needs to be resolved, and then retests will occur to validate that you have closed out those issues.
From an assessment perspective, we are looking at your penetration testing methodology. We are looking at the results of this, and we are making sure that you have done your internal and external tests. We are also making sure that those individuals who have done these tests are qualified to do so.
External Penetration Tests
PCI Requirement 11.3.1 requires that organizations perform external penetration testing at least annually and after any significant upgrade or modification. External penetration tests focus on servers, workstations, and other network devices that are within the target environment. The goal is to identify exploitable weaknesses that could allow an attacker to gain access to these systems, ultimately leading to access to sensitive data.
When determining what constitutes a significant change, the PCI Requirement 11.3.1 guidance states, “The determination of what constitutes a significant upgrade or modification is highly dependent on the configuration of a given environment. If an upgrade or modification could allow access to cardholder data or affect the security of the cardholder data environment, then it could be considered significant. Performing penetration tests after network upgrades and modifications provides assurance that the controls assumed to be in place are still working effectively after the upgrade or modification.”
When a penetration test is conducted, it needs to be conducted against your external environment and your internal environment. We are looking from the Internet, trying to get in, and, typically, from your corporate environment, trying to get into the cardholder data environment as well. From an assessment perspective, we’re looking at the results of the penetration test and the subnets covered by those results. For example, we’re looking at where the test was performed from and the direction in which the attack was simulated.
What is Penetration Testing?
The key component of PCI Requirement 11.3 is penetration testing. Who can perform the testing? What’s involved? When should it be performed? PCI Requirement 11.3 outlines the qualities of an effective penetration testing methodology, which include:
Based on industry-accepted penetration testing approaches
Includes coverage for the entire cardholder data environment perimeter and critical systems
Includes testing from both inside and outside the network
Includes testing to validate any segmentation and scope-reduction controls
Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in PCI Requirement 6.5
Defines network-layer penetration tests to include components that support network functions as well as operating systems
Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
Specifies retention of penetration testing results and remediation activities results.
You may be wondering how penetration testing is different from vulnerability scanning. Conducting a vulnerability scan may be one of the first steps a penetration tester performs in order to plan the testing strategy, although it is not the only step. Penetration testing is generally a highly manual, active process, where the tester uses their knowledge of systems to penetrate an environment. Often the tester will chain several types of exploits together with the goal of breaking through layers of defenses. The intent of penetration testing is to simulate real-world attacks against your environment so that you can identify any potential vulnerabilities and see how far an attacker would be able to get into your environment.
PCI Requirement 11.3 requires that you have a penetration test done. There are several requirements within this that talk about methodologies, using competent staff, who can do it, and how it is performed. At the end of the day, though, the intent behind this particular event is to recreate real-world attacks against your environment, so that we can identify any vulnerabilities that might be exposed in the environment.
Part of PCI Requirement 11.3 is that you have a documented methodology. This methodology is something that your assessor is going to be asking for. It is a document describing your methodology for how a penetration test is to be performed in your environment. If you outsource your penetration testing to a third party, and you tell your assessor that you use company X’s penetration testing methodology, that is insufficient. The process should be to define a methodology that says, “When you perform a penetration test in my environment, this is how we expect it to be done. These are the criteria by which we conduct our tests, these are the things that we do, and this is what we consider a successful test.” When you go to your penetration testers, you are to provide that methodology to them, and they are supposed to create a statement of work based on it. They are also supposed to execute the test based on your penetration testing methodology.
If you have questions about the penetration testing methodology, KirkpatrickPrice has a template that we can provide you to help you put that together. Please feel free to get ahold of your assessor and they’ll be happy to help you out with that document.