This post highlights a major turning point in the industry: the move from vague "check-the-box" audits to a rigorous, standardized methodology for penetration testing.
In March 2015, the PCI Council released their Information Supplement for Penetration Testing Guidance. This is a fantastic move; previous guidelines were centered simply on the completion of penetration tests, leaving the actual methodology up to the individual auditor.
With this guidance, we now have a clear definition of what qualifies as a penetration test in the eyes of the Council. While I encourage everyone to read the full document, I’d like to focus on a few key highlights that are particularly impactful for organizational security.
In Section 2.2, scope is explained in depth. Traditionally, the Cardholder Data Environment (CDE) has been the primary focus for testers. At NetWorks Group, we have long educated clients on the need to expand testing to include systems that could impact the CDE, even if they aren't part of it. We are now fortunate enough to have this spelled out in official guidance:
“To be considered out of scope for PCI DSS, a system component must be isolated (segmented) from the CDE, such that even if the out of scope system component was compromised it could not impact the security of the CDE.”
This is great news for the community. If we identify a threat residing in an adjacent network (such as a user network), we can now target it as part of a PCI penetration test. For the client, this provides a much more realistic picture of the risks that adjacent networks pose to their sensitive cardholder data.
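The isolation criterion quoted above is testable: if any probe sent from a candidate "out of scope" segment reaches a CDE component, the segment is not isolated and belongs in the penetration test scope. The following is an added example (not code from NetWorks Group or the PCI Council) that evaluates constructed connectivity-probe results against that criterion. The CSV format, segment names, and IP addresses are all made up for illustration; the interpretation that a "closed" response still proves a path exists is my own reading, since a TCP reset means the CDE host received the packet.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (not real hosts): one connectivity probe per row,
# sent from a host in a candidate out-of-scope segment toward a CDE component.
# Columns: source_segment, source_host, dest_host, dest_port, result
# result is one of: open (connected), closed (host answered, port shut),
# filtered (no answer: the segmentation control dropped the traffic).
PROBE_RESULTS = """\
source_segment,source_host,dest_host,dest_port,result
corp-users,10.20.1.15,10.10.0.5,443,open
corp-users,10.20.1.15,10.10.0.5,22,filtered
corp-users,10.20.1.15,10.10.0.9,1433,filtered
guest-wifi,10.30.4.2,10.10.0.5,443,filtered
guest-wifi,10.30.4.2,10.10.0.9,1433,filtered
printers,10.50.2.8,10.10.0.9,1433,closed
printers,10.50.2.8,10.10.0.5,443,filtered
dev-lab,10.40.0.7,10.10.0.9,1433,open
dev-lab,10.40.0.7,10.10.0.5,443,filtered
"""

# Results that prove a network path exists. "closed" is deliberately included
# (assumption, see lead-in): a TCP RST means the CDE host received the probe,
# so the segmentation control did not isolate the segment even though that
# particular service happened to be down.
REACHABLE_RESULTS = {"open", "closed"}
VALID_RESULTS = REACHABLE_RESULTS | {"filtered"}


@dataclass(frozen=True)
class Probe:
    segment: str
    src: str
    dst: str
    port: int
    result: str


def parse_probes(text: str) -> list[Probe]:
    """Parse CSV probe results, rejecting malformed rows instead of guessing."""
    probes = []
    # Header is line 1, so the first data row is line 2 for error messages.
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        result = row["result"].strip().lower()
        if result not in VALID_RESULTS:
            raise ValueError(f"line {lineno}: unknown result {row['result']!r}")
        probes.append(Probe(row["source_segment"].strip(), row["source_host"].strip(),
                            row["dest_host"].strip(), int(row["dest_port"]), result))
    return probes


def classify_segments(probes: list[Probe]) -> dict[str, dict]:
    """Apply the isolation criterion: a segment is isolated only if no probe
    from it reached any CDE component. Every reachable path is recorded so the
    report can show the evidence, not just the verdict."""
    report = defaultdict(lambda: {"isolated": True, "paths": []})
    for p in probes:
        entry = report[p.segment]
        if p.result in REACHABLE_RESULTS:
            entry["isolated"] = False
            entry["paths"].append((p.src, p.dst, p.port, p.result))
    return dict(report)


def segments_in_pentest_scope(report: dict[str, dict]) -> list[str]:
    """Segments that failed isolation and therefore belong in the PCI pentest scope."""
    return sorted(seg for seg, entry in report.items() if not entry["isolated"])


if __name__ == "__main__":
    report = classify_segments(parse_probes(PROBE_RESULTS))
    for seg in sorted(report):
        status = "isolated" if report[seg]["isolated"] else "IN SCOPE"
        print(f"{seg:12} {status}")
        for src, dst, port, result in report[seg]["paths"]:
            print(f"    {src} -> {dst}:{port} ({result})")
```

With the constructed data, guest-wifi is the only segment that can be documented as isolated; corp-users, dev-lab and printers each have at least one path into the CDE and would be included in the test. The per-path evidence is what an assessor needs in the report to justify the scoping decision.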
Section 4.2.5 covers post-exploitation, a process NetWorks Group has long incorporated into our methodology. This refers to the actions taken after the initial compromise of a system.
We often encounter environments where previous penetration tests stopped at the device itself. Without evaluating the value of that device inside the environment or how it relates to the CDE, the test is incomplete. The new guidance ensures that testers look at the "big picture" of a breach.
The PCI Council included very helpful charts that help businesses distinguish between vulnerability scans and penetration tests (Section 2.1).
We frequently assist organizations that have received what looks like a vulnerability report when they actually paid for a full penetration test. This section helps clarify those differences so you know exactly what service you are receiving.
Finally, Section 5.4 helps organizations evaluate the reports they receive from vendors. As a penetration tester, the “deliverable” is the most important part of our business. It must contain relevant information that helps you assess risk.
This new section gives those receiving reports a "yardstick" to measure quality. It forces vendors to provide the depth of information that auditors (and security teams) actually need to improve their posture.
This is a great step forward for PCI guidance. These changes raise the bar for the entire industry, forcing companies to provide the high-quality, rigorous penetration tests that merchants have needed for a long time.