A whitepaper containing important clarifications made in the PCI Council’s penetration test informational supplement.
By: Gary Glover
To ensure minimal confusion with the new PCI DSS penetration test requirements (Requirement 11.3), the PCI Council released a much-needed penetration test informational supplement in March 2015.
Download the whitepaper for a detailed analysis, or read on for a quick overview of the newest changes and additional guidance to PCI DSS penetration test requirements.
Use industry-accepted approaches
Now, an industry-recognized methodology must be used when conducting a penetration test (e.g., NIST 800-115, OWASP Testing Guide, etc.).
Include critical systems in the penetration test
In PCI 3.0, penetration testers are not supposed to neglect the critical systems in a merchant’s environment. The scope of the pen test should extend beyond the cardholder data environment and include any critical systems present in the merchant environment.
Continue external and internal penetration tests
The definition of internal and external testing didn’t change in 3.0, but which merchants are required to have an external or internal test did.
Provide authentication in application-layer and network-layer penetration testing
One of the clarifications detailed in this section is that penetration testers need to conduct an authenticated pen test. This means the customer must provide the penetration tester with credentials to access the system, instead of asking the tester to penetrate the system blindly.
Start testing network segmentation
Segmentation checks are new penetration tests that make sure merchants have segmented their network correctly.
Review of past vulnerabilities and threats
This brand new requirement explains that both merchants and penetration testers are responsible for reviewing a merchant’s past vulnerabilities.
Conclusion
For more information and details on the newest requirements, I encourage you to familiarize yourself with the informational supplement recently released by the PCI Council and download our whitepaper.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.
Pentesting vs Vulnerability Scanning: What’s the Difference?
Two very different ways to test your systems for vulnerabilities.
By: Gary Glover |
Penetration testing and vulnerability scanning are often confused for the same service. And, business owners sometimes purchase one when they really need the other.
A vulnerability scan is an automated, high-level test that looks for potential vulnerabilities and reports them. A penetration test is an exhaustive, live examination designed to exploit weaknesses in your system. Both types of testing can be performed on systems exposed to the Internet or only exposed on your internal network.
This post will dive deeper into the differences between the two tests.
What is a vulnerability scan?
Also known as vulnerability assessments, vulnerability scans assess computers, systems, and networks for security weaknesses. These scans are typically automated and give a first look into what vulnerabilities are present and could possibly be exploited.
High-quality vulnerability scans can search for over 50,000 vulnerabilities and are required by some cyber security mandates (PCI DSS, FFIEC, GLBA, etc.). Regardless of requirements, this type of scanning is a mainstay of cybersecurity threat prevention for any company wanting to protect its digital data.
Vulnerability scans can be instigated manually or scheduled on an automated basis, and will complete in as little as several minutes, to as long as several hours. These scans should be conducted at a minimum on all systems exposed to the Internet (for example, web servers, mail servers, etc. living in a DMZ). To be thorough they should also be conducted on all systems exposed on your internal network to detect vulnerabilities that could be exploited by data thieves if they happen to get past your edge defenses.
Vulnerability scans are a passive approach to vulnerability management, because they don’t go beyond reporting on vulnerabilities that are detected. It’s up to the business owner or his/her IT staff to patch weaknesses on a prioritized basis or confirm that a discovered vulnerability is a false positive, then rerun the scan.
To ensure the most important vulnerabilities are being scanned for, vulnerability scans should be conducted by a skilled team or well-known vulnerability scanning company. In the case of PCI DSS compliance you must use a PCI Approved Scanning Vendor, or ASV.
Reporting
After scan completion, a report will generate. Typically, vulnerability scans generate an extensive list of vulnerabilities found and references for further research on the vulnerability. Some even offer directions on how to fix the problem.
The report lists the identified weaknesses, but it sometimes includes false positives. A false positive is when a scan identifies a threat that’s not real. Sifting real vulnerabilities from false positives can be a chore, especially if many are falsely identified.
Benefits of a vulnerability scan
- Quick, high-level look at possible vulnerabilities
- Very affordable (~$100 per IP, per year, depending on the scan vendor)
- Automatic (can be automated to run weekly, monthly, quarterly, etc.)
- Takes minutes
Limitations of a vulnerability scan
- False positives
- Businesses must manually check each vulnerability before testing again
- Does not confirm that a vulnerability is possible to exploit
What is a penetration test?
A penetration test simulates a hacker attempting to get into a business system through the exploitation of vulnerabilities. Actual analysts, often called ethical hackers, try to prove that vulnerabilities can be exploited. Using methods like password cracking, buffer overflow, and SQL injection, they attempt to compromise and extract data from a network.
- Black hat attack methodologies (e.g., remote access attacks, SQL injection)
- Internal and external testing (i.e., perspective of someone within the network, perspective of hacker over Internet)
- Web front-end technologies (e.g., JavaScript, HTML)
- Web application programming languages (e.g., Python, PHP)
- Web APIs (e.g., RESTful, SOAP)
- Network technologies (e.g., firewalls, IDS)
- Networking protocols (e.g., TCP/UDP, SSL)
- Operating systems (e.g., Linux, Windows)
- Scripting languages (e.g., Python, Perl)
- Testing tools (e.g., Nessus, Metasploit)
- Live, manual tests mean more accurate and thorough results
- Rules out false positives
- Usually performed annually or after a significant change
- Time (1 day to 3 weeks)
- Cost ($5,000 to $70,000)
Which is better? A vulnerability scan or penetration test?
How Much Does a Pentest Cost?
Ethical hacking is a great way to discover where your business security fails.
Note: This post was originally published on April 15, 2015 and has been updated.
By: Gary Glover VP Security Assessments CISSP, CISA, QSA, PA-QSA |
Your company may have the technology in place to prevent data theft, but is it enough? How do you prove it? The most accurate way to know if you’re safe from a hacker is through live penetration testing, also called pen testing, or ethical hacking.
What is penetration testing?
To beat a hacker, you have to think like a hacker. Penetration test analysts analyze network environments, identify potential vulnerabilities, and try to exploit those vulnerabilities (or coding errors) just like a hacker would. Basically, they try to break into your company’s network to find security holes.
The Payment Card Industry Data Security Standard (PCI DSS) Requirement 11.3 requires both an internal and external penetration test, so most companies regularly receive penetration tests to comply with that requirement. But penetration testing isn’t limited to the PCI DSS. Any company can request a penetration test whenever they wish to measure their business security.
The time it takes to conduct a pen test varies based on the size of a company’s network, the complexity of that network, and the individual penetration test staff members assigned. A small environment can be done in a few days, but a large environment can take several weeks.
Vulnerability scanning and penetration testing are different.
Some people mistakenly believe vulnerability scanning or antivirus scans are the same as a professional penetration test. Some companies even advertise ‘penetration testing services’ when in fact they only offer vulnerability scanning services. As a general rule, any ‘pen test’ that is listed for less than $4,000 is probably not a real penetration test.
An external vulnerability scan is an automated, affordable, high-level test that identifies known weaknesses in network structures. Some are able to identify more than 50,000 unique external weaknesses.
Here are the two biggest differences. A vulnerability scan is automated, while a penetration test includes a live person actually digging into the complexities of your network. A vulnerability scan only identifies vulnerabilities, while a penetration tester digs deeper to identify, then attempt to exploit those vulnerabilities to gain access to secure systems or stored sensitive data.
See the difference now?
What’s the cost of a pen test?
With any business service, cost varies quite a bit based on a set of variables. The following are the most common variables to affect the cost of penetration testing services:
- Complexity: the size and complexity of your environment and network devices are probably the biggest factors of your penetration test quote. A more complex environment requires more labour to virtually walk through the network and exposed web applications looking for every possible vulnerability.
- Methodology: each pen tester has a different way they conduct their penetration test. Some use more expensive tools than others, which could increase the price. But more expensive tools could reduce the time of your test, and produce higher quality results.
- Experience: pen testers with more experience will be more expensive. Just remember, you get what you pay for. Beware of pen testers that offer prices that are too good to be true. They probably aren’t doing a thorough job. I suggest looking for penetration testers with credentials behind their name like CISSP, GIAC, CEH, or OSCP.
- Onsite: most penetration tests can be done offsite; however, in rare cases that involve very large or complex environments, an onsite visit could be required to adequately test your business security. Onsite visits are also required if you request a physical security or social engineering penetration test.
- Remediation: some pen testers include remediation assistance and/or retesting in their price. Others provide test results and disappear.
Penetration tests are worth it, every time.
With everything above accounted for, typically penetration tests start around $4,000 but can rise to well above $20,000.
No better way to test your security systems.
If you think that price is unreasonable, think of this: a hacker only needs one hole to get into your network and steal data. A pen tester works hard to find as many holes as possible that could allow you to be compromised. You are paying a professional team to manually look through the nooks and crannies of your business to determine what’s exploitable.
There is no better way to test the actual effectiveness of your security systems than borrowing the skills of an experienced penetration test team.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is VP of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.