PCI for Pen Testers - SecTor (slide transcript)
[Slide 1]
PCI for Pen Testers
Joseph Pierini, CISSP, GCIH, PCI: QSA, PA-QSA, PFI, ASV
[Slide 2]
WHO AM I?
• Joseph Pierini
– Vice President of Technical Services
– Security Assessor
– Penetration Tester
– CISSP, GCIH, PCI: QSA, PA-QSA, PFI, ASV
– Payment Software Company (PSC)
PSC, Inc.
[Slide 3]
WHAT IS PCI?
• The PCI DSS originally began as five different programs:
– Visa Card Information Security Program
– MasterCard Site Data Protection
– American Express Data Security Operating Policy
– Discover Information and Compliance
– JCB Data Security Program
[Slide 4]
PCI VERSIONS
• Version 1.0 December 2004
• Version 1.1 September 2006
• Version 1.2 October 2008
• Version 1.2.1 August 2009
• Version 2.0 January 2011
• Version 3.0 November 2013
• Version 3.1 April 2015
• Version 3.2 April 2016
• Version 3.2.1 May 2018
[Slide 5]
PAYMENT CARD INDUSTRY SECURITY STANDARDS COUNCIL
• Overseeing the development of PCI standards
• Certifying products and companies capable of fulfilling the scanning requirements (called Approved Scanning Vendors or ASVs)
• Training and certifying companies (called Qualified Security Assessors or QSAs) and individuals (called Qualified Security Assessor Personnel or QSAPs) capable of fulfilling the onsite review requirements
[Slide 6]
WHO HAS TO BE PCI COMPLIANT?
• PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.
– Merchants
– Service Providers
[Slide 7]
COMPLIANT WITH WHAT?
• Build And Maintain A Secure Network
– Requirement 1: Install and maintain a firewall configuration to protect cardholder data
– Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
– Requirement 3: Protect stored cardholder data
– Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Maintain A Vulnerability Management Program
– Requirement 5: Use and regularly update anti-virus software
– Requirement 6: Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
– Requirement 7: Restrict access to cardholder data by business need-to-know
– Requirement 8: Assign a unique ID to each person with computer access
– Requirement 9: Restrict physical access to cardholder data
• Regularly Monitor And Test Networks
– Requirement 10: Track and monitor all access to network resources and cardholder data
– Requirement 11: Regularly test security systems and processes
• Maintain An Information Security Policy
– Requirement 12: Maintain a policy that addresses information security
[Slide 8]
WHICH BITS DO WE CARE ABOUT?
• Requirements:
– 6.5: Address common coding vulnerabilities. (OWASP Top 10)
– 6.6: Review public-facing web applications.
– 11.2: Run internal and external network vulnerability scans.
– 11.3.x: Perform internal and external penetration testing.
[Slide 9]
HOW DO THEY SHOW COMPLIANCE?
• Level 1 Merchants:
– Annual Report on Compliance ("ROC") by a Qualified Security Assessor ("QSA").
– Quarterly network scan by an Approved Scanning Vendor ("ASV").
• Level 2 Merchants:
– Annual Self-Assessment Questionnaire ("SAQ").
– Quarterly network scan by ASV.
• Level 3 Merchants:
– Annual Self-Assessment Questionnaire ("SAQ").
– Quarterly network scan by ASV.
• Level 4 Merchants:
– Annual SAQ recommended.
– Quarterly network scan by ASV if applicable.
– Compliance validation requirements set by acquirer.
[Slide 10]
EVERYTHING’S FIXED THEN, RIGHT?
• 2006: TJX 45 Million customer credit and debit cards stolen.
• 2007: Fidelity National Information Services, 8.5 million payment cards.
• 2008/2009: Heartland, 130 million credit cards.
• 2010: Genesco Inc, number unknown.
• 2011: Citibank, affecting 360,000 credit card holders.
• 2012: Global Payments 1.5 million credit cards.
• 2013: Target, 40 million credit cards.
• 2014: Home Depot, 56 million credit cards.
• 2015: Excellus Blue Cross Blue Shield, ten million credit cards.
• 2016: Madison Square Garden, number unknown.
• 2017: Equifax, 200,000 credit cards.
• 2018: Orbitz, 880,000 payment cards
[Slide 11]
IF YOU THINK PCI IS CRAP:
You’re doing it wrong.
[Slide 12]
CHALLENGES
• It wasn’t the Client’s idea.
• Not all Pen Testers know what they’re doing.
• PCI can be really expensive.
• There’s a lot to cover.
• There aren’t very clear instructions.
[Slide 13]
HOW ARE WE SUPPOSED TO PEN TEST?
• PCI Data Security Standard: Testing Procedures and Guidance
• 2017 Penetration Testing Guidance
• ASV Program Guide
• Guidance for PCI DSS Scoping and Segmentation
[Slide 14]
PCI DSS: TESTING PROCEDURES AND GUIDANCE
• “…simulate a real-world attack situation with a goal of identifying how far an attacker would be able to penetrate into an environment.”
• Include:
– The CDE and connected systems.
– Exploit identified vulnerabilities.
– Per a defined methodology.
– At least annually.
– After any significant changes to the environment.
[Slide 15]
PEN TESTING GUIDANCE
• September 2017:
– Difference between a vulnerability scan and a penetration test.
– Black box vs Grey box testing.
– Qualifications of a penetration tester.
– Requirement for third-party pen test methodologies.
– Consideration for social engineering.
– Report content guidelines.
– Scoping suggestions.
[Slide 16]
ASV PROGRAM GUIDE
• February 2017:
– Vulnerability severity levels based on the NVD and CVSS Scoring
– Automatic failures
– Common severity language
[Slide 17]
GUIDANCE FOR PCI DSS SCOPING AND SEGMENTATION
• To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.
• Systems that connect to a system in the CDE are in scope.
• Connections from third-party entities need to be identified to determine inclusion for PCI DSS scope.
• All segmentation controls must also be penetration tested.
[Slide 18]
MY DEFINITION OF SCOPE
It’s not out of scope if it can be used against you.
[Slide 19]
RULES OF ENGAGEMENT
“The intent of a penetration test is to simulate a real-world attack situation with a goal of identifying how far an attacker would be able to penetrate into an environment.”
– No Denial of Service attacks.
– Handling risky or fragile infrastructure.
– Testing in Staging vs Production.
– Where do you test from?
– When do you stop?
[Slide 20]
SUCCESS CRITERIA
• Possible success criteria may include:
– Direct observation of restricted services in the absence of expected access controls.
– Compromise of an intermediary device used by privileged users to access the CDE.
– Compromise of the Domain used by privileged users.
– Access to Source Code.
• The success criteria will be different for every engagement and environment and should be established during the kick-off call prior to testing.
[Slide 21]
EXTERNAL PEN TESTS
• Follows a typical pen test approach.
• Most companies have no idea what they have.
• Compare scope to ASV scans.
• OSINT is your best friend.
• Try to expand scope as much as possible.
Process flow: Discovery → Enumeration → Vulnerability → Exploitation → Post-Exploit
[Slide 22]
INTERNAL PEN TESTS
• Attack the privileged users, not the CDE.
• Auxiliary networks like VOIP, Climate Control, Printer.
• There is no such thing as a “Guest Network”.
• Automation is your best friend.
[Slide 23]
A WORD ABOUT SEGMENTATION TESTING
• The Information Supplement: Penetration Testing Guidance, Section 4.2.3 (Segmentation):
– Performed by conducting tests used in the initial stages of a network penetration test.
– It should verify that all isolated LANs do not have access into the CDE.
– Sampling is OK.
– Service Providers: twice per year.
[Slide 24]
HOW TO TEST
• Target all assets and networks defined as the CDE.
• Include all TCP & UDP ports that are considered “risky”, e.g., allowing network pivoting or remote code execution.
• Include VoIP, Wireless, Audio Visual and Environmental Control Networks in scanning when possible.
• Be prepared for it to take more time than expected.
[Slide 25]
WHAT’S ALLOWED IN
• Some connectivity may be required and permissible.
• Ensure non-risky open ports have a documented business justification.
• All remote access protocols must require multi-factor authentication (MFA).
• All web applications have been tested for vulnerabilities or functionality that allow remote command injection or script execution.
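The segmentation test described above (scan from each isolated LAN toward the CDE, then verify nothing gets through) produces a pile of port states that still has to be turned into a verdict, and the "documented business justification" rule on this slide means an open port is only acceptable when it is on an approved list. The following is an added example, not code from the talk or from PSC: it parses nmap grepable (-oG) output from a scan run out of an out-of-scope segment, judges every port that answered against a constructed allowlist of justified flows, and reports PASS/FAIL per source segment. The scan text, the segment addresses, the host names and the allowlist are all constructed for the example.

```python
"""Evaluate a PCI segmentation test from nmap grepable (-oG) output.

Added example (not from the talk): a scan run from an out-of-scope
segment toward CDE targets is parsed, and every port that answered is
judged against a documented allowlist of business-justified flows.
"""

# Constructed allowlist: (source segment, CDE host, port) tuples that have
# a documented business justification. Anything open that is not listed
# here is a segmentation failure.
JUSTIFIED_FLOWS = {
    ("10.20.0.0/16", "10.1.1.5", 443),  # corporate LAN -> CDE web front end (constructed)
}

# Constructed sample in nmap's grepable format; not real scan output.
SAMPLE_SCAN = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 10.1.1.5 (cde-web01)\tStatus: Up\n"
    "Host: 10.1.1.5 (cde-web01)\tPorts: 22/filtered/tcp//ssh///, "
    "443/open/tcp//https///\tIgnored State: filtered (998)\n"
    "Host: 10.1.1.6 (cde-db01)\tStatus: Up\n"
    "Host: 10.1.1.6 (cde-db01)\tPorts: 1433/open/tcp//ms-sql-s///, "
    "3389/closed/tcp//ms-wbt-server///, 161/open|filtered/udp//snmp///"
    "\tIgnored State: filtered (997)\n"
    "# Nmap done\n"
)


def parse_grepable(text):
    """Return {host_ip: {(port, proto): state}} from -oG output lines."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                entry = entry.strip()
                if not entry:
                    continue
                # Each entry is port/state/proto/owner/service/rpc/version/
                port, state, proto = entry.split("/")[:3]
                results.setdefault(ip, {})[(int(port), proto)] = state
    return results


def evaluate(source_segment, scan_results, justified):
    """Judge every port that responded. 'filtered' (no response at all) is
    the expected result behind a segmentation control and is not a finding."""
    findings = []
    for ip, ports in scan_results.items():
        for (port, proto), state in ports.items():
            if state == "filtered":
                continue
            if state == "open":
                verdict = "ALLOWED" if (source_segment, ip, port) in justified else "FAIL"
            else:
                # closed / unfiltered / open|filtered: the host answered, so
                # traffic reaches the CDE even if nothing is listening there.
                verdict = "WARN"
            findings.append((ip, port, proto, state, verdict))
    return findings


def segmentation_passed(findings):
    """A segment passes only when no unjustified open port was reached."""
    return not any(verdict == "FAIL" for *_, verdict in findings)


if __name__ == "__main__":
    results = parse_grepable(SAMPLE_SCAN)
    # Two constructed source segments: the corporate LAN and a guest LAN.
    for segment in ("10.20.0.0/16", "10.30.0.0/16"):
        findings = evaluate(segment, results, JUSTIFIED_FLOWS)
        print(segment, "PASS" if segmentation_passed(findings) else "FAIL")
        for finding in findings:
            print("  ", finding)
```

Run the same scan output through `evaluate` once per source segment: the 443 flow is ALLOWED from the corporate LAN but a FAIL from the guest LAN, because the justification is per source, which is the point of keeping the allowlist keyed on the segment. WARN entries are worth a sentence in the segmentation test results even when the overall verdict is a pass, since a "closed" reply shows the control is not dropping traffic.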
[Slide 26]
CLOUD TYPES
• Private vs Public
• SaaS (Software as a Service)
– Vendor manages everything.
• PaaS (Platform as a Service)
– Client manages:
– Applications
– Data
• IaaS (Infrastructure as a Service)
– Client manages:
– Applications
– Data
– Runtime
– Middleware
– Operating System
[Slide 27]
GET PERMISSION FIRST
• AWS Vulnerability and Penetration Testing:
– https://aws.amazon.com/security/penetration-testing/
– https://aws.amazon.com/forms/penetration-testing-request?catalog=true&isauthcode=true
• Azure Vulnerability and Penetration Testing:
– As of June 15, 2017, Microsoft no longer requires pre-approval to conduct penetration tests against Azure resources.
– https://docs.microsoft.com/en-us/azure/security/azure-security-pen-testing
– https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement
• Google Cloud Penetration Testing:
– If you plan to evaluate the security of your Cloud Platform infrastructure with penetration testing, you are not required to contact us to begin testing.
– https://cloud.google.com/security/
• Oracle Cloud: Scheduling Maintenance Requests for Penetration and Vulnerability Testing:
– https://docs.oracle.com/en/cloud/get-started/subscriptions-cloud/mmocs/scheduling-maintenance-requests-penetration-and-vulnerability-testing.html
• SAP: Requires account login:
– https://apps.support.sap.com/sap/support/knowledge/preview/en/2577930
• Salesforce: Please complete the following steps to schedule the assessment a minimum of 5 business days prior to starting:
– https://help.salesforce.com/articleView?id=000206497&type=1
[Slide 28]
TESTING TIPS
• Review the Client’s base image.
• Scope may be dynamic.
• OSINT: Google, GitHub, GitLab, BitBucket, SourceForge, Pastebin.
• Your Client may also have out of scope networks in the Cloud.
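Reviewing a base image and searching the OSINT sources listed above both come back to the same question the external test raises ("most companies have no idea what they have"): where does cardholder data actually sit, and has any of it leaked into a repository or a paste? The following is an added example, not code from the talk or from PSC: a minimal cardholder-data discovery check that finds Luhn-valid primary account numbers in text and reports them only in masked form, so the tool itself never writes a full PAN into a report. The sample text, the candidate limits (13 to 19 digits with single space or dash separators) and the first-six/last-four masking are assumptions made for the example; the two card numbers in it are widely published test numbers, not real accounts.

```python
"""Find Luhn-valid primary account numbers (PANs) in text and mask them.

Added example (not from the talk): a minimal cardholder-data discovery
check of the kind run over a base image, a repository or a paste to learn
where card data actually lives. All sample input is constructed.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (a run of 20+ digits is skipped entirely).
CANDIDATE_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed sample: two published test card numbers, one number that fails
# the Luhn check, and an order id plus a phone number that should not match.
SAMPLE_TEXT = """
card=4111 1111 1111 1111 exp=12/25
backup_pan: 5555555555554444
not_a_card: 4111111111111112
ORDER-2024-000123456789 phone 416-555-0199
"""


def luhn_valid(digits):
    """Luhn check: double every second digit from the right, subtract 9 from
    doubled values above 9, and require the total to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the first six and last four digits, the usual display form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return masked PANs with their offsets; the full number is never returned."""
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        # The regex bounds the digit count; the Luhn check removes most
        # look-alikes such as order numbers and timestamps.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append({"masked": mask_pan(digits), "offset": match.start()})
    return hits


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_TEXT):
        print(hit)
```

The order id in the sample is the case to watch: it has the right length and separators and is only rejected by the Luhn check, which is why a length-only regex produces noisy results. A Luhn match is still only a candidate; confirm against the client's own card ranges before counting a location as in scope.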
[Slide 29]
OUR CDE IS IN THE CLOUD
• Scenario: Client has a Cloud based, virtual data center that they access and manage using a 2-factor, on-demand VPN to a remote jump-box from anywhere in the world. Do they still need to do an internal penetration test?
• Answer: Yes
• Why? The environment where users routinely access in scope systems will present an attacker with a unique opportunity to steal those credentials or manipulate that traffic.
[Slide 30]
REPORTING
• Executive Summary
• Statement of Scope
• Statement of Methodology
• Statement of Limitations
• Testing Narrative
• Segmentation Test Results
• Findings
[Slide 31]
REPORTING THE FINDINGS
• Findings
– Indication if the CDE could be exploited using the vulnerability
– Risk / Severity
– Targets Affected
– References (if available): CVE, CWE, BID, OSVDB, etc.
– Vendor and/or Researcher
– Description
[Slide 32]
ISSUES WITH REMEDIATION
• Remediate everything in the attack chain.
• There is no risk acceptance in PCI.
• Plan for the Client to screw it up.
• Don’t deliver the report and walk away.
[Slide 33]
RETESTING
• Requirement 11.3.3: Examine penetration testing results to verify that noted exploitable vulnerabilities were corrected and that repeated testing confirmed the vulnerability was corrected.
• Prove it:
– Direct Observation
– Review of Documents
Process flow: Scoping → Testing → Reporting
[Slide 34]
IN SUMMARY
• The Standard drives the engagement.
• Post-exploitation is required.
• It’s not about “us” against “them”.
• Do it correctly and this will be their best pen test ever.
[Slide 35]
QUESTIONS?