PCI DSS (Payment Card Industry Data Security Standard)
Regularly test security systems and processes
Test 11.3
11.3 Examine penetration-testing methodology and interview responsible personnel to verify a methodology is implemented that includes the following:
- Is based on industry-accepted penetration testing approaches (for example, NIST SP 800-115)
- Includes coverage for the entire CDE (cardholder data environment) perimeter and critical systems
- Includes testing from both inside and outside the network
- Includes testing to validate any segmentation and scope-reduction controls
- Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
- Defines network-layer penetration tests to include components that support network functions as well as operating systems
- Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
- Specifies retention of penetration testing results and remediation activities results
The intent of a penetration test is to simulate a real-world attack with the goal of identifying how far an attacker would be able to penetrate into an environment. This allows an entity to gain a better understanding of its potential exposure and to develop a strategy to defend against attacks.

A penetration test differs from a vulnerability scan: a penetration test is an active process that may include exploiting identified vulnerabilities. Conducting a vulnerability scan may be one of the first steps a penetration tester performs in order to plan the testing strategy, although it is not the only step. Even if a vulnerability scan does not detect known vulnerabilities, the penetration tester will often gain enough knowledge about the system to identify possible security gaps.

Penetration testing is generally a highly manual process. While some automated tools may be used, the tester relies on their knowledge of systems to penetrate the environment. Often the tester will chain several types of exploits together with the goal of breaking through layers of defenses. For example, if the tester finds a means to gain access to an application server, they will then use the compromised server as a point from which to stage a new attack based on the resources that server has access to. In this way a tester is able to simulate the methods used by an attacker and identify areas of potential weakness in the environment.

Penetration testing techniques will differ between organizations, and the type, depth, and complexity of the testing will depend on the specific environment and the organization's risk assessment.
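The segmentation-validation bullet above is the part of 11.3 that is most often done by hand and worst documented. The script below is an added example written for this page (it is not PCI SSC or Lionfish code): run from a host in an out-of-scope segment, it probes the CDE hosts and ports the tester expects the boundary to block, classifies each attempt, and emits a JSON record suitable for the retention requirement. The CDE addresses, port list, segment name and tester name are constructed placeholders; the `probe` parameter exists so the logic can be exercised offline.

```python
"""Segmentation validation probe for a PCI DSS penetration test (added example).

Run from a host that sits in an *out-of-scope* network segment. Every CDE
target/port that can be reached from here is a segmentation failure.
"""
import json
import socket
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed placeholders: assumed CDE hosts and the ports the boundary
# firewall is expected to block from this segment.
CDE_TARGETS = ["10.10.1.5", "10.10.1.6"]
PROBE_PORTS = [22, 443, 1433, 3306, 3389]   # admin, web, and database ports


@dataclass
class Probe:
    source_segment: str
    target: str
    port: int
    result: str   # "open", "closed" or "filtered"


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a single TCP connect attempt.

    open     - handshake completed: a CDE service is reachable from here
    closed   - RST received: no listener, but the host is routable and the
               packet was not dropped, so the segment is NOT isolated
    filtered - timeout / no route: the control held for this target/port
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"


def check_segmentation(targets, ports, source_segment, probe=tcp_probe):
    """Probe every target/port pair and keep every result, so the report
    retains the negative evidence (filtered) as well as the failures."""
    return [Probe(source_segment, t, p, probe(t, p))
            for t in targets for p in ports]


def violations(probes):
    """Anything other than 'filtered' means traffic crossed the boundary."""
    return [p for p in probes if p.result != "filtered"]


def build_report(probes, tester):
    """Retention-friendly record of the test run and its findings."""
    bad = violations(probes)
    return {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "tester": tester,
        "source_segment": probes[0].source_segment if probes else None,
        "probes": [asdict(p) for p in probes],
        "violations": [asdict(p) for p in bad],
        "segmentation_validated": len(bad) == 0,
    }


if __name__ == "__main__":
    results = check_segmentation(CDE_TARGETS, PROBE_PORTS, "corp-lan-10.20.0.0/16")
    print(json.dumps(build_report(results, "pentest-team"), indent=2))
```

Two points a tester should keep in mind when reading the output. First, a "closed" result is still a finding: a connection refused means the packet reached a CDE host and came back, so the segment is routable even though nothing was listening on that port that day. Second, a boundary firewall configured to reject rather than drop also returns RSTs, so a "closed" result should be confirmed (for example by comparing TTLs against a known CDE host) before it is written up as a segmentation failure rather than a firewall reject.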
What is a Cybersecurity Compliance Framework?
As your security and privacy programs become more sophisticated, you don't need to clutter them with an ever-increasing number of tools. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly specialized, in-demand security and privacy frameworks and certifications.
With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, so that preparation for audits or attestation takes minimal time.
The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:
- CMMC v2
- HIPAA
- NERC CIP-002 through CIP-014 Revision 6
- NIST 800-171
- NIST 800-172
- PCI DSS (Payment Card Industry Data Security Standard)
- SOC 2
- NIST 800-53
- NIST SP800-161 Supply Chain Risk Management
- NIST-CSF
- CIS Critical Security Controls v8