PCI DSS (Payment Card Industry Data Security Standard), Requirement 11.3


Requirement 11: Regularly test security systems and processes

Req 11.3

11.3 Implement a methodology for penetration testing that includes the following:
– Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
– Includes coverage for the entire CDE perimeter and critical systems
– Includes testing from both inside and outside the network
– Includes testing to validate any segmentation and scope-reduction controls
– Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
– Defines network-layer penetration tests to include components that support network functions as well as operating systems
– Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
– Specifies retention of penetration testing results and remediation activities results

The intent of a penetration test is to simulate a real-world attack situation with the goal of identifying how far an attacker would be able to penetrate into an environment. This allows an entity to gain a better understanding of its potential exposure and develop a strategy to defend against attacks.

A penetration test differs from a vulnerability scan: a penetration test is an active process that may include exploiting identified vulnerabilities. Conducting a vulnerability scan may be one of the first steps a penetration tester performs in order to plan the testing strategy, although it is not the only step. Even if a vulnerability scan does not detect known vulnerabilities, the penetration tester will often gain enough knowledge about the system to identify possible security gaps.

Penetration testing is generally a highly manual process. While some automated tools may be used, the tester uses their knowledge of systems to penetrate into an environment. Often the tester will chain several types of exploits together with the goal of breaking through layers of defenses. For example, if the tester finds a means to gain access to an application server, they will then use the compromised server as a point from which to stage a new attack based on the resources that server has access to. In this way a tester is able to simulate the methods used by an attacker and identify areas of potential weakness in the environment.

Penetration testing techniques will differ between organizations, and the type, depth, and complexity of the testing will depend on the specific environment and the organization's risk assessment.
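One of the bullets above, testing that segmentation and scope-reduction controls actually hold, is the part of 11.3 most often reduced to a checkbox. The following Python is an added example, not PCI DSS text and not any tool the standard prescribes: it attempts to reach each CDE host and port from an out-of-scope address, treats any successful connection as a segmentation failure, and packages the results into a timestamped JSON record of the kind the retention bullet asks for. The addresses, ports and the reachability map in `fake_probe` are constructed so the script runs offline; on a real engagement you would run it from the out-of-scope host with `probe=probe_tcp` and retain the resulting record alongside the remediation notes.

```python
"""Segmentation validation check and evidence record for a PCI DSS 11.3 test.

Added example, not PCI SSC text. Hostnames, ports and the reachability
results below are constructed for illustration.
"""
import json
import socket
from datetime import datetime, timezone


def probe_tcp(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes (live probe)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def validate_segmentation(source, cde_hosts, ports, probe=probe_tcp):
    """Attempt to reach every CDE host/port pair from an out-of-scope source.

    Returns one finding per (host, port). A reachable pair means the
    out-of-scope network can talk to the CDE, so the control has failed.
    """
    findings = []
    for host in cde_hosts:
        for port in ports:
            findings.append({
                "source": source,
                "target": host,
                "port": port,
                "reachable": probe(host, port),
            })
    return findings


def segmentation_failures(findings):
    """Return only the (host, port) pairs that were reachable."""
    return [(f["target"], f["port"]) for f in findings if f["reachable"]]


def evidence_record(findings, tester, methodology="NIST SP 800-115"):
    """Package results as a retainable document (the retention bullet in 11.3)."""
    return {
        "test": "segmentation_validation",
        "methodology": methodology,
        "tester": tester,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "passed": not segmentation_failures(findings),
        "findings": findings,
    }


# Constructed reachability map standing in for a live network so the example
# runs offline. Assumed layout: 10.20.0.0/24 is out of scope, 10.99.1.x are
# CDE hosts; the one open path models a database port the firewall missed.
FAKE_REACHABLE = {("10.99.1.10", 1433)}


def fake_probe(host, port):
    """Offline stand-in for probe_tcp using the constructed map above."""
    return (host, port) in FAKE_REACHABLE


if __name__ == "__main__":
    results = validate_segmentation(
        source="10.20.0.5",
        cde_hosts=["10.99.1.10", "10.99.1.11"],
        ports=[22, 443, 1433, 3389],
        probe=fake_probe,
    )
    record = evidence_record(results, tester="example-tester")
    print(json.dumps(record, indent=2))
    for host, port in segmentation_failures(results):
        print(f"FAIL: {host}:{port} reachable from out-of-scope source {results[0]['source']}")
```

Two caveats a tester would apply on a real run: a TCP connect check only proves that a path exists, so anything reachable should then be examined by the network-layer and application-layer tests the requirement also calls for, and the check should be repeated from every out-of-scope segment that claims isolation, not just one, since the point of the bullet is to confirm that scope reduction holds everywhere it is relied upon.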
