RE: Business justification for pentesting

From: Vic N (vic778_at_hotmail.com)
Date: 09/05/05

    To: pen-test@securityfocus.com
    Date: Sun, 04 Sep 2005 18:13:00 -0700


    I never said a pen test was going to address every PCI requirement, I'm not
    sure how you are reading that into my response. It is but one requirement of
    the PCI specification. There are many requirements for a tier one
    merchant/service provider. The original question was about justifying a
    pen-test.

    >
    >Hi
    >
    >Further to this... I would like to know how 11.5 of the PCI is going to
    >be completed using a Pen Test.
    >
    >11.5 Deploy file integrity monitoring to alert personnel to
    >unauthorized modification of critical system or content files, and
    >perform critical file comparisons at least daily (or more frequently if
    >the process can be automated).
    >
    >The verification process needs to:
    >11.5 Verify the use of file integrity monitoring products by observing
    >system settings and monitored files, as well as reviewing results from
    >monitoring activities.
    >
    >Further.. External Pen Testing alone is not acceptable
    >
    >11.2 Run internal and external network vulnerability scans at least
    >quarterly and after any significant change in the network (e.g., new
    >system component installations, changes in network topology, firewall
    >rule modifications, product upgrades).
    >
    >I would love to see any Pen test which could blindly test #8.5.12...
    >
    >8.5.12 Do not allow an individual to submit a new password that is the
    >same as any of the last four passwords he or she has used.
    >
    >And the list goes on and on.
    >
    >The issue is WHY is there a pen test? For this we look at point 11.4
    >(directly after 11.3)
    >
    >The requirements are;
    >11.4 Use network intrusion detection systems, host-based intrusion
    >detection systems, and/or intrusion prevention systems to monitor all
    >network traffic and alert personnel to suspected compromises. Keep all
    >intrusion detection and prevention engines up-to-date.
    >
    >And the Summary Test procedure is;
    >11.4 Observe the use of network intrusion detection and/or prevention
    >software on the network. Confirm IDS and/or IPS is in place to monitor
    >and alert personnel of suspected compromises. Examine IDS/IPS
    >configurations and confirm IDS/IPS devices are configured, maintained,
    >and updated per vendor instructions to ensure optimal protection.
    >
    >Basically the Pen Test is an additional layer of verification on the
    >other 46 pages worth of requirements and tests, and it is not even a
    >quarter of one of the pages.
    >
    >11.2a in fact states a single test is not adequate;
    >
    >11.2.a Inspect output from the most recent four quarters of network,
    >host, and application vulnerability scans to verify that periodic
    >security testing of the devices within the cardholder environment
    >occurs. Confirm the scan process includes rescans until "clean" results
    >are obtained.
    >
    >Clean results being "The results of each scan satisfy the PCI Security
    >Scanning Procedures (e.g., no urgent, critical, or high
    >vulnerabilities."
    >
    >Craig
    >
    >PS I know the PCI Security Audit Procedures intimately as BDO is on the
    >list of authorised/approved auditors and I have a copy and have
    >published papers on this topic.
    >
    >
    >-----Original Message-----
    >From: Vic N [mailto:vic778@hotmail.com]
    >Sent: 3 September 2005 8:10
    >To: pen-test@securityfocus.com
    >Subject: RE: Business justification for pentesting
    >
    >11.3 of the PCI 1.0 applies to tier 1 merchants (per a Visa-approved
    >auditor). A comprehensive onsite review can include a pen-test
    >component, and hence, meet the annual requirement, but the onsite
    >assessment is not a pen-test per se. Additionally, a pen-test is
    >required after any major changes to the environment.
    >
    >Test procedures from this requirement (PCI 1.0 spec):
    >
    >"Obtain results from the most recent penetration test to verify that
    >penetration testing is performed at least annually and after any
    >significant changes to the environment. Confirm that any noted
    >vulnerabilities were corrected."
    >
    >Vic
    >
    >
    >
    > >
    > >This is for a small visa processing site where a full audit is not
    > >required.
    > >
    > >This can not be used as a blanket statement. For larger PCI clients and
    > >issuers, an onsite audit (which is extremely detailed if done
    > >correctly) must be completed
    > >
    > >Craig
    > >
    > >-----Original Message-----
    > >From: Vic N [mailto:vic778@hotmail.com]
    > >Sent: 1 September 2005 9:04
    > >To: sectraq@gmail.com; pen-test@securityfocus.com
    > >Subject: RE: Business justification for pentesting
    > >
    > >For Visa / MC PCI 1.0 specification (requirement 11.3), an annual pen
    > >test of network infrastructure and applications must take place once a
    > >year w/remediation.
    > >
    > >www.visa.com/cisp (see PCI data security standard)
    > >
    > > >hi all,
    > > >
    > > >a few classic question that i would appreciate any answers for.
    > > >1- i would like to briefly know how to quantify information assets.
    > > >In other words, i hear a pentester say: if a hacker breaks in ur
    > > >network, u will lose up to 40000$ for example. how can he come up
    > > >with such figures?
    > > >
    > > >2- are there any other means to justify pentesting for management
    > > >except for $$$?
    > > >
    > > >3- are there any official statistics, figures etc. for justifying
    > > >pentesting. the more official it is the better.
    > > >
    > > >4- any other information you guys might find helpful in justifying a
    > > >pentest would be appreciated.
    > > >
    > > >thnx in advance for ur help.
    > > >
    > > >T.N
    > > >
    > >

    ------------------------------------------------------------------------------
    Audit your website security with Acunetix Web Vulnerability Scanner:

    Hackers are concentrating their efforts on attacking applications on your
    website. Up to 75% of cyber attacks are launched on shopping carts, forms,
    login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
    futile against web application hacking. Check your website for vulnerabilities
    to SQL injection, Cross site scripting and other web attacks before hackers do!
    Download Trial at:

    http://www.securityfocus.com/sponsor/pen-test_050831
    -------------------------------------------------------------------------------
