PCI 3.0 and penetration testing

PCI 3.0 and Penetration Testing Requirements

Contents

• Who am I?
• Introduction
• New requirements for PCI 3.0
• Common web application vulnerabilities
• Common infrastructure vulnerabilities
• How to pass a PCI 3.0 penetration test
• Any questions?

Who am I?

Marcus Dempsey
• IT security consultant for TeraByte IT
• Certified Ethical Hacker (C|EH)
• Computer Hacking Forensics Investigator (C|HFI)
• Over 24 years of IT experience – development, infrastructure, management and security

TeraByte IT

• A North East based penetration testing company that works for the client and not against them.
• Specialises in penetration testing web applications and internal / external infrastructure.
• Can be found at: https://terabyteit.co.uk

Introduction

• This is a talk about how to help your company pass PCI 3.0 compliance
• What are the new requirements for PCI 3.0?
• Discuss the common threats and vulnerabilities which are found in testing
• Discuss how you can pass a PCI vulnerability assessment

New requirements for PCI 3.0

• https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf - Released in November 2013
• After July 2015, you can only be audited against PCI 3.0 requirements
• Summary of changes from 2.0 to 3.0 - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_Summary_of_Changes.pdf
• Additional web application testing required
• Additional penetration testing methodology required
• Segregation of services

• Not as scary as you may think
• Remember, think security first! Before doing anything else

Additional web application testing

Requirement 6.5 requires the following:

6.5.1: Injection flaws
6.5.2: Buffer overflow
6.5.3: Insecure cryptographic storage
6.5.4: Insecure communications
6.5.5: Improper error handling
6.5.6: All risk vulnerabilities
6.5.7: Cross-site scripting (XSS)
6.5.8: Improper access control
6.5.9: Cross-site request forgery (CSRF)
6.5.10: Broken authentication and session management

Additional penetration testing methodology

The penetration testing methodology should include the following:

• Include coverage of all systems, including the CDE and critical systems
• Testing should be performed both inside and outside of the network
• Testing should verify any segregation of networks
• Testing against any issues found in the last report should be verified
• Include a report detailing any vulnerabilities and threats that have been found
• Report specified remediation information for any threats found

Segregation of services to be verified

• This applies if the CDE is isolated from other areas of the infrastructure
• Demonstrates that segregation of services is in use and operational in daily use
• Need to document any systems that are “out of scope” of testing
• Provide the testing company with documentation of the segregation technologies used
• Testing of CDE systems from outside
• Testing against out of scope systems from within the CDE

* https://www.paloaltonetworks.com/

Common web application vulnerabilities

• Check out the OWASP top 10 - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

• A1: Injection
• A2: Broken Authentication and Session Management
• A3: Cross Site Scripting (XSS)
• A9: Using components with known vulnerabilities
• A10: Unvalidated redirects and forwards

Common infrastructure vulnerabilities

• Apply base host hardening – disable any unused services, uninstall unused apps…
• Don’t use default credentials on anything (change them as soon as possible)
• Ensure everything is updated regularly (OS software, 3rd party, firmware, drivers…)
• Don’t use weak SSL cipher suites (SHA1, DES, MD5 etc.)
• Windows OS - Use SMB Signing - https://support.microsoft.com/en-us/kb/887429
• Don’t allow Null sessions - https://social.technet.microsoft.com/Forums/windowsserver/en-US/841523db-8c4b-43a0-9f28-be7270f92e2b/disable-server-2008-null-sessions?forum=winservergen
• Don’t forget about those old servers that no one knows about!!
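As an added example (not from the original slides), here is a read-only PowerShell audit of the two Windows items above: SMB signing and null-session restrictions. The registry locations are the standard ones for these settings; the "expected" values are the hardened settings assumed here, not values taken from the slides, so adjust them to your own baseline.

```powershell
# Added example: read-only audit of SMB signing and null-session hardening.
# Run in an elevated PowerShell prompt on the host being assessed; nothing is changed.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, so "absent" shows up as not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Each check: slide item, registry location, value name and the hardened value assumed here.
$checks = @(
    @{ Item='SMB signing';   Path=$lanman; Value='RequireSecuritySignature'; Expect=1 },
    @{ Item='SMB signing';   Path=$wks;    Value='RequireSecuritySignature'; Expect=1 },
    @{ Item='Null sessions'; Path=$lsa;    Value='RestrictAnonymous';        Expect=1 },
    @{ Item='Null sessions'; Path=$lsa;    Value='RestrictAnonymousSAM';     Expect=1 },
    @{ Item='Null sessions'; Path=$lsa;    Value='EveryoneIncludesAnonymous';Expect=0 }
)

$results = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Value
    # A missing value is reported as FAIL: the OS default for these is the weaker setting.
    $shown  = if ($null -eq $actual) { 'not set' } else { $actual }
    $status = if ($actual -eq $c.Expect) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{
        Item     = $c.Item
        Location = $c.Path
        Setting  = $c.Value
        Expected = $c.Expect
        Actual   = $shown
        Status   = $status
    }
}

$results | Format-Table Item, Setting, Expected, Actual, Status -AutoSize

# Shares and pipes explicitly opened to null sessions should normally be empty on a hardened host.
$nullShares = Get-RegValue -Path $lanman -Name 'NullSessionShares'
$nullPipes  = Get-RegValue -Path $lanman -Name 'NullSessionPipes'
"NullSessionShares: {0}" -f $(if ($nullShares) { $nullShares -join ', ' } else { '(none)' })
"NullSessionPipes : {0}" -f $(if ($nullPipes)  { $nullPipes  -join ', ' } else { '(none)' })
```

Any FAIL row is a finding to fix via Group Policy (the Microsoft network server/client "Digitally sign communications (always)" and "Network access" security options) before the tester arrives.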

How to pass a PCI 3.0 penetration test

• Ensure you have your security policies in place
• Ensure your documentation is up to scratch
• Make sure everything is patched and up to date
• Make sure all your infrastructure is hardened according to best practices (disable unused services…)
• Make sure your auditing and logging services are working and reporting correctly
• Clearly document and scope your PCI requirements
• Ensure that your assessment scope is correct – you'll be held responsible, not the tester!

• Check the PCI 3.0 requirements guide again - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

Any Questions?

Thank You!!

Email: marcus@terabyteit.co.uk
Web: https://terabyteit.co.uk
Blog: https://terabyteit.co.uk/blog