PCI-DSS 3.0 Brings New Penetrating Testing Requirements, Explains Rhino Security Labs
Seattle, WA (PRWEB) December 12, 2013 -- Rhino Security Labs, a leading authority in penetration testing services, realizes that the rollout of new PCI-DSS 3.0 requirements increases the responsibilities of business owners and management. With PCI standards being implemented to protect consumers, and rightfully so, it often adds to the workload of businesses to maintain compliance. Rhino Security Labs shares the latest vulnerabilities to assess as a result of PCI-DSS 3.0.
The Payment Card Industry Data Security Standard (PCI-DSS) is a proprietary infosec standard for organizations that handle payment card information, including debit, credit, 'e-purse', and POS cards. It was founded by the Payment Card Industry Security Standards Council (PCI-SSC), which consists of the 5 major credit card companies around the world.
As a managed security service provider, Rhino Security Lab's penetration testing services will not just ensure you are PCI compliant, but they will identify and test for practical attacks that are outside PCI’s required scope. Rhino Security Labs does not simply provide "compliance checkbox" assessments. In addition to PCI penetration testing, they offer a range of managed security services for clients which require it.
New PCI-DSS penetration testing requirements and methodology for penetration testing includes the following:
- Industry-accepted penetration testing approaches (for example, NIST SP800-115)
- Testing to validate any segmentation and scope-reduction controls
- Review and consideration of threats and vulnerabilities experienced in the last 12 months
- Retention of penetration testing results and remediation activities results
These standards will take effect on January 1, 2014, but the PCI-SSC will allow vendors until January 1, 2015 to meet the new requirements.
Rhino Security Labs recognizes the inherent flaw of any standardized security standard is that no two company networks are identical. Automated scanning fails to uncover all security flaws, just as out-of-the-box security solutions often fail to cover all vulnerabilities. While becoming PCI compliant is highly recommended, it should not be the ultimate goal of your security policy.
For instance, PCI standards only apply to the enterprise networks that contain credit card data. Most companies have several segmented networks, separated by firewalls, to keep sensitive data inaccessible to non-authorized employees. However, Rhino Security Labs recommends testing from multiple internal networks to assess the firewall configurations and better protect against cross-network attacks.
Another attack vector PCI fails to cover is related to password reuse. Every security application needs to be configured, and thus requires authentication. While dual-factor authentication is becoming more popular with enterprises, servers and appliances are often overlooked during implementation. More alarmingly, studies suggest that up to 73% of users apply the same passwords to multiple accounts. Through social engineering, trojans, or common malware, a hacker can easily acquire the password of a system administrator, and try the reused password on the cardholder data environment (CDE), which is likely to be the same.
Rhino Security Labs' Principal Consultant, Benjamin Caudill, comments. "This type of attack is very possible, as we've done so multiple times during social engineering engagements." He continues. "After we've compromised an internal server and domain accounts, all we have to do is cross-check the discovered passwords with those in the CDE domain." In closing on this vulnerability, Benjamin adds the following: "Within a few hours, I'm administrating your CDE, and your entire credit card database is just sitting there waiting for me." While network pentesting is in scope for the CDE, there's no PCI requirement that addresses physical vulnerabilities. Social engineering testing and physical penetration testing are assessments that Rhino Security Labs frequently performs for companies. It is relatively straightforward to gain physical access to systems directly, bypassing all digital security measures in place. However, PCI does not require physical security, social engineering, or wireless penetration testing, leaving many vulnerabilities undiscovered.
Rhino Security Labs supports PCI penetration testing and compliance, but does not think security policy ends with compliance. PCI standards do nothing to address the issues mentioned above, nor do they encourage additional testing for overlooked vulnerabilities. Particularly for large organizations with data and reputation to lose, a dedicated, sophisticated attacker could find a compromise worth their time. For those companies, more robust penetration testing should be incorporated into compliance.
Rhino Security Labs offers vulnerability assessments for businesses across the globe. To schedule a consultation visit RhinoSecurityLabs.com or call 1-888-944-8679.
Benjamin Caudill, Rhino Security Labs, http://www.rhinosecuritylabs.com, +1 8889448679, [email protected]
Share this article