Note from the Editor: This blog is part 6 of a 10-part series entitled, “Everything you need to know about an Internal Penetration Test.” To read the series from the beginning, please go to the blog, What is an Internal Penetration Test?
Internal penetration testing is a specific flavor of penetration testing that takes place from within your organization’s network. It specifically emulates a malicious insider or an external attacker who has gained a foothold on the network. While the concept is pretty straightforward, there are some nuances in meeting the Payment Card Industry Data Security Standard (PCI DSS) requirements. A PCI internal penetration test has special considerations for scoping and perspective that are important to understand, so that you’re not only maintaining a strong security posture but also properly meeting the requirements. These issues affect any organization that accepts credit cards for payment.
Scoping a PCI Internal Penetration Test
When it comes to PCI compliance, scoping a PCI internal penetration test can be pretty confusing. Do you test your whole environment? Do you only test systems that are in scope for PCI? In fact, the PCI Council has released specific penetration testing guidance to help clarify many of these issues. The PCI council explains that a PCI internal penetration test should include:
- The internal perimeter of the cardholder data environment (CDE)
- Critical systems on the internal network
- Application-layer and network-layer assessments
- If/when access to the CDE is obtained as a result of the testing, the scope should allow the tester to continue exploring/attacking systems within the CDE
- Consideration of the specific environment and the entity’s risk assessment
In cases where segmentation is not used and there isn’t a defined CDE, or the entire internal network is considered the CDE, focus the scope of testing on critical systems. The PCI DSS defines critical systems as those involved in the “processing or protection of cardholder data.” They can include systems inside or outside of the CDE, such as databases that store CHD, applications that process CHD, firewalls, intrusion detection/prevention systems (IDS/IPS), authentication servers, or even workstations used by administrators to support and manage the CDE. Your penetration testing partner or PCI consultant should be able to help you through the identification process.
Testing Perspective
Testing perspective is critical. Whether the tester sits inside or outside the CDE, or even on one particular network segment versus another, will result in different discoveries. PCI guidance states that the goal of a PCI internal penetration test should be to gain access to the CDE. This means a tester should start outside of the CDE, positioned somewhere that mimics an internal employee as closely as possible. Normally, this decision is based on the segmentation configuration, but it may even require the tester to move between different network segments during testing.
How to Prepare
Like most penetration tests, the goal of a PCI internal penetration test is to get full coverage of the environment through proper scoping, assess all realistic risks to your environment, and confirm you have effective security controls in place. The best way to achieve these results is by working closely and openly with your penetration testing team prior to starting the engagement, and by making sure you’re using penetration testers with PCI-related experience. Having outside sources help confirm and justify your organization’s scope, so that your penetration test really meets the intent of the requirements, is crucial to maintaining compliance over time. To avoid rushing the scoping process, be sure to understand the security testing requirements and deadlines well in advance.
Contact us today to learn how SIG Cyber can help your institution get the most out of a PCI internal penetration test.
About the Author:
JR is Director of Penetration Testing at SIG. He holds a BS in Computer Science Engineering from the University of Florida and an MS in Information Assurance and Cybersecurity from the Florida Institute of Technology. JR is an avid collector of security-related certifications, including OSCP, OSWE, GWAPT, CISSP, C|EH, CISA, and PCI QSA. You can find him on Twitter @InfoSecJR.