Kevin Beaver's Security Blog

A resource to help with PCI DSS 3.0’s penetration testing methodology requirements

PCI DSS has been getting a lot of buzz lately and the latest version 3.0 will continue gaining momentum until the many small and medium-sized businesses get their arms around the new requirements. Of particular interest is the updated requirement 11.3 (below) which is much more prescriptive on how to find the actual security flaws that matter.

I’ve always believe that you can’t secure what you don’t acknowledge…PCI DSS 3.0 now mandates a formal methodology for security testing that:

• Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
• Includes coverage for the entire CDE perimeter and critical systems
• Testing from both inside and outside the network
• Includes testing to validate any segmentation and scope-reduction controls
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
• Defines network-layer penetration tests to include components that support network functions as well as operating systems
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
• Specifies retention of penetration testing results and remediation activities results.

These updates are no doubt an evolution of the realization that many people were simply performing basic vulnerability scans of network hosts or hiring fly-by-night “pen-testers” to seek out one or two easy wins in the cardholder data environment rather than performing a more in-depth security assessment that looks at everything that matters.

I suspect many people (especially those working in SMBs with limited resources) will migrate towards the NIST standard similar to how many people have jumped on the “cybersecurity” bandwagon. There’s also the resourceful Open Source Security Testing Methodology Manual (OSSTMM) that’s been around quite some time.

The important thing you need to know is that none of these standards will be a best-fit, end all be all solution for your organization. Similar to exercise and diet programs for individuals and strategic corporate plans for businesses, every person/organization has their own unique needs when it comes to information security testing. The interesting thing to be in many of these standards, and just general popular belief, is that open source tools are all you need to perform an effective security assessment. I’ve said time and again, in all but a handful of scenarios, you’re going to get what you pay for with your security testing tools. Outside of the awesome Metasploit tool and a few mostly forgettable others I’ve used over the years, I’ve yet to find any open source tool that works a fraction as well as the commercial alternatives.

With PCI DSS 3.0, or whatever requirement, your information security test tools and methodologies will absolutely define your testing outcomes and ultimately your business risks. Before going down yet another confusing path in the name of security and compliance, everything you need to know to get started – and darn near master – your penetration testing is outlined in my book Hacking For Dummies…I hope this helps and best of luck: