
PCI PENETRATION TESTING

The PCI DSS (Payment Card Industry Data Security Standard) mandates, for organisations in scope, both
regular vulnerability assessment (quarterly external scans by an Approved Scanning Vendor, the PCI
ASV scan) and penetration testing (at least annually and after significant changes to the environment).
There is, however, a very significant difference between the two approaches:

Vulnerability Assessment: essentially a battery of clever, usually automated tests or security-tool
exercises that look for (generally) known lists of vulnerabilities. Whilst these do reduce risk by
providing excellent coverage, they are prone to false positives (and, knowing nothing of what the
application is meant to do, to false negatives) and do not replace the intuition and creativity of a
penetration testing consultant; hence the need for a periodic penetration test.
Penetration Testing: this term refers to the use of a penetration testing consultant who undertakes
testing using experience, strong intuition, guidance from standards such as OWASP (the Open Web
Application Security Project, please see www.OWASP.org), a mixture of best-of-breed vulnerability
assessment, penetration testing and other security testing tools, together with bespoke scripts and
other in-house written applications. A penetration testing team will also provide customised
guidance in the form of both a technical and a business-driven report, which serves as a living
document against which remediation activities may be driven by the client and the PCI QSA
consultant during a PCI DSS audit. Please see our PCI testing for further details.
APPLICATION PENETRATION TESTING: TECHNOLOGIES

Applications are written in many different technologies. Whatever the stack, the applications are
assessed and tested against conventional security issues such as:
1. Cross-Site Scripting,
2. SQL Injection,
3. Cross-Site Request Forgery,
4. File Include (local and remote),
5. (Insecure) Direct Object Reference, etc.

as well as business logic bypass issues, to assess the risk of unauthorised access to information (i.e.
rather than testing only from the front door, what can be reached laterally within an application using
genuine but possibly stolen credentials, such as another customer's records?).
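As an added illustration (example code written for this page, not the consultancy's own tooling), the following Python script models two of the issues listed above, SQL injection and an insecure direct object reference, against a constructed in-memory SQLite table of orders. `get_order_vulnerable` concatenates the user-supplied identifier into the query and never checks ownership; `get_order_safe` validates the identifier, binds it as a parameter and enforces ownership inside the query. `probe` is a crude version of the checks a tester scripts: does a tautology payload widen the result set, and can a genuine but unrelated user read another customer's record? The table name, column names and sample rows are assumptions made for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data for the example: orders belonging to two customers (100 and 200)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER, card_last4 TEXT)")
    db.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, 100, "4242"), (2, 200, "1111"), (3, 200, "9999")],
    )
    return db


def get_order_vulnerable(db, order_id: str, user_id: int):
    """Deliberately weak handler: the identifier is concatenated into the SQL (injection)
    and the logged-in user's ownership of the order is never checked (IDOR)."""
    sql = "SELECT id, owner_id, card_last4 FROM orders WHERE id = " + order_id
    return db.execute(sql).fetchall()


def get_order_safe(db, order_id: str, user_id: int):
    """Hardened handler: strict input validation, a bound parameter instead of string
    building, and the ownership check expressed in the query so it cannot be forgotten."""
    if not order_id.isdigit():
        return []
    return db.execute(
        "SELECT id, owner_id, card_last4 FROM orders WHERE id = ? AND owner_id = ?",
        (int(order_id), user_id),
    ).fetchall()


def probe(handler, db, attacker_user_id: int = 100, victim_order_id: str = "2"):
    """Crude checks of the kind a tester scripts against an endpoint:
    1. does a tautology payload return more rows than a plain request (SQL injection)?
    2. can an authenticated user read an order they do not own (direct object reference)?
    Returns the list of findings, in that order."""
    findings = []
    baseline = handler(db, "1", attacker_user_id)
    injected = handler(db, "1 OR 1=1", attacker_user_id)
    if len(injected) > len(baseline):
        findings.append("sql_injection")
    foreign = handler(db, victim_order_id, attacker_user_id)
    if any(owner != attacker_user_id for _, owner, _ in foreign):
        findings.append("idor")
    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_order_vulnerable), ("safe", get_order_safe)):
        print(name, probe(handler, build_db()))
```

Note that the safe handler fixes the logic bypass as well as the injection: customer 100 asking for order 2 gets an empty result rather than customer 200's card digits, which is exactly the lateral check described above.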

Types of Penetration Tests

Network services test: This is one of the most common types of penetration test. It involves
finding target systems on the network, searching for openings in their base operating systems and
available network services, and then exploiting them remotely. Some of these tests take place
remotely across the Internet, targeting the organisation's perimeter networks. Others are launched
locally, from the target's own business facilities, to assess the security of the internal network or
the DMZ from within, showing what an internal user (or an attacker who has gained a foothold)
could reach.
Client-side test: This kind of penetration test is intended to find and exploit vulnerabilities in
client-side software, such as web browsers, media players and document editing programs.
Web application test: These penetration tests look for security vulnerabilities in the web-based
applications and programs deployed on the target environment. The scope and depth of testing are
driven by the application's functionality, its roles and user privileges, and the nature of the
information it processes.
Remote dial-up war dial: These penetration tests look for modems in a target environment, and
normally involve password guessing or brute forcing to log in to systems connected to discovered
modems.
Wireless security test: These penetration tests involve surveying a target's physical environment to
find unauthorised (rogue) wireless access points, or authorised access points with security
weaknesses.
Social engineering test: This type of penetration test involves attempting to trick a user into
revealing sensitive information such as a password or other sensitive data. These tests are often
conducted over the phone, targeting selected help desks, users or employees, and evaluate
processes, procedures and user awareness.
Database penetration testing: The database is often an overlooked component of an organisation's
security, and hence possibly its most vulnerable; it is also, of course, the location in which vast and
rich amounts of data reside (for PCI DSS, cardholder data in particular). The security of the database
is analysed from a number of perspectives, including:

Attacks coming from internal users (authenticated and unauthenticated access)

Security of the data within the database (e.g. the encryption and hashing techniques used for
storing sensitive data, such as credentials and card data)

Database hardening and configuration
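Added example (not part of the original page): a Python audit of the "security of the data within the database" point above, run over a constructed SQLite users table that mixes plaintext, unsalted MD5/SHA-1 hashes and properly derived credentials. `classify` recognises the storage format from its shape and rates it, `audit` runs that over the table, and `store_password`/`verify_password` show the reference storage a tester would recommend (random per-user salt, PBKDF2-HMAC-SHA256, constant-time comparison). The table layout, sample rows, the bcrypt-shaped placeholder string and the format patterns are assumptions made for the example; the iteration count follows OWASP's current recommendation for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Recognised storage formats (assumed patterns for the example). The rating is the tester's
# verdict: unsalted fast hashes can be cracked at GPU speed, anything unrecognised is
# treated as plaintext until proven otherwise.
FORMATS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "ok"),
    ("pbkdf2-sha256", re.compile(r"^pbkdf2_sha256\$\d+\$[0-9a-f]+\$[0-9a-f]+$"), "ok"),
    ("md5-hex", re.compile(r"^[0-9a-f]{32}$"), "weak"),
    ("sha1-hex", re.compile(r"^[0-9a-f]{40}$"), "weak"),
    ("sha256-hex", re.compile(r"^[0-9a-f]{64}$"), "weak"),
]

PBKDF2_ITERATIONS = 600_000  # OWASP minimum for PBKDF2-HMAC-SHA256


def classify(stored: str):
    """Return (format, rating) for one stored credential value."""
    for name, pattern, rating in FORMATS:
        if pattern.match(stored):
            return name, rating
    return "unrecognised/plaintext", "critical"


def store_password(password: str) -> str:
    """Reference storage: random per-user salt, slow KDF, self-describing string."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db() -> sqlite3.Connection:
    """Constructed sample credential table (not real data); one row per storage style."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    rows = [
        ("alice", "Summer2019!"),                                  # plaintext
        ("bob", hashlib.md5(b"letmein").hexdigest()),             # unsalted MD5
        ("carol", hashlib.sha1(b"qwerty").hexdigest()),           # unsalted SHA-1
        # bcrypt-shaped placeholder (correct length and alphabet, not a real hash)
        ("dave", "$2b$12$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
        ("erin", store_password("correct horse battery staple")),  # salted PBKDF2
    ]
    db.executemany("INSERT INTO users VALUES (?, ?)", rows)
    return db


def audit(db) -> list:
    """Classify every stored credential; returns [(username, format, rating), ...]."""
    cur = db.execute("SELECT username, password FROM users ORDER BY username")
    return [(user, *classify(stored)) for user, stored in cur]


if __name__ == "__main__":
    for user, fmt, rating in audit(build_db()):
        print(f"{user:8} {fmt:24} {rating}")
```

Two practitioner caveats that the shape check cannot settle: a value that looks like a salted scheme may still use a tiny iteration count or a shared salt, so read the configured parameters as well as the format, and a column named `password` is not the only place credentials hide (application config tables, audit logs and backups deserve the same pass).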

Penetration Testing Framework

The Penetration Testing Framework by Toggmeister and Lee Lawson is one of the best free
penetration testing methodologies. It gives a step-by-step walkthrough of the different aspects of a
network penetration test, including the tools to use at each stage (with a link for each tool) and the
commands used with each of them.
The framework walks its reader through several phases, step by step, covering reconnaissance,
scanning, social engineering, exploitation, enumeration of target systems, and more.
A number of sections focus on specific technology, such as Voice over IP (VoIP), AS/400 system
security, wireless LAN (WLAN) assessments and Bluetooth security analysis. There is also a section
on analysing Cisco routers and similar devices.
Penetration Testing Framework Summary:
Written by Toggmeister and Lee Lawson
Heavily focused on network penetration tests
Detailed, with specific tools and commands for penetration testing
Step by step guide and links for tools
Includes Reconnaissance, Scanning, Probing, Social Engineering, Enumeration,
Exploitation and many more.
Includes sections on VoIP, AS/400, WLAN, Bluetooth and Cisco