PCI for Pen Testers - SecTor

Joseph Pierini, CISSP, GCIH, PCI: QSA, PA-QSA, PFI, ASV


Page 1

PCI for Pen Testers

Joseph Pierini, CISSP, GCIH, PCI: QSA, PA-QSA, PFI, ASV

Page 2

WHO AM I?

• Joseph Pierini, Vice President of Technical Services, Payment Software Company (PSC)

– Security Assessor, Penetration Tester

– CISSP, GCIH, PCI: QSA, PA-QSA, PFI, ASV

PSC, Inc.

Page 3

WHAT IS PCI?

• The PCI DSS originally began as five different card-brand programs:

– Visa Cardholder Information Security Program

– MasterCard Site Data Protection

– American Express Data Security Operating Policy

– Discover Information Security and Compliance

– JCB Data Security Program

Page 4

PCI VERSIONS

• Version 1.0: December 2004

• Version 1.1: September 2006

• Version 1.2: October 2008

• Version 1.2.1: August 2009

• Version 2.0: October 2010 (effective January 2011)

• Version 3.0: November 2013

• Version 3.1: April 2015

• Version 3.2: April 2016

• Version 3.2.1: May 2018

Page 5

PAYMENT CARD INDUSTRY SECURITY STANDARDS COUNCIL

• Overseeing the development of PCI standards

• Certifying products and companies capable of fulfilling the scanning requirements (called Approved Scanning Vendors, or ASVs)

• Training and certifying companies (called Qualified Security Assessors, or QSAs) and individuals (called Qualified Security Assessor Personnel, or QSAPs) capable of fulfilling the onsite review requirements

Page 6

WHO HAS TO BE PCI COMPLIANT?

• PCI DSS applies to ALL organizations, regardless of size or number of transactions, that accept, transmit or store any cardholder data:

– Merchants

– Service Providers

Page 7

COMPLIANT WITH WHAT?

• Build And Maintain A Secure Network

– Requirement 1: Install and maintain a firewall configuration to protect cardholder data

– Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

• Protect Cardholder Data

– Requirement 3: Protect stored cardholder data

– Requirement 4: Encrypt transmission of cardholder data across open, public networks

• Maintain A Vulnerability Management Program

– Requirement 5: Use and regularly update anti-virus software

– Requirement 6: Develop and maintain secure systems and applications

• Implement Strong Access Control Measures

– Requirement 7: Restrict access to cardholder data by business need-to-know

– Requirement 8: Assign a unique ID to each person with computer access

– Requirement 9: Restrict physical access to cardholder data

• Regularly Monitor And Test Networks

– Requirement 10: Track and monitor all access to network resources and cardholder data

– Requirement 11: Regularly test security systems and processes

• Maintain An Information Security Policy

– Requirement 12: Maintain a policy that addresses information security

Page 8

WHICH BITS DO WE CARE ABOUT?

• Requirements:

– 6.5: Address common coding vulnerabilities. (OWASP Top 10)

– 6.6: Review public-facing web applications.

– 11.2: Run internal and external network vulnerability scans.

– 11.3.x: Perform internal and external penetration testing.

Page 9

HOW DO THEY SHOW COMPLIANCE?

• Level 1 Merchants:

– Annual Report on Compliance ("ROC") by a Qualified Security Assessor ("QSA")

– Quarterly network scan by an Approved Scanning Vendor ("ASV")

• Level 2 Merchants:

– Annual Self-Assessment Questionnaire ("SAQ")

– Quarterly network scan by ASV

• Level 3 Merchants:

– Annual Self-Assessment Questionnaire ("SAQ")

– Quarterly network scan by ASV

• Level 4 Merchants:

– Annual SAQ recommended

– Quarterly network scan by ASV if applicable

– Compliance validation requirements set by the acquirer

Page 10

EVERYTHING’S FIXED THEN, RIGHT?

• 2006: TJX 45 Million customer credit and debit cards stolen.

• 2007: Fidelity National Information Services, 8.5 million payment cards.

• 2008/2009: Heartland, 130 million credit cards.

• 2010: Genesco Inc, number unknown.

• 2011: Citibank, affecting 360,000 credit card holders.

• 2012: Global Payments 1.5 million credit cards.

• 2013: Target, 40 million credit cards.

• 2014: Home Depot, 56 million credit cards.

• 2015: Excellus Blue Cross Blue Shield, ten million credit cards.

• 2016: Madison Square Garden, number unknown.

• 2017: Equifax, 200,000 credit cards.

• 2018: Orbitz, 880,000 payment cards

Page 11

IF YOU THINK PCI IS CRAP:

You're doing it wrong.

Page 12

CHALLENGES

• It wasn’t the Client’s idea.

• Not all Pen Testers know what they’re doing.

• PCI can be really expensive.

• There’s a lot to cover.

• There aren’t very clear instructions.

Page 13

HOW ARE WE SUPPOSED TO PEN TEST?

• PCI Data Security Standard: Testing Procedures and Guidance

• 2017 Penetration Testing Guidance

• ASV Program Guide

• Guidance for PCI DSS Scoping and Segmentation

Page 14

PCI DSS: TESTING PROCEDURES AND GUIDANCE

• “…simulate a real-world attack situation with a goal of identifying how far an attacker would be able to penetrate into an environment.”

• Include:

– The CDE and connected systems.

– Exploit identified vulnerabilities.

– Per a defined methodology.

– At least annually.

– After any significant changes to the environment.

Page 15

PEN TESTING GUIDANCE

• September 2017:

– Difference between a vulnerability scan and a penetration test.

– Black box vs Grey box testing.

– Qualifications of a penetration tester.

– Requirement for 3rd party pen test methodologies.

– Consideration for social engineering.

– Report content guidelines.

– Scoping suggestions.

Page 16

ASV PROGRAM GUIDE

• February 2017

– Vulnerability severity levels based on the NVD and CVSS Scoring

– Automatic failures

– Common severity language

Page 17

GUIDANCE FOR PCI DSS SCOPING AND SEGMENTATION

• To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that even if the out-of-scope system component were compromised it could not impact the security of the CDE.

• Systems that connect to a system in the CDE are in scope.

• Connections from third-party entities need to be identified to determine inclusion in PCI DSS scope.

• All segmentation controls must also be penetration tested.

Page 18

MY DEFINITION OF SCOPE

It's not out of scope if it can be used against you.

Page 19

RULES OF ENGAGEMENT

"The intent of a penetration test is to simulate a real-world attack situation with a goal of identifying how far an attacker would be able to penetrate into an environment."

– No Denial of Service attacks.

– Handling risky or fragile infrastructure.

– Testing in Staging vs Production.

– Where do you test from?

– When do you stop?

Page 20

SUCCESS CRITERIA

• Possible success criteria may include:

– Direct observation of restricted services in the absence of expected access controls.

– Compromise of an intermediary device used by privileged users to access the CDE.

– Compromise of the Domain used by privileged users.

– Access to Source Code

• The success criteria will be different for every engagement and environment and should be established during the kick-off call prior to testing.

Page 21

EXTERNAL PEN TESTS

• Follows a typical pen test approach.

• Most companies have no idea what they have.

• Compare scope to ASV scans.

• OSINT is your best friend.

• Try to expand scope as much as possible.

Discovery → Enumeration → Vulnerability Analysis → Exploitation → Post-Exploitation
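"Compare scope to ASV scans" and "try to expand scope" are bookkeeping that is easy to get wrong by hand when the scope is a mix of CIDR blocks and single hosts. The script below is an added example, not code from the talk: it reconciles the client-supplied pen test scope against the target list from their most recent ASV scan and against hosts found through OSINT, and reports the three gaps worth raising on the kick-off call. The three address lists are constructed sample data (RFC 5737 documentation ranges); on a real engagement they come from the signed scope document, the ASV report, and your DNS, certificate and code-repository searches.

```python
"""Reconcile an external pen test scope against ASV scan targets and OSINT hosts.

Added example, not code from the talk.  All address lists below are constructed.
"""
import ipaddress


def _merge(nets):
    """Merge adjacent or nested blocks, one address family at a time
    (collapse_addresses refuses mixed IPv4/IPv6 input)."""
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses([n for n in nets if n.version == version]))
    return merged


def collapse(entries):
    """Parse CIDR strings or single addresses ("198.51.100.10" becomes a /32) and merge them."""
    return _merge([ipaddress.ip_network(e, strict=False) for e in entries])


def uncovered(sources, cover):
    """Return the address blocks in `sources` that lie outside every block in `cover`.

    Two CIDR blocks are either disjoint or nested, so each source block is kept,
    dropped, or carved up with address_exclude() when a cover block sits inside it.
    """
    remaining = collapse(sources)
    for c in collapse(cover):
        kept = []
        for r in remaining:
            if r.version != c.version:
                kept.append(r)                      # v4 and v6 never overlap
            elif r.subnet_of(c):
                continue                            # fully covered: drop it
            elif c.subnet_of(r):
                kept.extend(r.address_exclude(c))   # keep only the parts outside c
            else:
                kept.append(r)
        remaining = kept
    return _merge(remaining)


def reconcile(pentest_scope, asv_targets, osint_hosts):
    """Three questions for the kick-off call, each as a sorted list of CIDR strings."""
    both = list(pentest_scope) + list(asv_targets)
    return {
        # Scanned by the ASV every quarter but excluded from the pen test: why?
        "asv_only": [str(n) for n in uncovered(asv_targets, pentest_scope)],
        # In the pen test scope but never ASV-scanned: the quarterly scan is incomplete.
        "pentest_only": [str(n) for n in uncovered(pentest_scope, asv_targets)],
        # Found in the open but in neither list: candidates for expanding scope.
        "osint_unscoped": [str(n) for n in uncovered(osint_hosts, both)],
    }


# Constructed sample data (RFC 5737 documentation ranges), not a real client.
PENTEST_SCOPE = ["203.0.113.0/26", "198.51.100.10", "198.51.100.11"]
ASV_TARGETS = ["203.0.113.0/24", "198.51.100.10", "192.0.2.77"]
OSINT_HOSTS = ["203.0.113.200", "198.51.100.11", "192.0.2.5"]   # e.g. from DNS, CT logs, GitHub

if __name__ == "__main__":
    for bucket, nets in reconcile(PENTEST_SCOPE, ASV_TARGETS, OSINT_HOSTS).items():
        print(f"{bucket}: {', '.join(nets) or 'none'}")
```

With the sample data the ASV is scanning three quarters of a /24 that the pen test would skip, one host in the pen test scope has never been ASV-scanned, and one OSINT hit is in neither list. Each of those is a scope conversation to have before testing starts, not after the report is delivered.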

Page 22

INTERNAL PEN TESTS

• Attack the privileged users, not the CDE.

• Auxiliary networks like VOIP, Climate Control, Printer.

• There is no such thing as a “Guest Network”.

• Automation is your best friend.

Page 23

A WORD ABOUT SEGMENTATION TESTING

• The Information Supplement Penetration Testing Guidance Section 4.2.3 Segmentation:

– Performed by conducting tests used in the initial stages of a network penetration test.

– It should verify that all isolated LANs do not have access into the CDE.

– Sampling is OK.

– Service Providers = 2 X per year.

Page 24

HOW TO TEST

• Target all assets and networks defined as the CDE.

• Include all TCP and UDP ports that are considered "risky", e.g., those allowing network pivoting or remote code execution.

• Include VoIP, Wireless, Audio Visual and Environmental Control networks in scanning when possible.

• Be prepared for it to take more time than expected.

Page 25

WHAT'S ALLOWED IN

• Some connectivity may be required and permissible.

• Ensure non-risky open ports have a documented business justification.

• All remote access protocols must require multi-factor authentication (MFA).

• All web applications must have been tested for vulnerabilities or functionality that allow remote command injection or script execution.
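The segmentation test (Page 23), the "how to test" scan (Page 24) and the "what's allowed in" rules (Page 25) come together in one question: of everything the scan from the supposedly isolated segment can reach in the CDE, what is a segmentation failure, what is justified, and what still needs a manual check? The script below is an added example, not code from the talk or from PSC. It parses nmap greppable (-oG) output captured on a host in the "out of scope" segment, scanning toward the CDE range, and applies the talk's rules: a pivot- or RCE-capable service reachable at all is a failure unless it is a justified remote-access path (which then needs its MFA verified), any other open port needs a documented business justification, and UDP "open|filtered" results are inconclusive rather than clean. The scan text, the risky-port table and the justification allow-list are all constructed for the example.

```python
"""Evaluate a segmentation scan from an out-of-scope segment toward the CDE.

Added example, not code from the talk.  The scan output, risky-port list and
allow-list of justified connections are constructed; on an engagement the
allow-list comes from the client's documented business justifications.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Services that allow pivoting or remote code execution if reachable.
# Example list only: build your own from what actually runs in the CDE.
RISKY_PORTS = {
    ("tcp", 22): "ssh", ("tcp", 23): "telnet", ("tcp", 135): "msrpc",
    ("tcp", 139): "netbios-ssn", ("tcp", 445): "smb", ("tcp", 1433): "mssql",
    ("tcp", 3306): "mysql", ("tcp", 3389): "rdp", ("tcp", 5900): "vnc",
    ("tcp", 5985): "winrm", ("tcp", 5986): "winrm-ssl", ("udp", 161): "snmp",
}

# Constructed allow-list: (host, proto, port) -> documented business justification.
JUSTIFIED: Dict[Tuple[str, str, int], str] = {
    ("10.10.20.5", "tcp", 443): "HTTPS to payment API from call-centre VLAN (CHG-0412)",
    ("10.10.20.5", "tcp", 22): "Admin SSH jump host, MFA via RADIUS (CHG-0388)",
}

# Constructed nmap -oG output, as if run from the "isolated" VLAN toward the CDE range.
SAMPLE_SCAN = """\
# Nmap 7.93 scan initiated Tue Oct  3 10:02:11 2023 as: nmap -sS -sU -p T:1-65535,U:53,161,500 -oG seg.gnmap 10.10.20.0/24
Host: 10.10.20.5 ()\tStatus: Up
Host: 10.10.20.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 443/open/tcp//https///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: filtered (997)
Host: 10.10.20.9 ()\tStatus: Up
Host: 10.10.20.9 ()\tPorts: 445/open/tcp//microsoft-ds///, 161/open|filtered/udp//snmp///\tIgnored State: closed (998)
# Nmap done at Tue Oct  3 11:40:52 2023 -- 256 IP addresses (2 hosts up) scanned
"""


@dataclass
class Finding:
    host: str
    proto: str
    port: int
    service: str
    verdict: str     # FAIL, REVIEW, PASS or INCONCLUSIVE
    reason: str


def parse_gnmap(text: str):
    """Yield (host, proto, port, state, service) for every port entry in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = next(f for f in line.split("\t") if f.startswith("Ports:"))
        for entry in ports_field[len("Ports:"):].split(","):
            # Each entry is port/state/proto/owner/service/rpc/version/
            parts = entry.strip().split("/")
            yield host, parts[2], int(parts[0]), parts[1], parts[4]


def evaluate(text: str, justified=JUSTIFIED) -> List[Finding]:
    """Apply the segmentation rules to every port the scan reported."""
    findings = []
    for host, proto, port, state, service in parse_gnmap(text):
        key = (host, proto, port)
        if state == "open|filtered":
            findings.append(Finding(host, proto, port, service, "INCONCLUSIVE",
                                    "UDP probe unanswered; confirm with a service-specific probe"))
        elif state != "open":
            continue                                  # closed/filtered: segmentation held
        elif (proto, port) in RISKY_PORTS and key in justified:
            findings.append(Finding(host, proto, port, service, "REVIEW",
                                    "risky service allowed in; verify MFA and justification: " + justified[key]))
        elif (proto, port) in RISKY_PORTS:
            findings.append(Finding(host, proto, port, service, "FAIL",
                                    "pivot/RCE-capable service reachable from an out-of-scope segment"))
        elif key in justified:
            findings.append(Finding(host, proto, port, service, "PASS", justified[key]))
        else:
            findings.append(Finding(host, proto, port, service, "FAIL",
                                    "open port with no documented business justification"))
    return findings


def overall_verdict(findings: List[Finding]) -> str:
    """One FAIL fails the segmentation test; anything unresolved is not a pass."""
    verdicts = {f.verdict for f in findings}
    if "FAIL" in verdicts:
        return "FAIL"
    if "INCONCLUSIVE" in verdicts or "REVIEW" in verdicts:
        return "REVIEW"
    return "PASS"


if __name__ == "__main__":
    results = evaluate(SAMPLE_SCAN)
    for f in results:
        print(f"{f.verdict:12} {f.host}:{f.proto}/{f.port} ({f.service}) - {f.reason}")
    print("Segmentation test:", overall_verdict(results))
```

With the sample scan, SMB on 10.10.20.9 reachable from the isolated VLAN is the failure that breaks segmentation; the justified SSH jump host is not a pass until the MFA claim has been verified by direct observation; and SNMP is a follow-up with a real SNMP probe, not a clean result. Filtered ports are dropped because the scan itself is the evidence that the control held. Note that nmap version strings in -oG output can contain commas, so on real output check the parsed port list against the XML (-oX) before trusting a clean result.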

Page 26

CLOUD TYPES

• Private vs Public

• SaaS (Software as a Service)

– Vendor manages everything.

• PaaS (Platform as a Service)

– Client manages: Applications, Data

• IaaS (Infrastructure as a Service)

– Client manages: Applications, Data, Runtime, Middleware, Operating System

Page 27

GET PERMISSION FIRST

• AWS Vulnerability and Penetration Testing:

– https://aws.amazon.com/security/penetration-testing/

– https://aws.amazon.com/forms/penetration-testing-request?catalog=true&isauthcode=true

• Azure Vulnerability and Penetration Testing:

– As of June 15, 2017, Microsoft no longer requires pre-approval to conduct penetration tests against Azure resources.

– https://docs.microsoft.com/en-us/azure/security/azure-security-pen-testing

– https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement

• Google Cloud Penetration Testing:

– "If you plan to evaluate the security of your Cloud Platform infrastructure with penetration testing, you are not required to contact us to begin testing."

– https://cloud.google.com/security/

• Oracle Cloud, Scheduling Maintenance Requests for Penetration and Vulnerability Testing:

– https://docs.oracle.com/en/cloud/get-started/subscriptions-cloud/mmocs/scheduling-maintenance-requests-penetration-and-vulnerability-testing.html

• SAP (requires account login):

– https://apps.support.sap.com/sap/support/knowledge/preview/en/2577930

• Salesforce: "Please complete the following steps to schedule the assessment a minimum of 5 business days prior to starting:"

– https://help.salesforce.com/articleView?id=000206497&type=1

Page 28

TESTING TIPS

• Review the Client's base image.

• Scope may be dynamic.

• OSINT: Google, GitHub, GitLab, BitBucket, SourceForge, Pastebin.

• Your Client may also have out-of-scope networks in the Cloud.

Page 29

OUR CDE IS IN THE CLOUD

• Scenario: The Client has a Cloud-based virtual data center that they access and manage, from anywhere in the world, through a 2-factor, on-demand VPN to a remote jump-box. Do they still need to do an internal penetration test?

• Answer: Yes.

• Why? The environment where users routinely access in-scope systems presents an attacker with a unique opportunity to steal those credentials or manipulate that traffic.

Page 30

REPORTING

• Executive Summary

• Statement of Scope

• Statement of Methodology

• Statement of Limitations

• Testing Narrative

• Segmentation Test Results

• Findings

Page 31

REPORTING THE FINDINGS.

• Findings

– Indication if the CDE could be exploited using the vulnerability

– Risk / Severity

– Targets Affected

– References (if available): CVE, CWE, BID, OSVDB, etc.

– Vendor and/or Researcher

– Description

Page 32

ISSUES WITH REMEDIATION

• Remediate everything in the attack chain.

• There is no risk acceptance in PCI.

• Plan for the Client to screw it up.

• Don’t deliver the report and walk away.

Page 33

RETESTING

• Requirement 11.3.3: Examine penetration testing results to verify that noted exploitable vulnerabilities were corrected and that repeated testing confirmed the vulnerability was corrected.

• Prove it:

– Direct Observation

– Review of Documents

Scoping → Testing → Reporting

Page 34

IN SUMMARY

• The Standard drives the engagement.

• Post-exploitation is required.

• It's not about "us" against "them".

• Do it correctly and this will be their best pen test ever.

Page 35

QUESTIONS?