Further, it’s important to note that a pen test is a snapshot in time, and new vulnerabilities appear every day. Companies have to employ continuous monitoring throughout their information systems, including the database tier, and be vigilant against attacks. For example, if a pen test was performed on a Monday, the organization may pass the pen test. But what if the next day there’s an announcement of a new vulnerability in database servers that were previously considered secure? And the next week or next month another vulnerability is announced? This is a scenario that plays out on a regular basis.
Companies are constantly playing ‘catch up’ applying patches. Ongoing, regular pen testing is critical and has proven to be a highly accurate method of identifying information system vulnerabilities. To get the most out of a thorough pen test, the system should be properly instrumented to log all activity at the network tier, web tier, and database tier. At the conclusion of the pen test, the logs from these instruments can provide extremely valuable insight into the system’s vulnerabilities: they show which tiers registered each test activity, and which did not.
As with most policies and procedures, however, there still may be issues that need resolving. Many organizations feel that pen testing is an area open to ‘abuse’, most likely because there are no firmly adhered-to rules for the pen testing procedure. It is possible for a pen tester to skirt the process.
The PCI DSS regulation has 12 mandatory requirements, a set of stringent protective guidelines built to preserve the safety and identity of cardholder data. Section 11.3 in particular gets to the heart of the pen test, and it is quite different from the former sub-section requirements.
11.3 is technically not a new requirement. Previous versions of the PCI standard assumed merchants would always conduct legitimate pen tests. Unfortunately, 11.3 is an area of the PCI DSS regulation that has been excessively abused. Companies have previously cut corners on this requirement, and many pen testers were known to conduct meaningless scans in place of real testing. The new 3.0 version of the PCI DSS regulation effectively ends this scenario, and companies will be required to develop and adopt an official methodology for testing. However, some believe that V3.0 is still lacking with regard to the precise industry-accepted pen testing methodology the merchant should implement.
The good news is that the PCI Council has continued to follow up on this issue and is forcing new measures to be adopted by organizations around the world. PCI DSS 3.0 requires that organizations identify the scope of their card data environment and have a pen test conducted that proves the card data environment is truly segmented from the rest of their network and from the open Internet.
With the new rules in place in V3.0, demand for pen testers is on the increase, which is probably a good thing. The new requirements should help stop the abuse and foster policies for accurate pen testing. These new pen testing requirements are long overdue. Merchants need to take pen testing seriously and adopt the new requirements as soon as possible to ensure they’re prepared for their first PCI DSS 3.0 assessment this year.