PCI 3, Requirement 11: PCI Penetration Testing and Wireless Security Explained

Understanding and fulfilling PCI 11, Requirement 3 can be daunting, but NopSec is here to help you through it.

11.1 – Wireless Network Tests and Identification of Rogue Access Points

Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

Note: Methods that may be used in the process include but are not limited to: wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.

PCI requirement 11.1 requires the use of a test of wireless access points in an organization’s cardholder environment on a quarterly basis. This is to ensure that rogue wireless networks are not present.

11.1.1 – Inventory of Authorized Wireless Access Points

An organization will be required to have documented an inventory of authorized wireless access points and business justification for these access points. As part of a mature vulnerability management process, this can be achieved easily by combining this requirement with the requirement for detection of Rogue Access Points to manage the inventory easily and in an automated fashion.

Steps to satisfying Requirement 11.1

• Log the date and time of the quarterly assessment
• Document inventory of authorized wireless access points
• Document the tools and methodologies used by the assessment team or individual
• Maintain logs of any rogue access points that might have been detected
• Document incident response steps taken if the presence of rogue access points were detected

11.2 – Quarterly Internal and External Network Vulnerability Scans

Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades)

Internal scans do not require a PCI SSC Approved Scanning Vendor (ASV). External, however, must be performed by an ASV.

For vulnerabilities detected in these scans, the organization must rescan to verify the implementation of remediations against these vulnerabilities.

11.3 – Implement a Methodology for Penetration Testing

This requirement states the establishment of a penetration testing methodology. The methodology is to be based on industry-accepted penetration testing approaches. The PCI DSS 3 document specified NIST SP800-115 as an example. Other advanced penetration testing methodologies include:

• ISECOM OSSTM – Open Source Security Testing Methodology
• OISSG ISSAF – Information Systems Security Assessment Framework
• OWASP Testing Project for Web application testing
• Sandia National Laboratories IDART – Information Design Assurance Red Team Methodology
• NSA IAM – Information Security Assessment Methodology

Scope

The scope includes:

• Coverage for the entire Cardholder Data Environment (CDE) perimeter and critical systems
• Internal and External network testing
• Validation of network segmentation and scope-reduction controls
• Application-layer penetration tests
• Remediation and Retesting including review of discovered vulnerabilities

This best practice becomes a requirement of PCI DSS 3.0 starting June 30, 2015.

Sections 11.3.1 and 11.3.2 require that organizations perform annual penetration tests on their application and network layers including external and internal testing. These tests are to be carried out on at least an annual basis or when a significant change is made to the environment. Following best practices of regression testing, however, the individual responsible for ensuring PCI Compliance will have to designate what includes a ‘significant’ change.

This requirement mandates that an experienced penetration tester, not a part of the team managing the cardholder environment, carry out the test. This individual is not required to be a Qualified Security Assessor (QSA) or Approved Scanning Vendor (ASV).

Section 11.3.3 requires that exploitable vulnerabilities discovered during penetration testing be remediated and that retesting be carried out to verify that the vulnerabilities have been remediated.

Section 11.3.4 requires that a penetration test be performed at least annually and after any changes to segmentation and scope-reduction controls around the CDE in the case that the network has been segmented to isolate the CDE from other networks. This is to verify that all segmentation methods are operational and effective in isolating all out-of-scope systems from in-scope systems.

Challenges

One of the key challenges is actually formulating a methodology or identifying an industry-accepted best practice. For segmentation testing, clear definitions of the scope have to be documented and implemented.

Since this practice becomes a requirement in June 2015, organizations will face the challenge of finding experienced penetration testers (either external or in-house) who would be able to schedule not only the initial tests but also be available for remediation and regression penetration tests.

How to Prepare

First, leading security initiatives with a mature vulnerability management process is the best way to begin. This enables an organization to not only define their scope better but also have less concerns at the end of a penetration test in terms of remediation. Compliance-driven security forces an organization to implement certain controls but in the age of multi-vector attacks via indirect channels, ensuring coverage over all business critical systems as opposed to CDE systems significantly lowers risk.

Also, staffing IT teams with more security professionals as well as promoting security awareness helps build a culture of proactive security.

Finally, implement vulnerability management platforms to make the process automated, scalable, and repeatable, while harnessing industry standard intelligence and analytics.