Penetration Testing
PCI DSS Requirement 11.3 states:
11.3 Perform penetration testing at least once a year and after any
significant infrastructure or application upgrade or modification (such
as an operating system upgrade, a sub-network added to the environment,
or a web server added to the environment). These penetration tests must
include the following:
11.3.1 Network-layer penetration tests
11.3.2 Application-layer penetration tests
Network and application penetration tests are different from
vulnerability scans in that penetration tests are more manual, attempt
to actually exploit some of the vulnerabilities identified in scans, and
follow practices used by hackers to take advantage of weak security
systems or processes.
Before applications, network devices, and systems are released into
production, they should be hardened and secured using security best
practices (per requirement 2.2). Vulnerability scans and penetration
tests will expose any remaining vulnerabilities that could later be
found and exploited by hackers.
Halock will assemble a "Red Team" of ethical hackers in order to analyze
and attempt to exploit vulnerabilities to gain access to cardholder data
assets. Halock's ethical hacking team (Red Team) will test
Internet-facing systems as well as key systems on the internal network
using any appropriate means at their disposal.
Your organization will provide Halock with physical access to the
locations indicated in the scope section below to scan for wireless
networks. Using both wireless network sniffing and onsite physical
inspection, Halock will attempt to identify rogue wireless networks and
access points. The objective of this review is to identify the wireless
access points broadcasting from within your organization's offices and
determine the security of the devices.
Sometimes referred to as Penetration Testing, Ethical Hacking is
performed in conjunction with vulnerability scanning. Halock's "Red
Team" of ethical hackers perform an in-depth analysis of identified
potential high risk vulnerabilities associated with your
organization's systems. The primary objective of this testing is to
gain access to sensitive data assets within the environment as a
practical demonstration of what a malicious individual could accomplish.
Ethical Hacking targets both system and application weaknesses alike. An
application that links corporate information and resources to the Web
gives hackers a new potential entry-point into your organization. In the
race to develop online services, these Web applications have often been
deployed with minimal attention to security risks, with the result that
most corporate sites are surprisingly vulnerable to hacking or
industrial espionage. The following layers are the core focus of ethical
hacking:
User Interface Code - This is the code used to display the interface to a
user, written with web standards such as HTML, JavaScript, CSS, and DHTML.
Web Server Software - This supports the physical communication between the
user's browser and the application written by a third party.
Front-end Systems - The Front-end System interfaces directly with the User
Interface Code, the O.S., and the Backend Systems. Under normal
circumstances a user will not interface directly with this layer; however,
the data that the user passes to the User Interface Code will be passed
through the Front-end System.
Backend Systems - The Backend Systems are the real driving piece of any Web
application. The business needs drive the development of the Backend
Systems, such as authentication directories and databases, and the
resulting code provides the business function, such as facilitating online
transactions.
Infrastructure - The underlying infrastructure of an application includes
the switches, routers, firewalls, and load balancers that facilitate the
flow of information between connected systems.
On-Demand Vulnerability Scanning:
Allows for unlimited scanning of Internet IP addresses to enable
ongoing compliance with the PCI quarterly vulnerability scanning
requirement. Online filing allows for automatic notification to the
acquiring bank once compliance is achieved.

PCI Compliance Management Portal:
An online portal designed to facilitate PCI compliance efforts and to
assist in managing all work efforts related to achieving PCI compliance.
The portal includes PCI-related news articles with expert analysis, a
comprehensive PCI knowledgebase, downloadable tools and templates, and
more.
