Two core phases of Penetration Testing

Smedjegatan 2c | SE-131 54 Nacka | Sweden | +46 (0)8 535 24 100 | www.24solutions.com

Penetration testing can be broken down into two core phases: scanning and exploiting.
Simply put: know what you’re dealing with; then push the red “fire” button and unleash hell.
This also applies to any PCI-related pentest being carried out against the infrastructure layer
of an entity under assessment.

PCI and penetration testing

A very important aspect in PCI-related penetration testing is that out of the total set of issues that would result from the whole testing campaign, only a specific subset will most likely have an impact on compliance.

PCI DSS is all about securing cardholder data. This means that, regardless of how critical an issue might be, any relevant findings are subject to further “filtering” criteria where only possible direct and indirect impacts on card data confidentiality are considered relevant for compliance. Basically, unless Confidentiality of cardholder data is directly or indirectly in jeopardy, Availability and Integrity generally don’t determine any impact on compliance on their own.

The PCI DSS standard defines a security baseline for any organization that processes, transmits, or stores cardholder data. Being compliant involves satisfying the requirements; it does not mean that the organization’s business is exhaustively and thoroughly secure and all related security objectives are met.

Scanning phase

The main goal of the scanning phase is to learn more about the target environment and find openings by directly interacting with any detected target system and/or network component. As a positive side-effect, scanning might lead to identifying further items that were not included in the PCI scope of the target environment.

Several types of scans are performed during this phase, including but not limited to:

» Network sweeping: aims at identifying which hosts are actually live by sending packets to all network addresses in a specific target range
» Port scanning: once live hosts have been detected, this phase discerns potential openings in all target machines by looking for listening TCP and/or UDP ports
» OS fingerprinting: aims at determining the target operating system type based on network behavior
» Service detection: attempts to determine both the version and type of service which is presumably bound to the listening port
» Vulnerability scanning: a crucial part of the scanning process, since it measures whether, based on the above, the target machines COULD be affected by one of the thousands of potential vulnerabilities, including but not limited to misconfigurations or unpatched services
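The scanning output only becomes useful for a PCI assessment once it is triaged: hosts that turn up outside the declared scope need to be flagged, and findings need to be filtered by whether they put cardholder-data confidentiality at risk. The following Python script is an added example, not 24 Solutions' tooling; the findings, the `10.10.1.0/24` scope, the `Finding` fields and the `handles_chd` flag are all constructed for illustration.

```python
"""Triage scan findings against a declared PCI scope (constructed example).

Hypothetical helper, not 24 Solutions' tooling. It demonstrates two points
from the text: scanning can surface components that were left out of the
declared PCI scope, and only findings that put cardholder-data confidentiality
at risk, directly or indirectly, determine compliance impact on their own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    service: str          # result of service detection
    title: str            # result of vulnerability scanning
    impact: frozenset     # subset of {"C", "I", "A"} as rated by the assessor
    handles_chd: bool     # component stores, processes or transmits cardholder data


# Declared PCI scope (constructed CIDR ranges)
PCI_SCOPE = (ip_network("10.10.1.0/24"),)

# Constructed findings, roughly as a vulnerability scanner would report them
SAMPLE_FINDINGS = (
    Finding("10.10.1.5", 443, "tcp", "https", "TLS 1.0 enabled on payment API", frozenset("C"), True),
    Finding("10.10.1.9", 80, "tcp", "http", "HTTP service prone to resource exhaustion", frozenset("A"), True),
    Finding("10.10.2.17", 3306, "tcp", "mysql", "Database reachable without authentication", frozenset("CI"), True),
    Finding("10.10.1.20", 161, "udp", "snmp", "SNMP default community string", frozenset("C"), False),
    Finding("10.10.1.30", 21, "tcp", "ftp", "Anonymous FTP upload allowed", frozenset("I"), False),
)


def in_scope(host, scope=PCI_SCOPE):
    """True if the host address falls inside one of the declared scope ranges."""
    addr = ip_address(host)
    return any(addr in net for net in scope)


def classify(finding):
    """Apply the filtering rule: only Confidentiality impact on card data counts.

    'direct'   - C impact on a component that handles cardholder data
    'indirect' - C impact on a component that does not itself handle it
                 (e.g. a management service on the same network)
    'none'     - Availability/Integrity only: no compliance impact on its own
    """
    if "C" not in finding.impact:
        return "none"
    return "direct" if finding.handles_chd else "indirect"


def triage(findings, scope=PCI_SCOPE):
    """Bucket findings by compliance relevance and flag scope gaps."""
    report = {"scope_gaps": [], "direct": [], "indirect": [], "none": []}
    for f in findings:
        # A cardholder-data component outside the declared scope is a scope gap
        if f.handles_chd and not in_scope(f.host, scope):
            report["scope_gaps"].append(f)
        report[classify(f)].append(f)
    return report


def summary(report):
    """Compact host:port/proto view of each bucket, handy for the report."""
    return {k: [f"{f.host}:{f.port}/{f.proto}" for f in v] for k, v in report.items()}


if __name__ == "__main__":
    for bucket, items in summary(triage(SAMPLE_FINDINGS)).items():
        print(f"{bucket:10s} {items}")
```

The "none" bucket is not discarded: those findings still go into the technical report, they just do not drive the compliance conclusion by themselves, which is the distinction the text draws between a secure business and a compliant one.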
Exploitation phase

The main aim of the exploitation phase is to demonstrate the actual presence of exploitable vulnerabilities as detected in the previous core phase, with special focus on the ones through which card data could be exposed and compromised. During this phase the tester tries to actively gain access by circumventing security measures that are in place, then expands that access and elevates the level of privilege obtained. This is normally achieved through:

» Searching for proof of concept code in the tester’s repository
» Searching for exploit code from publicly available sources
» Development of own tools/scripts
» Using tools, scripts, exploit and/or proof of concept code against the target to gain as many points of unauthorized access as possible
A successful exploitation phase eventually offers proof that vulnerabilities are actually there to harm, helping to identify the relevant threat scenarios that may directly or indirectly affect cardholder data and, thus, PCI compliance.

About 24 Solutions

24 Solutions specializes in security, high availability and compliance. Our solutions provide functions that store, protect, manage and make our customers’ data available at all times, either in our own data centers or in the cloud. 24 Solutions has a cutting-edge PCI DSS certified platform and is also an independent PCI QSA and PA-QSA company – a unique combination.

24 Solutions protects millions of card transactions yearly. Our clients include some of Sweden’s largest players in the payment industry. They rely on us to keep their data safe and their IT operations up and running, so that they can focus on their core business.

24 Solutions was founded in 2001 and is located in Stockholm.