Network Penetration Testing 101
Learn about Network Penetration Testing.
QSA, PA-QSA, CISSP, CISA
The PCI SSC requires penetration tests whenever a business makes significant changes in their IT environment. For example, if you change from SSL to IPsec, or you introduce new network zones (new departments).
Whether you're building a network, or you're in your tenth year of PCI DSS certification, you'll need to pen test your network. Here's the info you need to get started:
What is a Network Penetration Test?Penetration testing in general is a type of "ethical certified hacking" during which a pen tester will attempt to enter and exploit your IT environments. There are a few types: Segmentation Checks, Application Penetration Tests, Wireless Penetration Tests, and Network Penetration Tests.
Segmentation Checks look for misconfigured firewalls. Application Penetration Tests find security issues that are due to application coding flaws. But when we pen test a network, we look for security issues in the design, implementation, and maintenance of servers, workstations, and network services.
SEE ALSO: Types of Penetration Testing; The What, The Why, and The How
Hackers will target anything that stores, processes or transmits credit card information or personal identifying information (PII). And if you're in the HIPAA realm, that includes protected health information (PHI). The location(s) at which you store this information are collectively known as the Cardholder Data Environment (CDE).
So, a Network Pen Test is mainly concerned with three areas:
- The Cardholder Data Environment (CDE): servers.
- The Corporate Zone: all employee devices.
- The Shared Services Area: supporting servers (logging, directory), IT admin.
What Will the Pen Tester Look For?Network Penetration Tests commonly find the following security issues: misconfigured software, firewalls, and operating systems; outdated software and operating systems; Insecure protocols; unnecessary exposures.
To discover these problems, a professional penetration tester will first scour and test the perimeters of all the zones and areas, look at access points between them, and try to travel between zones that are not meant to connect. Then, they’ll test critical systems. This includes any technology that is not directly connected to the CDE but, if compromised, could give access to an attacker.
SEE ALSO: Network Penetration Testing Webinar
A pen tester looks for potential stepping stones. For example, they might look into the shared services zone, which includes employee devices. If a hacker compromised an employee device, could they then pivot and access the CDE? Could they "up" their privileges?
There are five stages of a professional pen test:
- High-level overview: understand the environment to be tested
- Validate automated scans: look for indications of scan interference + eliminate false positives
- Identify Issues: Is the protocol secure? And, on a given service:
- Is the service still maintained?
- What are the recommended steps for securing the service?
- What are security issues that have been recently identified and patched?
- Are there common trends for how the service can be misconfigured?
- Are there service-specific scanners or scripts?
- Exploitation: Determine actual impact of an issue. Attempt to pivot and exploit the trust relationship between the compromised and other servers. Attempt to escalate privileges.
- Documentation: Record the results of the test in a deliverable. Include description of issues, targets affected and how exploiting the issues may affect the security of the organization. Provide risk rating and references for removing those risks.
How Long Does a Network Pen Test Take?It depends on your organization and its scope. For an average level 4 merchant, a network pen test should take 2-3 days. But for level 1 merchant who are processing millions of credit cards annually, could be a week or 2.
SEE ALSO: PCI Penetration Testing Data Sheet
Choosing a Penetration Test ProviderNot all pen testers are created equal. Some may advertise as professional pen tests but are basically glorified vulnerability scans. If you blindly trust, there’s a chance you’ll get shortchanged. So, it’s extremely important to engage with potential providers; talk to them and keep the dialogue honest. Pay attention to the questions they ask before quoting you. Do they understand--and can they cover--the scope and complexity of your IT environment? Find out whether they have specific experience or specialty in your type of network. Other questions to ask:
- Do they have certifications? And not only are they certified, can they translate the theory behind certifications into application?
- How long have they been pen testing? Look for a seasoned vet.
- What reports will the penetration tester provide? If you’re seeking PCI compliance, make sure you talk to your QSA to understand what reports they need and will accept.
Can I Do My Own Penetration Test?It's possible, but not recommended. A penetration tester should be an outside, neutral party. The person finding the issues should not be the person responsible for fixing them. Naturally, there can be blind spots and assumptions.
SEE ALSO: BambooHR Annual Penetration Test Case Study
Why Network Penetration Tests are So ImportantA pen test will give you a holistic view of what your security system truly looks like. Companies and merchants with poor security practices across their environment leave themselves vulnerable. If a company has an immature network with un-patched systems, it’s likely that the desktop systems are probably in a similar state.
Network pen tests are a necessary part of a healthy security culture. And, don’t forget other types of pen tests like segmentation checks, application penetration tests and wireless penetration tests. It helps to think of your pen tests and vulnerability scans as a way to cover as much of your environment as possible. Diversify your tests and scans for a more robust security practice. Repeating tests is okay, but trying a new type of test will add even more security.
At the end of the day, it’s not just cardholder information that a company needs to protect. It’s the company’s reputation. Whether it’s a small business or large corporation, hackers can deface websites, publicize sensitive info, or hold data ransom if and when they find an opportunity.
Schedule a penetration test here.
George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.