PSC Payment and Security Experts

Penetration Testing

The purpose of penetration testing is to footprint, enumerate and potentially exploit vulnerabilities in web application(s) and network infrastructure using automated tools and manual mechanisms, above and beyond what simple automated scanning tools can achieve.

PCI Application and Network Layer Penetration Testing
Network and application penetration tests are different from vulnerability scans in that penetration tests are more manual. They attempt to actually exploit some of the vulnerabilities identified in scans, and follow practices used by hackers to take advantage of weak security systems or processes.

It is important to note that the only procedures required for compliance with PCI 11.3 are the application layer and network layer assessments.

PCI Web Application Security Testing
PCI DSS Requirement 6.6 is intended to address common threats to cardholder data and ensure that input to web applications from untrusted environments is inspected “top to bottom.”

Manual and tool-based testing per PCI DSS §6.6 for web-facing application security is included in the application-layer and network-layer penetration testing.

Wireless (Wi-Fi) Vulnerabilities
The objective in this test is to achieve penetration of any wireless access points and technology in use. This includes a search for and evaluation of both rogue and authorized access points.

Carrier and PBX Vulnerabilities
The objective in this test is to scan agreed-upon phone number range(s) for potential incoming dial-in or PBX access (referred to as war dial testing).

Social Engineering Vulnerabilities
Utilizing social engineering procedures, the objective is to test the human factor components of a specific security condition. These tests require identification of a specific target or target system that could be compromised if an authorized employee knowingly or unknowingly granted access to the intruder.
