If any part of your business network is connected to the Internet, then the information your business handles is within the reach of hackers and cybercriminals. For this reason, the Payment Card Industry Data Security Standard (PCI DSS) requires that your IT network undergo a penetration test. Because the network penetration test is, at minimum, an annual event and because it involves a human resource, you want to be sure that the vendor you’re hiring is well worth its salt.

Selecting the appropriate penetration testing vendor involves asking the right questions to properly vet the security testing tools, methods and experts they employ:

Question 1

How does the penetration test differ from other types of security testing, such as a vulnerability assessment? Although you will already know the answer to this question, it should still be asked to ensure that the prospective vendor can articulate the differences that make penetration testing unique. Beware of any vendor that uses the words “penetration test” and “scan” interchangeably, or claims that their penetration testing process is fully automated.

Question 2

What is your process for performing the penetration test? Penetration testing methods and techniques often differ slightly from organization to organization, but some core activities are common across all penetration tests. Even if they do not follow a formally defined methodology, the vendor should be able to provide a straightforward outline of the steps involved and of which tools are used at each step in the process.

Question 3

Do your testers hold industry-standard certifications? It’s important to know that the individuals conducting your test are knowledgeable and stay up to date on security trends. Find out which certifications are held by the team. There are a variety of certifications that demonstrate knowledge of information security and technology in general, but penetration testers often hold certifications such as CEH, CISSP, GPEN and GWAPT. Keep an eye out for skills-based, hands-on certifications such as the OSCP, which are becoming highly prized in the information security community.

Question 4

How will you protect my data during and after testing? Find out how the tester will secure your data during the test and throughout delivery. If devices will be shipped to your location or testers will be visiting with laptops, ensure that full-disk encryption is being used to protect data obtained during the test. When it’s time to deliver the final report, your tester should also offer a secure method for its delivery. Confidential data, including test reports, should never be sent via email; secure FTP or a secure file-sharing site that uses SSL/TLS should be used instead.

Question 5

How will you ensure the availability of my systems and services while the test is taking place? Because penetration tests are actual attacks against your systems, it is impossible to guarantee uptime or availability of services throughout the test. However, most testers have some idea of whether a particular attack will bring down your system or “hang” a service. (You can also assist your tester by alerting them to any legacy or otherwise less-than-robust systems on your network.) The ideal penetration testing vendor will work closely with you to address operational concerns and monitor progress throughout the process.

PCI-DSS v3.0 Excel Cheat Sheet

Author: Martin Voelk
March 13, 2015

The new PCI-DSS v3.0 requirements will come into force in summer 2015, and we have already heard from many customers that this is causing some of them concern. There is actually nothing to be worried about. It’s a very structured approach, and the aim is to make things easier rather than harder.

A few very important changes have been introduced, especially around Penetration Testing and Segmentation Auditing requirements.

Here you can download a PCI-DSS v3.0 Excel cheat sheet: