What is a Penetration Test? According to the National Institute of Standards and Technology (NIST), a penetration test is defined as follows:
A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system. – NIST
This definition is a good example of the one members of audit and compliance teams use when defining a penetration test.
Compliance, in turn, is about management processes that identify the applicable requirements (defined, for example, in laws, regulations, contracts, strategies and policies) and assess the state of compliance with them. Melding the two together does not make for a happy or successful marriage. This presentation will discuss the pitfalls of penetration tests conducted to meet compliance requirements. It will also highlight suggestions and methods to ensure a compliance-based penetration test is more than just checking a box on a risk management questionnaire. The compliance regulation used as the example will be the Payment Card Industry Data Security Standard (PCI-DSS).
This presentation also focuses on how to properly conduct a Penetration Test. A proper test can be summed up by the following quote:
Successful penetration testers don’t just throw a bunch of hacks against an organization and regurgitate the output of their tools. Instead, they need to understand how these tools work in-depth, and conduct their test in a careful, professional manner. This course explains the inner workings of numerous tools and their use in effective network penetration testing and ethical hacking projects. – Ed Skoudis
As part of Cyber Security Awareness Day at Kennesaw State University I gave a presentation on this topic. The presentation can be found here (see the Resources section below).
Resources
https://csrc.nist.gov/publications/detail/sp/800-53a/rev-1/archive/2010-06-29
https://pen-testing.sans.org/instructors/author
http://ksutv.kennesaw.edu/play.php?v=00030081