PCI-DSS v3.2 will be in full force this October. At that time, service providers will be required to complete penetration tests by an external third party twice a year. The term “service provider” leaves significant room for interpretation, so discuss PCI-DSS v3.2 with your QSA to determine how the changes may impact your organization.

Whether for PCI compliance or for other reasons, it’s a good time to think about the value we get from penetration testing. A good penetration test is like a scythe that slices through beautiful wheat fields, leaving them barren, exposed and teeming with rats. This is a good thing, and it should be embraced. Don’t fear the reaper. The penetration testing team should be a partner that illuminates priorities, focuses budget, and helps define the real issues in your system. Turn penetration tests from a burden into an exercise that amplifies your security program by addressing these issues:
You just wait until your Father gets home
Don’t threaten IT staff with test findings. Penetration testers are professionals. They will find a way in. You wouldn’t call a locksmith and then get angry when they opened a door, would you? Foster partnerships instead of using the report as a threat. Engineers and penetration testers should work together to understand where to focus security efforts. Make the test into a game where everyone wins by making the environment more secure.
Open your kimono
Don’t hide anything. Someone knows where the gremlins are. Work with the penetration testing team to evaluate fears. Address demons head on. Partner with the penetration tester to discover the full scope of problems. Leverage their findings to inform leaders of security risks. Sometimes it doesn’t matter how many times an organization hears an issue; it may only become a priority when an outsider presents it.
Microscoping
Scope reduction does no one any favors. You may get a clean report, but it won’t help your security posture. Penetration testers can help find the missed nooks and crannies criminals use to compromise systems.
Peek behind the curtain
Ask to speak to the wizard. Companies rarely ask to have findings presented. Many penetration testers love to share “how they did it” and how they could have been stopped. Take advantage of their advice and apply it.

Keep these tips in mind when planning your next penetration test. If you integrate these concepts, the reaper’s harvest will be a bounty you can use instead of a failed crop.
About the Author: Ean Meyer is an information security professional working in Central Florida. Ean’s current focus areas are PCI, SOX, Intrusion Detection and Prevention Systems, Information Security Program Management, Penetration Testing, and Social Engineering/User Awareness Training. Ean has a BS in Information Security and an AS in Computer Network Systems. Ean also holds a CISSP certification. He can be found at: https://www.eanmeyer.com

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.