PCI Penetration Testing
A PCI penetration test refers to penetration testing that needs to be carried out for those companies who are required to be PCI DSS compliant and will be specific to an organisation’s Cardholder Data Environment (CDE). Penetration testing forms part of requirement 11.3 of the PCI DSS and for some organisations, PCI penetration testing is a mandatory requirement on a yearly basis.
7Safe has built up a very strong understanding of the PCI penetration testing requirements and also of how organisations are compromised once access to the CDE is gained (please see our Security Investigations and Assessments team). Our penetration testing team and PCI consulting team (QSA) both fit into 7Safe’s Information Security Consulting delivery structure and thus work very closely together, which we find is tremendously valuable to our customers. For example, during a PCI audit, our PCI consultants will know that the correct CDE scope for penetration testing has been defined and that the correct series of tests, and therefore controls, will be in place.
We also work for clients that source PCI consultancy elsewhere. Our detailed knowledge of the Standard serves our client well in that we can still correctly scope the CDE and therefore the scope of penetration testing.
During PCI penetration testing 7Safe’s consultants also deploy our 7Seec PAN (Primary Account Number) scanning tool to establish the presence of unencrypted / unprotected PANs which clearly are a breach of the PCI requirements. This adds incredible value in that we wish to ensure all efforts to protect the PAN are undertaken to avoid a PCI breach (and therefore the need for a Qualified Forensic Investigator investigation).
Clearly the Standard also highlights the issues of secure code development and review which is a service that 7Safe’s penetration testing and application testing team provide.
Do you need to search for unencrypted credit card holder data on your live corporate server and desktop hard drives due to PCI compliance requirements? It is hard to know where to start.
That’s why 7Safe developed the 7seec unencrypted PAN search discovery service.
Our experienced PCI consultants use 7Safe’s own bespoke 7seec credit card scanning engine to find unencrypted cardholder data. The service is tailored to your requirements as we run scans across your systems, then use powerful post-scan filtering and the experience of our PCI experts to eradicate false positives to provide you with a valuable report.
We find credit card data at tremendous speed. The scanning technology we use is also “forensically sound” in that it does not alter data, because 7seec grew out of 7Safe’s work in credit card security breach investigations on behalf of Visa and Mastercard. 7seec finds PANs (Primary Account Numbers, validated with the Luhn algorithm plus false positive checking) and Track 1 & 2 data, and utilises a list of valid card numbers.
Areas searched:
- Entire raw disk, partitions and file systems (including NTFS)
- Folders and individual files
- OS areas (files hidden from the OS), deleted file space and Restore Points
- Alternate Data Streams and locked files
- NTFS images (i.e. forensic copies)
File types searched:
- All text files
- Databases, including Exchange databases (edb)
- MS Office files (Word, Excel, PPT, both new and old formats)
- Outlook PST email
- WinZip32 archives
- Uncompressed PDFs
The 7seec service doesn’t alter document metadata, and the service is used on many OS types including Windows, Mac, Solaris and other *NIX.
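As an added illustration of the detection approach described above (this is example code, not 7seec itself, whose engine 7Safe does not publish here), the following Python sketch runs the Luhn check over candidate digit runs, uses a simplified issuer prefix/length table as the false positive filter, and recognises Track 1 and Track 2 layouts; the issuer table and the sample text are constructed assumptions for the demonstration.

```python
import re
# Candidate PAN: 13 to 19 digits, optionally split by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2: ';' sentinel, PAN, '=' separator, expiry YYMM, 3-digit service code, '?' end.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Track 1: '%B', PAN, '^' cardholder name '^', expiry YYMM.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})")
# Simplified issuer prefix/length rules (an assumption here, not a full IIN table)
# that discard Luhn-valid digit runs no issuer would emit, e.g. invoice numbers.
ISSUER_RULES = (("Visa", ("4",), (13, 16, 19)), ("Amex", ("34", "37"), (15,)),
                ("Mastercard", tuple(map(str, range(51, 56))) + tuple(map(str, range(2221, 2721))), (16,)))
# Constructed sample "disk contents": public test PANs, track data and decoys.
SAMPLE = ("invoice 1234567890123456 paid by card 4111 1111 1111 1111 on file\n"
          "Mastercard 5555-5555-5555-4444 exp 12/25; amex 378282246310005\n"
          "typo 4111111111111112 and filler 4444444444444444\n"
          ";4111111111111111=25121011234? %B5555555555554444^DOE/JANE^2512101?\n")

def luhn_ok(digits):
    """Luhn mod-10: from the right, double every second digit, subtract 9 if over 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += (d * 2 - 9 if d > 4 else d * 2) if i % 2 else d
    return total % 10 == 0

def issuer_of(pan):
    for name, prefixes, lengths in ISSUER_RULES:
        if pan.startswith(prefixes) and len(pan) in lengths:
            return name
    return None

def is_pan(pan):
    # A single repeated digit can pass Luhn but is never an issued card number.
    return len(set(pan)) > 1 and luhn_ok(pan) and issuer_of(pan) is not None

def scan_text(text):
    """Report track 1/2 hits first, then bare PANs not already inside a track hit."""
    findings, covered = [], []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            if is_pan(m.group(1)):
                findings.append({"kind": kind, "pan": m.group(1), "issuer": issuer_of(m.group(1)), "offset": m.start()})
                covered.append(m.span())
    for m in PAN_RE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group())
        if is_pan(pan) and not any(a <= m.start() < b for a, b in covered):
            findings.append({"kind": "pan", "pan": pan, "issuer": issuer_of(pan), "offset": m.start()})
    return findings
```

Run `scan_text(SAMPLE)` to see that the Luhn-invalid typo, the unknown-prefix invoice number and the repeated-digit filler are all dropped while the five real findings are reported with their byte offsets.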
Although our consultants use the 7seec command line version, we have also developed a basic GUI for demonstration purposes, which can be seen in the short video below.
Database penetration testing is often an extremely overlooked component of an organisation’s security and hence possibly the most vulnerable. And of course, the database is also the location in which vast and rich amounts of data may reside. 7Safe’s database penetration testing consultants analyse the security of the database from a number of perspectives including:
- Attacks coming from internal users (authenticated and un-authenticated access)
- Security of the data within the database (e.g. encryption/hashing techniques used for storing sensitive data)
- Database hardening and security
Over the years and through our application security penetration testing programme, 7Safe has developed extensive experience with the following database products:
- Microsoft SQL Server (all versions)
- Oracle Database (all versions and all platforms)
- MySQL Server (all versions and all platforms)
Oracle Database Security White Paper
7Safe’s Principal Security Consultant, Sumit “Sid” Siddharth, speaks to CEO Alan Phillips about hacking Oracle via web applications here. Our white paper “Hacking Oracle from the Web: Exploiting SQL Injection from Web Applications” can be located here.