Information about http://download.coresecurity.com/corporate/attachments/CORE_IMPACT_for_PCI.pdf
Created: Wed Oct 31 15:29:06 2007
CORE IMPACT and the PCI Standard


THE PCI STANDARD: A MANDATE FOR CARDHOLDER SECURITY

It's no secret that cardholder data presents a tempting target for cybercrime. That's why the major credit and debit card providers have established the Payment Card Industry (PCI) Data Security Standard, which applies to all merchants and service providers that store, process or transmit cardholder data.

The PCI Standard mandates basic security best practices that include implementing and ensuring the effectiveness of defenses and procedures including firewalls, anti-virus applications, security patches, intrusion detection and prevention systems (IDS and IPS), and end-user awareness and incident-response programs.

Security testing for PCI validation and compliance

The PCI Standard requires the same set of security measures for all merchants and service providers, regardless of transaction volume or card acceptance channel (e.g., in-store vs. e-commerce). Organizations must not only implement these measures but also validate that they are working effectively to achieve PCI compliance.

Using CORE IMPACT to test your security measures is one of the easiest things you can do to comply with and validate multiple PCI requirements. IMPACT enables you to run regular, controlled and safe data breach attempts against your security infrastructure, while testing your end users against social engineering attacks. As a result, you can quickly and easily demonstrate whether your security defenses and response plans are in place and working properly as mandated by the PCI Standard.

Meet the penetration testing requirement - and more ...

PCI Requirement 11.3: Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification ...

Testing your security infrastructure and policies with CORE IMPACT allows you to directly comply with Requirement 11.3 while validating compliance with a number of additional PCI mandates (see table).

CORE IMPACT ensures compliance with the following mandates:

Requirement 1.1.1
Establish a formal process for testing network connections and changes to the firewall.

With CORE IMPACT, you can stay on top of potential security exposures created by new network connections and changes to firewalls and other defensive infrastructure. The product's Rapid Penetration Test capabilities incorporate industry-standard best practices into a repeatable methodology for testing the security of evolving network and end-user systems.


Requirement 2.2
Assure that system configuration standards address security vulnerabilities and are consistent with industry-accepted system hardening standards.

CORE IMPACT is continually updated with the latest Commercial-Grade Exploits designed to safely test your organization's exposure to newly discovered vulnerabilities in operating systems and services. Each exploit tests as many target OS configurations and methods of attack as possible. You can also test live cardholder systems with confidence, since exploits are designed to prevent service disruptions or alert you when disruptions could occur.


Requirement 5.1.1
Ensure that anti-virus programs are capable of detecting, removing, and protecting against malicious software.

Requirement 5.2
Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

You can test the effectiveness of your entire security infrastructure, including anti-virus programs and other PCI-mandated applications, with CORE IMPACT. In addition, the product makes it easy to tune security applications by testing them against specific attacks and generating reports that help you identify necessary patches and configuration issues. IMPACT also documents each test with audit trails that you can compare against those from security applications to determine if attacks are being detected as expected.


Requirement 6.1
Ensure that all system components and software have the latest vendor-supplied security patches.

Requirement 6.3.1
Test all security patches and system and software configuration changes.

CORE IMPACT gives you confidence in the integrity and effectiveness of all patches. After installing a patch, you can test its effectiveness by using CORE IMPACT to safely execute the attack that the patch was designed to stop. In addition, you can ensure that customer data remains protected by re-testing your entire network for new vulnerabilities potentially exposed by the patch.


COPYRIGHT © 2007 CORE SECURITY TECHNOLOGIES


Requirement 11.1
Test security controls, limitations, network connections, and restrictions annually to assure the ability to adequately identify and to stop any unauthorized access attempts.

CORE IMPACT is the only product that enables you to determine if attackers can actually exploit network vulnerabilities or trick end-users into exposing their systems. By automating previously manual and expensive processes, IMPACT considerably shortens the testing process and reclaims the cost of hiring outside consultants or developing custom exploits in-house. The product also documents each test in a variety of reports that assist with auditing and compliance validation.


Requirement 11.2
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.

Scanning applications can provide a key component to the vulnerability management process by providing an understanding of your organization's potential vulnerabilities. Penetration testing with CORE IMPACT builds on this process by identifying which vulnerabilities are real and determining if and how they can be exploited. Test results are presented in IMPACT's PCI Vulnerability Validation report, which can help you prioritize remediation efforts, effectively allocate security resources, and satisfy auditing requirements.


Requirement 11.3
Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification ...

Using CORE IMPACT provides direct compliance with the network-layer penetration testing section of this requirement. By regularly testing your security posture with IMPACT, you can stay ahead of the latest threats and validate your compliance with other PCI mandates. This simplifies the compliance process, whether you need to complete the PCI Self-Assessment Questionnaire or prepare for an external audit by a Qualified Security Assessor.

*The PCI Standard allows you to perform in-house penetration testing, regardless of your merchant or service provider level.


Requirement 11.4
Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems ... Keep all intrusion detection and prevention engines up-to-date.

While intrusion detection and prevention systems can detect and block unwanted network traffic, they require ongoing, custom configuration and regular updates (e.g., new attack signatures) to be effective. CORE IMPACT allows you to test the effectiveness of these defensive technologies and gives you the information you need to configure them to properly detect and protect against the latest threats.


Requirement 12.9.2
Implement an incident response plan and test it annually.

In addition to emulating external network threats, CORE IMPACT enables you to safely target end users with phishing, spear phishing and other social engineering attacks. You can simulate a full range of data incidents and evaluate how defensive infrastructure, employees and contractors react. The product's client-side reports provide a full audit trail of each end-user test, including phishing emails sent, exploits launched, test results, and details about compromised users and their systems.



Learn More

Want to learn more about security testing and PCI compliance? Please visit our website ...

http://www.coresecurity.com/PCI

... where you'll find useful downloads and links including:

· a business case template that you can use for your own security testing purchase justification

· on-demand webcasts with security testing experts and customers' real-world PCI experience

· the latest rules and deadlines from the PCI Standards Board, Visa, MasterCard and American Express


Headquarters
41 Farnsworth St.
Boston, MA 02210
Ph: (617) 399-6980
Fax: (617) 399-6987
www.coresecurity.com

© 2007 Core Security Technologies and CORE IMPACT are trademarks of CORE SDI, Inc. All other brands and products are trademarks of their respective holders.