Test Your Cyber Defenses
Penetration tests are intended to exploit weaknesses in the architecture of your IT network and are essential to determine the degree to which a malicious attacker can gain unauthorized access to your company’s assets. Vulnerability scans look for known vulnerabilities in your systems and may report potential exposures.
At Drummond, our experts conduct penetration tests separately from your quarterly vulnerability scanning requirements and adhere to industry-accepted penetration testing methods. The penetration test must identify ways to exploit vulnerabilities in order to circumvent or defeat the security features of system components.
Per the PCI SSC Information Supplement: Penetration Testing Guidance, the goals of penetration testing include the following:
- Determine whether and how a malicious user can gain unauthorized access to assets that affect the fundamental security of the system, files, logs and/or cardholder data
- Confirm the applicable controls required by PCI DSS – scope, vulnerability management, methodology and segmentation – are in place
Black-, White- or Grey-box Assessments
There are three types of penetration tests: black-box, white-box, and grey-box:
- Black-box Assessment: A client provides no information prior to the start of testing
- White-box Assessment: The entity may provide the penetration tester with full and complete details of the network and applications
- Grey-box Assessment: The entity may provide partial details of the target systems
PCI DSS penetration tests are typically performed as either white-box or grey-box assessments. These types of assessments tend to yield more accurate results and provide a more comprehensive test of the security posture of the environment than a pure black-box assessment. Performing a black-box assessment – when the entity provides no details of the target systems prior to the start of the test – may require more time, money and resources for the deliverables to meet the requirements of PCI DSS.