Reading: CompTIA PenTest+ Certification For Dummies - Glen E. Clarke - Page 72

Conducting Compliance-based Assessments


If the organization you are testing is having the penetration test done to satisfy an industry regulation, you may need to meet strict requirements when performing the assessment. As a penetration tester, it is important to become familiar with the requirements of a compliance-based assessment. The requirements differ from industry to industry, because they depend on the laws or regulations that govern each one. Following are examples of industry-specific laws and regulations an organization must follow, depending on the industry in which it operates:

 Health Insurance Portability and Accountability Act (HIPAA), which controls the handling of health records.

 Family Educational Rights and Privacy Act (FERPA), which governs access to and disclosure of student educational records, including a parent's right to access their child's records.

 Payment Card Industry Data Security Standard (PCI DSS), which protects debit and credit card (cardholder) data.

Following are some limitations and caveats to keep in mind with regard to compliance-based assessments:

 Rules to complete the assessment: Each regulation or standard has strict rules on how the penetration test is to be performed and what to look for in the assessment. For example, PCI DSS includes strict requirements on the use of firewalls to restrict traffic to and from the systems that store, process, or transmit cardholder data (the cardholder data environment, or CDE), and requirements to encrypt cardholder data when it is transmitted across open, public networks.

 Password policies: To be compliant, an organization may have to follow strict requirements on passwords and password policies. For example, you may need to assess the company's password policy and verify that employees use strong passwords, change them at the required interval, and cannot reuse a password they have used previously.

 Data isolation: Due to laws or regulations you may need to ensure that certain types of data are separated from other types of data. For example, with PCI DSS, a company must ensure that credit and debit card data is isolated from the rest of the company data. As another example, in a bring-your-own-device (BYOD) environment, you may need to ensure that mobile devices partition personal data from business data so that business data can be remotely wiped if needed.

 Key management: You may need to assess the use and storage of encryption keys as well as assess the company’s backup policies or the archival of encryption keys to allow recovery of sensitive data.

 Limitations: You may need to assess whether the required restrictions are actually enforced on resources such as systems, devices, and data. For example, a regulation may require that certain types of systems never be reachable from the Internet, and you would verify that they are not.

 Limited network access: You may need to verify that the network is segmented so that a specific type of system can reach only the network segment it is supposed to reach. For example, with PCI DSS, the credit card processing systems are placed on a separate network segment from regular company systems; the segmentation must be effective (that is, actually blocking traffic from the rest of the network), because it is what keeps those other systems out of the scope of the assessment.

 Limited storage access: You may need to assess that the company controls access to data and that only specifically authorized personnel have access to sensitive data. Again, looking at PCI DSS, the pentester would validate that access to cardholder data is limited and protected.
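The network-segmentation and limited-network-access points above are usually verified by scanning the cardholder data environment from a host on the ordinary corporate segment and confirming that nothing answers except documented exceptions. The following script, added here as an example and not code from the book or from any PCI SSC tool, parses nmap grepable (-oG) output and reports every CDE host and port that is reachable from the scanning segment without an approved exception. The CDE range, the host addresses, the exception list, and the embedded scan output are all constructed for the example.

```python
"""
Segmentation check for a PCI-style assessment: parse nmap grepable (-oG)
output from a scan launched on the corporate network against the
cardholder data environment (CDE) and report any CDE host that answers
on a port not covered by a documented exception.

Added example; not code from the book or from any PCI SSC tool. Host
addresses, the CDE range, and the exception list are hypothetical.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Hypothetical CDE network. In an engagement this comes from the scoping documents.
CDE_NETWORK = ipaddress.ip_network("10.20.0.0/24")

# Documented, approved exceptions: (host, port) pairs allowed to be reachable
# from the corporate segment (e.g. a jump host on TLS). Hypothetical.
APPROVED_EXCEPTIONS: Set[Tuple[str, int]] = {("10.20.0.10", 443)}

# Constructed sample of nmap -oG output, as if produced by
#   nmap -sS -p 22,443,3389,1433 10.20.0.0/24 -oG cde_from_corp.gnmap
# Fields per port are port/state/protocol/owner/service/rpc info/version/.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated ... as: nmap -sS -p 22,443,3389,1433 -oG - 10.20.0.0/24
Host: 10.20.0.10 (jump.cde.example)\tStatus: Up
Host: 10.20.0.10 (jump.cde.example)\tPorts: 22/filtered/tcp//ssh///, 443/open/tcp//https///, 3389/filtered/tcp//ms-wbt-server///, 1433/filtered/tcp//ms-sql-s///\tIgnored State: filtered (0)
Host: 10.20.0.25 (pos-db.cde.example)\tStatus: Up
Host: 10.20.0.25 (pos-db.cde.example)\tPorts: 22/open/tcp//ssh///, 443/filtered/tcp//https///, 3389/filtered/tcp//ms-wbt-server///, 1433/open/tcp//ms-sql-s///
Host: 10.20.0.40 ()\tStatus: Down
# Nmap done at ... -- 256 IP addresses (2 hosts up) scanned
"""

# port/state/proto/owner(empty)/service/rpc(empty)/version(empty)/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_gnmap(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {host: [(port, state, proto), ...]} from grepable nmap output.

    Only 'Ports:' lines carry port data; 'Status:' lines and comments are skipped.
    """
    results: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab (e.g. before "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        results.setdefault(host, [])
        for port, state, proto, _svc in PORT_RE.findall(ports_field):
            results[host].append((int(port), state, proto))
    return results


def segmentation_violations(
    scan: Dict[str, List[Tuple[int, str, str]]]
) -> List[Tuple[str, int, str]]:
    """Every (host, port, proto) inside the CDE that is open from the scanning
    segment and not on the approved exception list is a segmentation failure.

    'filtered' and 'closed' mean the firewall (or the host) refused the
    segment, which is the desired state; only 'open' is a finding.
    """
    findings: List[Tuple[str, int, str]] = []
    for host, ports in scan.items():
        if ipaddress.ip_address(host) not in CDE_NETWORK:
            continue  # not a CDE host; out of scope for this check
        for port, state, proto in ports:
            if state == "open" and (host, port) not in APPROVED_EXCEPTIONS:
                findings.append((host, port, proto))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, proto in segmentation_violations(parse_gnmap(SAMPLE_GNMAP)):
        print(f"VIOLATION: {host}:{port}/{proto} reachable from corporate segment")
```

With the constructed scan, the jump host's port 443 is excused by the exception list, while the point-of-sale database answering on SSH and SQL Server from the corporate segment is reported. In a real engagement the scan is run from each segment claimed to be out of scope, the exception list comes from the client's documented firewall rules, and any "open" result outside that list means the segmentation does not hold and those segments are in scope.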

It is important to stress that a compliance-based assessment has clearly defined objectives that come from the regulation itself. For example, if the organization processes credit cards, it must be compliant with PCI DSS by meeting the objectives and requirements that PCI DSS sets out. (You can view the Requirements and Security Assessment Procedures document at https://www.pcisecuritystandards.org/document_library.)
