ANSI ASC X9 X9.111-2018 Penetration Testing within the Financial Services Industry.pdf

Uploaded by: amazingpat195  Document ID: 431337  Upload time: 2018-11-11  Format: PDF  Pages: 58  Size: 525.51KB
Resource description

ASC X9, Inc. 2018 - All rights reserved

American National Standard for Financial Services

ANSI X9.111-2018

Penetration Testing within the Financial Services Industry

Accredited Standards Committee X9, Incorporated
Financial Industry Standards

Date Approved: February 28, 2018

American National Standards Institute

American National Standards, Technical Reports and Guides developed through the Accredited Standards Committee X9, Inc., are copyrighted. Copying these documents for personal or commercial use outside X9 membership agreements is prohibited without express written permission of the Accredited Standards Committee X9, Inc. For additional information please contact ASC X9, Inc., 275 West Street, Suite 107, Annapolis, MD 21401.

Contents (section, title, page)

Foreword v
Introduction vi
1 Scope 15
2 Normative References 17
3 Terms and Definitions 17
4 Symbols and Abbreviated Terms 19
5 Significance of Penetration Test Activity 20
5.1 Broad Description 20
5.2 Penetration Testing as a Component of Risk Identification and Assessment 20
5.3 Limitations of Penetration Testing 22
5.3.1 Introduction 22
5.3.2 Time 22
5.3.3 Testing Scope / Availability of Target 22
5.3.4 Target Selection 22
5.3.5 Tester Qualifications 23
5.3.6 Penetration Testing Period and Meaning of Results 23
6 Penetration Testing Framework 24
6.1 Introduction / Overview 24
6.2 Test Activities 25
6.2.1 Specification of Penetration Test 25
6.2.2 Engagement Guidelines 25
6.2.3 Penetration Test Activity 25
6.2.4 Engagement Reporting 25
6.2.5 Remediation 26
7 Specification of Penetration Test 26
7.1 Introduction 26
7.2 Penetration Testing Parameters 27
7.2.1 TOE Selection 27
7.2.2 Logical Location of Tester 28
7.2.3 Tester Prior Knowledge 30
7.2.4 Test Intrusiveness 33
7.2.5 TOE System Status 34
7.2.6 Target Response Team Level of Awareness 35
7.3 Penetration Test Levels 36
8 Engagement Considerations 37
8.1 Introduction 37
8.2 Mutual Non-Disclosure Agreement 37
8.3 Engagement Detailed Scope of Work Specifically Defining Activities 38
8.3.1 Overview 38
8.3.2 Rules of Engagement 38
8.3.3 Roles and Responsibilities 42
8.3.4 Disclaimer 42
8.3.5 Authorization/Confirmation Agreement (use of IPs and Timeframe) 43
8.3.6 Technical Points of Contact 43
8.4 Terms and Conditions and other Legal Aspects 43
9 Penetration Test Activity 45
9.1 Test Introduction 45
9.2 Passive Discovery 46
9.2.1 Passive Discovery Introduction 46
9.2.2 Public Information Gathering 46
9.2.3 Customer Provided Information 46
9.3 Active Discovery 46
9.3.1 Active Discovery Introduction 46
9.3.2 System Scanning 47
9.3.3 Application Centric Information Gathering 48
9.3.4 Customized Application / Source Code Review 48
9.3.5 Traffic Monitoring 48
9.3.6 Evasion Testing 48
9.3.7 Social Engineering 48
9.3.8 Physical Intrusion 48
9.4 Attack Planning 49
9.4.1 Overview 49
9.4.2 Threat Modeling 49
9.5 Attacks 49
9.5.1 Attack Introduction 49
9.5.2 Logical Attack 50
9.5.3 Physical Attack 50
9.5.4 Procedural Attack 50
9.6 Post-Exploitation 51
10 Reporting 52
10.1 Delivery 52
10.2 Recommended Content 52
10.2.1 Executive Summary 52
10.2.2 Tester Profile and Qualifications 52
10.2.3 Test Objectives and Scope 52
10.2.4 Limitations of the Penetration Test 53
10.2.5 Test Details 53
10.2.6 Test Results/Findings 53
10.2.7 Industry Baseline Analysis 54
10.2.8 Remediation 54
10.3 Other Recommendations 55
11 Penetration Testing Support Activities 56
11.1 Introduction 56
11.2 Know Your Tools 56
Annex A (informative) Attack Examples 57
A.1 Introduction 57
A.2 Network Attacks 57
A.3 Web Application Attacks 57
A.4 Software Flaws 57

Figures

Figure 1 Security Evaluation Process 20
Figure 2 Security Evaluation and System Development Life Cycle 21
Figure 3 Penetration Test Framework - Client Perspective 24
Figure 4 Tester Logical Location for TOE Within Internal Network 28
Figure 5 Tester Logical Location for TOE Within DMZ 29
Figure 6 Tester Logical Location for a TOE with Related Component 30
Figure 7 Penetration Test Methodology 45

Tables

Table 1 TOE Examples 27
Table 2 Penetration Testing and Tester Knowledge 32
Table 3 Penetration Test Level of Intrusiveness 34
Table 4 TOE Status 35
Table 5 Response Team Awareness 35
Table 6 Penetration Testing Levels 36
Table 7 Public Information Gathering Techniques 46

Foreword

Approval of an American National Standard requires verification by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer. Consensus is established when, in the judgment of the ANSI Board of Standards Review, substantial agreement has been reached by directly and materially affected interests. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort be made toward their resolution.

The use of American National Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not, from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standards.

The American National Standards Institute does not develop standards and will in no circumstances give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation of an American National Standard in the name of the American National Standards Institute. Requests for interpretation should be addressed to the secretariat or sponsor whose name appears on the title page of this standard.

CAUTION NOTICE: This American National Standard may be revised or withdrawn at any time. The procedures of the American National Standards Institute require that action be taken to reaffirm, revise, or withdraw this standard no later than five years from the date of approval.

Published by
Accredited Standards Committee X9, Incorporated
Financial Industry Standards
275 West Street, Suite 107
Annapolis, MD 21401 USA
X9 Online: http://www.x9.org

Copyright 2018 ASC X9, Inc. All rights reserved. No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without prior written permission of the publisher. Published in the United States of America.

Introduction

Penetration testing attempts to gather information about a network system and its associated security controls through a non-malicious attempt to circumvent, subvert, or defeat the security controls protecting the information assets of a company or other organization. The purpose of such testing is to discover and report vulnerabilities and misconfigurations in the design or implementation of such controls, so that flaws can be corrected, risks evaluated accurately, and the organization's overall security posture strengthened.

Penetration (pen) tests have become standard practice for many financial service organizations, including financial institutions, payment processors and merchants. Further, pen tests are often a requirement of state bank examiners and of industry practices such as the Payment Card Industry (PCI) Data Security Standards (DSS). However, pen testing today often yields varying results due to differences in the level and scope of testing, reporting detail, quality of service, and professional standards of the organizations providing the penetration testing service. For penetration test results to be consistent, comparable, actionable, and of tactical and strategic benefit to financial service organizations, it is imperative that accepted rules of engagement be followed and that penetration testing be based on defined practices, processes, and procedures.

The goals and intended results of this standard are as follows:

• To provide a standard specification of penetration testing, its appropriate application, value, and limitations.
• To specify standards for conducting penetration testing that produce results which are industry consistent, comparable, repeatable, actionable, traceable, and useful to the organization under evaluation.
• To provide common terms to facilitate communication pertaining to penetration testing and documentation of penetration test results, including a model format.
• To define parameters that decision makers can use to specify a penetration test.
• To provide financial organizations and penetration testers with guidelines for selecting and engaging penetration testing services.

Financial service organizations can benefit from this standard by understanding the rules of engagement for specifying, negotiating and accepting a penetration test with a penetration test service provider. Likewise, penetration test service providers can benefit from this standard by following the rules of engagement for proposing, negotiating and providing a penetration test to a financial services organization. Further, third parties such as security assessors, auditors and bank examiners can benefit from this standard by relying on the rules of engagement for reviewing, interpreting and accepting penetration test reports. The financial services industry as a whole will benefit from this standard through consistent, comparable and actionable penetration tests, results and reports.

Suggestions for the improvement or revision of this Standard are welcome. They should be sent to the X9 Committee Secretariat, Accredited Standards Committee X9, Inc., Financial Industry Standards, 275 West Street, Suite 107, Annapolis, MD 21401 USA.

This Standard was processed and registered for submittal to ANSI by the Accredited Standards Committee on Financial Services, X9. Committee approval of the Standard does not necessarily imply that all the committee members voted for its approval.

At the time this Standard was published, the X9 committee had the following members:

Roy DeCicco, X9 Chair
Angela Hendershott, X9 Vice Chair
Steve Stevens, Executive Director
Janet Busch, Program Manager

Organization Represented: Representative

ACI Worldwide: Doug Grote
American Bankers Association: Diane Poole
American Express Company: David Moore
Bank of America: Daniel Welch
Bank of New York Mellon: Arthur Sutton
Blackhawk Network: Anthony Redondo
Bloomberg LP: Corby Dear
Capital One: Marie LaQuerre
Citigroup, Inc.: Karla McKenna
CLS Bank: Ram Komarraju
Conexxus, Inc.: Gray Taylor
CUSIP Service Bureau: Gerard Faulkner
Delap LLP: Andrea Beatty
Delap LLP: Darlene Kargel
Deluxe Corporation: Angela Hendershott
Diebold Nixdorf: Bruce Chapa
Discover Financial Services: Michelle Zhang
Dover Fueling Solutions: Bradford Loewy
eCurrency: David Wen
Federal Reserve Bank: Mary Hughes
First Data Corporation: Lisa Curry
FIS: Stephen Gibson-Saxty
Fiserv: Dan Otten
FIX Protocol Ltd - FPL: Jim Northey
Futurex: Ryan Smith
Gilbarco: Bruce Welch
Harland Clarke: John McCleary
IBM Corporation: Todd Arnold
Ingenico: Rob Martin
ISARA Corporation: Alexander Truskovsky
ISITC: Lisa Iagatta
ITS, Inc. (SHAZAM Networks): Manish Nathwani
J.P. Morgan Chase: Roy DeCicco
MagTek, Inc.: Mimi Hart
MasterCard Europe Sprl: Mark Kamers
NACHA The Electronic Payments Association: Priscilla Holland
National Security Agency: Paul Timmel
Nautilus Hyosung: Joe Militello
NCR Corporation: David Norris
Office of Financial Research, U.S. Treasury Department: Thomas Brown Jr.
PCI Security Standards Council: Troy Leach
RouteOne: Chris Irving
RouteOne: Jenna Wolfe
SWIFT/Pan Americas: Karin DeRidder
SWIFT/Pan Americas: Frank Vandriessche
Symcor Inc.: Debbi Fitzpatrick
TECSEC Incorporated: Ed Scheidt
The Clearing House: Sharon Jablon
U.S. Bank: John King
U.S. Commodity Futures Trading Commission (CFTC): Robert Stowsky
USDA Food and Nutrition Service: Kathy Ottobre
Vantiv LLC: John Hall
VeriFone, Inc.: Dave Faoro
Viewpointe: Richard Luchak
VISA: Kim Wagner
Wells Fargo Bank: Mark Schaffer

At the time this standard was approved, the X9F subcommittee on Data and Information Security had the following members:

Dave Faoro, X9F Chair
Steven Bowles, X9F Vice Chair

Organization Represented: Representative

ACI Worldwide: Doug Grote
ACI Worldwide: Dan Kinney
ACI Worldwide: Julie Samson
American Bankers Association: Tom Judd
American Express Company: Gail Chapman
American Express Company: Farid Hatefi
American Express Company: David Moore
American Express Company: John Timar
American Express Company: Kevin Welsh
Bank of America: Amanda Adams
Bank of America: Peter Capraro
Bank of America: Andi Coleman
Bank of America: Lawrence LaBella
Bank of America: Will Robinson
Bank of America: Michael Smith
Bank of America: Daniel Welch
BlackBerry Limited: Daniel Brown
Blackhawk Network: Vijay Bolina
Blackhawk Network: Anthony Redondo
Bloomberg LP: Erik Anderson
Bloomberg LP: Corby Dear
Capital One: Marie LaQuerre
Capital One: Johnny Lee
Cipherithm: Scott Spiker
comForte 21 GmbH: Thomas Gloerfeld
comForte 21 GmbH: Henning Horst
Communications Security Establishment: Jonathan Hammell
Communications Security Establishment: David Smith
Conexxus, Inc.: Alan Thiemann
CUSIP Service Bureau: Scott Preiss
Delap LLP: Andrea Beatty
Delap LLP: David Buchanan
Delap LLP: Darlene Kargel
Deluxe Corporation: Angela Hendershott
Deluxe Corporation: Margiore Romay
Deluxe Corporation: Andy Vo
Diebold Nixdorf: Christoph Bruecher
Diebold Nixdorf: Andrea Carozzi
Diebold Nixdorf: Bruce Chapa
Diebold Nixdorf: Michael Nolte
Diebold Nixdorf: Michael Ott
Diebold Nixdorf: Dave Phister
Digicert: Tim Hollebeek
Discover Financial Services: Cheryl Mish
Discover Financial Services: Diana Pauliks
Discover Financial Services: Jordan Schaefer
Dover Fueling Solutions: Steven Bowles
Dover Fueling Solutions: Bradford Loewy
eCurrency: David Wen
Federal Reserve Bank: Patrick Adler
Federal Reserve Bank: Guy Berg
Federal Reserve Bank: Marianne Crowe
Federal Reserve Bank: Amanda Dorphy
Federal Reserve Bank: Mary Hughes
Federal Reserve Bank: Heather Hultquist
Federal Reserve Bank: Janet LaFrence
Federal Reserve Bank: Susan Pandy
Federal Reserve Bank: Patti Ritter
First Data Corporation: Lisa Curry
First Data Corporation: Kalli Davidson
First National Bank of Omaha: Sherry Rewolinski
First National Bank of Omaha: Kristi White
FIS: Saman Amighi
FIS: John Soares
FIS: Sunny Wear
Fiserv: Bud Beattie
Fiserv: Dan Otten
Futurex: Ryan Smith
Futurex: Tim Weston
GEOBRIDGE Corporation: Donna Gem
GEOBRIDGE Corporation: Jason Way
Gilbarco: Scott Tu
