Client:
We have a Cloud based, virtual data center that we access and manage using a 2-factor, on-demand VPN to a remote jump-box from anywhere in the world. As a result, our corporate network and admin machines are considered out-of-scope for PCI. Do we still need to do an internal penetration test?
Answer:
Our experience is that these tests are limited and quick, however they must be done. While it’s true that in this case the in-scope systems could just as easily be administered from a Starbucks, the administrator’s workstation in a Starbucks cannot easily be compromised by exploiting other systems in the coffee shop, whereas in the corporate network the administrator's system is often joined to a domain and can be affected by other systems in the domain. The environment where users routinely access in scope systems will present an attacker with a unique opportunity to steal those credentials or manipulate that traffic. Such an opportunity would not be afforded to an attacker in a Starbucks. The interrelationship of systems inside the corporate network creates a unique set a threat vectors that must be tested.
So for PCI Pen Testing, a corporate network is defined as having a common network connect AND localized common resources such as file shares and authentication mechanisms.
No comments:
Post a Comment
Thanks for adding to the conversation. I'll update your post shortly.