Penetration Testing & Malware

Question 1

What is penetration testing in payments?

Answer 1

Penetration testing is a simulated cyberattack performed by qualified security professionals to test the security of payment-related systems and ensure attackers cannot access:

• Cardholder data
• payment tokens
• authentication credentials
• Payment APIs
• Payment routing logic
• POS environments
• Merchant/platform infrastructure

Question 2

What is the goal of penetration testing?

Answer 2

To discover vulnerabilities before real attackers exploit them.

Question 3

What does pen testing cover in payments?

Answer 3

• Payment pages & checkout flows
• Payment APIs & SDKs
• Tokenization systems
• Mobile payments & wallets
• Card-present systems
• Cloud infrastructure for payment systems

Question 4

Regarding PCI DSS, which organization levels are required to conduct penetration testing?

Answer 4

• Level 1 merchants
• All service-providers
• Any entity completing SAQ D

Question 5

In payments, what environments should pen testing be conducted in?

Answer 5

• Internal environments
• External environments
• Application-level
• Network-level

All testing must simulate real-world attackers.

Question 6

In payments, who performs pen testing?

Answer 6

• Qualified internal teams
• external penetration testers

Question 7

In payments, what are the requirements that penetration testers must have in order to be considered acceptable to conduct the penetration testing?

Answer 7

• Testers must be independent of the systems tested
• Certified testers preferred
• Experienced with payment security

Some companies use ASVs (Approved Scanning Vendors) for vulnerability scans and separate pen testers for full penetration testing.

Question 8

List out the steps taken to complete penetration testing on a payments platform.

Answer 8

1. Scope & plan the effort
2. Gather as much information as possible
3. Conduct threat modeling
4. Conduct a vulnerability analysis
5. Exploit the system
6. Escalate privilege and conduct lateral movement
7. Create exploitation analysis
8. Conduct a cleanup of the testing effort
9. Create a formal report
10. Conduct remediation and retesting

Question 9

In payments, explain the scoping and planning process of penetration testing.

Answer 9

• Identify systems in PCI scope
• Define testing boundaries
• Confirm in-scope payment flows
• Establish rules of engagement
• Set testing windows and communication protocols

Question 10

In payments, what is the goal of the scoping and planning process of penetration testing?

Answer 10

Create a clear testing roadmap and avoid operational disruptions.

Question 11

In penetration testing for payments, what is involved in the information gathering process?

Answer 11

• Enumerating APIs (identifying valid & accessible endpoints)
• Reviewing payment forms and JavaScript
• mapping tokenization flows
• Discovering network ranges
• Identifying 3rd party services
• Understanding authentication models

Question 12

In the information gathering stage of penetration testing for payments, what is the goal of this step?

Answer 12

Understand the architecture from an attacker’s perspective

Question 13

In payment penetration testing, what is threat modeling?

Answer 13

Threat modeling is identifying the most relevant attack vectors based on payment flows.

Question 14

In payment penetration testing, what is the goal of threat modeling?

Answer 14

Prioritize realistic attacks against payment systems

Question 15

In payment penetration testing, what is a vulnerability analysis?

Answer 15

This analysis involves testers using automated and manual techniques to identify weaknesses.

Question 16

In payment penetration testing, what is the goal of vulnerability analysis?

Answer 16

To build a vulnerability list to exploit

Question 17

In payment penetration testing, what is exploitation?

Answer 17

This is actively attempting to break into systems.

Question 18

In payment penetration testing, what is the goal of exploitation?

Answer 18

To demonstrate what an attacker could do, especially with payment data or tokens.

Question 19

In payment penetration testing, what is privilege escalation and lateral movement?

Answer 19

If an exploitation succeeds, testers will try to move deeper within the system. They will attempt to:

• Access the token vaults
• Access administrative payment APIs
• Access logs containing sensitive data
• Access payment processor credentials
• Access the cardholder data environment

Question 20

In payment penetration testing, what is the goal of privilege escalation and lateral movement?

Answer 20

To identify the blast radius of a breach

Question 21

In payment penetration testing, what is the post-exploitation analysis?

Answer 21

This is when the tester collects evidence of what was accessed or what could have been accessed.

Question 22

In payment penetration testing, what is the goal of post-exploitation analysis?

Answer 22

To understand the business impact of a compromise.

Question 23

In payment penetration testing, what is the cleanup process?

Answer 23

The cleanup process is when the tester removes any sign they were in the environment such as:
- test accounts
- payloads
- scripts
- injected data
- temporary credentials

Question 24

In payment penetration testing, what is the goal of the cleanup process?

Answer 24

To leave no residual impact on production systems

Question 25

In payment penetration testing, what is the reporting process?

Answer 25

It is a formal penetration testing report that is produced. It includes: - Executive summary - Identified vulnerabilities - Risk ratings - Proof of exploitation - Detailed remediation guidance - Evidence of PCI requirement

Question 26

True or False, PCI QSAs do not review penetration testing reports during their annual audit.

Answer 26

False, PCI QSA auditors review the penetration report during their annual audits.

Question 27

In payment penetration testing, what is the remediation and retesting process?

Answer 27

This is when the entity must resolve the vulnerability and may undergo: - retesting - verifying controls are corrected - updating documentation

Question 28

In payment penetration testing, how soon should critical vulnerabilities be remediated?

Answer 28

30 days

Question 29

For payment platforms, how often should penetration testing be conducted?

Answer 29

- Annually for Level 1 merchants - Annually for service providers - Annually for any entity completing a SAQ D. - After any significant change - Every 6 months for segmented environments that isolate cardholder data.

Question 30

In payment platform penetration testing, PCI DSS states that new penetration tests must be conducted when a significant change was made. What qualifies as a significant change?

Answer 30

- Launching a new payment flow - Deploying new payment APIs - Major code releases - Changes to tokenization logic - Updates to infrastructure or cloud environments - Introducing new payment connectors or gateways - Firewall or network architecture changes - Adding or modifying cardholder data environments

Question 31

What is the purpose of segmentation penetration testing for PCI DSS?

Answer 31

The penetration test validates the segmentation controls actually work and prevent access to the cardholder data environment (CDE)

Question 32

How are penetration testing and vulnerability assessments different from each other?

Answer 32

- Vulnerability Assessment = Find Weaknesses - Penetration Testing = Exploit Weaknesses (ethical hacking)

Question 33

What is the purpose of a vulnerability assessment scan?

Answer 33

- Detect missing patches - Identify misconfigurations - Find known exploitable CVSs (common vulnerabilities & exposures) - Provide a security baseline

Question 34

What is a vulnerability assessment?

Answer 34

A non-intrusive scan performed with automated tools to identify known security weaknesses.

Question 35

Who performs vulnerability assessment scans?

Answer 35

- ASVs (approved scanning vendors) for external scans - Internal security teams for internal scans

Question 36

How does a vulnerability assessment scan work?

Answer 36

- It does not exploit the application or platform - Uses automated tools (Qualys, Rapid7, Nessus) - Produces a list of vulnerabilities with severity ratings

Question 37

What is an objective method in penetration testing?

Answer 37

The objective method is a structured approach where the penetration test is guided by specific security objectives and not by random or purely exploratory hacking.

Question 38

What is OS fingerprinting?

Answer 38

The process of identifying the operating system running on a remote device or server by analyzing how it responds to network traffic. It is a standard technique used in penetration testing and vulnerability assessment scans.

Question 39

What is banner grabbing?

Answer 39

A reconnaissance technique used in cybersecurity and penetration testing to gather information about a system or service by retrieving the "banner". The banner is a small text message or metadata that servers often send when you connect to them.

Question 40

In banner grabbing, what does the banner reveal?

Answer 40

- software name - version number - operating system - service type - supported protocols - configuration details These clues help attackers identify potential vulnerabilities.

Question 41

What is white-box testing?

Answer 41

A method where the tester has full access to internal code, logic, and architecture. It enables the tester to deeply evaluate the software behavior, logic flaws, and security vulnerabilities.

Question 42

What is grey-box testing?

Answer 42

Grey-box testing is a hybrid method where testers have partial internal knowledge (like APIs docs or architecture info) to simulate a privileged attacker and uncover vulnerabilities more effectively than black-box testing.

Question 43

What is black-box testing?

Answer 43

Black-box testing evaluates a system from the outside with no internal knowledge, simulating a real attacker to find vulnerabilities in external-facing applications and systems.

Question 44

What are the 3 penetration testing strategies?

Answer 44

1. White-box testing 2. Grey-box testing 3. Black-box testing

Question 45

True or False? PCI DSS requires all 3 forms of testing strategies? (White-box, Grey-box, Black-box)

Answer 45

False, PCI DSS does not dictate what type of testing should be conducted by entities. The most common type of testing is: - Black-box testing for external penetration testers. - Grey-box testing for internal penetration testers.

Question 46

True or False? PCI DSS requires two independent methods of PCI scanning (Internal & External scanning)

Answer 46

True

Question 47

True or False? The average cost of a data breach is $4.88 million as of 2024.

Answer 47

True

Question 48

True or False? Every minute, approximately 4 companies fall victim to ransomware attacks.

Answer 48

True