
Penetration Testing as a Service

Penetration Testing for PCI-DSS, HIPAA & SOC 2 Compliance.

CyberHunter offers penetration testing as a service for PCI-DSS, HIPAA and SOC 2 audits. Choosing the right pen testing partner gives your organization continuity between tests, lower costs and an expert who is familiar with your environment and applications.


What Is Pen Testing as a Service?

We at CyberHunter are frequently asked whether we offer penetration testing as a service. Typically these requests are made when an organization is working toward a certified compliance rating for a relevant industry standard, or is about to face an audit that requires evidence that its security controls have been tested. The three most common compliance-driven requests CyberHunter receives are in the following areas:

PCI-DSS Compliance Penetration Testing
HIPAA Compliance Penetration Testing
SOC 2 Compliance Penetration Testing

What Type of Pen Test Do You Need?

Penetration Testing for PCI-DSS Compliance

PCI-DSS 3.2 compliance is a requirement for any organization that stores, processes or transmits payment card data. However, different rules apply depending on whether you are considered a Merchant or a Service Provider.

A PCI Merchant is defined this way:
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.

A PCI Service Provider is defined this way:
Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data.

A company that is BOTH Merchant and Service Provider is defined this way:
Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.

Understanding whether or not your company is considered a Service Provider is extremely important. If you process, store or transmit cardholder data on behalf of other entities, you fall into the category of Service Provider. If you provide managed security services, such as the firewalls that protect and segment a Cardholder Data Environment (CDE) containing Point of Sale systems and other back-office systems, you are also very likely a Service Provider, because your service can affect the security of cardholder data. Other examples of organizations that fall into this category are hosting companies, co-location providers, back-office service companies, and billing account management companies.

So, what does this mean for PCI Service Providers?

Service Providers are required to have an ANNUAL penetration test that “thoroughly addresses the security of the environment”, including a test of the CDE segmentation controls. Six months after the annual penetration test, another penetration test (reduced in scope) must be performed that is solely focused on the CDE segmentation controls, i.e. connectivity between in-scope and out-of-scope networks. Requirement 11.3.4.1 also calls for this segmentation testing to be repeated after any change to the segmentation controls or methods.

  • The six-month clock starts when the annual test is completed.
  • Remediation of high-severity exploitable vulnerabilities should be completed within 60 days in the case of segmentation issues, and the fix must be re-tested as soon as it is in place.
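The segmentation test described above comes down to proving that nothing on an out-of-scope network can reach the CDE. The following Python is an added example, not CyberHunter's tooling and not part of the original page: it parses constructed nmap grepable (-oG) output from a scan launched on an out-of-scope host and flags every CDE address that answered the probe. The addresses, ports and CDE range are hypothetical placeholders for the client's scope document.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of "nmap -sS -Pn -oG -" output, as if launched from a host on an
# out-of-scope network (for example the corporate user LAN) toward a CDE range.
# Every address, port and service here is hypothetical, not from a real engagement.
SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated as: nmap -sS -Pn -p 22,443,1433,3389 -oG - 10.10.20.0/28\n"
    "Host: 10.10.20.5 ()\tStatus: Up\n"
    "Host: 10.10.20.5 ()\tPorts: 22/filtered/tcp//ssh///, 443/open/tcp//https///, "
    "1433/filtered/tcp//ms-sql-s///, 3389/filtered/tcp//ms-wbt-server///\n"
    "Host: 10.10.20.6 ()\tStatus: Up\n"
    "Host: 10.10.20.6 ()\tPorts: 22/closed/tcp//ssh///, 443/filtered/tcp//https///, "
    "1433/filtered/tcp//ms-sql-s///, 3389/filtered/tcp//ms-wbt-server///\n"
    "Host: 10.10.20.7 ()\tStatus: Up\n"
    "Host: 10.10.20.7 ()\tPorts: 22/filtered/tcp//ssh///, 443/filtered/tcp//https///, "
    "1433/filtered/tcp//ms-sql-s///, 3389/filtered/tcp//ms-wbt-server///\n"
    "# Nmap done -- 16 IP addresses (3 hosts up) scanned\n"
)

# Hypothetical CDE range; in a real test this comes from the client's PCI scope document.
CDE_NETWORKS = [ipaddress.ip_network("10.10.20.0/24")]

# One -oG port entry is port/state/protocol/owner/service/rpc_info/version/ ;
# we capture port, state (which may be "open|filtered"), protocol and service and
# ignore owner, rpc_info and version.
PORT_RE = re.compile(r"(\d+)/(\w+(?:\|\w+)?)/(tcp|udp)//([^/]*)///")


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    state: str
    service: str
    severity: str


def parse_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from nmap -oG output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and bare "Status:" lines carry no port data
        host = line.split()[1]
        # The Ports field ends at the next tab (a trailing "Ignored State:" field).
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            results.setdefault(host, []).append((int(port), state, proto, service))
    return results


def segmentation_findings(results, cde_networks):
    """Flag every CDE host that answered a probe sent from the out-of-scope network.

    open          -> a reachable service, a direct path into the CDE (high)
    closed        -> the host replied with a RST, so the probe crossed the boundary
                     even though nothing was listening (medium)
    open|filtered -> inconclusive (typical of UDP); verify manually (low)
    filtered      -> no reply or ICMP unreachable; the control dropped it (no finding)
    """
    findings = []
    for host, ports in results.items():
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in cde_networks):
            continue  # only in-scope CDE targets count as segmentation failures
        for port, state, proto, service in ports:
            if state == "open":
                severity = "high"
            elif state == "closed":
                severity = "medium"
            elif state == "open|filtered":
                severity = "low"
            else:
                continue
            findings.append(Finding(host, port, proto, state, service, severity))
    return findings


def segmentation_passes(findings):
    """The control is effective only if no CDE host answered at all."""
    return not findings


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_GREPABLE)
    found = segmentation_findings(parsed, CDE_NETWORKS)
    for f in found:
        print(f"{f.severity.upper():6} {f.host}:{f.port}/{f.proto} {f.state} ({f.service})")
    print("segmentation test:", "PASS" if segmentation_passes(found) else "FAIL")
```

Two caveats a reviewer will look for in the evidence: a `closed` result is still a finding, because the RST proves the packet crossed the boundary, and a single scan from one out-of-scope segment is not a segmentation test; repeat the run from every out-of-scope network the client has (user LAN, guest Wi-Fi, DMZ, management networks) and across TCP and UDP before calling the controls effective.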

So, what does this mean for PCI Merchants?

Merchants must know who their Service Providers are and have written agreements with them, as Requirement 12.8 expects. The agreements should call out the specific PCI-DSS requirements that the Service Provider must meet, such as 11.2 (vulnerability scanning), 11.3 (penetration testing) and 11.3.4.1 (six-monthly segmentation testing).

Penetration Test for HIPAA Compliance

The HIPAA Security Rule requires that organizations dealing in Electronic Protected Health Information (EPHI) perform a risk analysis, which in practice requires these covered entities to test their security controls. Two significant methods for testing security controls (per Administrative Safeguards, 4.8 Evaluation, § 164.308(a)(8)) are vulnerability scanning and penetration testing, as described in the security control assessment procedures found in NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems.

Without these operational measurements, a covered entity has no evidence that its controls work, and an auditor or administrative law judge could render a judgment against it.

The HIPAA Security Rule specifically focuses on the safeguarding of EPHI. Although the Federal Information Security Management Act (FISMA) applies to all federal agencies and all information types, only a subset of agencies is subject to the HIPAA Security Rule based on their functions and use of EPHI. All HIPAA covered entities must comply with the Security Rule. The Security Rule specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. In general, the requirements, standards, and implementation specifications of the Security Rule apply to the following covered entities:

  • Covered Healthcare Providers— Any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
  • Health Plans— Any individual or group plan that provides or pays the cost of medical care (e.g., a health insurance issuer and the Medicare and Medicaid programs).
  • Healthcare Clearinghouses— A public or private entity that processes another entity’s healthcare transactions from a standard format to a nonstandard format, or vice versa.
  • Medicare Prescription Drug Card Sponsors – A nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act.

What does this mean for Pen Testing Service requirements?

Covered entities subject to HIPAA must perform “ongoing evaluation” of the technical and non-technical aspects of their security program. In terms of penetration testing frequency, this is generally interpreted as annual testing at a minimum.

Penetration Test for SOC 2 Compliance

Organizations that fall into the category of Technology Service Providers are routinely asked by their customers to obtain a SOC 2 report. To do so, they must pass an audit against five categories of criteria (the Trust Services Principles, TSP). These are checks against controls for security, availability, processing integrity, confidentiality and privacy.

SOC 2 audits come in two main types (SOC 2 Type I and SOC 2 Type II). Roughly speaking, a Type I audit reviews the design of the controls at a point in time, whereas a Type II audit tests the operating effectiveness of those controls over a period. Penetration testing falls into the category of a security controls effectiveness test. But is it required? Technically speaking, no specific criterion in SOC 2 mandates a penetration test.

However, SOC 2 Common Criteria (Security) CC4.1 (COSO Principle 16) states:

The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

So a penetration test may not be required IF the organization can demonstrate that another security assessment of equivalent coverage and thoroughness is done regularly (e.g. HIPAA Security and Privacy Assessments). Additionally, as with many standards, interpretation varies from auditor to auditor. It is therefore quite possible (and in the opinion of CyberHunter, quite likely) that an auditor will be uncomfortable issuing a SOC 2 report for an organization unwilling to perform a penetration test. If this happens you either find a new auditing company or get the penetration test done. In either case, we strongly recommend penetration testing as part of this exercise.

What does this mean for Pen Testing Service requirements?

Unless an equivalent security assessment (not just a vulnerability scan) is already performed regularly, an entity seeking a SOC 2 report should conduct a penetration test every 6 to 12 months.

Why Penetration Testing as a Service is Important

Ultimately, choosing a pen testing provider as a service partner provides benefits such as:

  • Tester continuity. We will come to know your environment and specific needs.
  • Lower costs for subsequent tests. Familiarity with the environment and applications allows for a more efficient and thorough test each time.
  • Confidence and expert opinion. A pen testing service partner like CyberHunter guides you through each of these compliance processes.

BE PROACTIVE.

Trust in a network device is temporary. Be proactive and scan, test and hunt on a regular basis.

TRUST NOTHING.

Security teams should NEVER trust an endpoint or server until it can be PROVEN to be trusted.

MALWARE CAN GET IN.

Companies need to prepare and be ready to respond to advanced persistent threats.

Cyber Security & Pen Test Consultants in Canada, the US and the Caribbean