How to approach penetration testing of an ATM OS that was upgraded from Windows XP to Windows 7? From what I gather, the testing flow should be as follows:
- Architectural Review
- Pentesting OS and Application
- Physical Audit
For the current requirement, I am focusing on the second item. Typically, I'd scan the machine and look for the service/port that a specific service is using, then run an application-specific exploit. I am planning to follow the PCI ATM Security Guidelines (PDF), section 4.2 Security of Basic Software and section 4.4 ATM Application Management.
Could I take a different, faster approach for an ATM whose OS was upgraded from Windows XP to Windows 7, if it was already penetration tested while running Windows XP?
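As an added example, not part of the original question or of any PCI document, the script below takes the approach the question sketches (inventory the listening services with a scanner) and diffs the service inventory recorded during the earlier Windows XP test against the one taken from the upgraded Windows 7 machine. The point is to make the "can I reuse the old test" decision explicit: only services that are present and unchanged can inherit any prior coverage; added, removed and changed listeners need fresh work. Both Nmap XML documents are constructed for illustration (the address, ports and product strings are not from a real ATM), and `parse_services` / `diff_services` are names chosen here, not Nmap or PCI API.

```python
"""Diff two Nmap -sV -oX service inventories: XP baseline vs. current Win7 scan.

Added example; the XML below is constructed to look like Nmap output for a
single host and is illustrative only. The Windows 7 sample shows two things
that commonly change on an upgrade: the RPC dynamic port range moves from
1025+ (XP) to 49152+ (Vista and later), and new listeners such as WSDAPI on
5357 appear, so an XP-era port list does not describe the new box.
"""
import xml.etree.ElementTree as ET

# Constructed baseline: what the scan looked like when the XP test was done.
BASELINE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Microsoft Windows netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
<port protocol="tcp" portid="1025"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" product="Microsoft Terminal Service"/></port>
</ports></host></nmaprun>"""

# Constructed current scan of the same host after the Windows 7 upgrade.
CURRENT_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
<port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Microsoft Windows netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" product="Microsoft Terminal Service"/></port>
<port protocol="tcp" portid="5357"><state state="open"/><service name="http" product="Microsoft HTTPAPI httpd" version="2.0"/></port>
<port protocol="tcp" portid="49152"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
<port protocol="tcp" portid="49153"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
</ports></host></nmaprun>"""


def parse_services(xml_text):
    """Return {(protocol, port): (service, product, version)} for open ports only."""
    root = ET.fromstring(xml_text)
    services = {}
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue  # closed/filtered ports carry no service to (re)test
        svc = port.find("service")
        name = svc.get("name", "") if svc is not None else ""
        product = svc.get("product", "") if svc is not None else ""
        version = svc.get("version", "") if svc is not None else ""
        key = (port.get("protocol"), int(port.get("portid")))
        services[key] = (name, product, version)
    return services


def diff_services(baseline, current):
    """Split the current inventory by what the earlier test could have covered.

    added:     listening now, absent from the baseline -> never tested
    removed:   in the baseline, gone now -> old findings no longer apply
    changed:   same port, different fingerprint -> old findings need re-verification
    unchanged: same port and fingerprint -> the only candidates for reuse
    """
    common = baseline.keys() & current.keys()
    return {
        "added": {k: v for k, v in current.items() if k not in baseline},
        "removed": {k: v for k, v in baseline.items() if k not in current},
        "changed": {k: (baseline[k], current[k]) for k in common if baseline[k] != current[k]},
        "unchanged": {k: current[k] for k in common if baseline[k] == current[k]},
    }


def reuse_candidates(diff):
    """Ports whose prior test results could be considered for reuse."""
    return sorted(diff["unchanged"])


if __name__ == "__main__":
    d = diff_services(parse_services(BASELINE_XML), parse_services(CURRENT_XML))
    for bucket in ("added", "removed", "changed", "unchanged"):
        print(f"{bucket}:")
        for (proto, port), info in sorted(d[bucket].items()):
            print(f"  {proto}/{port}: {info}")
```

Run against real scans, the same two-document diff applies to whatever the scanner exports; the useful output is the "added" and "changed" buckets, which are exactly the parts of the Windows 7 machine that the Windows XP report says nothing about.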