<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>True Insight &#187; PCI</title>
	<atom:link href="http://www.truedigitalsecurity.com/blog/tag/pci/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.truedigitalsecurity.com/blog</link>
	<description>Information Security in Today&#039;s Digital Culture</description>
	<lastBuildDate>Thu, 02 Feb 2012 15:57:20 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>PCI Vulnerability Scanning &#8211; External and Internal Views</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/09/03/pci-vulnerability-scanning-external-internal/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/09/03/pci-vulnerability-scanning-external-internal/#comments</comments>
		<pubDate>Sat, 03 Sep 2011 23:13:00 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[PCI]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[vulnerability management]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=536</guid>
		<description><![CDATA[Vulnerability scanning. Mention those two words, and your IT operations staff usually shudders. Conversely, your IT audit/security staff usually start doing a happy dance (I think those guys are sadists, like Steve Martin in Little Shop of Horrors.) Love it or hate it, vulnerability scanning is required by many compliance regimens. The PCI DSS states &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/09/03/pci-vulnerability-scanning-external-internal/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Vulnerability scanning. Mention those two words, and your IT operations staff usually shudders. Conversely, your IT audit/security staff usually start doing a happy dance (I think those guys are sadists, like <a title="Steve Martin sings 'The Dentist' from 'Little Shop of Horrors'" href="http://www.youtube.com/watch?v=bOtMizMQ6oM" target="_blank">Steve Martin in <em>Little Shop of Horrors</em></a>.) Love it or hate it, vulnerability scanning is required by many compliance regimens. The PCI DSS states that you have to perform vulnerability scanning quarterly, and from both an external and internal perspective. If you follow the letter of the PCI law, that&#8217;s at least eight scans a year. I would like to posit that if you&#8217;re really doing PCI vulnerability scanning correctly, it&#8217;s more like a minimum of 12 scans each year, with 16 being the better number.<span id="more-536"></span></p>
<p>Where do I get that number, you ask? Well, it all depends on where you are scanning from&#8230;</p>
<p>External scanning is pretty straightforward: you scan from a location external to your public IPs and see what vulnerabilities show up. There are vulnerability scanning services that can do this for you. The trick here is to whitelist the scan source IP(s) on any devices that may actively modify or deny traffic. Examples of these devices are intrusion prevention systems, some load balancers, denial-of-service prevention proxies, etc. PCI DSS 11.2 requires at least quarterly external scans, so that&#8217;s four scans each year.</p>
<p>Internal scanning is a bit more difficult. PCI DSS 11.2 requires at least quarterly internal scans as well, but you very likely have more than one internal network segment. If you have PCI data, I believe you have at least three segments: a DMZ, a CDE (cardholder data environment), and your internal business operations network. So when you scan the CDE, which segment should you scan from, the CDE, the DMZ, or the business network? The answer is: Yes.</p>
<p>If you scan from the CDE, you will see a lot of vulnerabilities that are exploitable only from the CDE network, since you (should) have firewalls in place that severely limit traffic inbound to the CDE. That&#8217;s four scans each year.</p>
<p>If you scan from the DMZ, you may see a lot fewer vulnerabilities, but you&#8217;re probably going to be missing some easy-to-fix stuff in the CDE that should be remediated just in case an attacker does manage to make it inside the CDE. Scanning from the DMZ is another four scans each year.</p>
<p>If you scan the CDE from the business network, you will see even fewer vulnerabilities (since you are going through a firewall at the DMZ&lt;-&gt;business network and CDE&lt;-&gt;DMZ boundaries). But let&#8217;s be honest: your users are your weakest link, and as they go about their merry way during the business day surfing the web (when they should be working), they will visit a few off-color sites (or even legitimate sites that have been hacked) that exploit their browsers, drop some malware on their computer, and give an attacker a foothold on the business network. Clearly you need to know what the threat landscape is on the CDE from the business network because USERS ARE STUPID. Four more scans each year.</p>
<p>That puts us at sixteen scans. Maybe you choose to short-change yourself and not scan from the local CDE network, which knocks four scans off the count, but if you&#8217;re already doing 12 scans, is performing four fewer scans really worth not having an accurate picture of the CDE&#8217;s threat landscape? I would say it&#8217;s not.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Brett Edgar' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2012/01/Kayna-Kelley_avatar.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/bredgar/' title='Brett Edgar'>Brett Edgar</a></h3><p>Brett is a Founder and the Director of Managed Security Services at TRUE.  He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003.  He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver.  He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.</p><p><a href='lairofthewalrus' title='Brett Edgaron Twitter'>Twitter</a> - <a href='http://www.truedigitalsecurity.com/blog/author/bredgar/' title='More posts by Brett Edgar'>More Posts</a> </p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/09/03/pci-vulnerability-scanning-external-internal/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>When are merchants required to use a PA-DSS validated POS (point-of-sale) application?</title>
		<link>http://www.truedigitalsecurity.com/blog/2010/12/03/common-question-when-are-merchants-required-to-use-a-pa-dss-validated-pos-point-of-sale-application/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2010/12/03/common-question-when-are-merchants-required-to-use-a-pa-dss-validated-pos-point-of-sale-application/#comments</comments>
		<pubDate>Fri, 03 Dec 2010 18:51:51 +0000</pubDate>
		<dc:creator>Michael Oglesby</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[validation]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=296</guid>
		<description><![CDATA[In True’s experience as a QSA advising merchants with PCI compliance, one point of confusion seems to always surface – when are merchants required to use a Payment Application Data Security Standard (PA-DSS) validated POS application? First, it is important to understand that the Payment Card Industry Data Security Standard (PCI-DSS) and PA-DSS are completely &#8230; <a href="http://www.truedigitalsecurity.com/blog/2010/12/03/common-question-when-are-merchants-required-to-use-a-pa-dss-validated-pos-point-of-sale-application/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>In True’s experience as a QSA advising merchants with PCI compliance, one point of confusion seems to always surface – when are merchants required to use a Payment Application Data Security Standard (PA-DSS) validated POS application?</p>
<p>First, it is important to understand that the Payment Card Industry Data Security Standard (PCI-DSS) and PA-DSS are completely separate standards. Assessors do not validate or require PA-DSS when validating PCI-DSS.  All applicable PCI-DSS controls must always be evaluated regardless of the POS validation status. Utilizing a PA-DSS application allows merchants to ensure that the application was designed to meet the PCI security requirements.<span id="more-296"></span></p>
<p>Our role as a QSA is not to challenge or verify an application’s PA-DSS validation, but rather assess the merchant’s implementation of the application and its environment.  QSAs should be encouraging clients to use a PA-DSS validated application whenever possible to receive security benefits and satisfy card brand requirements, described next.</p>
<p>Whether a PA-DSS validated application must be used is actually mandated directly by the individual card brands. Currently, only VISA publicly mandates PA-DSS for its merchants; however, MasterCard plans to require it starting July 2012.  The information below lists the current requirement for each card brand.  Merchants should verify with their acquirer or card brand as to their unique PA-DSS requirements.</p>
<p><strong>VISA</strong></p>
<ul>
<li>Mandated effective 1 July 2010</li>
<li><a href="http://usa.visa.com/download/merchants/payment_application_security_mandates.pdf">Mandate Reference</a></li>
</ul>
<p><strong>MasterCard</strong></p>
<ul>
<li>Mandated effective 1 July 2012</li>
<li><a href="http://www.mastercard.com/us/merchant/pdf/SPME-Entire_Manual_public.pdf">Mandate Reference</a></li>
</ul>
<p><strong>Discover</strong></p>
<ul>
<li>Strongly recommends</li>
</ul>
<p><strong>American Express</strong></p>
<ul>
<li>Merchants should contact American Express directly to verify requirements</li>
</ul>
<p><strong>JCB</strong></p>
<ul>
<li>Merchants should contact JCB directly to verify requirements</li>
</ul>
<p>I hope this explanation clears up any confusion.  If you have any questions related to this topic or have other topics that you would like to see addressed by experts on True Insight, please post a reply or send us an <a href="mailto:suppport@truedigitalsecurity.com">email</a>.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Michael Oglesby' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2011/08/ogs-bwcrop-100x100.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/mroglesby/' title='Michael Oglesby'>Michael Oglesby</a></h3><p>The Director of Tactical Security Services at TRUE, Michael specializes in security testing initiatives with vast network and application security assessment experience.  He oversees a team of analysts in conducting SAST- and DAST-based services.  Certifications include CISSP, CSSLP, QSA and CNSS 4011-4015.  He is also the Verizon 2010 Data Breach Investigation Report Cover Challenge Winner and second place finisher in the 2011 competition.</p><p><a href='darkstructures' title='Michael Oglesbyon Twitter'>Twitter</a> - <a href='http://www.truedigitalsecurity.com/blog/author/mroglesby/' title='More posts by Michael Oglesby'>More Posts</a> </p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2010/12/03/common-question-when-are-merchants-required-to-use-a-pa-dss-validated-pos-point-of-sale-application/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Avoid Becoming a Data Loss Victim</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/05/04/avoid-becoming-a-data-loss-victim/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/05/04/avoid-becoming-a-data-loss-victim/#comments</comments>
		<pubDate>Mon, 04 May 2009 18:23:30 +0000</pubDate>
		<dc:creator>Nathaniel James</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=166</guid>
		<description><![CDATA[With the current US economy downturn, cyber crime is increasing at an alarming rate. Let’s face it &#8211; data loss can quickly become a public relations nightmare for any business. Solid Core conducted a survey [solidcore.com] of 201 IT and compliance professionals and found that more than half of the respondents admitted their organization either &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/05/04/avoid-becoming-a-data-loss-victim/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>With the current US economic downturn, cyber crime is increasing at an alarming rate. Let’s face it &#8211; data loss can quickly become a public relations nightmare for any business. Solid Core conducted a <a href="http://www.solidcore.com/news_events/release79.html">survey</a> [solidcore.com] of 201 IT and compliance professionals and found that more than half of the respondents admitted their organization either experienced or did not know if they had experienced a compliance control deficiency in the last year.</p>
<p>The Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center, released the 2008 Annual Report on the number of Internet crime complaints received. This <a href="http://www.ic3.gov/media/2009/090331.aspx">report </a>[ic3.gov] was made available on March 31, 2009.</p>
<p>The 2008 Annual Report states that complaints of online crime hit a record high in 2008. The Internet Crime Complaint Center received a total of 275,284 complaints, a 33.1% increase over the previous year. The total dollar loss linked to online fraud was $265 million, about $25 million more than in 2007. The average individual loss was roughly $931.</p>
<p>Now more than ever, it’s extremely critical for everyone to do their part and be vigilant when it comes to network and enterprise security. Still, with the recent gains in the stock market, I’m hopeful this trend will become more positive.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='' src='http://0.gravatar.com/avatar/21c45559af13b8758f7149cccad3b830?s=100&amp;d=http%3A%2F%2F0.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D100&amp;r=G' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/nrjames/' title='Nathaniel James'>Nathaniel James</a></h3><p></p><p><a href='http://www.truedigitalsecurity.com' title='Nathaniel James'>Website</a> - <a href='http://www.truedigitalsecurity.com/blog/author/nrjames/' title='More posts by Nathaniel James'>More Posts</a> </p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/05/04/avoid-becoming-a-data-loss-victim/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Acquiring target&#8230; NOW!</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/05/01/acquiring-target-now/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/05/01/acquiring-target-now/#comments</comments>
		<pubDate>Fri, 01 May 2009 14:09:12 +0000</pubDate>
		<dc:creator>Dominic Schulte</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[social engineering]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=162</guid>
		<description><![CDATA[Walt Conway has some interesting commentary [treasuryinstitute.org] on the recently released Verizon data breach report [verizonbusiness.com]. All the valuable PCI compliance insight aside, I found the statistics on the prevalence and value of targeted attacks to be especially interesting.  We are frequently engaged to perform social engineering exercises for our clients, primarily to help them &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/05/01/acquiring-target-now/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Walt Conway has some interesting <a title="PCI DSS News" href="http://treasuryinstitute.org/blog/index.php?itemid=252" target="_blank">commentary</a> [treasuryinstitute.org] on the recently released Verizon data breach <a title="Verizon Business Report" href="http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf" target="_blank">report</a> [verizonbusiness.com].</p>
<p>All the valuable PCI compliance insight aside, I found the statistics on the prevalence and value of targeted attacks to be especially interesting.  We are frequently engaged to perform social engineering exercises for our clients, primarily to help them stress the importance of security policies, procedures, and communication to their employees.</p>
<p>While our generic email campaigns typically fool a few of the overly curious or too-quick-to-click crowd, the more informed (targeted) phishing campaigns are overwhelmingly effective, to the point that we often need to reassure our clients that the world is not ending.  Unfortunately, this report highlights the fact that targeted attacks are not just elements of security company sales talk.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Dominic Schulte' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2011/08/dom-bw-1-100x100.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/deschulte/' title='Dominic Schulte'>Dominic Schulte</a></h3><p>Dominic Schulte currently serves as the Managing Director of Security Services &amp; Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.</p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/05/01/acquiring-target-now/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

