One of the key tenets of a good cybersecurity program is defense in depth, including automated tools that continuously assess how well those defenses are holding up. Automated tools are the only practical way to keep up with the number and variety of network infrastructure components in a modern information environment.

For example, the Payment Card Industry Data Security Standard (PCI DSS) requires merchants and service providers to conduct quarterly (and after any significant change) internal and external vulnerability scans.


PCI Compliance Vulnerability Scanning Requirement

The PCI Security Standards Council (PCI SSC) defines a vulnerability scan as a combination of automated or manual tools, techniques, and/or methods run against external and internal network devices and servers. A vulnerability scan is designed to expose potential weaknesses that could be found and exploited by malicious individuals.

External vulnerability scans must be completed by a PCI DSS Approved Scanning Vendor (ASV). Avertium conducts those scans every day for a multitude of clients.

Types of Vulnerability Scans

In the industry we talk about vulnerability scans along two axes that are often run together: where the scan originates (external, from outside the perimeter, or internal, from inside the network) and whether the scanner is given credentials (unauthenticated or authenticated). External ASV scans are unauthenticated by design; internal scans can be either, and authenticated internal scans give the most complete picture.

An unauthenticated vulnerability scan identifies weaknesses reachable without logging in as an authorized user, which is the view an outsider gets. Unauthenticated scans produce a larger share of false positives because they can only infer the operating system and installed software from banners, open ports, and protocol behaviour, not from the actual patch state of the host. This type of scan is also what the very threat actors we are working to keep out of our environments run first.

Authenticated scans log in to the hosts being evaluated with credentials (often administrative) that authorize the tool to inspect low-level data such as installed packages, running services, and configuration settings, so a finding can be confirmed or ruled out against what is actually on the system.
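The false-positive mechanism described above is easiest to see with a concrete check. The following is an added example, not Avertium's code and not any scanner's detection engine: it contrasts what an unauthenticated check can conclude from an HTTP Server banner with what an authenticated check can conclude from the installed package on the same host, then reconciles the two the way a scanning professional does when separating true findings from noise (the triage the tuning section below calls for). The "fixed in 2.4.50" version, the backport table, the banners, and the package strings are all constructed for the demonstration and do not describe a real advisory; the pattern (a vendor backporting a fix without changing the upstream version string) is a real and common source of banner-based false positives.

```python
"""Unauthenticated (banner) vs authenticated (installed package) version checks.

Added example, not Avertium's code or any scanner's engine. All advisory data,
banners and package strings are constructed; the backport table is hypothetical.
"""
import re
from dataclasses import dataclass

# Hypothetical advisory: the issue is fixed upstream at this version.
FIXED_UPSTREAM = {"httpd": (2, 4, 50)}

# Hypothetical vendor backport table: for a given (package, distribution),
# package releases at or above this number carry the fix even though the
# upstream version string is unchanged.
BACKPORT_FIXED_RELEASE = {("httpd", "el8"): 30}

# Package name-version-release.dist as printed by `rpm -q httpd` (arch ignored).
PKG_RE = re.compile(r"^(?P<name>[a-z]+)-(?P<ver>\d+\.\d+\.\d+)-(?P<rel>\d+)\.(?P<dist>el\d+)")


def parse_version(text):
    """'2.4.37' -> (2, 4, 37) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


@dataclass
class Finding:
    host: str
    status: str      # "vulnerable", "not vulnerable" or "unknown"
    evidence: str


def unauthenticated_check(host, banner):
    """All an unauthenticated scan has: the advertised version in the banner."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    if not m:
        return Finding(host, "unknown", f"no version in banner {banner!r}")
    advertised = parse_version(m.group(1))
    status = "vulnerable" if advertised < FIXED_UPSTREAM["httpd"] else "not vulnerable"
    return Finding(host, status, f"banner reports Apache/{m.group(1)}")


def authenticated_check(host, rpm_line):
    """With credentials the scan reads the installed package and can account
    for vendor backports that the banner does not reveal."""
    m = PKG_RE.match(rpm_line)
    if not m:
        return Finding(host, "unknown", f"unparseable package {rpm_line!r}")
    name, dist = m["name"], m["dist"]
    ver, rel = parse_version(m["ver"]), int(m["rel"])
    if ver >= FIXED_UPSTREAM[name]:
        return Finding(host, "not vulnerable", f"{rpm_line}: upstream version carries the fix")
    backport = BACKPORT_FIXED_RELEASE.get((name, dist))
    if backport is not None and rel >= backport:
        return Finding(host, "not vulnerable", f"{rpm_line}: fix backported in release {backport}")
    return Finding(host, "vulnerable", f"{rpm_line}: below fixed version, no known backport")


def reconcile(unauth, auth):
    """Credentialed evidence wins. A banner-only 'vulnerable' that the package
    check refutes is recorded explicitly as a false positive rather than
    silently dropped, so the tuning decision is auditable."""
    if unauth.status == "vulnerable" and auth.status == "not vulnerable":
        return "false positive (banner-based)"
    return auth.status if auth.status != "unknown" else unauth.status


# Constructed sample hosts: two identical banners hiding different patch states,
# and one host that is current upstream.
SAMPLE_HOSTS = [
    ("web1", "Apache/2.4.37 (Red Hat Enterprise Linux)", "httpd-2.4.37-30.el8.x86_64"),
    ("web2", "Apache/2.4.37 (Red Hat Enterprise Linux)", "httpd-2.4.37-21.el8.x86_64"),
    ("web3", "Apache/2.4.53 (Red Hat Enterprise Linux)", "httpd-2.4.53-7.el9.x86_64"),
]


def scan_all(hosts=SAMPLE_HOSTS):
    """Return {host: verdict} after reconciling both views for every host."""
    verdicts = {}
    for host, banner, pkg in hosts:
        verdicts[host] = reconcile(unauthenticated_check(host, banner),
                                   authenticated_check(host, pkg))
    return verdicts


if __name__ == "__main__":
    for host, verdict in scan_all().items():
        print(f"{host}: {verdict}")
```

Note that web1 and web2 are indistinguishable to the unauthenticated check; only the credentialed view separates the patched host from the exposed one, and the verdict string keeps a record of why the banner finding was discounted.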

Internal scans can be conducted by any qualified person with appropriate independence from the systems being scanned, and no organization can consider itself to have a good cybersecurity program if it does not perform internal vulnerability scans.


Wanted: Qualified Vulnerability Scanning Professional

Running these scans and interpreting the results isn’t as easy as it sounds. The automated or manual tools and techniques required to perform a vulnerability scan are highly complex and must be tuned to a specific environment. Only persons who have been trained in using those tools can be considered qualified persons. These professionals must also be independent of the components being evaluated to maintain objectivity. For example, a firewall administrator should not be responsible for scanning the firewalls even though they are generally the most knowledgeable firewall person in the organization.

So how do you find that qualified vulnerability scanning person? The traits to look for are curious, smart, creative, incisive, passionate about cybersecurity, techy people who are great communicators, detail-oriented, and have social engineering skills.

These are the characteristics that let your scanning professional tinker with configuration settings and code to make sure the entire environment is being fully tested, work effectively with the teams charged with eliminating the vulnerabilities, and fulfill PCI DSS Requirement 11.2.

The Art of Vulnerability Scan Tuning

The tuning part of the process is the most important. No two infrastructures are identical. The vulnerability tools and methodology must be tuned to the specific environment. Attention to detail is crucial.

The person running the scan must be able to think like an attacker to evaluate which findings represent true vulnerabilities and which are just noise on the line, aka false positives. That judgement cuts both ways: a small change in a configuration setting can turn yesterday's false positive into an exploitable attack vector, so a finding suppressed in one scan should be re-evaluated rather than permanently ignored.

The Case for Automation to Fulfill PCI DSS Requirement 11.2

Vulnerability scanning spans a wide spectrum of technology to detect and classify system weaknesses in computers, networks, and endpoints. By detecting weaknesses such as missing patches, outdated protocols, expired or weak certificates, and unnecessary services, a vulnerability scan not only checks the box for PCI compliance, it creates a valuable avenue for improving your organization's cybersecurity.

Automating PCI DSS Requirement 11.2 using vulnerability scanning is the best way for a merchant or service provider to effectively and efficiently fulfill the mandate and improve its security posture.

Don’t spin your wheels trying to manually fulfill PCI DSS Requirement 11.2. Reach out to start the conversation.

Dea Ann Farley, PCI Compliance Consultant

Dea Ann Farley is a compliance consultant with Avertium's PCI Compliance practice, helping Avertium customers to apply more rigor in achieving and maintaining PCI DSS compliance.

