Tuesday, July 14, 2009

On Scanning

This post is about PCI DSS and vulnerability scanning.  What can be simpler than that? :-)

Well, the illustrious Branden Williams reminds us that even the simplest, clearest, most painstakingly defined part of PCI DSS can cause … you know … trouble. Since his post is so good, I’ll quote more and comment less.

First, a quick and useful reminder:

“Requirement 11.2 mandates quarterly scans for all hosts in scope for PCI, both internal and external”

External scans are well-defined; internal scans are left to the discretion of the merchant’s security team. The latter does NOT make them any less mandatory though.

Then Branden asks a perfectly reasonable question:

“In more than half of the PCI assessments we [=his team at VeriSign] did in 2008, Requirement 11.2 came up as an initial gap. If it's just scanning, why can't we get it right?”

And, yes, he has an answer. The first part of the answer makes me embarrassed to even mention it here; in fact, I feel ashamed of being part of the same humanity as folks who do it… Namely:

“Reason the First: You scanned, but you forgot to obtain CLEAN scans for every quarter. Remember, the testing procedure for Requirement 11.2 states that QSAs must "Verify that the scan process includes rescans until passing results are obtained." Just scanning is not enough, you have to scan, patch, and re-scan until you have a clean scan”

No, neither Branden nor I are joking; stuff like that really happens: “It mandates scanning? So, we are going to scan! Is there anything else?” He then explains it further, with YouTube video illustrations, of course :-) And now the second part:

“Reason the Second: You scanned externally, but forgot to scan INTERNALLY.”

So, please call me the f*cking broken record (modern version: a corrupted MP3 file? :-)), but:

Internal network scanning is just as mandatory as external, as per PCI DSS.

Internal network scanning is just as mandatory as external, as per PCI DSS.

Internal network scanning is just as mandatory as external, as per PCI DSS.

Internal network scanning is just as mandatory as external, as per PCI DSS.

Internal network scanning is just as mandatory as external, as per PCI DSS.

Did I mention … oh, never mind! In any case, read his whole post here.
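Both reasons can be checked mechanically before the assessor arrives. The sketch below is an added example, not part of the original post or of Branden's: it walks a scan history and flags every quarter and scope (external, internal) that has no scan at all or has scans but no passing one. The record format, the names and the sample data are assumptions made for illustration, and a quarter is treated as clean if at least one scan of that scope passed.

```python
from collections import defaultdict
from datetime import date

SCOPES = ("external", "internal")  # both are mandatory under Requirement 11.2


def quarter(d):
    """Map a date to a (year, quarter) pair."""
    return (d.year, (d.month - 1) // 3 + 1)


def find_gaps(scans, quarters):
    """Return {(year, quarter, scope): reason} for each quarter/scope lacking a clean scan.

    scans: iterable of (date, scope, passed) tuples (hypothetical record format).
    quarters: the (year, quarter) pairs under assessment.
    """
    results = defaultdict(list)
    for when, scope, passed in scans:
        results[quarter(when) + (scope,)].append(passed)

    gaps = {}
    for yq in quarters:
        for scope in SCOPES:
            runs = results.get(yq + (scope,), [])
            if not runs:
                gaps[yq + (scope,)] = "no scan performed"
            elif not any(runs):
                gaps[yq + (scope,)] = f"{len(runs)} scan(s), none passing: remediate and rescan"
    return gaps


# Constructed sample history, not real assessment data.
SAMPLE_SCANS = [
    (date(2008, 2, 10), "external", False),
    (date(2008, 3, 5), "external", True),    # Q1 external: failed, patched, rescanned clean
    (date(2008, 2, 12), "internal", True),
    (date(2008, 5, 20), "external", True),   # Q2: external only, internal forgotten
    (date(2008, 8, 15), "external", False),  # Q3 external: scanned, never clean
    (date(2008, 8, 16), "internal", False),
    (date(2008, 9, 20), "internal", True),
    (date(2008, 11, 3), "external", True),
    (date(2008, 11, 4), "internal", True),
]
YEAR_2008 = [(2008, q) for q in (1, 2, 3, 4)]

if __name__ == "__main__":
    for key, reason in sorted(find_gaps(SAMPLE_SCANS, YEAR_2008).items()):
        print(key, reason)
```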

P.S. Today was the day I really didn’t want to write about PCI since I realized that even though PCI DSS is definitely NOT the reason for scams, there are PCI-related scams out there nonetheless. And that makes me sad. Whether it is about “free PCI compliancy” or “guaranteed PCI compliance for $4.75/month”, such things are NOT the whole story – they are the exceptions and not the rule. I still believe that PCI DSS is a strong positive force for security; maybe the strongest we have ever had so far.

Dr Anton Chuvakin