Your organization’s network perimeter needs to be scanned for vulnerabilities frequently to ensure that hackers aren’t given a free run to attack your web applications whenever they please. Not to scare you or anything, but ransomware damage costs exceeded $5 billion last year, which represents a 15-fold increase over 2015 costs. Complying with the Payment Card Industry Data Security Standard (PCI DSS) helps keep your company out of this tumultuous future of data breaches, but only if you stay on top of conducting your external vulnerability scans. The trouble with complying with PCI DSS is that most merchants that process, store or transmit cardholder data are unsure how to go about the process and when to run the appropriate tests and scans.
Thankfully, the PCI Security Standards Council (SSC), or “the Council” for short, has taken a proactive approach towards educating merchants on the process of identifying vulnerabilities in their network and effectively remediating them. External vulnerability scanning is a cost-effective approach and one of the main compliance necessities of PCI DSS, and it may only be carried out by an Approved Scanning Vendor (ASV). We look forward to providing you with a full-spectrum understanding of how to initiate an external vulnerability scan with the help of an ASV and what to expect during the process.
External Vulnerability Scan
External vulnerability scanning is sometimes called “perimeter scanning” because it scopes the part of an organization’s external network infrastructure that is immediately accessible to cyber attackers. These perimeter vulnerabilities must be identified and remediated as soon as possible to ensure that the organization follows all cybersecurity best practices and stays out of harm’s way. The sophisticated phishing attacks and malware campaigns that hackers formulate can easily infiltrate perimeter defenses that are riddled with vulnerabilities and cause mayhem. Therefore, it’s increasingly important for companies to stop living in their little safe-zone bubbles inside their firewalls and to contemplate the possibility of an external breach of their web applications.
External vulnerability scans look for holes in network firewall(s) via an automatically administered computer program tied to an internet connection. Businesses operating in an internet-facing payment environment must have regular external vulnerability scans per PCI DSS reporting standards. How and when to carry out these external vulnerability scans is dictated by PCI DSS based on the number of credit card transactions that your organization deals with on a yearly basis. Here is the breakdown of the four (4) levels that your organization will fall under for meeting compliance standards with PCI DSS:
- Level 4: Fewer than 20,000 e-commerce transactions annually, and all merchants with up to 1 million transactions annually across all channels.
- Level 3: 20,000 to 1 million transactions annually.
- Level 2: 1 million to 5,999,999 transactions annually.
- Level 1: More than 6 million transactions annually across all channels including e-commerce.
All four levels must complete an annual security self-assessment and quarterly network scans performed by an Approved Scanning Vendor (ASV). Once your organization crosses the 6 million annual transactions threshold, it must submit to annual on-site PCI security assessments instead of self-assessing compliance. To get a better understanding of the requirements behind implementing an external vulnerability scan, let’s take a closer look at PCI DSS requirement 11.2 in the next subheading.
Requirement 11.2
PCI DSS requirement 11.2 was created by the Council to assist merchants with spotting external security vulnerabilities within their business network and applications. Identifying these external vulnerabilities and quickly remediating them will help to protect the organization’s Cardholder Data Environment (CDE) against potential breaches. An entity’s CDE is defined by the Council as, “the people, processes and technologies that store, process or transmit cardholder data and Sensitive Authentication Data (SAD).” Essentially, the CDE is the environment that contains the organization’s cardholder data acceptance and processing systems.
This requirement calls for entities with any Internet-facing or externally accessible points of entry into the CDE to be scanned by an Approved Scanning Vendor (ASV) at least quarterly (every 90 days). The external vulnerability scans must be carried out by an ASV because the Council considers external networks to be more susceptible to the risk of compromise than internal networks. These scans must also take place after any significant change to the organization’s network infrastructure. Examples of such changes include system component installations, changes in network topology, firewall rule modifications, and product upgrades.
Penetration Test vs. Vulnerability Scan
What some organizations find confusing is what differentiates an external vulnerability scan from a penetration (pen) test. Even though they are similar, they offer completely different results at completely different price points. Whereas penetration testing is extremely expensive, costing upwards of $20,000 per engagement, vulnerability scans can cost only a few hundred dollars each. Penetration testing requires exponentially more time to prepare, implement, and review, while vulnerability scans are quick and semi-automated, which makes vulnerability scans the better candidate for quarterly scanning.
Both assessments are accurate, but pen tests bring extremely thorough results because they eliminate false-positive vulnerabilities. Although these assessments have extremely different price points, they have similar goals. Vulnerability scans seek to find system weaknesses so they can be fixed, while the goal of a pen test is to explore the risk of a data breach on your organization’s current network infrastructure. The difference lies in the depth of the simulated attacks and in what meaningful data can be obtained from the assessment.
ASV Scanning Process
ASVs search for misconfigurations on hosts and for outdated software via either an authenticated or an unauthenticated scan process. Authenticated scans are those where the ASV has been given the appropriate login credentials beforehand, while an unauthenticated scan does not use any login credentials during scanning. An authenticated external vulnerability scan can produce more accurate results, with fewer false positives and false negatives, because its tools can see more of the host than an outside probe can. Unauthenticated external vulnerability scans probe the organization’s networks looking for connections that can be breached from the outside. Following a successful connection with the network, the ASV can log into the target host network and produce quality reports and a list of defects for the company to improve upon.
During an external vulnerability scan, an ASV seeks out the security vulnerabilities that a hacker might use to gain access to the organization’s CDE. By deploying scanning solutions that fulfil the requirements of the ASV Program Guide laid out by the Council, ASVs use their scanning solutions to validate an entity’s adherence to the external scanning requirements of PCI DSS. Before an ASV may use its scan solution in the field, the solution must be tested by an ASV Validation Lab, approved by the Council, and added to the Council’s list of Approved Scanning Vendors.
ASVs must also ensure that these scans do not penetrate, intentionally alter, or impact the normal operation of the entity’s CDE. ASVs are also required to scan all necessary network components defined by the entity, which can be used to identify active components and services. This methodology ensures that the vulnerability scan does not veer out of scope after the scope has been defined. Let’s look in more detail at the ASV’s role in defining the scope of the external vulnerability scan, the process of mitigating vulnerabilities, and how results are confirmed with the Council.
Define the Scope of the Scan
To define the scope of the external vulnerability scan, the ASV must be provided with the IP addresses and/or domain names of all Internet-facing systems so that it can reach the entity’s CDE from the outside and conduct an appropriate scan. The ASV must communicate the scope of the scan to the entity, and whether the scope should be altered if components that the entity did not disclose are found during the scan. This is where proper network segmentation is of paramount importance, since it allows components that are not part of the CDE to be excluded from the scope. In short, implementing network segmentation allows the ASV to isolate system components that store, process, or transmit cardholder data from systems that do not. This gives the entity the ability to effectively control the scope of the scan, at which point the ASV can attest that the components that were not scanned were not relevant to the goal of the scan itself.
Mitigate Vulnerabilities and Reporting
The process of mitigating vulnerabilities in the entity’s network entails pinpointing the places in the in-scope IP address range where network attacks could be launched. Following the scan, the ASV prepares a report that confirms the location and nature of all potential vulnerabilities. This report describes and diagnoses each vulnerability while also providing the entity with the guidance needed to fix or patch it. Each vulnerability is assigned a severity level, and the scores are then tabulated to determine whether the entity passed the scan.
If a vulnerability is given a Common Vulnerability Scoring System (CVSS) score of 4.0 or higher, the ASV gives the entity a failing grade. If an entity finds that it has a failing vulnerability, it can either dispute the finding with the ASV or implement a solution to remediate the vulnerability during the scan. Entities that receive a failing grade for vulnerabilities that were not fixed during the scan itself must repeat the external vulnerability scan to receive a passing grade.
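As an added illustration of the scoping and pass/fail rules described above (this is example code written for this article, not code from RSI Security, the Council, or any ASV tool), the script below evaluates a constructed ASV-style scan report against the entity's declared scope and the CVSS 4.0 threshold, and then checks whether the quarterly (90-day) cadence and the rescan-after-significant-change rule are being met. The report format, the IP ranges (documentation ranges 203.0.113.0/24 and 198.51.100.0/24), the findings and the dates are all constructed for the example; real ASV reports carry more fields and are produced by the ASV, not by the entity.

```python
"""Evaluate a constructed ASV-style scan report and scan cadence (example only)."""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Threshold stated in the article: CVSS 4.0 or higher is a failing finding.
FAIL_THRESHOLD = 4.0
# Quarterly scan cadence stated in the article: at least every 90 days.
SCAN_INTERVAL_DAYS = 90


@dataclass
class Finding:
    host: str      # IP address the finding was observed on
    port: int      # TCP/UDP port of the affected service
    title: str     # short description from the scanner
    cvss: float    # CVSS base score assigned by the ASV


@dataclass
class ScanReport:
    scan_date: date
    findings: list


# Constructed declared scope: the entity told the ASV its Internet-facing CDE
# components live in 203.0.113.0/28 (a documentation range, not a real network).
SAMPLE_SCOPE = [ip_network("203.0.113.0/28")]

# Constructed findings, as an ASV report might list them.
SAMPLE_REPORT = ScanReport(
    scan_date=date(2024, 1, 15),
    findings=[
        Finding("203.0.113.5", 443, "TLS 1.0 enabled (constructed)", 4.3),
        Finding("203.0.113.5", 80, "HTTP server version disclosure (constructed)", 2.6),
        Finding("203.0.113.7", 22, "SSH weak MAC algorithms (constructed)", 3.7),
        # A host the entity never declared: it showed up during the scan, so the
        # ASV must raise it with the entity and agree whether scope changes.
        Finding("198.51.100.9", 443, "Outdated web server (constructed)", 7.5),
    ],
)


def in_declared_scope(host, scope):
    """True if the host address falls inside any declared scope network."""
    addr = ip_address(host)
    return any(addr in net for net in scope)


def evaluate_report(report, scope):
    """Apply the article's pass/fail rule and flag undeclared hosts for scope review."""
    failing = sorted(
        (f for f in report.findings if f.cvss >= FAIL_THRESHOLD),
        key=lambda f: f.cvss, reverse=True,
    )
    out_of_scope = sorted({f.host for f in report.findings if not in_declared_scope(f.host, scope)})
    return {
        "passed": not failing,          # any CVSS >= 4.0 finding fails the scan
        "failing": failing,             # worst first, for the remediation list
        "out_of_scope": out_of_scope,   # hosts the entity must confirm or exclude
    }


def cadence_status(passing_scan_dates, change_dates, as_of):
    """Check the 90-day cadence and the rescan-after-significant-change rule."""
    last_pass = max(passing_scan_dates, default=None)
    if last_pass is None:
        return {"quarterly_ok": False, "rescan_after_change_ok": False, "next_due": None}
    next_due = last_pass + timedelta(days=SCAN_INTERVAL_DAYS)
    last_change = max((d for d in change_dates if d <= as_of), default=None)
    return {
        "quarterly_ok": as_of <= next_due,
        # A passing scan must postdate the most recent significant change.
        "rescan_after_change_ok": last_change is None or last_pass >= last_change,
        "next_due": next_due,
    }


if __name__ == "__main__":
    result = evaluate_report(SAMPLE_REPORT, SAMPLE_SCOPE)
    print("Scan passed:", result["passed"])
    for f in result["failing"]:
        print(f"  FAIL {f.host}:{f.port} CVSS {f.cvss} {f.title}")
    print("Undeclared hosts needing scope review:", result["out_of_scope"])
    # Constructed history: one passing scan, then a firewall rule change in March.
    status = cadence_status([date(2024, 1, 15)], [date(2024, 3, 1)], date(2024, 3, 20))
    print("Cadence:", status)
```

Running it shows the two findings at or above 4.0 as the remediation list, the undeclared host as a scope question for the ASV and the entity to settle, and a cadence result that is still inside the 90-day window but fails the rescan-after-change rule because the only passing scan predates the March change.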
Confirming Test Results with The Council
Once the entity has received a passing grade on its external vulnerability scan, an attestation of compliance (AOC) is completed that includes all necessary information about the scan itself, the organization, and the ASV. The AOC shows the Council that the scan was performed in compliance with PCI DSS and carried out by an ASV that adhered to the ASV Program Guide. An AOC is also a validation by the organization that all information in the ASV scan report is a 100% accurate portrayal of the entity’s CDE. Following the Council’s validation of the AOC, the entity is given a passing grade for meeting the scan validation requirements.
Protecting Against External Vulnerabilities
In the end, vulnerabilities can be hiding anywhere in an entity’s network. If code is being written by humans, there is invariably going to be human error involved, which gives rise to a certain percentage of vulnerabilities. When an organization takes a proactive stance and implements processes to find and mitigate these vulnerabilities quickly, the threat of a security breach decreases. Protecting your organization against web application and database platform exploitation calls for automated profiling solutions that learn what normal application and database usage looks like. This lets the organization identify known malicious sources and reduce its attack vectors at the same time.
Inspecting outbound traffic from applications and databases is also a valuable tactic for keeping sensitive authentication data (SAD) from leaking into the wrong hands. Entities must take the necessary steps to mitigate external threats by identifying possible zero-day attacks that could be exploited against them. Companies must also establish processes for patching application vulnerabilities, blocking malicious users, and preventing data leaks to keep their network safe. By maintaining a robust IT security department and implementing a layered defense methodology that includes both proactive and reactive processes, entities can successfully keep unauthorized users out of their network.
Closing Thoughts
The most expensive component of a cyber-attack is information loss, which represents 43% of the costs behind a breach…yikes. Even though companies believe that many data breaches are caused by the negligence of their own internal staff, there is no denying that external threats should still be taken seriously. By maintaining compliance with PCI DSS requirements and understanding the eccentricities of the ASV process, your organization can achieve a passing score on its next quarterly external vulnerability scan. For more information on our cybersecurity solutions, please call RSI Security today.