The topic of ASV scanning came up as usual at the 2014 PCI Community Meeting. The questions all seemed to revolve around how to obtain a passing scan. What the Council representatives suggested is that multiple scans can be put together to create a passing scan. Unfortunately, what the Council keeps suggesting as the solution is impossible to implement and here is why.
In a typical environment, an ASV customer logs onto their account with the ASV and schedules their ASV scans of their PCI in-scope assets. The customer may also add or remove IP addresses from the scan as the scope of their external environment changes. Depending on a number of factors, there may be one scan or multiple scans. The vulnerability scans are executed on the schedule and the results are returned to the customer.
If there are false positive results or results the customer does not agree with, they can apply back to the ASV to have those results removed. If there are actual vulnerabilities, the customer can contact the ASV with how they have mitigated the vulnerabilities, and the ASV can either accept those mitigations and give the customer a passing scan or allow the results to stand.
So where are the problems?
Whether the Council acted on facts that cheating was occurring or on anecdotal evidence is unknown. But because of the potential for cheating by customers, the Council mandated a number of years ago that ASVs lock down their scanning solutions so that customers cannot modify anything regarding testing other than the IP addresses involved. The ASV Program Guide v2.0, on page 11, states:
“However, only an authorized ASV employee is permitted to configure any settings (for example, modify or disable any vulnerability checks, assign severity levels, alter scan parameters, etc), or modify the output of the scan. Additionally, the ASV scan solution must not provide the ability for anyone other than an authorized ASV employee to alter or edit any reports, or reinterpret any results.”
So right off the bat, the Council’s recommendation of “putting together multiple reports” is not as easily accomplished as it sounds, based on the Council’s own earlier directives. It would require the ASV’s customer to get the ASV to agree to put together multiple reports so that the customer can achieve a passing scan. That assumes the ASV’s solution can even accommodate that request, and the ASV then has to be willing to do the work. Based on the Council’s concerns regarding manipulation of scanning results and the threat of the Council putting ASVs in remediation, I do not believe the ASVs will be agreeable to combining reports, as that would clearly be manipulating results to achieve a passing scan.
But it gets worse. As a lot of people have experienced, they can scan one day and get a passing scan and then scan a day or even hours later and get a failing scan. The reason this happens is that the vulnerability scanning vendors are adding vulnerabilities to their signature sets as soon as they can, sometimes even before vendors have a patch. As a result, it is very easy to encounter different results from scan to scan including failing due to a vulnerability that does not yet have a solution or the vendor only just provided a patch.
But if that is not enough, it gets even worse. Statistically, the odds of getting a passing scan are slim, and they get even worse if you are only doing quarterly scanning. A review of the National Vulnerability Database (NVD) shows that 94% of vulnerabilities from 2002 to 2014 have a Common Vulnerability Scoring System (CVSS) score of 4.0 or greater. That means that it is almost impossible to obtain a passing vulnerability scan, particularly if you are only scanning quarterly, when vulnerabilities are announced almost daily and vendors such as Microsoft are coming out monthly with patches. Those of you scanning monthly can attest that even on a 30 day schedule, a passing scan is nearly impossible to get.
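As an added example that is not part of the original post, the pass/fail logic described above applied to constructed scan results in Python: a finding with a CVSS base score of 4.0 or higher fails the scan (the ASV Program Guide criterion) unless the ASV itself has recorded an exception for it, and a second scan of unchanged hosts can fail only because the scanner's signature set grew between runs. Host names and vulnerability IDs are placeholders.

```python
from dataclasses import dataclass

# ASV Program Guide rule: any finding at or above this CVSS base score
# makes the scan non-compliant.
ASV_FAIL_THRESHOLD = 4.0

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str   # placeholder identifier, not a real CVE
    cvss: float

# Exceptions are recorded by the ASV, never by the customer (Program Guide
# rule). Keyed by (host, vuln_id) -> reason the ASV accepted it.
ASV_ACCEPTED = {
    ("web1.example", "PLACEHOLDER-VULN-2"): "false positive confirmed by ASV",
    ("web2.example", "PLACEHOLDER-VULN-4"): "mitigation accepted by ASV",
}

def failing_findings(findings, accepted=ASV_ACCEPTED):
    """Findings that still count against the scan after ASV exceptions."""
    return sorted(
        (f for f in findings
         if f.cvss >= ASV_FAIL_THRESHOLD
         and (f.host, f.vuln_id) not in accepted),
        key=lambda f: (f.host, f.vuln_id),
    )

def scan_passes(findings, accepted=ASV_ACCEPTED):
    """True when no unexcepted finding reaches the failing threshold."""
    return not failing_findings(findings, accepted)

def new_failures(earlier, later, accepted=ASV_ACCEPTED):
    """Failures present only in the later scan of the same hosts, i.e. the
    ones attributable to signatures added between the two runs."""
    before = {(f.host, f.vuln_id) for f in failing_findings(earlier, accepted)}
    return [f for f in failing_findings(later, accepted)
            if (f.host, f.vuln_id) not in before]

# Constructed scan of two hosts on day 1.
SCAN_DAY1 = [
    Finding("web1.example", "PLACEHOLDER-VULN-1", 2.6),
    Finding("web1.example", "PLACEHOLDER-VULN-2", 5.0),
    Finding("web2.example", "PLACEHOLDER-VULN-4", 7.5),
]
# Same hosts three days later; nothing changed on them, but the scanner
# gained one new signature, so the previously passing scan now fails.
SCAN_DAY4 = SCAN_DAY1 + [
    Finding("web2.example", "PLACEHOLDER-VULN-5", 4.3),
]
```

Without the ASV-recorded exceptions, the day 1 scan fails on two findings as well, which is the point of the text: only the ASV can make a failing finding not count.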
For an organization that has only one Web site, this situation is likely not a problem. But when organizations have multiple Web sites which a lot of organizations large and small have, you are really struggling in some cases to get passing scans.
But let us add insult to injury. A lot of organizations have their eCommerce environments running on platforms such as Oracle eCommerce or IBM WebSphere. In those cases, this situation becomes a nightmare.
Platforms such as those from Oracle and IBM may run on Windows or Linux, but Oracle and IBM do not allow the customer to patch those underlying OSes as they choose. These vendors ship, quarterly, semi-annually or on some other schedule, a full update that patches not only their eCommerce frameworks but also the underlying OS. The vendors test the full compatibility of their updates to ensure that the update will not break their frameworks. In today’s 24x7x365 world, these vendors can run into serious issues if eCommerce sites stop functioning because of an update. However, that also means there is the possibility that critical patches may be left out of an update for compatibility and stability reasons. As a result, it is not surprising that after some updates, vulnerabilities may still be present, both new ones and ones that have been around for a while.
But if Oracle and IBM are not patching on 30 day schedules, there is a high likelihood that the scans will not be passing. This means that the customer must go to their ASV with compensating controls (documented in a compensating control worksheet, or CCW) that mitigate these vulnerabilities in order to obtain passing scans.
The bottom line is that the deck is stacked against an organization obtaining a passing scan. While the Council and the card brands do not recognize this, the rest of the world sure has come to that determination.
In Part 2, I will discuss the whole ASV approach and how I believe the drive to be the cheapest has turned the ASV process into a mess.