<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments on: Vulnerability Scanning and Penetration Testing</title>
	<atom:link href="http://pciguru.wordpress.com/2009/03/08/vulnerability-scanning-and-penetration-testing/feed/" rel="self" type="application/rss+xml" />
	<link>http://pciguru.wordpress.com/2009/03/08/vulnerability-scanning-and-penetration-testing/</link>
	<description>A common sense approach to achieving PCI compliance and retaining your sanity</description>
	<lastBuildDate>Fri, 24 May 2013 11:23:05 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
	<item>
		<title>By: PCIGuru</title>
		<link>http://pciguru.wordpress.com/2009/03/08/vulnerability-scanning-and-penetration-testing/#comment-8469</link>
		<dc:creator><![CDATA[PCIGuru]]></dc:creator>
		<pubDate>Thu, 23 May 2013 11:36:57 +0000</pubDate>
		<guid isPermaLink="false">http://pciguru.wordpress.com/?p=80#comment-8469</guid>
		<description><![CDATA[&quot;Clean&quot; scanning results are all in the eye of the beholder.  :)

When you indicate you have a clean scan, do you have NO vulnerabilities identified (my definition of &quot;clean&quot;)? Or, do you have vulnerabilities with a CVSS of less than 4 in your scanning reports? If you have vulnerabilities present in your reports, then it all depends on what those vulnerabilities are. I have been in situations where there were a lot of &quot;low&quot; rated vulnerabilities that allowed me, using Metasploit, to still penetrate the systems.

That said, I have seen instances where the remaining vulnerabilities could not result in a penetration and have agreed that penetration testing is not necessary. In those instances, we created a compensating control to comply with requirement 11.3.]]></description>
		<content:encoded><![CDATA[<p>&#8220;Clean&#8221; scanning results are all in the eye of the beholder.  <img src='http://s0.wp.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>When you indicate you have a clean scan, do you have NO vulnerabilities identified (my definition of &#8220;clean&#8221;)? Or, do you have vulnerabilities with a CVSS of less than 4 in your scanning reports? If you have vulnerabilities present in your reports, then it all depends on what those vulnerabilities are. I have been in situations where there were a lot of &#8220;low&#8221; rated vulnerabilities that allowed me, using Metasploit, to still penetrate the systems.</p>
<p>That said, I have seen instances where the remaining vulnerabilities could not result in a penetration and have agreed that penetration testing is not necessary. In those instances, we created a compensating control to comply with requirement 11.3.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Hunter</title>
		<link>http://pciguru.wordpress.com/2009/03/08/vulnerability-scanning-and-penetration-testing/#comment-8450</link>
		<dc:creator><![CDATA[Hunter]]></dc:creator>
		<pubDate>Thu, 23 May 2013 06:59:41 +0000</pubDate>
		<guid isPermaLink="false">http://pciguru.wordpress.com/?p=80#comment-8450</guid>
<description><![CDATA[Hi,

I have a query with regards to vulnerability scanning and penetration testing. How important is it to conduct PT if my scan results are clean?

Where I&#039;m coming from is, in my understanding, vulnerability scanning is one part of the PT activity, right? If so, and if I perform internal and external vulnerability scans for all my systems in scope of PCI and maintain clean scan reports for these systems every 3 months, would I still have to conduct PT activity?]]></description>
<content:encoded><![CDATA[<p>Hi,</p>
<p>I have a query with regards to vulnerability scanning and penetration testing. How important is it to conduct PT if my scan results are clean?</p>
<p>Where I&#8217;m coming from is, in my understanding, vulnerability scanning is one part of the PT activity, right? If so, and if I perform internal and external vulnerability scans for all my systems in scope of PCI and maintain clean scan reports for these systems every 3 months, would I still have to conduct PT activity?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: PCIGuru</title>
		<link>http://pciguru.wordpress.com/2009/03/08/vulnerability-scanning-and-penetration-testing/#comment-5051</link>
		<dc:creator><![CDATA[PCIGuru]]></dc:creator>
		<pubDate>Thu, 10 Jan 2013 19:47:26 +0000</pubDate>
		<guid isPermaLink="false">http://pciguru.wordpress.com/?p=80#comment-5051</guid>
		<description><![CDATA[Yes, internal vulnerability scanning is a vulnerability scan of the internal portion of the cardholder data environment (CDE).  That would include infrastructure such as firewalls, routers, switches, load balancers, etc. that are on the inside as well as servers, workstations, etc.  Essentially, any device that is in the CDE or has connectivity to the CDE needs to be vulnerability scanned at least quarterly.  However, if you read the requirements, you must also re-scan if you have any critical (5), severe (4) or high (3) vulnerabilities found.  In the end, the PCI DSS basically has you vulnerability scanning monthly to meet the requirements.

Authenticated scans are perfect as they typically reduce the amount of false positive results, but they are not required by the PCI DSS.

A key mistake that we see made is who does the vulnerability scanning in the organization.  The PCI DSS requires that the person doing the vulnerability scanning is qualified (i.e., CISSP, CISM, CEH, etc.) and that they are segregated from the people/equipment they are testing (i.e., you cannot be testing your own work).  Yet we still encounter network administrators scanning the equipment they maintain.]]></description>
		<content:encoded><![CDATA[<p>Yes, internal vulnerability scanning is a vulnerability scan of the internal portion of the cardholder data environment (CDE).  That would include infrastructure such as firewalls, routers, switches, load balancers, etc. that are on the inside as well as servers, workstations, etc.  Essentially, any device that is in the CDE or has connectivity to the CDE needs to be vulnerability scanned at least quarterly.  However, if you read the requirements, you must also re-scan if you have any critical (5), severe (4) or high (3) vulnerabilities found.  In the end, the PCI DSS basically has you vulnerability scanning monthly to meet the requirements.</p>
<p>Authenticated scans are perfect as they typically reduce the amount of false positive results, but they are not required by the PCI DSS.</p>
<p>A key mistake that we see made is who does the vulnerability scanning in the organization.  The PCI DSS requires that the person doing the vulnerability scanning is qualified (i.e., CISSP, CISM, CEH, etc.) and that they are segregated from the people/equipment they are testing (i.e., you cannot be testing your own work).  Yet we still encounter network administrators scanning the equipment they maintain.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Gene Shapiro</title>
		<link>http://pciguru.wordpress.com/2009/03/08/vulnerability-scanning-and-penetration-testing/#comment-5047</link>
		<dc:creator><![CDATA[Gene Shapiro]]></dc:creator>
		<pubDate>Thu, 10 Jan 2013 18:14:02 +0000</pubDate>
		<guid isPermaLink="false">http://pciguru.wordpress.com/?p=80#comment-5047</guid>
		<description><![CDATA[Internal Vulnerability Scanning Requirements

I am new to PCI and looking at what needs to be done to implement it.  I have read the PCI 2 requirements and I see the need to do internal vulnerability scans per 11.2.1.  My assumption is that this is a vulnerability scan from inside the organization, thus internal.  Is this correct?  And when I do these vulnerability scans, are they with authentication to the device or purely from an unauthenticated perspective of the internal network components involved with PCI?]]></description>
		<content:encoded><![CDATA[<p>Internal Vulnerability Scanning Requirements</p>
<p>I am new to PCI and looking at what needs to be done to implement it.  I have read the PCI 2 requirements and I see the need to do internal vulnerability scans per 11.2.1.  My assumption is that this is a vulnerability scan from inside the organization, thus internal.  Is this correct?  And when I do these vulnerability scans, are they with authentication to the device or purely from an unauthenticated perspective of the internal network components involved with PCI?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Orville</title>
		<link>http://pciguru.wordpress.com/2009/03/08/vulnerability-scanning-and-penetration-testing/#comment-4749</link>
		<dc:creator><![CDATA[Orville]]></dc:creator>
		<pubDate>Wed, 19 Dec 2012 12:59:03 +0000</pubDate>
		<guid isPermaLink="false">http://pciguru.wordpress.com/?p=80#comment-4749</guid>
		<description><![CDATA[Hi! I&#039;ve been reading your website for a long time now and finally got the courage to go ahead and give you a shout out from Humble Tx! Just wanted to tell you keep up the excellent work!]]></description>
		<content:encoded><![CDATA[<p>Hi! I&#8217;ve been reading your website for a long time now and finally got the courage to go ahead and give you a shout out from Humble Tx! Just wanted to tell you keep up the excellent work!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: agrandadventureandnotapennymore.Com</title>
		<link>http://pciguru.wordpress.com/2009/03/08/vulnerability-scanning-and-penetration-testing/#comment-4747</link>
		<dc:creator><![CDATA[agrandadventureandnotapennymore.Com]]></dc:creator>
		<pubDate>Wed, 19 Dec 2012 04:42:43 +0000</pubDate>
		<guid isPermaLink="false">http://pciguru.wordpress.com/?p=80#comment-4747</guid>
		<description><![CDATA[]]></description>
		<content:encoded><![CDATA[<p>This particular posting Vulnerability Scanning and Penetration Testing « PCI Guru, possesses truly<br />
great advice and I actually learned exactly what I was hoping for.<br />
Thanks.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: NRS</title>
		<link>http://pciguru.wordpress.com/2009/03/08/vulnerability-scanning-and-penetration-testing/#comment-1797</link>
		<dc:creator><![CDATA[NRS]]></dc:creator>
		<pubDate>Thu, 22 Mar 2012 19:42:24 +0000</pubDate>
		<guid isPermaLink="false">http://pciguru.wordpress.com/?p=80#comment-1797</guid>
<description><![CDATA[Hi! We use corporate desktops / laptops as a virtual terminal to process exception-based credit card data that we get over the phone. We have installed HIPS to logically separate them and to protect them against any future vulnerabilities. Now, do we still need to scan them using the Qualys tool to identify existing vulnerabilities on the PC?]]></description>
<content:encoded><![CDATA[<p>Hi! We use corporate desktops / laptops as a virtual terminal to process exception-based credit card data that we get over the phone. We have installed HIPS to logically separate them and to protect them against any future vulnerabilities. Now, do we still need to scan them using the Qualys tool to identify existing vulnerabilities on the PC?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: PCIGuru</title>
		<link>http://pciguru.wordpress.com/2009/03/08/vulnerability-scanning-and-penetration-testing/#comment-1769</link>
		<dc:creator><![CDATA[PCIGuru]]></dc:creator>
		<pubDate>Wed, 14 Mar 2012 18:17:03 +0000</pubDate>
		<guid isPermaLink="false">http://pciguru.wordpress.com/?p=80#comment-1769</guid>
		<description><![CDATA[Yes, you have 30 days to remediate the failing vulnerabilities and then you must have your ASV perform a rescan proving that all of the failing vulnerabilities have been remediated.  Since an amount of time will have passed since the original scan, it is possible that new failing vulnerabilities will creep into the rescan&#039;s results.  So be prepared to fix those new issues as well if they turn up.]]></description>
		<content:encoded><![CDATA[<p>Yes, you have 30 days to remediate the failing vulnerabilities and then you must have your ASV perform a rescan proving that all of the failing vulnerabilities have been remediated.  Since an amount of time will have passed since the original scan, it is possible that new failing vulnerabilities will creep into the rescan&#8217;s results.  So be prepared to fix those new issues as well if they turn up.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: NRS</title>
		<link>http://pciguru.wordpress.com/2009/03/08/vulnerability-scanning-and-penetration-testing/#comment-1767</link>
		<dc:creator><![CDATA[NRS]]></dc:creator>
		<pubDate>Tue, 13 Mar 2012 20:14:37 +0000</pubDate>
		<guid isPermaLink="false">http://pciguru.wordpress.com/?p=80#comment-1767</guid>
<description><![CDATA[Hello again. We just completed our external vulnerability scan. The question is - do we need to remediate a vulnerability rated as a PCI failure under the Potential Vulnerabilities section?]]></description>
<content:encoded><![CDATA[<p>Hello again. We just completed our external vulnerability scan. The question is &#8211; do we need to remediate a vulnerability rated as a PCI failure under the Potential Vulnerabilities section?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: PCIGuru</title>
		<link>http://pciguru.wordpress.com/2009/03/08/vulnerability-scanning-and-penetration-testing/#comment-1699</link>
		<dc:creator><![CDATA[PCIGuru]]></dc:creator>
		<pubDate>Thu, 23 Feb 2012 13:21:29 +0000</pubDate>
		<guid isPermaLink="false">http://pciguru.wordpress.com/?p=80#comment-1699</guid>
		<description><![CDATA[That is not my decision.  That decision can only be made by your acquiring bank.  I think you have a reasonable case for doing the SAQ C, but that is just my opinion.]]></description>
		<content:encoded><![CDATA[<p>That is not my decision.  That decision can only be made by your acquiring bank.  I think you have a reasonable case for doing the SAQ C, but that is just my opinion.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
