EPISODE I: A New Scan
“The target area is only two meters wide. It’s a small thermal exhaust port, right below the main port. The shaft leads directly to the reactor system. A precise hit will start a chain reaction which should destroy the station. Only a precise hit will set off a chain reaction. The shaft is ray-shielded, so you’ll have to use proton torpedoes.”- General Dodonna, a good guy in Star Wars
“May PCI Compliance Be With You”
If you are a Star Wars fan, you already know exactly what General Dodonna was talking about. And you also know what price the Bothans paid for him to come by that information.
For those of you who are unfamiliar with Star Wars, the good general was talking about the only known vulnerability in the most powerful, most heavily defended, “thought-to-be-indestructible” weapon the universe has ever seen- the Empire’s Death Star.
The Death Star was essentially a man-made moon with enough firepower to blow entire planets to smithereens. The bad guys could fly this ultimate weapon of mass destruction around the galaxy with impunity. Blowing up peaceful planets and rebel bases at will. Its defenses were, after all, impenetrable. It was so well designed that it was invulnerable to attack.
“Any attack made by the Rebels against this station would be a useless gesture, no matter what technical data they have obtained. This station is now the ultimate power in the universe!”- Admiral Motti, a bad guy in Star Wars
Boy would Admiral Motti come to regret that statement later in the movie. Unbeknownst to its owners, and despite their hubris, the Death Star had been built with a single, devastating vulnerability. It was a weakness, that when exploited, would lead to the destruction of the weapon. In an instant, years of the Empire’s hard work and $852 quadrillion from its piggy bank, would go down the drain. A well placed shot by the story’s youthful protagonist, Luke Skywalker, turned the ultimate power in the universe into space dust.
And it was all because no one took the time to scan the Death Star plans (and, arguably the data center on Scarif) for vulnerabilities. Yeah. Really. Not one risk averse person to be found in the whole of the Empire.
If only the Empire had been PCI compliant. They would have known about the vulnerability and had plenty of time to patch it up. The quarterly PCI mandated scans would have saved the Death Star.
By now you are probably asking yourself, “Seriously? What does any of this have to do with my business and PCI compliance?” Let me bring it into focus for you.
You and your company are the Empire. However, you are the good guys in this story. You are on the light side. The Death Star is your business that took years to build. Your defenses, such as firewalls and antivirus, are protecting your customer data, your bank accounts, your intellectual property and ultimately your brand. Like the Empire, you think that you are protected against attack, and are totally unaware of the vulnerabilities inherent in the technology deployed by your company. To top things off, like the Empire, your company is probably not PCI compliant.
And who is the youthful protagonist looking to exploit the vulnerabilities on your network and systems? Well, that would be the hackers. Hackers know your vulnerabilities before you do (and many Bothans didn’t have to pay with their lives for the information). They also have the tools and the time to exploit them. Unlike Red 6, these bad guys will know how to get around your defenses, unscathed. Firewalls and antivirus software won’t stop them.
Your Thermal Exhaust Points (aka your vulnerabilities) are your unpatched servers, the outdated operating systems on those old laptops, the 3 different versions of the word processing software your company uses, the low-cost router on your network, the easy to crack passwords your employees use, your internet connected refrigerator, and the game your daughter installed on your mobile phone.
If you are like most small businesses, your network and systems provide many open doors for the bad guys to walk right in and take what they want.
So, what can you do?
Find and remediate your vulnerabilities. That’s where PCI DSS compliance comes in. PCI DSS v3.2, Requirement 11.2 to be exact.
PCI DSS stands for “Payment Card Industry Data Security Standard”. Version 3.2 is the current, enforceable standard as of the date that this blog is being written.
And The Requirement Says…
Requirement 11.2 says:
“Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).” (PCI DSS Requirements and Security Assessment Procedures v3.2, p.98)
Actually, 11.2 says more than that. For example, compliance requires a “passing” scan. And to be honest, fulfilling the requirements mandated in 11.2 only will not make you 100% PCI compliant. But, performing those scans is a step towards compliance and provides a straightforward way to make your network and systems less likely to be compromised.
The take home point that I want you to understand is that, unless you are performing quarterly internal and external vulnerability scans 1) you are not PCI compliant and 2) you are opening yourself up to fines, fees, lost customers, lost revenue and no help from your insurance if you are breached.
What is a vulnerability scan?
A vulnerability scan is a test designed to detect weaknesses in computers, computer systems, devices, networks or applications. A vulnerability scan is designed to be automated and nonintrusive. It simply scans and provides a list of vulnerabilities for you to prioritize and remediate. Unlike a penetration test, a vulnerability scan doesn’t attempt to exploit the vulnerabilities it finds.
Internal vs External
As noted in 11.2, both internal and external scans need to performed quarterly.
An internal vulnerability scan operates on the private side (the non-Internet side) of your firewall to identify vulnerabilities on your company’s network(s). Specifically, PCI DSS 11.2.1 provides the scope for an internal scan:
“[It] refers to a vulnerability scan conducted from inside the logical network perimeter on all internal-facing hosts that are within or provide a path to an entity’s cardholder data environment (CDE).”
The CDE includes any computer, network or device that processes, stores and/or transmits cardholder data or sensitive payment authentication data. A CDE also includes any component that directly connects to or supports this network. For most small companies, the CDE could encompass everything on its network- including printers, mobile devices and your firewall and cable modem.
PCI allows companies to perform their own Internal Scans (an Approved Scanning Vendor is not needed). There are some caveats that come with that privilege (eg, scans must be performed by qualified personnel), however. We’ll discuss those in a future blog.
Again, these scans need to be run quarterly at a minimum. They need to be rerun anytime there is a significant change in your environment as well. There is certainly no consensus on what constitutes a “significant change”. However, things such as adding a new server, updating application versions, applying patches, changing access rules, or adding a new switch should kick off a new scan.
All that you need to know right now is that we, at URS, have both the technology and expertise to perform those internal scans for you (or we can help you do it yourself). Contact us for more information.
An external vulnerability scan looks for weaknesses in your network’s perimeter, where outsiders can break in and attack your network. External facing resources are systems, devices, networks and services that are accessible from outside your company’s network. Some examples are your website, your email server, a DNS server, your firewall and your ISP’s modem.
External scans also have to be run quarterly at a minimum (and anytime there is a change). These scans are different from internal in that 11.2.2 states that an Approved Scanning Vendor must be used. In other words, you can’t perform external scans yourself. You can find a list of over 100 ASVs on the PCI website
Need an ASV? URS has partnered with several industry leading ASVs. Reach out to us for more information.
In addition to the need for an ASV and external facing targets, another difference between external and internal vulnerability scans is what the PCI DSS requires in terms of a “passing” scan. For external scans, all vulnerabilities rated “Medium”, “High” and “Critical” must be remediated; however, for internal vulnerability scans only “High” or “Critical” vulnerabilities have to be corrected in order to pass.
To wrap things up, remember these tips when it comes to Vulnerability Scans and PCI Compliance. As a merchant who takes credit cards, to be compliant with Requirement 11.2 you must:
- Perform quarterly Internal and External Vulnerability scans.
- Re-run scans anytime there is a significant change to your environment.
- External scans must be performed by an Approved Security Vendor.
- Scanning isn’t enough. You must take steps to remediate the vulnerabilities.
- There is much more to be done to become PCI compliant. Vulnerability scans are just one, very important piece of a PCI compliance program.
- URS can help! We have the tools and resources to fit every need and every budget.
Remember, a strong Cybersecurity Program is much more than just a firewall and antivirus. To be prepared for today’s threats, a layered defense (defense in depth), should be implemented by every company, regardless of size.
About Ultimate Risk Solutions
At URS, we have a layered solution for every need and any budget.
Highlights of our solution are:
- Helps you navigate the Cybersecurity maze.
- Budget friendly! Available as a low cost monthly subscription.
- Something for everyone! Subscription levels designed with small business in mind. Robust enough to scale to large enterprises.
- Does not require fulltime IT staff.
- Gives you peace of mind.
So how does it work? What does the subscription give you?
Depending on your subscription level, your 5 Steps may include:
- An “Always On” Unified Security Management system that safeguards your network, systems, users, and data
- Security Policies and Plans created via an easy to use Online Wizard
- Customizable Online Training
- Automated Hardware and Software Inventory Tool
- Automated Vulnerability Assessments
- A Breach Coach for when the bad guys get in
- Much more
To take a deeper look into our five steps click here.
Want to speak with one of our experts? Or are you ready to protect your assets now? Contact us at:
610.755.0728 or 800.55.HELPS