PCI Vulnerability Scanning - External and Internal Views
September 21, 2011 | POSTED BY BRETT EDGAR IN SECURITY, PCI
Vulnerability scanning. Mention those two words, and your IT operations staff usually shudders. Conversely, your IT audit/security staff usually start doing a happy dance (I think those guys are sadists, like Steve Martin in Little Shop of Horrors.) Love it or hate it, vulnerability scanning is required by many compliance regimens. The PCI DSS states that you have to perform vulnerability scanning quarterly, and from both an external and internal perspective. If you follow the letter of the PCI law, that's at least eight scans a year. I would like to posit that if you're really doing PCI vulnerability scanning correctly, it's more like a minimum of 12 scans each year, with 16 being the better number.
Where do I get that number, you ask? Well, it all depends on where you are scanning from...
External scanning is pretty straightforward: you scan from a location external to your public IPs and see what vulnerabilities show up. There are vulnerability scanning services that can do this for you. The trick here is to whitelist the scan source IP(s) on any devices that may actively modify or deny traffic, such as intrusion prevention systems, some load balancers, and denial-of-service prevention proxies; otherwise the scan reports what those devices let through, not what is actually listening. PCI DSS 11.2 requires at least quarterly external scans, so that's four scans each year.
Internal scanning is a bit more difficult. PCI DSS 11.2 requires at least quarterly internal scans as well, but you very likely have more than one internal network segment. If you have PCI data, I believe you have at least three segments: a DMZ, a CDE (cardholder data environment), and your internal business operations network. So when you scan the CDE, which segment should you scan from, the CDE, the DMZ, or the business network? The answer is: Yes.
If you scan from the CDE, you will see a lot of vulnerabilities that are exploitable only from the CDE network, since you (should) have firewalls in place that severely limit traffic inbound to the CDE. That's four scans each year.
If you scan from the DMZ, you may see a lot fewer vulnerabilities, but you're probably going to be missing some easy-to-fix stuff in the CDE that should be remediated just in case an attacker does manage to make it inside the CDE. Scanning from the DMZ is another four scans each year.
If you scan the CDE from the business network you will be seeing even fewer vulnerabilities (since you are going through a firewall at the DMZ<->business network and CDE<->DMZ boundaries). But let's be honest: your users are your weakest link, and as they go about their merry way during the business day surfing the web (when they should be working), they will visit a few off-color sites (or even legitimate sites that have been hacked) that exploit their browsers, drop some malware on their computer, and give an attacker a foothold on the business network. Clearly you need to know what the threat landscape is on the CDE from the business network because USERS ARE STUPID. Four more scans each year.
That puts us at sixteen scans. Maybe you choose to short-change yourself and not scan from the local CDE network, which knocks four scans off the count, but if you're already doing 12 scans, is performing four fewer scans really worth not having an accurate picture of the CDE's threat landscape? I would say it's not.
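The value of those twelve to sixteen scans comes from reading the results side by side: the same finding on the same CDE host means something different depending on which segment it is reachable from. The script below is an added example, not code from the original post. It takes scan output from the three internal vantage points the post describes (CDE-local, DMZ, business network), builds an exposure matrix per finding, ranks findings by the least-trusted segment they are reachable from, and flags in-scope hosts that the CDE-local scan could not even reach, which usually means the scanner is being blocked rather than the host being clean. The hosts, finding IDs and the record layout are constructed for the example and do not correspond to any particular scanner's export format.

```python
"""Consolidate PCI internal scans taken from several vantage points.

Added example, not the original post's code. All scan data below is
constructed; the (host, port, finding_id, severity) layout is an
assumption, not a real scanner's export format.
"""
from collections import defaultdict

# Vantage points ordered from least to most trusted, as the post frames them:
# user workstations on the business network are the weakest link, the DMZ sits
# behind one firewall, and the CDE-local scanner sees everything.
VANTAGES = ["business", "dmz", "cde"]

# In-scope CDE hosts (constructed).
CDE_SCOPE = {"10.10.1.10", "10.10.1.11", "10.10.1.12"}

# Constructed scan output per vantage point. "live" is the set of scope hosts
# that answered the scanner at all; "findings" are what it reported.
SCANS = {
    "cde": {
        "live": {"10.10.1.10", "10.10.1.11"},
        "findings": [
            ("10.10.1.10", 443, "TLS-WEAK-CIPHERS", "medium"),
            ("10.10.1.10", 22, "SSH-OLD-VERSION", "high"),
            ("10.10.1.11", 1433, "MSSQL-DEFAULT-SA", "critical"),
            ("10.10.1.11", 445, "SMB-SIGNING-OFF", "medium"),
        ],
    },
    "dmz": {
        "live": {"10.10.1.10", "10.10.1.11"},
        "findings": [
            ("10.10.1.10", 443, "TLS-WEAK-CIPHERS", "medium"),
        ],
    },
    "business": {
        "live": {"10.10.1.10", "10.10.1.11"},
        "findings": [
            ("10.10.1.10", 443, "TLS-WEAK-CIPHERS", "medium"),
            ("10.10.1.11", 445, "SMB-SIGNING-OFF", "medium"),
        ],
    },
}


def exposure_matrix(scans):
    """Map each (host, port, finding_id) to the set of vantages that saw it."""
    matrix = defaultdict(set)
    for vantage, result in scans.items():
        for host, port, finding_id, _severity in result["findings"]:
            matrix[(host, port, finding_id)].add(vantage)
    return dict(matrix)


def widest_exposure(seen_from, vantages=VANTAGES):
    """Return the least-trusted vantage point a finding is reachable from."""
    for vantage in vantages:
        if vantage in seen_from:
            return vantage
    return None


def prioritise(scans, vantages=VANTAGES):
    """Group findings by the least-trusted segment that can reach them.

    A finding reachable from the business network ranks first (a compromised
    user workstation can hit it), DMZ-only findings next, and CDE-local ones
    last. CDE-local findings are still listed: they are the easy-to-fix items
    that matter once an attacker is already inside the CDE.
    """
    groups = {vantage: [] for vantage in vantages}
    for key, seen_from in sorted(exposure_matrix(scans).items()):
        groups[widest_exposure(seen_from, vantages)].append(key)
    return groups


def coverage_gaps(scope, scans, vantage="cde"):
    """In-scope hosts the scanner did not reach from the given vantage.

    Through the DMZ or business-network firewalls a gap is expected. From the
    CDE-local vantage there is no firewall in the way, so an unreachable
    in-scope host means the scanner is blocked or the host is down, never that
    the host is clean.
    """
    return sorted(scope - scans[vantage]["live"])


if __name__ == "__main__":
    for vantage, findings in prioritise(SCANS).items():
        print(f"reachable from {vantage}:")
        for host, port, finding_id in findings:
            print(f"  {host}:{port} {finding_id}")
    print("not reached from CDE-local scan:", coverage_gaps(CDE_SCOPE, SCANS))
```

Run against real scanner exports, the only change needed is a loader that fills `SCANS` with the same shape; the ranking then tells you which of the sixteen scans' findings a compromised workstation could actually reach, and the coverage check tells you when a "clean" result is really a blocked scanner.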