In this blog post, we will focus more on the Tenable platform.
PCI DSS v3.0 Scanning Requirements
Vulnerability scans can be automated or manual, but they should always be performed by qualified individuals who are reasonably independent of the system components being scanned.
PCI Requirement 11.2 – Every 90 days you are required to scan for internal and external vulnerabilities. Also, any time a significant change is made to your environment, you must perform a scan.
Quarterly INTERNAL Vulnerability scans via ASV:
Quarterly EXTERNAL Vulnerability scans via ASV:
To comply with PCI Requirement 11.2.2, you must use a PCI SSC Approved Scanning Vendor (ASV). An ASV is defined as, “An organization with a set of security services and tools (‘ASV scan solution’) to conduct external vulnerability scanning services to validate adherence with the external scanning requirements of PCI DSS Requirement 11.2.2. The scanning vendor’s ASV scan solution is tested and approved by PCI SSC before an ASV is added to PCI SSC’s List of Approved Scanning Vendors.”
The second component of PCI Requirement 11.2.2 is quarterly external vulnerability scans. External networks are at such a great risk of being compromised, which is why quarterly external vulnerability scans, and rescans as needed, are vital to scanning programs.
During an assessment, your assessor will follow these testing procedures:
- Examine your four most recent quarters of external vulnerability scans and verify that four quarterly external vulnerability scans occurred in the most recent 12-month period.
- Review the results of each quarterly scan and rescan to verify that the ASV Program Guide requirements for a passing scan have been met.
- Review the scan reports to verify that the scans were completed by an ASV.
PCI Requirement 11.2.2 is very similar in nature to PCI Requirement 11.2.1, but PCI Requirement 11.2.2 requires that you perform external vulnerability scans. Where PCI Requirement 11.2.1 allowed an internal qualified resource to perform that activity, PCI Requirement 11.2.2 is a little different there: you must use an ASV to perform that activity on your behalf. KirkpatrickPrice would be happy to help you with that service, and we provide that service for many of our clients. There are many other organizations that can do that as well.
Nevertheless, effectively anything with a CVSS score of 4.0 or higher needs to be addressed within that quarterly timeframe. Understand that a lot of organizations might miss a scan or forget to do it for whatever reason, and then ask us to help them define a compensating control. We’ll talk about compensating controls later, but understand that this is one of those controls that is very difficult to define, especially when you are defining a compensating control for a failure in your program. So, understand that identifying vulnerabilities is different from forgetting to scan; those are really two different conversations. Your assessor in both of these cases, for PCI Requirement 11.2.1 and PCI Requirement 11.2.2, is going to ask for evidence of your quarterly scan and then for any remediation scans that you have done to demonstrate that the vulnerabilities identified have been fixed.
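The two pieces of evidence described above (four scans in the trailing 12 months with no gap over 90 days, and every finding scoring CVSS 4.0 or higher remediated) can be checked mechanically before the assessor asks. The following is an added example, not code from the original post or from Tenable or KirkpatrickPrice. It assumes the scan results are a Nessus/Tenable CSV export with `Plugin ID`, `CVSS`, `Risk`, `Host` and `Name` columns, and that scan dates are read from the report headers; the CSV rows and dates below are constructed.

```python
"""Added example: check PCI DSS 11.2 scan evidence against constructed data.

Assumptions (not from the page): findings come from a Nessus-style CSV
export with columns Plugin ID, CVSS, Risk, Host, Name; scan dates are
datetime.date objects taken from the quarterly report headers.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample of a Nessus CSV export; hosts and values are made up.
SAMPLE_CSV = """Plugin ID,CVSS,Risk,Host,Name
10881,2.6,Low,203.0.113.10,SSH Protocol Versions Supported
20007,5.0,Medium,203.0.113.10,SSL Version 2 and 3 Protocol Detection
42873,4.3,Medium,203.0.113.11,SSL Medium Strength Cipher Suites Supported
11219,0.0,None,203.0.113.11,Nessus SYN scanner
"""

PCI_FAIL_THRESHOLD = 4.0  # CVSS base score at which an ASV scan fails


def findings_requiring_remediation(csv_text, threshold=PCI_FAIL_THRESHOLD):
    """Return (host, plugin_id, name, cvss) for every finding scoring at or
    above the threshold, highest score first."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            score = float(row["CVSS"])
        except (ValueError, KeyError):
            continue  # rows without a numeric CVSS score are informational
        if score >= threshold:
            hits.append((row["Host"], int(row["Plugin ID"]), row["Name"], score))
    return sorted(hits, key=lambda h: -h[3])


def quarterly_cadence_ok(scan_dates, as_of, max_gap_days=90, window_days=365):
    """True when at least four scans fall in the trailing 12 months and no two
    consecutive scans (nor the last scan and as_of) are more than
    max_gap_days apart.  Four scans bunched into half a year still fail,
    because the page's wording is 'every 90 days', not 'four per year'."""
    window_start = as_of - timedelta(days=window_days)
    recent = sorted(d for d in scan_dates if window_start < d <= as_of)
    if len(recent) < 4:
        return False
    checkpoints = recent + [as_of]
    gaps = [(b - a).days for a, b in zip(checkpoints, checkpoints[1:])]
    return max(gaps) <= max_gap_days


if __name__ == "__main__":
    for host, pid, name, cvss in findings_requiring_remediation(SAMPLE_CSV):
        print(f"FAIL {host} plugin {pid} CVSS {cvss}: {name}")
    scans = [date(2023, 3, 1), date(2023, 5, 25), date(2023, 8, 18), date(2023, 11, 10)]
    print("cadence ok:", quarterly_cadence_ok(scans, date(2024, 1, 15)))
```

The cadence check deliberately measures the gap from the last scan up to the day the evidence is reviewed, so a program that scanned four times last year but has been silent for five months is reported as non-compliant rather than as "four scans on file".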
Scans of public-facing web applications and review detected vulnerabilities
Per PCI DSS v3.0 requirement 6.6, merchants are required to perform scans of public-facing web applications and review detected vulnerabilities. Using the PCI module you can meet the web application scans requirement. Note that web application scanning is available when this option is turned on for your subscription. Please contact your Account Manager or our Support Team if you would like to use this option.
Other related PCI Controls
PCI DSS 3.1
- About 394 Controls
- Six Control Objectives
- 12 Subject Areas
PCI Requirement 11 - PCI Readiness Series | PCI Webinars (kirkpatrickprice.com)
The sub-requirements of Requirement 11 include:
PCI Requirement 11.1 – Identify rogue wireless devices that may have been placed in your environment, at least quarterly. You must keep a list of what is authorized so you can define what isn’t authorized. Physical inspection is the best way to meet this objective.
PCI Requirement 11.2 – Every 90 days you are required to scan for internal and external vulnerabilities. Also, any time a significant change is made to your environment, you must perform a scan.
PCI Requirement 11.3 – You must perform a penetration test at least annually and after any time a significant change is made. It must be performed by a qualified individual, cover internal and external, cover the application and network layers, validate if the segmentation is effective, and keep the results of the test and remediation for your audit.
PCI Requirement 11.4 – Install an IPS/IDS at the perimeter and at critical locations within the CDE. It needs to be configured and maintained according to the manufacturer standards. It can also be a host-based IPS/IDS.
PCI Requirement 11.5 – Install a File Integrity Monitoring (FIM) solution, which needs to monitor critical files, needs to run analysis at least weekly, and needs follow-up on any exceptions.
Nessus PCI Scan
Tenable Vulnerability Management Portal PCI Scan
Internal PCI Network Scan
This template creates scans that may be used to satisfy internal (PCI DSS 11.2.1) scanning requirements for ongoing vulnerability management programs that satisfy PCI compliance requirements. These scans may be used for ongoing vulnerability management and to perform rescans until passing or clean results are achieved. Credentials can optionally be provided to enumerate missing patches and client-side vulnerabilities. Note: while the PCI DSS requires you to provide evidence of passing or "clean" scans on at least a quarterly basis, you are also required to perform scans after any significant changes to your network (PCI DSS 11.2.3).
- General Settings:
  - Avoid potential false alarms
  - Disable CGI scanning
- Web Applications:
  - Disable web application scanning
PCI Quarterly External Scan
- General Settings:
  - Avoid potential false alarms
  - Enable CGI scanning
  - Perform thorough tests
- Web Applications:
  - Start crawling from "/"
  - Crawl 1000 pages (max)
  - Traverse 6 directories (max)
  - Test for known vulnerabilities in commonly used web applications
  - Perform each generic web app test for 10 minutes (max)
  - Try all HTTP methods
  - Attempt HTTP Parameter Pollution
Report
Export report:
Export PDF - Custom Group by Plugin
Report sample pages:
Cloud Scanner IP Address Segments
https://docs.tenable.com/vulnerability-management/Content/Settings/Sensors/CloudSensors.htm
Sensor Group | Region | IPv4 Range | IPv6 Range |
---|---|---|---|
AP Tokyo Cloud Scanners, APAC Cloud Scanners | ap-northeast-1 | 13.115.104.128/25 35.73.219.128/25 | 2406:da14:e76:5b00::/56 |
AP Singapore Cloud Scanners, APAC Cloud Scanners | ap-southeast-1 | 13.213.79.0/24 18.139.204.0/25 54.255.254.0/26 | 2406:da18:844:7100::/56 |
AP Sydney Cloud Scanners, APAC Cloud Scanners | ap-southeast-2 | 13.210.1.64/26 3.106.118.128/25 3.26.100.0/24 | 2406:da1c:20f:2f00::/56 |
India Cloud Scanners, APAC Cloud Scanners | ap-south-1 | 3.108.37.0/24 | 2406:da1a:5b2:8500::/56 |
CA Central Cloud Scanners | ca-central-1 | 3.98.92.0/25 35.182.14.64/26 | 2600:1f11:622:3000::/56 |
Ireland Cloud Scanners, EMEA Cloud Scanners, EU Cloud Scanners | eu-west-1 | 3.251.224.0/24 | 2a05:d018:f53:4100::/56 |
UK London Cloud Scanners, UK Cloud Scanners, EMEA Cloud Scanners | eu-west-2 | 18.168.180.128/25 18.168.224.128/25 3.9.159.128/25 35.177.219.0/26 | 2a05:d01c:da5:e800::/56 |
EU Frankfurt Cloud Scanners, EMEA Cloud Scanners, EU Cloud Scanners | eu-central-1 | 18.194.95.64/26 3.124.123.128/25 3.67.7.128/25 54.93.254.128/26 | 2a05:d014:532:b00::/56 |
US Cloud Scanner, US East Cloud Scanners | us-east-1 | 34.201.223.128/25 44.192.244.0/24 44.206.3.0/24 54.175.125.192/26 | 2600:1f18:614c:8000::/56 |
US Cloud Scanner, US East Cloud Scanners | us-east-2 | 13.59.252.0/25 18.116.198.0/24 3.132.217.0/25 | 2600:1f16:8ca:e900::/56 |
US Cloud Scanner, US West Cloud Scanners | us-west-1 | 13.56.21.128/25 | |
US Cloud Scanner, US West Cloud Scanners | us-west-2 | 34.223.64.0/25 35.82.51.128/25 35.86.126.0/24 35.93.174.0/24 44.242.181.128/25 | 2600:1f14:141:7b00::/56 |
Brazil Cloud Scanners | sa-east-1 | 15.228.125.0/24 | 2600:1f1e:9a:ba00::/56 |
UAE Cloud Scanners, EMEA Cloud Scanners | me-central-1 | 51.112.93.0/24 | 2406:da17:524:dd00::/56 |
tenable.io | static | 162.159.129.83/32 162.159.130.83/32 162.159.140.26/32 172.66.0.26/32 | 2606:4700:7::a29f:8153/128 2606:4700:7::a29f:8253/128 2606:4700:7::1a/128 2a06:98c1:58::1a/128 |