As a Network Security Consultant and QSA, I frequently review internal scanning practices and approaches during network vulnerability scanning engagements and PCI assessments. There are a number of common mistakes with scanners that almost always lead to compliance gaps and unmanaged risk. Avoiding these mistakes is relatively simple.
The following tips are intended to help verify internal scanning systems are effective, do not contain obvious compliance gaps and remain free of avoidable unmanaged risks.
1. Include all in-scope system components and their subnets as scan targets. Failure to scan all in-scope systems is the most common compliance gap.
2. Include all IPs on the in-scope system components as a scan target.
3. Verify host discovery is adequately detecting assets. To do this, alter TCP ping and other discovery settings as necessary to ensure the detection is complete. Periodically, audit the inventory manually to verify assets are not being missed.
4. Scan all 65K TCP ports and as many UDP ports as are known to commonly exist within the standard configuration of the systems being scanned.
5. Remediate all vulnerabilities with CVSS Base scores of 4.0 or higher.
6. Review any false-positive supporting evidence and related close/ignore tickets at least quarterly, and track all changes using your organization’s change control process.
7. Re-run scans after technical remediation, and retain clean quarterly internal scan report summaries and technical reports for submission to your QSA.
8. Remember, scans are NOT penetration tests! Network and application layer penetration testing must be conducted at least annually. High-risk findings must be remediated, and successful completion of the fixes must be verified. Also, while on the topic, ALWAYS finalize the formal definition of scope beforehand. If you fail to include all assets in the penetration tests, it invalidates the report.
9. Make sure external scans are completed by an Approved Scan Vendor (ASV). Passing results must be attested to by the ASV at least once a quarter.
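Tips 1, 2, 3 and 5 above amount to a gate that can be checked mechanically before a scan report is accepted. The script below is an added example, not code from the original post; the inventory, target ranges and scan findings are constructed data, since real scanners export these in their own formats.

```python
"""Coverage and remediation gate for internal scan results (tips 1, 2, 3 and 5).

Added example, not from the original post. Inventory, scan targets and scan
results are constructed data; real scanners export their own formats.
"""
import ipaddress

# Hypothetical documented in-scope inventory: component -> every assigned IP.
INVENTORY = {
    "db-01":  ["10.10.5.10", "10.10.5.11"],   # primary address plus cluster VIP
    "app-01": ["10.10.6.20"],
    "app-02": ["10.10.6.21"],
}

# Target ranges as configured in the scanner (constructed).
SCAN_TARGETS = ["10.10.5.0/24", "10.10.6.20/32"]

# Constructed scan output: discovered host -> [(finding, CVSS base score)].
# A host absent here was never detected by host discovery.
SCAN_RESULTS = {
    "10.10.5.10": [("TLS 1.0 enabled", 6.5), ("Banner disclosure", 2.6)],
    "10.10.6.20": [("Outdated OpenSSH", 7.5)],
}

CVSS_THRESHOLD = 4.0  # remediate everything at or above this score

def inventory_ips():
    return {ip for ips in INVENTORY.values() for ip in ips}

def untargeted_ips():
    """Inventory IPs not covered by any configured scan target (tips 1 and 2)."""
    nets = [ipaddress.ip_network(t) for t in SCAN_TARGETS]
    return sorted(ip for ip in inventory_ips()
                  if not any(ipaddress.ip_address(ip) in n for n in nets))

def undiscovered_ips():
    """Targeted inventory IPs that host discovery never reported (tip 3)."""
    return sorted(inventory_ips() - set(untargeted_ips()) - set(SCAN_RESULTS))

def remediation_queue():
    """Findings that must be fixed and rescanned, as (ip, finding, score) (tip 5)."""
    return [(ip, name, score) for ip, findings in SCAN_RESULTS.items()
            for name, score in findings if score >= CVSS_THRESHOLD]

if __name__ == "__main__":
    print("not targeted:", untargeted_ips())    # app-02 is outside every target range
    print("not discovered:", undiscovered_ips())  # the cluster VIP was missed
    print("remediate:", remediation_queue())
```

Any non-empty result from the first two functions is a coverage gap to close before the report is retained for the QSA.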
While all of the information in this post has relevance to compliance, successful efforts to execute internal scans have to start somewhere. Focus on avoiding the most common compliance gaps first. Then, as your process matures, address the items below to fully leverage your internal scanning and eliminate previously unmanaged risks.
1. Utilize hardened, purpose-built appliances for scanning. Or, harden scanning servers, then disable firewall rules in place for the scanner when scanning is not taking place.
2. Ensure scanning systems are configured based upon a documented system configuration standard that addresses common PCI requirements (for risk management).
3. Synchronize time on scanner systems, and include them in centralized log collection processes. Is a scan or an attack coming from your scanner if no scan is running?
4. Ensure scan results are able to demonstrate removal of unnecessary protocols and services.
5. Manually review all assigned IPs on every targeted in-scope system during initial setup of scans for the component and after significant changes.
6. Scan all 65535 TCP ports in a safe manner.
7. Consider all 65535 UDP ports. Establish processes to ensure open UDP ports are not missed by comparing periodic system configuration reviews to documented baselines.
8. Scan all IP protocols - not just TCP and UDP. Frequently, systems run services bound directly at the IP protocol layer (ESP, AH, GRE, etc.). These listeners are just as likely to contain vulnerabilities as TCP- and UDP-based listeners.
9. Verify IPv6 is disabled on all targeted in-scope system components, or ensure IPv6 is completely addressed in the scanning methodology used.
10. Audit scanner traffic with host and network IDS/IDP systems, but NEVER block scanner traffic, which results in false negatives. Consider constructing the alert structure so it is able to factor in the scanning schedule. Note: Many SIEM solutions are able to provide favorable logic to achieve the proper balance between scanning and alerting.
11. Set up full administrative privileges on the targeted in-scope systems for use by the scanners. Setting up full privileges on targeted systems ensures full transparency.
12. Fully document the internal scanning compliance report generation process to ensure there is no confusion about what is or is not included in each report type that’s generated.
13. Identify the root cause inside the vulnerability management process and system configuration standards, and remediate those as well. Once the vulnerability management process is shored up, our clients are amazed at how many vulnerabilities they are able to find and remediate on their own that a scanning solution would normally miss. This is an example where the whole is greater than the sum of its parts.
Every year countless entities are breached, and the statistics behind their breach are compiled into breach analysis reports distributed throughout the industry. It’s quite common for the root cause of a breach to link to a vulnerability that’s easily detected by a properly configured internal scanner.
Unfortunately, many times the scanners simply weren’t scanning everything in the cardholder data environment, or were not properly configured inside the breached entity.
This article is not intended to be an end-all reference on internal and external scanning. Following the guidance provided will increase the likelihood of compliant scanning-related processes compared to approaching scanning blindly. However, there are no guarantees.
Every environment is slightly different, and your individual mileage may vary.
This article is not intended to help remediate the vulnerabilities identified by scanners. Sometimes forensics teams find a smoking gun - scan reports that show the issue was identified well before the entity was breached. Even the most accurate vulnerability scan data will not help an organization if they do not act upon it. Note: The longer a risk goes unremediated, the more likely a breach is to occur.
Stan Hoffman from the PCI Compliance Practice at Fishnet Security and Michael Guhl from Fishnet Security’s Approved Scan Vendor (ASV) Practice contributed information for this article.