If your organization handles customer financial and personal information, you know you need to regularly scan your servers and outward-facing applications to ensure this data is protected from hackers.
organization handles customer financial and personal information, you know you
need to regularly scan your servers and outward-facing applications to ensure
this data is protected from hackers. The Payment Card Industry Data Security
Standard (PCI-DSS) has
been created to guide IT organizations, but staying in compliance with these
guidelines is a huge undertaking. A number of vendors have stepped up with a
series of scanning tools to help verify PCI compliance, and PCI has dozens of scanning vendors on its approved list
. The hardest part will be picking one that
works well for your situation. Many of these programs require you to download
some software, but a growing number of vendors are delivering Web-based
evaluated one such solution, version 5 of the Web scanning service from Qualys
called QualysGuard PCI Compliance. There was nothing to download, and getting started
took a matter of minutes once I set up my account. Everything is handled with a
Web browser-based control panel that I found easy to navigate and operate.
has a long history of security scanning-the company offers a free browser
security scanning service to detect aging plug-ins and Java versions, for
example. The PCI compliance service is a great asset to any organization that
is trying to keep its customer data out of the hands of identity thieves and
PCI Compliance is sold through an annual subscription that starts with three
external IP addresses for $495, with additional IPs at $15-$25 each. Web
applications scanning goes for an additional $500 per year for the first app,
with additional apps at $99 per year. For more information, go here
setup time, the service asked me for information about the IP addresses of the
public-facing servers I wished to scan for potential vulnerabilities. There is
a wizard that can walk you through this discovery process to ensure that you
have included all of your necessary servers that handle financial and personal
data and that your load balancers and other network infrastructure are
the service completes its scans, users can browse the scans with the Web
control panel and see which servers are vulnerable to particular exploits. I
was able to filter these results based on a variety of parameters, including
the level of severity and if any actually fail PCI standards. Clicking on a
particular entry in the results brings up a small window with links to more
information in the Bugtraq and federal Homeland Security's Common
Vulnerabilities and Exposures databases, along with any links to download the
latest patches and other tasks needed to remediate the problems detected. In
some cases, I found that certain links didn't quite match up with the right entries
in these databases; however, it is still a great start on fixing any problems.
compliance scans of servers happen within a matter of seconds, but the Web
applications scans take longer, depending on the complexity of the hosts
involved and whether you reduce the bandwidth demands of the scanner to avoid
congestion errors in your reports. The sample e-commerce storefront scan I used
for testing took between two and 12 hours to complete.
Web app reports are available as an extra-priced option. This is a new module
added to this version, to meet part of the PCI requirements part 6.6 that
demands organizations monitor their outward-facing Web applications for
exploits such as cross-site scripting and SQL injection attacks. Given that
these exploits are still quite common (look at what happened to Twitter when it
upgraded to a new series of servers in September), it is worth spending some
time in this area to ensure that your servers are up to snuff.
are not displayed in the Web console but are PDFs that have to be individually
downloaded - one report for each server and Web app. The reports go into
lots of details and include snippets of your HTML code to show you where you
have gone astray.
these reports can be daunting to say the least: A scan of a simple Wordpress
Web server produced 15 pages, of which only one or two had violations that
needed attention, and one of a sample e-commerce server ran on for 22 pages.
The sample reports of the network vulnerabilities were a bit easier to parse
the PCI compliance process is an annual self-assessment questionnaire. The
Qualys service includes a wizard, which picks the most appropriate type of PCI
questionnaire required, and then walks you through the process, giving you the
opportunity to answer the hundreds of questions for the survey and whether you
are in fact in compliance with the suggested data security practices. This is a
huge undertaking under the best of circumstances, but it is a nice addition to
the scanning service.
you have collected your reports and implemented the various remediations, you
can automatically submit your compliance status directly to your acquiring
merchant bank to produce your documentation.
protect your user access to the Qualys scanning service with Verisign's
Identity Protection two-factor tokens, which is a nice touch given the level of
detail that is available from these reports and how much damage they could
cause if they fell into the wrong hands. Verisign provides a smartphone-based
software token that can be used on iPhone, Android and Blackberry models so no
additional hardware is required.