If your organization handles customer financial and personal information, you know you need to regularly scan your servers and outward-facing applications to ensure this data is protected from hackers. The Payment Card Industry Data Security Standard (PCI-DSS) has been created to guide IT organizations, but staying in compliance with these guidelines is a huge undertaking. A number of vendors have stepped up with a series of scanning tools to help verify PCI compliance, and PCI has dozens of scanning vendors on its approved list. The hardest part will be picking one that works well for your situation. Many of these programs require you to download some software, but a growing number of vendors are delivering Web-based scanning services.
I evaluated one such solution, version 5 of the Web scanning service from Qualys called QualysGuard PCI Compliance. There was nothing to download, and getting started took a matter of minutes once I set up my account. Everything is handled with a Web browser-based control panel that I found easy to navigate and operate.
Qualys has a long history of security scanning; the company offers a free browser security scanning service to detect aging plug-ins and Java versions, for example. The PCI compliance service is a great asset to any organization that is trying to keep its customer data out of the hands of identity thieves and other ne’er-do-wells.
QualysGuard PCI Compliance is sold through an annual subscription that starts with three external IP addresses for $495, with additional IPs at $15-$25 each. Web applications scanning goes for an additional $500 per year for the first app, with additional apps at $99 per year. For more information, go here.
Testing QualysGuard
At setup time, the service asked me for information about the IP addresses of the public-facing servers I wished to scan for potential vulnerabilities. There is a wizard that can walk you through this discovery process to ensure that you have included all of your necessary servers that handle financial and personal data and that your load balancers and other network infrastructure are configured correctly.
Once the service completes its scans, users can browse the results with the Web control panel and see which servers are vulnerable to particular exploits. I was able to filter these results based on a variety of parameters, including the level of severity and whether any finding actually fails PCI standards. Clicking on a particular entry in the results brings up a small window with links to more information in the Bugtraq and federal Homeland Security’s Common Vulnerabilities and Exposures databases, along with any links to download the latest patches and other tasks needed to remediate the problems detected. In some cases, I found that certain links didn’t quite match up with the right entries in these databases; however, it is still a great start on fixing any problems.
General compliance scans of servers happen within a matter of seconds, but the Web applications scans take longer, depending on the complexity of the hosts involved and whether you reduce the bandwidth demands of the scanner to avoid congestion errors in your reports. The sample e-commerce storefront scan I used for testing took between two and 12 hours to complete.
These Web app reports are available as an extra-priced option. This is a new module added to this version, to meet part of PCI DSS requirement 6.6, which demands that organizations monitor their outward-facing Web applications for exploits such as cross-site scripting and SQL injection attacks. Given that these exploits are still quite common (look at what happened to Twitter when it upgraded to a new series of servers in September), it is worth spending some time in this area to ensure that your servers are up to snuff.
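To make concrete what a Web application scan of this kind is looking for, here is an added example (not code from Qualys or from this review) showing the two defect classes requirement 6.6 names, each beside its hardened form. The table, sample rows and function names are constructed for illustration; the vulnerable lookup is shown to break on an ordinary customer name containing an apostrophe, which is the same gap a scanner's injection probes exercise.

```python
import html
import sqlite3


# Constructed sample data for the demonstration, not from the review.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.invalid"), ("Bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Query built by string concatenation: the input becomes part of the SQL text."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Same query with a bound parameter: the input is treated as data, never as SQL."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


def greeting_vulnerable(name):
    """HTML built by concatenation: any markup in the input is rendered as markup."""
    return "<p>Welcome back, " + name + "</p>"


def greeting_escaped(name):
    """Escape before interpolating so the browser displays the input as plain text."""
    return "<p>Welcome back, " + html.escape(name, quote=True) + "</p>"


def query_handles_quote(lookup):
    """Return True if the given lookup survives a legitimate name with an apostrophe.

    The concatenated version turns O'Brien into a syntax error; a scanner's
    probe strings exploit exactly that loss of separation between code and data.
    """
    conn = setup_db()
    try:
        lookup(conn, "O'Brien")
        return True
    except sqlite3.OperationalError:
        return False
    finally:
        conn.close()


if __name__ == "__main__":
    print("concatenated SQL handles O'Brien:", query_handles_quote(lookup_vulnerable))
    print("parameterized SQL handles O'Brien:", query_handles_quote(lookup_parameterized))
    print(greeting_vulnerable("<b>Bob</b>"))
    print(greeting_escaped("<b>Bob</b>"))
```

The fix in both cases is the same principle: keep untrusted input out of the code channel, by binding it as a query parameter on the database side and by escaping it before it is placed into HTML on the browser side. A scanner report that quotes a snippet of your HTML, as the review describes, is usually pointing at one of these two concatenation patterns.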
Reports are not displayed in the Web console but are PDFs that have to be individually downloaded – one report for each server and Web app. The reports go into a great deal of detail and include snippets of your HTML code to show you where you have gone astray.
Some of these reports can be daunting to say the least: A scan of a simple WordPress Web server produced 15 pages, of which only one or two had violations that needed attention, and one of a sample e-commerce server ran on for 22 pages. The sample reports of the network vulnerabilities were a bit easier to parse and understand.
Part of the PCI compliance process is an annual self-assessment questionnaire. The Qualys service includes a wizard, which picks the most appropriate type of PCI questionnaire for your situation and then walks you through the process, letting you answer the survey’s hundreds of questions and record whether you are in fact in compliance with the suggested data security practices. This is a huge undertaking under the best of circumstances, but it is a nice addition to the scanning service.
Once you have collected your reports and implemented the various remediations, you can automatically submit your compliance status directly to your acquiring merchant bank to produce your documentation.
You can protect your user access to the Qualys scanning service with Verisign’s Identity Protection two-factor tokens, which is a nice touch given the level of detail that is available from these reports and how much damage they could cause if they fell into the wrong hands. Verisign provides a smartphone-based software token that can be used on iPhone, Android and Blackberry models so no additional hardware is required.