
From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question. Here's a recent dialogue regarding Payment Card Industry (PCI) compliance:

It begins with a reader question:

I am looking to be Payment Card Industry compliant for our community college. I have been reading the rules and regulations of PCI and realize that you have to have an internal network penetration test and an application penetration test. You also need file system monitoring software.

And my answer:

You are correct; you need to have internal scans, penetration tests and file monitoring for your cardholder data environment. There is a wide spectrum of ways you can solve these issues, from outsourcing these functions to doing them in house. Each has its benefits and drawbacks. It is important to remember that for the internal scans and penetration tests you do not need a PCI Approved Scanning Vendor (ASV); an ASV is only required for the external scans.

The important thing to remember about internal vulnerability scans is that simply running the scans occasionally is not the same as having a vulnerability management system, which is an actual process for finding and remediating vulnerabilities. Therefore, I would recommend that any solution you look at helps you to set up a process, not simply run vulnerability scans. For the internal vulnerability scans you can hire a group to set up, monitor and maintain the internal scan remotely, or you can purchase equipment and have your staff monitor and maintain the scans. Qualys has a great book on this called “Vulnerability Management for Dummies”. You can download it free from their site.

Rapid7, nCircle, Qualys and Nessus all have the ability to support a vulnerability management process, some better than others. Each one of them has different licensing. For example, Qualys licenses by IP address while Nessus licenses by scanner. Qualys out of the box has everything you need to set up a vulnerability management process, while Nessus requires an additional product, Security Center, to be purchased beyond the scanner license for vulnerability management.

If your environment is all Windows you can use Microsoft Baseline Security Analyzer (MBSA), a free Microsoft tool for scanning. Besides missing security updates, MBSA also looks for excessive administrator accounts, simple or blank passwords and open file shares. The downside is that it looks for missing Microsoft patches and a fixed set of misconfigurations rather than vulnerabilities in general (third-party software in the cardholder data environment is not covered), and it creates one report per system. If you have 10 systems you have 10 reports. They are in XML format, so you could write some custom code to compile them into a single report or dashboard. The question then is whether you have staff to support the customization.
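As an added example (not code from the original post or from Microsoft), here is a Python script that does the compilation step described above: it reads a directory of per-host MBSA XML reports and rolls them into one CSV-style table, with the hosts that need attention first at the top. The element and attribute names it looks for (SecScan, Check, Advice, UpdateData, Grade, IsInstalled, Severity, KBID) follow the MBSA 2.x report layout as I remember it and are assumptions to confirm against a real .mbsa file; the two sample reports embedded in the script are constructed, with placeholder KB and bulletin numbers.

```python
"""Roll per-host MBSA XML reports into one summary table (added example).

Assumptions, not from the original post: MBSA 2.x writes one XML document per
scanned machine with a <SecScan> root (Machine, IP, Date, Grade attributes),
<Check> children (Grade and Name attributes plus an <Advice> child) and, under
the security-updates check, <UpdateData> rows (KBID, IsInstalled, Severity).
Those names are from memory of the 2.x layout; confirm them against a real
.mbsa file. The sample reports below are constructed, with placeholder
KB and bulletin numbers.
"""
import csv
import io
import xml.etree.ElementTree as ET
from pathlib import Path

FAIL_GRADE = 4  # assumption: MBSA grades get worse as they rise, 5 = critical


def parse_tree(root) -> dict:
    """Extract host identity, failed checks and missing updates from one <SecScan>."""
    if root.tag != "SecScan":
        raise ValueError(f"not an MBSA report, root element is <{root.tag}>")
    failed, missing = [], {}
    for check in root.iter("Check"):
        grade = int(check.get("Grade", "0"))
        if grade >= FAIL_GRADE:
            failed.append((check.get("Name", "?"), grade,
                           (check.findtext("Advice") or "").strip()))
        for upd in check.iter("UpdateData"):
            if upd.get("IsInstalled", "true").lower() == "false":
                sev = upd.get("Severity", "Unspecified")
                missing.setdefault(sev, []).append(upd.get("KBID", "?"))
    return {"host": root.get("Machine", "?"), "ip": root.get("IP", "?"),
            "scanned": root.get("Date", "?"), "grade": int(root.get("Grade", "0")),
            "failed_checks": failed, "missing_updates": missing}


def parse_report(xml_text: str) -> dict:
    return parse_tree(ET.fromstring(xml_text))


def load_reports(directory) -> list:
    """Parse every .mbsa/.xml file in a directory; ET.parse honours each file's encoding."""
    return [parse_tree(ET.parse(str(p)).getroot())
            for p in sorted(Path(directory).iterdir())
            if p.suffix.lower() in (".mbsa", ".xml")]


def summarize(reports) -> list:
    """One row per host, sorted so the hosts most in need of patching come first."""
    rows = []
    for r in reports:
        m = r["missing_updates"]
        rows.append({"host": r["host"], "ip": r["ip"], "scanned": r["scanned"],
                     "missing_critical": len(m.get("Critical", [])),
                     "missing_important": len(m.get("Important", [])),
                     "missing_total": sum(len(v) for v in m.values()),
                     "failed_checks": len(r["failed_checks"]),
                     "failed_names": "; ".join(n for n, _, _ in r["failed_checks"])})
    rows.sort(key=lambda x: (-x["missing_critical"], -x["missing_total"],
                             -x["failed_checks"], x["host"]))
    return rows


FIELDS = ["host", "ip", "scanned", "missing_critical", "missing_important",
          "missing_total", "failed_checks", "failed_names"]


def to_csv(rows) -> str:
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS)
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


# Constructed sample reports (placeholder KB/bulletin numbers, not real ones).
WEB01_XML = """<SecScan Machine="WEB01" Domain="CDE" IP="10.10.1.5" Date="2011-03-01 02:00:00" Grade="5">
  <Check ID="500" Grade="5" Type="1" Cat="1" Name="Windows Security Updates">
    <Advice>2 security updates are missing.</Advice>
    <Detail>
      <UpdateData ID="1" KBID="9000001" BulletinID="MS00-001" IsInstalled="false" Severity="Critical"><Title>Placeholder update 1</Title></UpdateData>
      <UpdateData ID="2" KBID="9000002" BulletinID="MS00-002" IsInstalled="false" Severity="Important"><Title>Placeholder update 2</Title></UpdateData>
      <UpdateData ID="3" KBID="9000003" BulletinID="MS00-003" IsInstalled="true" Severity="Critical"><Title>Placeholder update 3</Title></UpdateData>
    </Detail>
  </Check>
  <Check ID="1" Grade="4" Type="2" Cat="2" Name="Local Account Password Test"><Advice>Some user accounts (1 of 4) have blank or simple passwords.</Advice></Check>
  <Check ID="2" Grade="1" Type="2" Cat="2" Name="File System"><Advice>All hard drives (1) are using the NTFS file system.</Advice></Check>
</SecScan>"""

DB01_XML = """<SecScan Machine="DB01" Domain="CDE" IP="10.10.2.7" Date="2011-03-01 02:10:00" Grade="4">
  <Check ID="500" Grade="1" Type="1" Cat="1" Name="Windows Security Updates">
    <Advice>No security updates are missing.</Advice>
    <Detail><UpdateData ID="3" KBID="9000003" BulletinID="MS00-003" IsInstalled="true" Severity="Critical"><Title>Placeholder update 3</Title></UpdateData></Detail>
  </Check>
  <Check ID="3" Grade="4" Type="2" Cat="2" Name="Automatic Updates"><Advice>Updates are not automatically installed.</Advice></Check>
  <Check ID="1" Grade="1" Type="2" Cat="2" Name="Local Account Password Test"><Advice>All user accounts (3) have non-simple passwords.</Advice></Check>
</SecScan>"""

SAMPLE_REPORTS = [WEB01_XML, DB01_XML]

if __name__ == "__main__":
    # Real use: rows = summarize(load_reports(r"C:\Users\scanner\SecurityScans"))
    print(to_csv(summarize([parse_report(x) for x in SAMPLE_REPORTS])))
```

Point `load_reports()` at the folder MBSA writes its reports to and feed the CSV into whatever dashboard or ticketing you already use; the per-host "failed_names" column is what turns ten separate reports into one work list.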

For the penetration testing, the standard does not prescribe a particular methodology, so in theory you could get an appliance with built-in tools such as Metasploit, Core Impact or SAINT. These tools ship with automated penetration tests and exploit modules. You could purchase these tools and have your staff run them, or outsource this function. Keep in mind that an automated tool run is not by itself a penetration test: someone still has to validate the findings, attempt to exploit them against the cardholder data environment, and document what was reached.

Outsourcing the penetration testing function is what most organizations do. To do it in house you would need engineers trained in penetration testing on staff, and that skill set is expensive to maintain just for the purpose of conducting annual penetration tests. However, the most cost effective option is to share the expertise with other organizations. For example, having all of the community colleges pay a portion of a single penetration testing team that rotates from college to college would cost less than each college outsourcing the function on its own.

For file monitoring there are a number of out-of-the-box products available, such as Tripwire, Solidcore, LogRhythm, nCircle and NNT, to name a few. The important thing to remember about File Integrity Monitoring is reporting. You want alerts with low false positives; otherwise you will get lots of alerts that are just noise, and you will miss the one that needs investigating. In practice that means monitoring the files that matter (system binaries, application and configuration files, web content) and excluding files that change legitimately, such as logs and temporary files.
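As an added example (not code from the post or from any of the products it names), here is a small Python baseline-and-compare checker that shows the tuning point above: the same set of changes on a host produces a noisy diff when logs are monitored and an actionable one when they are excluded. Paths, glob patterns and file contents are illustrative; `demo()` builds a throwaway tree in a temporary directory so it runs offline.

```python
"""Minimal file-integrity check: hash a tree, keep a baseline, diff it later.

Added example, not code from the post or from any FIM product it names.
Paths and exclusion patterns are illustrative; demo() builds a throwaway
tree in a temporary directory so the whole thing runs offline.
"""
import fnmatch
import hashlib
import json
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exclude=()) -> dict:
    """Map relative path -> {sha256, mode} for every regular file under root,
    skipping anything matching a glob in `exclude` (logs, temp dirs, caches)."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(fnmatch.fnmatch(rel, pat) for pat in exclude):
            continue
        baseline[rel] = {"sha256": _sha256(p), "mode": oct(p.stat().st_mode & 0o777)}
    return baseline


def save_baseline(baseline: dict, path) -> None:
    # Store this somewhere the monitored host cannot rewrite it, or an
    # attacker who changes a file can simply re-baseline it.
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def compare(old: dict, new: dict) -> dict:
    """Added/removed/modified paths between two baselines; modified covers
    content or permission changes."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Same changes, two configurations: without an exclusion list the log
    growth is reported alongside the real finding; with it, only the config
    change surfaces."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("etc", "bin", "logs"):
            (root / sub).mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin" / "pos.exe").write_bytes(b"MZ\x90\x00placeholder")
        (root / "logs" / "app.log").write_text("started\n")

        noisy_base = build_baseline(root)
        tuned_base = build_baseline(root, exclude=["logs/*"])
        save_baseline(tuned_base, root / "baseline.json")  # would live off-host in real use

        # Normal activity: the log grows. Suspicious activity: a config flag flips.
        with (root / "logs" / "app.log").open("a") as f:
            f.write("request\n")
        (root / "etc" / "app.conf").write_text("debug=true\n")

        return {
            "noisy": compare(noisy_base, build_baseline(root, exclude=["baseline.json"])),
            "tuned": compare(load_baseline(root / "baseline.json"),
                             build_baseline(root, exclude=["logs/*", "baseline.json"])),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

PCI DSS 11.5 asks for critical-file comparisons at least weekly, but the useful frequency is whatever lets you investigate each alert; if every run lists the log directory, nobody reads past the first screen, which is exactly the noise problem the products above are meant to solve.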

Windows on a 64-bit platform has some file integrity built in; however, I have not seen a paper on how to set it up for PCI compliance. There may be something out there for that.

If you need help with these solutions, I can help you implement or even assist you in selecting solutions that meet your needs. I can also assist with the internal scanning. Feel free to give me a call if you have any questions.