Internal and External Vulnerability Scanning
PCI requires that internal (Req. 11.2.1) and external (Req. 11.2.2) vulnerability scanning are carried out at least quarterly and after significant changes.
Your external vulnerability scanning must be carried out using an Approved Scanning Vendor. Make sure that you check that your vendor is on the list of ASVs on the PCI website.
Internal vulnerability scanning does not have to be carried out by an ASV, but many of the ASVs offer both internal and external scanning tools which can make the process easier than running multiple tools.
Scans and Re-Scans
The first thing you should do is make sure that you are scanning everything that needs to be scanned.
For external scanning, this means scanning any external interface that has the ability to affect the security of your in-scope environment. This means that aside from scanning the IP address for your payment page (or redirect page, etc.), you should may also need to be including things such as:
- VPN connections
- Externally accessible management services
- VoIP services
- Mail servers
We often see that supporting services get missed in external vulnerability scans.
For internal vulnerability scans, you need to ensure that they cover all of your in-scope environment including the CDE, your management zones, and potentially even workstations that are in-scope.
It’s not enough to just scan your environment once per quarter though. You need to make sure that you achieve a passing scan each quarter. You also need to be able to show that you are running (and passing) internal and external vulnerability scans after any significant changes.
What is a Passing Scan?
The PCI SSC has two FAQs that are useful to read:
For external scans, make sure that there is a process to get an attested scan each time you run the scan (at least quarterly). We recommend that scans are run monthly in case vulnerabilities are identified that need to be fixed. This gives you the longest possible timeframe to fix the vulnerabilities and still get a passing scan with in the quarter (90 days).
For internal vulnerability scans, the scanning process does not include an attestation process. So you need to make sure that as part of the scans, all the “High” and “Critical” vulnerabilities are addressed as well as vulnerabilities that do not result in an automatic failure. There may also be other vulnerabilities that you as an organisation want to address but that do not fall into either of these categories.
With internal vulnerability scans, the process of managing “false positives” is managed internally and you need to ensure that any false positives are recorded and actioned so that when your QSA reviews the results, they understand the findings (especially if there are vulnerabilities present which result in a failed internal vulnerability scan).
PCI does understand though that sometimes it may take multiple vulnerability scans to get a passing scan. Therefore, they set out clear guidance in FAQ 1152 for what is needed to meet the quarterly scan requirement:
- Scans of all in-scope systems were performed for each quarterly period, and all in-scope systems are covered by the entity’s scan-remediate-rescan processes.
- Rescans were performed as necessary, and show that vulnerabilities identified in the initial quarterly scans have been remediated, for all affected systems, as part of the quarterly process.
- The entity has processes in place to remediate currently identified vulnerabilities.
- Repeated failing scans are not the result of poor remediation practices resulting in previously identified vulnerabilities not being properly addressed.
The last bullet point is probably one of the most important ones. A vulnerability should not be present on your scans quarter after quarter showing the same failing vulnerability on the same server as this would in most cases indicate a poor remediation processes.
What Happens if I Miss a Quarterly Scan?
The biggest question is always: what happens if a scan is missed or the requirements for a passing scan are not met? If your QSA is not able to get evidence of four passing scans in the last year, they will not be able to mark this requirement as in-place. In the worst case scenario, this could mean that you could be non-compliant for several quarters while the requirement for passing scans is met.
This is why it is important to ensure that you:
- Schedule and automatically run scans more frequently than quarterly.
- Regularly review the findings of these scans
- Have a clear remediation process in place
- Regularly perform re-scans until the failing vulnerabilities are fixed.
Remember, always scan-remediate-rescan!