We have arrived at the 11th installment of our 12-part series, The Road Map to PCI. As the end of the road approaches for this series, don’t be too sad: our conversations will shift to address the new PCI DSS 3.0 standard, which goes into effect in January of 2015.
Before we get ahead of ourselves, this month we look at Requirement 11: Regularly Test Security Systems and Processes. Nearly every question in Requirement 11 is focused on ensuring the integrity of your network through vulnerability scans.
Why Are Scans Required?
When a payment application is connected to the internet, transactions are being transmitted over your network, and vulnerability scans are required to verify the security of that network. Vulnerability scans essentially provide a report card on your network’s integrity, informing you of each vulnerability found and the resolution needed to address it.
What Does Each Scan Do?
There are three types of scans:
1. Unauthorized Wireless Access Point: data thieves have been known to surreptitiously install wireless routers or other network devices and then sit undetected in a nearby parking lot, for example, collecting network data from the comfort of their car. This scan ensures there are no additional access points to your network that your team might be unaware of. This is an important security step which PCI DSS requires on a quarterly basis at a minimum.
2. External: this scan looks at your network from the outside and ensures there are no obvious holes in your network security; it is reminiscent of making sure your garage door is shut so that your house is not vulnerable. It essentially ensures that all the necessary windows and doors on your house (your network) are closed and locked.
3. Internal: this scan ensures that everything is in order within your network, including users’ access rights. Continuing with the house analogy, this means making sure that items are in the right rooms where they belong. If something should be locked in a safe, it ensures its access is only available by the proper users.
Scan Results Are In, Now What?
Once scans are complete you can take action and address any discovered vulnerabilities. If the results of your Unauthorized Wireless Access Point Scan return a new or unrecognized access point, it should be disabled until you know why it is there. Talk to your team and follow the Incident Response Plan you have in place to identify why the access point exists or to remove it entirely.
Your External Scan results will let you know which “doors and windows” need to be reinforced to provide the extra security your network may require. Have your IT team jump in and help make adjustments to your firewall and network defenses to address any identified vulnerabilities.
Internal Scan results will assist in tightening access between various points within your network. This helps protect you from unauthorized access which could otherwise grow into total access to your network. Your IT team should be able to fix these without issue. However, if you or your team have trouble resolving your scan vulnerabilities, feel free to reach out to us or contact your Qualified Security Assessor and/or Approved Scanning Vendor for assistance.
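As an added illustration (not part of the original post), here is the reconciliation that an unauthorized wireless access point scan boils down to: compare what a wireless survey observed against the inventory of access points your team approved, and hand anything else to the Incident Response Plan. The inventory, the survey lines and the SSID names below are constructed for the example.

```python
# Added example, not from the original post: reconcile a wireless survey against the
# authorised access point inventory. All BSSIDs, SSIDs and survey lines are constructed.
from dataclasses import dataclass

# Constructed authorised inventory: BSSID (radio MAC) -> the SSID it is expected to advertise.
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": "NPO-Staff",
    "aa:bb:cc:00:00:02": "NPO-Staff",
    "aa:bb:cc:00:00:03": "NPO-Guest",
}

# Constructed survey output, one observed AP per line: BSSID,SSID,channel,signal(dBm).
SURVEY_LINES = """\
aa:bb:cc:00:00:01,NPO-Staff,6,-52
aa:bb:cc:00:00:02,NPO-Staff,11,-60
de:ad:be:ef:00:01,NPO-Staff,1,-45
aa:bb:cc:00:00:03,NPO-Guest,6,-70
12:34:56:78:9a:bc,Free-WiFi,1,-80
"""

@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    signal_dbm: int
    reason: str

def parse_survey(text):
    """Parse the comma-separated survey lines into (bssid, ssid, channel, signal) tuples."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, signal = line.split(",")
        aps.append((bssid.strip().lower(), ssid.strip(), int(channel), int(signal)))
    return aps

def find_unrecognized(aps, inventory):
    """Return every observed AP that is not in the inventory or does not match it.
    A strong signal plus one of our own SSIDs on an unknown radio is the case the
    post warns about; a weak unknown SSID may just be a neighbour, so it is still
    reported, but with a reason that tells the triage team what to check first."""
    findings = []
    for bssid, ssid, _channel, signal in aps:
        expected = inventory.get(bssid)
        if expected is None:
            if ssid in inventory.values():
                reason = "unknown radio advertising one of our SSIDs (possible impersonation)"
            else:
                reason = "unknown radio with unknown SSID (rogue device or neighbour)"
            findings.append(Finding(bssid, ssid, signal, reason))
        elif expected != ssid:
            findings.append(Finding(bssid, ssid, signal, f"inventory lists SSID {expected!r}"))
    return findings
```

Each finding is the starting point for the “why is it there?” question; the access point stays disabled or isolated until the team has answered it.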
Have you found any handy tips or tricks for fixing vulnerabilities with a limited IT staff that you want to share with other like-minded nonprofits? How are you doing with your scans? Let us know in the comments below!