Common ASV Vulnerability Scan Misconfigurations

01/24/2017  |  By: Stewart Fey, Director of Technical Services


In today’s security environment, accurate PCI assessments are an important part of an overall security strategy. I have been looking more closely at the approved scanning vendor (ASV) scans required under PCI DSS requirement 11.2 and have noticed that many users are not configuring the scans correctly. It is a long story how this came to light (this is not a new requirement), but the short version is that organizations should configure their ASV scans to cover all known URLs and domain names, not just their IP address ranges. A scan that targets only an IP address reaches whichever site the web server serves by default for that address; applications served under other hostnames on the same address (name-based virtual hosting) are never tested.

How to Fix ASV Scan Configuration to Include All Known URLs

In Qualys, which many companies use for their ASV scanning, the PCI scan wizard prompts each entity to enter these targets. I would encourage organizations to review their existing processes now; if your process does not include entering all URLs, domain names and other entry points as required by the ASV Program Guide (see below), add them now and rerun your most recent scan.

Additionally, it may be helpful to periodically refresh one's memory on certain PCI requirements. I would encourage everyone to read the entire ASV Program Guide, but for brevity I have copied the section that contains the specific guidance regarding URLs, starting on page 12: https://www.pcisecuritystandards.org/documents/ASV_Program_Guide_v2.pdf

Scan Customers Provide Internet-facing IP Addresses and Domains

In addition to providing all external-facing IP addresses, the scan customer must also supply all fully qualified domain names (FQDN) and other unique entryways into applications for the entire in-scope infrastructure. This includes, but is not limited to:

  • Domains for all web-servers
  • Domains for mail servers
  • Domains used in name-based virtual hosting
  • Web-server URLs to "hidden" directories that cannot be reached by crawling the website from the home page
  • Any other public-facing domains or domain aliases

Adding these hostnames to the scan scope is a small change to how you submit targets, but it results in a more complete and accurate scan and a more effective assessment.
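One practical way to catch the gap the guide is describing before the scan runs is to reconcile the declared FQDN list against the declared IP ranges: any hostname that resolves outside the ranges points at infrastructure the scan would miss entirely, and any IP shared by several hostnames is name-based virtual hosting, where scanning the IP alone only reaches the default site. The script below is an added example, not code from the original post or from Qualys or the PCI SSC; the IP ranges, hostnames and the in-memory DNS table are constructed stand-ins (offline), and in practice the resolver would be replaced by socket.getaddrinfo against the entity's real records.

```python
import ipaddress
import socket

# Constructed sample scope: what an entity would hand to its ASV.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges (RFC 5737).
IN_SCOPE_RANGES = ["203.0.113.0/28"]
DECLARED_FQDNS = ["www.example.com", "shop.example.com", "mail.example.com"]

# Constructed, offline stand-in for DNS so the example runs anywhere.
FAKE_DNS = {
    "www.example.com": ["203.0.113.5"],
    "shop.example.com": ["203.0.113.5"],     # same IP as www: name-based vhost
    "mail.example.com": ["203.0.113.6"],
    "legacy.example.com": ["198.51.100.9"],  # resolves outside the declared ranges
}


def fake_resolve(fqdn, table=FAKE_DNS):
    """Return the A records for fqdn from the constructed table ([] if unknown)."""
    return list(table.get(fqdn, []))


def live_resolve(fqdn):
    """Real resolver for production use (not exercised by the offline example)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None)})
    except socket.gaierror:
        return []


def reconcile_scope(ranges, fqdns, resolver=fake_resolve):
    """Cross-check declared FQDNs against declared IP ranges.

    Returns a dict with:
      unresolved    - FQDNs with no address (typo, or a host that no longer exists)
      out_of_range  - FQDN -> addresses that fall outside every declared range,
                      i.e. Internet-facing hosts the IP-only scan would never touch
      shared_ip     - IP -> FQDNs that all resolve to it; scanning that IP by itself
                      reaches only the web server's default site, so every one of
                      these hostnames must be given to the ASV explicitly
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]

    def in_scope(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    report = {"unresolved": [], "out_of_range": {}, "shared_ip": {}}
    ip_to_names = {}
    for fqdn in fqdns:
        addrs = resolver(fqdn)
        if not addrs:
            report["unresolved"].append(fqdn)
            continue
        for addr in addrs:
            ip_to_names.setdefault(addr, []).append(fqdn)
            if not in_scope(addr):
                report["out_of_range"].setdefault(fqdn, []).append(addr)

    for addr, names in ip_to_names.items():
        if len(names) > 1:
            report["shared_ip"][addr] = sorted(names)
    return report


def scan_targets(ranges, fqdns):
    """The de-duplicated target list to submit: IP ranges plus every FQDN."""
    return sorted(set(ranges)) + sorted(set(fqdns))


if __name__ == "__main__":
    result = reconcile_scope(IN_SCOPE_RANGES,
                             DECLARED_FQDNS + ["legacy.example.com"])
    for key, value in result.items():
        print(f"{key}: {value}")
    print("targets:", scan_targets(IN_SCOPE_RANGES, DECLARED_FQDNS))
```

Run against the constructed data, the check reports legacy.example.com as out of range and flags 203.0.113.5 as shared by www and shop; both findings mean the IP-only scan would have missed something, which is exactly what the guide's list of required domains is meant to prevent.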
