
The out-of-band release of Qualys PCI Compliance that adds support for PCI DSS 3.1 is out! The primary intention of this release is to address SSL and TLS encryption issues that have evolved recently. Effective immediately merchants are prohibited from implementing new technologies that rely on SSL or early TLS. SSL and early TLS cannot be used in any way as standalone security control after June 30, 2016. So basically merchants have about 14 months to remove SSL and early TLS from their environments. ‘Early TLS’ is TLS version 1.0 and in some cases 1.1 depending on where it’s used and how it’s implemented.

 

New Detection

With this new release of Qualys PCI Compliance, Qualys QID 38606 will detect the presence of SSL v3 on affected systems and will start failing PCI compliance scans after June 30, 2016, as previously announced. Additionally, Qualys has revised the solution sections of SSL/TLS-related vulnerabilities to suggest solutions where TLS v1.1+ is preferred.

 

In prior scan reports, it is already possible to identify the existence of SSL v2 through QID 38139, and it's possible to identify the existence of SSL v3 from a combination of different QIDs. But having this new single QID to identify SSL v3 simplifies identification for administrators and increases their visibility into SSL versions in their systems.

 

PCI DSS 3.1 Changes

The following sections from PCI DSS 3.1 were changed:

 

Section 2.2.3:

 

This section states that, effective immediately, SSL or early TLS must not be used in new implementations. SSL and/or early TLS must not be introduced into environments where they don’t already exist.

 

For existing implementations, SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.  POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2016.

 

Section 2.3:

All non-console administrative access must be encrypted. For web-based management and other non-console administrative access, use SSH, VPN or later versions of TLS.

 

Section 4.1:

Transmission of cardholder data must be safeguarded with later versions of TLS, IPsec, SSH or similar; SSL/early TLS will not be considered strong cryptography after June 30, 2016.
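As an added example (not part of the Qualys post and not Qualys code), the following Python script inventories which TLS versions a server actually negotiates, one pinned handshake per version, and grades the result against the PCI DSS 3.1 rule described above. The status labels, the default of treating TLS 1.1 as early TLS, and the hosts you pass on the command line are assumptions; SSLv2/SSLv3 are graded if a scanner reports them but are not probed, since current OpenSSL builds cannot speak them.

```python
"""Inventory negotiated TLS versions and grade them against PCI DSS 3.1.

Added example, not Qualys code.  The POS POI terminal exception in 2.2.3 is
deliberately not modelled.
"""
import socket
import ssl
from datetime import date

# After this date SSL and early TLS are no longer accepted as a security control.
PCI_DEADLINE = date(2016, 6, 30)
SSL_VERSIONS = {"SSLv2", "SSLv3"}
EARLY_TLS = {"TLSv1", "TLSv1.1"}   # names as returned by ssl.SSLSocket.version()


def grade_protocols(enabled, scan_date, tls11_is_early=True):
    """Grade a set of protocol names the server offers.

    Returns (status, reasons):
      'PASS'                    only TLS 1.2+ offered
      'MIGRATION_PLAN_REQUIRED' SSL/early TLS offered before the deadline
                                (a formal Risk Mitigation and Migration Plan
                                must exist)
      'FAIL'                    SSL/early TLS offered after the deadline
    tls11_is_early mirrors the post's "in some cases 1.1" caveat (assumption:
    treat 1.1 as early TLS unless the assessor decides otherwise).
    """
    enabled = set(enabled)
    early = EARLY_TLS if tls11_is_early else {"TLSv1"}
    reasons = []
    ssl_hits = sorted(enabled & SSL_VERSIONS)
    early_hits = sorted(enabled & early)
    if ssl_hits:
        reasons.append("SSL offered: " + ", ".join(ssl_hits))
    if early_hits:
        reasons.append("early TLS offered: " + ", ".join(early_hits))
    if not reasons:
        return "PASS", reasons
    status = "FAIL" if scan_date > PCI_DEADLINE else "MIGRATION_PLAN_REQUIRED"
    return status, reasons


# One probe per version: pinning both minimum and maximum version means a
# successful handshake proves the server accepts exactly that version.
TLS_PROBES = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def probe_server(host, port=443, timeout=5.0):
    """Return the set of TLS version names that host:port negotiates."""
    enabled = set()
    for name, version in TLS_PROBES:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # inventorying protocols, not identity
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")   # let local OpenSSL offer legacy suites
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ssl.SSLError, ValueError):
            continue                        # local library cannot speak this version
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    if tls.version() == name:
                        enabled.add(name)
        except (ssl.SSLError, OSError):
            pass                            # handshake refused: version not enabled
    return enabled


def assess_host(host, port=443, scan_date=None):
    """Probe one host and return a small report dict."""
    enabled = probe_server(host, port)
    status, reasons = grade_protocols(enabled, scan_date or date.today())
    return {"host": host, "enabled": sorted(enabled),
            "status": status, "reasons": reasons}


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["localhost"]:
        print(assess_host(target))
```

Run it only against hosts you administer; the grading function is pure and can also be fed protocol lists taken from a scanner report.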

Comply with PCI DSS 3.0 using Mandate-Based Reporting in Qualys Policy Compliance

 

We are excited to announce an ‘out-of-box’, ready-to-use mandate-based policy for PCI DSS 3.0 consisting of security checks which automate assessment of ‘In-scope’ PCI assets. This policy will greatly simplify the process merchants have to go through to validate PCI compliance for a key set of technical controls that need to be validated across a wide set of different technologies. Qualys Policy Compliance can now automatically scan for all these PCI controls and provide you with a detailed report that you can use to demonstrate ongoing compliance.

 

This new mandate-based policy provides:

  • A comprehensive set of controls based on industry accepted standards such as CIS and NIST, as well as vendor recommended guidelines such as Microsoft SCM and the IBM hardening guidelines for AIX, WebSphere, etc.
  • Coverage of all of the ‘technical secure configuration assessment’ requirements
  • Coverage of the new/evolving requirements of PCI DSS 3.0 –
    • 8.2.3 – Deeper assessment for managing password strength and complexity
    • 10.2.5 – Audit use of and changes to identification and authentication mechanisms
    • 10.2.6 – Assessing initiation, stopping or pausing of the audit logs
    • 6.5.10 – Assessing common security vulnerabilities

PCI DSS is applicable to and recommends security for all ‘In-scope’ PCI assets.

 

We provide support not just for different operating systems and databases but also web servers and network devices.  Qualys provides coverage for many common enterprise technologies such as:

  • Windows 7 & 8, Windows Server 2008, Windows Server 2012
  • Linux: SUSE Linux 11, openSUSE 11.x, Red Hat Linux 6, CentOS 6
  • Unix: Solaris 11, HP-UX 11i v3, AIX 6 & 7
  • VMware ESXi 5.x
  • Databases: Oracle 11g, IBM DB2 9.x, Sybase ASE 15, SQL Server 2008 and 2012
  • Web Servers: Apache HTTPD 2.2, IBM HTTP Server 7.x, IIS 7.x and VMware vFabric Web Server 5.x
  • Network Devices: Cisco IOS 15, Cisco ASA 8.x and Juniper Junos 10.x/11.x
  • Application Servers: IBM WebSphere Application Server 7.x

What Are Some of the Key Changes in PCI DSS 3.0?

 

PCI DSS has recently been updated to version 3.0 and consists of 12 requirements that specify how information must be held and protected, including requirements in areas such as network security, encrypting cardholder data, restricting access to information and maintaining information security. For more information, see the PCI DSS 3.0 documentation on the PCI Security Standards website.

 

The effective date of version 3.0 of the standard was January 1, 2014, but existing PCI DSS 2.0 compliant vendors will have until January 1, 2015 to show compliance with the new standard. In total, PCI DSS has 6 domains, 12 requirements, and 200 detailed sub-requirements.

Requirement – Highlights

  • PCI Compliance Cycle – PCI DSS is no longer a once-a-year auditing activity but needs to be a continuous day-to-day practice.
  • Requirement 10.2.5 – Audit use of and changes to identification and authentication mechanisms.
  • Requirement 10.2.6 – Assess/restrict stopping or pausing of the audit logs.
  • Requirement 11.1.x – Create inventory of authorized wireless access points and scan for unauthorized wireless devices.
  • Requirement 11.3 – Implement a methodology for penetration testing.
  • Requirement 2.4 – Maintain an inventory of system components in scope for PCI DSS.
  • Requirement 5.1.2 – For systems not commonly affected by malware, evaluate them for malware threats.
  • Requirement 5.3 – Evaluate that anti-virus solutions are actively running (formerly in 5.2), and cannot be disabled or altered.
  • Requirement 6.5.10 – Assess coding practices to protect against broken authentication and session management.
  • Requirement 8.2.3 – Deeper assessment for managing password strength and complexity.
  • Requirement 9.9 – Protect devices that capture payment card data from tampering and substitution.
  • Requirement 12.8.5 – Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.


Additional Support by Qualys for PCI DSS 3.0

 

In addition to mandate-based reporting, the following Qualys products also provide support to meet other PCI DSS requirements:

  • Qualys Policy Compliance (PC) helps in the assessment of secure configuration and hardening requirements for ‘in-scope’ assets/technologies.
  • Vulnerability Management (VM) helps in complying with the requirements of scanning for internal and external network vulnerabilities.
  • Web Application Firewall (WAF) helps in detecting and preventing web-based attacks.

 

These requirements make PCI a more practical, continuous and ongoing process, requiring additional depth in the assessments, while covering all ‘in-scope’ technologies which store/transmit data. This broadens coverage of security domains as well, including security for web and application servers, penetration testing, security configuration and change assessment, identification and authentication mechanisms, etc.


More Information

Get a free trial of Qualys Policy Compliance or contact your TAM today!

Qualys regularly upgrades the QualysGuard Cloud Platforms for capacity expansion and maintenance purposes.

 

We are now ready for a maintenance that will allow Qualys to apply database and network enhancements which will affect the Malware Detection Service on the EU Platform and other Qualys services, as detailed below.

 

This upgrade will happen on May 29, 2014 and requires a 12-hour downtime starting at 9:00 PM CEST (19:00 UTC) and ending at 9:00 AM CEST the next day (07:00 UTC the next day).

 

 

Please note that the following QualysGuard services on the EU Platform will be impacted during this maintenance window:

 

  • QualysGuard Malware Detection Service (MDS) -- Scanning services will be unavailable.  Web UI should be unaffected.

 

The following additional Qualys services will also be impacted and unavailable during this maintenance window:

 

  • QualysGuard PCI Compliance (PCI)
  • Qualys FreeScan

 

 

We appreciate your patience and if you have any further questions regarding this upgrade, please feel free to contact Qualys Technical Support at support@qualys.com or +1 (866) 801 6161 (US and Canada) or +44 (0)1753 872102 (UK) or +33 1 41 97 35 81 (France).

 

We thank you for your continued support and look forward to your feedback.


Qualys regularly upgrades the QualysGuard Cloud Platforms for capacity expansion and maintenance purposes.

 

We are now ready for a maintenance that will allow Qualys to apply database and network enhancements which will affect the Malware Detection Service on US Platform 2 and several other Qualys services, as detailed below.

 

This upgrade will happen on May 29, 2014 and requires a 12-hour downtime starting at 12:00 PM PDT (19:00 UTC) and ending at 12:00 AM PDT the next day (07:00 UTC the next day).

 

 

Please note that the following QualysGuard services on US Platform 2 will be impacted during this maintenance window:

 

  • QualysGuard Malware Detection Service (MDS) -- Scanning services will be unavailable.  Web UI should be unaffected.
  • QualysGuard Web Application Firewall (WAF) -- Web UI will remain up.  Deployed sensor appliances will continue to inspect and protect web traffic using their currently-active policies.  Collected inspection data and events may be delayed in displaying on the platform.  Requested policy changes may be delayed in deploying to sensor appliances.

 

The following additional Qualys services will also be impacted and unavailable during this maintenance window:

 

  • QualysGuard PCI Compliance (PCI)
  • Qualys FreeScan

 

 

We appreciate your patience and if you have any further questions regarding this upgrade, please feel free to contact Qualys Technical Support at support@qualys.com or +1 (866) 801 6161 (US and Canada) or +44 (0)1753 872102 (UK) or +33 1 41 97 35 81 (France).

 

We thank you for your continued support and look forward to your feedback.


Qualys regularly upgrades the QualysGuard Cloud Platforms for capacity expansion and maintenance purposes.

 

We are now ready for a maintenance that will allow Qualys to apply database and network enhancements which will affect the Malware Detection Service on the EU Platform and several other Qualys services, as detailed below.

 

This upgrade will happen on March 6, 2014 and requires a 12-hour downtime starting at 12:00 PM Pacific (20:00 UTC) and ending at 12:00 AM Pacific the next day (08:00 UTC the next day).

 

Please note that the following QualysGuard services on the EU Platform will be impacted during this maintenance window:

 

  • scanning activity for QualysGuard Malware Detection Service (web UI should be unaffected)

 

The following additional Qualys services will also be impacted and unavailable during this maintenance window:

 

  • QualysGuard PCI Compliance
  • Qualys FreeScan
  • Qualys BrowserCheck
  • Qualys business web sites

 

Any scans scheduled to begin during the downtime will start immediately following the scheduled downtime. Customers are advised to make sure that the restart of scheduled scans after the downtime does not interfere with normal network operations.

 

We appreciate your patience and if you have any further questions regarding this upgrade, please feel free to contact Qualys Technical Support at support@qualys.com or +1 (866) 801 6161 (US and Canada) or +44 (0)1753 872102 (UK) or +33 1 41 97 35 81 (France).

 

We thank you for your continued support and look forward to your feedback.


Qualys regularly upgrades the QualysGuard Cloud Platforms for capacity expansion and maintenance purposes.

 

We are now ready for a maintenance that will allow Qualys to apply database and network enhancements which will affect the Malware Detection Service on US Platform 2 and several other Qualys services, as detailed below.

 

This upgrade will happen on March 6, 2014 and requires a 12-hour downtime starting at 12:00 PM Pacific (20:00 UTC) and ending at 12:00 AM Pacific the next day (08:00 UTC the next day).

 

Please note that the following QualysGuard services on US Platform 2 will be impacted during this maintenance window:

 

  • scanning activity for QualysGuard Malware Detection Service (web UI should be unaffected)

 

The following additional Qualys services will also be impacted and unavailable during this maintenance window:

 

  • QualysGuard PCI Compliance
  • Qualys FreeScan
  • Qualys BrowserCheck
  • Qualys business web sites

 

Any scans scheduled to begin during the downtime will start immediately following the scheduled downtime. Customers are advised to make sure that the restart of scheduled scans after the downtime does not interfere with normal network operations.

 

We appreciate your patience and if you have any further questions regarding this upgrade, please feel free to contact Qualys Technical Support at support@qualys.com or +1 (866) 801 6161 (US and Canada) or +44 (0)1753 872102 (UK) or +33 1 41 97 35 81 (France).

 

We thank you for your continued support and look forward to your feedback.


Update: (March 7, 2014 3:41 am PDT) We have completed the maintenance and services are restored.

Qualys regularly upgrades the QualysGuard Cloud Platforms for capacity expansion and maintenance purposes.

 

We are now ready for a maintenance that will allow Qualys to apply database and network enhancements which will affect the QualysGuard US Platform 1 and several other Qualys services, as detailed below.

 

This upgrade will happen on March 6, 2014 and requires a 12-hour downtime starting at 12:00 PM Pacific (20:00 UTC) and ending at 12:00 AM Pacific the next day (08:00 UTC the next day).

 

Please note that none of the QualysGuard applications on US Platform 1 will be available during this maintenance window.  This includes:

 

  • QualysGuard Vulnerability Management
  • QualysGuard Policy Compliance
  • QualysGuard Web Application Scanning
  • QualysGuard Malware Detection Service
  • QualysGuard Asset Management, including Dynamic Asset Tagging
  • scans running on QualysGuard External scanners (scans running on customer appliances will not be impacted)

 

The following Qualys services will also be impacted and unavailable during this maintenance window:

 

  • QualysGuard PCI Compliance
  • Qualys FreeScan
  • Qualys BrowserCheck
  • Qualys business web sites

 

Any scans scheduled to begin during the downtime will start immediately following the scheduled downtime. Customers are advised to make sure that the restart of scheduled scans after the downtime does not interfere with normal network operations.

 

If your account has been enabled with New Scanner Services, your running QualysGuard VM, PC, and WAS scans using deployed scanner appliances (but not the External scanners, as noted above) will not be impacted by this downtime and the results will be processed after the service is returned.

 

If your account has not been enabled with the New Scanner Services, then any scans running at the start of the scheduled downtime will be canceled.

 

We appreciate your patience and if you have any further questions regarding this upgrade, please feel free to contact Qualys Technical Support at support@qualys.com or +1 (866) 801 6161 (US and Canada) or +44 (0)1753 872102 (UK) or +33 1 41 97 35 81 (France).

 

We thank you for your continued support and look forward to your feedback.


Qualys is performing maintenance with downtime to QualysGuard PCI in the US datacenter on Tuesday March 5, 2013 starting at 18:00 UTC and ending at 22:00 UTC.

 

Impacted Services:

  • PCI User Interface will not be available during the maintenance (https://pci.qualys.com)
  • PCI scans scheduled to start during the maintenance will start once the service is restored

 

Not Impacted Services:

  • PCI scans launched and running before the maintenance window should not be impacted and the results will be available once the service is restored. If you see any discrepancy in your scan results, please contact Qualys support
  • QualysGuard VM, PC, WAS, Portal on the EU datacenter will continue to function normally (https://qualysguard.qualys.eu and https://portal.qualys.eu)

 

We appreciate your patience and if you have any further questions regarding this maintenance, please feel free to contact Qualys Technical Support at support@qualys.com or +1 (866) 801 6161 in the US and Canada, +44 (0)1753 872102 (UK) or +33 1 41 97 35 81 (France) for International.

 

We thank you for your continued support and look forward to your feedback.

Qualys is performing maintenance with downtime to the QualysGuard PCI and QualysGuard Portal infrastructures in the US datacenter on Tuesday March 5, 2013 starting at 10:00 AM PST (18:00 UTC) and ending at 2:00 PM PST (22:00 UTC).

 

Impacted Services:

  • PCI User Interface will not be available during the maintenance (https://pci.qualys.com)
  • PCI scans scheduled to start during the maintenance will start once the service is restored
  • Saved reporting functions on Portal (download/view saved reports) for WAS and MDS. Other functions will remain available, including interactive reports (https://portal.qualys.com)

 

Not Impacted Services:

 

We appreciate your patience and if you have any further questions regarding this maintenance, please feel free to contact Qualys Technical Support at support@qualys.com or +1 (866) 801 6161 in the US and Canada, +44 (0)1753 872102 (UK) or +33 1 41 97 35 81 (France) for International.

 

We thank you for your continued support and look forward to your feedback.

Qualys will be performing an emergency database maintenance to the QualysGuard PCI infrastructure on Sunday September 16, 2012 starting at 17:00 UTC and ending at 20:00 UTC.

 

List of Impacted Services:

 

List of Not Impacted Services:

  • PCI scans launched and running before the maintenance window should not be impacted and the results will be available once the service is restored. If you see any discrepancy in your scan results, please contact Qualys support.
  • All other QualysGuard services, including QualysGuard VM, PC, WAS, MDS and Portal (https://qualysguard.qualys.[com|eu] and https://portal.qualys.[com|eu]) WILL NOT BE IMPACTED by this maintenance.

 

We appreciate your patience and if you have any further questions regarding this upgrade, please feel free to contact Qualys Technical Support at support@qualys.com or +1 (866) 801 6161 in the US and Canada, +44 (0)1753 872102 (UK) or +33 1 41 97 35 81 (France) for International.

 

We thank you for your continued support and look forward to your feedback.

Qualys will be performing an emergency database maintenance to the QualysGuard PCI infrastructure on Sunday September 16, 2012 starting at 10:00 AM PDT (17:00 UTC) and ending at 1:00 PM PDT (20:00 UTC).

 

List of Impacted Services:

 

List of Not Impacted Services:

  • PCI scans launched and running before the maintenance window should not be impacted and the results will be available once the service is restored. If you see any discrepancy in your scan results, please contact Qualys support.
  • All other QualysGuard services, including QualysGuard VM, PC, WAS, MDS and Portal (https://qualysguard.qualys.[com|eu] and https://portal.qualys.[com|eu]) WILL NOT BE IMPACTED by this maintenance.

 

We appreciate your patience and if you have any further questions regarding this upgrade, please feel free to contact Qualys Technical Support at support@qualys.com or +1 (866) 801 6161 in the US and Canada, +44 (0)1753 872102 (UK) or +33 1 41 97 35 81 (France) for International.

 

We thank you for your continued support and look forward to your feedback.

Your PCI 11.2 Checklist and Toolbox

 

Merchants are getting ready for the upcoming changes to the internal scanning requirements for PCI compliance.  This blog post provides a checklist on what you should have ready and will review some of the tools Qualys provides for these requirements.

 

There are four core areas to focus on in preparation for your compliance to PCI 11.2, taking into account the changes from PCI 6.2 regarding risk ranking of vulnerabilities.

 

  1. Your documented PCI scope (cardholder data environment)
  2. Your documented risk ranking process
  3. Your scanning tools
  4. Your scan reports

 

Merchants will need to complete each of these elements to be prepared to pass PCI compliance.

 

1. Your documented PCI scope (cardholder data environment)

 

All PCI requirements revolve around a cross-section of assets in your IT infrastructure that is directly involved in storage, processing, or transmitting payment card information. These IT assets are known as the cardholder data environment (CDE), and are the focus areas of the PCI DSS requirements.

 

These assets can exist in internal or external (public) networks and may be subject to different requirements based on what role they play in payment processing. These assets can be servers, routers, switches, workstations, databases, virtual machines or web applications; PCI refers to these assets as system components.

 

QualysGuard provides a capability to tag assets under management.  The screenshot below shows an example of PCI scope being defined within the QualysGuard Asset Tagging module.  It provides the ability to group internal assets (for 11.2.1), external assets (for 11.2.2), and both internal and external assets together (for 11.2.3).

 

[Screenshot: pci-asset-tagging-ii.jpg – PCI scope defined in the QualysGuard Asset Tagging module]

 

This allows you to maintain documentation of your CDE directly, and to drive your scanning directly from your scope definition.

 

2. Your documented risk ranking process

 

This is the primary requirement associated with the June 30th deadline; this is the reference that should allow someone to reproduce your risk rankings for specific vulnerabilities.

 

The requirement references industry best practices, among other details, to consider in developing your risk ranking. It may help you to quickly adopt a common industry best practice and adapt it to your own environment. Two examples are the Qualys severity rating system, which is the default rating as assigned by the security research team at Qualys, and the PCI ASV Program Guide, which includes a rating system used by scanning vendors to complete external scanning. QualysGuard is used by 50 of the Forbes Global 100, and spans all market verticals; it qualifies as an industry best practice. Additionally, the QualysGuard platform is used by the majority of PCI Approved Scanning Vendors and already delivers rankings within the PCI ASV Program Guide practices.

 

The core rules of your risk rankings should take into account CVSS Base Scores, available from nearly all security intelligence feeds.  These scores are also the base system used within the PCI ASV Program Guide.  Your process should also account for system components in your cardholder data environment and vendor-provided criticality rankings, such as the Microsoft patch ranking system if your CDE includes Windows-based system components.

 

The process should include documentation that details the sources of security information you follow, how frequently you review the feeds, and how you respond to new information in the feeds.  QualysGuard provides daily updates to the vulnerability knowledgebase and now offers a Zero-Day Analyzer service, which leverages data from the iDefense security intelligence feed.

 

[Screenshot: zda-info.jpg – Zero-Day Analyzer information]

3. Your scanning tools


After you have your scope clearly defined and your process for ranking vulnerabilities documented, you will need to be able to run vulnerability scans. This includes internal VM scans, external VM scans, PCI ASV scans (external), internal web application scans and external web application scans. It is the findings in these scans that will map against your risk ranking process and allow you to produce the necessary scan reports.

 

You will need to be able to configure your scanning tools to check for “high” vulnerabilities, which will allow you to allocate resources to fix and resolve these issues as part of the normal vulnerability management program and workflow within your environment.

 

QualysGuard VM, QualysGuard WAS and QualysGuard PCI all work together seamlessly to provide each of these scan capabilities against the same group of assets that represent your PCI scope or CDE.

 

[Screenshot: scan-by-tag.jpg – launching a scan by asset tag]

 

4. Your scan reports

 

You will want to produce reports for your internal PCI scope, as defined in #1 of this checklist, both quarterly and after any significant changes.  If you have regular releases or updates to your IT infrastructure, you will want to have scan reports from those updates and upgrades. Quarterly scan reports need to be spaced apart by 90 days.  In all cases, these reports need to show that there are no “high” vulnerabilities detected by your scanning tools.

 

Each report for the significant change events will also need to include external PCI scope. QualysGuard VM makes it easy to include both internal and external assets in the same report.  QualysGuard VM also provides a direct link to your QualysGuard PCI merchant account for automation of your PCI ASV scan requirements.

 

[Screenshot: pci-account-link.jpg – linking QualysGuard VM to a QualysGuard PCI merchant account]

QualysGuard WAS allows you to quickly meet your production web application scanning requirement (PCI 6.6) as well as internal web application scanning as part of your software development lifecycle (SDLC), by scanning your applications in development and in test. 

 

If you follow these guidelines you will be well prepared to perform and maintain the required controls for PCI 11.2.

[Image: pci-logo.gif]

Merchants subject to Payment Card Industry Data Security Standard (PCI DSS) rules are often blindsided by DSS changes, arrival of new payment technologies, and newly emerging business context. In addition, many organizations still narrowly focus on annual PCI assessment instead of on running an ongoing compliance program. This article will provide insight on the updated PCI DSS requirement, highlighting the need for internal vulnerability scanning ("perform quarterly internal vulnerability scans"), which was less visible in previous versions.

 

Whether you are facing PCI compliance or if you have been PCI compliant in the past, you may already know what it means to have a passing external scan; it means that a PCI Approved Scanning Vendor (ASV) will perform a vulnerability assessment of your public IP address space according to the guidelines issued by the PCI Security Standards Council (SSC) in the ASV Program Guide. Typically, it also means that your public IP address space does not contain any vulnerabilities with a CVSS score of 4.0 or higher, or that you have compensating controls in place to mitigate any vulnerabilities in your public IP address space.

 

Internal Vulnerability Assessment

Beginning June 30th of this year, the PCI SSC is going to require that you also show proof of passing an internal vulnerability assessment. This requirement is detailed in the PCI DSS Requirement #11.2.1/11.2.3, which describes the testing procedures for internal vulnerability assessments. The key aspects of these assessments are that they must be completed quarterly, and after any significant change; the assessments must also be performed by qualified internal or external resources. Lastly, the assessments must document a “passing result.”

 

[Image: pci11.2.png – PCI DSS Requirement 11.2]

To obtain passing results, the PCI DSS references that “all ‘High’ vulnerabilities defined in PCI DSS Requirement #6.2 are resolved.”  The basic requirements are that you are able to perform a vulnerability assessment of your internal IP address space and that you are able to show that your environment does not have any “High” vulnerabilities, which is the subtle change from prior standards.

 

The purpose of PCI DSS Requirement #6.2 is to define the process by which you identify vulnerabilities that are to be considered “High,” “Medium,” and “Low.” Specifically, PCI DSS Requirement #6.2 states: “Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.” The requirement also includes notes describing how risk rankings should take into consideration industry best practices and other criteria unique to your own environment; this can include CVSS base scores, vendor-supplied patch rankings, and the criticality of the underlying system components themselves.

 

The key aspect of PCI Requirement #6.2 is that you have a list of vulnerabilities that you (and your organization) have ranked according to your own process. Then you need to leverage these risk rankings in your vulnerability assessment against your internal IP address space. This will allow you to produce a report that shows a passing scan against your internal scope based on the risk rankings of vulnerabilities you have specified.
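As an added example (not Qualys code and not part of either post), serving both the "documented risk ranking process" checklist item above and the 6.2/11.2 discussion here: this Python module applies one documented, reproducible ranking rule to a constructed set of scan findings and then evaluates the internal "no High" condition (11.2.1) and the external ASV condition (no CVSS 4.0 or higher). The ranking weights, host names and QID values are constructed assumptions; every merchant must write and keep its own rule under Requirement 6.2.

```python
"""Reproducible risk ranking (PCI DSS 6.2) and the 11.2 pass checks.

Added example, not Qualys code.  Weights, hosts and QIDs are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    host: str
    qid: int                     # scanner vulnerability id (constructed)
    cvss_base: float             # CVSS base score from the scanner / intel feed
    vendor_rating: Optional[str] # vendor patch rating, e.g. Microsoft "Critical"
    in_cde: bool                 # host is a system component in documented scope
    external: bool               # public-facing (11.2.2 / ASV) vs internal (11.2.1)


# Documented ranking rule (assumption for this example):
#   1. start from the CVSS base score;
#   2. add 2.0 when the vendor rates the fix "Critical", 1.0 for "Important";
#   3. add 1.0 when the affected host is a CDE system component;
#   4. clamp to 10.0; >= 7.0 -> High, >= 4.0 -> Medium, otherwise Low.
VENDOR_UPLIFT = {"Critical": 2.0, "Important": 1.0}
CDE_UPLIFT = 1.0
ASV_FAIL_THRESHOLD = 4.0   # external rule from the ASV Program Guide, as quoted above


def risk_score(f: Finding) -> float:
    score = f.cvss_base + VENDOR_UPLIFT.get(f.vendor_rating or "", 0.0)
    if f.in_cde:
        score += CDE_UPLIFT
    return min(score, 10.0)


def risk_rank(f: Finding) -> str:
    s = risk_score(f)
    if s >= 7.0:
        return "High"
    if s >= 4.0:
        return "Medium"
    return "Low"


def internal_scan_failures(findings: List[Finding]) -> List[Finding]:
    """11.2.1: internal CDE scope passes only when no in-scope finding ranks High."""
    return [f for f in findings
            if f.in_cde and not f.external and risk_rank(f) == "High"]


def external_asv_failures(findings: List[Finding]) -> List[Finding]:
    """ASV rule: any public-scope finding with CVSS base >= 4.0 fails the scan."""
    return [f for f in findings
            if f.external and f.cvss_base >= ASV_FAIL_THRESHOLD]


def pci_11_2_report(findings: List[Finding]) -> Dict[str, object]:
    """Summarise pass/fail for the internal and external halves of 11.2."""
    internal = internal_scan_failures(findings)
    external = external_asv_failures(findings)
    return {
        "internal_pass": not internal,
        "external_pass": not external,
        "internal_high": [(f.host, f.qid, risk_score(f)) for f in internal],
        "external_fail": [(f.host, f.qid, f.cvss_base) for f in external],
    }


# Constructed sample findings (hosts and QIDs are not real).
SAMPLE_FINDINGS = [
    Finding("pos-db-01", 90001, 6.5, "Critical", True, False),  # 6.5+2+1 = 9.5 High
    Finding("pos-db-01", 90002, 5.0, None, True, False),        # 5.0+1 = 6.0 Medium
    Finding("hr-wiki", 90003, 7.5, None, False, False),         # High, but out of scope
    Finding("www-edge", 90004, 4.3, None, True, True),          # external, CVSS 4.3 fails ASV
    Finding("www-edge", 90005, 2.6, None, True, True),          # external, below 4.0
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.host, f.qid, risk_score(f), risk_rank(f))
    print(pci_11_2_report(SAMPLE_FINDINGS))
```

Note that the out-of-scope "hr-wiki" finding ranks High yet does not affect the 11.2.1 result, which is exactly why the documented scope (checklist item 1) must be represented in the tool.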

 

Quarterly Internal Scans

This brings us back to the requirement for internal scanning. It is important to remember that you need to perform these scans quarterly and after any significant change to your environment. This will mean that you will want to make sure that however you are assigning risk rankings and using risk rankings in concert with your vulnerability assessment tool, it is simple and repeatable. The ability to automatically produce an internal assessment report quarterly and after any change is a critical component of maintaining your PCI compliance.

 

It is also critical to review your PCI scope, which defines what IP addresses (both internal and external), are involved in the delivery of your payment card infrastructure. You will want to make sure that you can represent this scope in your vulnerability assessment tools to reduce the manual work that can be involved managing scope changes and reporting.

 

[Image: pci-for-dummies-2.png]

Structured Approach

In conclusion, having a structured approach for dealing with PCI DSS changes, involving relevant stakeholders, evaluating their impact, and planning controls to close the gaps, should be adopted by security teams. This will help make any security program resilient to environmental and regulatory changes and ensure that the organization can maintain PCI compliance.

A new release of QualysGuard®, Version 6.24, will be available in production on Tuesday, January 31, 2012. This release is completely transparent to users and will require no scheduled downtime. The release will occur between 12 PM PST (20:00 GMT) and 6 PM PST (02:00 AM GMT next day).

 

QualysGuard 6.24 includes several enhancements including Virtual Scanners general availability and enhancements to Policy Compliance, API and platform capabilities:

 

QualysGuard Virtual Scanner Availability:

 

QualysGuard 6.24 includes the full release of the QualysGuard Virtual Scanner Appliance.  The consultant version is easily deployed onto VMware (Workstation, Fusion, Player), Oracle VirtualBox, and other virtualization platforms, with a user console wizard allowing for a quick initial setup.  Also available is an enterprise version provided as a packaged VMware vApp that can be effortlessly deployed into VMware vSphere and vCloud environments, requiring no direct console access to the virtual appliance itself. 


QualysGuard Virtual Scanner Appliances are available to licensed customers for direct download from their QualysGuard account. For more on licensing, please contact your Qualys Technical Account Manager. For details on provisioning the virtual appliance, please refer to the appropriate user guide in the online help and follow the Qualys Community at https://community.qualys.com.


QualysGuard Enhancements:

  • Thycotic Server Integration: QualysGuard 6.24 includes integration with Thycotic Secret Server for authentication against Windows and UNIX assets, permitting customers to keep all authentication credentials used for scanning within their network perimeter.


  • OS CPE Support: QualysGuard 6.24 allows customers to display operating system information in Common Platform Enumeration (CPE) format, allowing for easier correlation and integration with products supporting that standard.


QualysGuard Policy Compliance Enhancements:


  • Host Statistics in Policy Report: The Policy Report includes a new section called Host Statistics which includes a list of hosts in the policy with the percentage of control instances that passed on each host.


QualysGuard API Enhancements:

  • Final CVSS Score Added to Asset Data Report DTD: The final CVSS score calculated for each vulnerability detection now appears in the automatic asset data report DTD (asset_data_report.dtd) in the <CVSS_Final> element when the CVSS scoring feature is enabled for the user’s subscription.
  • New Share PCI Scan API: The new Share PCI Scan V2 API (/api/2.0/fo/scan/pci/) provides an automated way to share (export) finished PCI scans to PCI Merchant accounts and check the export status. PCI scans are vulnerability scans that were run with the option profile “Payment Card Industry (PCI) Options”.


Full release notes will be available to customers from within the Resources section of your QualysGuard account. To receive more information on QualysGuard 6.24, please visit the Qualys Community at https://community.qualys.com or contact your Technical Account Manager or Qualys' Technical Support Department at support@qualys.com.

A new release of QualysGuard®, Version 6.23, will be available in production on Thursday, December 15, 2011. This release is completely transparent to users and will require no scheduled downtime. The release will occur between 20:00 GMT (12 PM PST) and 02:00 AM GMT the next day (6 PM PST).


QualysGuard 6.23 includes the following enhancements to VM, Policy Compliance, API and platform capabilities:

QualysGuard Enhancements:

  • Oracle SID or Service Name Authentication: QualysGuard 6.23 introduces the ability to identify Oracle instances by either SID or Service Name, allowing customers to easily perform authenticated scanning of Oracle instances.
  • Remove IPs from Subscriptions: QualysGuard 6.23 allows users with Manager roles to remove IPs from their subscription without requiring interaction with Qualys Support, reducing the time and effort required to eliminate unneeded or invalid IPs from QualysGuard.
  • Additional New Scanner Service Icon: QualysGuard 6.23 adds an additional icon for the status of connectivity to New Scanner Services at the Qualys SOC. The addition of a Not Used icon helps clarify when connectivity issues require immediate action, or can be safely disregarded.

QualysGuard Vulnerability Management Enhancements:

  • Improved Report Trending Data: With QualysGuard 6.23, trending reports have been changed to provide more accurate remediation metrics. Reports will now include data for vulnerabilities that have been fixed in the timeframe specified in your scan report template, even if the detection occurred prior to that window.

QualysGuard Policy Compliance Enhancements:

  • Create Policy using a Golden Image: With QualysGuard 6.23, you can now create a policy by selecting a host to act as a “Golden Image” for the new policy. During policy creation, the scan results of the "Golden Image" are used to set the expected values in your new policy.

  • Policy Editor Improvements: QualysGuard 6.23 introduces several improvements to the Policy Editor including enhanced navigation using an outline, collapsible sections within the policy, and easier management of controls. The new policy editor also allows you to switch back to the classic policy editor.

  • Deprecated Controls: To continually improve and simplify the technical controls used in Policy Compliance, QualysGuard 6.23 allows controls to be deprecated and replaced with new controls. Each deprecated control has one or more replacement controls. A new workflow is provided for replacing deprecated controls within your existing policies.

QualysGuard API Enhancements:

  • Vendor and Product Added to KnowledgeBase V2 API: QualysGuard 6.23 enhances the KnowledgeBase API v2 (api/2.0/fo/knowledge_base/vuln/?action=list) to include the new elements <VENDOR> and <PRODUCT>.
  • Deprecated Control Flag: With QualysGuard 6.23, the <DEPRECATED> flag has been added to the following DTDs: Control List Output, Policy List Output, and Posture Info Output.
  • Support for Service Name in Oracle Records: In QualysGuard 6.23 the Oracle Authentication API (/api/2.0/fo/auth/oracle/) now supports the servicename input parameter, and XML output includes the <SERVICENAME> element.
  • IPv6 Asset Management: QualysGuard 6.23 provides the new IPv6 Asset API (/api/2.0/fo/asset/ip/v4_v6) for Manager users to manage and scan IPv6 hosts using the API. Additionally, the Detection API (/api/2.0/fo/asset/host/vm/detection/) has been enhanced with the <IPV6> element to indicate the IPv6 address of hosts scanned.


Full release notes will be available to customers from within the Resources section of your QualysGuard account. To receive more information on QualysGuard 6.23, please visit the Qualys Community at https://community.qualys.com or contact your Technical Account Manager or Qualys' Technical Support Department at support@qualys.com.