In this Advisory, we'll explain security vulnerability scans, why we do them, what they do, and how they fall short of ensuring security for your e-commerce site:
Vulnerability scanning is the primary method by which the Payment Card Industry determines the security of websites for level 3 and level 4 merchants. Since the advent of the Payment Card Industry Data Security Standard (PCI DSS), vulnerability scanning is required for any business that takes payment in the form of a credit card number over the web. If you are doing business online and you are not undergoing vulnerability scans, your business is not PCI compliant.
Vulnerability scans must be conducted by a third party that has been certified by the Payment Card Industry as a Qualified Security Assessor (QSA). QSAs include Ambiron TrustWave, SecurityMetrics and ScanAlert. E-business Coach is currently working with both SecurityMetrics and ScanAlert. A full list of QSAs can be found at the official PCI site here.
A vulnerability scan is an automated procedure that investigates your website and looks for weaknesses. Vulnerability scans actually resemble an attack on your website. Both a scan and an attack begin with an investigative phase during which an attempt is made to find flaws in your website security that can be exploited. The resemblance between scans and attacks ends after the investigative phase. A real attacker would exploit any weaknesses found during the investigation to break into your web server, steal from your clients, destroy your data and damage your reputation. In contrast, a QSA conducting a scan of your site will report any vulnerabilities found so that they can be corrected and your website security can be strengthened. You might find it useful to think of QSAs as the building inspectors of the website world.
A vulnerability scan is actually a bundle of probes - each probe examines a different element of your website. Collectively, this bundle of probes examines your website from the network architecture to the underlying server software to the website application. A vulnerability scan generally contains probes that perform the following functions:
- portscan - this probe checks for open ports and active protocols and web services. For example, this portscan will discover that we are using port 22 and SFTP (we use this for the Mail Order Manager (MOM) Connector module and /misc directory access). Using port 22 and SFTP is acceptable under the PCI standards.
- examination of server software - this probe checks to find out what operating system your webserver is running and what version of the operating system is currently in use. It compares its findings with a database of vulnerabilities that spans many operating systems and many versions of those systems.
- examination of application software - this probe checks for commonly installed web applications and known potential weaknesses in each application. This probe is relatively unimportant to us because we are not using widespread and common software for our application. We are using a unique application, the Total Blue System, that we have created from the ground up. The Total Blue System does not appear on the radar of any known vulnerability scan.
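To make the portscan probe concrete, here is an added example (not code from the advisory or from E-business Coach) of what a scanner's connect-based port probe sees, paired with a policy check a site operator can run beforehand: the open ports found are compared against the services the site intends to expose, so an open port 22 carrying SFTP is reported as expected while anything unlisted is flagged for review. The expected-services table and the loopback listener are constructed for the demonstration.

```python
# Added example (not part of the advisory or of E-business Coach's tooling):
# a minimal TCP connect probe plus a policy check, so an operator can see what
# a scanner's portscan will find and whether each open port is one the site
# deliberately exposes (e.g. port 22 for SFTP, as the advisory notes).
import socket
from contextlib import closing

# Constructed policy: ports the site intends to expose and the service expected
# behind each. Anything open but not listed here is flagged for review.
EXPECTED_SERVICES = {
    22: "sftp",
    443: "https",
}


def probe_port(host, port, timeout=0.5):
    """Return True if a TCP connection to host:port succeeds (the port is open)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, timed out, unreachable: treated as not open
            return False


def scan_ports(host, ports, timeout=0.5):
    """Connect-scan the given ports and return the set that are open."""
    return {p for p in ports if probe_port(host, p, timeout)}


def evaluate_policy(open_ports, expected=EXPECTED_SERVICES):
    """Classify open ports against the policy table.

    Returns the expected ports that are open (with their service names), the
    unexpected open ports that need review, and expected ports not listening.
    """
    expected_open = {p: expected[p] for p in open_ports if p in expected}
    unexpected = sorted(p for p in open_ports if p not in expected)
    not_listening = sorted(p for p in expected if p not in open_ports)
    return {
        "expected": expected_open,
        "unexpected": unexpected,
        "not_listening": not_listening,
    }


def start_listener(host="127.0.0.1"):
    """Open a throwaway listening socket on an OS-chosen port.

    Stands in for a real service so the scan has something to find offline.
    The caller closes the returned socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_listener()
    try:
        found = scan_ports("127.0.0.1", [port, 22, 443])
        print("open ports:", sorted(found))
        print("policy result:", evaluate_policy(found))
    finally:
        srv.close()
```

Run against your own host with the real port list you expect, and treat every entry in `unexpected` as a question to answer before the QSA asks it; a scanner reports the same open ports without knowing which ones you intended.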
Vulnerability scans operate in the absence of complete knowledge about a website. A scan only 'knows' information that a server discloses to the outside world. A scan does not have the full picture that the system administrator gains by examining the system from within. For instance, a scan may know what operating system a server is using, but not what patches have been applied to the OS.
In the absence of complete knowledge, a scan operates by making educated guesses. If the scan 'thinks' that a vulnerability might exist but doesn't have enough information to be sure, it errs on the side of caution and reports a vulnerability. The guesswork of scanning engines makes it inevitable that vulnerabilities will be reported where in fact no vulnerability exists. This is the 'False Positive' problem.
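The two preceding paragraphs describe exactly how a false positive arises: the scanner sees a version string, the administrator sees the patch. This added example (not from the advisory) plays both roles in a few lines. The product name, banner, advisory identifiers and backport record are constructed placeholders; no real software or vulnerability is referenced.

```python
# Added example (not from the advisory): how a banner-based version check
# produces a finding, and how the administrator's inside knowledge (a patch the
# banner does not reveal) turns it into a documented false positive.
# Product name, banner, advisory IDs and backport record are all constructed.
import re

# Constructed advisory database of the kind a scanning engine consults:
# advisory id -> (product, first fixed version). Lower versions are flagged.
ADVISORIES = {
    "EXAMPLE-ADV-0001": ("ExampleHTTPd", (1, 2, 5)),
    "EXAMPLE-ADV-0002": ("ExampleHTTPd", (1, 3, 0)),
}

BANNER_RE = re.compile(r"^(?P<product>[A-Za-z]+)/(?P<version>\d+(?:\.\d+)*)")


def parse_banner(banner):
    """Extract (product, version tuple) from a 'Server:' style banner, or None."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    version = tuple(int(part) for part in m.group("version").split("."))
    return m.group("product"), version


def scan_banner(banner, advisories=ADVISORIES):
    """The scanner's view: flag every advisory whose fix version is newer than
    the version the banner discloses. It cannot see anything else."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    return sorted(
        adv for adv, (prod, fixed) in advisories.items()
        if prod == product and version < fixed
    )


def resolve_false_positives(findings, backported_fixes):
    """The administrator's view: separate findings the host has actually fixed
    (a distribution backport the banner does not show) from those still open.

    backported_fixes maps advisory id -> evidence string (e.g. a package
    changelog line) that can be handed to the QSA. Returns (still_open,
    false_positives_with_evidence).
    """
    false_positives = {
        adv: backported_fixes[adv] for adv in findings if adv in backported_fixes
    }
    still_open = [adv for adv in findings if adv not in backported_fixes]
    return still_open, false_positives


if __name__ == "__main__":
    banner = "ExampleHTTPd/1.2.3 (Example Linux)"  # constructed banner
    # Constructed inside knowledge: the package changelog records a backport.
    backports = {
        "EXAMPLE-ADV-0001": "examplehttpd-1.2.3-7: backported fix for EXAMPLE-ADV-0001",
    }
    findings = scan_banner(banner)
    print("scanner reports:", findings)
    still_open, fps = resolve_false_positives(findings, backports)
    print("false positives with evidence:", fps)
    print("still open:", still_open)
```

The evidence strings returned for each false positive are what the resolution process in the next paragraph is about: the scanner only saw `1.2.3`, so proving the fix is present means producing the patch record the scanner could not see. Note that the second advisory remains open, which is the correct outcome; the goal is to clear genuine false positives, not to argue away every finding.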
False positive resolution means proving to the QSA that conducted the scan that the reported vulnerability does not exist. False positive resolution is tedious and time-consuming, but it is a necessary evil if one is to pass vulnerability scans and be PCI compliant. Ask your account manager what kind of assistance is available from E-business Coach to resolve false positives resulting from vulnerability scans so you can get a passing score.
Vulnerability scanning gives only an overview of the security of your website. It allows the PCI standards council to quickly and cheaply examine websites and see if the website administrators have left the proverbial barn door open. Is the system administrator competent in maintaining the server? Is the website openly flouting the security best practices outlined in the PCI DSS? Is the website wide open to attack? Vulnerability scanning can answer these kinds of questions.
However, vulnerability scanning is not a silver bullet. It is not a comprehensive audit of your website's real security. It is possible to pass a vulnerability scan and still have weaknesses that allow your website to be broken into. Real security must continue beyond vulnerability scans.