Why is Requirement 11.2 one of the most failed by merchants and service providers alike?

Requirement 11.2 has shown up here a few times, but after looking back, I never really explored the issues in detail.  Those who have been unfortunate enough to attend one of my sessions where this topic came up know where you can make a mistake.

Requirement 11.2 mandates internal and external vulnerability scans at least quarterly (and after any significant change) for every host in scope for PCI.  Scope reduction techniques like segmentation can do wonders for limiting what needs to be scanned, and they make the biggest impact internally.  In one of my case studies, I talk about a customer that reduced the number of in-scope systems to less than 1% of their infrastructure thanks to good network segmentation.  From a risk & compliance perspective, that alone pays for any added cost associated with new equipment and maintenance.

So what’s the big deal?  I mean, seriously, how freaking hard is it to scan a few systems?  Isn’t that how security became mainstream in the first place?  Vulnerability scanning?[1]

Folderol_Follies_011, by basurablancaphoto

The fact is, of all of the requirements in PCI, 11.2 is one that companies struggle with more than they care to admit.  In more than half of the PCI assessments we did in 2008, Requirement 11.2 came up as an initial gap.  If it’s just scanning, why can’t we get it right?

Two reasons.

Reason the First: You scanned, but you forgot to obtain CLEAN scans for every quarter.  Remember, the testing procedure for Requirement 11.2 states that QSAs must “Verify that the scan process includes rescans until passing results are obtained.”  Just scanning is not enough: you have to scan, patch, and re-scan until you have a clean scan[2].  A failed scan with no passing rescan behind it is an open gap, not evidence of compliance.  Most companies do well on their external scans; it’s the internal ones that trip them up.  The reasoning on why this occurs is usually something like, “Well, the firewall blocks that type of connection, so you can’t exploit it from the outside anyway.”

Sorry chief, that doesn’t cut it.

The hardest part for companies is managing the vulnerability lifecycle.  Companies must play all four parts of the vulnerability management quartet: Discover, Patch, Retest, and Close.  Companies tripped up by this requirement typically stop at the first or second part and leave the rest unplayed.  Try listening to a song you know well, but imagine it played by only two of the four instruments.

Vulnerability Management is exactly that, a management process that must oversee the tactical steps required to comply with 11.2.

A QSA will require four quarters of CLEAN scans!

Reason the Second: You scanned externally, but forgot to scan INTERNALLY.  Yep, strange as it is, this is actually as common as Reason the First.  Back in 2004 when I first started doing CISP assessments, companies faced with complying with the monthly scan requirement (at the time, Requirement 10.2) always found some geeky tech guy from their version of the Pit of Despair to do this work.  As a testament to how far information security has come in retail, guys like that are not relevant anymore.  That guy has gone on to earn an MBA and maybe is a manager or director now, or maybe he just left retail and went to a company more suited to his skillset.  Regardless, that guy left a gap that remains unfilled.

Expanding on the management problem described above, internal scans suffer the most.  Countless companies I have worked with put internal vulnerability management on the back burner and focus only on external security threats.  Remember the Armadillo Network Model?  Hard crunchy exterior, soft chewy middle?  Works great as long as you have no insider threat and no chance that someone accidentally opens up a vulnerable service through a mis-managed firewall change.

A QSA will require both internal AND external scans!
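Both failure modes above are easy to catch before the QSA does, if you treat your scan reports as evidence and audit them.  As an added illustration (this is not code from the original post), here is a small Python check that walks the four quarters before an assessment date and flags any quarter where an internal or external scan is missing (Reason the Second), or where the latest scan of that quarter still failed with no clean rescan behind it (Reason the First).  The scan records are constructed sample data, and the rule that the QSA reviews the four quarters preceding the assessment date is an assumption made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed sample evidence (not real scan data): one row per scan run,
# as (date, scope, result).  Built to show both failure modes from the post.
SAMPLE_SCANS = [
    ("2008-01-14", "external", "fail"),
    ("2008-01-28", "external", "pass"),  # rescan after patching closes Q1 external
    ("2008-02-03", "internal", "fail"),  # Q1 internal never rescanned (Reason the First)
    ("2008-04-10", "external", "pass"),
    ("2008-04-10", "internal", "pass"),
    ("2008-07-09", "external", "pass"),  # Q3 has no internal scan at all (Reason the Second)
    ("2008-10-06", "external", "pass"),
    ("2008-10-20", "internal", "fail"),
    ("2008-11-11", "internal", "pass"),  # Q4 internal closed by a clean rescan
]


@dataclass(frozen=True)
class Scan:
    run_on: date
    scope: str   # "internal" or "external"
    result: str  # "pass" or "fail"


def parse_scans(rows) -> list:
    """Turn (iso-date, scope, result) rows into Scan records."""
    return [Scan(date.fromisoformat(d), scope, result) for d, scope, result in rows]


def quarter_of(d: date) -> tuple:
    """Calendar quarter of a date as (year, 1..4)."""
    return (d.year, (d.month - 1) // 3 + 1)


def previous_quarters(as_of: date, count: int = 4) -> list:
    """The `count` quarters completed before the quarter containing `as_of`,
    oldest first.  Assumption: the QSA reviews the four quarters preceding
    the assessment date."""
    year, q = quarter_of(as_of)
    quarters = []
    for _ in range(count):
        q -= 1
        if q == 0:
            q, year = 4, year - 1
        quarters.append((year, q))
    return list(reversed(quarters))


def quarterly_gaps(scans, as_of: date, scopes=("internal", "external")) -> dict:
    """Return one entry per (year, quarter, scope) that would be an 11.2 gap.

    A quarter/scope is clean only if it has at least one scan and the latest
    scan in that quarter passed.  A fail with no later passing rescan stays
    open; an earlier pass does not rescue a later fail."""
    gaps = {}
    for yq in previous_quarters(as_of):
        for scope in scopes:
            in_q = sorted(
                (s for s in scans if quarter_of(s.run_on) == yq and s.scope == scope),
                key=lambda s: s.run_on,
            )
            if not in_q:
                gaps[(*yq, scope)] = "no scan"
            elif in_q[-1].result != "pass":
                gaps[(*yq, scope)] = f"last scan on {in_q[-1].run_on} failed; no clean rescan"
    return gaps


def is_compliant(scans, as_of: date) -> bool:
    """True only when every quarter/scope pair has a clean scan."""
    return not quarterly_gaps(scans, as_of)


if __name__ == "__main__":
    scans = parse_scans(SAMPLE_SCANS)
    as_of = date(2009, 1, 15)
    for (year, q, scope), why in sorted(quarterly_gaps(scans, as_of).items()):
        print(f"{year} Q{q} {scope:8s}: {why}")
    print("11.2 evidence complete:", is_compliant(scans, as_of))
```

Run against the sample data with an assessment date of 2009-01-15, the check reports two gaps, 2008 Q1 internal (failed, never rescanned) and 2008 Q3 internal (no scan), and nothing for the external scope, which is exactly the pattern the post describes.  Adding a passing internal rescan dated inside Q1 closes that gap and leaves only the missing Q3 scan.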

Don’t let your next PCI Review become a PCI COMPLIANCE FAIL because this critical periodic maintenance requirement was overlooked.

This post originally appeared on BrandenWilliams.com.

  1. Tongue in cheek of course!
  2. How many times shall we put “scan” into a sentence?