The Tenable Cloud Platform and its integrated apps can simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications. The Tenable Scanner Appliance is an option with their Cloud Platform. With the Tenable Scanner Appliance, you can easily assess internal network devices, systems and web applications.
In this blog post, we will focus on the Tenable platform.
Related Post:
PCI DSS v3.0 Scanning Requirements
Vulnerability scans can be automated or manual, but they should always be performed by qualified individuals who are reasonably independent of the system components being scanned.
PCI Requirement 11.2 – Every 90 days you are required to scan for internal and external vulnerabilities. Also, any time a significant change is made to your environment, you must perform a scan.
Quarterly INTERNAL vulnerability scans via ASV:
PCI Requirement 11.2.1 states, “Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all ‘high risk’ vulnerabilities are resolved in accordance with the entity’s vulnerability ranking.” Remember the risk ranking system you created for PCI Requirement 6.1? This comes back into play for PCI Requirement 11.2.1. This risk ranking system gives you the ability to identify, prioritize, and address high risk vulnerabilities more quickly and reduce the likelihood that they will be exploited. The vulnerabilities that you find from vulnerability scans will also be useful information for your risk ranking system.
PCI Requirement 11.2.1 says that you have to perform quarterly vulnerability scans within your environment. These scans that are performed need to be done by somebody that has organizational independence and knows what they are doing because they have been trained on how to perform these scans. When you run these scans, it is likely that you are going to identify vulnerabilities. What we expect is that you feed that information back into PCI Requirement 6.1, which is your vulnerability identification and risk-ranking program. Where you have identified a vulnerability, you have risk-ranked it, and it is high in your environment, so we expect you to take corrective actions to fix that and address those vulnerabilities before the next scan.
Quarterly EXTERNAL vulnerability scans via ASV:
PCI Requirement 11.2.2 – Perform Quarterly External Vulnerability Scans via an Approved Scanning Vendor
To comply with PCI Requirement 11.2.2, you must use a PCI SSC Approved Scanning Vendor (ASV). An ASV is defined as, “An organization with a set of security services and tools (‘ASV scan solution’) to conduct external vulnerability scanning services to validate adherence with the external scanning requirements of PCI DSS Requirement 11.2.2. The scanning vendor’s ASV scan solution is tested and approved by PCI SSC before an ASV is added to PCI SSC’s List of Approved Scanning Vendors.”
The second component of PCI Requirement 11.2.2 is quarterly external vulnerability scans. External networks are at such a great risk of being compromised, which is why quarterly external vulnerability scans, and rescans as needed, are vital to scanning programs.
During an assessment, your assessor will follow these testing procedures:
- Examine your four most recent quarters of external vulnerability scans and verify that four quarterly external vulnerability scans occurred in the most recent 12-month period.
- Review the results of each quarterly scan and rescan to verify that the ASV Program Guide requirements for a passing scan have been met.
- Review the scan reports to verify that the scans were completed by an ASV.
Per PCI DSS v3.0 requirement 11.2.2, merchants are required to perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV). All cardholder data system components need to be scanned. Using the PCI module you can meet the external network scans requirement.
PCI Requirement 11.2.2 is very similar in nature to PCI Requirement 11.2.1, but PCI Requirement 11.2.2 requires that you perform external vulnerability scans. Where PCI Requirement 11.2.1 allowed an internal qualified resource to perform that activity, PCI Requirement 11.2.2 is a little different there: you must use an ASV to perform that activity on your behalf. KirkpatrickPrice would be happy to help you with that service, and we provide that service for many of our clients. There are many other organizations that can do that as well.
Nevertheless, effectively anything with a CVSS score of 4.0 or higher needs to be addressed within that quarterly timeframe. Understand that a lot of organizations might miss a scan or forget to do it for whatever reason, and then ask us to help them define a compensating control. We’ll talk about compensating controls later, but understand that this is one of those controls that is very difficult to define, especially defining a compensating control for a failure in your program. So, understand that it is different if you identify vulnerabilities versus forgetting to scan—those are really two different conversations. Your assessor in both of these cases, for PCI Requirement 11.2.1 and PCI Requirement 11.2.2, is going to be asking for evidence of your quarterly scan and then any remediation scans that you have done to demonstrate that any vulnerabilities identified have been fixed.
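The assessor's check described above (four passing scans in the last 12 months, one at least every 90 days, and a rescan after any result at CVSS 4.0 or higher) can be applied mechanically to your own scan history. The following is an added example, not code from the original post or from Tenable; the scan dates and scores are constructed, and the 90-day interval and 4.0 threshold are taken from the post as stated.

```python
from datetime import date, timedelta

FAIL_THRESHOLD = 4.0      # the post: CVSS 4.0 or higher must be fixed before a passing scan
MAX_INTERVAL_DAYS = 90    # the post: scan every 90 days

# Constructed sample history: (scan date, highest CVSS score in that report).
SAMPLE_SCANS = [
    ("2023-01-10", 3.5),
    ("2023-04-05", 7.5),   # failed: remediation and a rescan are required
    ("2023-04-20", 3.1),   # rescan after remediation, passes
    ("2023-07-12", 0.0),
    ("2023-10-03", 4.0),   # 4.0 is a fail, and no rescan was recorded
]


def scan_passes(max_cvss):
    """A report passes when nothing in it scores at or above the fail threshold."""
    return max_cvss < FAIL_THRESHOLD


def evaluate_quarterly_evidence(scans, as_of):
    """Mimic the assessor's testing procedure over the 12 months ending at as_of.

    Returns a summary with the count of passing scans, failed scans that were
    never followed by a passing rescan, and intervals longer than 90 days
    between consecutive passing scans (or since the last one).
    """
    end = date.fromisoformat(as_of)
    window_start = end - timedelta(days=365)
    in_window = sorted((date.fromisoformat(d), score) for d, score in scans
                       if window_start <= date.fromisoformat(d) <= end)
    passing = [d for d, score in in_window if scan_passes(score)]
    unresolved = [d for d, score in in_window
                  if not scan_passes(score) and not any(p > d for p in passing)]
    gaps = []
    checkpoints = passing + [end]
    for prev, nxt in zip(passing, checkpoints[1:]):
        days = (nxt - prev).days
        if days > MAX_INTERVAL_DAYS:
            gaps.append((prev.isoformat(), nxt.isoformat(), days))
    return {
        "passing_scans": len(passing),
        "unresolved_failures": [d.isoformat() for d in unresolved],
        "overdue_gaps": gaps,
        "compliant": len(passing) >= 4 and not gaps and not unresolved,
    }


if __name__ == "__main__":
    print(evaluate_quarterly_evidence(SAMPLE_SCANS, "2023-12-01"))
```

For the constructed history the summary reports only three passing scans, an unresolved failure from October, and two intervals over 90 days, which is exactly the kind of gap the compensating-control conversation above is about.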
Scans of public-facing web applications and review detected vulnerabilities
Per PCI DSS v3.0 requirement 6.6, merchants are required to perform scans of public-facing web applications and review detected vulnerabilities. Using the PCI module you can meet the web application scans requirement. Note that web application scanning is available when this option is turned on for your subscription. Please contact your Account Manager or our Support Team if you would like to use this option.
Other related PCI Controls
PCI DSS 3.1
– About 394 Controls
– Six Control Objectives
– 12 Subject Areas
The sub-requirements of Requirement 11 include:
PCI Requirement 11.1 – Identify rogue wireless devices that may have been placed in your environment, at least quarterly. You must keep a list of what is authorized so you can define what isn’t authorized. Physical inspection is the best way to meet this objective.
PCI Requirement 11.2 – Every 90 days you are required to scan for internal and external vulnerabilities. Also, any time a significant change is made to your environment, you must perform a scan.
PCI Requirement 11.3 – You must perform a penetration test at least annually and after any time a significant change is made. It must be performed by a qualified individual, cover internal and external, cover the application and network layers, validate if the segmentation is effective, and keep the results of the test and remediation for your audit.
PCI Requirement 11.4 – Install an IPS/IDS at the perimeter and at critical locations within the CDE. It needs to be configured and maintained according to the manufacturer’s standards. It can also be a host-based IPS/IDS.
PCI Requirement 11.5 – Install a File Integrity Monitoring (FIM) solution, which needs to monitor critical files, run analysis at least weekly, and follow up on any exceptions.
Tenable Vulnerability Management Portal PCI Scan
Tenable.io
Internal PCI Network Scan
This template creates scans that may be used to satisfy internal (PCI DSS 11.2.1) scanning requirements for ongoing vulnerability management programs that satisfy PCI compliance requirements. These scans may be used for ongoing vulnerability management and to perform rescans until passing or clean results are achieved. Credentials can optionally be provided to enumerate missing patches and client-side vulnerabilities. Note: while the PCI DSS requires you to provide evidence of passing or “clean” scans on at least a quarterly basis, you are also required to perform scans after any significant changes to your network (PCI DSS 11.2.3).
Two more pages, then the external scan template:
Default:
- General Settings:
  - Avoid potential false alarms
  - Disable CGI scanning
- Web Applications:
  - Disable web application scanning

Scan for all web vulnerabilities (Complex):
- General Settings:
  - Avoid potential false alarms
  - Enable CGI scanning
  - Perform thorough tests
- Web Applications:
  - Start crawling from “/”
  - Crawl 1000 pages (max)
  - Traverse 6 directories (max)
  - Test for known vulnerabilities in commonly used web applications
  - Perform each generic web app test for 10 minutes (max)
  - Try all HTTP methods
  - Attempt HTTP Parameter Pollution
Report:
PCI Quarterly External Scan
This policy MUST be used for scans submitted to Tenable (an Approved Scanning Vendor) to validate compliance with PCI DSS quarterly external scan requirements. Perform a scan with this policy, view the results in the “Scans” section, then click the “Submit for PCI” button when you feel ready.
Report
Export report:
Export PDF – Custom Group by Plugin
Report sample pages:
Cloud Scanner IP Address Segments
https://docs.tenable.com/vulnerability-management/Content/Settings/Sensors/CloudSensors.htm
| Sensor Group | Region | IPv4 Range | IPv6 Range |
|---|---|---|---|
| AP Tokyo Cloud Scanners, APAC Cloud Scanners | ap-northeast-1 | 13.115.104.128/25 35.73.219.128/25 | 2406:da14:e76:5b00::/56 |
| AP Singapore Cloud Scanners, APAC Cloud Scanners | ap-southeast-1 | 13.213.79.0/24 18.139.204.0/25 54.255.254.0/26 | 2406:da18:844:7100::/56 |
| AP Sydney Cloud Scanners, APAC Cloud Scanners | ap-southeast-2 | 13.210.1.64/26 3.106.118.128/25 3.26.100.0/24 | 2406:da1c:20f:2f00::/56 |
| India Cloud Scanners, APAC Cloud Scanners | ap-south-1 | 3.108.37.0/24 | 2406:da1a:5b2:8500::/56 |
| CA Central Cloud Scanners | ca-central-1 | 3.98.92.0/25 35.182.14.64/26 | 2600:1f11:622:3000::/56 |
| Ireland Cloud Scanners, EMEA Cloud Scanners, EU Cloud Scanners | eu-west-1 | 3.251.224.0/24 | 2a05:d018:f53:4100::/56 |
| UK London Cloud Scanners, UK Cloud Scanners, EMEA Cloud Scanners | eu-west-2 | 18.168.180.128/25 18.168.224.128/25 3.9.159.128/25 35.177.219.0/26 | 2a05:d01c:da5:e800::/56 |
| EU Frankfurt Cloud Scanners, EMEA Cloud Scanners, EU Cloud Scanners | eu-central-1 | 18.194.95.64/26 3.124.123.128/25 3.67.7.128/25 54.93.254.128/26 | 2a05:d014:532:b00::/56 |
| US Cloud Scanner, US East Cloud Scanners | us-east-1 | 34.201.223.128/25 44.192.244.0/24 44.206.3.0/24 54.175.125.192/26 | 2600:1f18:614c:8000::/56 |
| US Cloud Scanner, US East Cloud Scanners | us-east-2 | 13.59.252.0/25 18.116.198.0/24 3.132.217.0/25 | 2600:1f16:8ca:e900::/56 |
| US Cloud Scanner, US West Cloud Scanners | us-west-1 | 13.56.21.128/25 | |
| US Cloud Scanner, US West Cloud Scanners | us-west-2 | 34.223.64.0/25 35.82.51.128/25 35.86.126.0/24 35.93.174.0/24 44.242.181.128/25 | 2600:1f14:141:7b00::/56 |
| Brazil Cloud Scanners | sa-east-1 | 15.228.125.0/24 | 2600:1f1e:9a:ba00::/56 |
| UAE Cloud Scanners, EMEA Cloud Scanners | me-central-1 | 51.112.93.0/24 | 2406:da17:524:dd00::/56 |
| tenable.io | static | 162.159.129.83/32 162.159.130.83/32 162.159.140.26/32 172.66.0.26/32 | 2606:4700:7::a29f:8153/128 2606:4700:7::a29f:8253/128 2606:4700:7::1a/128 2a06:98c1:58::1a/128 |
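The ranges above are what you allowlist at the perimeter so the external scan is not blocked, and what you match against in firewall logs to confirm that scan traffic really came from Tenable and not from an unknown source. The following is an added example, not code from the original post or from Tenable: it loads a subset of the table's ranges (add the remaining rows the same way) and classifies constructed firewall log lines by source.

```python
import ipaddress

# Subset of the ranges from the table above, keyed by region.
SCANNER_RANGES = {
    "us-east-1": ["34.201.223.128/25", "44.192.244.0/24", "44.206.3.0/24",
                  "54.175.125.192/26", "2600:1f18:614c:8000::/56"],
    "eu-west-2": ["18.168.180.128/25", "18.168.224.128/25", "3.9.159.128/25",
                  "35.177.219.0/26", "2a05:d01c:da5:e800::/56"],
    "static": ["162.159.129.83/32", "162.159.130.83/32",
               "2606:4700:7::a29f:8153/128"],
}

# Parse once into network objects so lookups are cheap and typos fail early.
NETWORKS = [(region, ipaddress.ip_network(cidr))
            for region, cidrs in SCANNER_RANGES.items() for cidr in cidrs]


def scanner_region(addr):
    """Return the scanner region that owns addr, or None if it is not a listed scanner."""
    ip = ipaddress.ip_address(addr)
    for region, net in NETWORKS:
        if ip.version == net.version and ip in net:
            return region
    return None


# Constructed firewall log lines (not real traffic): key=value fields after a timestamp.
SAMPLE_LOG = """\
2024-03-01T02:14:07Z src=44.192.244.77 dst=203.0.113.10 dport=443 action=allow
2024-03-01T02:14:09Z src=198.51.100.23 dst=203.0.113.10 dport=22 action=allow
2024-03-01T02:14:11Z src=2600:1f18:614c:8042::9 dst=2001:db8::10 dport=443 action=allow
"""


def classify_log(text):
    """Split log lines into scanner-originated and other sources.

    Anything under "other" that looks like scanning activity deserves a closer look,
    since it did not come from a listed Tenable range.
    """
    result = {"scanner": [], "other": []}
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        region = scanner_region(fields["src"])
        result["scanner" if region else "other"].append((fields["src"], region))
    return result


if __name__ == "__main__":
    print(classify_log(SAMPLE_LOG))
```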