Tenable Blog

IT Security Compliance Myths

I've been collecting comments made to me by various Nessus users and Tenable customers about what it means to be compliant. This is by no means scientific, but I only put stuff on this list that I've heard more than once.

PCI requires full scans of all 65,000 Ports

There are several issues with this statement. First of all, there are actually 65535 potential port values, and 131070 if you count both the UDP and TCP protocols. Second, and more importantly, PCI doesn't say this anywhere. There are several places in the PCI standard that recommend scanning both ports 80 and 443, but nowhere does it say to do a full port scan.

Technically, performing a full scan of this nature is easy for one or two systems, but it can be difficult across a larger enterprise network. If this is something you are interested in performing on a wide scale, I highly recommend considering distributed Nessus scanners or performing passive network monitoring.

I can't use Nessus for PCI/SDP audits

This is very misleading! Many managed security providers use this argument, even though their technology is based on Nessus. Mastercard's wording is also misleading since they refer to service providers as "vendors".

In actuality, for the more in-depth PCI/SDP audits, you can't "self audit" and need to use an outside service provider to do this. Mastercard keeps a list here.

So even though you can't "self audit" yourself, if you want to be proactive, you can use the same technology the vendors are using. Many of these vendors purchase the Direct Feed for their Nessus scanners or use the Security Center for scheduling, reporting and configuration of compliance audits.

You can't be compliant and have Nessus detect "Holes"

The only compliance regulation I am aware of that specifically outlines which vulnerabilities are unacceptable is PCI. It defines levels 5 through 1, with levels 5 and 4 consisting of things like detected malware, trojans and backdoors.

If you read through what it means to run a network according to COBIT, ITIL, or NIST standards, none of them say you can't have vulnerabilities. They actually not only expect you to have vulnerabilities, but also expect you to manage them.

So if an auditor says that you can't pass your audit because you have a serious vulnerability, she may really be saying that the issue is your process for managing or detecting the vulnerability, not the vulnerability itself.

I need to have a firewall and an IDS/IPS to be compliant

Some compliance regulations do indeed say that organizations are required to perform access control and to perform monitoring. Some do indeed say that "perimeter" control devices like a VPN or a firewall are required. Some do indeed say the word "intrusion detection". However, this doesn't necessarily mean to go and deploy NIDS or a firewall everywhere.

Access control and monitoring can be performed with many other technologies. There is nothing wrong with using a firewall or NIDS solution to meet a compliance requirement, but what about centralized authentication, network access control (NAC), network anomaly detection, log analysis, using ACLs on perimeter routers and so on?

Can we get a list of Nessus checks to test for compliance?

Tenable often gets questions like this from both new and long-time Nessus users. The reality is that compliance standards audit your IT processes, not your vulnerabilities. As such, you will likely find the Nessus 3 "compliance checks" found in the Direct Feed of much more use to you in your audits than any of the latest vulnerability checks. Specific vulnerability checks are ideal for testing against the SANS Top 20 list of common vulnerabilities or even some aspects of the PCI standard. However, to prove to an auditor that your IT controls and procedures are working, Nessus can be used to audit the configuration of specific hosts and assets.

I can't perform these audits myself

Depending on the type of audit, this may be true. However, I usually hear this sort of comment as an "excuse" not to perform some sort of ongoing compliance, security or vulnerability monitoring.

For example, the NERC regulations require a vulnerability scan of all critical cyber assets once per year. If this is all you are doing, then your once-a-year scan may turn up many unexpected surprises. If you were doing more proactive scanning, or even continuous passive monitoring, you could detect compliance issues earlier, when they may be easier (and less costly) to mitigate.

Many auditors will use Nessus, or a similar type of tool, as their vulnerability scanner. Being able to run these sorts of scans before the auditors do may give you an advantage or head start and help you avoid a repeat audit.

Realtime Compliance Paper and Webinars

If this sort of summary was useful, you might be interested in how Tenable's full product line relates to PCI, SOX, FISMA, NERC and many other types of compliance audits. We've prepared an 80 page paper which "summarizes" each of these standards and shows how our vulnerability, configuration, log analysis and passive network monitoring technologies can be leveraged for "realtime" compliance monitoring. Please email us at [email protected] to request a copy of this paper.

Tenable also offers public webinars on these topics. The next few webinars cover vulnerability management, performing configuration audits with Nessus 3, SCADA network monitoring and network anomaly detection.
