Tenable's sales and support groups continue to get the following type of question:
"I'm considering purchasing a scanning service from vendor XYZ and they claim to use Nessus. Are they certified by Tenable to perform PCI scanning audits?"
There are several points to consider when such a question is posed and this blog entry will attempt to discuss many of the nuances involved with this issue.
Products are not Certified for PCI Audits
There is no product solution available on the market today that can be purchased and used to perform accredited PCI vulnerability audits. There are services which can be procured to perform vulnerability audits and some of the technology these services use is available in the form of a product.
For an organization attempting to navigate the requirements of PCI, the differences between buying a service and the product based on that service may not seem great. For example, many scanning services include an appliance which is deployed on a customer's network which gives the feeling of a product.
If an organization governed by the PCI regulation does buy a product solution to perform PCI scanning, that organization will still be required to procure a 3rd party service to perform certified PCI vulnerability scanning. These services must be acquired from an Approved Scanning Vendor.
The benefit of buying a product that can perform realistic PCI audits is that when your official quarterly PCI scan is performed, you won't be surprised and you will have had a chance to fix issues before your audit occurs. Also, if your scanning service makes an error or has inaccurate results, being able to compare their results with your own can help expedite any incorrectly reported issues.
90% of the Certified PCI Services use Nessus
The PCI organization does list more than 130 service providers that are authorized to perform PCI scans. Of those on the list, almost 90% (the actual percentage was 87%) actively use the Tenable Security Center, Nessus Direct Feed or Nessus Registered Feed. We performed this analysis by cross-referencing the published list of PCI scanning vendors with Tenable's list of customers and registered Nessus users that update their vulnerability checks at least weekly.
Does this mean that if you use Nessus to scan for vulnerabilities, you are on the path to PCI compliance? The short answer is yes, but you still need to get a 3rd party to officially audit you.
Does this mean that any service who bases their vulnerability scans off of Nessus is qualified for PCI audits? Absolutely not. To be certified for PCI scanning, the organization must submit to a rigorous process which analyzes how scans are administered and performed and most importantly, presented to the customer.
Through our Direct Feed support for Nessus and product support for MSPs that use our Security Center to perform scan scheduling and reporting, Tenable is in a unique position to work with a wide variety of solution providers which are certified to perform PCI audits. No two solution providers have the same exact solution. Many of them have different procedures and policies for performing scans and communicating with their customers. For example, some prefer to accomplish discovery with multiple tools, including direct customer input, and then perform vulnerability scanning with Nessus while others perform their audits entirely with Nessus.
Although many organizations do use Nessus to perform PCI scanning, the regulation is not tool specific and is focused on the actual vulnerabilities, policies and procedures of the organization being audited.
Differences between in-house and Remote Scanning
There are also some very stark differences between remote PCI vulnerability assessments and what can be done with an in-house tool.
For example, section 8.5.9 of the PCI Audit Procedures document specifies that user passwords should be changed every 90 days. This sort of setting is something that can be audited with the Nessus Direct Feed and Tenable has even written specific PCI audit polices to look for this setting on UNIX and Windows operating systems. However, section 8.5.9 also gives MSPs some latitude in performing these audits and there are allowances for manual review of polices.
There are many more examples of this sort of discrepancy. Searching for the term "For Service Providers Only" in the audit guidelines will show many examples where a full internal PCI audit can be replaced with manual procedural reviews.
If such a review only occurs manually and quarterly, then when violations are found, fixing them implies not only changing the settings on various servers, but also changing the procedures and policies which allowed these lapses to occur in the first place. Performing in-house automated checks allows for early detection of compliance violations.
Another advantage of in-house scanning is that you may chose to perform a credentialed patch audit with Nessus. Patch audits are very accurate and work for Windows and UNIX operating systems. If your MSP or ASV is not using credentials to audit your systems, it is possible that their scans may be less accurate than ones with credentials. If this is the case, performing these scans in-house with credentials can help expedite any issues reported by your ASV that are not accurate.
Monitoring PCI Compliance with Nessus
No discussion of PCI Compliance issues is complete without considering the full ramifications of the regulation. Complying with the PCI is much more than keeping your many e-commerce systems free of critical vulnerabilities. It includes firewall reviews, searching for insecure wireless access points, hardening of your servers with strong auditing and account security, log analysis, patch auditing and much more.
Tenable offers the 'Real Time Compliance' paper which shows how Nessus, and other Tenable log analysis and network monitoring products, can be used to audit and monitor e-commerce systems for PCI compliance and violations. The paper also discusses other regulations and IT management procedures such as COBIT and ITIL. If you are interested in reading the comprehensive paper, please email us at [email protected].
Tenable also offers a 30 minute webinar which focuses on compliance monitoring. The webinar is free but requires registration and is available to watch on-demand here.