
PCI-DSS Plugins For Nessus

Tenable’s Research Group has released three new beta plugins to all ProfessionalFeed and Security Center users that automate the process of preparing a PCI-DSS audit. The three new plugins available are:

  • PCI DSS compliance: tests requirements
  • PCI DSS compliance: passed
  • PCI DSS compliance

These plugins evaluate the results of your scan and the actual configuration of your scanner to determine if the target server could be PCI compliant. The plugins don’t perform actual scanning – they just look at the results from other plugins.

Tenable chose to audit and report on the actual scan configuration so that Nessus users can still perform basic scans and get actionable results. This helps them understand if they have some glaring vulnerabilities that need to be fixed without performing a full audit, which can include onerous tasks such as full UDP and TCP port scans.

Configuring a Scan

A system will only be reported as being seemingly PCI-DSS compliant if the scan is compliant. PCI-DSS requires many different types of thorough testing. The PCI-DSS plugins report that your scan was not configured correctly if any of the following settings are not invoked:

  • Enable all plugins
  • Enable “thorough tests”
  • Enable “experimental scripts”
  • Enable TCP scanning of all 65535 ports

If these scan settings are not invoked, plugin 33931 will report the required settings. If this plugin reports anything, it will also prevent Nessus from actually designating a machine as being seemingly “PCI” compliant.

[Screenshot: scan settings failure report]

When configuring a port scan, please keep in mind that the credentialed method enables you to enumerate all ports, as well as their listening processes, without actually scanning for all ports on the network. PCI-DSS requires that an audit of a web server be performed without any filtering. If there is no filtering between Nessus and the audited server, there is no reason to perform a full port scan.

One last point for configuring port scans – if you want to use the credentialed scanning options, be sure to disable the network scan options. If you don’t, Nessus does not report anything extra and the scans will only take longer. Tenable also provides a UDP port scanner for Nessus. This plugin is available for download from the Tenable Support Portal.

The PCI plugins are located under the Policy Compliance Nessus family as shown below:

[Screenshot: scan settings showing the Policy Compliance plugin family]

To invoke the PCI-DSS compliance analysis, under the “Advanced” tab of your Nessus scan policy, there is a “PCI-DSS compliance” option with a single checkbox. Enabling this scan preference tells the three PCI plugins to perform their analysis as shown below:

[Screenshot: enabling the PCI-DSS compliance option]

Analyzing the Results

PCI-DSS audits will generally fail for three classes of items:

  • Detection of any vulnerability with a CVSS score greater than or equal to 4
  • Detection of any Cross Site Scripting or SQL Injection vulnerabilities
  • Older versions and mis-configured SSL encryption

Because of the logic of our plugins, a scanned system will be in one of four states:

  1. It should be ready to obtain PCI-DSS compliance.
  2. The scan was good and we found information saying we were not compliant.
  3. The scan was bad and we still found information saying we were not compliant.
  4. The scan was bad and we didn’t find any information to prove we weren’t compliant.

Below is an example results output for plugin 33929:

[Screenshot: plugin 33929 results output]

The output shows the specific vulnerability IDs that determined that the system was not compliant. 
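To make the decision logic described above concrete (the scan-settings check that plugin 33931 reports on, and the four-state classification with the vulnerability IDs that plugin 33929 lists), here is an added Python model of that logic. It is an illustration written for this page, not Tenable's NASL plugin code: the policy key names, the finding categories ("xss", "sqli", "ssl") and the sample plugin IDs are assumptions, while the required-setting text and the failure classes are taken from the post.

```python
"""Model of the decision logic the post describes: the scan-settings check
(the job of plugin 33931) and the four-state PCI result classification
(the job of plugin 33929). Added illustration in Python, not Tenable's NASL
plugin code; policy key names and finding categories are assumed."""
from dataclasses import dataclass

# Boolean policy keys the scan must enable (key names assumed; the
# human-readable requirement text is taken from the post).
REQUIRED_FLAGS = {
    "all_plugins_enabled": "Enable all plugins",
    "thorough_tests": 'Enable "thorough tests"',
    "experimental_scripts": 'Enable "experimental scripts"',
}
ALL_TCP_PORTS = "Enable TCP scanning of all 65535 ports"

# The four states listed in the post.
STATE_TEXT = {
    1: "ready to obtain PCI-DSS compliance",
    2: "scan good, non-compliance information found",
    3: "scan bad, non-compliance information found anyway",
    4: "scan bad, no information proving non-compliance",
}


@dataclass
class Finding:
    plugin_id: int
    cvss: float = 0.0
    category: str = ""  # assumed labels: "xss", "sqli", "ssl" or "" (other)


@dataclass
class Verdict:
    state: int
    missing_settings: list
    failing_plugins: list


def covers_all_tcp_ports(port_range: str) -> bool:
    """True when a port range string ("1-65535", "1-1024,1025-65535") spans every TCP port."""
    covered = set()
    for part in port_range.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        covered.update(range(int(lo), int(hi or lo) + 1))
    return covered == set(range(1, 65536))


def check_scan_settings(policy: dict) -> list:
    """Return the required settings the policy does not enable (what plugin 33931 reports)."""
    missing = [text for key, text in REQUIRED_FLAGS.items() if not policy.get(key, False)]
    if not covers_all_tcp_ports(policy.get("tcp_port_range", "")):
        missing.append(ALL_TCP_PORTS)
    return missing


def fails_pci(finding: Finding) -> bool:
    """The three failure classes listed in the post: CVSS >= 4, XSS/SQLi, weak SSL."""
    return (
        finding.cvss >= 4.0
        or finding.category in ("xss", "sqli")
        or finding.category == "ssl"
    )


def classify(policy: dict, findings: list) -> Verdict:
    """Combine the settings check and the findings into one of the four states."""
    missing = check_scan_settings(policy)
    failing = sorted({f.plugin_id for f in findings if fails_pci(f)})
    scan_ok = not missing
    if scan_ok:
        state = 1 if not failing else 2
    else:
        state = 3 if failing else 4
    return Verdict(state, missing, failing)


# Constructed sample findings (plugin IDs invented for the example).
SAMPLE_FINDINGS = [
    Finding(plugin_id=10001, cvss=7.5),                  # fails: CVSS >= 4
    Finding(plugin_id=10002, cvss=0.0, category="xss"),  # fails: XSS regardless of score
    Finding(plugin_id=10003, cvss=2.1),                  # does not fail on its own
]

if __name__ == "__main__":
    # A policy with two settings wrong and a partial port range: state 3.
    policy = {
        "all_plugins_enabled": True,
        "thorough_tests": True,
        "experimental_scripts": False,
        "tcp_port_range": "1-1024",
    }
    verdict = classify(policy, SAMPLE_FINDINGS)
    print(f"state {verdict.state}: {STATE_TEXT[verdict.state]}")
    for text in verdict.missing_settings:
        print("  scan setting missing:", text)
    print("  plugins that determined non-compliance:", verdict.failing_plugins)
```

The point the model makes explicit is that the two checks are independent: a misconfigured scan never yields state 1 even with zero findings (it lands in state 4), so a clean report from a partial scan is not evidence of compliance.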

Enterprise PCI Auditing

Tenable has many different solutions that can help with PCI reporting and auditing requirements on an enterprise level. The following general PCI requirements can be easily managed, monitored and reported on with Tenable solutions:

  • PCI Requirement 1 – Nessus, the Passive Vulnerability Scanner and the Log Correlation Engine can be used to monitor firewall access control lists, activity and configurations.
  • PCI Requirement 2 – Nessus and the Passive Vulnerability Scanner audit for hundreds of default vendor settings as well as best practice system configurations.
  • PCI Requirement 3 – Nessus and the Passive Vulnerability Scanner can audit systems for data containing credit card or customer information.
  • PCI Requirement 4 – Nessus and the Passive Vulnerability Scanner can identify all SSL daemons and many different types of encrypted protocols.
  • PCI Requirement 5 – Nessus can identify the running anti-virus solution and also identify if it has been disabled, mis-configured or has out-of-date signatures.
  • PCI Requirement 6 – The Security Center is the premier tool to manage scanning data, patch audit data, configuration data and passively obtained network data. With the Security Center it is trivial to schedule scans, identify changes that impact PCI, find vulnerabilities older than 30 days and report on compliant and non-compliant systems.
  • PCI Requirement 7 – The Log Correlation Engine can be used to analyze audit trails from servers to identify access to systems with cardholder data.
  • PCI Requirement 8 – Nessus can be used to audit configuration settings required by PCI. Tenable offers several “audit” policies for Nessus which can be used to audit AIX, Solaris, Windows, FreeBSD, HP-UX and other operating systems.
  • PCI Requirement 10 – The combination of the Security Center, Nessus, Passive Vulnerability Scanner and the Log Correlation Engine allows for tracking of all access to network resources and systems with cardholder data.
  • PCI Requirement 11 – Nessus and the Passive Vulnerability Scanner can be used to regularly test systems for security issues and correct configurations. If the Log Correlation Engine is also deployed, it can be used to log the vulnerability scanning activity to prove that systems are being audited.

For More Information

During the beta period, customers are encouraged to provide feedback to Tenable by emailing us at [email protected]. Support for scanning with these plugins is not currently available in the Security Center, but Nessus results can be manually imported.

The following blog entries will be of interest to anyone who uses Nessus or the Security Center to monitor a network for compliance and security issues:
