The Value of Quarterly Internal Vulnerability Scans

Performing Internal Vulnerability Scans on a Quarterly Interval 
PCI DSS Requirement 11.2.1 requires quarterly internal vulnerability scans, performed by qualified personnel. Vulnerability scanning is an automated process designed to highlight issues across a wide range of systems at regular intervals. You will be scanning every asset within the scope of your CDE in AWS. Once a scan completes, findings need to be ranked according to your established risk-ranking process (the one Requirement 6.1 asks you to define), and anything ranked "high risk" needs to be remediated and confirmed by a rescan before your next quarterly scan.

AWS customers can carry out security assessments against their own AWS infrastructure without prior approval for a defined list of services (eight at the time of writing); check the current AWS penetration testing policy for the list before you scan. For more information, learn about vulnerability assessment and management in AWS Marketplace.

In the PCI Data Security Standard, Requirement 11.2.1 governs internal vulnerability scanning. You'll first want to establish the scope of your cardholder data environment: which assets constitute your CDE, plus any systems connected to it. All of those assets need to be scanned at least quarterly in order to meet this requirement.

You'll find vulnerability scanning solutions in the AWS Marketplace, as well as open source solutions, that can meet this requirement. Your findings must carry a risk ranking so that you know which ones are "high" and therefore must be remediated before your next scan. One question we get asked a lot about this requirement is, "Do I have to have a clean scan? We're constantly updating things and constantly remediating findings, so is it possible to comply without ever having a clean scan?" Yes, you can. In many environments you'll run a scan, get some "high" findings, and remediate them. By the time you run the next scan, what you're trying to prove is that those findings have been remediated, even though the new scan may surface new findings, at which point the clock starts over for remediating those. What you can't have is the same "high" finding persisting from one scan to the next. You need to show that you are remediating those items, even as new findings appear from scan to scan, and you want to be able to prove that you're doing this at least every 90 days.

Also, don't confuse this with Requirement 6.2, which requires critical security patches to be installed within one month (30 days) of release. If you run a scan and find that a Windows or Linux host is missing a critical security update, you have to remediate that within 30 days; you can't wait the 90 days until the next scan. If you have any questions about implementing a scanning solution and complying with this requirement for quarterly vulnerability scans, please reach out to us today. We'd be glad to help.
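As an added illustration of the scan-to-scan logic described above (this is example code written for this page, not part of the original post or any scanner's own tooling), the following Python compares two constructed quarterly scan exports and reports which "high" findings were remediated, which are new this quarter, which carried over (a Requirement 11.2.1 problem), and which missing patches have exceeded the 30-day window from Requirement 6.2. Host names, finding IDs, titles and dates are made up; the severity labels assume you have already applied your own Requirement 6.1 risk ranking to the raw scanner output.

```python
"""Scan-to-scan comparison for PCI DSS 11.2.1 (quarterly internal scans)
and 6.2 (critical patches within 30 days). Example code, not scanner output."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str                          # scanner plugin / check id
    title: str
    severity: str                            # your own ranking: "high", "medium", "low"
    patch_released: Optional[date] = None    # set when the finding is a missing vendor patch


# Constructed sample exports for two consecutive quarterly scans (hypothetical hosts and ids).
Q1_DATE = date(2021, 1, 15)
Q1 = [
    Finding("web-01", "P-1001", "OpenSSL out of date", "high", date(2020, 12, 8)),
    Finding("web-01", "P-2002", "TLS 1.0 enabled", "medium"),
    Finding("db-01", "P-3003", "Missing Windows cumulative update", "high", date(2020, 12, 8)),
]
Q2_DATE = date(2021, 4, 10)
Q2 = [
    Finding("web-01", "P-2002", "TLS 1.0 enabled", "medium"),
    Finding("db-01", "P-3003", "Missing Windows cumulative update", "high", date(2020, 12, 8)),  # still open
    Finding("app-02", "P-4004", "Unauthenticated RCE in app server", "high", date(2021, 3, 30)),  # new
]


def _keys(findings, severity="high"):
    """Set of (host, finding_id) pairs at the given severity."""
    return {(f.host, f.finding_id) for f in findings if f.severity == severity}


def carried_over_high(prev, curr):
    """High findings present in both scans: these fail 11.2.1, they are not 'work in progress'."""
    return sorted(_keys(prev) & _keys(curr))


def new_high(prev, curr):
    """High findings first seen in the current scan: the remediation clock starts now."""
    return sorted(_keys(curr) - _keys(prev))


def remediated_high(prev, curr):
    """High findings from the previous scan that no longer appear: evidence of remediation."""
    return sorted(_keys(prev) - _keys(curr))


def interval_ok(prev_date, curr_date, max_days=90):
    """True if the two scans are no more than max_days apart (quarterly cadence)."""
    return 0 < (curr_date - prev_date).days <= max_days


def overdue_patches(findings, as_of, max_days=30):
    """Missing critical patches older than max_days as of the scan date (Requirement 6.2).
    These cannot wait for the next quarterly scan regardless of the 90-day cadence."""
    return sorted(
        (f.host, f.finding_id)
        for f in findings
        if f.severity == "high"
        and f.patch_released is not None
        and (as_of - f.patch_released).days > max_days
    )


def compliance_summary(prev, prev_date, curr, curr_date):
    """Everything an assessor would ask for from a pair of consecutive scans."""
    return {
        "interval_ok": interval_ok(prev_date, curr_date),
        "remediated": remediated_high(prev, curr),
        "new": new_high(prev, curr),
        "carried_over": carried_over_high(prev, curr),
        "overdue_patches": overdue_patches(curr, curr_date),
    }


if __name__ == "__main__":
    for key, value in compliance_summary(Q1, Q1_DATE, Q2, Q2_DATE).items():
        print(f"{key}: {value}")
```

With the constructed data the script shows one high finding remediated (web-01, P-1001), one new high finding whose 90-day clock has just started (app-02, P-4004), and one carried-over high finding on db-01 that is also a patch released more than 30 days before the scan, so it fails both the scan-to-scan test and the 30-day patch rule. In practice you would populate the `Finding` records from your scanner's CSV or JSON export and keep the results alongside the scan reports as your evidence for the assessor.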
