How Often Should You Run a Vulnerability Scan?
Like a check-up with the doctor or a visit to the dentist, vulnerability scans of your network are a small inconvenience that could help to identify or prevent a big problem.
If you’re responsible for organising scans at your contact centre, here’s the lowdown on keeping your systems healthy.
What’s the Difference Between an Internal and External Scan?
To be sure that a system is really secure, PCI DSS regulations require that both internal and external scans be conducted. To put it simply, external scans scan from the outside – looking for holes in your firewalls where hackers might be able to break in. Internal scans, on the other hand, work inside your firewalls – looking for any vulnerabilities in your network, such as manually uploaded malware or weaknesses that could be used by a hacker after a breach.
How Often Should We Be Running Scans?
Officially, scans should be carried out quarterly, but the PCI Security Standards Council does clarify this with an ‘at least’. In reality, the most secure systems run scans far more often, some even weekly or daily. Scanning as frequently as possible will make sure you’re on top of any vulnerabilities as soon as they crop up, potentially averting a disaster.
As well as the official quarterly scan, PCI DSS regulations also require complete internal and external scans after any significant changes to your network – such as new devices or upgrades – in order to ensure none of these have compromised your security.
Can We Run Scans Ourselves?
While both internal and external scans are conducted by computer programs, unfortunately, they can’t both be carried out in-house; the PCI DSS states that all external scans must be made by an Approved Scanning Vendor. Internal scans can be carried out by an employee, but they must be qualified and completely unrelated to your team members who are in charge of security.
What Should the Vulnerability Scan Cover?
Approved software vendors or ASVs will cover everything required for PCI DSS compliance, but a few key things to look out for are live system identification, service discovery, OS and service fingerprinting, coverage of all commonly used platforms, ability to perform a scan without interference from IDSs/IPSs, and accounting for load balancers. A scan must also never at any point be disruptive to your business, so DoS and buffer overflow attacks are not necessary.
Should We Keep Audit Trails?
Absolutely. When in doubt, document!
If you’re audited for PCI DSS compliance, your auditor will expect to see evidence of scans, results of scans, evidence of vulnerability correction, evidence that scanners were approved or qualified, and evidence that you ran scans after any significant changes. However, if you’re running scans more frequently than the recommended amount, you don’t necessarily need to document each one as rigorously – only documentation regarding the official quarterly scans will be required during an audit.