I got an interesting email right before I ran off on vacation from Mark on a PCI issue he blogged about:
13. Arrangements must be made to configure the intrusion detection system/intrusion prevention system (IDS/IPS) to accept the originating IP address of the ASV. If this is not possible, the scan should be originated in a location that prevents IDS/IPS interference. snip… I understand what the intention of this requirement is. If your IPS is blacklisting the scanner IPs then ASVs don’t get a full assessment because they are a loud and proud scan rather than a targeted attack… However, blindly accepting the originating IP of the scanner leaves the hosts vulnerable to various attacks. Attackers can simply reference various public websites to see what IP addresses they need to use to bypass those detective or preventive controls.
I figured no assessor would ask their client to open up big holes just to do a scan, but lo and behold, after a little bit of research it turns out this is surprisingly common. Back to email:
It came up when I was told by my ASV (“Approved Scanning Vendor”) that I had to exclude their IPs. They also provided me with the list of IPs to exclude. Both [redacted] and [redacted] have told me I needed to bypass the IDS. When I asked about the exposure they were creating, both told me that their “other customers” do this and it isn’t a problem for them.
If your ASV can’t perform a scan/test without having you turn off your IDS/IPS, or whitelist its source addresses outright, it might be time to look for a new one. Especially if those source IPs are published or otherwise easy to figure out, because then the exception you opened for the scanner is an exception anyone can look up.
For the record, “everyone else does it” is the dumbest freaking reason in the book. Remember the whole jumping off a bridge thing your mom taught you?
Reader interactions
10 Replies to “How To Tell If Your PCI Scanning Vendor Is Dangerous”
We are having the ASV scan our network, and we are able to scan the whole network except the relay server in the DMZ.
It is showing tiny packet fragmentation and a TCP SYN flood while scanning the IP of the relay server.
This brings down the internet traffic on both ISPs in the network (even though we are scanning from one of the ISPs).
Can anyone suggest something regarding this?
I’m about as big an information-centric wonk as you’ll find, and I still don’t think we’re close to pulling firewalls.
Many of the tools we have only exist because we can’t nail our processes down and behave consistently.
I’m doing a speech this month on Information-centric Security and I really start it off by trashing (the concept of) Firewalls etc.
However, as much koolade as I have drunk over the last few weeks I still can’t get with the idea of removing the Firewall totally.
The only time I would say “you don’t need a Firewall” is when you are absolutely sure of exactly what ports you have open on every single one of your devices at all times.
Or when your Internet link is down.
IDS is as good as the person who is watching it 24/7. (If the answer to that is “no-one” then it serves no purpose.) IPS is the same with the added benefit of an “automatic someone” to watch the traffic.
While I agree with LonerVamp that a scan must be done in depth (see my comment above) I feel much more secure with a person on my site doing the scan.
One thing that I haven’t been too strict about in the past but I can see myself being very strict about in the future is knowing what happens to the data that is collected.
[…] groups emerging quality assurance efforts will make sure this kind of stuff doesn’t happen. http://securosis.com/2008/09/19/how-to-tell-if-your-pci-scanning-vendor-is-dangerous/ Link to […]
@lonervamp (and dre)
Conceptually I agree- IPS and *most* of our security technology doesn’t offer a fraction of the value it claims. Ideally secure code, configuration, and basic network/system design are a much better approach.
But I also struggle with the reality of the complexity of our environments, lack of political influence, and, to be blunt, lack of education and knowledge of many practitioners. Sure, I get to skip AV, IPS, and a host of other things, but due to a mix of compliance, religion, time, and other factors plenty of people are stuck with them.
That doesn’t mean we should excuse it, but it does mean we should be more understanding of those that use the tools. And, to be honest, I’ve talked with plenty of clients that get a lot of value out of stuff we might not appreciate- the ones that configure it properly, have good processes around it, and find that it really reduces risk.
Oh, how to respond to anything…post on my blog, or make long posts here? I’ll do both! Hopefully I can stay under the length of Dre’s comments. 😉 Wait, did I see “masturbation” in there somewhere when I skimmed through the first time? O_o
Oh, and read to the bottom where I bring SCADA into this. 😉
There are a few points I want to address:
1) Turning off things like IPS for vendor scanning.
2) The futility of things like IPS/WAF
3) When is a vulnerability something I care about?
1) I agree with turning things like your security controls off for scans. First of all, I’d want to know what is underneath those controls. Hell, I’d like to do a scan with them off and another with them on so I can fill in those comment boxes for countermeasures implemented! But really, I find little qualm about making exceptions for scans if that gives me some valuable information. The caveat would be that those exceptions are documented, surgical, and time-limited.
Let’s say you’re a security professional. Someone asks you to evaluate their system. You want as much visibility as possible to make a proper assessment. The same holds true for doctors, lawyers, physical security agents, baseball coaches. They all need deep access to maybe even your darkest secrets, otherwise their job is impeded. And I do find value in giving experts those deep secrets.
I would disagree that an external scan is really all about what an attacker sees, especially since a) I don’t give a shit about who scans me or how often (ok, there is some value there, but not enough to interrupt my gaming sessions) and b) I can’t predict what an attacker wants to see. Sure, I want to know how limited a view an attacker can get of my systems, but does that actually guarantee anything? It just guarantees I’ll waste my time and/or miss something on the periphery.
2) I agree with the above sentiments about IPS/WAFs, etc. They mean well, and when someone is dedicated to making them work and babysitting them, I think they have value. But let’s face it, people don’t babysit them. I am in charge of my company’s IPS devices, but god knows I only look at the logs once in a blue moon. It pains me, but…such is the problem with not being dedicated solely to security. So, is that really giving me added value? Not really. In fact, most of the value I afford it is with the logging and detecting, not the preventing.
Dre and others are correct. We have far more important and “easier” things to worry about than deeply inspecting our DMZ traffic. I wish we could worry about that stuff, but there are far bigger issues leading to compromises and bad press. (Then again, this is a natural extension of the resistance people have to us fixing their bigger issues, so we fall back into what we do control without violent pushback…the network and traffic.)
3) (Hopefully Rothman approves my comment on his post today on this topic!) The bottom line is that I care about vulns that are underneath my security controls. I want to know that my controls are not just wasted, and I want to know when I have some soft internal parts that need to be specifically protected. I also want to know them so that I can make proper remediation decisions and evaluate hypotheticals properly. If I have server B that is internal but has a vulnerability, I want to know that in case someone in control of server G can laterally attack it once inside my network. Sure, it might be game-over already, but ultimately at some point I have to answer the question of, “How far did attacker G get, or where could he have gotten?”
I don’t want to be the one to stand in front of my boss and explain that I didn’t know about vuln X in server B just because I made what is now a bad assumption about the risk of server B.
I think SCADA can be a poster-child to this idea. 🙂
The key term everyone misses is ‘cause interference’.
If it’s an IDS, then it passively monitors, and causes no interference to the ASV scan.
If it’s an IPS, set it to monitor but not block from the ASV source IPs.
There is still alerting and risk monitoring capability in place, the ASV results are not distorted/interfered with by the IDS (or configured IPS), and everyone’s happy.
Nor has anyone really mentioned that most pentesting companies regard IPS as attack connectors, not effective attack blockers, nor that most IPS purchases end up sitting in monitor mode, NOT active blocking mode.
just one humble opinion.
lyalc
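The two comments above converge on the same practical rule: an ASV exception should be monitor-only (alert, don’t drop), scoped to the scanner’s actual source ranges, documented in a change ticket, and expire with the scan window. The following model is an added example written for this page, not code from Securosis or any commenter; the 198.51.100.0/24 and 203.0.113.0/24 ranges are RFC 5737 documentation addresses standing in for an ASV’s published list, and the ticket IDs, policy limits and event timestamps are constructed. It shows the difference between “bypass” (what the vendors in the post asked for, which the validator rejects) and “monitor”, and that the exception stops applying the moment the window closes.

```python
"""Monitor-only ASV scan exception for an inline IPS (added example).

Ranges, tickets, limits and timestamps are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

MAX_HOSTS_PER_RANGE = 256       # assumed policy: nothing broader than a /24
MAX_WINDOW = timedelta(days=7)  # assumed policy: exceptions expire within a week


@dataclass(frozen=True)
class ScanException:
    ticket: str          # change ticket recording who asked, and why
    networks: tuple      # ASV source ranges as CIDR strings
    mode: str            # "monitor" = alert but pass; "bypass" = skip inspection
    start: datetime      # scan window, timezone-aware
    end: datetime

    def active(self, now):
        return self.start <= now < self.end

    def covers(self, src):
        addr = ip_address(src)
        return any(addr in ip_network(n) for n in self.networks)


def validate_exception(exc):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if not exc.ticket:
        problems.append("undocumented: no change ticket")
    if exc.mode != "monitor":
        problems.append("mode %r skips inspection; only 'monitor' is allowed" % exc.mode)
    if exc.end - exc.start > MAX_WINDOW:
        problems.append("window longer than %d days" % MAX_WINDOW.days)
    for n in exc.networks:
        if ip_network(n).num_addresses > MAX_HOSTS_PER_RANGE:
            problems.append("%s is broader than a /24" % n)
    return problems


def ips_verdict(src, now, engine_flagged, exceptions):
    """What the inline IPS does with one flow.

    "allow" for traffic the engine did not flag, "drop" for flagged traffic,
    and "alert" (logged, not blocked) only when the flagged traffic comes from
    an ASV range inside an active exception that passes validation.
    """
    if not engine_flagged:
        return "allow"
    for exc in exceptions:
        if exc.active(now) and exc.covers(src) and not validate_exception(exc):
            return "alert"
    return "drop"


def demo():
    """Constructed scan window and events; returns the verdict per event."""
    start = datetime(2008, 9, 22, 0, 0, tzinfo=timezone.utc)
    asv = ScanException("CHG-1234", ("198.51.100.0/24",), "monitor",
                        start, start + timedelta(days=2))
    # What the vendor in the post asked for: a blanket bypass with no end date.
    blanket = ScanException("", ("0.0.0.0/0",), "bypass",
                            start, start + timedelta(days=30))
    during, after = start + timedelta(hours=1), start + timedelta(days=3)
    return {
        "asv_problems": validate_exception(asv),
        "blanket_problems": validate_exception(blanket),
        "asv_scan_in_window": ips_verdict("198.51.100.7", during, True, [asv]),
        "asv_ip_after_window": ips_verdict("198.51.100.7", after, True, [asv]),
        "other_source_in_window": ips_verdict("203.0.113.9", during, True, [asv]),
        "clean_traffic": ips_verdict("203.0.113.9", during, False, [asv]),
        "blanket_never_applies": ips_verdict("10.1.2.3", during, True, [blanket]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-24s %s" % (name, value))
```

The point of routing flagged ASV traffic to “alert” rather than dropping it silently is lyalc’s: the scan is not interfered with, but the sensor still records what the scanner did, so the exception is auditable. Because `ips_verdict` re-validates the exception on every flow, a request that was broadened to a bypass or had its expiry removed after approval falls back to the normal drop behaviour instead of quietly opening the hole the post warns about.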
I was basically saying that my experience with vendors offering scanning services is that they just don’t do much. The level of testing they do does not rise above the normal noise on the Internet. Monkey enter IP address(es). Monkey push start button. Monkey save output. I’m not talking about the full breadth of PCI compliance, i.e. on-site stuff, although that can suffer from the same zombie auditor issue. The scans don’t prove you’re secure and neither does the rest of PCI. IMHO, compliance just validates that you’re not grossly insecure. Which, as has been said, is a fine start.
Adrian is absolutely correct – PCI is a good start.
It is also possible to game the system and get PCI compliance without being secure.
The question you have to ask yourself (punk) is whether you want to be secure and prove it or be insecure and be “compliant”.
If you just want to be compliant without being secure then you may as well get Matt’s poo-flinging monkey. Alternatively find someone who really understands Information Security and can do a site visit.