Download - Qualys Webex 24 June 2008
Using Qualys to manage risks in vulnerability scanning and patch and configuration management.
Vladimir Jirasek
DSG International plc
Content
About DSG International
DSGi PCI DSS requirements
Patch management standard
Qualys in facts
Feedback, issues and challenges
DSG International plc
DSG International is one of Europe's leading specialist electrical retailers.
We have more than 1,300 stores and on-line stores, spanning 28 countries and employing 40,000 people. More than 100 million customers shop in-store and on-line with us every year.
Grown by investing in Europe's largest electrical retailers
We own brands like Currys, PC World, Pixmania, The TechGuys, PC City, Electroworld, Elkjop
PCI DSS defines 4 levels of merchants
Level   | # of transactions                                | Review by                          | Vulnerability scan
Level 1 | over 6m in any channel                           | QSA                                | ASV (e.g. Qualys)
Level 2 | 1m - 6m in any channel                           | self questionnaire                 | ASV (e.g. Qualys)
Level 3 | 20k - 1m online transactions                     | self questionnaire                 | ASV (e.g. Qualys)
Level 4 | less than 20k online or up to 1m in any channel  | self questionnaire (not mandatory) | ASV (e.g. Qualys) (not mandatory)
source: http://www.pcistandard.com/merchantlevels.html
DSGi's PCI DSS project
• Programme started in Q2 2007
• Gap analysis identified some control weaknesses
  – No system to fulfil requirements of PCI DSS v1.1:
    – 11.2 - external and internal vulnerability scanning
    – 6.6 - web application scanning
    – 2.2 - system hardening/configuration
• DSGi's requirements for the system:
  – Approved Scanning Vendor (ASV) certified by PCI SSC
  – Software as a Service - no HW or SW to maintain
  – Minimum admin overhead
  – Scales to large international implementations
  – Easy to use with out of the box PCI DSS reports
  – Internal scanning managed via the same interface
  – Clear roadmap for compliance checking and web application scanning
System classification for patch management and risk management

[Diagram: network zones and example systems - Internet, Internal network, Head office, DMZ, Store network; POS server, mainframe, eBusiness VPN GW, acquirer settlement]

Remediation deadline by system classification (rows) and vulnerability severity (columns):

System level | Critical  | Important     | High         | Medium       | Low
5            | 24 hours  | 5 days        | 14 days      | 20 days      | 40 days
4            | 5 days    | 10 days       | 20 days      | 1 month      | 2 months
3            | 10 days   | 20 days       | 1 month      | 2 months     | 3 months
2            | 6 months* | Next release* | Next release | Next release | No fix
1            | no fix*   | no fix*       | no fix       | no fix       | No fix

Network or Host IPS may lower the level by 2
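As an added example (not part of the deck or of DSGi's tooling), the following code turns the remediation matrix above into a triage check: given scan findings with the host's system classification, the vulnerability severity and whether an IPS protects the host, it computes the due date and lists findings that are past due. Assumptions not stated on the slide: the IPS rule lowers the system classification level and floors at 1, one month is 30 days, and the hostnames and dates are constructed.

```python
from datetime import date, timedelta

# Remediation deadlines from the slide's matrix: rows are system
# classification levels (5 = most critical), columns vulnerability
# severities. Integers are days; strings are the slide's non-dated cells.
# Assumption (not stated on the slide): 1 month = 30 days.
SEVERITIES = ("Critical", "Important", "High", "Medium", "Low")
MATRIX = {
    5: (1, 5, 14, 20, 40),
    4: (5, 10, 20, 30, 60),
    3: (10, 20, 30, 60, 90),
    2: (180, "next release", "next release", "next release", "no fix"),
    1: ("no fix",) * 5,
}

def effective_level(system_level, ips_protected):
    """Slide rule: a network or host IPS may lower the level by 2.
    Assumptions: the rule applies to the system level and floors at 1."""
    if system_level not in MATRIX:
        raise ValueError("system level must be 1..5")
    return max(1, system_level - 2) if ips_protected else system_level

def remediation_due(found_on, system_level, severity, ips_protected=False):
    """Due date for a finding, or the matrix string when no date applies."""
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    sla = MATRIX[effective_level(system_level, ips_protected)][SEVERITIES.index(severity)]
    return found_on + timedelta(days=sla) if isinstance(sla, int) else sla

def overdue(findings, today):
    """findings: (host, found_on, level, severity, ips) tuples.
    Returns (host, severity, due) for dated findings past due on `today`."""
    late = []
    for host, found_on, level, severity, ips in findings:
        due = remediation_due(found_on, level, severity, ips)
        if isinstance(due, date) and due < today:
            late.append((host, severity, due))
    return late

# Constructed sample findings; hostnames and dates are made up.
SAMPLE = [
    ("pos-srv-01", date(2008, 6, 1), 5, "Critical", False),  # due 2008-06-02
    ("dmz-web-02", date(2008, 6, 1), 5, "Critical", True),   # IPS: level 3, due 2008-06-11
    ("hq-file-03", date(2008, 6, 1), 4, "Low", False),       # due 2008-07-31
    ("store-kiosk", date(2008, 6, 1), 2, "High", False),     # "next release", never dated
]
```

Running `overdue(SAMPLE, date(2008, 6, 24))` reports the two critical findings on level-5 hosts as overdue and leaves the "next release" finding undated.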
Authenticated scan proved to address false positives and increased visibility of issues
Non-authenticated scan can only reveal a limited number of vulnerabilities without breaking into the system
Authenticated scan has a lower number of false positives and gives a better picture of the patch and configuration status of a system
[Chart: Authenticated scan vs Normal scan; values shown: 134 and 804]
DSG's Qualys implementation facts
• Started in February 2008
• 1200 IP addresses - of which 150 external
• 7 Business units
• 17 Qualys appliances
• External and internal scans weekly - over 300 scans in 4 months
• Daily maps of external IPs and DMZs
• Two Qualys managers
• Reader/Scanner accounts of IT administrators and 3rd parties
• Testing the Compliance module
• Preparing to test the Web application scanning module in Q3 08
Overall feedback is positive
IT teams now see Qualys as a useful tool-set rather than something for security managers to beat them up with (which we do anyway :)
Even diligent IT managers were surprised at what Qualys found on their systems when they had believed their systems had been properly patched
Reports for PCI DSS are well structured and understood by the PCI DSS team
Modular architecture of Qualys could help us utilise future functionality improvements easily (compliance and web application scanning)
Contact details
Vladimir Jirasek
Information security & compliance manager
DSG International plc