PCI Compliance Training Labs

Uploaded by gsuriv, posted 18-Jul-2016


All Material contained herein is the Intellectual Property of Qualys and cannot be reproduced in any way, or stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the express written consent of Qualys, Inc.

Please be advised that all labs and tests are to be conducted within the parameters outlined within the text. The use of other domains or IP addresses is prohibited.


Introduction

The purpose of this class is to familiarize you with the functionality of the QualysGuard PCI interface. The primary focus will be on the 11.2.2 requirement of the PCI Data Security Standard (DSS).

PCI Compliance is an operational task. In order to properly manage this task, the following steps have been outlined as best practices for use with QualysGuard PCI.

Here is the outline of what you will be reviewing in the lab today:

1. Obtain a Trial account – You will create your own trial account in the lab. You will use this account to walk through the process for the 11.2.2 requirement.

2. Set up IP assets - Configure your IP addresses within the user interface, so they can be scanned for PCI compliance.

3. Map (Discover) the network – Discover devices within the environment and verify the QualysGuard scanners can reach the public, external IP addresses you’ll be scanning for compliance.

4. Scan the network – Scan your network for vulnerabilities and review which ones you will need to fix to be compliant.

5. Remediate any necessary risks – Patch/resolve the failing vulnerabilities for the IP addresses which are part of your Cardholder Data Environment (CDE).

6. Submit False Positives

7. Report on scans – Build your reports, which will include an Executive and Technical Report.

8. Submit Attestation to ASV

9. Submit Report to Acquiring Bank

Maintaining the ongoing progress of PCI Compliance is necessary for business and security purposes. In order to process credit cards, you must be PCI Compliant. The process repeats itself every 90 days. The QualysGuard PCI application will require a scan within 30 days of the report submission.

The labs within this workbook are based on the best practices outlined above, and each lab builds on the last.


Planning Qualys PCI Compliance Deployment

Section Outline

Introduction

Qualys and Internal Scanning

Qualys and External Scanning

Geographical Considerations

Architectural / Network Considerations

Process Considerations

Staffing Considerations

Introduction

While many of you will have already deployed QualysGuard Vulnerability Management or QualysGuard PCI in an enterprise environment, there are still deployment considerations that can be useful as your deployment scales to meet the needs of the enterprise. QualysGuard can help with your compliance initiative in various parts of the PCI Data Security Standard. This particular class will focus on the external 11.2.2 requirement.

Qualys and Internal Scanning

While this class will focus on the external requirement, there are other parts of the DSS where Qualys can help you with compliance. The 11.2.1 requirement of the DSS requires the scanning for vulnerabilities on the internal Cardholder Data Environment (CDE).

The 6.1 requirement of the DSS now requires you to resolve all internal vulnerabilities classified as “High”. Combined with the 11.2.1 requirement, it specifies the Scan Customer must rescan internally until all vulnerabilities labeled as “High” are resolved.

This process differs, however, from the 11.2.2 requirement because there is no attestation process needed.

You can use the QualysGuard Vulnerability Management application and a QualysGuard Scanner Appliance you’ve installed in your environment to help you meet the 11.2.1 requirement of the DSS.

Qualys and External Scanning

The external scanning requirement of the DSS has a unique process. It involves several different parties working together to achieve a common goal: PCI Compliance. To fully understand the requirement, you need to understand the parties involved.

Payment Brands – The payment brands (e.g. Visa, MasterCard, etc.) are the entities enforcing the overall PCI standard.

Acquiring Bank (Acquirer) – The bank that processes the credit card payments for the merchant.

Approved Scanning Vendor (ASV) – A company approved by the PCI Security Standards Council allowing it to perform external scans for the 11.2.2 requirement.


Scan Customer – The merchant or service provider required to be compliant. The Scan Customer will use the scan solution provided by the ASV to meet the 11.2.2 requirement for compliance.

Qualys (and some Qualys Partners) is an Approved Scanning Vendor (ASV). As a Scan Customer, you will use the service provided by the ASV to scan your environment for vulnerabilities. The QualysGuard PCI interface allows you to go through the entire process for this 11.2.2 requirement.

Geographical Considerations

With most enterprises existing in multiple locations, geographic considerations need to be included in the deployment design. Time zone challenges and manned versus unmanned facilities do play a role in the deployment.

The 11.2.2 requirement of the PCI DSS requires the publicly accessible IP addresses of your Cardholder Data Environment (CDE) to be scanned for vulnerabilities. The QualysGuard Cloud Platform allows you to scan those IP addresses (wherever they are in the world) with no additional software or equipment to maintain.

Architectural and Network Considerations

After any geographical considerations are taken into account, the next step needs to be determining the best deployment for a given geographical location, based on architectural and network requirements.

Here are some considerations you might need to take into account when scanning a network for PCI Compliance.

1. How many segments will need to be scanned?

a. How many hosts are on each segment?

b. Can you segment hosts off the network that don’t need to be scanned to reduce the scope for PCI Compliance?

2. Are there internal and external segments that need to be scanned? For PCI compliance (DSS 11.2.2), the bank requires a report on all externally facing devices. For PCI compliance (DSS 11.2.1), merchants are required to scan internally, but no report submission is typically required for internal devices.

3. Are VLANs being used?

Understanding the architectural foundation of the network is paramount to understanding the needs of your enterprise.

Process Considerations

Process must also be considered. These are the QualysGuard PCI processes you will refine over time, but to start, there needs to be a general understanding of the need.

1. What are the sizes of the proposed scanning windows? Depending on the policies within your enterprise, there may be a specific amount of time during which devices can be scanned.

2. How often will you need to scan your externally facing devices? Every 90 days (every quarter) you are required to send a passing report to your bank. As a best practice, Qualys recommends you scan at least every 30 days to ensure remediation of any found vulnerabilities. You will also want to allow time for the submission of false positive requests.

3. What are the remediation windows for the hosts? Another process to take into consideration is the remediation time frames an enterprise may have. Those vulnerabilities which impact private data may have to be remediated in a very small time frame.


Using Qualys PCI Compliance Application

Set up a Trial Account

Navigate to the QualysGuard PCI Trial page: http://www.qualys.com/forms/trials/pci_compliance/

Ensure you follow the instructions below, when filling out the form for your Trial Account. Use the illustration above as an example.

1. Type your First and Last Name.

2. Enter your personal or work e-mail address (marketing materials will be suppressed from the address you provide). Do NOT use any e-mail address that has already been used to create a PCI account.

3. For Company, use QualysTraining followed by an underscore character, and your e-mail address (QualysTraining_yourEmailAddress.com). Your Qualys Instructor will use this company name to locate your account, and provide additional privileges.

4. Enter any Job Title you like (the word “Other” is acceptable).

5. Enter any Phone number you like (it does not have to be an actual phone number).


6. As a special adjustment for TRAINING accounts, change the country to “Antarctica.”

7. Choose any number for Company Size.

8. Click the “Create Account” button.

Please notify your Qualys Instructor, once you have clicked the “Create Account” button. Once your account has been located, your instructor will update your account with additional privileges.

Logging In

Prerequisites/System Requirements

Essential: a QualysGuard PCI account (created above); a modern browser (Firefox 3, IE7, Safari v3); the Java browser plug-in.

Useful: for PDF reports, Adobe Acrobat Reader or comparable; for ZIP archives, an un-zipping program.

Tip: QualysGuard download/verification windows sometimes are obstructed by browser pop-up blockers. Enable/whitelist pop-up windows from the qualys.com domain.

1. You will receive an email message with your trial account information. Click the one-time link in this email to obtain your login info (credentials and login URL).

2. The link in the email sent to your email account will have you open your browser and navigate to the login URL.

3. Fill in your login credentials and click “Login.”


4. To use this tool you must agree to the Service User Agreement. Click “I agree”.

Organization/Navigation and Menus

Navigation: Home Menu

1. View the home page and the navigation menu on the left. Click on Network and see your choices under it.

2. Also find the Quick Answers section, which will help get you started.

3. In the upper right hand corner is your login, merchant name, and help section. Open up the Help menu for further investigation on any question you might have.


Exercises (5 Minutes)

Goal: Familiarize yourself with Account Settings.

Why? To get started, we need to understand our Account Settings and the IP Assets we will scan.

How? Click on “Account” on the left.

1. Go to Account > Settings

Here is where you will find information about your company, primary contact information, acquiring bank, and account information.

2. Choose Edit under Bank Information. Scroll to the bottom of the page, and fill in “Bank of Qualys” under “Other Banks” and click “Save”.

This bank will get your PCI Compliance report when you submit the report. Normally, you would select your Acquiring Bank. This step is required in order for you to submit the report to your Acquirer.

3. View your subscription information so you know how many IPs you can scan.


The page within “Settings” gives you all your account information. You can find the following:

IPs purchased

IPs in account

Web Applications Purchased

Web Applications in account

Scan Customer (Merchant) information

Primary Contact information

Bank information

Add IP addresses to your subscription

Goal: Ensure the account has IP assets.

Why? In order to scan your environment and ultimately submit a report for PCI compliance, you need to first add IP assets to your account.

How? Navigate to Account Settings and use the IP Wizard.

4. Navigate to Account > IP Assets.

5. Click on “Walk me through Wizard.” The PCI Council requires you to enter all of your IPs and domains considered in-scope.

The “scope” for the 11.2.2 requirement is any part of your network that is in, or has a path to, your CDE.

6. Click “Next” and then “Add new IPs.” Add the following IP range:

64.39.106.242-64.39.106.244

It is very important to enter these addresses correctly! Please note that within this lab you only have permission to scan this block of IP addresses.

7. Click “Next” through domains.

8. Notice the Wizard asks you whether there are load balancers in your environment.

In this case, we are not using any Load Balancers. In your actual environment, you’ll need to ensure the Load Balancers are configured correctly.

9. Click “No” for Load Balancers, and then “Next.”

You’ll also need to ensure you are whitelisting the Qualys scanners on your IPS systems. The list includes the following IPs:

64.39.96.0/20 (64.39.96.1-64.39.111.254)

10. Click “Finish” to close the Wizard.
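As an added example that is not part of the workbook, the following Python checks the scanner whitelisting just described: it confirms the CIDR block matches the range printed beside it, and flags IPS drops of ASV scanner traffic aimed at the in-scope hosts, since such drops would leave a compliance scan incomplete. The IPS log format and its lines are constructed for this example.

```python
import ipaddress
import re
from typing import List, Tuple

# ASV scanner source block the workbook says to whitelist on IPS devices.
ASV_SCANNER_BLOCK = ipaddress.ip_network("64.39.96.0/20")

# The only hosts this lab account is permitted to scan (the workbook's in-scope range).
LAB_SCOPE = (ipaddress.ip_address("64.39.106.242"), ipaddress.ip_address("64.39.106.244"))


def cidr_matches_range(cidr: str, first: str, last: str) -> bool:
    """Check that a CIDR block's usable addresses are exactly the range printed
    beside it, so a whitelist built from either form admits the same scanners."""
    hosts = list(ipaddress.ip_network(cidr).hosts())
    return hosts[0] == ipaddress.ip_address(first) and hosts[-1] == ipaddress.ip_address(last)


def is_asv_scanner(src_ip: str) -> bool:
    """True when a connection's source address belongs to the ASV scanner block."""
    return ipaddress.ip_address(src_ip) in ASV_SCANNER_BLOCK


def in_lab_scope(ip: str) -> bool:
    """True when an address lies inside the in-scope range entered in the IP Wizard."""
    a = ipaddress.ip_address(ip)
    return LAB_SCOPE[0] <= a <= LAB_SCOPE[1]


# Constructed IPS log lines (hypothetical format: timestamp action src= dst= dport=).
SAMPLE_IPS_LOG = """\
2016-07-18T10:00:01 allow src=64.39.104.7 dst=64.39.106.242 dport=443
2016-07-18T10:00:02 drop src=64.39.104.7 dst=64.39.106.243 dport=22
2016-07-18T10:00:03 drop src=198.51.100.9 dst=64.39.106.243 dport=22
2016-07-18T10:00:04 drop src=64.39.104.7 dst=64.39.106.250 dport=22
"""

_LINE = re.compile(
    r"^\S+ (?P<action>allow|drop) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def blocked_scanner_probes(log_text: str) -> List[Tuple[str, str, int]]:
    """Find IPS drops of ASV scanner traffic toward in-scope hosts. Each hit is a
    probe the whitelist failed to admit; drops from non-ASV sources or toward
    out-of-scope hosts are ordinary policy and are left alone."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if m is None or m["action"] != "drop":
            continue
        if is_asv_scanner(m["src"]) and in_lab_scope(m["dst"]):
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits
```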


Network Discovery Section Outline

Discovery Overview

Launching a Discovery Scan

Viewing Discovery Results

Discovery Overview

Discovery Scans find host devices, their operating systems, and where they live in the network. They discover those hosts configured with an IP address using TCP “SYN” and UDP port scans. ICMP (ping) is also used during the Discovery Scan. The Discovery Scan is a good first step in conducting your assessment because you can verify whether the host is accessible from the external scanners before launching a full vulnerability scan.

Launching A Map

Discovery can be an initial task in QualysGuard PCI. It will allow us to see what devices we have in our environment.

1. Navigate to the “Network,” and select “Discovery.”

2. Select “New Scan”


3. In the “Title” field, type in “Discovery Scan 1.”

Leave the bandwidth setting at Medium. You can change the bandwidth setting to speed up or slow down the scan.

4. Click on “Select IPs.”

5. Highlight your block of IPs, and select “Expand.” Select all of the IPs in your block of IPs, and click “Add.” Click “Close” to close the pop-up window.

6. Launch your Discovery Scan by pressing “OK.”

View Discovery Scan List

If you navigate back to Network > Discovery, you can see the history of your Discovery Scans. You’ll be able to view the scan results after the scan completes.

Actions:

The scan details action tells you the details of the scan: the scan settings and the IPs scanned.

If you want to view the results of the scan, you can click on the magnifying glass.

Viewing Discovery Results

7. View the discovery results by clicking its view icon.

8. If you click on “Details” directly underneath the title of the scan, you’ll also see the information on the scan.

9. Click on the “Details” listed below “Total Hosts.” (You will only have three Total Hosts).

10. What is the DNS name for device 64.39.106.243? _____________

11. How did we discover device 64.39.106.244? _____________

12. Were any of the devices found New Hosts? _____________


Network Scanning Section Outline

Prelude

Launch a Scan

Scan Results

Vulnerabilities

Submit False Positives

Prelude

So far, you have launched a Discovery Scan to see what was in your network. However, you don’t learn about any vulnerabilities on your host systems using a Discovery Scan. In order to find the vulnerabilities you need to fix to be PCI Compliant, you need to launch a Network Scan.

Launch a scan

1. Navigate to the Network > New Scan.

2. Enter your Title, and select all the IP addresses in the subscription (you will use the 3 IP addresses you entered earlier).


3. Press “OK” to launch your Scan.

As you can see, launching a PCI scan is relatively easy. There is no spot to modify your scan settings, as the PCI Security Standards Council dictates the scan requirements to the Approved Scanning Vendor.

Scan Results List

The “Scan Results” screen lists running, finished, and canceled scans. You can also cancel running scans from here.

Actions:

Cancel a running scan.

Re-run a scan using the same parameters.

View a scan.

Download the scan results.

View vulnerabilities found during the scan.

Obtain information about the scan such as what IPs were scanned, the date of the scan, and bandwidth.

Scan Results

4. Click “Scan Results” on the left to see the scan’s results. Then download your results as a PDF by clicking the download icon.


5. How many LOW vulnerabilities were in your network? _________

6. How many combined MEDIUM and HIGH vulnerabilities were there? _________

7. Did any of the devices pass for PCI Compliance? ________

8. How long did the scan take? ________

Rescan

To perform a new scan with the same options as a previous scan, you can click on the Rescan icon to the left of the status column.

QualysGuard will attempt to use the same details and choose a new title with the current date. You don’t have to do this for the purposes of this lab.

Vulnerabilities

Within QualysGuard PCI, the application looks for vulnerabilities in your environment that tell you whether the device is compliant or non-compliant based on requirements defined in the DSS. There are exceptions to the CVSS scoring system, where a vulnerability below a score of 4.0 could cause a Fail. Qualys takes the guesswork out of the equation, by marking vulnerabilities causing a fail with a “FAIL” label. In most cases, if the vulnerability has either a confirmed or a potential severity level of HIGH or MEDIUM, it causes a Fail.

1. Now go back to the QualysGuard PCI. Navigate to “Vulnerabilities.” (Network > Vulnerabilities)

The Vulnerabilities page is where you go to find all of the issues you need to resolve in order to be PCI Compliant for the 11.2.2 requirement. You can sort by vulnerability title, IP address, or Severity level.

Up at the top of the document you have other ways to filter. If you want to see the vulnerabilities for one IP address, you can plug that IP address into the “Search by IP address” field.


You can sort by potential and confirmed vulnerability, and their different severity levels. You can also take a look at pending false positives.

2. Click on “Filter Results,” and type in SSH.

You can also search on QID (the numeric identifier Qualys gives to each vulnerability it tracks), or you can display only the vulnerabilities that cause a failed report. Remove SSH from the filter field.

3. Search on QID 86737. What devices have this vulnerability? ___________

4. How would one fix this vulnerability? _________

5. Will this particular vulnerability cause us to fail PCI Compliance? _________

6. What is the CVSS base and CVSS temporal score for this vulnerability? ________

Submit a False Positive

It is possible there will be an occasion where Qualys reports a vulnerability you feel doesn’t apply to a particular host. The False Positive process should be started after you’ve remediated all that you can remediate. You can submit an exception that will be considered a “false positive.” If the particular false positive you submit is approved, it will NOT cause a PCI fail for 90 days. All false positives must be resubmitted every quarter as per the PCI Data Security Standard. If the false positive is rejected, you must resolve the vulnerability and confirm the fix worked with another scan. Once the false positive is approved, it will also be removed from the most recent Scan Results Report. The vulnerability for the host will also be removed from the vulnerability list for the appropriate host. When you submit your PCI report to your bank, both the technical and executive reports will be submitted.

1. Find a failing vulnerability, and click on the checkbox next to it.

2. Click the “Review 1 False Positive” button.

3. Click the plus sign next to “Vulnerability Details” and “Results.”

It’s important to do your due diligence when you are submitting a false positive. When Qualys (the ASV) receives the false positive, it will review whether it’s valid.

4. Enter the following text: “Student Test Submission – Please auto reject.” Press “Submit False Positive Request.” Obviously, this is where you would normally put a reason to indicate the vulnerability is in fact a false positive.

5. Then click on “Home.”


6. Navigate to Network > False Positive History. Here you will see whether your False Positive was requested, approved, rejected, or expired. If you click on the information button, you can see all of the information pertaining to that particular false positive, and track where it is in the submission process. Below, you can see all of the possible statuses for a false positive.
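As an added example that is not part of the workbook, the following Python models the pass/fail and false positive rules from the Vulnerabilities and Submit a False Positive sections above: HIGH or MEDIUM findings (confirmed or potential) fail, an approved false positive suppresses that finding on that host for 90 days, and a report needs a scan within 30 days of submission. The QIDs, scores, dates and the always-fail list are constructed placeholders, not Qualys data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Time limits stated in the workbook.
FALSE_POSITIVE_VALIDITY = timedelta(days=90)     # an approved false positive holds for 90 days
MAX_SCAN_AGE_AT_SUBMISSION = timedelta(days=30)  # the scan must be within 30 days of submission


@dataclass(frozen=True)
class Finding:
    qid: int
    ip: str
    severity: str    # "HIGH", "MEDIUM" or "LOW"
    confirmed: bool  # False means a "potential" vulnerability
    cvss_base: float


@dataclass(frozen=True)
class FalsePositive:
    qid: int
    ip: str
    status: str      # "requested", "approved", "rejected" or "expired"
    approved_on: Optional[date] = None


# Constructed placeholder: QIDs that fail regardless of CVSS score, standing in for the
# workbook's "exceptions to the CVSS scoring system" where a score below 4.0 still fails.
ALWAYS_FAIL_QIDS = frozenset({900001})


def causes_fail(f: Finding) -> bool:
    """Workbook rule: a confirmed or potential HIGH/MEDIUM fails, as do the exceptions."""
    return f.qid in ALWAYS_FAIL_QIDS or f.severity in ("HIGH", "MEDIUM")


def false_positive_active(fp: FalsePositive, f: Finding, today: date) -> bool:
    """An approved false positive suppresses that finding on that host for 90 days."""
    return (fp.qid == f.qid and fp.ip == f.ip and fp.status == "approved"
            and fp.approved_on is not None
            and today - fp.approved_on < FALSE_POSITIVE_VALIDITY)


def host_status(ip: str, findings: Iterable[Finding],
                false_positives: Iterable[FalsePositive], today: date) -> dict:
    """PASS/FAIL for one host, with the QIDs still blocking compliance."""
    fps = list(false_positives)
    failing = [f for f in findings if f.ip == ip and causes_fail(f)]
    suppressed = sorted(f.qid for f in failing
                        if any(false_positive_active(fp, f, today) for fp in fps))
    open_fails = sorted(f.qid for f in failing if f.qid not in suppressed)
    return {"ip": ip, "status": "PASS" if not open_fails else "FAIL",
            "open_fail_qids": open_fails, "suppressed_qids": suppressed}


def report_submittable(statuses: Iterable[dict], scan_date: date, submission_date: date) -> bool:
    """The report can go to the acquirer only if every host passes and the scan is fresh."""
    fresh = timedelta(0) <= submission_date - scan_date <= MAX_SCAN_AGE_AT_SUBMISSION
    return fresh and all(s["status"] == "PASS" for s in statuses)


# Constructed sample data: QIDs, scores and dates are made up for this example.
SCAN_DATE = date(2016, 7, 1)
FINDINGS = [
    Finding(100001, "64.39.106.243", "HIGH", True, 7.5),
    Finding(100002, "64.39.106.243", "LOW", False, 2.6),
    Finding(100003, "64.39.106.244", "MEDIUM", False, 5.0),
    Finding(900001, "64.39.106.244", "LOW", True, 3.9),  # low score, but an always-fail QID
]
FALSE_POSITIVES = [
    FalsePositive(100001, "64.39.106.243", "approved", date(2016, 6, 1)),
    FalsePositive(100003, "64.39.106.244", "requested"),  # still pending, so no effect
]
ALL_HOSTS = ("64.39.106.243", "64.39.106.244")


def statuses_on(today_iso: str, hosts: Iterable[str] = ALL_HOSTS) -> List[dict]:
    """Compliance status of each host as of a given day (ISO date string)."""
    today = date.fromisoformat(today_iso)
    return [host_status(ip, FINDINGS, FALSE_POSITIVES, today) for ip in hosts]


def submittable_on(submission_iso: str, hosts: Iterable[str] = ALL_HOSTS) -> bool:
    """Could the report built from SCAN_DATE be submitted to the bank on this day?"""
    return report_submittable(statuses_on(submission_iso, hosts), SCAN_DATE,
                              date.fromisoformat(submission_iso))
```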


Compliance Section Outline

Current Vulnerability Report

Generate Attestation Report

Submitted Reports Page

Executive Report

Technical Report

Current Vulnerability Report

You can pull a full report with all of the vulnerabilities in your environment and find what vulnerabilities are causing you to fail PCI Compliance. The report can be sent to the Operations team or those people responsible for remediation.

1. Navigate to Compliance > Compliance Status.

2. Click the checkbox next to 64.39.106.243 and 64.39.106.244.

3. Click “Download Report”.

The downloaded report tells you all about the current vulnerabilities on these two hosts. It will indicate a “fail” or a “pass” next to each vulnerability so you know which specific vulnerabilities need to be fixed for PCI Compliance.

4. How many vulnerabilities are there on 64.39.106.244? ________

5. Locate 105359 QID. What category is this type of vulnerability? ________

6. Why is it a failing vulnerability? _______

Generate Attestation Report

After you pull the report to see the vulnerabilities, you need to remediate all of the issues in your environment that have a “FAIL” label next to them. After the vulnerabilities are all resolved, and the false positives are approved, you can submit the passing report for attestation and then to the bank.

7. Navigate to Compliance > Compliance Status.

8. Click “Generate Report.”


The next thing that comes up is the Wizard that will walk you through submitting your report to your ASV. Your ASV will need to attest to your report before you can submit it to your bank for compliance purposes.

9. Click “Next,” and then click “Enter a single comment for all issues.” For the question “Is the software securely implemented?” you can click “No.” Enter your comment, and click “Next.”

10. Enter a single comment for all non-compliant IPs. Click “Next.” Then enter your name and your title.

Remember, you will need to agree that the scope of your scan is your responsibility, not that of the ASV. You must also take into account that the report you are submitting does not represent your overall compliance status.

11. Enter your submission title. For instance, “Q1 – PCI report.” Press “Generate Report.”

12. Once your report is generated, you can click “Next.” Then, click “Save for Later.” Here, you will see the status of your report. You have not yet submitted your report for Attestation. You can pull the information on the report, the Executive Report, and the Technical Report. You can also submit the report to your bank, which is the final step in the PCI Compliance process.

13. Click on the Executive and Technical Reports.

Both of these reports get submitted to your ASV when you click “Request Review.” The technical report can help with identifying vulnerabilities and assist with remediation if necessary. All vulnerabilities marked with a “FAIL” will need to be resolved for PCI Compliance.

Note the Status of your report and the Next Action of your report.


For the purposes of this lab, you will not submit the Attestation. However, you can see the status of each report. Currently, your report shows “Request Review.” If you were to click on that link, you’d be given a Wizard to submit the report for Attestation purposes. Once you receive the report back from your ASV (Qualys in this case), the report will show as “Attested.” You’d then submit to your acquiring bank by clicking “Submit.”


Open Services Report

The open services report is what you will use to meet the 1.1.6 PCI DSS requirement. You will be able to see the open services found on each device and classify them as authorized or unauthorized. The report is going to show you all the services, ports and protocols detected by your most recent scan.

When Qualys detects the service, it will show up in your list as “Unreviewed.”

Now you will walk through the steps of marking a service as authorized.

1. Navigate to Network > Open Services Report. Here you will see all of your open services per host, and you can download a report in PDF or CSV format for your devices.

2. Find the open services on 64.39.106.243. Click the check box next to the service running on port 139. Click the “Classify As” button.

You must determine whether this is a service that should be running in your environment. In this example case, you will approve this particular service.

3. Add the following comments: “This service is an approved service for this device in our environment.”

When doing this in your own environment, you can continue to mark these services accordingly. Note that you can change the classification right away. The service records your comments along with the date the comments were changed.

4. Click on “Authorized” next to the comment you just put into the interface.

5. Change the classification to unauthorized. Enter comments indicating this is no longer a supported service, and press “Submit.”

6. Click on your username under comments to view the comments. The most recent comments will be on top.


Web Application Scan

Earlier in the day, you focused on Network scanning to meet the DSS section 11.2 requirement. Next, you will take a look at Web Application Scanning, which will enable individual web applications to be checked for vulnerabilities. This will satisfy DSS section 6.6. Web Application Scanning (WAS) is based on the premise that not only can a host be vulnerable, but how an application is deployed can also be vulnerable. WAS crawls and checks links for vulnerabilities such as:

SQL Injection

Blind SQL injection

XSS

Sensitive Content leakage

In QualysGuard PCI WAS, the setup is pretty straightforward.

Navigate to Web Applications > New Scan

Create a Web Application Record

Select authentication (optional)

Launch Scan

Web Application Scan

1. Navigate to Web Applications > New Scan.

2. Title the Scan “Web App Scan 1.”

In order to run a Web Application Scan, you first need to create a Web Application Record.

3. Click on “New” next to Application.

4. Type “Web Application Record.”

5. For the site, use https://demo6.sea.qualys.com. It is an application in the Qualys lab environment.

It is very important to enter this site information correctly. Please note within this lab you only have permission to scan this particular site (demo6.sea.qualys.com).

6. The port will be port 443 and we will use “/” as the starting URI. Press “Save.”

To perform an authenticated scan, you’ll need to create an authentication record.

7. Click on the “Edit” icon to set up an Authentication Record. Then, click “Add” to set up the record.


Title: Auth Record

You will use Form Authentication.

User Name: admin

Password: abc123

8. Save the Authentication Record. Save the Web Application Record.

You have built an application within QualysGuard along with its authentication record, which will allow the service to log in as an authenticated user.

9. Click “Scan” next to the application you just created.

10. Give the Scan a title.

11. Ensure your Application Record is selected as well as your Authentication Record. Select GET & POST for form submission.

Use the rest of the default settings in your scan, and click “OK” to launch the scan. Some time will need to pass before the scan finishes. When Qualys performs the crawl and vulnerability checks, it crawls the whole FQDN and tests it.

12. Once the Scan completes, navigate to Web Applications > Scan Results. Download the report.

Did the scan find any SQL injection vulnerabilities? __________

What were their QIDs? _________

What is blind SQL injection? ___________

How might you resolve QID 150029? _________

If you want to edit this particular web application or its authentication record, you can do so by navigating to Account > Web Applications.


Contacting Support

Overview

Try as we may, inevitably, you will need to contact support. In order for us to properly and efficiently troubleshoot issues, we will need information from you.

There are 3 ways to contact support:

The QualysGuard PCI Interface

Email to [email protected]

For Critical issues – call Support:

U.S. and Canada: +1.866.801.6161 24x7

Europe, the Middle East and Africa: +33.1.41.97.35.81 24x7

UK: +44 1753 872102 24x7

With the QualysGuard PCI interface, you will have all the necessary information at your fingertips. From QualysGuard PCI on the left, click “Contact Support.”


Viewing Resources

Also, there is a user guide, PCI frequently asked questions, and PCI Council information. It’s located right under the Contact support section.