PCI-DSS: Vulnerability Duration & Scan Frequency – Not Quarterly Scans.

Why Vulnerability Duration is the key metric in vulnerability management for high risk findings.

Some compliance standards (PCI-DSS) require quarterly scans of your external and internal networks that are “in scope” for your specific compliance related systems or networks.

Why Quarterly Scans?

Requiring quarterly vulnerability scans and remediation is an easy way to set a minimum standard for scanning and remediation of vulnerabilities. Quarterly scans should be considered a “low standard”, where continuous compliance and continuous vulnerability scanning are the widely accepted goal that companies should be working toward.

Why Not Quarterly Scans?

There are some fairly basic timing issues you run into requiring quarterly vulnerability scans and remediation that put an unreasonable burden on large companies while not truly improving security over other methods.

Scenario:

So the requirement is that you Scan AND Remediate vulnerabilities within a 90 day window. So what if it takes 2 weeks to run a scan on your several million IP addresses, and maybe another week or so to run your application scanning on 30 or 40 web applications and put together your list of findings.  You are now easily 30 days into your 90 day window.

Now you get the scan results, process the thousands of findings (because vulnerability scanners tell you everything from what ports are open to missing patches) to determine what truly needs to be worked on, and determine who needs to fix which findings. You are now easily 40 days into your 90 day window.

Next you communicate your findings to the folks that can actually resolve the findings and try to determine who is going to work with you and what they can plan to do, (because they always act like the findings are a surprise even though they have been getting them every 90 days for the past 3 years). This easily puts you 50 days into your 90 day window.

So no problem. We now have 40 days left out of 90 to

1) change requirements for release schedules,

2) make code changes and go through Q/A processes,

4) change priorities for entire infrastructure teams,

5) ask various application teams to go through testing and Q/A for webserver configuration changes.

6) Go through all the normal change control documentation and bureaucracy associated with any decent sized IT shop’s change control process.

7) Validate all of the vulnerabilities have been resolved.

Wait! So that 40 days (not business days, only about 28 business days, or around 5-6 weeks at best) doesn’t seem very long anymore. The more mature of an IT company you are, with more mature testing and Q/A and prioritization requirements you have around your business, the harder it is for you to stop on a dime and change priorities.

What is the alternative???

I feel the true intent of requiring a 90 day window for vulnerability scans and remediation is to ensure that you are regularly looking for and resolving security vulnerabilities.  I propose that measuring “Vulnerability Duration” is more important that requiring quarterly scans. I explain why below.

Vulnerability Duration?

Vulnerability Duration can be defined as the duration of time between when a vulnerability is found, and the time when it is resolved.

What is the difference between Vulnerability Duration and Quarterly scans?

The important difference is that requiring quarterly scans assumes that you have short window of time needed to scan and report vulnerabilities. However, for large companies this simply isn’t possible yet. So requiring quarterly scans and remediation requires a large company to typically only have a month or less to remediate vulnerabilities, because much time is needed to get “workable” findings, and run validation scans on the vulnerabilities within that 90 day window also.

This means that requiring quarterly scans only gives large companies about 30 days or so to react to vulnerabilities. Is this the true intent of the quarterly scan requirement???

Also, the quarterly scan requirement also allows vulnerabilities to exist in environments for over 90 days. If a vulnerability is created shortly after a scan, it can exist undetected for a full 90 days (or more) until the next scan in the next quarter is run.

What is the Point I really want to make??

Vulnerability Duration focuses on the true amount of time that a vulnerability exists in an environment, and doesn’t focus on an arbitrary 90 day window for performing specific actions of vulnerability management. Vulnerability duration focuses on the important stuff. It focuses on how long a vulnerability exists and keeps that duration small.

Measuring “Vulnerability Duration” requires the “Continuous Compliance” mindset. If I can scan  for vulnerabilities every 2 weeks or as often as possible, I have the ability to distribute scan findings much more often than every 90 days. This should create a much smaller window of time that vulnerabilities can exist in my environment because vulnerabilities are….

1) Being found much more quickly.. And

2) Vulnerabilities are resolved much closer to the time that they are found.

What does it take to pull this off?

In order for the focus on Vulnerability Duration to be effective you must be scanning for vulnerabilities as often as possible. This means as soon as one scan ends, the next begins. This constant scanning and reporting of vulnerabilities creates the time saving loop that should create a much shorter window of time that vulnerabilities exist.

Analogy – Leaky Boat

I have a leaky boat. The general estimate is that the boat can keep afloat for a week with a leak. So I only check for leaks once a week. Some weeks, no leaks at all. Some weeks, there is a lot of water in the engine room. On a really bad week, there are several leaks and the boat sinks. If I check for leaks and fix them every day there is much shorter amount of time available for any leaks to flood the boat and cause damage. Although not perfect, I think this analogy makes sense.

Why post this at all?

My whole point is that a PCI assessor,  PCI QSA, acquiring banks, and the PCI Council should consider that quarterly scans are a bare minimum that has been set. Requiring the outdated mindset of having to create quarterly reports can hamper the ability for companies to move forward with a “Continuous Compliance” mindset where they are scanning and remediating all the time and measuring vulnerability duration instead of focusing on this quarterly scan and report requirement.

Alternative to the PCI Quarterly Scan requirement?

Allow an alternative reporting method instead of quarterly scans only. Something like having a PCI ASV attest that scans are taking place more often than every 90 days and that the vulnerability duration of any PCI impacting findings do not reside more than 90 days. Anything open more than 90 days would require some type of documentation.