Adhering to the PCI DSS requirements is not only important but essential in ensuring your organization is prepared for the increased spending and shopping this holiday season. Today we’re doing a deep dive into one of the 12 requirements found in the PCI DSS v3.2 document. Keep reading to see why Requirement 11 is important and how you can tackle it with Core Impact in your toolkit.
11.1 Implement processes to test for the presence of wireless access points and detect and identify all authorized and unauthorized wireless access points on a quarterly basis. Maintain an inventory of authorized wireless access points and implement incident response procedures in the event unauthorized wireless access points are detected.
Core Impact has the ability to detect and inventory all wireless access points within range, as well as any devices connected to these access points. Devices “beaconing” (powered on, but not connected and looking for an access point) can also be identified. Users can then compare the list of identified access points to a list of approved access points and determine if there are any unauthorized access points running.
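The comparison step in 11.1 (detected access points versus the maintained inventory of authorized ones) is easy to get wrong by hand: MAC addresses arrive in mixed formats, a known radio may start advertising a different SSID, and an unknown radio advertising one of your own SSIDs deserves a faster incident-response path than a stray printer hotspot. The script below is an added example and is not Core Impact code; the survey and inventory formats, the field names, and all BSSIDs and SSIDs are constructed for illustration.

```python
"""Reconcile a wireless survey against an inventory of authorized access points.

Added example, not Core Impact code. Survey/inventory formats and all
BSSIDs, SSIDs and counts are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    bssid: str     # MAC of the radio as seen in beacon frames
    ssid: str      # advertised network name ("" if hidden)
    channel: int
    clients: int   # stations seen associated with this BSSID


# Constructed authorized inventory (the list 11.1 asks you to maintain):
# BSSID -> SSID that radio is expected to advertise.
AUTHORIZED = {
    "00:11:22:33:44:01": "CorpWiFi",
    "00:11:22:33:44:02": "CorpWiFi",
    "00:11:22:33:44:03": "Guest",
    "00:11:22:33:44:04": "CorpWiFi",   # not present in the survey below
}

# Constructed survey results, as a detection tool might export them.
SURVEY = [
    ObservedAP("00:11:22:33:44:01", "CorpWiFi", 6, 12),
    ObservedAP("00:11:22:33:44:02", "CorpWiFi", 11, 8),
    ObservedAP("00-11-22-33-44-03", "Guest", 1, 3),          # same radio, different MAC format
    ObservedAP("aa:bb:cc:dd:ee:01", "CorpWiFi", 6, 2),       # unknown radio using our SSID
    ObservedAP("aa:bb:cc:dd:ee:02", "Printer-Setup", 1, 0),  # unknown radio, own SSID
]


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon-separated form so formats compare equal."""
    return mac.strip().lower().replace("-", ":")


def classify(observed, authorized):
    """Bucket each observed AP against the inventory.

    authorized:   BSSID in inventory and SSID matches
    ssid_mismatch: BSSID in inventory but advertising an unexpected SSID
    unauthorized: BSSID not in inventory
    impersonating: subset of unauthorized that advertise an authorized SSID
    missing:      inventory BSSIDs not seen in this survey (offline or out of range)
    """
    inventory = {normalize_mac(b): s for b, s in authorized.items()}
    our_ssids = set(inventory.values())
    result = {k: [] for k in ("authorized", "ssid_mismatch", "unauthorized",
                              "impersonating", "missing")}
    seen = set()
    for ap in observed:
        bssid = normalize_mac(ap.bssid)
        seen.add(bssid)
        if bssid not in inventory:
            result["unauthorized"].append(ap)
            if ap.ssid in our_ssids:
                result["impersonating"].append(ap)
        elif inventory[bssid] != ap.ssid:
            result["ssid_mismatch"].append(ap)
        else:
            result["authorized"].append(ap)
    result["missing"] = sorted(b for b in inventory if b not in seen)
    return result


def incident_queue(result):
    """Order unauthorized APs for follow-up: impersonators first, then by client count."""
    ranked = sorted(result["unauthorized"],
                    key=lambda ap: (ap not in result["impersonating"], -ap.clients))
    return [(ap.bssid, ap.ssid, ap.clients) for ap in ranked]


if __name__ == "__main__":
    r = classify(SURVEY, AUTHORIZED)
    for bucket, aps in r.items():
        print(bucket, [getattr(a, "bssid", a) for a in aps])
    print("follow-up order:", incident_queue(r))
```

The `missing` bucket matters as much as `unauthorized`: an inventory entry that never appears in a quarterly survey is either decommissioned (update the inventory) or out of the survey's range (extend the survey), and either way the inventory is no longer evidence of coverage.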
11.2 Run internal and external vulnerability scans at least quarterly or after any significant change in the network. Include rescans as needed until all “high” vulnerabilities are resolved; scans must be performed by qualified personnel.
Core Impact has the ability to automatically validate both the vulnerabilities found during a scan and the remediation efforts made to patch those vulnerabilities. Through the “Vulnerability Scanner Validator,” Core Impact can automatically take the results from a vulnerability scan and test the vulnerabilities directly to confirm they are present on the target. With the “Remediation Validator,” Core Impact can retest a list of targets to ensure that remediation efforts were successful, then produce a report that highlights the changes from the original test.
11.2.2 Quarterly external vulnerability scans must be performed via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.
Both internal and external scans can be imported into Core Impact and correlated, and “Remediation Validation” can be run against the results. All critical vulnerabilities can be retested once remediation is complete.
Core Security is certified as an ASV through its Security Consulting Services (SCS) team. After remediation efforts, Core Impact can take in the results and validate whether patching was successful.
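The retest-and-report loop described for 11.2 and 11.2.2 (scan, remediate, rescan, diff, repeat until no blocking findings remain) comes down to keying findings by host and check, diffing two scan exports, and applying a pass criterion. The script below is an added example and is not the Remediation Validator or any other Core Impact code; the finding format, the vulnerability identifiers and hosts, and the rule that a rescan "passes" when no "high" finding remains are all assumptions chosen for illustration (your ASV's actual passing criteria govern the external scan).

```python
"""Diff an original vulnerability scan against a rescan after remediation.

Added example, not Core Impact code. Finding fields, identifiers, hosts and
the passing rule are assumptions; all data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str    # scanner's identifier for the check (assumed format)
    severity: str   # "low" | "medium" | "high", as reported by the scanner
    title: str


# Assumption for this example: a rescan passes when nothing of these severities remains.
FAILING_SEVERITIES = {"high"}

# Constructed original scan results.
ORIGINAL = [
    Finding("web01", "V-001", "high", "Outdated TLS configuration"),
    Finding("web01", "V-002", "medium", "Directory listing enabled"),
    Finding("db01", "V-003", "high", "Unpatched database service"),
    Finding("db01", "V-004", "low", "Service banner disclosure"),
]

# Constructed rescan after remediation: V-001 and V-004 fixed, V-003 not, V-005 newly seen.
RESCAN = [
    Finding("web01", "V-002", "medium", "Directory listing enabled"),
    Finding("db01", "V-003", "high", "Unpatched database service"),
    Finding("db01", "V-005", "medium", "Weak cipher enabled after reconfiguration"),
]


def _key(f: Finding):
    # A finding is "the same" across scans when host and check identifier match.
    return (f.host, f.vuln_id)


def diff_scans(original, rescan):
    """Return (resolved, still_open, new) as lists of Finding, in scan order."""
    before = {_key(f): f for f in original}
    after = {_key(f): f for f in rescan}
    resolved = [before[k] for k in before if k not in after]
    still_open = [after[k] for k in before if k in after]
    new = [after[k] for k in after if k not in before]
    return resolved, still_open, new


def blocking_findings(rescan, failing=FAILING_SEVERITIES):
    """(host, vuln_id) pairs that keep the rescan from passing."""
    return [_key(f) for f in rescan if f.severity in failing]


def passes(rescan, failing=FAILING_SEVERITIES) -> bool:
    return not blocking_findings(rescan, failing)


def report(original, rescan):
    """Human-readable change summary, the kind of thing a retest report highlights."""
    resolved, still_open, new = diff_scans(original, rescan)
    lines = [f"resolved: {len(resolved)}  still open: {len(still_open)}  new: {len(new)}"]
    lines += [f"  RESOLVED   {f.host} {f.vuln_id} ({f.severity}) {f.title}" for f in resolved]
    lines += [f"  STILL OPEN {f.host} {f.vuln_id} ({f.severity}) {f.title}" for f in still_open]
    lines += [f"  NEW        {f.host} {f.vuln_id} ({f.severity}) {f.title}" for f in new]
    verdict = "PASS" if passes(rescan) else "FAIL - rescan required"
    lines.append(f"verdict: {verdict}; blocking: {blocking_findings(rescan)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(ORIGINAL, RESCAN)))
```

Tracking `new` findings separately is the point of rescanning after a significant change rather than only after a patch: the reconfiguration that fixed V-001 here introduced V-005, which a report that only checks the original list would never surface.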
11.3 Implement a methodology for penetration testing that includes external and internal penetration testing.
Core Impact provides a comprehensive, intuitive, and repeatable methodology for penetration testing through its “Rapid Penetration Test” (RPT) wizards. Core Impact offers comprehensive testing across the network, web application, and client-side/social engineering vectors, including how these vectors interrelate, as well as the ability to test wireless/WiFi networks and mobile devices.
Though this is not the only requirement to pay attention to, it might be the perfect place for you to start.
*This blog was recently updated from a previous blog found here to reflect product improvements and the latest release of PCI DSS v3.2.