I designed the scanning solution for one of the ASV's and also handled the process of getting the solution approved as an ASV. All of the PCI Scanning solutions out there are supposed to be programmed to look for pretty much the same thing, and in (almost) exactly the same way. You would think that this would lead to accurate results. You would also think that this would lead to consistent scan results across ASV PCI Scan solutions. Unfortunately, I don't believe that is the case.
'PCI Scans' are not the same as a Vulnerability Assessment
Here are a few examples:
- The PCI Scan finds that port 53 tcp is open inbound to a branch of your restaurant. The PCI Scan doesn't find any known DNS service vulnerabilities so there are "no vulnerabilities detected" and the PCI Scan report shows that the host passed. The results do not raise any questions about this port being open. The tools don't understand the context of the environment. Why in the world would you need to have DNS traffic allowed inbound to a restaurant?
- The PCI Scan checked a few limited ports and concluded that the host is "dead" and therefore the scan service did not perform a vulnerability scan. Your PCI report doesn't show any vulnerabilities, so it's considered compliant. The problem is that the host is not "dead" and has some TCP ports open and could very well be running a vulnerable service on one of those ports.
- The PCI Scan found that port 443 (SSL) is open on a host and reports it as a Level 1 (Informational) finding. The PCI Scan report shows that this host is compliant. The problem is that this is one of your remote locations that uses a UTM (Unified Theat Management) device and has web-based remote management enabled from the Internet without the use of two-factor authentication. This system does not meet the requirements of the PCI DSS.
- The PCI Scan found that port 3389 (RDP) is open on a host and reports it as a Level 1 (Informational) finding. The PCI Scan report shows that this host is compliant. The problem is that this is an Internet-facing host that’s part of the card data environment (CDE) and is setup to allow connections from any source address via Terminal Services without the use of two-factor authentication. This system does not meet the requirements of the PCI DSS.
PCI Scan products can vary greatly in their findings
Earlier this year I did an ASV Scan Vendor Bake-off. I had narrowed it down to two vendors. The test scans were performed against the same hosts and under the same conditions. One report concluded that the scan FAILED and the systems were not compliant. This first report shows these vulnerabilities categorized as: 2 Critical, 1 High, 3 Medium, and 1 Low. The other report concluded that the scan PASSED and that the systems are compliant. According to the report, this scan solution had found 0 Vulnerabilities, and 16 informational comments.
What does this say about the effectiveness and value of PCI Scanning? To me it seems that PCI Scanning today is robotic and inconsistent. And since scan tools don't understand the role or context of a system being scanned, it's my feeling that they should not be trusted as the sole method of assessing vulnerabilities.
Walgreens emailing notice regarding "unauthorized access to an email list of customers" resulting in phishing
December 10, 2010\
Dear Valued Customer, We recently became aware of unauthorized access to an email list of customers who receive special offers and newsletters from us. As a result, it is possible you may have received some spam email messages asking you to go to another site and enter personal data. We are sorry this has taken place and for any inconvenience to you. We want to assure you that the only information that was obtained was your email address. Your prescription information, account and any other personally identifiable information were not at risk because such data is not contained in the email system, and no access was gained to Walgreens consumer data systems. We realize you previously unsubscribed from promotional emails from Walgreens, and that will continue. As a company, we absolutely believe that all customer relationships must be built on trust. That is why we believe it is important to inform you of this incident. Online security experts have reported an increase in attacks on email systems, and therefore we have voluntarily contacted the appropriate authorities and are working with them regarding this incident. We encourage you to continue to be aware of increasingly common email scams that may use your email address to contact you and ask for personal or sensitive information. Always be cautious when opening links or attachments from unsolicited third parties. Also know that Walgreens will not send you emails asking for your credit card number, social security number or other personally identifiable information. So if ever asked for this information, you can be confident it is not from Walgreens. If you have any questions regarding this issue, please contact us at 1-888-980-0963. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. Sincerely, Walgreens Customer Service Team