Top Vulnerability Scanning FAQs

A robust vulnerability scanning program can help your organization reduce the risk of cyberattacks and ensure the security of your information assets. The RedLens InfoSec team executes internal and external vulnerability scanning services that go beyond basic automated scanning to provide manual validation and analysis of vulnerabilities. Our vulnerability scans bring assurance and confirmation that your systems are protected. We are an Approved Scanning Vendor (ASV) under the PCI Security Standards Council (PCI SSC).

What is Vulnerability Scanning?

Vulnerability scanning is the process of systematically identifying, assessing, and prioritizing security vulnerabilities in computer systems, networks, applications, and other IT infrastructure. It is a critical component of a proactive approach to cybersecurity and helps organizations discover potential weaknesses before malicious actors can exploit them.

How do I request a new Vulnerability Scan?

If you are an established scanning customer with CampusGuard/RedLens Infosec, you can request a vulnerability scan within the CampusGuard Central® portal from the primary SCAN dashboard or within an individual merchant account. Your dedicated CRM/SA team will review/approve the scan request based on your scanning/support contract terms, and you will then receive a notification from the Operations Support team once the scan has been configured.

If you are new to scanning with the CampusGuard/RedLens Infosec team, please connect with your dedicated CRM to discuss the overall scanning process and scope review before submitting individual requests. If you are interested in learning more about CampusGuard’s services, contact us.

What is the process for external scanning?

The following outlines the process for external vulnerability scans:

  1. We will take the list of your externally-facing IP address(es) or DNS hostname(s) and set them up in our scanning software.
  2. Every three months, one week before the scan begins, you will receive a reminder email and a request to validate the IP information.
  3. At the appointed time, the scan will run.
  4. Upon completion, one of our ASV staff members will review the results and generate two versions of the report: an Executive Summary and a Technical Report.
  5. The Operations Support team will upload these reports to the designated folder/Document Locker within CampusGuard Central®.
  6. If your team wishes, we can schedule a call with the RedLens InfoSec ASV team to discuss the results and possible remediation options (if applicable).
    a. If available, your dedicated Security Advisor/QSA can also attend the call. If they are unable to join, they will be kept in the loop, so they are aware of any identified vulnerabilities or questions regarding scope.

Why do we need an Approved Scanning Vendor (ASV) for PCI?

The PCI SSC requires organizations to utilize an external ASV to meet the scanning requirements under PCI DSS Requirement 11.3.2. As an ASV, we perform thorough vulnerability scanning and are authorized to attest the scan reports to help you achieve PCI DSS compliance.

What IP addresses should we include?

Regarding external scanning for PCI, you will want to include IP addresses for any Internet-facing systems or web applications within your cardholder data environment (CDE). Any IP that stores, processes, or transmits cardholder data is in scope. If it is possible to access the in-scope IP address from another address, then that address should also be considered in scope. This would include any filtering devices such as firewalls or external routers, web servers, application servers, domain name servers, mail servers, virtual hosts, and any other systems in the same network segment. If you have any questions on what may or may not be in scope, please reach out to your Security Advisor for guidance.

How do we know what to scan for an SAQ A under PCI DSS v4.0?

Please work with your dedicated CRM/SA team to review your e-commerce merchants. As part of your Annual Support Agreement/Consulting hours, they can assist in reviewing your SAQ A/e-commerce inventory and associated payment flows to designate which merchants require ASV scans. Read our article discussing vulnerability scanning for SAQ A merchants for additional insight.

Will scanning disrupt any normal services?

Vulnerability scanning should not disrupt operations. If necessary, the team can throttle the scan so it will run at a slower speed. Our RedLens team will usually suggest this only if they believe it necessary. Running the scans in a throttled setting does cause them to take longer to complete.

How long will our scan take to complete?

Determining the duration of a scan before it has completed for the first time is challenging. Once the initial scan has completed, its runtime is a good indicator of the approximate time the scan requires. However, any changes to the scanned assets will also affect the scan runtime.

When and how will we receive our scan reports?

Custom reports from the RedLens InfoSec team outline valuable insights into validated vulnerabilities, risk ratings, and remediation recommendations. Once the scan is complete and the reports are reviewed and prepared, a notification with any findings is sent to the scanning contacts. The reports are uploaded within the CampusGuard Central portal to the appropriate scanning folder or merchant folders, depending on the process that was defined with the customer.

Why can’t I find my scan reports?

In order to provide attested PCI scan results, per the PCI SSC ASV Program Guide, we must receive validation of the in-scope IP addresses within the organization’s CDE. Each quarter, you will receive a notification from the OpSupport team requesting confirmation of the included systems. Until you have replied/confirmed the scope for scanning, we are not able to deliver the scan reports.

Why do we validate IP addresses every quarter?

CampusGuard is required by the PCI Security Standards Council and the ASV Program Guide to collect confirmation once a quarter that the IP addresses/DNS Hostnames included in your scan comprise your full CDE. You will receive an encrypted email from the OpSupport team asking for your review and confirmation of the included IPs. Once the validation is received, the team can release and upload the quarterly scan reports for your team to review.

How do I share the results with multiple merchant areas?

The standard external ASV quarterly scan report consists of all the included IPs/merchant areas within your organization. If your organization would like separate scans and/or reports for individual merchant areas, you can discuss available options with your dedicated CRM. Options may include the use of your allotted ASA hours to allow for separate scans/reports, or the ASV team may be able to provide a separate .csv document of findings that your PCI team can use to parse out the findings to individual merchant areas for remediation.

Our scan resulted in information that we believe is false positive. How do we get this reflected in our reports?

The supporting documentation for the false positive should be submitted to the Operations Support team and will be reviewed and applied to the report, as applicable, by our ASV team. For example, Red Hat/Linux may backport a patch for Apache, which can cause the scanner to flag an older version as vulnerable even when the most current version is in use. In such cases, please provide a screenshot from the web server showing that the latest version is installed. If the reports are less than 30 days old, new reports will be generated. If the reports are older than 30 days, a rescan is required.
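The backport situation described above is a common source of version-based false positives: the scanner reads the upstream version from the server banner, while the distribution has shipped the fix under the same upstream version with a higher package release. The following is an added example (not part of this FAQ and not CampusGuard/RedLens tooling) of how a PCI team might assemble the evidence for a false-positive dispute: it compares the banner version the scanner reported with the installed package and looks in the package changelog for the CVE in question. The changelog text, package name, and CVE identifiers are constructed placeholders; on a real Enterprise Linux host the changelog would come from `rpm -q --changelog httpd`.

```python
"""Triage a version-based scanner finding against the installed distro package.

Added example; it is not part of the CampusGuard/RedLens FAQ and not their
tooling. All sample data (changelog text, package name, CVE ids) is constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed stand-in for `rpm -q --changelog httpd` output on an Enterprise
# Linux host. That command lists only changes built into the installed package,
# so any CVE mentioned here is already applied. CVE ids are placeholders.
SAMPLE_CHANGELOG = """\
* Tue Jan 09 2024 Package Maintainer <maint@example.invalid> - 2.4.37-62
- Resolves: CVE-0000-00001 mod_example request handling (backported fix)
- Resolves: build fix for test suite

* Mon Nov 13 2023 Package Maintainer <maint@example.invalid> - 2.4.37-61
- Rebase test suite
"""


@dataclass
class FindingReview:
    scanner_banner: str
    installed_package: str
    cve: str
    versions_match: bool        # scanner saw the same upstream version we run
    backported: bool            # changelog shows the CVE fix in the installed build
    evidence: list = field(default_factory=list)

    def summary(self):
        """One-line conclusion suitable for a false-positive submission."""
        if self.versions_match and self.backported:
            return (f"Likely false positive: {self.cve} fixed by backport in "
                    f"{self.installed_package}; upstream version unchanged.")
        if not self.versions_match:
            return "Banner and installed package disagree; re-check the host."
        return f"No backport evidence for {self.cve}; treat finding as valid."


def parse_changelog_entries(text):
    """Return [(package_version, [change lines])], newest first."""
    header = re.compile(r"^\* .+ - (\S+)\s*$")
    entries = []
    for line in text.splitlines():
        m = header.match(line)
        if m:
            entries.append((m.group(1), []))
        elif entries and line.strip():
            entries[-1][1].append(line.strip())
    return entries


def upstream_version(s):
    """Pull the first dotted version number out of a banner or package string."""
    m = re.search(r"\d+(?:\.\d+)+", s)
    return m.group(0) if m else None


def review_finding(scanner_banner, installed_package, cve, changelog_text):
    """Decide whether a banner-version finding is explained by a distro backport."""
    versions_match = upstream_version(scanner_banner) == upstream_version(installed_package)
    # Every changelog entry of the installed package is applied, so any line
    # naming the CVE is direct evidence that the fix is present.
    evidence = [
        f"{ver}: {line}"
        for ver, lines in parse_changelog_entries(changelog_text)
        for line in lines
        if cve.lower() in line.lower()
    ]
    return FindingReview(scanner_banner, installed_package, cve,
                         versions_match, bool(evidence), evidence)


if __name__ == "__main__":
    review = review_finding("Apache/2.4.37", "httpd-2.4.37-62.el8",
                            "CVE-0000-00001", SAMPLE_CHANGELOG)
    print(review.summary())
    for line in review.evidence:
        print("  evidence:", line)
```

The changelog lines this script extracts, together with the output of `rpm -q httpd` and the screenshot the FAQ asks for, make up the documentation the ASV team needs to confirm the finding is a false positive. A finding with no matching changelog entry should be treated as valid and remediated rather than disputed.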

Can we request assistance with remediation?

Yes, your CRM can schedule time with the ASV team upon request to discuss any questions you have on the scan findings or remediation. This is a service provided under the ASA/consulting hours.

Have questions or want to learn more about our vulnerability scanning services? Contact us to learn more!


About the Author
Chantrece Martin

Sr. Operations Support II

As a Senior Operations Support team member, Chantrece is responsible for supporting and coordinating many of the CampusGuard and RedLens InfoSec services, including vulnerability scanning and the CampusGuard Central® compliance portal. Chantrece works with customers to streamline their vulnerability management and compliance programs and ensure all compliance tasks are completed on schedule. Chantrece also assists organizations in implementing and managing their ongoing online security awareness and compliance training programs.