In today’s security environment, conducting accurate PCI Assessments are an important part of an overall security strategy. I have been looking more closely at the approved scanning vendor (ASV) scans per requirement 11.2 and have noticed that many users are not configuring the scans correctly. It’s a long story on how this came to light (this is not a new requirement), but the short version is that organizations should be configuring their ASV scans to scan all known URLs, not just the IP address ranges.
How to Fix ASV Scan Configuration to Include All Known URLs
In Qualys, which many companies use for their ASV scanning, there is a PCI wizard that instructs each entity to do this. I would encourage organizations to review their existing processes right now, and if your existing process does not include inputting all URLs / domain names, etc. as required in the ASV program guide (see below), that you do this now and rerun your most recent scan.
I’ll walk you through the Qualys setting and how they should be configured. (I’m not picking on or endorsing Qualys, but since so many people use it, its the best example.)
In the PCI version of Qualys click on Asset Wizard
Then this comes up. If its blank…its almost guaranteed to be incorrectly configured.
Then add your full domain info AND URL Path.
Then you will be asked about load balancers.
Finally, when everything is inputted correctly it should look like this at the bottom of the screen:
Additionally, it may be helpful to periodically refresh one’s memory on certain PCI requirements. I would encourage everyone to read the entire ASV Program Guide, but for brevity I have copied over the section that includes the specific guidance regarding URLs starting on page 12. https://www.pcisecuritystandards.org/documents/ASV_Program_Guide_v2.pdf
Scan Customers Provide Internet-facing IP Addresses and Domains
In addition to providing all external-facing IP addresses, the scan customer must also supply all fully qualified domain names (FQDN) and other unique entryways into applications for the entire in-scope infrastructure. This includes, but is not limited to:
- Domains for all web-servers
- Domains for mail servers
- Domains used in name-based virtual hosting
- Web-server URLs to “hidden” directories that cannot be reached by crawling the website from the home page
- Any other public-facing domains or domain aliases
Making this slight alteration in your formatting will result in a smoother and more accurate scan ensuring a more effective and productive assessment.
For more information, contact Stewart Fey, firstname.lastname@example.org or 615-309-2479.