RE: nessus to PCI

["Vic N" <vic778 () hotmail com>]

Nessus can be used to help make statements about being compliant with 
various requirements of the PCI specification beyond just prioritizing 
vulnerabilities returned.  This is a slightly different tangent from 
demonstrating no vulnerabilities (sadly, security and compliance may not 
always be the same exact thing).

A good portion of the PCI specification iinvolves self-reporting.  For 
example, requirement 1.1.5 of the PCI 1.0 spec calls for a documented list 
of ports and services required for business.  You can use nessus to verify 
your statements.

Using the nmap poriton of nessus, you can easily run an assessment *daily* 
and compare the results against your 1.1.5 documentation.  If a port turns 
up open that shouldn't be (based on your 1.1.5 doc) you have an exception.  
Update your document or shutdown that port.

Because this audit is an audit that deals with compliance (which hopefully 
equals secure business practices), nessus can be used to demonstrate your 
network has been compliant (or non compliant) for any point in time in which 
you've run nessus against your own stated documentation.

Everybody has vulnerabilities show up, but you can also run nessus to show 
you patched the problem within 30 days.  That demonstrates compliance and 
implies a more secure status.  The beauty of nessus here is you can do so 
over and over in a non-manpower-intensive manner.

All of section 1 is a target-rich environment for nessus to make these types 
of affirmations.

The hydra module can be used for some of section 2 as well.

Nessus can be used in conjunction with 6.1 and 6.2 -- to verify that timely 
patching does occur.

Also, where configuration standards are called for nessus could be used to 
confirm a system was brought online in accordance with that standard  -- 
weak password checking, ports / services disabled, etc...  Every time you 
bring a system online, run a specific config of nessus against the device.  
Save the results as an audit trail.

And then, next year (yes PCI isn't going away) you can pull out your big box 
of print outs / email / electronic tracking tickets with report results 
etc... and demonstrate that not only were you compliant 2 days before the 
auditors showed up, you were compliant throughout the year.

Of course, this requires intelligent planning and usage.  The devil is 
really in the details.  Nessus has to be placed in the "right spot" and 
configured in a relevant way.  If you're using the tool effectively, an 
external audit should only confirm your findings from your ongoing 
assessment & remediation cycle.

You can probably toss snort into the mix to monitor for things like 
unencrypted credit card numbers in key network locations and so forth too.

P.S. at least one of the approved auditors on that PCI list is using a 
modified version of Nessus.

Good luck,
Vic

> Has anyone had any luck mapping nessus results to the Payment Card Industry 
> (PCI) Data Security standard?