Enabling Clients to Cope with ASV Scans

February 22, 2019, Marco Brown, Associate, CoalfireOne Scanning Services

Gathering evidence, applying patches, and configuring your systems in preparation for submitting your vulnerability disputes can be a nerve-wracking and daunting task. To improve your understanding of the Approved Scanning Vendor (ASV) process, I’ve outlined some coping mechanisms and tools to use.

First, let’s start with WHY:

You may be wondering why you must repeatedly resubmit the same disputes. According to the ASV Guide 3.1, the ASV must “not carry dispute findings forward from one quarterly scan to the next. . . . Dispute evidence must be verified and resubmitted by the scan customer, and evaluated again by the ASV, for each quarterly scan.”

What that means is, we, your humble ASV, have to abide by their prescribed rules. The good thing about our CoalfireOne Scanning platform is that you can submit a dispute once per quarter, and once it’s accepted, you don’t have to resubmit it for the next 90 days.

So, how do we simplify this continuous process?

Aside from the obvious steps of keeping your systems up to date and staying abreast of the latest threats, customers are urged to use the secure evidence library located in the CoalfireOne Portal. Once you upload your organization’s evidence into the CoalfireOne platform, it will always be a few mouse clicks away for dispute submissions.

Now let’s improve upon your documentation

Keeping a living document in a centralized location that you and your teammates can continually add to is a great way to grow and expand your personal vulnerability database. This dynamic document will also help your team keep track of all the changes that have been made to a system or network, enhancing not only your Coalfire experience but also your environmental awareness. 

When submitting your living document for evidence, simply inform your ASV of the reason for the dispute and highlight which sections of the document are applicable to the vulnerability in question. We’ll take it from there.

One example of how to deal with a failing finding

Recently, many of you have seen a spike in the vulnerability “HTTP OPTIONS Method Enabled” on your scans. While HTTP OPTIONS itself does not constitute a vulnerability, there is a potential for risk and failure with PCI DSS Requirement 2.2. The requirement states:

  • Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards

A few ways to dispute HTTP OPTIONS are as follows:

  1. Verify that the HTTP OPTIONS Method is not in use in your cardholder data environment (CDE) and file a False Positive
    1. Sometimes a network appliance (VPN, Firewall, etc.) will advertise an HTTP Method as available, but any attempt to use it will result in a null/405 response
    2. Evidence suggestions: Screenshot of failed/405’d curl, vendor documentation, web configuration screenshots
    3. Note: To file a False Positive, you must provide reasonable assurance and evidence that the HTTP OPTIONS Method is not actually used (prove the scanner to be wrong)
  2. Validate a Compensating Control (CC) and file a CC Dispute
    1. At a minimum, we are looking for an acknowledgment that the HTTP Method is in use, has a business need, and has some level of insight/protection
    2. Logging, Intrusion Detection/Prevention, Access Control, SIEM, etc.
    3. We do NOT need a high level of detail to describe these controls in order to consider them for acceptance. At a minimum, the details need to be clear, specific, and direct
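To go with the curl screenshot suggested above, here is an added example (not Coalfire's own tooling) that sends a single OPTIONS request and returns a dated record of the status code and Allow header, so the same check can be repeated each quarter. The verdict labels and the host name `scan-target.example` are assumptions made for this sketch; run it only against in-scope hosts you operate.

```python
import http.client
import json
import ssl
from datetime import datetime, timezone

# Verdict labels are hypothetical names for this example, not ASV terminology.
def classify(status):
    """Map an OPTIONS status to the dispute path the article describes."""
    if status is None or status == 405:
        return "false-positive-evidence"    # null/405: advertised, not usable
    if 200 <= status < 300:
        return "compensating-control-path"  # method answers: document controls
    return "manual-review"                  # redirects, auth prompts, 5xx, ...

def probe_options(host, port=443, path="/", use_tls=True, timeout=10):
    """Send one OPTIONS request and return a dated evidence record."""
    if use_tls:
        conn = http.client.HTTPSConnection(
            host, port, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    status = allow = None
    try:
        conn.connect()
        try:
            conn.request("OPTIONS", path)
            resp = conn.getresponse()
            resp.read()
            status, allow = resp.status, resp.getheader("Allow")
        except (http.client.HTTPException, OSError):
            pass  # connected but no parsable reply: the "null" case
        verdict = classify(status)
    except OSError:
        verdict = "unreachable"  # never connected, so this proves nothing
    finally:
        conn.close()
    return {
        "checked_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "target": f"{'https' if use_tls else 'http'}://{host}:{port}{path}",
        "status": status,
        "allow": allow,
        "verdict": verdict,
    }

if __name__ == "__main__":
    # scan-target.example is a placeholder; use an in-scope host you operate.
    print(json.dumps(probe_options("scan-target.example"), indent=2))
```

An "unreachable" result is kept separate from the null/405 case on purpose: a host that could not be contacted is not evidence that the method is disabled.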

Health check 1,2,1,2. We’re contacting you!

Over the past month, we’ve conducted health checks on many of our clients to improve your experience and garner feedback. These checks are all about you, and we encourage you to speak freely and ask questions. Tell us how we can improve our service and our service platform to best suit your needs.

To ensure we’re connecting with the appropriate parties, please log into the CoalfireOne portal and update your contact information so that we can better serve you. Also, please remember we are here to support you on anything scan-related – feel free to contact us at any time for help coping with your ASV and related scans.
