Internal vs. External Vulnerability Scans: Why You Need Both

The Ins and Outs of Vulnerability Scanning

If you’re a merchant trying to get started with PCI compliance, you’re likely to hear the word “scan” from your acquiring bank or the PCI partner they’ve enlisted to help you with the process.

In our conversations with merchants, we often find that there is an expectation for a single scan that will satisfy their PCI DSS requirements. For most merchants, however, there is actually a requirement to conduct two separate scans: one from the inside (i.e., an “internal scan”) and one from the outside (i.e., an “external scan”).

In this post I’ll cover the differences between these two types of scans, including how they’re performed, the types of vulnerabilities they seek out and why they’re necessary. For the purpose of this article I’ll be referencing PCI DSS v4.0, which became effective April 1st, 2022.

The PCI Security Standards Council (SSC) includes Requirement 11.3 to help merchants spot security vulnerabilities within their business network and applications:

11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed. (Source: PCI DSS v4.0, p. 237)

Internal and external vulnerability scans are conducted in a similar manner. Both are run automatically by a scanning program over an Internet connection; however, that does not mean a single program can conduct both scans at once. An external vulnerability scan looks for holes in your network firewall(s) through which malicious outsiders could break in and attack your network.

By contrast, an internal vulnerability scan operates inside your business’s firewall(s) to identify real and potential vulnerabilities inside your business network.

Why Both Scans are Critical to Your Business

Imagine your business as a house in which a couple and their child reside. The doors and windows are locked to keep intruders from getting inside, but one day the child lets a stranger in the back door while the parents are out working in the front yard. The stranger quietly rummages through the house looking for valuables, gathers them up and throws them out an upstairs window.

Hackers and malware aren’t just present outside your firewall; they can be on the inside as well. The idea that threats may originate from the Internet makes sense to most people, but threats originating from within the internal network are less commonly understood. These threats can include disgruntled employees who target systems from the inside, or malware (such as viruses or Trojans) that is downloaded onto a networked computer via the Internet or a USB stick. Once the malware is on the internal network, it sets out to identify other systems and services on that network—especially services it would not have been able to “see” from the Internet.

Returning to the house example above: an external scan checks that all doors and windows of the house are locked and impassable, while an internal scan searches the inside of the house to ensure that the family’s valuables are hidden from plain sight and properly secured.

Want to learn more about how the PCI DSS applies to your business?

Check out the blog post PCI DSS v4.0: Authenticated Scans for more information about how PCI DSS v4.0 has changed the Standard’s internal vulnerability scan requirements and now calls for internal vulnerability scans to be performed via Authenticated Scanning.

Andrea Sugden
Chief Sales and Customer Relationship Officer