Internal vs. External Vulnerability Scans: Why You Need Both

May 15, 2014 • Published Categories PCI 101Tags , , , ,

The Ins and Outs of Vulnerability Scanning

If you’re a merchant trying to get started with PCI compliance, you’re likely to hear the word “scan” from your acquiring bank or the PCI partner they’ve enlisted to help you with the process.

In our conversations with merchants, we often find that there is an expectation for a single scan that will satisfy their PCI DSS requirements. For most merchants, however, there is actually a requirement to conduct two separate scans: one from the inside (i.e., an “internal scan”) and one from the outside (i.e., an “external scan”).

In this post I’ll cover the differences between these two types of scans, including how they’re performed, the types of vulnerabilities they seek out and why they’re necessary. For the purpose of this article I’ll be referencing PCI DSS v3.0, which becomes effective January 1, 2015.

The PCI Security Standards Council (SSC) created Requirement 11.2 to help merchants spot security vulnerabilities within their business network and applications:

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).  (Source: PCI DSS v3.0, p. 91)

Internal and external vulnerability scans are conducted in a similar manner. Both scans are automatically administered via a computer program and an Internet connection; however, that doesn’t mean there is one program that can simultaneously conduct both scans. An external vulnerability scan looks for holes in your network firewall(s), where malicious outsiders can break in and attack your network.

By contrast, an internal vulnerability scan operates inside your business’s firewall(s) to identify real and potential vulnerabilities inside your business network.

Why Both Scans are Critical to Your Business

Imagine your business as a house in which a couple and their child reside. The doors and windows are locked to keep intruders from getting inside, but one day the child lets a stranger in the back door while the parents are out working in the front yard.  The stranger quietly rummages through the house looking for valuables, gathers them up and throws them out an upstairs window.

Hackers and malware aren’t just present outside your firewall; they can be on the inside as well. The idea that threats may originate from the internet makes sense to most, but what are less commonly understood are threats originating from within the internal network. These types of threats can include disgruntled employees who have targeted systems from the inside, or malware (such as viruses or Trojans) that is downloaded onto a networked computer via the Internet or a USB stick. Once the malware is on the internal network, it sets out to identify other systems and services on the internal network—especially services it would not have been able to “see” from the Internet.

So according to the house example above, an external scan would check to be sure all doors and windows of the house are locked and impassable, while an internal scan would search the inside of the house to ensure that the family’s valuables are hidden from plain sight and properly secured.

Want to learn more about how the PCI DSS applies to your business?

Click here to request more information or give us a call at 1-800-825-3301 x 2. We’d be happy to help.

Leave a Comment