PCI ASV Scan for Merchants

What is an ASV scan and why do you have to perform it for your business network?

While this may sound technical, it is not as technical as it sounds. You don’t have to be a computer engineer to understand what it means. Your bank (acquirer) mandates the scan based on your business profiling and determines whether you need a scan or not. If your payment processing is completely or partially handled by your own network, you might need to scan your network. But if your payment processing is handled by a third-party payment gateway service, you might not need to do an ASV scan, because your third-party payment gateway service provider will already be doing the ASV scans on behalf of their customers. Your profiling determines whether you need a scan or not, and incorrect profiling will cost you money. Therefore, it’s crucial to understand your network architecture and how you answer the profiling questionnaire.

ASV stands for Approved Scanning Vendor; scanning vendors are approved by the PCI SSC (Payment Card Industry Security Standards Council). A PCI ASV scan is an external vulnerability scan (a scan which originates outside of your network), and the primary purpose of this scan is to discover vulnerabilities in your network before they are discovered by an attacker or a person with harmful intentions (like damaging your business or your business network).

It might seem like your bank is draining your finances with penalties for your non-compliance, but going through ASV scans helps you detect flaws in your security posture and rectify them. Any risk to your information systems or your network is a risk to your business – it involves financial loss and reputational loss. You might say you have a firewall installed on your computer or your network, but that’s not enough, because emerging attacks require stronger defences than a firewall alone. These emerging attacks need a way into your network, and ASV scans help by showing whether your network is offering them one.

Why do you need to open your firewall for your PCI approved scanning vendor?

ASVs ask you to whitelist (allow) their IP addresses in your firewall because without the ASV’s IPs whitelisted, your firewall will block the scan and the scan will be incomplete, or inaccurate in some cases. When a scan is incomplete, the ASV will report it as a failed scan, because PCI mandates the ASV to produce a failing report for a scan that is incomplete. (Reference – PCI-ASV guidelines version 3.1)

When a scan is inaccurate, the ASV reports it accordingly, and the report will not describe the flaws in your security posture effectively, since the scanner wasn’t allowed to perform the scan effectively. When we do not see the flaws in our network, we believe that our network is fail-safe, and in the event of a failure of the firewall those flaws let attackers take over our business secrets, or whatever else our network contains.

If the scanner is whitelisted and allowed to scan our network without any interference, it detects the flaws that are present, which gives us an opportunity to address them. When there are no flaws (vulnerabilities), then in the event of a firewall breach the scope of an attack would be minimal, and therefore the risk to our business would be minimal.
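The whitelisting step above is where merchants most often get it wrong: the allow rule is either far too broad (it admits everyone, not just the scanner) or placed after the firewall's drop rule, so the scanner is still blocked and the scan still fails. The following script is an added example, not the post's or any ASV's code; it builds an nftables allowlist for the scanner ranges that expires by itself when the scan window ends. It assumes an nftables firewall with a table `inet filter` and chain `input` (placeholders), a kernel that supports element timeouts on interval sets, and uses constructed TEST-NET ranges in place of a real ASV's published addresses.

```python
import ipaddress

# Anything broader than a /20 is not a scanner range; an ASV publishes a few
# small, specific source blocks. (The threshold is an assumption for this example.)
MAX_ADDRESSES = 4096


def rejection_reason(cidr):
    """Return why a CIDR must not be allowlisted as an ASV source, or None if it is acceptable."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return f"{cidr}: not a valid network ({exc})"
    if net.version != 4:
        return f"{cidr}: this script only builds an IPv4 set"
    if net.num_addresses > MAX_ADDRESSES:
        return f"{cidr}: too broad; an allow rule this wide opens the firewall to far more than the scanner"
    if net.is_loopback or net.is_link_local or net.is_multicast:
        return f"{cidr}: not a routable external source"
    return None


def nft_asv_allowlist(cidrs, window_hours, table="inet filter", chain="input"):
    """Return an nft script that admits the ASV ranges for the scan window only.

    Two details matter: set elements carry a timeout, so the hole closes itself when
    the window ends, and the accept rule is *inserted* (prepended) so it sits before
    the chain's drop rules; an accept appended after a drop never matches, and the ASV
    still sees a blocked and therefore failing scan.
    """
    reasons = [r for r in map(rejection_reason, cidrs) if r]
    if reasons:
        raise ValueError("; ".join(reasons))
    secs = int(window_hours * 3600)
    if secs <= 0:
        raise ValueError("scan window must be positive")
    lines = [f"add set {table} asv_scanners {{ type ipv4_addr; flags interval, timeout; }}"]
    lines += [f"add element {table} asv_scanners {{ {ipaddress.ip_network(c)} timeout {secs}s }}" for c in cidrs]
    # 'counter' lets you confirm afterwards that the scanner actually reached you
    # (nft list chain inet filter input); a zero count means the scan never got in.
    lines.append(f"insert rule {table} {chain} ip saddr @asv_scanners counter accept")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed placeholder ranges (documentation space), not any real ASV's addresses.
    print(nft_asv_allowlist(["203.0.113.0/24", "198.51.100.8/29"], window_hours=48), end="")
```

Feed the output to `nft -f -` before the scan window opens; when the elements time out the scanner is blocked again without anyone having to remember to remove the rule.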

If my firewall blocks the ASV scan, doesn’t that mean my network is secure?

No, absolutely not. Just because your firewall is working the way it’s expected to does not mean your network is secure. Your network security depends not just on your firewall but on every device in your network. Each device in your network may have an operating system or may be running applications that you require to keep your business running. These operating systems and applications might have vulnerabilities that need to be patched. If you do not know the vulnerabilities in your network, you won’t patch them, and this poses a risk to those devices once the firewall fails. Therefore, it is important to go through a quarterly ASV scan and keep patching your systems from time to time.
