Tenable Addendum to VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.0




Tenable Product Applicability Guide for Payment Card Industry (PCI)
Partner Addendum to VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.0
VMware Compliance Reference Architecture Framework
June 2014

Table of Contents

Introduction ... 3
Overview of PCI as it Applies to Cloud/Virtual Environments ... 7
Summary of Relevant Changes from PCI DSS 2.0 to 3.0 ... 8
Tenable PCI Compliance Solution ... 13
Tenable PCI Requirements Matrix Overview ... 15
Tenable PCI Requirements Matrix (By Product) ... 16
    Nessus Enterprise Cloud ... 16
    Nessus Vulnerability Scanner ... 21
    Passive Vulnerability Scanner ... 28
    SecurityCenter Continuous View ... 34
    SecurityCenter ... 47
Summary ... 54

Introduction

Virtualization offers the benefits of hardware consolidation and rapid provisioning and deployment of services to increase business agility and improve efficiency. It also brings new security and compliance challenges such as virtual machine sprawl, a more dynamic environment, and an attack surface that encompasses physical hosts, virtual images, and the applications running on top of them. However, with proper tools that provide continuous monitoring of vulnerabilities and threats, organizations can achieve and maintain adherence to compliance standards, secure their physical and virtual infrastructure from configuration errors, ensure security software is enabled and updated, and monitor for changes in the virtual and physical infrastructure that impact risk and compliance status.

Tenable Network Security offers a variety of solutions that enable your organization to safely implement virtualization while maintaining compliance with the Payment Card Industry Data Security Standard and protecting your systems from threats. Tenable's solutions provide the following capabilities for physical, virtual, and hybrid environments:

- Discovers physical and virtual systems as well as mobile devices
- Performs compliance auditing, including PCI DSS
- Identifies vulnerabilities on detected assets and infrastructure
- Detects malware and advanced threats to protect critical physical and virtual servers as well as clients
- Performs network behavioral analysis to continuously monitor for changes to virtual and physical infrastructure that impact compliance status
- Collects and analyzes logs from virtual and physical assets

[Figure: Tenable capability areas: Continuous Monitoring; Malware Detection; Compliance & Patch Monitoring; Network Behavioral Analysis; Log Collection; Forensic Analysis; Incident Response; Mobile, Virtual, Cloud Coverage]

Tenable Scanning Solutions

To protect physical and virtual environments and demonstrate compliance, Tenable offers two families of solutions: the Nessus family and the SecurityCenter family. The Nessus family consists of the Nessus and PVS products, which offer active vulnerability scanning and passive monitoring for organizations that are interested in individual scanner deployments. The SecurityCenter solutions offer centralized administration of distributed scanners (Nessus, Passive Vulnerability Scanner (PVS), and Log Correlation Engine (LCE)) for continuous, real-time vulnerability, compliance, and threat management. Pre-configured and customizable scanning and audit policies ("plugins"), as well as extensive dashboards and reports available through its security app store, provide the flexibility to meet an organization's unique requirements for identifying vulnerabilities, monitoring event logs, and confirming compliance.

Figure 1: Tenable Solution Overview

VMware Approach to PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is applicable to all types of environments that store, process, or transmit cardholder data. This includes information such as Personal Account Numbers (PAN), as well as any other information that has been defined as cardholder data by PCI DSS v3.0. Cloud computing is no exception to the PCI DSS audit process, and many of the cloud's advantages over earlier paradigms (sharing of resources, workload mobility, a consolidated management plane, etc.) themselves necessitate that adequate controls are adopted to help meet the PCI DSS audit. PCI considerations are essential for assessors, helping them understand what they might need to know about an environment in order to determine whether a PCI DSS requirement has been met.

If payment card data is stored, processed or transmitted in a cloud environment, PCI DSS will apply to that environment, and will typically involve validation of both the infrastructure and the applications running in that environment.

Many enterprise computing environments in various vertical industries are subject to PCI DSS compliance, and generally those that deal in any kind of financial transaction for exchanging goods and services rely on VMware and VMware Technology Partner solutions to deliver those enterprise computing environments. As such, these enterprises seek ways to reduce overall IT budget while maintaining an appropriate overall risk posture for the in-scope environment. One of the greatest challenges in hosting the next generation enterprise computing environment is consolidating the many modes of trust required, such as those required for a Cardholder Data Environment (CDE) and a Non-Cardholder Data Environment.

For these reasons VMware has enlisted its Audit Partners, such as Coalfire, a PCI DSS-approved Qualified Security Assessor, to engage in a programmatic approach to evaluate VMware products and solutions for PCI DSS control capabilities and then to document these capabilities in a set of reference architecture documents. The first of these documents is this Product Applicability Guide, which contains a mapping of the VMware products and features that should be considered for implementing PCI DSS controls. The next two documents that, together with this Guide, comprise the PCI DSS Reference Architecture are the Architecture Design Guide and the Validated Reference Architecture. These will provide guidance on the considerations to be made when designing a vCloud environment for PCI DSS, as well as a lab validation exercise analyzing an instance of this reference architecture which utilizes the concepts and approaches outlined therein. For more information on these documents and the general approach to compliance issues, please review VMware's Approach to Compliance.

In addition, VMware and Coalfire are engaged with VMware Technology Partners such as Tenable Network Security to analyze their products and solutions (available on VMware Solution Exchange) with the goal of providing continuing examples to the industry. While every environment is unique, together VMware and its partners can provide a solution that potentially addresses over 70% of the PCI DSS technical requirements.

Figure 2: PCI Requirements

Figure 3: VMware + Partner Product Capabilities for a Trusted Cloud

Overview of PCI as it Applies to Cloud/Virtual Environments

The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). The payment brands require through their Operating Regulations that any merchant or service provider must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the Payment Card Industry Data Security Standard (DSS). Failure to meet PCI DSS requirements may lead to fines, penalties, or inability to process credit cards, in addition to potential reputational loss. The PCI DSS has six categories with twelve total requirements, as outlined below:

Table 1: PCI Data Security Standard

The PCI SSC specifically began providing formalized guidance for cloud and virtual environments in October 2010. These guidelines were based on industry feedback, rapid adoption of virtualization technology, and the move to cloud computing environments. Version 3.0 (and version 2.0) of the Data Security Standard (DSS) specifically mentions the term "virtualization" (previous versions did not use the word "virtualization"). This was followed by an additional document explaining the intent behind PCI DSS v2.0, Navigating PCI DSS. These documents were intended to clarify that virtual components should be considered as components for PCI, but did not go into the specific details and risks relating to virtual environments. Instead, they address virtual and cloud specific guidance in an Information Supplement, PCI DSS Virtualization Guidelines, released in June 2011 by the PCI SSC's Virtualization Special Interest Group (SIG).

Figure 4: Navigating PCI DSS

The existing virtualization supplement was written to address a broad set of users (from small retailers to large cloud providers) and remains product agnostic (no specific mentions of vendors and their solutions).

* VMware solutions are designed to help organizations address various regulatory compliance requirements. This document is intended to provide general guidance for organizations that are considering VMware solutions to help them address such requirements. VMware encourages any organization that is considering VMware solutions to engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements. It is the responsibility of each organization to determine what is required to meet any and all requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide legal advice and is provided AS IS. VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Nothing that you read in this document should be used as a substitute for the advice of competent legal counsel.

Summary of Relevant Changes from PCI DSS 2.0 to 3.0

With the recent release of the PCI DSS (Data Security Standard) 3.0, while little additional guidance has been released with regard to virtualization specifically, there have been a number of enhancements and clarifications that may have significant design and operational considerations above and beyond those which were required for compliance with PCI DSS 2.0. It should be noted that none of the new PCI DSS 3.0 requirements or considerations are inconsistent with or materially different from those found in version 2.0; rather, they are additions, enhancements, and clarifications.

An updated Navigating PCI DSS document for version 3.0 has not been released by the PCI SSC (Security Standards Council) as of the time of this writing. With every iteration of the PCI DSS and the associated changes and updates, particularly when new requirements are presented, organizations are given additional time to implement these controls through the Sunrise process. While entities can choose to manage their cardholder data environments under PCI DSS 2.0 until December 31, 2014 at the latest, after this point all PCI DSS programs and audits must adhere to version 3.0. Additionally, many of the new requirements under PCI DSS 3.0 are considered best practices until July 1, 2015, giving organizations additional time to prepare to meet these new requirements in an appropriate manner.

Many of the new controls and changes in PCI DSS 3.0 reflect the growing maturity of the Payment Card Industry, and the need to focus more on a risk-based approach and deal with the threats and associated risks which most commonly lead to incidents involving the compromise of cardholder data. Along with the new controls and focus areas, version 3.0 provides PCI organizations and assessors with additional guidance and flexibility around designing, implementing, and validating the requisite PCI DSS controls. It should also be noted that with increased guidance and flexibility in the standard and individual controls, a greatly increased level of stringency is required in the validation of those controls and in the risk-based approach to managing PCI DSS requirements.

At a high level, the updates to version 3.0 of the DSS include:

- Providing stronger focus on some of the greater risk areas in the threat environment
- Providing increased clarity on PCI DSS & PA-DSS requirements
- Building greater understanding of the intent of the requirements and how to apply them
- Improving flexibility for all entities implementing, assessing, and building to the Standards
- Driving more consistency among assessors
- Helping manage evolving risks / threats
- Aligning with changes in industry best practices
- Clarifying scoping and reporting
- Eliminating redundant sub-requirements and consolidating documentation

There are also several key themes around managing PCI DSS 3.0: taking a proactive, business-as-usual approach to protecting cardholder data, and focusing primarily on security as opposed to pure compliance. These have been updated in the latest version, and the PCI Security Standards Council has provided guidance on them.

The following is guidance from the PCI DSS Version 3.0 Change Highlights document regarding these high-level concepts and how they apply to PCI DSS 3.0:

Education and awareness
Lack of education and awareness around payment security, coupled with poor implementation and maintenance of the PCI Standards, gives rise to many of the security breaches happening today. Updates to the standards are geared towards helping organizations better understand the intent of requirements and how to properly implement and maintain controls across their business. Changes to PCI DSS and PA-DSS will help drive education and build awareness internally and with business partners and customers.

Increased flexibility
Changes in PCI DSS 3.0 focus on some of the most frequently seen risks that lead to incidents of cardholder data compromise, such as weak passwords and authentication methods, malware, and poor self-detection, providing added flexibility on ways to meet the requirements. This will enable organizations to take a more customized approach to addressing and mitigating common risks and problem areas. At the same time, more rigorous testing procedures for validating proper implementation of requirements will help organizations drive and maintain controls across their business.

Security as a shared responsibility
Securing cardholder data is a shared responsibility. Today's payment environment has become ever more complex, creating multiple points of access to cardholder data. Changes introduced with PCI DSS focus on helping organizations understand their entities' PCI DSS responsibilities when working with different business partners to ensure cardholder data security.

Cloud Computing

Cloud computing and virtualization have continued to grow significantly every year. There is a rush to move applications and even whole datacenters to the cloud, although few people can succinctly define the term "cloud computing". There are a variety of different frameworks available to define the cloud, and their definitions are important as they serve as the basis for making business, security, and audit determinations. VMware defines cloud or utility computing as follows (http://www.vmware.com/solutions/cloud-computing/public-cloud/faqs.html):

"Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage."

Figure 5: Cloud Computing

There are commonly accepted definitions for the cloud computing deployment models, and there are several generally accepted service models. These definitions are listed below:

Private Cloud: The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premise or off-premise.

Public Cloud: The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services.

Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities, but are bound together by standardized technology. This enables data and application portability; for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gets the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on-premise.

Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premise or off-premise.

To learn more about VMware's approach to cloud computing, review the following:

- VMware Cloud Computing Overview
- VMware's vCloud Architecture Toolkit

When an organization is considering the potential impact of cloud computing on their highly regulated and critical applications, they may want to start by asking:

- Is the architecture a true cloud environment (does it meet the definition of cloud)?
- What service model is used for the cardholder data environment (SaaS, PaaS, IaaS)?
- What deployment model will be adopted?
- Is the cloud platform a trusted platform?

The last point is critical when considering moving highly regulated applications to a cloud platform. PCI does not endorse or prohibit any specific service and deployment model. The appropriate choice of service and deployment models should be driven by customer requirements, and the customer's choice should include a cloud solution that is implemented using a trusted platform. VMware is the market leader in virtualization, the key enabling technology for cloud computing. VMware's vCloud Suite is the trusted cloud platform that customers use to realize the many benefits of cloud computing, including safely deploying business critical applications.

Figure 6: VMware Software Defined Data Center Products

Figure 7: VMware End User Computing

VMware provides an extensive suite of products designed to help organizations support security and compliance needs. The solutions' collective functionality, their features, and the specific PCI DSS requirements they address are covered in the VMware Product Applicability Guide for PCI, which provides detailed information about VMware's support for PCI DSS v3. If you are an organization or partner that is interested in more information on the VMware Compliance Program, please email us at compliance-solutions@vmware.com.

Figure 8: Tenable's Virtual Environment Monitoring

Tenable PCI Compliance Solution

Tenable Nessus and SecurityCenter product offerings provide comprehensive vulnerability scanning, monitoring, and reporting, including pre-configured scanning policies for PCI DSS v3 internal and external scanning requirements. ** Organizations can use Tenable products to continually monitor PCI compliance, using pre-configured and customized scanning policies to provide ongoing vulnerability monitoring.

Table 2: Tenable Solutions

Solution: Nessus Enterprise Cloud
Description: Nessus Enterprise Cloud provides cloud-based vulnerability management. Nessus Enterprise Cloud customers have the ability to manage all internal and external scanning from the cloud. Nessus Enterprise Cloud acts as the Primary Nessus Scanner and can control multiple secondary Nessus scanners whether they are located on premise within your corporate network, production environment, data center, remote locations, or in the cloud. Nessus Enterprise Cloud meets the PCI DSS 11.2 quarterly scanning requirements. Tenable's PCI Scanning Service is an Approved Scanning Vendor (ASV) solution.

Solution: Nessus Vulnerability Scanner
Description: Nessus Vulnerability Scanner is a vulnerability scanner that supports PCI DSS internal scanning requirements, including pre-configured PCI scanning scripts, while allowing for organization-configurable scanning policies that meet the specific needs of the organization. Use Nessus to perform configuration and compliance audits and to monitor numerous technical controls to capture issues before regularly scheduled scans and/or PCI DSS compliance assessments, allowing an organization to remain continuously compliant and address issues prior to the arrival of QSAs. Used in conjunction with SecurityCenter or SecurityCenter CV, with their enhanced reporting and web-based dashboard, an organization can obtain a comprehensive and easily readable view into the state of the enterprise or drill down to view the state of the cardholder data environment or other critical network zones. This enables continuous monitoring of the organization's compliance with the PCI security standards.

Solution: Passive Vulnerability Scanner
Description: Tenable Passive Vulnerability Scanner (PVS) continuously monitors for vulnerabilities and for new or transient assets. PVS analyzes network traffic for insight into services, suspicious network relationships, and compliance violations. Using pre-configured or custom-built scanning policies, an organization can have real-time monitoring. PVS detects transmission of unencrypted cardholder data. It can also be used to continuously monitor the integrity of the cardholder data environment. Used in conjunction with SecurityCenter CV, with its enhanced reporting and web-based dashboard, an organization can obtain a comprehensive and easily readable view into the state of the enterprise or drill down to view the state of the cardholder data environment or other critical network zones. PVS is available as a subscription or as part of SecurityCenter CV.

Solution: SecurityCenter
Description: For organizations that have deployed multiple Nessus vulnerability scanners to meet periodic vulnerability scanning requirements, SecurityCenter accelerates and simplifies vulnerability and compliance management. SecurityCenter provides a single console for managing distributed Nessus vulnerability scanners and provides advanced analytics with its dashboards.

Solution: SecurityCenter Continuous View
Description: SecurityCenter Continuous View (CV) brings real-time monitoring and integrated log analysis to vulnerability management, allowing organizations to continuously monitor for advanced threats and compliance violations. SecurityCenter CV combines the benefits of Nessus periodic scanning with passive network monitoring, to provide continuous evaluation of the network, and with security information and event management (SIEM), to deliver centralized event storage; log monitoring, analysis, and correlation; and file integrity monitoring capabilities. SecurityCenter CV centralizes asset discovery with complete and continuous vulnerability assessment by integrating data from the following Tenable products:

- SecurityCenter management console
- Unlimited Nessus vulnerability scanners
- Unlimited Passive Vulnerability Scanners
- Log Correlation Engine
- Nessus Enterprise Cloud (optional)

Used as part of an organization's operational and auditing procedures, SecurityCenter CV provides information from scanning activities and its Log Correlation Engine that supports security administration activities and sound vulnerability management decisions.

Tenable PCI Requirements Matrix Overview

Tenable's PCI DSS Compliance Solution includes extensive vulnerability scanning, log analysis, and reporting using pre-configured scanning policies, and provides the capability for client-defined scanning policies for organization-specific customization. When properly deployed and configured, the Tenable solution either fully meets or augments the following PCI DSS requirements:

Table 3: Tenable PCI DSS Requirements Matrix for PCI DSS v3

PCI DSS Requirement | Number of PCI requirements | Met by Nessus Enterprise Cloud | Met by Nessus Vulnerability Scanner | Met by Passive Vulnerability Scanner | Met by SecurityCenter Continuous View | Met by SecurityCenter | Total met or augmented by Tenable **
Requirement 1: Install and maintain a firewall configuration to protect cardholder data | 35 | | 8 | 13 | 21 | 8 | 21
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters | 32 | | 14 | 14 | 14 | 14 | 14
Requirement 3: Protect stored cardholder data | 44 | | 1 | 1 | 2 | 1 | 2
Requirement 4: Encrypt transmission of cardholder data across open, public networks | 11 | 3 | 6 | 7 | 7 | 6 | 7
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs | 11 | | 5 | 4 | 6 | 5 | 6
Requirement 6: Develop and maintain secure systems and applications | 42 | 13 | 14 | 10 | 14 | 14 | 14
Requirement 7: Restrict access to cardholder data by business need to know | 10 | | 7 | | 7 | 7 | 7
Requirement 8: Identify and authenticate access to system components | 43 | | 13 | | 19 | 13 | 19
Requirement 9: Restrict physical access to cardholder data | 44 | | | | 1 | | 1
Requirement 10: Track and monitor all access to network resources and cardholder data | 41 | | 3 | 2 | 23 | 3 | 23
Requirement 11: Regularly test security systems and processes | 36 | 6 | 12 | 4 | 16 * | 12 | 16
Requirement 12: Maintain a policy that addresses information security for all personnel | 47 | 2 | 2 | 5 | 8 | 2 | 8
Requirement A.1: Shared hosting providers must protect the cardholder data environment | 8 | | | | 2 | | 2
TOTAL | 404 | 30 | 85 | 60 | 140 | 85 | 140

Notes:
** When comparing partner tables, be aware that some VMware partner applicability whitepapers could be assessed using PCI DSS v2.
* Includes requirements addressed by Nessus Enterprise Cloud, which is an optional offering with SecurityCenter CV.
** Note that there is some duplication of DSS v3 requirements addressed across multiple Tenable products.

Tenable PCI Requirements Matrix (By Product)

Nessus Enterprise Cloud

Nessus Enterprise Cloud enables remote, cloud-based management and sharing of multiple Nessus scanners, scan schedules, scan policies, and, most importantly, scan results. It is easy to share vulnerability and compliance information with users and groups: system owners, IT or security analysts, internal audit, and risk and compliance auditors. Users connect to the Nessus Enterprise Cloud console to access all Nessus scanners and scan results. Users may also perform external scans of their Internet-facing IPs for network and web application vulnerabilities.

Figure 9: Nessus Enterprise Cloud

Nessus Enterprise Cloud provides the following key capabilities:

- Scans your Internet-facing systems
- Unlimited scans of unlimited IP addresses
- Web application vulnerability assessments
- External network scans according to current PCI DSS standards
- Executive, attestation, and detailed reports offering proof of compliance
- Submission of reports to an acquiring bank, card brand, or merchant customer
- Quarterly PCI ASV attestation from Tenable's PCI-certified experts

Nessus Enterprise Cloud customers have the ability to manage all internal and external scanning from the cloud. Nessus Enterprise Cloud acts as the primary Nessus scanner and can control multiple secondary Nessus scanners, whether they are located on premise within the corporate network, production environment, data center, remote locations, or in the cloud. Optionally, Nessus Enterprise Cloud can be managed by SecurityCenter CV.

Tenable provides solutions to support or meet PCI DSS controls. Additional policies, processes or technologies must be used in conjunction with Tenable's solutions to fully comply with PCI DSS. The following product matrix explains which PCI controls are supported or supplemented by Nessus Enterprise Cloud.

Table 4: Applicability of PCI DSS v3.0 Controls to Nessus Enterprise Cloud

PCI DSS v3.0 Applicability Matrix: Nessus Enterprise Cloud

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls addressed: N/A
No controls in this PCI requirement are addressed by Nessus Enterprise Cloud.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: N/A
No controls in this PCI requirement are addressed by Nessus Enterprise Cloud.

Requirement 3: Protect stored cardholder data
Controls addressed: N/A
No controls in this PCI requirement are addressed by Nessus Enterprise Cloud.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Controls addressed: 4.1.a, 4.1.c, 4.1.d
Nessus Enterprise Cloud can be used by an organization to verify that the required safeguards are in place and appropriately configured for transmitting sensitive cardholder data (4.1.a) over open, public networks, by scanning all web portals or Internet access points used for transmitting credit card data to collect information about allowed protocols and other encryption parameters (4.1.c and 4.1.d), such as the host names related to SSL keys and the age of SSL keys, to ensure they are up-to-date.

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Controls addressed: N/A
No controls in this PCI requirement are addressed by Nessus Enterprise Cloud.

Requirement 6: Develop and maintain secure systems and applications
Controls addressed: 6.1.a, 6.2.a, 6.5.d, 6.5.1, 6.5.2, 6.5.4, 6.5.5, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6
Nessus Enterprise Cloud can support an organization's vulnerability and patch management procedures by providing the organization the ability to scan external-facing systems for vulnerabilities (6.1.a) and for the status of patching (6.2.a) on those systems.

Organizations that develop custom software for their cardholder data environment are required to ensure that secure coding practices, such as those identified in OWASP, are used. Nessus Enterprise Cloud can be used as part of the software development and testing processes to test for common coding vulnerabilities identified during external scanning. Implemented in a test environment that simulates the production environment, Tenable products can be used with other testing tools to check for well-known vulnerabilities (6.5.d) before code is introduced into production. Nessus Enterprise Cloud can:

- be used to monitor live websites to look for errors that might be indicative of an injection flaw (such as SQL injection, OS command injection, LDAP and XPath injection flaws) (6.5.1); Nessus can check for a variety of SQL injection flaws in web applications (6.5.1)
- be used to identify well-known vulnerabilities, including buffer overflows (6.5.2)
- perform checks for communication over a variety of protocols, and recognize and report on insecure communication protocols (6.5.4)
- observe whether responses to web probes return a catch-all error page or error codes that could provide information useful for breaching the system (6.5.5)
- check for well-known attacks against web applications, operating systems, and other software; Nessus Enterprise Cloud scans provide CVSS2 scores and criticality risk rankings, which can be used to identify high-risk vulnerabilities that need to be addressed prior to deployment of code changes (6.5.6)
- check for cross-site scripting vulnerabilities (6.5.7)
- perform checks for known access control vulnerabilities such as directory traversals and authentication bypass issues (6.5.8)
- perform checks for cross-site request forgery vulnerabilities (6.5.9)
- perform checks for broken authentication and session management vulnerabilities (6.5.10)

While Tenable does not evaluate web application source code, Nessus, PVS and the Log Correlation Engine can be customized to identify changes to web applications. Management can use the information provided to determine if changes are significant and if an application security review is appropriate, as required by DSS 6.6.

Requirement 7: Restrict access to cardholder data by business need to know
Controls addressed: N/A
No controls in this PCI requirement are addressed by Nessus Enterprise Cloud.

Requirement 8: Identify and authenticate access to system components
Controls addressed: N/A
No controls in this PCI requirement are addressed by Nessus Enterprise Cloud.

Requirement 9: Restrict physical access to cardholder data
Controls addressed: N/A
No controls in this PCI requirement are addressed by Nessus Enterprise Cloud.

Requirement 10: Track and monitor all access to network resources and cardholder data
Controls addressed: N/A
No controls in this PCI requirement are addressed by Nessus Enterprise Cloud.

Requirement 11: Regularly test security systems and processes
Controls addressed: 11.2.2.a, 11.2.2.b, 11.2.2.c, 11.2.3.a, 11.2.3.b, 11.2.3.c
Tenable supports the following specific controls:

- Nessus Enterprise Cloud supports the PCI DSS 11.2.2 external vulnerability scanning requirements and can be scheduled to run quarterly automatically, thus guaranteeing an organization four quarterly external scans (11.2.2.a) in the last 12-month period, and provides for rescanning after identified vulnerabilities have been addressed (11.2.2.b). To fully achieve this testing procedure, an organization must hire an Approved Scanning Vendor (ASV), such as Tenable, to perform external scans (11.2.2.c).
- As part of an organization's change control process, Nessus Enterprise Cloud meets PCI DSS 11.2.3.a requirements for running vulnerability scans when significant changes are introduced into the environment. Identified high vulnerabilities (11.2.3.b) can be addressed and scans rerun until the vulnerabilities have been resolved. While use of an ASV is not required for non-quarterly scans, the Tenable ASV (11.2.3.c) is available to assist with these scans when qualified internal resources are not available.

Requirement 12: Maintain a policy that addresses information security for all personnel
Controls addressed: 12.2.a, 12.10.5
Nessus Enterprise Cloud external scan results can (and should) be included in risk assessment processes, and should also be reviewed to support incident response monitoring and review:

- Along with the organization's other risk management processes and tools, Nessus Enterprise Cloud can be used to identify critical external-facing vulnerabilities requiring management's attention (12.2.a)
- As part of an organization's incident response plan, critical and high-risk vulnerabilities identified during scanning activities can be used to assist in the incident response process, provide information about vulnerabilities that might have been exploited, or be used to monitor for possible incidents that need to initiate a response (12.10.5)

Requirement A.1: Shared hosting providers must protect the cardholder data environment
Controls addressed: N/A
No controls in this PCI requirement are addressed by Nessus Enterprise Cloud.
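The 4.1.c to 4.1.g checks described in this matrix (allowed protocols, cipher and key strength, certificate host names and key age), written out as an added example in Python; this is not Tenable's code and not how Nessus implements them. The thresholds, the input field names and the two sample endpoints are this example's assumptions.

```python
"""Added example (not Tenable's code): a PCI DSS 4.1-style check of one TLS endpoint,
covering the protocol, cipher, certificate name, key strength and certificate age
points (4.1.c to 4.1.g). Thresholds and field names are this example's assumptions."""
import socket
import ssl
import time

# Assumptions: protocols treated as insecure (reflecting PCI guidance after v3.0 on SSL
# and early TLS), minimum cipher and key sizes, and a maximum certificate validity.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_CIPHER_BITS = 128
MIN_KEY_BITS = 2048
MAX_VALIDITY_DAYS = 398


def name_matches(cert_name, host):
    """Match one certificate DNS name against `host`, allowing a single leading wildcard label."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        return host.count(".") == cert_name.count(".") and host.endswith(cert_name[1:])
    return cert_name == host


def evaluate_endpoint(info, now=None):
    """Return a list of findings (empty means the endpoint passes the checks above).

    `info` keys: host, protocol, cipher_bits, subject_names (DNS names from the
    certificate), not_before and not_after (epoch seconds), and optionally key_bits.
    """
    now = time.time() if now is None else now
    findings = []
    if info["protocol"] in WEAK_PROTOCOLS:                  # 4.1.c / 4.1.d: protocol
        findings.append("insecure protocol {} negotiated".format(info["protocol"]))
    if info["cipher_bits"] < MIN_CIPHER_BITS:               # 4.1.c / 4.1.d: cipher
        findings.append("weak cipher ({}-bit)".format(info["cipher_bits"]))
    if not any(name_matches(n, info["host"]) for n in info["subject_names"]):
        findings.append("certificate name does not match endpoint host")  # 4.1.e
    key_bits = info.get("key_bits")
    if key_bits is not None and key_bits < MIN_KEY_BITS:    # 4.1.g: key strength
        findings.append("weak key ({}-bit)".format(key_bits))
    if now > info["not_after"]:                             # 4.1.f / 4.1.g: key age
        findings.append("certificate expired")
    elif now < info["not_before"]:
        findings.append("certificate not yet valid")
    validity_days = (info["not_after"] - info["not_before"]) / 86400
    if validity_days > MAX_VALIDITY_DAYS:
        findings.append("validity period of {:.0f} days exceeds {}".format(validity_days, MAX_VALIDITY_DAYS))
    return findings


def probe(host, port=443, timeout=5.0):
    """Collect evaluate_endpoint() input from a live endpoint (needs network access).

    The default verified context is used, so an untrusted chain or a hostname
    mismatch raises ssl.SSLCertVerificationError, itself a 4.1.e/4.1.f finding.
    Key size is not exposed by getpeercert(), so key_bits is left out here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "host": host,
                "protocol": tls.version(),
                "cipher_bits": tls.cipher()[2],
                "subject_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                "not_before": ssl.cert_time_to_seconds(cert["notBefore"]),
                "not_after": ssl.cert_time_to_seconds(cert["notAfter"]),
            }


# Constructed sample endpoints (not real hosts), evaluated at a fixed point in time.
NOW = 1_700_000_000
COMPLIANT = {
    "host": "pay.example.com", "protocol": "TLSv1.2", "cipher_bits": 256, "key_bits": 2048,
    "subject_names": ["*.example.com", "example.com"],
    "not_before": 1_690_000_000, "not_after": 1_721_536_000,   # 365-day validity
}
NON_COMPLIANT = {
    "host": "pay.example.com", "protocol": "TLSv1", "cipher_bits": 40, "key_bits": 1024,
    "subject_names": ["*.other.example"],
    "not_before": 1_600_000_000, "not_after": 1_663_072_000,   # 730 days, already expired
}

if __name__ == "__main__":
    for label, info in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(label, evaluate_endpoint(info, now=NOW) or ["no findings"])
```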

Nessus Vulnerability Scanner

Nessus vulnerability scanners can be deployed as a hardware appliance or software solution, providing vulnerability scanning capabilities within an organization's corporate network, production or cardholder data environments, cloud-based networks, and across networks.

Figure 10: Nessus Vulnerability Scanner

Nessus scanners provide on-premise vulnerability scanning capability for:

- Network devices: Juniper, Cisco, Palo Alto Networks, firewalls, printers, and more
- Virtual hosts: VMware ESX, ESXi, vSphere, vCenter
- Operating systems: Windows, Mac OS X, Linux, Solaris, BSD, Cisco IOS, IBM iSeries
- Databases: Oracle, SQL Server, MySQL, DB2, Informix/DRDA, PostgreSQL
- Web applications: web servers, web services, OWASP vulnerabilities
- Compromise detection: viruses, malware, backdoors, hosts communicating with botnet-infected systems, web services linking to malicious content
- Networks: IPv4/IPv6/hybrid networks

Nessus Vulnerability Scanner is an internal vulnerability scanner that supports PCI DSS internal scanning requirements, including pre-configured PCI scanning scripts, while allowing for organization-configurable scanning policies that meet the organization's specific vulnerability scanning needs. Use Nessus to perform configuration and compliance audits and to monitor numerous technical controls, capturing issues before regularly scheduled mandated scans and/or PCI DSS compliance audits; this allows an organization to remain continuously compliant and to address issues prior to the arrival of auditors. Tenable Network Security also offers an evaluation version of the Nessus Vulnerability Scanner, as well as a free home version limited to personal use in a non-commercial environment. This whitepaper describes the full enterprise version of Nessus, which provides unlimited scanning of unlimited IP addresses/ranges and full functionality, including credentialed checks for monitoring ongoing PCI compliance.

Used in conjunction with SecurityCenter or SecurityCenter CV, enhanced reporting, and a web-based dashboard, an organization can obtain a comprehensive and easily readable view into the state of the enterprise, or drill down to view the state of the cardholder data environment or other critical network zones.

Tenable provides solutions to support or meet PCI DSS controls. Additional policies, processes or technologies must be used in conjunction with Tenable's solutions to fully comply with PCI DSS. The following product matrix explains which PCI controls are supported or supplemented by Nessus Vulnerability Scanner.

Table 5: Applicability of PCI DSS v3.0 Controls to Nessus Vulnerability Scanner

PCI DSS v3.0 Applicability Matrix: Nessus

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls addressed: 1.1.1.c, 1.2.1.b, 1.2.1.c, 1.2.2.a, 1.2.2.b, 1.2.3.b, 1.4.b, 1.5
Nessus Vulnerability Scanners can be used by network administrators to ensure that their organization's policies and procedures are appropriately implemented, with Tenable-provided and custom-developed scans:

- Ensure that documented processes for approving changes to networks are in place and operating appropriately, by using audit scan results to confirm that identified changes match change control documents (1.1.1.c)
- Monitor firewall configurations to ensure that devices are configured to meet organization-established policies and PCI DSS requirements for restricting connections between untrusted networks and system components in the cardholder data environment (1.2.1.b), and that all other inbound and outbound traffic is specifically denied (1.2.1.c)
- Monitor router configurations to verify that the configurations are secured from unauthorized access (1.2.2.a) and that router configurations are synchronized (1.2.2.b)
- Monitor that firewalls between the cardholder data environment and wireless networks deny traffic or only allow authorized traffic (1.2.3.b)
- Using customized Nessus configuration audits, audit devices used to access the organization's network remotely to ensure that the required software is installed, running, and configured correctly (1.4.b)
- Organizations can supplement network documentation when administrators manage configuration policies scripted in Nessus Vulnerability Scanner alongside the organization's documented configuration policies and change control processes, thus providing a means for verifying that firewalls are configured as documented (1.5)

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: 2.1.a, 2.1.b, 2.1.c, 2.1.1.b, 2.1.1.e, 2.2.a, 2.2.1.a, 2.2.1.b, 2.2.2.a, 2.2.3, 2.2.4.b, 2.2.5.a, 2.3.b, 2.4.a
Nessus Vulnerability Scanner augments the following specific controls:

- By scanning for the use of default passwords, systems administrators can implement procedures for ensuring that newly installed systems are not using default passwords (2.1.a and 2.1.b) or inappropriate default security parameters or accounts (2.1.c)
- Checking for common SNMP and login settings on wireless devices to ensure that all wireless vendor defaults have been changed (2.1.1.b). Additionally, Nessus can audit the active wireless domain of each Windows device to develop a complete list of all wireless devices (2.1.1.e)
- Configured with an organization's approved configuration standards, audit policies can log into Windows, Unix, Linux, Mac OS X, AIX, HP-UX, and other systems to confirm compliance with organizational standards (2.2.a), or to profile systems (2.2.1.a and 2.2.1.b), discover open ports (2.2.2.a), identify the security features and parameters implemented (2.2.3 and 2.2.4.b), and identify vulnerabilities (2.2.5.a)
- Used to look for any non-encrypted services on organization-specified assets that are required to use SSH or SSL for administration (2.3.b)
- Create an asset inventory, including systems and software, using the asset discovery information provided by Nessus scans (2.4.a)

Requirement 3: Protect stored cardholder data
Controls addressed: 3.1.b
Nessus can be used by an organization to identify occurrences of unencrypted PAN (primary account numbers) (3.1.b) and to monitor the protection of encryption keys. As part of the risk assessment process to identify all occurrences of PAN, organizations can use the information provided by Nessus scanners to determine whether all instances of PAN storage are needed by the business, and drill down to secure the data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Controls addressed: 4.1.a, 4.1.c, 4.1.d, 4.1.e, 4.1.f, 4.1.g
Nessus Vulnerability Scanner can be used by an organization to verify that safeguards are in place and appropriately configured for transmitting sensitive cardholder data (4.1.a) over open, public networks, by scanning all web portals or Internet access points used for transmitting credit card data to collect information about allowed protocols and other encryption parameters (4.1.c and 4.1.d). Nessus Vulnerability Scanner tests all SSL systems for compliance with PCI DSS, using periodic or continual scans to identify issues such as verification of host names related to SSL keys, secure protocols enabled when cardholder data is transmitted, and the strength and age of SSL keys, to ensure they are up-to-date (4.1.e, 4.1.f, and 4.1.g).

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Controls addressed: 5.1, 5.2.a, 5.2.b, 5.2.c, 5.4
Nessus Vulnerability Scanner can supplement a comprehensive malware prevention program that safeguards an organization from malware by supporting procedures for ensuring ongoing compliance. Nessus scans can be configured to scan for anti-virus instances on system types susceptible to malware, verify that AV protection is installed on all systems, and check that it is appropriately configured and up-to-date (5.1 and 5.2.a, b, c). Organizations can supplement anti-virus policies and procedures supporting controls 5.1 and 5.2 to ensure that documented procedures are current and that the processes supporting policies and procedures are working as documented (5.4).

Requirement 6: Develop and maintain secure systems and applications
Controls addressed: 6.1.a, 6.2.b, 6.5.d, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6
Tenable updates Nessus Vulnerability Scanner regularly for new vulnerabilities. In conjunction with other external resources, Nessus scanners can support the vulnerability (6.1.a) and patch management (6.2.b) processes by continuously scanning the network, allowing the organization to identify new vulnerabilities provided in Tenable updates or as vulnerabilities are introduced into the network. Nessus provides CVSS2 scores for the vulnerabilities identified, assigning a risk ranking to each (6.1.a), which can be used in an organization's risk ranking process.

Organizations that develop custom software for their cardholder data environment are required to ensure that secure coding practices, such as those identified in OWASP, are used. Nessus Vulnerability Scanners can be used as part of the software development and testing processes to test for common coding vulnerabilities (6.5.d). Implemented in a test environment that simulates the production environment, Tenable can be used with other testing tools to check for well-known vulnerabilities before they are introduced into production:

- Nessus scans can be used to monitor live websites to look for errors that might be indicative of an injection flaw (such as SQL injection, OS command injection, LDAP and XPath injection flaws) (6.5.1); Nessus can check for a variety of SQL injection flaws in web applications (6.5.1)
- Nessus can be used to identify well-known vulnerabilities, including buffer overflows (6.5.2)
- Nessus can be used as a discovery tool to identify the content of files by looking for cardholder data, to determine whether encryption is required (6.5.3)
- Nessus scans check for communication over a variety of protocols and can recognize and report on insecure communication protocols (6.5.4)
- Nessus observes whether responses to web probes return a catch-all error page or error codes that could provide information useful for breaching the system (6.5.5)
- Nessus can be used to check for well-known attacks against web applications, operating systems, and other software; Nessus can provide CVSS2 scores and criticality risk rankings, which can be used to identify high-risk vulnerabilities that need to be addressed prior to deployment of code changes (6.5.6)
- Nessus scanners can check for cross-site scripting vulnerabilities (6.5.7)
- Nessus can perform checks for known access control vulnerabilities such as directory traversals and authentication bypass issues (6.5.8)
- Nessus can perform checks for cross-site request forgery vulnerabilities (6.5.9)
- Nessus can perform checks for broken authentication and session management vulnerabilities (6.5.10)

While Tenable does not evaluate web application source code, Nessus, PVS and the Log Correlation Engine can be customized to identify changes to web applications. Management can use the information provided to determine if changes are significant and if an application security review is appropriate, as required by DSS 6.6.

Requirement 7: Restrict access to cardholder data by business need to know
Controls addressed: 7.1.a, 7.1.2.b, 7.1.3, 7.2.1, 7.2.2, 7.2.3, 7.3
While Nessus Vulnerability Scanner does not actively perform access control functionality, Nessus compliance checks can supplement an organization's access control processes and procedures by providing information that can be used to assess compliance and alert an administrator when access control processes could be weak or out of compliance. Nessus compliance checks can be used to audit user accounts and provide information about:

- Linux and Windows servers and desktops, including information about the access control lists implemented to meet an organization's requirements, a list of users authorized to access a system, and how authentication is performed and logged (7.1.a, 7.1.2.b, 7.1.3)
- Audit security parameters to ensure that access control settings meet PCI requirements, including ensuring that access control systems are in place (7.2.1 to 7.2.3), that privileged access is assigned to individuals based upon job classifications, and that access is denied to all unless explicitly allowed
- Provide the data necessary to support access control operational procedures, including management review of access rights as part of periodic access monitoring (7.3)

Requirement 8: Identify and authenticate access to system components
Controls addressed: 8.1.1, 8.1.2, 8.1.6.a, 8.1.7, 8.2, 8.2.1.a, 8.2.3.a, 8.2.4.a, 8.3.a, 8.5.a, 8.5.1, 8.7.a
An organization can use Nessus to supplement identification management procedures by auditing account and password configuration parameters and auditing log records for compliance, including:

- Nessus scans can augment account administration activities by providing management with information that can be used for monitoring and assessing account administration activities, including reviewing account lists for possible shared accounts (8.1.1) and reviewing that access rights are assigned based upon roles (8.1.2). Operating system account and password security parameters can be audited using Nessus scans, including whether lockout thresholds and duration are set as required by DSS 8.1.6.a and 8.1.7.
- Nessus scans that audit Unix and Windows operating systems can be used to ensure that each user is configured per organization policy, including ensuring that a password or another authentication method is required (8.2), that password files are encrypted (8.2.1.a), that password construction parameters are set to ensure complex passwords (8.2.3.a), that password changes are required at least every 90 days (8.2.4.a), and that none of the last 4 passwords may be reused when a password is changed (8.2.5.a).
- Nessus configuration audits ensure that generic or shared accounts are not used (8.5.a), including checking that passwords are not used across a service provider's customers (8.5.1).
- Nessus can be used to audit database (Oracle, SQL Server, MySQL, DB2, Informix/DRDA, PostgreSQL) configurations to ensure that users are required to authenticate prior to access (8.7.a).

Requirement 9: Restrict physical access to cardholder data
Controls addressed: N/A
No controls in this PCI requirement are addressed by the Tenable solution.

Requirement 10: Track and monitor all access to network resources and cardholder data
Controls addressed: 10.2.4, 10.4, 10.4.1.b
Nessus can supplement control 10.2.4 by auditing log settings to identify compliance issues, for instance whether all systems are configured to log failed access attempts as well as allowed access attempts. An organization can use Nessus scans to monitor for the use of time synchronization technologies and determine whether they are current (10.4, 10.4.1.b).

Requirement 11: Regularly test security systems and processes
Controls addressed: 11.1.b, 11.1.d, 11.1.1, 11.2.1.a, 11.2.1.b, 11.2.1.c, 11.2.3.a, 11.2.3.b, 11.2.3.c, 11.3, 11.5.a, 11.5.1
Quarterly internal and external scanning supports the PCI DSS 11 requirements. Tenable supports the following specific controls:

- Nessus scans, in conjunction with operational procedures, can be used to meet an organization's requirements for performing quarterly audits for unauthorized wireless access points (11.1.b), and once configured can be scheduled to run quarterly. In conjunction with operating procedures, Nessus scans can identify wireless access points, and custom scans can be developed to distinguish unauthorized access points from those authorized by management (11.1.1) and to generate alerts should a possible rogue wireless access point be identified (11.1.d)
- Nessus Vulnerability Scanner supports the PCI DSS 11.2.1 internal vulnerability scanning requirements and can be scheduled to run quarterly automatically, thus guaranteeing an organization four quarterly internal scans in the last 12-month period (11.2.1.a). Preconfigured or customized scanning parameters can be used by an organization to meet its vulnerability scanning needs and to identify high-risk vulnerabilities as required by PCI DSS 6.1 (11.2.1.b). While use of an ASV is not required for internal scanning, the Tenable ASV (11.2.1.c) is available to assist with these scans when qualified internal resources are not available.
- As part of an organization's change control process, Nessus Vulnerability Scanner can help meet PCI DSS 11.2.3 requirements for running vulnerability scans when significant changes are introduced into the environment. Identified vulnerabilities can be addressed and scans rerun until the vulnerabilities have been resolved.
- Nessus scans can be used to discover systems that may be in scope for penetration testing (11.3)
- While Nessus is not a file-integrity monitoring tool, organizations can deploy custom Nessus scan policies to detect changes or deviations from an organization's approved system settings. To meet the requirements of 11.5.a, the organization needs to run these scans at least weekly and to generate alerts when changes are detected (11.5.1).

Requirement 12: Maintain a policy that addresses information security for all personnel
Controls addressed: 12.2.a, 12.3.3
Information provided from SecurityCenter can be used by management to audit and maintain compliance with policies, including:

- Using scanning activities to assess an organization's vulnerabilities can provide valuable information for management's risk assessment activities (12.2.a)
- Using scans to identify critical end-user computing technology, including wireless access points and modems, and their locations can support management of end-user technologies and the acceptable use policy requirements (12.3.3)

Requirement A.1: Shared hosting providers must protect the cardholder data environment
Controls addressed: N/A
No controls in this PCI requirement are addressed by the Tenable solution.
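The Requirement 8 parameter audit described in this matrix (lockout threshold and duration, password length, 90-day rotation, last four passwords), as an added example for a Linux host; this is not Tenable's code and not a Nessus audit file. It reads login.defs and pam_faillock / pam_pwhistory option lines, which are standard formats, while the parsing and the two sample configurations are this example's assumptions; the thresholds are PCI DSS v3.0's own.

```python
"""Added example (not Tenable's code): audit a Linux host's account and password
settings against the Requirement 8 parameters the table lists, reading login.defs
and pam_faillock / pam_pwhistory option lines. The parsing and the two sample
configurations are this example's assumptions; the thresholds are PCI DSS v3.0's."""

# PCI DSS v3.0: 8.1.6 (max six attempts), 8.1.7 (lockout of at least 30 minutes),
# 8.2.3 (at least seven characters), 8.2.4 (change at least every 90 days), 8.2.5 (last four).
MAX_FAILED_ATTEMPTS = 6
MIN_LOCKOUT_SECONDS = 1800
MIN_PASSWORD_LEN = 7
MAX_PASSWORD_AGE_DAYS = 90
MIN_PASSWORD_HISTORY = 4


def parse_login_defs(text):
    """Return {KEY: value} from login.defs-style text, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def parse_pam_options(text, module):
    """Return the option=value pairs following the first active PAM line that loads `module`."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens):
            if tok.endswith(module):
                opts = {}
                for opt in tokens[i + 1:]:
                    key, _, value = opt.partition("=")
                    opts[key] = value
                return opts
    return {}


def audit_password_policy(login_defs_text, pam_text):
    """Return (control, finding) tuples for each parameter outside the PCI DSS v3.0 limits."""
    defs = parse_login_defs(login_defs_text)
    lock = parse_pam_options(pam_text, "pam_faillock.so")
    hist = parse_pam_options(pam_text, "pam_pwhistory.so")
    findings = []
    max_days = int(defs.get("PASS_MAX_DAYS", 99999))      # shadow default: never expire
    if max_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(("8.2.4.a", "PASS_MAX_DAYS={} exceeds {}".format(max_days, MAX_PASSWORD_AGE_DAYS)))
    min_len = int(defs.get("PASS_MIN_LEN", 0))             # length only; 8.2.3 complexity needs pam_pwquality too
    if min_len < MIN_PASSWORD_LEN:
        findings.append(("8.2.3.a", "PASS_MIN_LEN={} below {}".format(min_len, MIN_PASSWORD_LEN)))
    deny = int(lock.get("deny", 0))                        # 0: no lockout configured at all
    if deny == 0 or deny > MAX_FAILED_ATTEMPTS:
        findings.append(("8.1.6.a", "lockout threshold deny={} (required: 1-{})".format(deny, MAX_FAILED_ATTEMPTS)))
    unlock = int(lock.get("unlock_time", 0))
    if unlock < MIN_LOCKOUT_SECONDS:
        findings.append(("8.1.7", "unlock_time={}s below {}s".format(unlock, MIN_LOCKOUT_SECONDS)))
    remember = int(hist.get("remember", 0))
    if remember < MIN_PASSWORD_HISTORY:
        findings.append(("8.2.5.a", "password history remember={} below {}".format(remember, MIN_PASSWORD_HISTORY)))
    return findings


# Constructed sample configurations: a stock-looking weak one and a hardened one.
WEAK_LOGIN_DEFS = "PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_MIN_LEN\t5   # too short\n"
WEAK_PAM = (
    "auth required pam_faillock.so preauth silent deny=10 unlock_time=600\n"
    "password required pam_pwhistory.so remember=2 use_authtok\n"
)
HARDENED_LOGIN_DEFS = "PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t1\nPASS_MIN_LEN\t7\n"
HARDENED_PAM = (
    "# lock after six failures for 30 minutes; keep the last four hashes\n"
    "auth required pam_faillock.so preauth silent deny=6 unlock_time=1800\n"
    "password required pam_pwhistory.so remember=4 use_authtok\n"
)

if __name__ == "__main__":
    for label, d, p in (("weak", WEAK_LOGIN_DEFS, WEAK_PAM), ("hardened", HARDENED_LOGIN_DEFS, HARDENED_PAM)):
        print(label, audit_password_policy(d, p) or "no findings")
```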

Passive Vulnerability Scanner

Passive Vulnerability Scanner (PVS) provides continuous monitoring of network security, supported by pre-configured scanning scripts ("plugins") and the ability to customize plugins for an organization's unique scanning requirements. Continuous monitoring provides real-time analysis of the state of an organization's security.

Figure 11: Passive Vulnerability Scanner (PVS)

Key capabilities of the Passive Vulnerability Scanner (PVS) include:

- Full asset discovery, including mobile and virtual devices and cloud-based applications
- Uncovers assets that are difficult to detect, such as unauthorized devices (BYOD and "shadow IT")
- Identification of risks from assets, applications, and services
- Insight into services, security vulnerabilities, suspicious network relationships, and compliance violations

Available as an individual product subscription or as part of SecurityCenter CV, PVS analyzes network traffic for insight into services, suspicious network relationships, and compliance violations. Used in conjunction with SecurityCenter CV, enhanced reporting, and a web-based dashboard, an organization can obtain a comprehensive and easily readable view into the state of the enterprise, or drill down to view the state of the cardholder data environment or other critical network zones.

Tenable provides solutions to support or meet PCI DSS controls. Additional policies, processes or technologies must be used in conjunction with Tenable's solution. The following product matrix explains which PCI controls are supported or supplemented by Passive Vulnerability Scanner.

Table 6: Applicability of PCI DSS v3.0 Controls to Passive Vulnerability Scanner

PCI DSS V3.0 APPLICABILITY MATRIX - PVS

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls: 1.1.1.c, 1.2.1.a, 1.2.1.b, 1.2.1.c, 1.2.3.a, 1.2.3.b, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7

Passive Vulnerability Scanner can be used by network administrators to ensure that their organization's policies and procedures are appropriately implemented with Tenable-provided and custom-developed scans:
o Ensure that documented processes for approving changes to networks are in place and operating appropriately by using audit scan results to confirm that identified changes match change control documents (1.1.1.c).
o Monitor firewall configurations to ensure that devices are configured to meet organization-established policies and PCI DSS requirements for restricting connections between untrusted networks and system components in the cardholder data environment (1.2.1.b).
o PVS can enumerate both served and browsed firewall ports, as well as which systems accept connections from the Internet, to assist with the ongoing maintenance of a firewall configuration (1.2.1.a & c).
o PVS can be configured to passively scan between a perimeter firewall separating a wireless network from the CDE to look for unauthorized traffic (1.2.3.a & 1.2.3.b) or changes to the firewall rules that might allow unapproved traffic.

Continuous passive monitoring with PVS looks for systems that allow connections between untrusted networks, and between the Internet and systems within the CDE, including examining firewall and router configurations to address the DSS 1.3 requirements:
o DMZ implemented to limit inbound traffic to only system components that provide authorized publicly accessible services (1.3.1)
o Inbound Internet traffic limited to IP addresses within the DMZ (1.3.2)
o Prohibit direct connections between the Internet and the cardholder data environment (1.3.3)
o Implementation of anti-spoofing measures (1.3.4)
o Outbound traffic from the cardholder data environment to the Internet is explicitly authorized (1.3.5)
o Stateful inspection performed (1.3.6)
o Cardholder data stores are on an internal network zone segregated from the DMZ and other untrusted networks (1.3.7)

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls: 2.1.a, 2.1.b, 2.1.c, 2.1.1.b, 2.1.1.e, 2.2.1.a, 2.2.1.b, 2.2.2.a, 2.2.3, 2.2.4.b, 2.2.5.a, 2.3.b, 2.3.d, 2.4.a

Nessus Vulnerability Scanner augments the following specific controls:
o By scanning for the use of default passwords, systems administrators can implement procedures for ensuring that newly installed systems are not using default passwords (2.1.a & b) and inappropriate default security parameters or accounts. PVS can detect many vendor default passwords or login settings (2.1.c).
o Checking for common SNMP and login settings on wireless devices to ensure that all wireless vendor defaults have been changed (2.1.1.b). Additionally, Nessus can audit the active wireless domain of each Windows device to develop a complete list of all wireless devices. PVS can detect common or default SNMP community strings in use (2.1.1.e).
o Configured with an organization's approved configuration standards, audit policies can log into Windows, Unix, Linux, Mac OS X, AIX, HP-UX, and other systems to confirm compliance to organizational standards (2.2.a).
o PVS can be used to profile systems (2.2.1.a & b), discover open ports and identify vulnerabilities (2.2.2.a), identify security features and parameters implemented (2.2.3 and 2.2.4.b), and identify vulnerabilities (2.2.5.a).
o PVS can check for the presence of encryption, including SSH, VPN, or SSL/TLS, in network connections (2.3.b & 2.3.d).
o PVS has the ability to assist with the maintenance of asset lists of systems, including the identification of software found to be installed on systems within the cardholder data environment (2.4.a).

Product Applicability Guide 29

Requirement 3: Protect stored cardholder data
Controls: 3.1.b

Passive Vulnerability Scanner (PVS) can be used by an organization to identify the occurrence of unencrypted PAN (primary account numbers) (3.1.b) and to monitor protection of encryption keys. As part of the risk assessment process to identify all occurrences of PAN, organizations can use information provided by passive vulnerability scanning to determine whether all instances of PAN storage are needed by the business and drill down to secure the data. PVS can also detect PII and card data in motion when unencrypted and identify which hosts are serving this information.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Controls: 4.1.a, 4.1.c, 4.1.d, 4.1.e, 4.1.f, 4.1.g, 4.2.a

Passive Vulnerability Scanner (PVS) can be used by an organization to verify that safeguards are in place and appropriately configured for transmitting sensitive cardholder data (4.1.a) over open, public networks by scanning all web portals or Internet access points used for transmitting credit card data to collect information about allowed protocols and other encryption parameters (4.1.c & 4.1.d). PVS tests all SSL systems for compliance with PCI DSS, using continuous monitoring to identify issues (4.1), such as verification of host names related to SSL keys, secure protocols enabled when cardholder data is transmitted, and strength and age of SSL keys to ensure they are up-to-date (4.1.e, 4.1.f, & 4.1.g). As part of an organization's risk assessment and vulnerability management efforts, PVS can be used to verify that PANs are transmitted encrypted by scanning for transmission of unencrypted PAN. The results can be analyzed to detect emails that have been sent by system scripts, and emails sent with unencrypted PAN (4.2.a).
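As an added, self-contained Python illustration (not Tenable's code or the detection logic inside PVS) of the unencrypted-PAN detection that the 3.1.b and 4.2.a passages describe, both here and where the SecurityCenter Continuous View table repeats them: it pulls candidate card numbers out of constructed plaintext payloads, keeps only those that pass the Luhn check, and reports them masked so the alert itself does not re-expose the PAN. The sample payloads and the channel-to-control mapping are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Candidate PAN formats as they appear in plaintext: an unbroken run of 13-19
# digits, a 4-4-4-4 grouping, or a 4-6-5 grouping (American Express style).
# Requiring these groupings stops dates ("2024-01-15") and timestamps from
# being glued together with neighbouring digits into a false candidate.
_CANDIDATE = re.compile(
    r"(?<![\d-])(?:\d{13,19}|\d{4}(?:[ -]\d{4}){3}|\d{4}[ -]\d{6}[ -]\d{5})(?![\d-])"
)

# Illustrative mapping (an assumption for this example) from the channel a
# payload was seen on to the PCI DSS 3.0 control the finding is reported
# under: end-user messaging is 4.2.a, any other network channel 4.1.a.
_CONTROL_BY_CHANNEL = {"smtp": "4.2.a"}
_DEFAULT_CONTROL = "4.1.a"


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, so an alert never
    re-exposes the full PAN it is warning about."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str       # constructed label for where the payload was observed
    channel: str      # protocol family taken from the source label
    control: str      # PCI DSS control the finding maps to
    masked_pan: str


def find_unencrypted_pan(source: str, payload: str) -> list[Finding]:
    """Return one Finding per Luhn-valid PAN found in a plaintext payload."""
    channel = source.split()[0].lower()
    control = _CONTROL_BY_CHANNEL.get(channel, _DEFAULT_CONTROL)
    findings = []
    for m in _CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(Finding(source, channel, control, mask_pan(digits)))
    return findings


def scan_payloads(samples: Iterable[tuple[str, str]]) -> list[Finding]:
    """Run the detector over (source, payload) pairs and collect findings."""
    return [f for src, body in samples for f in find_unencrypted_pan(src, body)]


# Constructed sample observations. The card numbers are the public test
# numbers payment processors publish for integration testing, not real accounts.
SAMPLE_PAYLOADS = [
    ("http POST /checkout 10.0.5.23", "card=4111111111111111&exp=12/26"),
    ("smtp script@erp.example", "Order 8831 paid with 5555 5555 5555 4444"),
    ("http POST /checkout 10.0.5.24", "card=4111111111111112&exp=01/27"),  # fails Luhn
    ("syslog app01", "2024-01-15 txn_ts=20240115120000 status=ok"),        # timestamp
    ("smtp finance@corp.example", "Amex 3782 822463 10005 charged"),
    ("https 10.0.5.25:443", "\x17\x03\x03\x00\x45\x8a\x1f..."),             # TLS record
]

if __name__ == "__main__":
    for f in scan_payloads(SAMPLE_PAYLOADS):
        print(f"{f.control}: {f.masked_pan} on {f.source} ({f.channel})")
```

The same detector applied to file contents rather than captured payloads covers the data-at-rest side of 3.1.b; the TLS sample shows why only plaintext channels yield findings.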

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Controls: 5.1, 5.2.a, 5.2.b, 5.2.c

Passive Vulnerability Scanner (PVS) can supplement a comprehensive malware prevention program to safeguard an organization from malware by supporting procedures for ensuring ongoing compliance. PVS can detect traffic to and from anti-virus update servers. This information can be used to supplement Nessus scans, which scan for anti-virus instances on system types susceptible to malware, verify that AV protection is installed on all systems, and check that it is appropriately configured and up-to-date (5.1 & 5.2.a, b & c).

Requirement 6: Develop and maintain secure systems and applications
Controls: 6.1.a, 6.2.b, 6.5.d, 6.5.1, 6.5.2, 6.5.4, 6.5.5, 6.5.6, 6.5.8, 6.6

Tenable updates PVS regularly for new vulnerabilities. In conjunction with other external resources, PVS can support the vulnerability (6.1.a) and patch management (6.2.b) processes by continuously scanning the network, allowing the organization to identify new vulnerabilities provided in Tenable updates or as vulnerabilities are introduced into the network. PVS can also be used to complement patch audits to correlate whether certain software has been updated, based on the version numbers detected in network traffic (6.2.b). PVS provides CVSS2 scores for vulnerabilities identified, assigning a risk ranking to any vulnerabilities identified (6.1.a).

Organizations that develop custom software for their cardholder data environment are required to ensure that secure coding practices, such as those identified in OWASP, are used. Nessus and PVS can be used as part of the software development and testing processes to test for common coding vulnerabilities (6.5.d). Implemented in a test environment that simulates the production environment, Tenable products can be used with other testing tools to check for well-known vulnerabilities before code is introduced into production:
o PVS can be used to monitor live websites to look for errors that might be indicative of an injection flaw (such as SQL injection, OS command injection, LDAP and XPath injection flaws) (6.5.1). PVS can check for a variety of SQL injection flaws in web applications (6.5.1).
o PVS can be used to identify well-known vulnerabilities, including buffer overflows. It also detects many cross-site scripting and cross-site request forgery vulnerabilities (6.5.2).
o PVS checks for communication over a variety of protocols and can recognize and report on insecure communication protocols (6.5.4).
o PVS will observe responses to web probes that return a catch-all error page or error codes, which can provide information that could be used to breach the system (6.5.5).
o PVS can be used to check for well-known attacks against web applications, operating systems, and other software. Nessus can provide CVSS2 scores and criticality risk rankings, which can be used to identify high-risk vulnerabilities that need to be addressed prior to deployment of code changes (6.5.6).
o PVS can perform checks for known access control vulnerabilities such as directory traversals and authentication bypass issues (6.5.8).

While Tenable does not evaluate web application source code, PVS can be customized to identify changes to web applications. Management can use the information provided to determine if changes are significant and if an application security review is appropriate, as required by DSS 6.6.

Requirement 7: Restrict access to cardholder data by business need to know
Controls: N/A

No controls in this PCI requirement are addressed by the Tenable solution.

Requirement 8: Identify and authenticate access to system components
Controls: N/A

No controls in this PCI requirement are addressed by the Tenable solution.

Requirement 9: Restrict physical access to cardholder data
Controls: N/A

No controls in this PCI requirement are addressed by the Tenable solution.

Requirement 10: Track and monitor all access to network resources and cardholder data
Controls: 10.4.2.a, 10.4.2.b

An organization can use PVS to monitor for use of unauthorized NTP services, detecting all NTP queries and alerting when an unauthorized NTP service is accessed (10.4.2.a & b).

Requirement 11: Regularly test security systems and processes
Controls: 11.1.b, 11.2.3.a, 11.3, 11.4.a

Passive Vulnerability Scanner supplements the compliance scanning activities of Nessus Enterprise Cloud and Nessus Vulnerability Scanners by providing continuous, real-time scanning for vulnerabilities. Organizations can customize scanning parameters to meet their specific organizational needs, and with the information provided can address vulnerabilities as they are introduced into an organization's environment. Tenable supports the following specific controls:
o PVS can be configured to continuously monitor for unauthorized wireless access points through the use of customized policies, showing end system nodes that belong to wireless networks, and highlighting exposed management interfaces and rogue access points (11.1.b).
o PVS can be used to identify changes introduced into the environment. Organizations can use the information provided to determine if changes are significant and to determine when Nessus scans are required for compliance with the 11.2.3.a requirement for running internal and external scans when significant changes are made.
o PVS can be used to discover systems that may be in scope for penetration testing (11.3).
o PVS can be used to monitor all traffic at the perimeter of the cardholder data environment as well as critical points in the cardholder data environment, and alert personnel to suspected compromises (11.4.a).

Requirement 12: Maintain a policy that addresses information security for all personnel
Controls: 12.2.a, 12.3.3, 12.3.9, 12.8.4, 12.10.5

Passive Vulnerability Scanner can be used to provide critical information to management for supporting their risk assessment and incident response planning activities. Results of PVS scanning activities can be used to identify vulnerabilities that need to be addressed in management's risk management activities. Providing continuous real-time vulnerability analysis allows the risk assessment process to be an ongoing business process rather than a once-a-year activity (12.2.a). Using PVS to collect information, an organization can monitor its usage policy compliance by identifying and reporting new devices introduced to the network (12.3.3), to initiate review to verify that new technology does not introduce new vulnerabilities, and to maintain an up-to-date list of devices. For remote access technology used by vendors, PVS can identify and alert on activity so that an organization can monitor its network use by the external entity and verify that it has been de-activated when no longer needed (12.3.9). PVS can be used to supplement monitoring of vendor activities by placing a scanner on network segments where third parties connect to the network and using PVS to monitor vendor connections, including type of connection and time (12.8.4). PVS can be used to support an organization's Incident Response Plans by providing alerts to the Incident Response Team when scans, audits, or automated log monitoring activities indicate that a possible breach has occurred (12.10.5). Additionally, information provided by PVS can be used in analyzing the breach.

Requirement A.1: Shared hosting providers must protect the cardholder data environment
Controls: N/A

No controls in this PCI requirement are addressed by the Tenable solution.

SecurityCenter Continuous View

SecurityCenter Continuous View provides Nessus Vulnerability Scanners, Passive Vulnerability Scanner, and the Log Correlation Engine as a full vulnerability management suite of tools.

Figure 12: SecurityCenter Continuous View

SecurityCenter Continuous View offers the following benefits:
o Vulnerability management with security and compliance checks for physical hosts and operating systems, VMware virtual systems, and applications on guest systems.
o Real-time compliance monitoring that continuously monitors for out-of-compliance systems so you can address issues before the next audit. SecurityCenter CV can make use of more than 500 individual audit policies to ensure the integrity of a broad range of physical, virtual and mobile assets.
o Correlates network usage and behavior information with vulnerability scan data.
o Collects log data from across the IT environment to provide constant visibility into the real-time activity occurring in your network and on your devices.
o Integration with patch management systems.
o Analyzes and archives critical security data from across your network, including mobile, virtual and cloud devices, and allows forensic analysts to quickly examine this data to pinpoint security and compliance issues.
o Detects the presence of malicious processes on physical, virtual and mobile devices.
o Identifies devices on your network communicating with known botnets and command and control (CnC) servers.
o Audits anti-virus tools to ensure they are up to date and operational.

Log Correlation Engine

The Log Correlation Engine (LCE) is an integral part of SecurityCenter Continuous View that normalizes, correlates, and analyzes log data, detects vulnerabilities of devices not accessible by other techniques such as active or passive scanning, and can also add context to scans. LCE collects data from physical and virtual systems and network infrastructure such as firewalls and intrusion detection and prevention systems, as well as raw network traffic, application logs, and user activity, to demonstrate compliance and help isolate and pinpoint threats, misconfigurations, and audit violations.

SecurityCenter Continuous View offers continuous asset discovery, vulnerability assessment, and compliance auditing by integrating the following technologies:
o Unlimited Nessus vulnerability scanners
o Unlimited Passive Vulnerability Scanners
o Log Correlation Engine (5 TB storage)
o Nessus Enterprise Cloud (separate subscription)

Used as part of an organization's operational and auditing procedures, SecurityCenter CV provides information from scanning activities and its Log Correlation Engine that supports security administration activities and sound vulnerability management decisions. Tenable provides solutions to support or meet PCI DSS controls. Additional policies, processes or technologies need to be used in conjunction with Tenable's solutions to fully comply with PCI DSS. The following product matrix explains which PCI controls are supported or supplemented by SecurityCenter Continuous View.

Table 7: Applicability of PCI DSS v3.0 Controls to SecurityCenter Continuous View

PCI DSS V3.0 APPLICABILITY MATRIX - SECURITYCENTER CONTINUOUS VIEW

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls: 1.1.1.c, 1.1.2.a, 1.1.6.a, 1.1.7.a, 1.2.1.a, 1.2.1.b, 1.2.1.c, 1.2.2.a, 1.2.2.b, 1.2.3.a, 1.2.3.b, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8.a, 1.4.b, 1.5

SecurityCenter CV can be used to supplement the firewall configuration controls required in PCI DSS Requirement 1. Continuous and periodic scanning results can be used to compare an organization's configuration policies to running configurations; administrators can monitor the state of compliance and take corrective measures as appropriate as issues are identified. Using pre-configured PCI compliance policies and organization-specific policies, administrators can utilize the SecurityCenter CV reporting provided with the web-based dashboard, which provides network views and alerts administrators when compliance parameters are not maintained or when customized vulnerability thresholds are exceeded. Tenable augments the following specific controls:
o SecurityCenter CV can be used to support the documentation requirements outlined in DSS 1.1 for firewall and router configuration standards through the use of customized policy plug-ins used for ongoing/continuous monitoring and reporting, ensuring that all firewall rule changes have been approved and documentation updated (1.1.1.c).
o SecurityCenter CV directly supports the DSS 1.1.7.a requirement to review firewall and router rule sets at least every six months by allowing administrators to schedule audits that compare administrator-configured CV configuration policies to actual rule sets, and identify, report, and alert administrators of discrepancies.
o The 3D Tool can also be used to create and maintain a current network diagram as required by PCI DSS requirement 1.1.2.a.
o SecurityCenter CV's analytical tools and Log Correlation Engine can be used to monitor firewall configurations to ensure that devices are configured to meet organization-established policies and PCI DSS requirements for restricting connections between untrusted networks and system components in the cardholder data environment (1.2.1.b).
o PVS can enumerate both served and browsed firewall ports, as well as which systems accept connections from the Internet, to assist with the ongoing maintenance of a firewall configuration (1.2.1.a & c).
o SecurityCenter CV's analytical tools with Nessus scans can be used to monitor router configurations to verify that the configurations are secured from unauthorized access (1.2.2.a) and that router configurations are synchronized (1.2.2.b).
o PVS, as part of SC CV, can be configured to passively scan between a perimeter firewall separating a wireless network from the CDE to look for unauthorized traffic (1.2.3.a & b) or changes to the firewall rules that might allow unapproved traffic.
o SecurityCenter CV can be used to analyze network traffic by reviewing information provided by the Log Correlation Engine and PVS, which identifies which assets are communicating with each other and what ports are used for the communication. Using this information, an organization can assess network traffic to ensure that firewalls are configured to prohibit direct public access between the Internet and components in the cardholder data environment (1.3.1). Nessus can scan the systems themselves to detect open ports and protocols in use (1.1.6.a) and can detect private IP addresses (1.3.8.a).

Continuous passive monitoring with PVS looks for systems that allow connections between untrusted networks, and between the Internet and systems within the CDE, including examining firewall and router configurations to address the DSS 1.3 requirements:
o DMZ implemented to limit inbound traffic to only system components that provide authorized publicly accessible services (1.3.1)
o Inbound Internet traffic limited to IP addresses within the DMZ (1.3.2)
o Prohibit direct connections between the Internet and the cardholder data environment (1.3.3)
o Implementation of anti-spoofing measures (1.3.4)
o Outbound traffic from the cardholder data environment to the Internet is explicitly authorized (1.3.5)
o Stateful inspection performed (1.3.6)
o Cardholder data stores are on an internal network zone segregated from the DMZ and other untrusted networks (1.3.7)

Using customized Nessus configuration audits, SecurityCenter CV can be used to audit devices used to access the organization's network remotely to ensure that the required software is installed, running, and configured correctly (1.4.b). Organizations can supplement network documentation requirements when administrators include management of SecurityCenter CV's configuration policies in the documentation and change control processes (1.5).

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls: 2.1.a, 2.1.b, 2.1.c, 2.1.1.b, 2.1.1.e, 2.2.a, 2.2.1.a, 2.2.1.b, 2.2.2.a, 2.2.3, 2.2.4.b, 2.2.5.a, 2.3.b, 2.4.a

SecurityCenter CV, using information provided by Nessus and Passive Vulnerability Scanner, can be used to supplement implemented processes and controls for administration of security parameters required in PCI DSS Requirement 2. Through continuous and periodic scanning/auditing of configuration policies against running configurations, administrators can monitor the state of compliance and take corrective measures as appropriate. Tenable augments the following specific controls:
o SecurityCenter CV can be used by systems administrators to implement procedures for ensuring that newly installed systems are not using default passwords (2.1.a & b) and inappropriate default security parameters or accounts (2.1.c).
o SecurityCenter CV can use Nessus and PVS to check for common SNMP and login settings on wireless devices to ensure that all wireless vendor defaults have been changed (2.1.1.b). Additionally, Nessus can audit the active wireless domain of each Windows device to develop a complete list of all wireless devices (2.1.1.e).
o SecurityCenter CV can be configured with an organization's approved configuration standards to allow for audit policies to log into Windows, Unix, Linux, Mac OS X, AIX, HP-UX, and other systems to confirm compliance to organizational standards (2.2.a), or PVS and Nessus can be used to profile systems (2.2.1.a & b), discover open ports (2.2.2.a), identify security features and parameters (2.2.3 & 2.2.4.b) and identify vulnerabilities (2.2.5.a).
o SecurityCenter CV and Nessus can be used to look for any non-encrypted services on organization-specified assets that are required to use SSH or SSL for administration (2.3.b). Using the Log Correlation Engine, an organization can correlate network traffic with logins to verify that only encrypted protocols are being used.
o SecurityCenter CV has the ability to maintain an inventory of assets on the network using data provided by Nessus and PVS scans, including both systems and software found on the systems (2.4.a).

Requirement 3: Protect stored cardholder data
Controls: 3.1.b, 3.5

SecurityCenter CV, using Nessus and Passive Vulnerability Scanner, can be used by an organization to identify the occurrence of unencrypted PAN (primary account numbers) and to monitor protection of encryption keys. As part of the risk assessment process to identify all occurrences of PAN, organizations can use information provided by SecurityCenter CV to determine whether all instances of PAN storage are needed by the business and drill down to secure the data. SecurityCenter and the LCE can help identify systems and report on their security issues and log access to these devices, including insertion and removal of USB devices (3.1.b). There are many physical and electronic methods of storing cryptographic keys. An organization can use SecurityCenter CV and the Log Correlation Engine as part of its key management procedures for protecting encryption keys by using the tools to identify systems storing keys, report security issues on these systems, and log access to the devices, including insertion and removal of USB devices (3.5).

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Controls: 4.1.a, 4.1.c, 4.1.d, 4.1.e, 4.1.f, 4.1.g, 4.2.a

SecurityCenter CV can be used by an organization to safeguard sensitive cardholder data during transmission over open, public networks, scanning all web portals or Internet entrance points accepting credit card data to collect information about allowed protocols and other encryption parameters. Nessus Vulnerability Scanner can be used by an organization to verify that safeguards are in place and appropriately configured for transmitting sensitive cardholder data (4.1.a) over open, public networks by scanning all web portals or Internet access points used for transmitting credit card data to collect information about allowed protocols and other encryption parameters (4.1.c and 4.1.d). Nessus Vulnerability Scanner tests all SSL systems for compliance with PCI DSS, using periodic or continual scans to identify issues, such as verification of host names related to SSL keys, secure protocols enabled when cardholder data is transmitted, and strength and age of SSL keys to ensure they are up-to-date (4.1.e, 4.1.f, & 4.1.g).

As part of an organization's risk assessment and vulnerability management efforts, PVS can be used to verify that PANs are transmitted encrypted by scanning for transmission of unencrypted PAN. The results can be analyzed to detect emails that have been sent by system scripts, and emails sent with unencrypted PAN (4.2.a).

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Controls: 5.1, 5.2.a, 5.2.b, 5.2.c, 5.2.d, 5.4

SecurityCenter CV with Passive Vulnerability Scanner (PVS) can supplement a comprehensive malware prevention program to safeguard an organization from malware by supporting procedures for ensuring ongoing compliance. PVS scans can be configured to scan for anti-virus instances on system types susceptible to malware, verify that AV protection is installed on all systems, and check that it is appropriately configured and up-to-date (5.1 & 5.2.a, b & c). PVS can detect traffic to and from anti-virus update servers. The Log Correlation Engine augments an organization's compliance with anti-virus technology log retention by providing log monitoring, retention and analytics to verify that logs are retained as required (5.2.d). Organizations can supplement anti-virus policies and procedures supporting controls 5.1 and 5.2 to ensure that documented procedures are current and that processes for supporting policies and procedures are working as documented (5.4).

Requirement 6: Develop and maintain secure systems and applications
Controls: 6.1.a, 6.2.b, 6.4.1.a, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6

Tenable regularly updates Nessus Vulnerability Scanner and Passive Vulnerability Scanner for new vulnerabilities. In conjunction with other external resources, SecurityCenter CV can use information provided by these tools to support the vulnerability and patch management processes by providing reports and dashboards from PVS's continuous scanning of the network, allowing the organization to identify new vulnerabilities provided in Tenable updates or as vulnerabilities are introduced into the network (6.1.a). Nessus scans can also be used in patch audits of the network to ensure that patching on Unix, Linux, and Windows servers is up-to-date and to report when patches are implemented (6.2.b). SecurityCenter CV reports can use PVS-provided CVSS2 scores for vulnerabilities identified, assigning a risk ranking to any vulnerabilities identified (6.1.a). PVS can also be used to complement patch audits to correlate whether certain software has been updated, based on the version numbers detected in network traffic (6.2.b). Used within an organization's formal change control process, SecurityCenter CV can be used to monitor separation of the environments by monitoring activity between the test and production environments, monitor for changes in the cardholder environment to ensure that all changes to production have been introduced under proper change control procedures, and use the Log Correlation Engine to monitor file MD5 checksums in real time to detect modifications made during a change control process (6.4.1.a).

Organizations that develop custom software for their cardholder data environment are required to ensure that secure coding practices, such as those identified in OWASP, are used. When running in a development/test environment, SecurityCenter CV reports can be used in the software development and testing process to check for common coding vulnerabilities, allowing the development team to address identified vulnerabilities prior to deployment. Tenable can be used with other testing tools to check for well-known vulnerabilities before code is introduced into production:
o PVS can be used to monitor live websites to look for errors that might be indicative of an injection flaw (such as SQL injection, OS command injection, LDAP and XPath injection flaws) (6.5.1). Nessus can check for a variety of SQL injection flaws in web applications (6.5.1).
o Nessus can be used to identify well-known vulnerabilities, including buffer overflows (6.5.2).
o Nessus and PVS can be used as a discovery tool to identify the content of files by looking for cardholder data to determine whether encryption is required (6.5.3).
o PVS checks for communication over a variety of protocols and can recognize and report on insecure communication protocols (6.5.4).
o Nessus and PVS will observe responses to web probes that return a catch-all error page or error codes that can provide information that could be used to breach the system (6.5.5). The Log Correlation Engine can be used to read error logs from web servers; monitoring these logs can be used to analyze possible error messages that provide information that could be used to breach the system (6.5.5).
o Nessus can be used to check for well-known attacks against web applications, operating systems, and other software. Nessus can provide CVSS2 scores and criticality risk rankings, which can be used to identify high-risk vulnerabilities that need to be addressed prior to deployment of code changes (6.5.6).
o Nessus and PVS can check for cross-site scripting vulnerabilities (6.5.7).
o Nessus and PVS can perform checks for known access control vulnerabilities such as directory traversals and authentication bypass issues (6.5.8).
o Nessus and PVS can perform checks for cross-site request forgery vulnerabilities (6.5.9).
o Nessus can perform checks for broken authentication and session management vulnerabilities (6.5.10).

While SecurityCenter CV does not evaluate web application source code, Nessus, PVS and the Log Correlation Engine can be customized to identify changes to web applications. Management can use the information provided to determine if changes are significant and if an application security review is appropriate, as required by PCI DSS (6.6).

Requirement 7: Restrict access to cardholder data by business need to know
Controls: 7.1.a, 7.1.2.b, 7.1.3, 7.2.1, 7.2.2, 7.2.3, 7.3

While Nessus and SecurityCenter CV do not actively perform access control functionality, Nessus compliance checks and SecurityCenter CV's Log Correlation Engine can supplement an organization's access control processes and procedures by providing information that can be used to assess compliance and alert an administrator when access control processes could be weak or out of compliance. Using Nessus compliance checks and the Log Correlation Engine to analyze logs, SecurityCenter CV reports can:
o Provide information about whether Linux and Windows servers and desktops, and firewalls, have access control lists implemented to meet an organization's requirements, provide a list of users authorized to access a system, and provide audit reports of users logging into a system and users attempting but failing to log on (7.1.a, 7.1.2.b, 7.1.3).
o Audit security parameters to ensure that access control settings meet PCI requirements, including ensuring that access control systems are in place (7.2.1), that privileged access is assigned to individuals based upon job classifications (7.2.2), and that access is denied to all unless explicitly allowed (7.2.3).
o Provide the data necessary for management's review of access rights as part of periodic access monitoring (7.3).

As part of an access management process, SecurityCenter CV and the Log Correlation Engine can monitor access by privileged users and other users with high-risk access to watch for potential misuse such as logging on after normal business hours, logging on more often than expected, or accessing files with sensitive data/encryption keys (7.2 and 7.3).

Requirement 8: Identify and authenticate access to system components
Controls: 8.1.1, 8.1.2, 8.1.3.a, 8.1.4, 8.1.5.b, 8.1.6.a, 8.1.7, 8.2, 8.2.1.a, 8.2.3.a, 8.2.4.a, 8.2.5.a, 8.3.a, 8.4.a, 8.5.a, 8.5.1, 8.7.a, 8.7.b, 8.7.c

An organization can use SecurityCenter CV and Tenable's scanning tools to supplement identity management procedures by auditing account and password configuration parameters and auditing log records for compliance, including:
o Nessus scans can augment account administration activities by providing management with information that can be used for monitoring/assessing account administration activities, including reviewing account lists for possible shared accounts (8.1.1) and reviewing access rights assigned based upon roles (8.1.2).
o LCE can assist in managing terminated user accounts by observing user names in logs to ensure that user accounts were not used after termination (8.1.3.a).
o SecurityCenter CV and its Log Correlation Engine can be used to monitor account lists to verify that the last use date is less than 90 days ago, and that all accounts which have not been used in over 90 days are deactivated (8.1.4).
o The Log Correlation Engine can be used to report use of accounts assigned to vendors, and reports can be used to monitor vendor account use (8.1.5.b).
o Operating system account and password security parameters can be audited using Nessus scans, including whether lockout thresholds and duration are set as required by PCI DSS 8.1.6.a and 8.1.7.
o SecurityCenter CV can use information provided from Nessus scans that audit Unix and Windows operating systems to ensure that each user is configured per organization policy, including ensuring that a password or other authentication method is required (8.2), ensuring that password files are encrypted (8.2.1.a), that password construction parameters are set to ensure complex passwords (8.2.3.a), that password changes are required at least every 90 days (8.2.4.a), and that none of the last 4 passwords may be reused when a password is changed (8.2.5.a).
o To audit for potential failures to require two-factor authentication for remote access, the Log Correlation Engine can be used to monitor logs for remote access to verify that connections were accompanied by access control events, including use of two-factor authentication. These logs temporarily associate user IDs to IP addresses for tracking of all user accounts (8.3.a).
o Nessus configuration audits and the Log Correlation Engine provide the capability for access management activities such as account additions to be audited and monitored to assess whether security administrators are creating generic or shared accounts (8.5.a), including checking that passwords are not used across a service provider's customers (8.5.1).
o Nessus can be used to audit database (Oracle, SQL Server, MySQL, DB2, Informix/DRDA, PostgreSQL) configurations to ensure that users are required to authenticate prior to access (8.7.a).
o Log analysis using SecurityCenter CV and its Log Correlation Engine can be used to verify that access to cardholder data is through programmatic methods (8.7.b) and that direct access to cardholder data is restricted to database administrators (8.7.c).

Requirement 9: Restrict physical access to cardholder data
Controls: 9.1.1.a

When physical access controls provide logs of access, SecurityCenter CV's Log Correlation Engine can be used to consolidate log data and prepare access reports (9.1.1.a).
If physical access controls used shared access credential and provide access logs, these logs can be supplemented to provide evidence as to who used the shared credentials by cross-referencing the shared physical access credential with information provided for virtual logons to systems located in the physical facility. Improving the physical access control events. SecurityCenter CV s Log Correlation Engine directly supports PCI DSS Requirement 10, tracking and monitoring control requirements for both hypervisors and virtual machines. Providing a front end to an organization s log server, SecurityCenter CV can provide extensive reporting and analysis tools for monitoring logs and ensuring that servers are properly configured to capture PCI DSS required logs. Systems administrators can implement parameters for automated alerts of critical events triggering network/system administrators actions, thus through continuous and periodic scanning/auditing of configuration policies to running configurations, administrators can monitor the state of compliance and take corrective measures as appropriate. Tenable supports the following specific controls: SecurityCenter CV s Log Correlation Engine can be used to aggregate logs from multiple sources, using user defined data, such as date, time, and IP address, to chain events from different sources to provide the end-to-end audit trail.(10.1) With results from Nessus scans, PVS, and LCE, SecurityCenter CV can be configured to audit servers (including virtual machines and hypervisors) for compliance of PCI DSS logging Product Applicability Guide 42

P C I D S S V 3. 0 A P P L I C A B I L I T Y M A T R I X S E C U R I T Y C E N T E R C O N T I N U O U S V I E W requirements including ensure that auditing includes: o Individual user access to cardholder data (10.2.1) o All action taken by root or administrative privilege (10.2.2) o Access to audit trails (10.2.3) o Invalid logical access attempts (10.2.4) o Use of identification and authentication mechanism is logged (10.2.5.a) o Elevation of privileges are logged (10.2.5.b) o Changes, additions, and deletions with root or administrative privilege are logged (10.2.5.c) o Logging of initialization, stopping, or pausing of audit logs (10.2.6) o Creation or deletion of system-level objects (10.2.7) SecurityCenter CV can be used to communicate information provided by Nessus and PVS on the state of time services throughout an organization s network, and if appropriate, on remote servers. SecurityCenter CV can be used identify whether NTP is properly configured and current, and identify whether any of the organization s systems are making NTP queries to an external service or an unauthorized internal time service. (10.4.1.a) SecurityCenter CV s Log Correlation Engine can be used to provide log reports and, as required, alert of any changes made to time synchronization settings and logs (10.4.2.a & b) SecurityCenter CV s Log Correlation Engine (LCE) protects audit records by: o Limiting access to log records stored in LCE or other central log servers (10.5.1) o Limiting all access by the LCE to read access (10.5.2). An organization can grant users, such as auditors, access to view logs via LCE and never touch the actual audit records. 
o Encrypting log records in motion (10.5.2) o Supporting an organization s central log server (10.5.3) o Storing external facing devices log records to the LCE managed log server (10.5.4) SecurityCenter CV s Log Correlation Engine can aggregate and normalize the information to provide reports and dashboards, showing the results of the compliance audits and highlighting compliance issues with its enhanced reporting and dashboard o o o o o o Highlight exceptions, while allowing the user to drill down to detailed audit records for additional analysis or investigation (10.6.1.b & 10.6.2.a & 10.6.3.b) Report security events and activity on systems that perform security functions such as firewall, LDAP, Active Directory, intrusion detection, etc.) (10.6.1.b) Report access to systems that store, process, or transmit cardholder and/or sensitive authentication data (10.6.1.b) Report access to organization-defined critical system components(10.6.1.b) Normalized audit records that cross multiple systems and servers Provide alerts to phones, email, or SecurityCenter CV dashboards that are configured by Product Applicability Guide 43

P C I D S S V 3. 0 A P P L I C A B I L I T Y M A T R I X S E C U R I T Y C E N T E R C O N T I N U O U S V I E W Requirement 11: Regularly test security systems and processes. 11.1.b, 11.1.d, 11.1.1, 11.2.1.a, 11.2.1.b, 11.2.1.c,, 11.2.3.a, 11.2.3.b, 11.2.3.c, 11.3, 11.4.a, 11.5.a, 11.5.1 If optional Nessus Enterprise Cloud used: 12.2.2.a, b & c users who define reportable exceptions, anomalies, and thresholds defined in an organization s policies/procedures. (10.6.3.b) SecurityCenter CV s Log Correlation Engine can support user defined log storage retention requirements by (10.7.a): o Storing all log records online for maximum retention, or o Storing only most current three months records online and store older records in archive. Analysis of archived logs can be performed with the LCE by date. Organizations can, configure the archive for SAN or NAS storage. SecurityCenter CV dashboards, reports and information provided using the Log Correlation Engine can be integrated into an organization s operational procedures for monitoring access to network resources and cardholder data reducing the time required to review raw system log records (10.8) SecurityCenter CV directly supports security testing control requirements outlined in PCI DSS requirement 11. SecurityCenter CV can coordinate the reporting and monitoring of scanning and testing activities by providing a single interface for Nessus Vulnerability Scanners, Passive Vulnerability Scanners and provides the Log Correlation Engine for monitoring logs to supplement the scanning and testing activities. SecurityCenter CV can be: Configured to continuously monitor for unauthorized wireless access points through the use of customized policies, showing end system nodes that belong to wireless networks, and highlighting exposed management interfaces and rogue access points. (11.1.b). 
Additionally, in conjunction with an organizations operating procedures, Nessus can be used to scheduled quarterly scans to identify wireless access points, develop custom scans to identified unauthorized access points from those authorized for management (11.1.1) and generate alerts should possible rogue wireless access points be identified (11.1.d). Used to supports the PCI DSS 11.2.1 internal vulnerability scanning requirements and can be used to schedule to automatically run quarterly, thus guaranteeing an organization four quarterly internal scans occurring in the last 12 month period (11.2.1.a). Pre-configured or customized Nessus scanning perimeters can be used by an organization to meet their vulnerability scanning needs, and identify high risk vulnerabilities as required by PCI DSS 6.1 (11.2.1.b). While use of an ASV is not required for internal scanning, Tenable ASV (11.2.1.c) is available for assisting with these scans when qualified internal resources are not available. Used to identify changes introduced into the environment. Organizations can use the information provided to determine if changes are significant and to determine when Nessus scans are required for compliance to 11.2.3.a s requirements for running internal when significant changes are made. Note that with optional Nessus Enterprise Cloud licenses, PCI s requirements for quarterly external scanning can also be met.(11.2.2.a, b, & c) Used to discover systems that may be in scope for penetration testing (11.3) Product Applicability Guide 44

P C I D S S V 3. 0 A P P L I C A B I L I T Y M A T R I X S E C U R I T Y C E N T E R C O N T I N U O U S V I E W Requirement 12: Maintain a policy that addresses the information security for all personnel. 12.2.a, 12.3.3, 12.3.8, 12.3.9, 12.5.2, 12.5.3, 12.8.4, 12.10.5 Used to monitor all traffic at the perimeter of the cardholder data environment as well as critical points in the cardholder data environment, and alert personnel to suspected compromises (11.4.a) While SecurityCenter CV is not a file-integrity monitoring tool, organizations can deploy custom Nessus scans policies which can be used to detect changes or derivations from an organization s approved system settings. To meet the requirements of 11.5.a, the organization needs to implement these scans to run at least weekly and to generate alerts when changes are detected (11.5.1). SecurityCenter CV, with its dashboard and enhanced reporting for information gathered from its Log Correlation Engine, Nessus scanner, and Passive Vulnerability Scanner, provides critical information about the state of the organization s network and cardholder data environment to support management s risk management activities, 3 rd party processor monitoring activities, and incident response plan. Using SecurityCenter CV, complex relationships between identified vulnerabilities, IDS events, logs, system configurations, and asset classes can be simplified for use in risk assessments, thus helping organizations to identify asset groups, technologies, and business units that are at risk (12.2.a) Using SecurityCenter CV s reporting capabilities an organization can address PCI DSS requirements for usage policy documentation, including inventory of critical devices 12.3.3) and identify systems with modems (12.3.8), which will need to be included in the organizations usage policy. This information can be a foundation for managing end user access technologies by providing a view of this technology as found on an organization s network. 
PVS can identify and report new devices introduced to the network and initiate their review to verify that the devices do not introduce new vulnerabilities. For remote access technology used by vendors, PVS can identify and alert on activity so that an organization can monitor its use by the external entity and verify that it has been de-activated when no longer needed (12.3.9) PVS can be used to supplement monitoring of vendor activities by placing a scanner on network segments where third-parties connect to the network and using PVS to monitor vendor connections including type and time of connection. (12.8.4) For the individual or team in an organization assigned responsibility for monitoring and analyzing security alerts such as assigning tickets to personnel and groups (12.5.2) and for the individual or team in an organization assigned responsibility for the incident response process (12.5.3), information available from the SecurityCenter CV reports and dashboard can provide resources for managing those activities as well as tickets and assignments SecurityCenter CV can be used to support an organization s Incident Response Plans by providing alerts to the Incident Response Team when scans, audits, or automated log monitoring activities indicate that a possible breach has occurred (12.10.5). Additionally, information Product Applicability Guide 45

P C I D S S V 3. 0 A P P L I C A B I L I T Y M A T R I X S E C U R I T Y C E N T E R C O N T I N U O U S V I E W Requirement A.1: Shared hosting providers must protect the cardholder data environment A.1.3, A.1.4 available through SecurityCenter CV s reporting system and reports generated using the Log Correlation Engine can be used in analyzing the breach. Using information provided by an organization s Nessus vulnerability scanners, SecurityCenter can be used to confirm that hosting provider has appropriately configured logging and audit trail parameters for merchant and service provider s cardholder environments as required by PCI DSS Requirement 10. SecurityCenter with multiple Nessus Vulnerability Scanners can support hosted service providers PCI compliance controls by: Verifying that logs are enabled and appropriately configured for physical servers, hypervisors, and virtual systems (A.1.3) Providing valuable information from both historic scan results and scans run as part of forensic investigations. (A.1.4) Product Applicability Guide 46
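The account-monitoring checks the Requirement 7 and 8 rows describe (terminated accounts still in use, accounts idle for more than 90 days, the failed-logon audit report, and after-hours privileged access), written out as an added example that is not Tenable's or VMware's code; the syslog-style lines, the account inventory and the termination dates are all constructed.

```python
"""Log-correlation checks for the account-monitoring controls in the matrix above:
8.1.3.a (accounts used after termination), 8.1.4 (accounts idle more than 90 days),
the failed-logon audit report under 7.1, and the after-hours privileged-access
review under 7.2/7.3. Added example, not Tenable code; every input below is
constructed (syslog-style lines, account inventory, HR termination dates)."""
from datetime import datetime, timedelta
import re

# Constructed sshd/sudo lines in a simplified ISO-timestamp syslog layout.
SAMPLE_LOGS = """\
2014-03-03T02:14:07 cde-db01 sshd[2211]: Accepted publickey for jsmith from 10.0.5.20 port 51022
2014-03-03T09:05:41 cde-db01 sshd[2290]: Accepted password for dba_ann from 10.0.5.31 port 50012
2014-03-03T09:06:10 cde-db01 sudo: dba_ann : TTY=pts/0 ; PWD=/home/dba_ann ; USER=root ; COMMAND=/bin/ls /var/log
2014-03-04T23:48:33 cde-app02 sshd[414]: Failed password for invalid user admin from 203.0.113.7 port 4102
2014-03-04T23:49:02 cde-app02 sshd[414]: Failed password for invalid user admin from 203.0.113.7 port 4103
2014-03-05T10:12:55 cde-app02 sshd[502]: Accepted password for svc_backup from 10.0.5.40 port 40111
2014-03-06T08:30:00 cde-app02 sudo: jsmith : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /srv/cde/keys/dek.key
"""

# Constructed reference data that an account inventory and an HR feed would supply.
ACCOUNTS = ["jsmith", "dba_ann", "svc_backup", "svc_legacy"]
TERMINATED = {"jsmith": datetime(2014, 3, 1)}   # user -> termination date
AS_OF = datetime(2014, 3, 31)                    # date the review is run

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>sshd|sudo)(?:\[\d+\])?: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
FAILED_RE = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_events(logs):
    """Normalize raw lines into event dicts with a common 'kind' field
    (login / failed / sudo), the step a log correlation engine performs first."""
    events = []
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines would be reported separately in practice
        base = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), "host": m["host"]}
        msg = m["msg"]
        if m["prog"] == "sshd":
            a, f = ACCEPTED_RE.match(msg), FAILED_RE.match(msg)
            if a:
                events.append(dict(base, kind="login", user=a["user"], src=a["src"]))
            elif f:
                events.append(dict(base, kind="failed", user=f["user"], src=f["src"]))
        else:
            s = SUDO_RE.match(msg)
            if s:
                events.append(dict(base, kind="sudo", user=s["user"],
                                   target=s["target"], cmd=s["cmd"]))
    return events


def terminated_account_use(events, terminated=TERMINATED):
    """8.1.3.a: successful logins or sudo use by an account on or after its
    termination date. Failed attempts are excluded; they belong in the 7.1 report."""
    return [e for e in events if e["kind"] != "failed"
            and e["user"] in terminated and e["ts"] >= terminated[e["user"]]]


def inactive_accounts(events, accounts=ACCOUNTS, as_of=AS_OF, max_idle_days=90):
    """8.1.4: inventory accounts with no successful login in the last 90 days.
    Accounts never seen in the logs count as inactive, not as unknown."""
    last_login = {}
    for e in events:
        if e["kind"] == "login":
            last_login[e["user"]] = max(last_login.get(e["user"], e["ts"]), e["ts"])
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(u for u in accounts if last_login.get(u, datetime.min) < cutoff)


def after_hours_privileged(events, start_hour=8, end_hour=18):
    """7.2/7.3 review: successful logins and privilege elevation outside the
    business-hours window [start_hour, end_hour)."""
    return [e for e in events if e["kind"] in ("login", "sudo")
            and not start_hour <= e["ts"].hour < end_hour]


def failed_logon_report(events):
    """7.1 audit report: count of failed logons per (user, source address)."""
    counts = {}
    for e in events:
        if e["kind"] == "failed":
            counts[(e["user"], e["src"])] = counts.get((e["user"], e["src"]), 0) + 1
    return counts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOGS)
    print("8.1.3.a terminated accounts still in use:",
          [(e["user"], e["ts"].isoformat(), e["kind"]) for e in terminated_account_use(evts)])
    print("8.1.4 accounts idle > 90 days:", inactive_accounts(evts))
    print("7.2/7.3 after-hours access:",
          [(e["user"], e["ts"].isoformat(), e["kind"]) for e in after_hours_privileged(evts)])
    print("7.1 failed logons:", failed_logon_report(evts))
```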

SecurityCenter

SecurityCenter provides enterprise-class vulnerability assessment, compliance management, and threat assessment, along with a centralized console to administer policies, alerts, reports, and plugin updates. It offers distributed scanning and enhanced dashboards, reports, and analytics with role-based access for organizations that distribute responsibilities across multiple departments.

Figure 13: SecurityCenter

For organizations with large and complex networks, SecurityCenter combines the power of Nessus scanning with an enterprise-class vulnerability management platform. SecurityCenter offers the following benefits:

- Simplifies administration using a single console that manages distributed Nessus scanners for enterprise-wide security and compliance visibility
- Accelerates scans with distributed and load-balanced scanning, using a centralized database for faster and more efficient scans
- Delivers advanced analytics, including extensive dashboards and built-in and customizable reports that aggregate scan data to help you identify and respond to security and compliance issues

Tenable provides solutions to support or meet PCI DSS controls. Additional policies, processes and/or technologies are required in conjunction with Tenable's solutions to fully comply with PCI DSS. The following product matrix explains which PCI controls are supported or supplemented by SecurityCenter.

Table 8: Applicability of PCI DSS v3.0 Controls to SecurityCenter

PCI DSS v3.0 Applicability Matrix: SecurityCenter

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Controls: 1.1.1.c, 1.2.b, 1.2.c, 1.2.2.a, 1.2.2.b, 1.2.3.b, 1.4.b, 1.5

SecurityCenter consolidates and aggregates information from multiple Nessus Vulnerability Scanners, providing network administrators with data to ensure that their organization's policies and procedures are appropriately implemented, using Tenable-provided and custom-developed scans to:

- Ensure that documented processes for approving changes to networks are in place and operating appropriately, by using audit scan results to confirm that identified changes match change control documents (1.1.1.c)
- Monitor firewall configurations to ensure that devices are configured to meet organization-established policies and PCI DSS requirements for restricting connections between untrusted networks and system components in the cardholder data environment (1.2.b), and that all other inbound and outbound traffic is specifically denied (1.2.1.c)
- Monitor router configurations to verify that the configurations are secured from unauthorized access (1.2.2.a) and that router configurations are synchronized (1.2.2.b)
- Monitor that firewalls between the cardholder environment and wireless networks deny traffic or only allow authorized traffic (1.2.3.b)
- Using customized configuration audits, Nessus can be used to audit devices used to access the organization's network remotely to ensure that the required software is installed, running, and configured correctly (1.4.b)
- Organizations can supplement network documentation when administrators combine management of configuration policies scripted in Nessus Vulnerability Scanner with the organization's documented configuration policies and its change control processes, providing a means of verifying that firewalls are configured as documented (1.5)

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Controls: 2.1.a, 2.1.b, 2.1.c, 2.1.1.b, 2.1.1.e, 2.2.a, 2.2.1.a, 2.2.1.b, 2.2.2.a, 2.2.3, 2.2.4.b, 2.2.5.a, 2.3.b, 2.4.a

SecurityCenter can be used to consolidate and aggregate data from Nessus Vulnerability Scanners to augment the following specific controls:

- By scanning for the use of default passwords, systems administrators can implement procedures for ensuring that newly installed systems are not using default passwords (2.1.a & b) or inappropriate default security parameters or accounts (2.1.c).
- Checking for common SNMP and login settings on wireless devices to ensure that all wireless vendor defaults have been changed (2.1.1.b). Additionally, Nessus can audit the active wireless domain of each Windows device to develop a complete list of all wireless devices (2.1.1.e).
- Configured with an organization's approved configuration standards, audit policies can log into Windows, Unix, Linux, Mac OS X, AIX, HP-UX, and other systems to confirm compliance with organizational standards (2.2.a) or to profile systems (2.2.1.a & 2.2.1.b), discover open ports (2.2.2.a), identify the security features and parameters implemented (2.2.3 & 2.2.4.b), and identify vulnerabilities (2.2.5.a).
- Used to look for any non-encrypted services on organization-specified assets that are required to use SSH or SSL for administration (2.3.b).
- Create an asset inventory, including systems and software, using the asset discovery information provided by Nessus scans (2.4.a).

Requirement 3: Protect stored cardholder data

Controls: 3.1.b

SecurityCenter pulls together information provided by multiple Nessus Scanners that can be used by an organization to identify occurrences of unencrypted PAN (primary account numbers) (3.1.b) and to monitor protection of encryption keys. As part of a risk assessment process to identify all occurrences of PAN, organizations can use information provided by Nessus scanners to determine whether all instances of PAN storage are needed by the business and drill down to secure the data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Controls: 4.1.a, 4.1.c, 4.1.d, 4.1.e, 4.1.f, 4.1.g

SecurityCenter pulls together information provided by multiple Nessus Vulnerability Scanners that can be used by an organization to verify that safeguards are in place and appropriately configured for transmitting sensitive cardholder data (4.1.a) over open, public networks, by scanning all web portals or internet access points used for transmitting credit card data to collect information about allowed protocols and other encryption parameters (4.1.c & 4.1.d). Nessus Vulnerability Scanner tests all SSL systems for compliance with PCI DSS, using periodic or continual scans to identify issues such as verification of host names related to SSL keys, secure protocols enabled when cardholder data is transmitted, and the strength and age of SSL keys to ensure they are up to date (4.1.e, 4.1.f, & 4.1.g).

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Controls: 5.1, 5.2.a, 5.2.b, 5.2.c, 5.4

SecurityCenter pulls together information provided by multiple Nessus Vulnerability Scanners that can supplement a comprehensive malware prevention program to safeguard an organization from malware by supporting procedures for ensuring ongoing compliance. Nessus scans can be configured to scan for anti-virus instances on system types susceptible to malware, verify that AV protection is installed on all systems, and check that it is appropriately configured and up to date (5.1 and 5.2.a, b, c). Organizations can supplement the anti-virus policies and procedures supporting controls 5.1 and 5.2 to ensure that documented procedures are current and that the processes supporting those policies and procedures are working as documented (5.4).

Requirement 6: Develop and maintain secure systems and applications

Controls: 6.1.a, 6.2.b, 6.5.d, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6

Tenable updates Nessus Vulnerability Scanner regularly for new vulnerabilities, including CVSS2 scores to assist an organization in risk ranking. In conjunction with other external resources, Nessus scanners can support the vulnerability (6.1.a) and patch management (6.2.b) processes by continuously scanning the network, allowing the organization to identify new vulnerabilities provided in Tenable updates or as vulnerabilities are introduced into the network.

Organizations that develop custom software for their cardholder data environment are required to ensure that secure coding practices, such as those identified by OWASP, are used. SecurityCenter can use the information provided by Nessus to improve the software development and testing process by providing enhanced reporting of common code vulnerabilities (6.5.d) when integrated into the software development lifecycle. Implemented in a test environment that simulates the production environment, Tenable can be used with other testing tools to check for well-known vulnerabilities before code is introduced into production:

- SecurityCenter with Nessus can check for a variety of SQL injection flaws in web applications (6.5.1)
- SecurityCenter with Nessus scanner can be used to identify well-known vulnerabilities, including buffer overflows (6.5.2)
- SecurityCenter with Nessus can be used as a discovery tool to identify the content of files by looking for cardholder data, to determine whether encryption is required (6.5.3)
- SecurityCenter using Nessus scans checks for communication over a variety of protocols and can recognize and report on insecure communication protocols (6.5.4)
- SecurityCenter with Nessus will observe whether responses to web probes return a catch-all error page or error codes that could provide information useful in breaching the system (6.5.5)
- SecurityCenter with Nessus can be used to check for well-known attacks against web applications, operating systems, and other software. Nessus can provide CVSS2 scores and criticality risk rankings that can be used to identify high-risk vulnerabilities that need to be addressed prior to deployment of code changes (6.5.6)
- SecurityCenter with Nessus can check for cross-site scripting vulnerabilities (6.5.7)
- SecurityCenter with Nessus can perform checks for known access control vulnerabilities such as directory traversal and authentication bypass issues (6.5.8)
- SecurityCenter with Nessus can perform checks for cross-site request forgery vulnerabilities (6.5.9)
- Nessus can perform checks for broken authentication and session management vulnerabilities (6.5.10)

While Tenable does not evaluate web application source code, Nessus can be customized to identify changes to web applications. Management can use the information provided by SecurityCenter's enhanced reporting to look across the entire network to determine whether changes are significant and whether an application security review is appropriate, as required by PCI DSS 6.6.

Requirement 7: Restrict access to cardholder data by business need to know

Controls: 7.1.a, 7.1.2.b, 7.1.3, 7.2.1, 7.2.2, 7.2.3, 7.3

While SecurityCenter does not actively perform access control functionality, Nessus compliance checks can supplement an organization's access control processes and procedures by providing information that can be used to assess compliance and alert an administrator when access control processes could be weak or out of compliance.

- Using Nessus compliance checks and the enhanced reporting and dashboards provided by SecurityCenter, the tools can be used to audit user accounts and provide information about Unix and Windows servers and desktops, including information about access control lists implemented to meet an organization's requirements, a list of users authorized to access a system, and how authentication is performed and logged (7.1.a, 7.1.2.b, 7.1.3).
- Audit security parameters to ensure that access control settings meet PCI requirements, including ensuring that access control systems are in place, that privileged access is assigned to individuals based upon job classification, and that access is denied to all unless explicitly allowed (7.2.1 to 7.2.3).
- Provide data to support access control operational procedures, including management's review of access rights as part of periodic access monitoring (7.3).

Requirement 8: Identify and authenticate access to systems components

Controls: 8.1.1, 8.1.2, 8.1.6.a, 8.1.7, 8.2, 8.2.1.a, 8.2.3.a, 8.2.4.a, 8.2.5.a, 8.3.a, 8.5.a, 8.5.1, 8.7.a

An organization can use SecurityCenter with multiple Nessus Vulnerability Scanners to supplement identification management procedures by auditing account and password configuration parameters and auditing log records for compliance, including:

- Nessus scans can augment account administration activities by providing management with information that can be used for monitoring and assessing account administration, including reviewing account lists for possible shared accounts (8.1.1) and reviewing access rights assigned based upon roles (8.1.2).
- Operating system account and password security parameters can be audited using Nessus scans, including whether lockout thresholds and duration are set as required by PCI DSS 8.1.6.a and 8.1.7.
- Nessus scans that audit Unix and Windows operating systems can be used to ensure that each user is configured per organization policy, including ensuring that a password or other authentication method is required (8.2), that password files are encrypted (8.2.1.a), that password construction parameters are set to ensure complex passwords (8.2.3.a), that password changes are required at least every 90 days (8.2.4.a), and that none of the last 4 passwords may be reused when a password is changed (8.2.5.a).
- Nessus configuration audits can be used to audit for potential failures to require two-factor authentication for remote access (8.3.a).
- Nessus configuration audits allow access management activities such as account additions to be audited and monitored to confirm that security administrators are not creating generic or shared accounts (8.5.a), including checking that passwords are not used across a service provider's customers (8.5.1).
- Nessus can be used to audit database (Oracle, SQL Server, MySQL, DB2, Informix/DRDA, PostgreSQL) configurations to ensure that users are required to authenticate prior to access (8.7.a).

Requirement 9: Restrict physical access to cardholder data

Controls: N/A. No controls in this PCI requirement are addressed by the Tenable solution.

Requirement 10: Track and monitor all access to network resources and cardholder data

Controls: 10.2.4, 10.4, 10.4.1.b

Nessus can supplement control 10.2.4 by auditing log settings to identify compliance issues, for instance whether all systems are configured to log failed access attempts as well as allowed access attempts. An organization can use Nessus scans to monitor for use of time synchronization technologies and determine whether they are current (10.4 & 10.4.1.b). Nessus supports NTP audits, while SecurityCenter reports can be used to document any NTP vulnerabilities that might be identified.

Requirement 11: Regularly test security systems and processes

Controls: 11.1.b, 11.1.d, 1.1.1, 11.2.1.a, 11.2.1.b, 11.2.1.c, 11.2.3.a, 11.2.3.b, 11.2.3.c, 11.3, 11.5.a, 11.5.1

SecurityCenter supplements Nessus Vulnerability Scanner support of the security testing control requirements outlined in PCI DSS Requirement 11. Tenable supports the following specific controls:

- Nessus scans in conjunction with operational procedures can be used to meet an organization's requirements for performing quarterly audits for unauthorized wireless access points (11.1.b) and, once configured, can be scheduled to run quarterly. In conjunction with operating procedures, SecurityCenter and Nessus scans can identify wireless access points, custom scans can be developed to distinguish unauthorized access points from those authorized by management (11.1.1), and alerts can be generated should a possible rogue wireless access point be identified (11.1.d).
- Nessus Vulnerability Scanner supports the PCI DSS 11.2.1 internal vulnerability scanning requirements and can be scheduled to run automatically each quarter, thus guaranteeing an organization four quarterly internal scans in the last 12-month period. Pre-configured or customized scanning perimeters can be used by an organization to meet their vulnerability scanning needs and identify high-risk vulnerabilities as required by PCI DSS 6.1 (11.2.b). SecurityCenter can be used to ensure that all appropriate scans have been run in complex networks where multiple Nessus scanners need to be managed. While use of an ASV is not required for internal scans, Tenable's ASV (11.2.1.c) is available to assist with this scanning when qualified internal resources are not available.
- As part of an organization's change control process, SecurityCenter with Nessus Vulnerability Scanners meets PCI DSS 11.2.3 requirements for running vulnerability scans when significant changes are introduced into the environment. Identified vulnerabilities can be addressed and scans rerun until the vulnerabilities have been resolved.
- Results from scans can be used to assist in identifying the scope of penetration testing required by PCI DSS 11.3.
- While not a file-integrity monitoring tool, organizations can deploy custom Nessus scan policies to detect changes or deviations from an organization's approved system settings. To meet the requirements of 11.5.a, the organization needs to run these scans at least weekly and generate alerts when changes are detected (11.5.1).

Requirement 12: Maintain a policy that addresses information security for all personnel

Controls: 12.2.a, 12.3.3

SecurityCenter, using information provided by Nessus Vulnerability Scanners, can prepare consolidated reports showing potential vulnerabilities and information about security settings that can supplement management's efforts to:

- Perform the annual risk assessment and provide ongoing monitoring of newly introduced vulnerabilities to continuously monitor risk (12.2.a)
- Identify new end-user computing devices, including modems, introduced into a network, thus initiating updates to the end-user computing policy (12.3.3)

Requirement A.1: Shared hosting providers must protect the cardholder data environment

Controls: N/A. No controls in this PCI requirement are addressed by the Tenable solution.
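The password and lockout parameter audit that both Requirement 8 rows describe (8.1.6.a, 8.1.7, 8.2.1.a, 8.2.3.a, 8.2.4.a, 8.2.5.a), as an added example that is not Tenable's code and does not use Nessus .audit syntax; the login.defs and PAM snippets are constructed, and the thresholds are the PCI DSS v3.0 values (at most 6 failed attempts, lockout of at least 30 minutes or until an administrator resets it, at least 7 characters with both numeric and alphabetic characters, a change at least every 90 days, and no reuse of the last 4 passwords).

```python
"""Configuration audit of the password and lockout parameters that both
Requirement 8 rows describe (8.1.6.a, 8.1.7, 8.2.1.a, 8.2.3.a, 8.2.4.a, 8.2.5.a),
evaluated against the PCI DSS v3.0 thresholds. Added example, not Tenable code
and not Nessus .audit syntax; the login.defs and PAM snippets are constructed."""

# Constructed weak configuration: every parameter below misses its PCI threshold.
WEAK_LOGIN_DEFS = """\
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
ENCRYPT_METHOD  MD5
"""
WEAK_PAM = """\
auth     required  pam_tally2.so deny=10 unlock_time=60
password requisite pam_cracklib.so retry=3 minlen=6
password required  pam_unix.so use_authtok
"""

# Constructed hardened configuration that satisfies each check.
HARDENED_LOGIN_DEFS = """\
PASS_MAX_DAYS   90
PASS_MIN_LEN    7
ENCRYPT_METHOD  SHA512
"""
HARDENED_PAM = """\
auth     required  pam_tally2.so deny=6 unlock_time=1800
password requisite pam_cracklib.so retry=3 minlen=7 dcredit=-1 lcredit=-1
password required  pam_pwhistory.so remember=4 use_authtok
password required  pam_unix.so use_authtok
"""

STRONG_HASHES = {"SHA256", "SHA512"}   # this check's reading of 8.2.1 "strong cryptography"


def parse_login_defs(text):
    """login.defs is KEY VALUE per line; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            params[parts[0]] = parts[1]
    return params


def parse_pam(text):
    """Map module name -> {option: value}; bare flags map to True, numbers to int."""
    modules = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3:
            continue
        opts = {}
        for opt in parts[3:]:
            key, has_eq, val = opt.partition("=")
            if has_eq:
                opts[key] = int(val) if val.lstrip("-").isdigit() else val
            else:
                opts[key] = True
        modules[parts[2]] = opts
    return modules


def audit_password_parameters(login_defs_text, pam_text):
    """Return (control, parameter, observed, verdict) tuples for each PCI check."""
    defs = parse_login_defs(login_defs_text)
    pam = parse_pam(pam_text)
    tally = pam.get("pam_tally2.so", {})
    crack = pam.get("pam_cracklib.so", {})
    history = pam.get("pam_pwhistory.so", {})
    findings = []

    def check(control, name, observed, ok):
        findings.append((control, name, observed, "PASS" if ok else "FAIL"))

    # 8.1.6: lock the account after at most six failed attempts.
    deny = tally.get("deny")
    check("8.1.6.a", "pam_tally2 deny", deny, deny is not None and deny <= 6)
    # 8.1.7: lockout lasts at least 30 minutes or until an administrator resets it;
    # pam_tally2 without unlock_time stays locked until reset, which also passes.
    unlock = tally.get("unlock_time")
    check("8.1.7", "pam_tally2 unlock_time", unlock,
          bool(tally) and (unlock is None or unlock >= 1800))
    # 8.2.1: stored passwords hashed with strong cryptography.
    method = defs.get("ENCRYPT_METHOD")
    check("8.2.1.a", "ENCRYPT_METHOD", method, method in STRONG_HASHES)
    # 8.2.3: at least 7 characters containing both numeric and alphabetic characters.
    min_len = max(crack.get("minlen", 0), int(defs.get("PASS_MIN_LEN", 0)))
    needs_digit = crack.get("dcredit", 0) <= -1
    needs_alpha = crack.get("lcredit", 0) <= -1 or crack.get("ucredit", 0) <= -1
    check("8.2.3.a", "minlen/dcredit/lcredit|ucredit", (min_len, needs_digit, needs_alpha),
          min_len >= 7 and needs_digit and needs_alpha)
    # 8.2.4: change passwords at least every 90 days.
    max_days = defs.get("PASS_MAX_DAYS")
    check("8.2.4.a", "PASS_MAX_DAYS", max_days, max_days is not None and int(max_days) <= 90)
    # 8.2.5: reject any of the last four passwords.
    remember = history.get("remember")
    check("8.2.5.a", "pam_pwhistory remember", remember, remember is not None and remember >= 4)
    return findings


def failed_controls(findings):
    """Controls whose check did not pass, sorted for reporting."""
    return sorted(control for control, _, _, verdict in findings if verdict == "FAIL")


if __name__ == "__main__":
    for label, defs_text, pam_text in (("weak", WEAK_LOGIN_DEFS, WEAK_PAM),
                                       ("hardened", HARDENED_LOGIN_DEFS, HARDENED_PAM)):
        for row in audit_password_parameters(defs_text, pam_text):
            print(label, *row)
```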

Summary

Cloud computing and threats to sensitive data such as that covered by the Payment Card Industry under its Data Security Standard are both evolving. The benefits and maturity of cloud computing, led by VMware and the Software Defined Data Center, have led VMware's customers and partners to host most (and approaching all) of their enterprise applications on this platform. To answer that need, VMware and its Technology and Audit partners have delivered a set of documentation pertinent to mainstream regulations such as PCI DSS version 3.0. Internalizing the information available on VMware Solution Exchange is the first step in understanding which of the VMware products can be leveraged, along with the features and capabilities that should be considered. This paper gives guidance on the applicability of Tenable's product suite for supporting PCI DSS version 3.0 control requirements by using Tenable's vulnerability assessment and SIEM data analysis tools to manage risk.

Acknowledgements: VMware would like to recognize the efforts of Tenable Network Security and the numerous VMware teams that contributed to this paper and to the establishment of the VMware Compliance Program. VMware would also like to recognize the Coalfire Systems Inc. VMware Team (www.coalfire.com/partners/vmware) for their industry guidance. Coalfire, a leading PCI QSA firm, provided PCI guidance and control interpretation aligned to PCI DSS v. 3.0 and the Reference Architecture described herein. The information provided by Coalfire Systems and contained in this document is for educational and informational purposes only. Coalfire Systems makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein.

About Coalfire

Coalfire Systems is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington, D.C., and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire has developed a new generation of cloud-based IT GRC tools under the Navis brand that clients use to efficiently manage IT controls and keep pace with rapidly changing regulations and best practices. Coalfire's solutions are adapted to requirements under emerging data privacy legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA. For more information, visit www.coalfire.com.

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com

Copyright 2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW_YYQQ_DS_ProgramName 03/13
