Payment Card Industry (PCI) Executive Report 10/27/2015




ASV Scan Report Attestation of Scan Compliance

Scan Customer Information
  Company: Rural Computer Consultants
  Contact: Jason Buetow
  Title: Administrator
  Telephone: 320-365-4027
  Email: jbuetow@rccbi.com
  Business Address: 211 S. 10th St.
  City: Bird Island
  State/Province: Minnesota
  ZIP: 55310
  URL:

Approved Scanning Vendor Information
  Company: SecureWorks
  Contact: Joseph Avarista
  Title: Operations
  Telephone: 8884563210
  Email: vms@secureworks.com
  Business Address: One Concourse Parkway, Ste. 500
  City: Atlanta
  State/Province: Georgia
  ZIP: 30328
  URL: http://www.secureworks.com/

Scan Status
  * Compliance Status:
  * Number of unique components scanned: 1
  * Number of identified failing vulnerabilities: 0
  * Number of components found by ASV but not scanned because scan customer confirmed components were out of scope: 2
  * Date scan completed: 10/22/2015
  * Scan expiration date (90 days from date scan completed): 01/20/2016

Scan Customer Attestation
Rural Computer Consultants attests on 10/27/2015 at 12:31:01 GMT that this scan includes all components* which should be in scope for PCI DSS, any component considered out-of-scope for this scan is properly segmented from my cardholder data environment, and any evidence submitted to the ASV to resolve scan exceptions is accurate and complete. Rural Computer Consultants also acknowledges the following: 1) proper scoping of this external scan is my responsibility, and 2) this scan result only indicates whether or not my scanned systems are compliant with the external vulnerability scan requirement of PCI DSS; this scan result does not represent my overall compliance status with PCI DSS or provide any indication of compliance with other PCI DSS requirements.

ASV Attestation
This scan and report was prepared and conducted by SecureWorks under certificate number 3761-02-06, according to internal processes that meet PCI DSS requirement 11.2 and the PCI DSS ASV Program Guide. SecureWorks attests that the PCI DSS scan process was followed, including a manual or automated Quality Assurance process with customer boarding and scoping practices, review of results for anomalies, and review and correction of 1) disputed or incomplete results, 2) false positives, and 3) active scan interference. This report and any exceptions were reviewed by Joseph Avarista.

Payment Card Industry (PCI) Executive Report page 1

ASV Scan Report Executive Summary

Part 1. Scan Information
  Scan Customer Company: Rural Computer Consultants
  ASV Company: SecureWorks
  Date scan was completed: 10/22/2015
  Scan expiration date: 01/20/2016

Part 2. Component Compliance Summary
  IP Address:

Part 2. Component Compliance Summary - (Hosts Not Current)

Part 3a. Vulnerabilities Noted for each IP Address
  IP Address:

  Port 443/tcp
    Vulnerability Noted: 150085 - Slow HTTP POST vulnerability
    CVSS Score: 6.8
    Exceptions, False Positives, or Compensating Controls Noted by the ASV for this Vulnerability: The vulnerability is not included in the NVD. This denial of service is out of scope of PCI.

  Port 443/tcp-SSL
    Vulnerability Noted: 42366 - SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST), CVE-2011-3389
    CVSS Score: 4.3
    Exceptions, False Positives, or Compensating Controls Noted by the ASV for this Vulnerability: ASV Score 2.6: The ASV access complexity is High for server side, because Javascript injection and MiTM capabilities and a vulnerable client that is not using record splitting are required to exploit this vulnerability.

  Port 443/tcp-SSL
    Vulnerability Noted: 38601 - SSL/TLS use of weak RC4 cipher, CVE-2013-2566, CVE-2015-2808
    CVSS Score: 4.3
    Exceptions, False Positives, or Compensating Controls Noted by the ASV for this Vulnerability: ASV Score 2.6: The ASV access complexity is High for server side, because MiTM capabilities and a vulnerable client are required to exploit this vulnerability.

Part 3b. Special Notes by IP Address
  IP Address:
  Note: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely or disabled/removed.
  Item Noted (remote access software, POS software, etc.): 42017 - Remote Access or Management Service Detected (SSH: port 22/TCP)
  Scan customer's declaration that software is implemented securely (see next column if not implemented securely): Yes
  Scan customer's description of actions taken to either 1) remove the software or 2) implement security controls to secure the software: FTPS server used to move non-card holder data

Report Summary
  Company: Rural Computer Consultants
  Hosts in Account: 1
  Hosts Scanned: 1
  Hosts Active: 1
  Scan Date: 10/22/2015 at 18:37:03 GMT
  Report Date: 10/27/2015 at 12:31:11 GMT
  Report Title: Oct 2015 with FTPS notes for PCI
  Template Title: Payment Card Industry (PCI) Executive Report

Summary of Vulnerabilities
  Vulnerabilities Total: 40
  Average Security Risk: 3.0

  by Severity
  Severity   Confirmed   Potential   Information Gathered   Total
  5          0           0           0                      0
  4          0           0           0                      0
  3          2           1           1                      4
  2          0           0           4                      4
  1          0           0           32                     32
  Total      2           1           37                     40

  by PCI Severity
  PCI Severity   Confirmed   Potential   Total
  High           0           0           0
  Medium         2           1           3
  Low            0           0           0
  Total          2           1           3

[Charts: Vulnerabilities by PCI Severity; Potential Vulnerabilities by PCI Severity; Vulnerabilities by Severity; Potential Vulnerabilities by Severity]

Appendices

Hosts Scanned

Option Profile
  Scan
    Scanned TCP Ports: Full
    Scanned UDP Ports: Standard Scan
    Scan Dead Hosts: Off
    Load Balancer Detection: Off
    Password Brute Forcing: Standard
    Vulnerability Detection: Complete
    Windows Authentication: Disabled
    SSH Authentication: Disabled
    Oracle Authentication: Disabled
    SNMP Authentication: Disabled
    Perform 3-way Handshake: Off
  Advanced
    Hosts Discovery: TCP Standard Scan, UDP Standard Scan, ICMP On
    Ignore RST packets: Off
    Ignore firewall-generated SYN-ACK packets: Off
    Do not send ACK or SYN-ACK packets during host discovery: Off

Report Legend

Payment Card Industry (PCI) Status
An overall PCI compliance status of PASSED indicates that all hosts in the report passed the PCI compliance standards. A PCI compliance status of PASSED for a single host/IP indicates that no vulnerabilities or potential vulnerabilities, as defined by the PCI DSS compliance standards set by the PCI Council, were detected on the host.
An overall PCI compliance status of FAILED indicates that at least one host in the report failed to meet the PCI compliance standards. A PCI compliance status of FAILED for a single host/IP indicates that at least one vulnerability or potential vulnerability, as defined by the PCI DSS compliance standards set by the PCI Council, was detected on the host.

Vulnerability Levels
A Vulnerability is a design flaw or misconfiguration which makes your network (or a host on your network) susceptible to malicious attacks from local or remote users. Vulnerabilities can exist in several areas of your network, such as in your firewalls, FTP servers, Web servers, operating systems or CGI bins. Depending on the level of the security risk, the successful exploitation of a vulnerability can vary from the disclosure of information about the host to a complete compromise of the host.
  1 Minimal: Intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities.
  2 Medium: Intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions.
  3 Serious: Intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-relaying.
  4 Critical: Intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host.
  5 Urgent: Intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors.
  Low: A vulnerability with a CVSS base score of 0.0 through 3.9. These vulnerabilities are not required to be fixed to pass PCI compliance.
  Medium: A vulnerability with a CVSS base score of 4.0 through 6.9. These vulnerabilities must be fixed to pass PCI compliance.
  High: A vulnerability with a CVSS base score of 7.0 through 10.0. These vulnerabilities must be fixed to pass PCI compliance.

Potential Vulnerability Levels
A potential vulnerability is one which we cannot confirm exists. The only way to verify the existence of such vulnerabilities on your network would be to perform an intrusive scan, which could result in a denial of service. This is strictly against our policy. Instead, we urge you to investigate these potential vulnerabilities further.
  1 Minimal: If this vulnerability exists on your system, intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities.
  2 Medium: If this vulnerability exists on your system, intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions.
  3 Serious: If this vulnerability exists on your system, intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-relaying.
  4 Critical: If this vulnerability exists on your system, intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host.
  5 Urgent: If this vulnerability exists on your system, intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors.
  Low: A potential vulnerability with a CVSS base score of 0.0 through 3.9. These vulnerabilities are not required to be fixed to pass PCI compliance.
  Medium: A potential vulnerability with a CVSS base score of 4.0 through 6.9. These vulnerabilities must be fixed to pass PCI compliance.
  High: A potential vulnerability with a CVSS base score of 7.0 through 10.0. These vulnerabilities must be fixed to pass PCI compliance.

Information Gathered
Information Gathered includes visible information about the network related to the host, such as traceroute information, Internet Service Provider (ISP), or a list of reachable hosts. Information Gathered severity levels also include Network Mapping data, such as detected firewalls, SMTP banners, or a list of open TCP services.
  1 Minimal: Intruders may be able to retrieve sensitive information related to the host, such as open UDP and TCP services lists, and detection of firewalls.
  2 Medium: Intruders may be able to determine the operating system running on the host, and view banner versions.
  3 Serious: Intruders may be able to detect highly sensitive data, such as global system user lists.
