All material contained herein is the intellectual property of Qualys and cannot be reproduced in any way, or stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the express written consent of Qualys, Inc.
Please be advised that all labs and tests are to be conducted within the parameters outlined within the text. The use of other domains or IP addresses is prohibited.
Introduction
The purpose of this class is to familiarize you with the functionality of the QualysGuard PCI interface.
The primary focus will be on the 11.2.2 requirement of the PCI Data Security Standard (DSS).
PCI Compliance is an operational task. In order to properly manage this task, the following steps have
been outlined as best practices for use with QualysGuard PCI.
Here is the outline of what you will be reviewing in the lab today:
1. Obtain a Trial account - You will create your own trial account in the lab. You will use this account to walk through the process for the 11.2.2 requirement.
2. Set up IP assets - Configure your IP addresses within the user interface, so they can be scanned for PCI compliance.
3. Map (Discover) the network - Discover devices within the environment and verify the QualysGuard scanners can reach the public, external IP addresses you'll be scanning for compliance.
4. Scan the network - Scan your network for vulnerabilities and review which ones you will need to fix to be compliant.
5. Remediate any necessary risks - Patch/resolve the failing vulnerabilities for the IP addresses which are part of your Cardholder Data Environment (CDE).
6. Submit False Positives - Request a false positive review for any finding you can show does not apply to the host.
7. Report on scans - Build your reports, which will include an Executive and Technical Report.
8. Submit Attestation to ASV
9. Submit Report to Acquiring Bank
Maintaining the ongoing progress of PCI Compliance is necessary for business and security purposes. In
order to process credit cards, you must be PCI Compliant. The process repeats itself every 90 days. The
QualysGuard PCI application will require a scan within 30 days of the report submission.
The labs within this workbook are based on the best practices outlined above, and each lab builds on the
last.
Introduction
Geographical Considerations
Process Considerations
Staffing Considerations
Introduction
While many of you will have already deployed QualysGuard Vulnerability Management or QualysGuard PCI in an enterprise environment, there are still deployment considerations that can be useful as your deployment scales to meet the needs of the enterprise. QualysGuard can help with your compliance initiative in several areas of the PCI Data Security Standard. This particular class will focus on the external 11.2.2 requirement.
Scan Customer - The merchant or service provider required to be compliant. The Scan Customer uses the scan solution provided by the ASV to meet the 11.2.2 requirement for compliance.
Qualys (and some Qualys partners) is an Approved Scanning Vendor (ASV). As a Scan Customer, you will use the service provided by the ASV to scan your environment for vulnerabilities. The QualysGuard PCI interface allows you to go through the entire process for the 11.2.2 requirement.
Geographical Considerations
With most enterprises existing in multiple locations, geographic considerations need to be included in
the deployment design. Time zone challenges, manned and unmanned facilities do play a role in the
deployment.
The 11.2.2 requirement of the PCI DSS requires the publicly accessible IP addresses of your Cardholder Data Environment (CDE) to be scanned for vulnerabilities by an ASV. The QualysGuard Cloud Platform allows you to scan those IP addresses (wherever they are in the world) from Qualys's external scanners, with no additional software or equipment to maintain.
2. Are there internal and external segments that need to be scanned? For PCI compliance (DSS 11.2.2), your acquiring bank requires a passing ASV report covering all externally facing devices in scope. For PCI compliance (DSS 11.2.1), merchants are required to scan internally as well, but no report submission is typically required for internal devices.
3. Are VLANs being used?
Understanding the architectural foundation of the network is paramount to understanding the needs of
your enterprise.
Process Considerations
Process considerations also need to be planned. These are the QualysGuard PCI processes you will refine over time, but to start, there needs to be a general understanding of the need.
1. What are the sizes of the proposed scanning windows? Depending on the policies
within your enterprise, there may be a specific amount of time during which devices can
be scanned.
2. How often will you need to scan your externally facing devices? Every 90 days (every quarter) you are required to send a passing report to your bank. As a best practice, Qualys recommends you scan at least every 30 days to ensure remediation of any found vulnerabilities. You will also want to allow time for the submission and review of false positive requests before the quarterly deadline.
3. What are the remediation windows for the hosts? Another process to take into
consideration is the remediation time frames an enterprise may have. Those
vulnerabilities which impact private data may have to be remediated in a very small
time frame.
Ensure you follow the instructions below, when filling out the form for your Trial Account. Use the
illustration above as an example.
1. Type your First and Last Name.
2. Enter your personal or work e-mail address (marketing materials will be suppressed from the
address you provide). Do NOT use any e-mail address that has already been used to create a
PCI account.
3. For Company, use QualysTraining followed by an underscore character, and your e-mail
address (QualysTraining_yourEmailAddress.com). Your Qualys Instructor will use this
company name to locate your account, and provide additional privileges.
4. Enter any Job Title you like (the word Other is acceptable).
5. Enter any Phone number you like (it does not have to be an actual phone number).
Logging In
Prerequisites/System Requirements
Essential:
QualysGuard PCI account (created above)
Modern Browser: Firefox 3, IE7, Safari v3
Java Browser Plug-in
Useful:
For PDF Reports: Adobe Acrobat Reader or comparable
For ZIP Archives: An un-zipping program
Tip: QualysGuard download/verification windows sometimes are obstructed by browser pop-up blockers.
Enable/whitelist pop-up windows from the qualys.com domain.
1. You will receive an email message with your trial account information. Click the one-time link
in this email to obtain your login info - credentials and login URL.
2. The link in the email sent to your email account will have you open your browser and navigate
to the login URL:
4. To use this tool you must agree to the Service User Agreement. Click I agree.
2. Also find the Quick Answers section, which will help get you started.
3. In the upper right hand corner is your login, merchant name, and help section. Open up the
Help menu for further investigation on any question you might have.
Exercises (5 Minutes)
Goal:
Why? To get started, we need to understand our Account Settings and the IP Assets we will scan.
How? Click on Account on the left.
1. Go to Account > Settings
Here is where you will find information about your company, primary contact information,
acquiring bank, and account information.
2. Choose Edit under Bank Information. Scroll to the bottom of the page, and fill in Bank of
Qualys under Other Banks and click Save.
This bank will get your PCI Compliance report when you submit the report. Normally, you would
select your Acquiring Bank. This step is required in order for you to submit the report to your
Acquirer.
3. View your subscription information so you know how many IPs you can scan.
The page within Settings gives you all your account information. You can find the following:
IPs purchased
IPs in account
Web Applications Purchased
Web Applications in account
Scan Customer (Merchant) information
Primary Contact information
Bank information
Why? In order to scan your environment and ultimately submit a report for PCI compliance, you
need to first add IP assets to your account.
How? Navigate to Account Settings and use the IP Wizard.
4. Navigate to Account > IP Assets.
5. Click on Walk me through Wizard. The PCI Council requires you to enter all of your IPs and domains considered in-scope.
The scope for the 11.2.2 requirement is every Internet-facing IP address and domain that is in, or has a path to, your CDE. Defining that scope correctly is your responsibility, not the ASV's (you attest to this when you submit the report), and a scan that omits in-scope addresses does not demonstrate compliance.
6. Click Next and then Add new IPs. Add the following IP range:
64.39.106.242-64.39.106.244
It is very important to enter these addresses correctly! Please note within this
lab you only have permission to scan this block of IP addresses.
8. Notice the Wizard asks you whether there are load balancers in your environment.
In this case, we are not using any Load Balancers. In your actual environment, you'll need to ensure the Load Balancers are configured correctly: every server behind a load balancer must be reachable by the scan, or you must attest that the servers behind it are synchronized.
9. Click No for Load Balancers, and then Next.
You'll also need to ensure you are whitelisting (allowlisting) the Qualys scanners on your IPS and firewall systems, so they do not block, drop, or rate-limit the scan traffic; the ASV cannot attest to a scan that an active protection system has interfered with. The list includes the following IPs:
64.39.96.0/20 (64.39.96.1-64.39.111.254)
10. Click Finish to close the Wizard.
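The following is an added example (it is not Qualys code and is not part of the lab) that does the bookkeeping behind the two steps above: it expands the range you type into the IP Wizard into individual addresses, checks that the scanner block 64.39.96.0/20 really spans the addresses quoted above, emits allow rules for it, and sorts IPS alerts into scanner traffic versus everything else. The scanner block and the lab targets are from the text; the rule format and the IPS log lines are constructed.

```python
"""Added example, not Qualys code: IP-scope and scanner-allowlist helpers.
The scanner block 64.39.96.0/20 and the targets 64.39.106.242-244 are from
the lab text; the rule format and the IPS log lines are constructed."""
from __future__ import annotations

import ipaddress

QUALYS_SCANNER_BLOCK = ipaddress.ip_network("64.39.96.0/20")


def expand_range(spec: str) -> list[str]:
    """Expand 'a.b.c.d-w.x.y.z' (the wizard's range form) or a single
    address into individual addresses, so the in-scope list can be reviewed."""
    if "-" not in spec:
        return [str(ipaddress.ip_address(spec))]
    first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    if last < first:
        raise ValueError(f"range end precedes start: {spec}")
    return [str(a) for net in ipaddress.summarize_address_range(first, last)
            for a in net]


def usable_range(net: ipaddress.IPv4Network) -> tuple[str, str]:
    """First and last host address of a block, the form the lab quotes
    for the scanner block (64.39.96.1-64.39.111.254)."""
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def is_qualys_scanner(ip: str) -> bool:
    """True when the source address falls inside the published scanner block."""
    return ipaddress.ip_address(ip) in QUALYS_SCANNER_BLOCK


def allow_rules(targets: list[str], block=QUALYS_SCANNER_BLOCK) -> list[str]:
    """iptables-style rules (assumed format) letting the scanner block reach
    each in-scope target; adapt the syntax to your own IPS or firewall."""
    return [f"-A INPUT -s {block} -d {t} -j ACCEPT" for t in targets]


def triage_ips_log(lines: list[str]) -> tuple[list[str], list[str]]:
    """Split IPS alert lines into traffic from the scanner block (expected
    during a scan window) and everything else, which still needs a look."""
    scanner, other = [], []
    for line in lines:
        src = line.split("src=", 1)[1].split()[0]
        (scanner if is_qualys_scanner(src) else other).append(line)
    return scanner, other


# Constructed IPS alert lines for illustration (key=value style is assumed).
SAMPLE_IPS_LOG = [
    "10:15:01 IPS alert=portscan src=64.39.100.7 dst=64.39.106.243",
    "10:15:09 IPS alert=portscan src=64.39.111.20 dst=64.39.106.244",
    "10:16:44 IPS alert=portscan src=198.51.100.23 dst=64.39.106.242",
]

if __name__ == "__main__":
    targets = expand_range("64.39.106.242-64.39.106.244")
    print("in scope:", targets)
    print("scanner block spans:", usable_range(QUALYS_SCANNER_BLOCK))
    for rule in allow_rules(targets):
        print(rule)
    scanner, other = triage_ips_log(SAMPLE_IPS_LOG)
    print(len(scanner), "alerts from Qualys scanners;", len(other), "to investigate")
```

The allow rules only exempt the scanner block from blocking; they do not switch the IPS off, so alerts from other sources during the scan window are still investigated by the triage step rather than assumed to be scanner noise.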
Network Discovery
Section Outline
Discovery Overview
Launching a Discovery Scan
Viewing Discovery Results
Discovery Overview
Discovery Scans find host devices, their operating systems, and where they live in the network. They
discover those hosts configured with an IP address using TCP SYN and UDP port scans. ICMP (ping) is
also used during the Discovery Scan. The Discovery Scan is a good first step in conducting your
assessment because you can verify whether the host is accessible from the external scanners before
launching a full vulnerability scan.
Launching a Map (Discovery Scan)
Discovery can be an initial task in QualysGuard PCI. It will allow you to see what devices you have in your environment and confirm they are reachable from the external scanners.
1. Navigate to Network, and select Discovery.
Actions:
This will tell you the details of the scan. It will give the scan settings and the IPs.
If you want to view the results of the scan, click the magnifying glass (view) icon.
8. If you click Details directly underneath the title of the scan, you'll also see the information on the scan.
9. Click on the Details listed below Total Hosts. (You will only have three Total Hosts).
10. What is the DNS name for device 64.39.106.243? _____________
11. How did we discover device 64.39.106.244? _____________
12. Were any of the devices found New Hosts? _____________
Network Scanning
Section Outline
Prelude
Launch a Scan
Scan Results
Vulnerabilities
Submit False Positives
Prelude
So far, you have launched a Discovery Scan to see what is in your network. However, a Discovery Scan does not tell you about any vulnerabilities on your hosts. In order to find the vulnerabilities you need to fix to be PCI Compliant, you need to launch a Network Scan.
Launch a scan
1. Navigate to Network > New Scan.
2. Enter your Title, and select all the IP addresses in the subscription (you will use the three IP addresses you entered earlier).
Actions:
Cancel a running scan.
Re-run a scan using the same parameters.
View a scan.
Download the scan results.
View vulnerabilities found during the scan.
Obtain information about the scan such as what IPs were scanned, the date of the scan, and bandwidth.
Scan Results
4. Click Scan Results on the left to see the scan's results. Then download your results as a PDF by clicking the download icon.
Rescan
To perform a new scan with the same options as a previous scan, click the Rescan icon to the left of the Status column:
QualysGuard will reuse the same scan details and choose a new title containing the current date. You don't have to do this for the purposes of this lab.
Vulnerabilities
Within QualysGuard PCI, the application looks for vulnerabilities in your environment and tells you whether each device is compliant or non-compliant based on the requirements defined in the DSS and the PCI ASV Program Guide. The general rule is that a vulnerability with a CVSS base score of 4.0 or higher causes a Fail, but there are exceptions: certain categories (for example SQL injection or cross-site scripting) cause a Fail even when the score is below 4.0. Qualys takes the guesswork out of the equation by marking vulnerabilities causing a fail with a FAIL label. In most cases, if the vulnerability has either a confirmed or a potential severity level of HIGH or MEDIUM, it causes a Fail; a potential vulnerability counts just like a confirmed one until you prove it is a false positive.
1. Now go back to the QualysGuard PCI. Navigate to Vulnerabilities. (Network > Vulnerabilities)
The Vulnerabilities page is where you go to find all of the issues you need to resolve in order to be
PCI Compliant for the 11.2.2 requirement. You can sort by vulnerability title, IP address, or Severity
level.
At the top of the page you have other ways to filter. If you want to see the vulnerabilities for one IP address, enter that IP address into the Search by IP address field.
You can sort by potential and confirmed vulnerability, and their different severity levels. You can
also take a look at pending false positives.
every quarter as per the PCI Data Security Standard. If the false positive is rejected, you must resolve
the vulnerability and confirm the fix worked with another scan.
Once the false positive is approved, it will also be removed from the most recent Scan Results Report.
The vulnerability for the host will also be removed from the vulnerability list for the appropriate host.
When you submit your PCI report to your bank, both the technical and executive reports will be
submitted.
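The pass/fail logic described in the Vulnerabilities section and the false-positive handling described just above, as an added example that is not Qualys code and not part of the lab: it applies the rule to a constructed set of findings, drops only approved false positives, and rolls the result up per host and per report. The 4.0 threshold and the existence of categories that fail regardless of score follow the PCI ASV Program Guide; the category list is a small subset, the HIGH/MEDIUM/LOW bands are an assumption, and the findings themselves are constructed (only the three host addresses are the lab's).

```python
"""Added example, not Qualys code: ASV pass/fail roll-up over constructed
findings.  Threshold and auto-fail idea follow the PCI ASV Program Guide;
the category subset, severity bands and findings are assumptions."""
from __future__ import annotations

from dataclasses import dataclass

# Subset of the categories the ASV Program Guide fails regardless of CVSS.
AUTO_FAIL_CATEGORIES = {"sql injection", "cross-site scripting",
                        "directory traversal", "default password"}
FAIL_THRESHOLD = 4.0


@dataclass
class Finding:
    host: str
    title: str
    cvss: float               # CVSS base score as reported by the scanner
    category: str
    confirmed: bool           # False means "potential"; both count for PCI
    fp_status: str = "none"   # none | requested | approved | rejected | expired


def severity(cvss: float) -> str:
    """Assumed mapping of CVSS to the HIGH/MEDIUM/LOW labels the lab mentions."""
    if cvss >= 7.0:
        return "HIGH"
    if cvss >= FAIL_THRESHOLD:
        return "MEDIUM"
    return "LOW"


def fails(f: Finding) -> bool:
    """FAIL when the score reaches the threshold or the category is one the
    program fails outright, so a 3.5 SQL injection still fails."""
    if f.category.lower() in AUTO_FAIL_CATEGORIES:
        return True
    return f.cvss >= FAIL_THRESHOLD


def effective_findings(findings: list[Finding]) -> list[Finding]:
    """Only an approved false positive leaves the list; requested, rejected
    and expired ones still count until the issue is fixed or re-approved."""
    return [f for f in findings if f.fp_status != "approved"]


def host_status(findings: list[Finding], hosts: list[str]) -> dict[str, str]:
    """PASS/FAIL per in-scope host; a host with no findings passes."""
    status = {h: "PASS" for h in hosts}
    for f in effective_findings(findings):
        if fails(f):
            status[f.host] = "FAIL"
    return status


def report_status(findings: list[Finding], hosts: list[str]) -> str:
    """The quarterly report passes only if every in-scope host passes."""
    return "PASS" if all(s == "PASS" for s in host_status(findings, hosts).values()) else "FAIL"


def failing_items(findings: list[Finding]) -> list[tuple[str, str, str]]:
    """What the Vulnerabilities page would show with the FAIL label."""
    return [(f.host, f.title, severity(f.cvss))
            for f in effective_findings(findings) if fails(f)]


IN_SCOPE = ["64.39.106.242", "64.39.106.243", "64.39.106.244"]

# Constructed findings for illustration.
SAMPLE_FINDINGS = [
    Finding("64.39.106.243", "Blind SQL injection in login form", 3.5, "SQL injection", True),
    Finding("64.39.106.244", "Outdated SSH server", 7.5, "remote service", True, "requested"),
    Finding("64.39.106.244", "ICMP timestamp disclosure", 2.1, "information disclosure", False),
    Finding("64.39.106.242", "Self-signed certificate", 4.3, "ssl/tls", True, "approved"),
]

if __name__ == "__main__":
    for host, state in host_status(SAMPLE_FINDINGS, IN_SCOPE).items():
        print(host, state)
    for item in failing_items(SAMPLE_FINDINGS):
        print("FAIL", *item)
    print("report:", report_status(SAMPLE_FINDINGS, IN_SCOPE))
```

With the constructed data, 64.39.106.243 fails on a LOW-scored finding because of its category, 64.39.106.244 still fails while its false-positive request is only pending, and 64.39.106.242 passes because its only finding has an approved false positive.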
1. Find a failing vulnerability, and click on the checkbox next to it.
6. Navigate to Network > False Positive History. Here you will see whether your False Positive
was requested, approved, rejected, or expired.
If you click on the information button, you can see all of the information pertaining to that
particular false positive, and track where it is in the submission process. Below, you can see all
of the possible statuses for a false positive.
Compliance
Section Outline
Current Vulnerability Report
Generate Attestation Report
Submitted Reports Page
Executive Report
Technical Report
The downloaded report tells you all about the current vulnerabilities on these two hosts. It will
indicate a fail or a pass next to each vulnerability so you know which specific vulnerabilities need
to be fixed for PCI Compliance.
4. How many vulnerabilities are there on 64.39.106.244? ________
5. Locate QID 105359. What category is this type of vulnerability? ________
6. Why is it a failing vulnerability? _______
The next thing that comes up is the Wizard that will walk you through submitting your report to your
ASV. Your ASV will need to attest to your report before you can submit it to your bank for
compliance purposes.
9. Click Next, and then click Enter a single comment for all issues. For the question, Is the
software securely implemented? You can click No. Enter your comment, and click next.
10. Enter a single comment for all non-compliant IPs. Click Next. Then enter your name and your
title.
Remember, you will need to agree that the scope of your scan is your responsibility, not that of the
ASV. You must also take into account that the report you are submitting does not represent your
overall compliance status.
11. Enter your submission title. For instance, Q1 PCI report. Press Generate Report.
12. Once your report is generated, you can click Next. Then, click Save for Later.
Here, you will see the status of your report. You have not yet submitted your report for Attestation.
You can pull the information on the report, the Executive Report, and the Technical Report. You can
also submit the report to your bank, which is the final step in the PCI Compliance process.
13. Click on the Executive and Technical Reports.
Both of these reports get submitted to your ASV when you click Request Review. The technical
report can help with identifying vulnerabilities and assist with remediation if necessary. All
vulnerabilities marked with a FAIL will need to be resolved for PCI Compliance.
Note the Status of your report and the Next Action of your report.
For the purposes of this lab, you will not submit the Attestation. However, you can see the status of each report. Currently, your report shows Request Review. If you were to click on that link, you'd be given a Wizard to submit the report for Attestation purposes. Once you receive the report back from your ASV (Qualys in this case), the report will show as Attested. You'd then submit it to your acquiring bank by clicking Submit.
When Qualys detects the service, it will show up in your list as Unreviewed.
Now you will walk through the steps of marking a service as authorized.
1. Navigate to Network > Open Services Report.
Here you will see all of your open services per host, and you can download a report in PDF or CSV format for your devices.
2. Find the open services on 64.39.106.243. Click the check box next to the service running on port
139. Click the Classify As button.
You must determine whether this is a service that should be running in your environment. In this example case, you will approve this particular service.
3. Add the following comments: This service is an approved service for this device in our
environment.
When doing this in your own environment, you can continue to mark these services accordingly.
Note that you can change the classification right away. The interface stores your comments along with the date they were entered.
4. Click on Authorized next to the comment you just put into the interface.
5. Change the classification to unauthorized. Enter comments indicating this is no longer a supported
service, and press Submit.
6. Click on your username under comments to view the comments. The most recent comments will
be on top.
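The review loop above (classify each open service, keep its comment history newest first, revisit it when the scan changes) as an added example that is not Qualys code and not part of the lab: it diffs the open services a scan reports against an approved-services baseline and keeps a dated comment history per service. Host 64.39.106.243 and port 139 come from the lab; the scan rows, the baseline, the user name and the comments are constructed.

```python
"""Added example, not Qualys code: open-services baseline review.
Host 64.39.106.243 / port 139 are from the lab; everything else is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple

ServiceKey = Tuple[str, int, str]   # (host, port, protocol)


@dataclass
class Comment:
    when: datetime
    user: str
    classification: str   # authorized | unauthorized
    text: str


@dataclass
class ServiceRecord:
    key: ServiceKey
    classification: str = "unreviewed"   # what a freshly detected service shows
    history: List[Comment] = field(default_factory=list)   # newest first

    def classify(self, classification: str, text: str, user: str, when: datetime):
        """Record the change together with who made it and when."""
        if classification not in ("authorized", "unauthorized"):
            raise ValueError(f"unknown classification: {classification}")
        self.classification = classification
        self.history.insert(0, Comment(when, user, classification, text))
        return self


def review_scan(open_services, baseline: Dict[ServiceKey, ServiceRecord]):
    """Compare a scan's open services with the baseline.
    Returns (needs_review, unauthorized_still_open, stale_baseline)."""
    seen = set()
    needs_review, unauthorized_open = [], []
    for host, port, proto, name in open_services:
        key = (host, port, proto)
        seen.add(key)
        rec = baseline.get(key)
        if rec is None or rec.classification == "unreviewed":
            needs_review.append((key, name))            # nobody has decided yet
        elif rec.classification == "unauthorized":
            unauthorized_open.append((key, name))       # decided "no", still listening
    # Authorized entries the scan no longer sees: baseline drift to clean up.
    stale = [k for k, r in baseline.items()
             if k not in seen and r.classification == "authorized"]
    return needs_review, unauthorized_open, stale


# Constructed scan output: (host, port, protocol, service name).
SCAN_OPEN_SERVICES = [
    ("64.39.106.243", 139, "tcp", "netbios-ssn"),
    ("64.39.106.243", 443, "tcp", "https"),
    ("64.39.106.244", 22, "tcp", "ssh"),
]


def build_baseline() -> Dict[ServiceKey, ServiceRecord]:
    """Constructed baseline replaying the lab's authorize-then-revoke steps."""
    t0, t1 = datetime(2013, 4, 2, 10, 30), datetime(2013, 4, 3, 9, 0)
    nb = ServiceRecord(("64.39.106.243", 139, "tcp"))
    nb.classify("authorized", "This service is an approved service for this device in our environment.", "labuser", t0)
    nb.classify("unauthorized", "This is no longer a supported service.", "labuser", t1)
    https = ServiceRecord(("64.39.106.243", 443, "tcp")).classify("authorized", "Public web front end.", "labuser", t0)
    ftp = ServiceRecord(("64.39.106.242", 21, "tcp")).classify("authorized", "Partner file drop.", "labuser", t0)
    return {r.key: r for r in (nb, https, ftp)}


if __name__ == "__main__":
    baseline = build_baseline()
    needs_review, unauthorized_open, stale = review_scan(SCAN_OPEN_SERVICES, baseline)
    print("needs review:", needs_review)
    print("unauthorized but open:", unauthorized_open)
    print("stale baseline entries:", stale)
    for c in baseline[("64.39.106.243", 139, "tcp")].history:   # newest first
        print(c.when, c.user, c.classification, c.text)
```

The three buckets map onto three different actions: unreviewed services need a decision, unauthorized services that are still listening need remediation before the next quarterly report, and stale baseline entries are the reminder to keep the approved list honest rather than letting it grow forever.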
SQL Injection
Blind SQL injection
XSS
Sensitive Content leakage
It is very important to enter this site information correctly. Please note within
this lab you only have permission to scan this particular site
(demo6.sea.qualys.com).
6. The port will be port 443 and we will use / as the starting URI. Press Save.
To perform an authenticated scan, you'll need to create an authentication record.
7. Click on the Edit icon to set up an Authentication Record. Then, click Add to set up the record.
Contacting Support
Overview
Try as we may, inevitably, you will need to contact support. In order for us to properly, and efficiently
troubleshoot issues, we will need information from you.
There are 3 ways to contact support:
With the QualysGuard PCI interface, you will have all the necessary information at your fingertips.
From QualysGuard PCI on the left, click Contact Support.
Viewing Resources
Also, there is a user guide, PCI frequently asked questions, and PCI Council information. It's located right under the Contact Support section.