
PCI Compliance

Training Labs

All Material contained herein is the Intellectual Property of Qualys and cannot be
reproduced in any way, or stored in a retrieval system, or transmitted in any form or
by any means, electronic, mechanical, photocopying, recording, scanning or
otherwise, without the express written consent of Qualys, Inc.
Please be advised that all labs and tests are to be conducted within the parameters outlined within
the text. The use of other domains or IP addresses is prohibited.

Introduction
The purpose of this class is to familiarize you with the functionality of the QualysGuard PCI interface.
The primary focus will be on the 11.2.2 requirement of the PCI Data Security Standard (DSS).
PCI Compliance is an operational task. In order to properly manage this task, the following steps have
been outlined as best practices for use with QualysGuard PCI.
Here is the outline of what you will be reviewing in the lab today:
1. Obtain a Trial account - You will create your own trial account in the lab. You will use this
account to walk through the process for the 11.2.2 requirement.
2. Set up IP assets - Configure your IP addresses within the user interface, so they can be scanned
for PCI compliance.
3. Map (Discover) the network - Discover devices within the environment and verify the
QualysGuard scanners can reach the public, external IP addresses you'll be scanning for
compliance.
4. Scan the network - Scan your network for vulnerabilities and review which ones you will need
to fix to be compliant.
5. Remediate any necessary risks - Patch/resolve the failing vulnerabilities for the IP addresses
which are part of your Cardholder Data Environment (CDE).
6. Submit False Positives
7. Report on scans - Build your reports, which will include an Executive and Technical Report.
8. Submit Attestation to ASV
9. Submit Report to Acquiring Bank
Maintaining the ongoing progress of PCI Compliance is necessary for business and security purposes. In
order to process credit cards, you must be PCI Compliant. The process repeats itself every 90 days. The
QualysGuard PCI application will require a scan within 30 days of the report submission.
The labs within this workbook are based on the best practices outlined above, and each lab builds on the
last.

Planning Qualys PCI Compliance Deployment


Section Outline

Introduction

Qualys and Internal Scanning

Qualys and External Scanning

Geographical Considerations

Architectural / Network Considerations

Process Considerations

Staffing Considerations

Introduction
While many of you will have already deployed QualysGuard Vulnerability Management or QualysGuard
PCI in an enterprise environment, there are still deployment considerations that can be useful as your
deployment scales to meet the needs of the enterprise. QualysGuard can help with your compliance
initiative in various parts of the PCI Data Security Standard. This particular class will focus on the
external 11.2.2 requirement.

Qualys and Internal Scanning


While this class will focus on the external requirement, there are other parts of the DSS where Qualys
can help you with compliance. The 11.2.1 requirement of the DSS requires scanning for
vulnerabilities on the internal Cardholder Data Environment (CDE).
The 6.1 requirement of the DSS now requires you to resolve all internal vulnerabilities classified as
High. Combined with the 11.2.1 requirement, it specifies that the Scan Customer must rescan internally
until all vulnerabilities labeled as High are resolved.
This process differs, however, from the 11.2.2 requirement because no attestation process is
needed.
You can use the QualysGuard Vulnerability Management application and a QualysGuard Scanner
Appliance you've installed in your environment to help you meet the 11.2.1 requirement of the DSS.

Qualys and External Scanning


The external scanning requirement of the DSS has a unique process. It involves several different parties
working together to achieve a common goal: PCI Compliance. To fully understand the requirement, you
need to understand the parties involved.
Payment Brands - The payment brands (e.g., Visa, MasterCard) are the entities enforcing the overall PCI
standard.
Acquiring Bank (Acquirer) - The bank that processes the credit card payments for the merchant.
Approved Scanning Vendor (ASV) - A company approved by the PCI Security Standards Council to
perform external scans for the 11.2.2 requirement.

Scan Customer - The merchant or service provider required to be compliant. The Scan Customer will
use the scan solution provided by the ASV to meet the 11.2.2 requirement for compliance.
Qualys (and some Qualys partners) is an Approved Scanning Vendor (ASV). As a Scan Customer, you will
use the service provided by the ASV to scan your environment for vulnerabilities. The QualysGuard PCI
interface allows you to go through the entire process for this 11.2.2 requirement.

Geographical Considerations
With most enterprises existing in multiple locations, geographic considerations need to be included in
the deployment design. Time zone differences and manned versus unmanned facilities play a role in the
deployment.
The 11.2.2 requirement of the PCI DSS requires the publicly accessible IP addresses of your
Cardholder Data Environment (CDE) to be scanned for vulnerabilities. The QualysGuard Cloud Platform
allows you to scan those IP addresses (wherever they are in the world) with no additional software or
equipment to maintain.

Architectural and Network Considerations


After any geographical considerations are taken into account, the next step needs to be determining the
best deployment for a given geographical location, based on architectural and network requirements.
Here are some considerations you might need to take into account when scanning a network for PCI
Compliance.
1. How many segments will need to be scanned?
a. How many hosts are on each segment?
b. Can you segment hosts off the network that don't need to be scanned to
reduce the scope for PCI Compliance?
2. Are there internal and external segments that need to be scanned? For PCI
compliance (DSS 11.2.2), the bank requires a report on all externally facing devices.
For PCI compliance (DSS 11.2.1), merchants are required to scan internally, but no
report submission is typically required for internal devices.
3. Are VLANs being used?
Understanding the architectural foundation of the network is paramount to understanding the needs of
your enterprise.

Process Considerations
Process considerations must also be taken into account. These are the QualysGuard PCI processes
you will refine over time, but to start, there needs to be a general understanding of the need.
1. What are the sizes of the proposed scanning windows? Depending on the policies
within your enterprise, there may be a specific amount of time during which devices can
be scanned.
2. How often will you need to scan your externally facing devices? Every 90 days or every
quarter you are required to send a passing report to your bank. As a best practice,
Qualys recommends you scan at least every 30 days to ensure remediation of any found
vulnerabilities. You will also want to allow time for the submission of false positive requests.
3. What are the remediation windows for the hosts? Another process to take into
consideration is the remediation time frames an enterprise may have. Those
vulnerabilities which impact private data may have to be remediated in a very short
time frame.

Using Qualys PCI Compliance Application


Set up a Trial Account
Navigate to the QualysGuard PCI Trial page: http://www.qualys.com/forms/trials/pci_compliance/

Ensure you follow the instructions below, when filling out the form for your Trial Account. Use the
illustration above as an example.
1. Type your First and Last Name.
2. Enter your personal or work e-mail address (marketing materials will be suppressed from the
address you provide). Do NOT use any e-mail address that has already been used to create a
PCI account.
3. For Company, use QualysTraining followed by an underscore character, and your e-mail
address (QualysTraining_yourEmailAddress.com). Your Qualys Instructor will use this
company name to locate your account, and provide additional privileges.
4. Enter any Job Title you like (the word Other is acceptable).
5. Enter any Phone number you like (i.e., it does not have to be an actual phone number).
6. As a special adjustment for TRAINING accounts, change the country to Antarctica.
7. Choose any number for Company Size.
8. Click the Create Account button.
Please notify your Qualys Instructor, once you have clicked the Create Account button. Once your
account has been located, your instructor will update your account with additional privileges.

Logging In
Prerequisites/System Requirements
Essential:
QualysGuard PCI account (created above)
Modern Browser: Firefox 3, IE7, Safari v3
Java Browser Plug-in
Useful:
For PDF Reports: Adobe Acrobat Reader or comparable
For ZIP Archives: An un-zipping program
Tip: QualysGuard download/verification windows are sometimes obstructed by browser pop-up blockers.
Enable/whitelist pop-up windows from the qualys.com domain.
1. You will receive an email message with your trial account information. Click the one-time link
in this email to obtain your login info - credentials and login URL.
2. The link in the email sent to your email account will have you open your browser and navigate
to the login URL:

3. Fill in your login credentials and click Login.

4. To use this tool you must agree to the Service User Agreement. Click I agree.

Organization/Navigation and Menus


Navigation: Home Menu
1. View the home page and the navigation menu on the left. Click on Network and see your
choices under it.

2. Also find the Quick Answers section, which will help get you started.

3. In the upper right hand corner is your login, merchant name, and help section. Open up the
Help menu for further investigation on any question you might have.

Exercises (5 Minutes)
Goal: Familiarize yourself with Account Settings.
Why? To get started, we need to understand our Account Settings and the IP Assets we will scan.
How? Click on Account on the left.
1. Go to Account > Settings

Here is where you will find information about your company, primary contact information,
acquiring bank, and account information.
2. Choose Edit under Bank Information. Scroll to the bottom of the page, and fill in Bank of
Qualys under Other Banks and click Save.

This bank will get your PCI Compliance report when you submit the report. Normally, you would
select your Acquiring Bank. This step is required in order for you to submit the report to your
Acquirer.
3. View your subscription information so you know how many IPs you can scan.

The page within Settings gives you all your account information. You can find the following:

IPs purchased
IPs in account
Web Applications Purchased
Web Applications in account
Scan Customer (Merchant) information
Primary Contact information
Bank information

Add IP addresses to your subscription


Goal: Ensure the account has IP assets.
Why? In order to scan your environment and ultimately submit a report for PCI compliance, you
need to first add IP assets to your account.
How? Navigate to Account Settings and use the IP Wizard.
4. Navigate to Account > IP Assets.
5. Click on Walk me through Wizard. The PCI Council requires you to enter all of your IPs and
domains considered in-scope.
The scope for the 11.2.2 requirement is any part of your network that is in, or has a path to,
your CDE.
6. Click Next and then Add new IPs. Add the following IP range:

64.39.106.242-64.39.106.244
It is very important to enter these addresses correctly! Please note within this
lab you only have permission to scan this block of IP addresses.
7. Click Next through domains.
8. Notice the Wizard asks you whether there are load balancers in your environment.
In this case, we are not using any Load Balancers. In your actual environment, you'll need to
ensure the Load Balancers are configured correctly.
9. Click No for Load Balancers, and then Next.
You'll also need to ensure you are whitelisting the Qualys scanners on your IPS systems. The list
includes the following IPs.
64.39.96.0/20 (64.39.96.1-64.39.111.254)
10. Click Finish to close the Wizard.
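Two checks worth scripting around the steps above: confirming that a range typed into the IP Wizard stays inside the scope you are permitted to scan, and confirming that the IPS/firewall allowlist entries actually cover the whole scanner netblock. The following is an added example written for this workbook, not Qualys code; the dash-separated range format and the scanner block 64.39.96.0/20 come from the lab text, while the allowlist entries in the test are constructed.

```python
import ipaddress
from typing import Iterable, List

# Values taken from the lab text
SCANNER_NETBLOCK = ipaddress.ip_network("64.39.96.0/20")
LAB_SCOPE = "64.39.106.242-64.39.106.244"


def expand_range(spec: str) -> List[ipaddress.IPv4Address]:
    """Expand one subscription entry into individual addresses.

    Accepts the dash form the IP Wizard uses ("a.b.c.d-e.f.g.h"),
    a CIDR block, or a single address.
    """
    spec = spec.strip()
    if "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        lo = ipaddress.ip_address(lo_s.strip())
        hi = ipaddress.ip_address(hi_s.strip())
        if hi < lo:
            raise ValueError(f"range end precedes start: {spec}")
        return [ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1)]
    if "/" in spec:
        return list(ipaddress.ip_network(spec, strict=False))
    return [ipaddress.ip_address(spec)]


def out_of_scope(requested: str, permitted: str) -> List[str]:
    """Return the requested addresses that fall outside the permitted scope.

    An empty list means the entry is safe to add to the subscription.
    """
    allowed = set(expand_range(permitted))
    return [str(a) for a in expand_range(requested) if a not in allowed]


def allowlist_covers(entries: Iterable[str], netblock=SCANNER_NETBLOCK) -> bool:
    """True if the IPS/firewall allowlist entries jointly cover the scanner block.

    Adjacent entries are merged first, so two /21s count as one /20.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    merged = list(ipaddress.collapse_addresses(nets))
    return any(netblock.subnet_of(n) for n in merged)


def scanner_bounds(netblock=SCANNER_NETBLOCK):
    """First and last usable address of the scanner block, to cross-check
    the range printed in documentation against the CIDR notation."""
    return str(netblock[1]), str(netblock[-2])


if __name__ == "__main__":
    print("lab scope expands to", [str(a) for a in expand_range(LAB_SCOPE)])
    print("scanner block spans", scanner_bounds())
    # Constructed mistake: one extra address typed at the low end of the range
    print("outside scope:", out_of_scope("64.39.106.241-64.39.106.244", LAB_SCOPE))
```

Run `out_of_scope()` on every entry before clicking Add new IPs; anything it returns is an address you have no permission to scan in this lab.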

Network Discovery
Section Outline
Discovery Overview
Launching a Discovery Scan
Viewing Discovery Results

Discovery Overview
Discovery Scans find host devices, their operating systems, and where they live in the network. They
discover those hosts configured with an IP address using TCP SYN and UDP port scans. ICMP (ping) is
also used during the Discovery Scan. The Discovery Scan is a good first step in conducting your
assessment because you can verify whether the host is accessible from the external scanners before
launching a full vulnerability scan.

Launching A Map
Discovery can be an initial task in QualysGuard PCI. It will allow us to see what devices we have in our
environment.
1. Navigate to the Network, and select Discovery.

2. Select New Scan


3. In the Title field, type in Discovery Scan 1.
Leave the bandwidth setting at Medium. You can change the bandwidth setting for the scan to
speed up or slow down the scan.

4. Click on Select IPs.


5. Highlight your block of IPs, and select Expand. Select all of the IPs in your block of IPs, and
click Add. Click Close to close the pop-up window.
6. Launch your Discovery Scan by pressing OK.

View Discovery Scan List


If you navigate back to Network > Discovery, you can see the history of your Discovery Scans. You'll be
able to view the scan results after the scan completes.

Actions:
This will tell you the details of the Scan. It will give the scan settings and the IPs.
If you want to view the results of the scan, you can click on the magnifying glass.

Viewing Discovery Results


7. View the discovery results by clicking its view icon.
8. If you click on Details directly underneath the title of the scan, you'll also see the
information on the scan.
9. Click on the Details listed below Total Hosts. (You will only have three Total Hosts).
10. What is the DNS name for device 64.39.106.243? _____________
11. How did we discover device 64.39.106.244? _____________
12. Were any of the devices found New Hosts? _____________


Network Scanning
Section Outline

Prelude
Launch a Scan
Scan Results
Vulnerabilities
Submit False Positives

Prelude
So far, you have launched a Discovery Scan to see what was in your network. However, you don't learn
about any vulnerabilities on your host systems using a Discovery Scan. In order to find the
vulnerabilities you need to fix to be PCI Compliant, you need to launch a Network Scan.

Launch a scan
1. Navigate to Network > New Scan.
2. Enter your Title, and select all the IP addresses in the subscription (you will use the 3 IP addresses
you entered earlier).
3. Press OK to launch your Scan.


As you can see, launching a PCI scan is relatively easy. There is no spot to modify your scan settings,
as the PCI Security Standards Council dictates the scan requirements to the Approved Scanning
Vendor.

Scan Results List


The Scan Results screen lists running, finished, and canceled scans. You can also cancel
running scans from here.

Actions:
Cancel a running scan.
Re-run a scan using the same parameters.
View a scan.
Download the scan results.
View vulnerabilities found during the scan.
Obtain information about the scan such as what IPs were scanned, the date of the scan, and bandwidth.

Scan Results
4. Click Scan Results on the left to see the scan results. Then download your results into a
PDF by clicking the download icon.
5. How many LOW vulnerabilities were in your network? _________
6. How many combined MEDIUM and HIGH vulnerabilities were there? _________
7. Did any of the devices pass for PCI Compliance? ________
8. How long did the scan take? ________

Rescan
To perform a new scan with the same options as a previous scan, you can click on the Rescan icon to the
left of the status column.
QualysGuard will attempt to use the same details and choose a new title with the current date. You
don't have to do this for the purposes of this lab.

Vulnerabilities
Within QualysGuard PCI, the application looks for vulnerabilities in your environment that tell you
whether the device is compliant or non-compliant based on requirements defined in the DSS. Compliance
is generally decided by CVSS score, but there are exceptions to the CVSS scoring system where a
vulnerability below a score of 4.0 still causes a Fail. Qualys takes the guesswork out of the equation by
marking vulnerabilities that cause a fail with a FAIL label. In most cases, if the vulnerability has either
a confirmed or a potential severity level of HIGH or MEDIUM, it causes a Fail.

1. Now go back to QualysGuard PCI. Navigate to Vulnerabilities. (Network > Vulnerabilities)
The Vulnerabilities page is where you go to find all of the issues you need to resolve in order to be
PCI Compliant for the 11.2.2 requirement. You can sort by vulnerability title, IP address, or Severity
level.
At the top of the page you have other ways to filter. If you want to see the vulnerabilities
for one IP address, you can enter that IP address into the Search by IP address field.
You can sort by potential and confirmed vulnerability, and their different severity levels. You can
also take a look at pending false positives.
2. Click on Filter Results, and type in SSH.
You can also search on QID (the numeric identifier Qualys gives to each vulnerability it tracks),
or you can display only the vulnerabilities that cause a failed report. Remove SSH from the
filter field.
3. Search on QID 86737. What devices have this vulnerability? ___________
4. How would one fix this vulnerability? _________
5. Will this particular vulnerability cause us to fail PCI Compliance? _________
6. What is the CVSS base and CVSS temporal score for this vulnerability? ________

Submit a False Positive


It is possible there will be an occasion where Qualys reports a vulnerability you feel doesn't apply to a
particular host. The False Positive process should be started after you've remediated all that you can
remediate.
You can submit an exception that will be considered a false positive. If the particular false positive
you submit is approved, it will NOT cause a PCI fail for 90 days. All false positives must be resubmitted
every quarter as per the PCI Data Security Standard. If the false positive is rejected, you must resolve
the vulnerability and confirm the fix worked with another scan.
Once the false positive is approved, it will also be removed from the most recent Scan Results Report.
The vulnerability for the host will also be removed from the vulnerability list for the appropriate host.
When you submit your PCI report to your bank, both the technical and executive reports will be
submitted.
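The Vulnerabilities section above describes how a finding becomes a FAIL (CVSS score, with exceptions below 4.0), and this section describes how an approved false positive suppresses that FAIL for 90 days. The following added example, written for this workbook rather than taken from Qualys, models both rules together so you can see how a host's pass/fail status changes as exceptions expire. The 4.0 threshold and the 90-day validity come from the text; the AUTO_FAIL_CATEGORIES set is a hypothetical illustration of the "below 4.0 still fails" exceptions, and all findings, QIDs and dates in the sample data are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Iterable, List

CVSS_FAIL_THRESHOLD = 4.0           # general rule stated in the Vulnerabilities section
FALSE_POSITIVE_VALIDITY_DAYS = 90   # an approved false positive exempts the finding for 90 days

# Hypothetical: categories that fail regardless of CVSS score. The lab only says
# such below-4.0 exceptions exist; these two entries are illustrative.
AUTO_FAIL_CATEGORIES = {"sql injection", "cross-site scripting"}


@dataclass
class Finding:
    qid: int
    host: str
    title: str
    cvss_base: float
    category: str = ""


@dataclass
class FalsePositive:
    qid: int
    host: str
    approved_on: date


@dataclass
class HostStatus:
    result: str = "PASS"
    failing: List[int] = field(default_factory=list)    # QIDs still causing a FAIL
    excepted: List[int] = field(default_factory=list)   # QIDs covered by an active exception


def is_failing(f: Finding) -> bool:
    """FAIL if the category is an automatic failure or the score reaches the threshold."""
    if f.category.lower() in AUTO_FAIL_CATEGORIES:
        return True
    return f.cvss_base >= CVSS_FAIL_THRESHOLD


def exception_active(fp: FalsePositive, today: date) -> bool:
    """An approved false positive covers the finding for 90 days from approval."""
    expires = fp.approved_on + timedelta(days=FALSE_POSITIVE_VALIDITY_DAYS)
    return fp.approved_on <= today < expires


def compliance_status(hosts: Iterable[str], findings: Iterable[Finding],
                      false_positives: Iterable[FalsePositive], today: date) -> Dict[str, HostStatus]:
    """Per-host PASS/FAIL after applying active false-positive exceptions."""
    active = {(fp.qid, fp.host) for fp in false_positives if exception_active(fp, today)}
    status = {h: HostStatus() for h in hosts}
    for f in findings:
        s = status.setdefault(f.host, HostStatus())
        if not is_failing(f):
            continue
        if (f.qid, f.host) in active:
            s.excepted.append(f.qid)
        else:
            s.failing.append(f.qid)
            s.result = "FAIL"
    return status


# Constructed sample data: lab hosts, invented QIDs/scores, invented dates.
LAB_HOSTS = ["64.39.106.242", "64.39.106.243", "64.39.106.244"]
SAMPLE_FINDINGS = [
    Finding(100001, "64.39.106.243", "SSH banner reveals version", 2.6, "ssh"),
    Finding(100002, "64.39.106.243", "Weak TLS cipher suites offered", 4.3, "tls"),
    Finding(100003, "64.39.106.244", "SQL injection in login form", 3.5, "sql injection"),
    Finding(100004, "64.39.106.244", "Missing HTTP security headers", 5.0, "http"),
]
SAMPLE_FALSE_POSITIVES = [
    FalsePositive(100002, "64.39.106.243", date(2024, 1, 1)),   # active until 2024-03-31
    FalsePositive(100004, "64.39.106.244", date(2023, 9, 1)),   # expired well before review
]
REVIEW_DATE = date(2024, 1, 15)
NEXT_QUARTER = date(2024, 4, 15)


def lab_status(today: date) -> Dict[str, HostStatus]:
    return compliance_status(LAB_HOSTS, SAMPLE_FINDINGS, SAMPLE_FALSE_POSITIVES, today)


if __name__ == "__main__":
    for when in (REVIEW_DATE, NEXT_QUARTER):
        print(f"--- status on {when} ---")
        for host, s in lab_status(when).items():
            print(host, s.result, "failing:", s.failing, "excepted:", s.excepted)
```

Note how 64.39.106.243 passes on the review date only because of the approved exception, and fails again a quarter later once that exception has lapsed; that is exactly why the text tells you to resubmit false positives every quarter and to scan within 30 days of submitting the report.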
1. Find a failing vulnerability, and click on the checkbox next to it.

2. Click the Review 1 False Positive button.

3. Click the plus sign next to Vulnerability Details and Results.


It's important to do your due diligence when you are submitting a false positive. When Qualys
(the ASV) receives the false positive, it will review whether it's valid.
4. Enter the following text: Student Test Submission - Please auto reject. Press Submit
False Positive Request.
Obviously, this is where you would normally put a reason to indicate the vulnerability is in fact a
false positive.
5. Then click on Home.


6. Navigate to Network > False Positive History. Here you will see whether your False Positive
was requested, approved, rejected, or expired.
If you click on the information button, you can see all of the information pertaining to that
particular false positive, and track where it is in the submission process. Below, you can see all
of the possible statuses for a false positive.


Compliance
Section Outline
Current Vulnerability Report
Generate Attestation Report
Submitted Reports Page
Executive Report
Technical Report

Current Vulnerability Report


You can pull a full report with all of the vulnerabilities in your environment and find what vulnerabilities
are causing you to fail PCI Compliance. The report can be sent to the Operations team or those people
responsible for remediation.
1. Navigate to Compliance > Compliance Status.
2. Click the checkbox next to 64.39.106.243 and 64.39.106.244.
3. Click Download Report.

The downloaded report tells you all about the current vulnerabilities on these two hosts. It will
indicate a fail or a pass next to each vulnerability so you know which specific vulnerabilities need
to be fixed for PCI Compliance.
4. How many vulnerabilities are there on 64.39.106.244? ________
5. Locate QID 105359. What category is this type of vulnerability? ________
6. Why is it a failing vulnerability? _______

Generate Attestation Report


After you pull the report to see the vulnerabilities, you need to remediate all of the issues in your
environment that have a FAIL label next to them. After the vulnerabilities are all resolved, and the false
positives are approved, you can submit the passing report for attestation and then to the bank.
7. Navigate to Compliance > Compliance Status.
8. Click Generate Report.


The next thing that comes up is the Wizard that will walk you through submitting your report to your
ASV. Your ASV will need to attest to your report before you can submit it to your bank for
compliance purposes.
9. Click Next, and then click Enter a single comment for all issues. For the question "Is the
software securely implemented?" you can click No. Enter your comment, and click Next.
10. Enter a single comment for all non-compliant IPs. Click Next. Then enter your name and your
title.
Remember, you will need to agree that the scope of your scan is your responsibility, not that of the
ASV. You must also take into account that the report you are submitting does not represent your
overall compliance status.
11. Enter your submission title. For instance, Q1 PCI report. Press Generate Report.
12. Once your report is generated, you can click Next. Then, click Save for Later.
Here, you will see the status of your report. You have not yet submitted your report for Attestation.
You can pull the information on the report, the Executive Report, and the Technical Report. You can
also submit the report to your bank, which is the final step in the PCI Compliance process.
13. Click on the Executive and Technical Reports.
Both of these reports get submitted to your ASV when you click Request Review. The technical
report can help with identifying vulnerabilities and assist with remediation if necessary. All
vulnerabilities marked with a FAIL will need to be resolved for PCI Compliance.
Note the Status of your report and the Next Action of your report.


For the purposes of this lab, you will not submit the Attestation. However, you can see the
status of each report. Currently, your report shows Request Review. If you were to click on
that link, you'd be given a Wizard to submit the report for Attestation purposes. Once you
receive the report back from your ASV (Qualys in this case), the report will show as Attested.
You'd then submit to your acquiring bank by clicking Submit.


Open Services Report


The open services report is what you will use to meet the 1.1.6 PCI DSS requirement. You will be able
to see the open services found on each device and classify them as authorized or unauthorized. The
report is going to show you all the services, ports and protocols detected by your most recent scan.

When Qualys detects the service, it will show up in your list as Unreviewed.

Now you will walk through the steps of marking a service as authorized.
1. Navigate to Network > Open Services Report.
Here you will see all of your open services per host and you can download a report in PDF or CSV
format for your devices.
2. Find the open services on 64.39.106.243. Click the check box next to the service running on port
139. Click the Classify As button.
You must determine whether this is a service that should be running in your environment. In this
example case, you will approve this particular service.
3. Add the following comments: This service is an approved service for this device in our
environment.
When doing this in your own environment, you can continue to mark these services accordingly.
Note that you can change the classification right away. The interface will record your comments along
with the date the comments were changed.
4. Click on Authorized next to the comment you just put into the interface.
5. Change the classification to Unauthorized. Enter comments indicating this is no longer a supported
service, and press Submit.
6. Click on your username under comments to view the comments. The most recent comments will
be on top.


Web Application Scan


Earlier in the day, you focused on Network scanning to meet the DSS section 11.2
requirement.
Next, you will take a look at Web Application Scanning, which enables individual web applications to
be checked for vulnerabilities. This will satisfy DSS section 6.6. Web Application Scanning (WAS) is
based on the premise that not only can a host be vulnerable, but the way an application is deployed can
also be vulnerable. WAS crawls and checks links for vulnerabilities such as:

SQL Injection
Blind SQL injection
XSS
Sensitive Content leakage
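To make the first two items on that list concrete, here is an added example (written for this workbook, not Qualys code) showing the kind of defect a WAS SQL injection check is looking for: a login query built by string formatting, placed beside the parameterized form that remediates it. The in-memory SQLite table, the user rows and the probe input are constructed for the demonstration.

```python
import sqlite3
from typing import List


def build_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample users (not a real system).

    Plaintext passwords are kept only to keep the demo to one table; a real
    application stores password hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Vulnerable form: user input is spliced into the SQL text, so a quote in
    the input changes the structure of the query instead of being compared."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}' "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(query)]


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Remediated form: a parameterized query. The driver binds the values as
    data, so the same input is only ever compared, never executed."""
    query = (
        "SELECT username FROM users "
        "WHERE username = ? AND password = ? "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(query, (username, password))]


# Textbook probe input used in every SQL injection tutorial: it closes the
# string literal and appends an always-true condition.
TEXTBOOK_PROBE = "x' OR '1'='1"


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable, valid credentials :", login_vulnerable(db, "alice", "correct-horse"))
    print("vulnerable, probe as password :", login_vulnerable(db, "alice", TEXTBOOK_PROBE))
    print("hardened,   probe as password :", login_hardened(db, "alice", TEXTBOOK_PROBE))
```

The vulnerable function returns every user when the probe is supplied as the password, because the query it executes has become `... AND password = 'x' OR '1'='1'`; the parameterized version returns nothing, since the probe is compared literally against the stored password. When a WAS report flags SQL injection on a page, converting its queries to bound parameters is the fix the report is asking for.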

In QualysGuard PCI WAS, the setup is pretty straightforward:
Navigate to Web Applications > New Scan
Create a Web Application Record
Select authentication (optional)
Launch Scan

Web Application Scan


1. Navigate to Web Applications > New Scan.
2. Title the Scan Web App Scan 1.
In order to run a Web Application Scan, you first need to create a Web Application Record.
3. Click on New next to Application.
4. For the name, type Web Application Record.
5. For the site, use https://demo6.sea.qualys.com. It is an application in the Qualys lab environment.
It is very important to enter this site information correctly. Please note within
this lab you only have permission to scan this particular site
(demo6.sea.qualys.com).
6. The port will be port 443 and we will use / as the starting URI. Press Save.
To perform an authenticated scan, you'll need to create an authentication record.
7. Click on the Edit icon to set up an Authentication Record. Then, click Add to set up the record.


Title: Auth Record
You will use Form Authentication.
User Name: admin
Password: abc123
8. Save the Authentication Record. Save the Web Application Record.
You have built an application within QualysGuard along with its authentication record, which will
allow the service to log in as an authenticated user.
9. Click Scan next to the application you just created.
10. Give the Scan a title.
11. Ensure your Application Record is selected as well as your Authentication Record. Select GET
&POST for form submission.
Use the rest of the default settings in your scan, and click OK to launch the scan. Some time will
need to pass before the scan finishes. When Qualys performs the crawl and vulnerability checks, it's
pulling down the whole FQDN and testing it.
12. Once the Scan completes, navigate to Web Applications > Scan Results. Download the report.
Did the scan find any SQL injection vulnerabilities? __________
What were their QIDs? _________
What is blind SQL injection? ___________
How might you resolve QID 150029? _________
If you want to edit this particular web application or its authentication record, you can do so by
navigating to Account > Web Applications.


Contacting Support
Overview
Try as we may, inevitably, you will need to contact support. In order for us to properly and efficiently
troubleshoot issues, we will need information from you.
There are 3 ways to contact support:
The QualysGuard PCI Interface
Email to support@qualys.com
For Critical issues call Support:
U.S. and Canada: +1.866.801.6161 24x7
Europe, the Middle East and Africa: +33.1.41.97.35.81 24x7
UK: +44 1753 872102 24x7

With the QualysGuard PCI interface, you will have all the necessary information at your fingertips.
From QualysGuard PCI on the left, click Contact Support.


Viewing Resources
Also, there is a user guide, PCI frequently asked questions, and PCI Council information. It's located right
under the Contact Support section.
