External Vulnerability Scanning FAQ: What is External Vulnerability Scanning?

What is External Vulnerability Scanning?

External vulnerability scanning is a security practice that involves scanning and assessing the external-facing network infrastructure, systems, and applications of an organization for potential vulnerabilities. It is a key requirement of the PCI DSS and an important aspect of overall network security.

Here's an overview of how external vulnerability scanning works:

  1. Purpose: The primary goal of external vulnerability scanning is to identify weaknesses, misconfigurations, or vulnerabilities in the external network perimeter that could potentially be exploited by attackers.
  2. Scope: The scanning process focuses on assessing the security posture of externally accessible systems, such as web servers, firewalls, routers, and any other devices or services that interact with the external network. It aims to identify vulnerabilities that could be leveraged by malicious individuals to gain unauthorized access or compromise the network.
  3. Process: External vulnerability scanning involves using specialized software tools or services to scan the external IP addresses or domain names associated with the organization's infrastructure. The scanning tools conduct automated scans to identify known vulnerabilities, open ports, and potential security weaknesses.
  4. Vulnerability Detection: The scanning tools compare the discovered vulnerabilities against a database of known vulnerabilities and common misconfigurations. They may also perform additional tests to assess the security of the identified systems and applications.
  5. Reporting: After the scanning process is complete, a detailed report is generated, providing information about the identified vulnerabilities, their severity, and recommended mitigation measures. The report helps organizations understand their security weaknesses and take appropriate actions to address them.
  6. Compliance: External vulnerability scanning is a requirement for compliance with various security standards, including PCI DSS. Organizations that handle payment card data must conduct regular scans by an Approved Scanning Vendor (ASV) to ensure compliance with PCI DSS requirements.
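The detection and reporting steps above, as an added example that is not code from this FAQ or from any scanning vendor: services found during discovery are matched against a version-based advisory list, findings are ranked by CVSS, and a verdict is produced. All host names, product names and advisory ids are constructed placeholders, and the 4.0 failing score is an assumption taken from the ASV program rules rather than from this page.

```python
# Added example (not code from the FAQ or a scanning vendor): the detection and
# reporting steps over constructed data; all names and ids are placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:          # one externally reachable service found by discovery
    host: str
    port: int
    product: str
    version: str

@dataclass(frozen=True)
class Advisory:         # one entry of a known-vulnerability database
    advisory_id: str    # placeholder id, not a real CVE
    product: str
    fixed_in: str       # first version that is no longer affected
    cvss: float
    remediation: str

def parse_version(v: str) -> tuple:
    """'2.4.49' -> (2, 4, 49); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def affected(svc: Service, adv: Advisory) -> bool:
    """Same product and a version below the fixed release."""
    return (svc.product == adv.product
            and parse_version(svc.version) < parse_version(adv.fixed_in))

def build_report(services, advisories, fail_threshold=4.0):
    """Findings sorted by CVSS plus a verdict; 4.0 is the assumed ASV failing score."""
    findings = [
        {"host": s.host, "port": s.port, "product": s.product, "version": s.version,
         "advisory": a.advisory_id, "cvss": a.cvss, "remediation": a.remediation}
        for s in services for a in advisories if affected(s, a)]
    findings.sort(key=lambda f: f["cvss"], reverse=True)
    return {"passed": all(f["cvss"] < fail_threshold for f in findings),
            "findings": findings}

# Constructed discovery output and advisory list (not real products or CVEs).
SERVICES = [
    Service("web.example.test", 443, "exampled", "2.4.49"),
    Service("web.example.test", 80, "exampled", "2.4.49"),
    Service("mail.example.test", 25, "examplemta", "5.1.0"),   # already patched
    Service("vpn.example.test", 1194, "examplevpn", "3.2.0"),
]
ADVISORIES = [
    Advisory("ADV-0001", "exampled", "2.4.51", 9.8, "Upgrade to 2.4.51 or later"),
    Advisory("ADV-0002", "examplemta", "5.0.0", 7.5, "Upgrade to 5.0.0 or later"),
    Advisory("ADV-0003", "examplevpn", "3.2.1", 3.7, "Upgrade to 3.2.1 or later"),
]
```

Calling `build_report(SERVICES, ADVISORIES)` yields three findings (two for the web host, one low-severity VPN finding) and a failing verdict, while the patched mail service produces none.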

By performing external vulnerability scanning, organizations can proactively identify and address security weaknesses in their external network perimeter, reducing the risk of unauthorized access and data breaches. It helps maintain a secure environment and demonstrates a commitment to protecting sensitive information.

What is the difference between internal and external vulnerability scanning?

The main difference between internal and external vulnerability scanning lies in the scope and focus of the scanning process. 

  • External vulnerability scanning focuses on assessing the security of an organization's external-facing network infrastructure, systems, and applications. It examines the systems accessible from the internet and assesses potential vulnerabilities that can be exploited by external attackers.
  • Internal vulnerability scanning is concerned with assessing the security of an organization's internal network infrastructure, systems, and applications. The main objective of internal scanning is to identify vulnerabilities that could be exploited by attackers who have already gained access to the internal network. 

Both internal and external vulnerability scanning play vital roles in maintaining a secure network environment. By conducting regular scans of both the internal and external infrastructure, organizations can identify and address vulnerabilities from multiple perspectives, enhancing their overall security posture.

What is an ASV Scan?

ASV stands for “Approved Scanning Vendor.” The Payment Card Industry Data Security Standard (PCI DSS) requirement 11.2.2 calls for regular vulnerability scanning from an ASV.

These are vendors whose scanning solutions have been tested and approved by the PCI SSC and added to its list of approved solutions that can be used to fulfill this PCI compliance requirement.

What does a vulnerability scan do?

An external vulnerability scan is performed from outside your network, against your network perimeter, to identify known exploitable weaknesses in the network.

When am I required to scan?

The PCI SSC requires a vulnerability scan to be performed at least every three months and after any significant network change (e.g., adding or removing a network device, updating segmentation rules).

What IP addresses or domains need to be scanned?

Any Internet-facing connection that processes, stores, or transmits cardholder data. This includes IP addresses that are used in the event of a failover or backup.

My vendor said my hardware was PCI compliant. Do I still need to validate compliance?

Yes, you will still need to validate compliance. There is more to PCI compliance than just the hardware you use. Using tested and secure hardware for processing, viewing, and storing credit card data is an important aspect of PCI compliance, but it is only one of several.

Credit card information is often compromised through the lack of secure connections and other misconfigured connections to that secure hardware. Scanning will help identify vulnerabilities to be fixed.
