Gone: Performing monthly security scans via vendor security appliances and manually reviewing reports in their entirety for every host in the network.
Incoming: Daily security audits initiated from a Red Hat Enterprise Linux 5 VM running Nessus Professional, updated with the latest plugins, with each report automatically compared against the previous one for the same IP address. Differences are automatically prioritized, and our sysadmin staff are notified of any changes when they first log in for the day. The scan configuration is set up to be comprehensive but not destructive or dangerous. All PCI DSS requirements are also checked.
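The per-IP report comparison and prioritization described above, as an added illustration that is not part of this post or of Nessus itself: it parses two Nessus v2 (.nessus) XML reports, diffs findings host by host, and orders the changes so the morning notification leads with new high-severity items. The two sample reports, their hosts and plugin IDs are constructed placeholders.

```python
"""Diff two Nessus v2 (.nessus) reports host by host and rank the changes."""
import xml.etree.ElementTree as ET

SEVERITY_LABEL = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}


def load_findings(nessus_xml):
    """Return {host: {(pluginID, port, protocol): severity}} from a .nessus v2 document."""
    findings = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        items = findings.setdefault(host.get("name"), {})
        for item in host.iter("ReportItem"):
            key = (item.get("pluginID"), item.get("port"), item.get("protocol"))
            items[key] = int(item.get("severity", "0"))
    return findings


def diff_reports(previous_xml, current_xml):
    """List findings that appeared or disappeared per host since the previous scan."""
    prev, cur = load_findings(previous_xml), load_findings(current_xml)
    changes = []
    for host in sorted(set(prev) | set(cur)):  # a host missing on one side is all-new or all-gone
        before, after = prev.get(host, {}), cur.get(host, {})
        for key in after.keys() - before.keys():
            changes.append({"host": host, "change": "new", "severity": after[key], "plugin": key[0], "port": key[1]})
        for key in before.keys() - after.keys():
            changes.append({"host": host, "change": "resolved", "severity": before[key], "plugin": key[0], "port": key[1]})
    # Priority: new findings before resolved ones, highest severity first, then by host for a stable report.
    changes.sort(key=lambda c: (c["change"] != "new", -c["severity"], c["host"]))
    return changes


def notification_lines(changes):
    """One line per change, in priority order, for the sysadmin login message."""
    return ["%s: %s %s finding plugin %s on port %s" % (c["host"], c["change"], SEVERITY_LABEL[c["severity"]], c["plugin"], c["port"]) for c in changes]


# Constructed sample reports for two consecutive days; hosts and plugin IDs are placeholders.
PREVIOUS = """<NessusClientData_v2><Report name="day1"><ReportHost name="192.0.2.10">
<ReportItem pluginID="10107" port="80" protocol="tcp" severity="0" pluginName="HTTP Server Type"/>
<ReportItem pluginID="20007" port="443" protocol="tcp" severity="2" pluginName="SSLv2 Supported"/>
</ReportHost></Report></NessusClientData_v2>"""
CURRENT = """<NessusClientData_v2><Report name="day2"><ReportHost name="192.0.2.10">
<ReportItem pluginID="10107" port="80" protocol="tcp" severity="0" pluginName="HTTP Server Type"/>
<ReportItem pluginID="11111" port="3306" protocol="tcp" severity="3" pluginName="Database Reachable"/>
</ReportHost><ReportHost name="192.0.2.20">
<ReportItem pluginID="10267" port="22" protocol="tcp" severity="1" pluginName="SSH Banner"/>
</ReportHost></Report></NessusClientData_v2>"""
```

Running `notification_lines(diff_reports(PREVIOUS, CURRENT))` yields the newly reachable database port on 192.0.2.10 first, the new host's low finding second, and the resolved SSLv2 item last.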
Vulnerability scanning will now also include the scanning device logging into a restricted user account in each target VM and running OS-, application-, and database-level checks (not just checks visible from the network).
The scanner will also attempt to download the complete content of all target websites and run as many automated sanity checks on the applications as possible.
In summary, vulnerability scanning technology has advanced substantially and we're going to take as much advantage of it as possible -- with the caveat that, with vulnerability scanning, hardware and the network are usually not the limiting factor (the human time needed to review results is). Any checks that require intensive human review will still need to be performed monthly, but 99% of all checks should now be possible daily.
Note that vulnerability scanning is a free service we provide to all our hosting clients in our San Diego Datacenter. This service alone would normally run $25-$80/month from prominent security service providers, without being nearly as complete.
References:
http://www.nessus.org/nessus/
http://www.nessus.org/whitepapers/sec_test_sc3_nessus.pdf
http://www.nessus.org/news/#204
http://www.autonessus.com/home
http://cgi.tenablesecurity.com/demos/PCI_Audit/PCI_audit.htm
http://www.nessus.org/plugins/index.php?view=all
http://www.alertra.com/pricing.php
http://www.mcafeesecure.com/us/pci-intro.jsp
