Nessus can be used to help make statements about being compliant with
various requirements of the PCI specification beyond just prioritizing
vulnerabilities returned. This is a slightly different tangent from
demonstrating no vulnerabilities (sadly, security and compliance may not
always be the same exact thing).
A good portion of the PCI specification iinvolves self-reporting. For
example, requirement 1.1.5 of the PCI 1.0 spec calls for a documented list
of ports and services required for business. You can use nessus to verify
your statements.
Using the nmap poriton of nessus, you can easily run an assessment *daily*
and compare the results against your 1.1.5 documentation. If a port turns
up open that shouldn't be (based on your 1.1.5 doc) you have an exception.
Update your document or shutdown that port.
Because this audit is an audit that deals with compliance (which hopefully
equals secure business practices), nessus can be used to demonstrate your
network has been compliant (or non compliant) for any point in time in which
you've run nessus against your own stated documentation.
Everybody has vulnerabilities show up, but you can also run nessus to show
you patched the problem within 30 days. That demonstrates compliance and
implies a more secure status. The beauty of nessus here is you can do so
over and over in a non-manpower-intensive manner.
All of section 1 is a target-rich environment for nessus to make these types
of affirmations.
The hydra module can be used for some of section 2 as well.
Nessus can be used in conjunction with 6.1 and 6.2 -- to verify that timely
patching does occur.
Also, where configuration standards are called for nessus could be used to
confirm a system was brought online in accordance with that standard --
weak password checking, ports / services disabled, etc... Every time you
bring a system online, run a specific config of nessus against the device.
Save the results as an audit trail.
And then, next year (yes PCI isn't going away) you can pull out your big box
of print outs / email / electronic tracking tickets with report results
etc... and demonstrate that not only were you compliant 2 days before the
auditors showed up, you were compliant throughout the year.
Of course, this requires intelligent planning and usage. The devil is
really in the details. Nessus has to be placed in the "right spot" and
configured in a relevant way. If you're using the tool effectively, an
external audit should only confirm your findings from your ongoing
assessment & remediation cycle.
You can probably toss snort into the mix to monitor for things like
unencrypted credit card numbers in key network locations and so forth too.
P.S. at least one of the approved auditors on that PCI list is using a
modified version of Nessus.
Good luck,
Vic
Has anyone had any luck mapping nessus results to the Payment Card Industry
(PCI) Data Security standard?
