PCI ASV scanning not a panacea

Oct 28, 2009

I have been going through drafts of the upcoming information security breaches report, and it reveals things that some will find unnerving and others unsurprising.

Here is a snippet:


100% of the organisations that had satisfied the requirements of PCI DSS Approved Scan Vendor (ASV) vulnerability scanning were not sufficiently protected to prevent being compromised by a combination of attacks that such scanning is purported to detect.  ASV scanning is an automated, computer-driven task that does not involve human interpretation of results.

An analogy may help to describe the shortfalls of automated vulnerability scanning.  Let us assume that a burglar builds a robot that identifies houses that are easy targets for the burglar to break into later.  The robot is programmed to go to the front door of each house, check whether the door is unlocked and, if it is locked, look under the door mat for a key.

The robot sets off around the neighbourhood and comes to the first house.  It tries to open the door, but it is locked.  It then follows its next instruction, which is to check under the door mat, but there is no key there.  The house is therefore marked as not vulnerable.  However, the key was actually sitting on top of the door mat – right in front of the robot – but because the robot was not programmed to deal with that case, it missed it.

In this analogy the robot is the vulnerability scanner: an automated program that provides some level of checking for vulnerabilities, but with shortfalls.  Anything it is not programmed to look for is reported as "not vulnerable", however obvious it would be to a person.  The criminal hackers who break into organisations are not robots and, like the burglar, would have noticed the key sitting on top of the door mat.  That is why penetration tests, technical security assessments carried out by humans, exist.
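The same failure mode in code, as an added illustration that is not part of the original post and not the behaviour of any particular ASV product: a toy "robot" that only tries a fixed list of default credentials, beside a second pass that reads the page it fetched and acts on what is actually there. The login page, the account store and the leaked credential are all constructed for the example; the web request is replaced by a local `login_ok` stand-in.

```python
"""
Added illustration (not code from the original post or any ASV product): a toy
'robot' scanner with a fixed checklist, beside a second pass that reads what is
actually on the page. Every target, page and credential below is constructed.
"""
import re

# Constructed sample: the login page as a scanner would fetch it. A developer
# left a working credential in an HTML comment (the key on top of the door mat).
SAMPLE_LOGIN_PAGE = """<html><head><title>Admin Console</title></head>
<body>
<!-- TODO remove before go-live: temp login ops / Summer2009! -->
<form method="post" action="/login">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>"""

# Constructed sample: the application's real account store (hypothetical).
ACCOUNTS = {"ops": "Summer2009!"}

# What the robot is programmed to try: a fixed list of default credentials.
DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"), ("root", "root")]


def login_ok(accounts, user, password):
    """Stand-in for a live login attempt against the target."""
    return accounts.get(user) == password


def robot_scan(accounts, creds=DEFAULT_CREDS):
    """Checklist-only scan: try each listed credential, report only on a hit.

    An empty result is what the scanner's report renders as 'not vulnerable'.
    """
    return [f"default credential accepted: {u}/{p}"
            for u, p in creds if login_ok(accounts, u, p)]


def human_review(page_html, accounts):
    """Second pass: read the page source and act on what is there, listed or not.

    Looks inside HTML comments for anything shaped like 'user / password' and
    tries it. This is the step a checklist scanner never takes.
    """
    findings = []
    for comment in re.findall(r"<!--(.*?)-->", page_html, re.S):
        m = re.search(r"\b(\w+)\s*/\s*(\S+)", comment)
        if not m:
            continue
        user, password = m.groups()
        if login_ok(accounts, user, password):
            findings.append(f"credential in page comment accepted: {user}/{password}")
        else:
            findings.append(f"credential-like text in page comment: {comment.strip()}")
    return findings


def verdict(findings):
    """Collapse a finding list into the one-word result a scan report shows."""
    return "vulnerable" if findings else "not vulnerable"


if __name__ == "__main__":
    robot = robot_scan(ACCOUNTS)
    human = human_review(SAMPLE_LOGIN_PAGE, ACCOUNTS)
    print("robot scan:   ", verdict(robot), robot)
    print("human review: ", verdict(human), human)
```

Run as-is, the robot's checklist finds nothing and the report reads "not vulnerable", while the second pass logs in with the credential that was in plain view in the page source. The point is not the particular check but that a scanner's "not vulnerable" only ever means "none of my listed checks fired".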