PCI DSS 4.0 – Those Vulnerability Scans Just Got A LOT Tougher
Posted by: Carla Brinker
Vulnerability scans are highly configurable, and their effectiveness depends on the settings chosen. For instance, a scan can be authenticated or unauthenticated (I'll cover these a bit later). Admins can also edit scan profiles to exclude particular checks so that a clean report is produced for the auditor (this is not recommended, for obvious reasons). The scan profile makes all the difference in which vulnerabilities are detected, and therefore in the level of security actually achieved on your network.
Authenticated or credentialed vulnerability scans use a valid set of user credentials (username and password, or an SSH key) to access the in-scope systems. This lets the tool log in and interact with each machine to identify vulnerabilities that are not visible when the machine is assessed only from the outside (not logged in). Authenticated scans are better at identifying configuration issues such as weak or default passwords, weak encryption settings, missing patches, and insecure local service and file-permission settings. They are also better at identifying privilege escalation issues and application-specific vulnerabilities (depending on the application). Typically, an authenticated scan produces fewer false positives because the tool can verify that a vulnerability exists by inspecting the installed package version or configuration directly rather than inferring it from a banner.
The authenticated scan should be configured with a user account that has admin-level (root or local administrator) privileges. If the account cannot actually access the in-scope machine, the scan will technically be authenticated but will not provide the same level of assessment as an account with full permissions, so does it really count as an authenticated scan at that point? Probably not. Check the scan results for each host to confirm that credentialed checks actually ran; a scan that silently falls back to remote checks looks authenticated in the scan settings but is not. The account should be dedicated to scanning only and have a very long password that is stored in a password vault. It would be pointless to set up an elevated account like this with a weak password, only to let the penetration tester (or an attacker, for that matter) compromise the network using the very account you set aside for vulnerability scanning. The account should not be able to log on interactively (at a keyboard or via RDP), access the VPN, check email, browse the Internet, etc. (the scanner vendor will provide specifics for its scanning account).
Authenticated scans have some disadvantages. They take longer to run and they are more resource-intensive than unauthenticated scans, as they require deeper access to the system being scanned. Plan accordingly.
Unauthenticated or uncredentialed vulnerability scans are conducted without valid user credentials and cannot log in to an in-scope system. This type of scan is faster and less resource-intensive than an authenticated scan, as it does not require deeper access to the system being scanned. Unauthenticated scans are often conducted from the outside (via the Internet), using publicly available information and tools such as port scanners, network mapping tools, and vulnerability scanners; this is also the perspective of the quarterly external scans performed by an Approved Scanning Vendor (ASV). It shows you how your devices look from the Internet, but it should not be the end of your scanning. You should also scan these externally-facing systems from the inside with an authenticated scan to ensure a more thorough assessment is performed.
Unauthenticated scans have some disadvantages, the largest being that they can provide a false sense of security. Unauthenticated scans cannot identify vulnerabilities that may be present but are not visible from the outside, such as misconfigurations, default passwords, and weak user permissions. Additionally, the severity of vulnerabilities identified in unauthenticated scans may not be accurate, as the scanner cannot verify the presence of the vulnerability or the impact it may have on the system or network.
A little real-world application: In working with two clients, one of which thought they had a very secure network and the other knew they had work to do, each client realized a 300% increase in the number of vulnerabilities that were identified when credentialed scans were used. This wasn’t the number of hosts that were affected; this was just the number of unique vulnerabilities found. That’s a huge amount of work to remediate. For instance, on a network of 10,000 hosts, I would not be surprised to see the number of newly discovered vulnerabilities in the thousands (obviously it’s impossible to predict, but based on past experience, it is thousands, not hundreds).
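As an added example (not code from this post or from GuidePoint), here is a Python script that answers the two questions a QSA will ask once credentialed scanning is required: did the "authenticated" scan actually authenticate on every host, and how many unique vulnerabilities did credentials add over the unauthenticated scan? The CSV column layout, the "Scan Information" finding name and its "Credentialed checks : yes/no" wording are constructed for this example; map them to your own scanner's export before using it.

```python
"""Compare an unauthenticated and an authenticated export of the same scan scope.

Added example. The CSV columns (Host, Plugin ID, Name, Risk, Plugin Output), the
"Scan Information" finding and its "Credentialed checks : yes/no" wording are
constructed for this script; adjust them to your scanner's actual export.
"""
import csv
import io
from collections import Counter

SCAN_INFO_NAME = "Scan Information"            # assumed name of the informational finding
CRED_OK_MARKER = "Credentialed checks : yes"   # assumed wording in its output

# Constructed sample exports for three hosts (not real scan data).
UNAUTH_CSV = """Host,Plugin ID,Name,Risk,Plugin Output
10.0.0.5,10001,SSH Server Detected,None,OpenSSH 8.2
10.0.0.5,10002,TLS 1.0 Enabled,Medium,TLSv1.0 accepted
10.0.0.6,10001,SSH Server Detected,None,OpenSSH 8.2
10.0.0.7,10003,SMB Signing Not Required,Medium,signing disabled
"""

AUTH_CSV = """Host,Plugin ID,Name,Risk,Plugin Output
10.0.0.5,19999,Scan Information,None,Credentialed checks : yes
10.0.0.5,10002,TLS 1.0 Enabled,Medium,TLSv1.0 accepted
10.0.0.5,20001,Kernel Missing Security Updates,High,missing kernel patches
10.0.0.5,20002,sudo Weak Configuration,High,NOPASSWD for ALL
10.0.0.6,19999,Scan Information,None,Credentialed checks : no
10.0.0.6,10001,SSH Server Detected,None,OpenSSH 8.2
10.0.0.7,19999,Scan Information,None,Credentialed checks : yes
10.0.0.7,10003,SMB Signing Not Required,Medium,signing disabled
10.0.0.7,20003,Built-in Administrator Password Never Expires,Medium,builtin admin
10.0.0.7,20004,Missing Windows Cumulative Update,Critical,update not installed
"""


def load_findings(csv_text):
    """Parse an export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def credential_status(auth_rows):
    """Map each host to True if credentialed checks ran, False otherwise.

    A host that never reports the Scan Information finding is treated as not
    authenticated: absence of evidence is not a credentialed scan.
    """
    status = {}
    for row in auth_rows:
        status.setdefault(row["Host"], False)
        if row["Name"] == SCAN_INFO_NAME and CRED_OK_MARKER in row["Plugin Output"]:
            status[row["Host"]] = True
    return status


def hosts_not_authenticated(auth_rows):
    """Hosts where the 'authenticated' scan silently fell back to remote checks.

    PCI DSS v4.0 requirement 11.3.1.2 expects systems that cannot accept
    credentials to be documented, so this list is either the exception
    register to maintain or the credential/firewall problem to fix.
    """
    return sorted(host for host, ok in credential_status(auth_rows).items() if not ok)


def unique_vulns(rows):
    """Set of (plugin id, name) with a real severity; informational rows are ignored."""
    return {(row["Plugin ID"], row["Name"]) for row in rows if row["Risk"] != "None"}


def compare(unauth_rows, auth_rows):
    """Unique vulnerabilities before/after credentials, and what the credentials added."""
    before = unique_vulns(unauth_rows)
    after = unique_vulns(auth_rows)
    new = after - before
    risk_of = {(row["Plugin ID"], row["Name"]): row["Risk"] for row in auth_rows}
    return {
        "before": len(before),
        "after": len(after),
        "new": len(new),
        # percentage growth in unique findings; None if the baseline found nothing
        "pct_increase": round(100.0 * len(new) / len(before), 1) if before else None,
        "new_by_risk": dict(Counter(risk_of[v] for v in new)),
    }


if __name__ == "__main__":
    unauth = load_findings(UNAUTH_CSV)
    auth = load_findings(AUTH_CSV)
    for host in hosts_not_authenticated(auth):
        print(f"WARNING: {host} was not actually scanned with credentials")
    print(compare(unauth, auth))
```

On the constructed data, 10.0.0.6 is flagged because the scanner reported that credentials did not work there, and the credentialed scan adds four unique findings to the two the unauthenticated scan saw (a 200% increase), most of them High or Critical, which is the kind of jump described above. The counting is per unique finding, not per host, matching how the figures in this post are stated.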
To secure your network, both authenticated and unauthenticated vulnerability scans have their purpose. Weigh the pros and cons of each to determine how to combine them in your environment. In general, authenticated scans are recommended for critical systems or environments that require a high level of security, while unauthenticated scans are suited to less critical systems or to a quick, external view of what an attacker can see. Authenticated scanning of internal systems becomes a requirement for PCI environments as of March 31, 2025 (PCI DSS v4.0 requirement 11.3.1.2, a best practice until that date); the quarterly external scans performed by an ASV remain unauthenticated. The requirement also expects sufficient privileges to be used on systems that accept credentials, systems that cannot accept credentials to be documented, and any scanning account that can log in interactively to be managed under Requirement 8.2.2. Best to start running authenticated scans now. If you're lucky, and your QSA has already expected you to run credentialed scans, this requirement will be easy for you to pass.
GuidePoint is providing PCI DSS 4.0 briefings right now for customers and groups. Contact your Account Executive to schedule a briefing today.
Carla Brinker
Principal Cybersecurity Consultant,
GuidePoint Security
Carla Brinker, Principal Cybersecurity Consultant at GuidePoint Security, began her career in the security industry in 2000. Her professional experience includes PCI assessments ranging from Fortune 25 companies to small companies, risk assessments, IT governance, oversight of new controls implementation, technical writing, and security education. She has both led and participated in assessments for industries such as banking, retail, ecommerce, and hospitality and has managed teams of consultants delivering information security services. Carla holds several industry certifications, including Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and PCI Qualified Security Assessor (PCI QSA).