PCI Slides Merged
Agenda
• PCI Compliance Overview and Setup (LAB 1)
• PCI Compliance Scanning (LAB 2)
• PCI Compliance Reporting (LAB 3)
• Web Application Scanning for PCI
• Self Assessment Questionnaire (LAB 4)
• Qualys Policy Compliance (PC) (LAB 5)
PCI DSS BASICS
The compliance cycle: 1. Assess, 2. Repair, 3. Report.
1 https://www.pcisecuritystandards.org/
PCI Stakeholders
Payment Brands – Define compliance standards
Acquirer – Bank that verifies compliance
Approved Scanning Vendor – Required by PCI DSS for performing PCI compliance scans
Scan Customer or Merchant – Responsible for defining PCI scope and maintaining compliance with the PCI DSS.
PCI Security Standards Council
“The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.”1
1 https://www.pcisecuritystandards.org/
Role of the PCI SSC
Diagram: the PCI SSC maintains the PCI DSS, covering validated requirements, requirements, and recommendations.
http://www.pcisecuritystandards.org
PCI DSS1
1. Install and maintain a secure firewall configuration to protect cardholder data.
2. Do not use vendor supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
Approved Scanning Vendor
Source: https://www.pcisecuritystandards.org/documents/asv_program_guide_v2.0.pdf
PCI SCOPE
Source: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
Network Segmentation
Source: https://www.pcisecuritystandards.org/documents/pci_dss_v3.pdf
QUALYS COVERAGE OF PCI DSS
• Current Vulnerabilities
• Compliance Reports
• Request Review / Approval
• Counter-signed Attestation
Navigation
Quick Answers and Help; SAQ
Getting started - IP Wizard
• View existing IP addresses and Domains.
• Add/Remove IPs.
• View Out of Scope IPs.
• Launch Discovery Scan.
PCI COMPLIANCE SCANNING
QUALYS PLATFORM
• Strong Data Encryption
• Firewalls
• IDS
• TLS communications
Diagram components: Qualys User; External Scanner Pool scanning External Assets and Cloud Assets; Internal Scanner in the Corporate Environment scanning Internal Assets.
Appliances support Vulnerability Management, Policy Compliance, and Web Application Scanning.
PCI DSS Requirement 11.2
Workflow: Log in → Scan → Open compliance status page → Submit attestation → Counter-signed approval → Submit certified report to acquiring bank (connect and share).
PCI Network Scanning
• Search for IP
• Filtering mechanisms
• Vulnerabilities: Severity Level
• Vulnerability Details
Compliance Scanning Objective
PCI COMPLIANCE WITH VULNERABILITY MANAGEMENT (Lab 2)
1. View Vulnerabilities
2. Remediate the “High” vulnerabilities
3. Scan again to verify those vulnerabilities are fixed; submit False Positives
4. Generate Report
5. Submit Report for Attestation Process
Overall: reports must be submitted to your acquiring bank on a quarterly basis.
Reports – Reporting Wizard
• Merchant/Service Provider will submit report to ASV.
• Report statuses: Generated, Pending Review, Attested, Submitted.
Submit to Bank
• Validates Merchant compliance.
• Report to Credit Card companies.
DSS – Open Services (Section 1.1.6)
Compliance Report
1 https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
Qualys WAS
Overview
WASC (www.webappsec.org) divides Web vulnerabilities into six categories:
• Authentication
• Authorization
• Client-side Attacks
• Command Execution
• Information Disclosure
• Logical Attacks
Web Application Scanning
Introduction of Web Application Security
Testing a Web App for Vulnerabilities
Web Application Architecture
Diagram: Client Browser (IE, FF, Safari, iCab, etc.) ⇄ HTTP/HTML ⇄ Web Server ⇄ Application Service ⇄ Application Database; internal back ends: Legacy Application, Merchant Services, etc.
Qualys WAS Lifecycle
1. Define the Application
2. Discovery Scan
3. Vulnerability Scan
4. Report
Qualys PCI: Web Application Setup
New Web applications are created in the ACCOUNT section of the navigation pane.
Qualys PCI: Web Application Auth Record
Crawl via an authenticated or non-authenticated user.
Best Practice: Test Web applications from the perspective of multiple user levels.
Qualys PCI: Web Application Scan
Qualys PCI: Web App Scan Results
View scan results and report.
SELF-ASSESSMENT QUESTIONNAIRE
Merchant Levels 2, 3, and 4 are eligible for the Security Assessment Questionnaire.
SAQ - A
training@qualys.com
Please be advised that all labs and tests are to be conducted within the parameters outlined within the text. The use of other domains or IP addresses is prohibited.
Contents
PCI Compliance .......... 1
  Training Labs .......... 1
Introduction .......... 3
  Qualys and Internal Scanning .......... 3
  Qualys and External Scanning .......... 4
  Geographical Considerations .......... 4
  Architectural and Network Considerations .......... 4
  Process Considerations .......... 5
LAB 1: Account Activation and Setup .......... 6
  Prerequisites/System Requirements .......... 6
  Login to Qualys .......... 7
  Update User Profile .......... 10
    General Information .......... 11
    User Role .......... 11
    Notification Options .......... 12
    Security .......... 13
  Account Settings .......... 14
  Activate PCI Compliance Application .......... 15
LAB 2: PCI Scanning .......... 18
  External Scan using Vulnerability Management (VM) .......... 18
    Share with PCI .......... 20
  External Scan using PCI Compliance .......... 22
    Scan Results and Vulnerabilities .......... 23
  Submit False Positive .......... 26
LAB 3: PCI Compliance Reports .......... 28
  Individual Host Vulnerability Report .......... 28
  Generate Compliance Reports .......... 29
  Open Services Report .......... 31
LAB 4: Security Assessment Questionnaire .......... 32
  SAQ User Roles and Participants .......... 32
    Create Recipient .......... 32
    Create Reviewer .......... 33
    Create Approver .......... 34
  Create a Campaign .......... 35
  Answer Questions .......... 39
    Monitor Campaign Progress .......... 40
LAB 5: Policy Compliance PCI-DSS Policy .......... 43
  Policy Scope and Asset Groups .......... 43
    Create Windows Compliance Asset Group .......... 43
    Create Unix Compliance Asset Group .......... 44
  Compliance Scanning .......... 46
  Authentication Records .......... 46
    Create Unix Authentication Record .......... 46
    Create Windows Authentication Record .......... 48
  Create Custom Compliance Profile .......... 50
  Launch Compliance Scans .......... 52
    Unix Compliance Scan .......... 52
    Windows Compliance Scan .......... 53
LAB 6: PCI mandate Report (30 min.) .......... 55
    Add Technologies to Policy .......... 55
    Define Policy Scope .......... 56
    Add PCI controls to Policy .......... 57
  Mandate Report Template .......... 59
  Create Mandate Report .......... 60
Viewing PCI Compliance Resources .......... 61
Contacting Support .......... 61
Introduction
The purpose of this class is to familiarize you with the functionality of the Qualys PCI Compliance
application. The primary focus will be on the 11.2.2 requirement of the PCI Data Security Standard
(DSS).
PCI Compliance is an operational task. In order to properly manage this task, the following steps have
been outlined as best practices for use with Qualys PCI.
Here is an outline of tasks you will perform in this lab:
I. Obtain a Trial account – You will create your own trial account in this lab. You will use this
account to walk through the process for the 11.2.2 requirement.
II. Set up IP assets - Configure your IP addresses within the user interface, so they can be scanned
for PCI compliance.
III. Map (Discover) the network – Discover devices within the environment and verify the Qualys
scanners can reach the public, external IP addresses you’ll be scanning for compliance.
IV. Scan the network – Scan your network for vulnerabilities and review which ones you will need
to fix to be compliant.
V. Remediate any necessary risks – Patch/resolve the failing vulnerabilities for the IP addresses
which are part of your Cardholder Data Environment (CDE).
VI. Submit False Positives
VII. Report on scans – Build your reports, which will include an Executive and Technical Report.
VIII. Submit Attestation to ASV
IX. Submit Report to Acquiring Bank
Maintaining the ongoing progress of PCI Compliance is necessary for business and security purposes. In
order to process credit cards, you must be PCI Compliant. The process repeats itself every 90 days. The
Qualys PCI Compliance application will require a scan within 30 days of the report submission.
The labs within this workbook are based on the best practices outlined above, and each lab builds on the
last.
Qualys and Internal Scanning
The 6.1 requirement of the DSS now requires you to resolve all internal vulnerabilities classified as
“High”. Combined with the 11.2.1 requirement, it specifies that the Scan Customer must rescan internally
until all vulnerabilities labeled as “High” are resolved.
This process differs, however, from the 11.2.2 requirement because there is no attestation process
needed.
You can use the Qualys Vulnerability Management application and a Qualys Scanner Appliance you’ve
installed in your environment to help you meet the 11.2.1 requirement of the DSS.
Geographical Considerations
With most enterprises existing in multiple locations, geographic considerations need to be included in
the deployment design. Time zone challenges, manned and unmanned facilities do play a role in the
deployment.
The 11.2.2 requirement of the PCI DSS requires those publicly accessible IP addresses of your
Cardholder Data Environment (CDE) to be scanned for vulnerabilities. The Qualys Cloud Platform allows
you to scan those IP addresses (wherever they are in the world) with no additional software or
equipment to maintain.
2. Are there internal and external segments that need to be scanned? For PCI
compliance (DSS 11.2.2), the bank requires a report on all externally facing devices.
For PCI compliance (DSS 11.2.1), merchants are required to scan internally, but no
report submission is typically required for internal devices.
3. Are VLANs being used?
Understanding the architectural foundation of the network is paramount to understanding the needs of
your enterprise.
Process Considerations
Your processes must also be considered. These are the Qualys PCI processes you will
refine over time, but to start, there needs to be a general understanding of the need.
1. What are the sizes of the proposed scanning windows? Depending on the policies
within your enterprise, there may be a specific amount of time during which devices can
be scanned.
2. How often will you need to scan your externally facing devices? Every 90 days or every
quarter you are required to send a passing report to your bank. As a best practice,
Qualys recommends you scan at least every 30 days to ensure remediation of any found
vulnerabilities. You will also want to allow time for the submission of false positive requests.
3. What are the remediation windows for the hosts? Another process to take into
consideration is the remediation time frames an enterprise may have. Those
vulnerabilities which impact private data may have to be remediated in a very small
time frame.
LAB 1: Account Activation and Setup
This lab will address the steps needed to activate your Qualys student account, followed by steps to
enable the Qualys PCI Compliance application. Please complete all the Lab 1 exercise steps, before
advancing to subsequent labs.
Prerequisites/System Requirements
To perform the exercises in this lab, you will need:
1. Qualys Account (Qualys student accounts are active for 14 days)
2. Web Browser
– Internet Explorer 9, 10, 11, or greater
– Mozilla Firefox (latest version from stable release channel)
– Google Chrome (latest version from stable release channel)
– Safari (latest version)
3. Java Browser Plug-in
4. PDF file reader
Tip: Your browser’s Pop-up Blocking configuration can interfere with the proper functioning of the
Qualys User Interface. Please modify the settings of your Web browser to allow pop-ups from the
qualys.com domain.
Login to Qualys
Student account credentials for Self-Paced training classes are automatically generated and sent to your
email inbox, within 2 business days (please enroll with your business or company email address…public
email accounts are not supported).
Student account credentials for Instructor-Led training classes are provided by the Qualys class
instructor.
Your student account is active for 14 days (from the date it was created). Please contact
training@qualys.com with account credential issues or questions.
For security, the Login username on this page appears partially obfuscated with ******.
4. On the activation page, enter the OTP code found in the registration document and click
Submit. (If it’s been over 30 minutes since you received the registration document, the OTP
code will not work; use the Resend button to generate a new OTP code.)
5. Record the PASSWORD from this document and save it in a secure place.
6. Use the link provided to log in and activate your Qualys student trial account.
NOTE: All the student accounts are located on the following Qualys Cloud Platform. It
is recommended to bookmark the following URL in your web browser for the ease of
access.
USPOD 3 - https://qualysguard.qg3.apps.qualys.com/
7. Select the check box to accept the “Service User Agreement” and click the “I Agree” button.
8. Enter your current password, and then choose a new password.
Record this new password; you will need it to activate the PCI Compliance application.
10. Log back in to your student account using your new credentials.
Update User Profile
1. Click on your User ID (located between “Help” and “Logout”) and select the “User Profile”
option.
General Information
Make any necessary adjustments to the “General Information” section of your user profile.
2. Update the “E-mail Address” field with your current e-mail address (notifications and
password reset information will be sent to the address you provide).
User Role
Different Qualys user accounts take on different user roles.
3. Click “User Role” in the navigation pane (left), and make note that your student account “User
Role” is: Manager, and you can access your account using the Graphical User Interface (GUI) or
the Application Program Interface (API).
Notification Options
All notifications will be sent to the e-mail address specified in the “General Information” section.
4. Click “Options” in the navigation pane (left), and make the appropriate selections for the type of
notifications you would like to receive.
Security
Individual security settings can be configured for two-factor authentication, and Security Questions are
provided to facilitate any attempt to reset a user password.
5. Click “Security” in the navigation pane (left), and take a moment to complete the Security
Questions.
6. Click the “Save” button.
Completing these Security Questions is a requirement for using the “Forgot Password” link found on
the Qualys Login page.
Account Settings
Changes made to account settings will affect all user accounts in your Qualys subscription.
1. Click on your User ID (located between “Help” and “Logout”) and select the “Account
Settings” option.
Activate PCI Compliance Application
Once you have activated your Qualys student account, you’ll need to enable the PCI Compliance
application.
1. Click the application drop-down menu, and select the “PCI Compliance” application.
3. To make your company name unique, simply append your email address to the existing
company name (e.g., Qualys Training_me@mail.com).
4. Enter the password you selected for your Qualys student account, and click the “Save” button.
Once an “account link” of this type has been created, it can be viewed, modified, or deleted using
the “PCI Account Links” setup option.
All PCI Account Links will initially appear with a FAIL status. This however will change, as new or
additional scan results are collected. Each unique link is identified by its merchant name and
merchant user account. You can create additional links from this window and/or delete existing
links.
7. Click the “Cancel” button and return to the Scans Setup options.
LAB 2: PCI Scanning
This lab will have you perform two external PCI scans, using two separate Qualys applications, to
demonstrate your options when meeting this PCI DSS requirement.
The first scan will be performed using Qualys Vulnerability Management (VM), where you will learn how
to share the VM scan results with PCI.
The second scan will be performed using Qualys PCI Compliance (PCI).
4. In the “IPs” field, type the IP address range for the target host assets (64.41.200.243-
64.41.200.250).
5. Select the “Add to Policy Compliance Module” check box.
6. Click the “Add” button, followed by the “Apply” button.
7. Use the “Quick Actions” menu to launch a scan against these host assets.
8. Enter “External PCI Scan using VM” in the “Title” field.
9. Select “Payment Card Industry (PCI) Options” in the “Option Profile” field.
This Option Profile is required for external PCI scans.
10. Set the target IP address range to “64.41.200.245-64.41.200.247” and click the “Launch”
button.
11. When the “Scan Status” window is displayed, click the “Close” button.
12. Navigate to A) the “Scans” section and B) the “Scans” tab, to monitor your scan.
Share with PCI
When your external PCI scan has reached the “Finished” status, you can share its results and findings
with the PCI Compliance application.
4. From the “Share PCI Scan” window, select the radio button for your “PCI Merchant” account,
and click the “Share” button.
6. Scroll down and accept the Service User Agreement, and click the “I Agree” button.
7. Click “Network” in the navigation pane (left) and click the “Scan Results” option.
You can now work with and process the shared results using many of the PCI Compliance tools
and features that will be demonstrated in the labs that follow.
External Scan using PCI Compliance
The same network scan performed in the previous exercise will now be performed using Qualys PCI
Compliance. Both types of scan results (created with VM or PCI) will benefit from the “Advanced
Workflow” features found in the PCI Compliance application.
1. Click “Network” in the navigation pane (left) and select the “New Scan” option.
PCI compliance scans do not provide many scanning options, because the PCI Security Standards
Council dictates the scanning requirements to all Approved Scanning Vendors.
5. After successfully launching your PCI Compliance Scan, click the “Go to Scan Results” option.
Icons:
• Cancel a running scan.
• View a scan.
• Obtain information about the scan, such as what IPs were scanned, the date of the scan, and bandwidth.
You can also cancel running scans from here. From the Scan Results, you can take actions on any scan.
1. When your scan is “Finished” click to download your results into PDF file format.
The Qualys PCI application identifies host vulnerabilities, and whether or not each vulnerability results in
a compliant or non-compliant host status (based on requirements defined in the PCI DSS).
In most cases, if a vulnerability has a severity level of HIGH or MEDIUM, it causes a PCI “Fail” status.
There are some exceptions, where a LOW severity vulnerability (i.e., below a score of 4.0) could also
cause a “Fail” status. The Qualys PCI Compliance application removes the guesswork for you, by
marking vulnerabilities that cause a “Fail” status, with an easy-to-see label.
1. Expand the “Network” menu in the navigation pane, and select the “Vulnerabilities” option.
Click A) the “Search for IP Address” field to search for vulnerabilities by host IP address. Click any
check box under B) “Potential Severity Level” to filter “Potential” vulnerabilities. Click any check
box under C) “Confirmed Severity Level” to filter “Confirmed” vulnerabilities. Other filtering
options include “False Positive” status and “PCI Fail Vulnerabilities.”
Submit False Positive
You can request a review of any suspected “false positive” vulnerability detection. If the request you
submit is approved, it will NOT cause a PCI fail for 90 days. All false positives must be resubmitted every
quarter as per the PCI Data Security Standard. If the false positive is rejected, you must resolve the
vulnerability and confirm the fix worked with another scan.
Once the false positive is approved, it will also be removed from the most recent Scan Results Report.
The vulnerability for the host will also be removed from the vulnerability list for the appropriate host.
The False Positive process should begin after you’ve remediated all that you can remediate.
It’s important to do your due diligence when you are submitting a false positive. When Qualys
(the ASV) receives the false positive, it will review whether it’s valid.
4. Enter the following text: “Student Test Submission – Please auto reject.”
5. Click the “Submit False Positive Request” button.
Obviously, this is where you would normally put a reason to indicate the vulnerability is in fact a
false positive.
6. Click the link (upper left).
7. Navigate to Network > False Positive History. Here you will see whether your False Positive
was requested, approved, rejected, or expired.
If you click on the information button, you can see all the information pertaining to a false
positive, and track where it is in the submission process. Listed below are the possible statuses
for a false positive.
LAB 3: PCI Compliance Reports
Individual Host Vulnerability Report
You can create an individual Vulnerability Report for any “scanned” host. The report can be sent to your
Operations team or those people responsible for remediation.
1. Expand the “Compliance” menu in the navigation pane, and select the “Compliance Status”
option.
2. Select the checkbox next to any “non-compliant” host IP, and then click the “Download Report”
button.
The downloaded report identifies current vulnerabilities. It will indicate a “fail” or a “pass” next to
each vulnerability to help you identify the vulnerabilities that must be fixed for PCI Compliance.
You can use the search tool within your browser or document reader to find a specific QID number.
Generate Compliance Reports
After you pull the report to see the vulnerabilities, you need to remediate all the issues in your
environment that have a “fail” indicator next to them. After the vulnerabilities are all resolved, and the false
positives are approved, you can submit the passing report for attestation and then to the bank.
1. Navigate to Compliance > Compliance Status.
3. Click “Next,” and then click “Enter a single comment for all issues.”
4. For the question, “Is the software securely implemented?” You can click “No.” Enter your
comment, and click “Next”.
5. Click “Next.” Then enter your name and your title.
Remember, you will need to agree that the scope of your scan is your responsibility, not that of the
ASV. You must also take into account that the report you are submitting does not represent your
overall compliance status.
6. Enter your submission title (for instance, “Q1 – PCI report”) and click “Generate Report”.
Here, you will see the status of your report. You have not yet submitted your report for Attestation.
You can view the Executive Report and the Technical Report. You can also submit the report to your
bank, which is the final step in the PCI Compliance process.
9. Click on the Executive and Technical Reports icons, to view their contents.
Both of these reports get submitted to Qualys (ASV) when you click “Request Review.” The
technical report can help with identifying vulnerabilities and assist with remediation if necessary. All
vulnerabilities marked with a “FAIL” will need to be resolved for PCI Compliance.
10. Make note of the “Status” and “Next Action” columns in your report.
The following table provides “Status” and “Next Action” descriptions:
For this lab, you will NOT submit the Attestation; the “Request Review” link is normally used for this
purpose. An “Attested” report received from Qualys, could then be submitted to your acquiring
bank.
Open Services Report
The open services report meets requirement 1.1.6 of the PCI DSS. It allows you to view the open ports
and active services found on each device, and classify them as authorized or unauthorized. This report
will reflect the services, ports and protocols detected in your most recent scan.
1. Click “Network” in the navigation pane and select the “Open Services Report” option.
Here you will see all of your open services per host, and you can download a report in PDF or CSV
format for your devices.
2. Click the check box next to any service running on any host.
4. Add the following comments: “This service is an approved service for this device”.
Services should be marked in accordance with your organization’s security policies and system
hardening standards.
6. Click on any item in the “Classification” column to change an existing classification, or click any
item in the “Comments” column to view or add comments.
The service will record your comments along with the date the comments were updated.
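The review described in this section, classifying each open service against the organization's hardening standard and recording a dated comment, can also be done offline against a scan export. The following script is an added example written for this workbook and is not Qualys code; the `SCAN_RESULTS` records and the `BASELINE` allowlist are constructed sample data standing in for a real scan result and a real hardening standard.

```python
"""Open-services review against a hardening baseline.

Added example, not Qualys code. The Open Services Report lists each host's
open ports/services and lets you mark them authorized or unauthorized with a
dated comment; this script performs that review offline. SCAN_RESULTS and
BASELINE are constructed sample data (RFC 5737 test addresses).
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class OpenService:
    host: str
    port: int
    protocol: str
    service: str
    classification: str = "unclassified"
    comment: str = ""
    updated: Optional[date] = None  # date the comment was last updated


# Constructed sample scan output for two externally facing CDE hosts.
SCAN_RESULTS: List[OpenService] = [
    OpenService("192.0.2.10", 443, "tcp", "https"),
    OpenService("192.0.2.10", 22, "tcp", "ssh"),
    OpenService("192.0.2.10", 23, "tcp", "telnet"),
    OpenService("192.0.2.11", 443, "tcp", "https"),
    OpenService("192.0.2.11", 3389, "tcp", "rdp"),
]

# Constructed baseline: the (port, protocol) pairs each host may expose
# according to the hardening standard. Anything not listed is unauthorized.
BASELINE: Dict[str, Set[Tuple[int, str]]] = {
    "192.0.2.10": {(443, "tcp"), (22, "tcp")},
    "192.0.2.11": {(443, "tcp")},
}

APPROVED_COMMENT = "This service is an approved service for this device"
UNAPPROVED_COMMENT = "Not in the hardening baseline; justify or disable"


def classify(results: List[OpenService],
             baseline: Dict[str, Set[Tuple[int, str]]],
             today: Optional[date] = None) -> List[OpenService]:
    """Set classification, comment and update date on every record in place.

    A host missing from the baseline gets an empty allowlist, so all of its
    services come out unauthorized: an unknown host is a finding, not a pass.
    """
    today = today or date.today()
    for svc in results:
        allowed = baseline.get(svc.host, set())
        if (svc.port, svc.protocol) in allowed:
            svc.classification = "authorized"
            svc.comment = APPROVED_COMMENT
        else:
            svc.classification = "unauthorized"
            svc.comment = UNAPPROVED_COMMENT
        svc.updated = today
    return results


def unauthorized(results: List[OpenService]) -> List[Tuple[str, int, str, str]]:
    """Services that need remediation or a documented exception."""
    return [(s.host, s.port, s.protocol, s.service)
            for s in results if s.classification == "unauthorized"]


def summary(results: List[OpenService]) -> Dict[str, int]:
    """Count of services per classification."""
    counts: Dict[str, int] = {}
    for s in results:
        counts[s.classification] = counts.get(s.classification, 0) + 1
    return counts


def to_csv(results: List[OpenService]) -> str:
    """Render the reviewed list as CSV, one row per host/port, with the comment date."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["host", "port", "protocol", "service",
                     "classification", "comment", "updated"])
    for s in results:
        writer.writerow([s.host, s.port, s.protocol, s.service, s.classification,
                         s.comment, s.updated.isoformat() if s.updated else ""])
    return buf.getvalue()


if __name__ == "__main__":
    classify(SCAN_RESULTS, BASELINE)
    print(to_csv(SCAN_RESULTS))
    print("unauthorized:", unauthorized(SCAN_RESULTS))
```

With the constructed data, telnet on 192.0.2.10 and RDP on 192.0.2.11 come out unauthorized, which is the same outcome a reviewer would reach in the report: both are absent from the host's allowlist, so they must either be closed or justified in the comment before the next quarterly submission.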
LAB 4: Security Assessment Questionnaire
Through automated campaigns and data collection, Qualys Security Assessment Questionnaire expands
the scope of compliance data to include administrative and procedural controls.
Here are just a few examples of the things you can accomplish with Qualys SAQ:
• Third-Party Risk Assessment – Identify and assess the compliance of your vendor, partner,
supplier and other third-party relationships.
• Internal Audit Management – Expand the scope of your compliance visibility by querying and
evaluating internal infrastructure and IT processes.
• Security Training and Awareness – Evaluate employee and contractor comprehension of
security policies, procedures, and training curricula - before and after security training sessions.
• End-to-End Security Compliance – Accelerate and extend security compliance by combining
technical controls assessment (Qualys Policy Compliance) with procedural controls assessment
(Qualys Security Assessment Questionnaire).
Create Recipient
A “Recipient” will receive an invitation to join a “Campaign” you have created and is
responsible for answering the Questionnaire's questions.
Use a valid email address, one you can access from your present location.
3. Click the “Add User” button.
Create Reviewer
A “Reviewer” is responsible for reviewing the responses submitted by any given recipient.
Create Approver
An “Approver” is ultimately responsible for approving responses submitted by any given
recipient.
Create a Campaign
A “Campaign” contains one Questionnaire and identifies all campaign participants.
6. Select “PCI” in the left navigation pane.
7. Select Payment Card Industry (PCI) Data Security Standard – Self-Assessment Questionnaire
(SAQ) A and Attestation of Compliance.
8. Click the “Add” button and then click “Next”.
9. Use the “Workflow” drop-down menu to select the “Full (4-Stage Workflow)” option.
10. Use the “Reviewer” drop-down menu to select the SAQ Reviewer user.
11. Use the “Approver” drop-down menu to select the SAQ Approver user.
12. Click the “Next” button.
13. Click the “Take me to Recipients list” button.
14. Place a check to the left of the SAQ Recipient user and click the “Add” button.
15. Click on the “Next” button twice and click “Create & Launch”.
16. Click the “Send” button to email the invitation to the SAQ Recipient user.
Answer Questions
1. Using the email account/address specified when creating the “Recipient” user, open the
email invitation and click the “Start Questionnaire” button.
3. Click the “Quick Actions” menu, and select the “View Questions” option.
4. Fill in the input fields for A) Company Name, B) Contact Name, and C) Contact Title.
5. Click the “Save & Exit” button.
3. From the SAQ “Dashboard”, click the “PCI Compliance Campaign” link to view the campaign
details.
You can monitor the progress of each campaign, and review question responses.
7. Click the “Download” button and select “Portable Document Format (PDF)” and click .
8. When your report reaches the “Complete” status, double-click to download and view.
LAB 5: Policy Compliance PCI-DSS Policy
The Policy Compliance application can be used to assess host compliance with various regulations,
frameworks, and security policies.
In this lab exercise, you’ll launch a compliance scan to collect data points from the host assets you
target. This scan will check whether the scan target is configured according to the technical
requirements of the “PCI-DSS” Policy.
1. Navigate to A) the “Assets” section, and click B) the “Asset Groups” tab.
2. Click the “New” button and select C) the “Asset Group…” option.
3. Give your Asset Group the title, “Windows Compliance AG”.
4. Click “IPs” in the navigation pane and then click the “Select IPs/Ranges” link.
3. Click “IPs” in the navigation pane.
4. Click the “Select IPs/Ranges” link.
The “Asset Groups” tab now contains two Asset Groups that will be used later to define the SCOPE of
your policies.
Compliance Scanning
A compliance scan collects data points (defined in the Qualys Control Library) from the host
assets you target.
While some policies can be created in the absence of compliance scan data, the availability of
compliance scan data will help you test and evaluate controls as you add them to a policy.
Before you launch your first compliance scan, you will need to create authentication records
for the Windows and Unix hosts, and build a Compliance Profile with your custom scanning
preferences.
Authentication Records
Authentication is a requirement of the Policy Compliance application. Authentication is
available for multiple OS platforms, services, and software applications. The lab exercise steps
that follow will create two authentication records: one for Unix and one for Windows.
4. Click “Login Credentials” in the navigation pane, and enter the following credentials:
User Name: qscanner
Password: abc1234!
5. Click “Root Delegation” in the navigation pane and click the “Add Root Delegation” button on
the right. Select “Sudo” from the dropdown menu for “Root Delegation”.
Enter password: abc1234!
6. Click the “Save” button.
The ‘qscanner’ account has been configured for root delegation via Sudo.
Please use a text editor to review and clean your input, if using Copy & Paste.
9. Click the “Create” button.
Create Windows Authentication Record
4. Click “Login Credentials” in the navigation pane, and ensure the “Domain” radio button is
selected (under Windows Authentication).
5. Select “Active Directory” using the “Domain Type” drop-down menu.
6. Type “trn.qualys.com” (omit quotes) in the “Domain name” field.
7. Type the following Username and Password (case sensitive):
User Name: qscanner
Password: abc1234!
8. Click “Save”.
NOTE: Qualys Scanner Appliances use an Active Directory API call that retrieves the IP
addresses for all domain members. Therefore, IP address information is NOT required, when
creating an Active Directory Authentication Record.
Create Custom Compliance Profile
A Compliance Profile contains your scanning options and is a required component of every
compliance scan. Create a custom Compliance Profile that contains all the required options
for your compliance scans.
1. Navigate to A) the “Scans” section, and select B) the “Option Profiles” tab.
2. Click the “New” button and select C) the “Compliance Profile” option.
3. Name the profile “Custom Compliance Profile”.
4. Click “Scan” in the navigation pane (left) and select the “Auto Update expected value” check
box, under the Integrity Monitoring section.
5. Select (check) both Control Types: “File Integrity Monitoring” and “WMI Query Checks.”
These special control types work together with user defined controls (UDCs) you create for File
Integrity Monitoring and WMI Query Checks.
• File Integrity Monitoring – Enable to collect the hash values needed to perform file
integrity checks on both Unix and Windows systems.
• WMI Query Checks – Enable to perform WMI queries that collect the kind of data that
cannot be acquired from Active Directory or the Windows Registry.
6. Click the “Dissolvable Agent” link to activate the Dissolvable Agent for your subscription.
7. When prompted, click the “Accept” button, followed by the “Close” button.
8. Once the Dissolvable Agent has been accepted, select all of the “Dissolvable Agent” check
boxes.
Only a Manager can activate the Dissolvable Agent, allowing users to leverage its functionality:
• Password Auditing – Perform password auditing tests to identify user accounts with: empty
passwords (CID 3893), passwords equal to the user name (CID 3894), or passwords found in
your own custom password dictionary (CID 3895).
• Windows Share Enumeration – Find Windows shares that are readable by everyone and report
the number of files for each share on each host (Control ID 4528) and whether the files are
writable. This is good for identifying groups of files that may need tighter access control.
• Windows Directory Search – Select this option to include one or more Windows Directory
Search UDCs in the scan that search for files/directories using many criteria such as file name,
user accounts, and specific user access permissions.
At scan time, the Dissolvable Agent is installed on Windows devices to collect data, and once the
scan is complete it removes itself completely from target systems.
9. Save your Option Profile.
Your “Custom Compliance Profile” will now become the default profile for your compliance
scans, giving you all the functionality needed for the exercises in this lab.
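The three Password Auditing checks listed above (empty password, password equal to the user name, password found in a custom dictionary) can only be performed against stored hashes, never by reading passwords back. The following added example (not Qualys code, and not the Dissolvable Agent's method) shows the same three checks against a constructed credential store; it uses a salted PBKDF2-SHA256 store rather than Windows NT hashes so that it runs anywhere, and the account names, passwords and dictionary are all constructed test data:

```python
"""Audit a constructed credential store for the three weak-password classes
described in the lab text: empty passwords, passwords equal to the user name,
and passwords present in a custom dictionary.

Added example, not Qualys code. A real Windows store holds NT hashes; here a
salted PBKDF2-SHA256 store is constructed so the example is self-contained.
The audit never recovers a password: it hashes each candidate with the
account's own salt and compares the digest in constant time.
"""
import hashlib
import hmac
import os

ITERATIONS = 10_000  # kept low so the example runs quickly; production stores use far more

# Constructed test accounts (plaintext only to build the store; never stored).
ACCOUNTS = [
    ("svc_backup", ""),                # empty password
    ("jdoe", "jdoe"),                  # password equals user name
    ("admin", "Winter2019!"),          # present in the custom dictionary
    ("ops", "c0rrect-h0rse-9x"),       # passes all three checks
]

# Constructed custom dictionary, the analogue of the lab's CID 3895 word list.
SAMPLE_DICTIONARY = ["Password1", "Winter2019!", "qualys"]


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_store(accounts):
    """Build {username: (salt, digest)} from plaintext pairs (constructed data only)."""
    store = {}
    for user, pw in accounts:
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store


def audit(store, dictionary):
    """Return {username: finding} for every account that fails one of the checks.

    Candidates are tried in severity order so the first match is the one reported.
    """
    findings = {}
    for user, (salt, digest) in store.items():
        candidates = [("", "empty password"), (user, "password equals user name")]
        candidates += [(w, f"password in dictionary: {w!r}") for w in dictionary]
        for candidate, label in candidates:
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                findings[user] = label
                break
    return findings


def run_sample():
    return audit(make_store(ACCOUNTS), SAMPLE_DICTIONARY)


if __name__ == "__main__":
    for user, finding in sorted(run_sample().items()):
        print(f"{user:<12} {finding}")
```

Because each candidate has to be hashed once per account with that account's salt, the dictionary check costs dictionary size times account count hash operations; that is the reason such audits are scoped to a small custom word list rather than a general cracking dictionary.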
Launch Compliance Scans
In this section you’ll launch two separate compliance scans. The first scan will target the Unix
Asset Group, and the second scan will target the Windows Asset Group.
3. Give your scan the title “Unix Compliance Scan” and use the “Custom Compliance Profile” you
created.
4. Select the “Unix Compliance AG” Asset Group as your scan target.
5. Click the “Launch” button to start the scan.
6. Click the “Close” button to close the “Scan Status” window.
2. Give your scan the title “Windows Compliance Scan” and use the “Custom Compliance Profile”
you created.
3. Select the “Windows Compliance AG” Asset Group as your scan target.
4. Click the “Launch” button to start the scan.
5. Click the “Close” button to close the “Scan Status” window.
You can monitor the status of any scan, from the “PC Scans” tab.
All scans are initially queued before they begin running. Note: The scans you just launched will
only collect data points for controls already in the Controls Library.
Wait for a scan to finish before attempting to work with its results.
6. When your scans have FINISHED, use the “Quick Actions” menu to view results.
Successful authentication is critical to the Policy Compliance application. All authentication
issues must be addressed to ensure accurate compliance results.
Use the “Authentication Issues” information provided in the scan report to help you find
authentication issues encountered during a specific scan.
Please make note of any host IPs that were found to have authentication issues. Data points will
not be available for these host assets, until the authentication issue is corrected.
LAB 6: PCI Mandate Report
We can start by creating a ‘blank’ policy, and manually adding all policy components (i.e.,
technologies, assets, and controls) related to PCI-DSS.
1. Navigate to the “Policies” section and click the “Policies” tab.
2. From the “Policies” tab, click A) the “New” button, followed by B) “Policy” and select C)
“Create from Scratch…”.
3. Use the “Search technologies” drop-down menu to select the following UNIX and Windows
technologies:
• CentOS 6.x
• Oracle Enterprise Linux 5.x
• Oracle Enterprise Linux 7.x
4. Click the “Next” button.
Define Policy Scope
5. Add the “Unix Compliance AG” Asset Group to this policy and click the “Next” button.
6. Name your policy: “PCI Policy” and click the “Create” button.
The Policy Editor displays a blank policy. Controls have yet to be added.
7. Change the section title from “Untitled” to “PCI Controls.”
Add PCI controls to Policy
2. Click the “Search” button and select the “Payment Card Industry Data Security Standard (PCI-
DSS) Ver 3.2” framework.
3. Set the criticality to “URGENT” and click the “Search” button.
4. Select all controls by clicking on the checkbox located below the “Search” button.
5. Click the “Add” button to add the controls to the policy.
6. Select the “Evaluate now” checkbox and save the policy by clicking on the “Save” button.
7. Close the “Policy editor” window.
Mandate Report Template
The Mandate Report Template provides some very useful report filtering options. The next
few steps will create a custom Report Template that focuses on PASSED and FAILED control
tests.
1. Navigate to the “Reports” section and click the “Templates” tab.
2. Click A) the “New” button and select B) the “Mandate Template” option.
3. Type “Failed Controls Template” in the “Title” field.
Create Mandate Report
1. From the “Templates” tab, use the “Quick Actions” menu for the “Failed Controls Template”
to run a report.
5. Under “Mandates” select the “Payment Card Industry Data Security Standard (PCI-DSS)”.
6. Under “Policies” select the “PCI Policy”, which was created earlier.
7. Under “Report Source” select the “All Assets in Policy” and click the “Run” button.
8. When your report is displayed, scroll past the trend and data to view the PASS and FAIL results
for various hosts.
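When reading the PASS and FAIL results, the earlier note about authentication issues matters: a host whose scan failed to authenticate has no data points, so it must be reported as unknown, not counted as passing. The following added example (not Qualys code or the Mandate Report's own format; the rows, control IDs and hosts are constructed) summarises control results per host, optionally restricted to one criticality such as the URGENT controls added to the policy above, and keeps the no-data case separate:

```python
"""Summarise per-host control results the way a failed-controls mandate report is read.

Added example, not Qualys code. The result rows are a constructed stand-in for
exported control results (the real export layout is not shown in the lab text).
A host listed under authentication failures has no data points and is reported
as NO DATA rather than silently treated as PASS.
"""
from collections import defaultdict

# Constructed sample results: (host, control id, criticality, status).
SAMPLE_RESULTS = [
    ("10.10.30.21", "C-001", "URGENT", "PASSED"),
    ("10.10.30.21", "C-002", "URGENT", "FAILED"),
    ("10.10.30.21", "C-010", "MEDIUM", "FAILED"),
    ("10.10.30.22", "C-001", "URGENT", "PASSED"),
    ("10.10.30.22", "C-002", "URGENT", "PASSED"),
    ("10.10.30.22", "C-010", "MEDIUM", "PASSED"),
]
# Constructed: 10.10.30.23 is in the policy scope but had an authentication issue during the scan.
ALL_HOSTS = {"10.10.30.21", "10.10.30.22", "10.10.30.23"}
AUTH_FAILED_HOSTS = {"10.10.30.23"}


def summarise(results, all_hosts, auth_failed, criticality=None):
    """Return {host: {"passed": n, "failed": n, "status": str}} for every host in scope."""
    counts = {h: defaultdict(int) for h in all_hosts}
    for host, _cid, crit, status in results:
        if criticality is not None and crit != criticality:
            continue
        counts[host]["passed" if status == "PASSED" else "failed"] += 1

    summary = {}
    for host in all_hosts:
        passed, failed = counts[host]["passed"], counts[host]["failed"]
        if host in auth_failed:
            status = "NO DATA (authentication issue)"
        elif failed:
            status = "FAIL"
        elif passed:
            status = "PASS"
        else:
            status = "NO DATA"
        summary[host] = {"passed": passed, "failed": failed, "status": status}
    return summary


def hosts_needing_attention(summary):
    """Hosts that are either failing or could not be assessed, sorted for the report."""
    return sorted(h for h, s in summary.items() if s["status"] != "PASS")


if __name__ == "__main__":
    urgent = summarise(SAMPLE_RESULTS, ALL_HOSTS, AUTH_FAILED_HOSTS, criticality="URGENT")
    for host in sorted(urgent):
        s = urgent[host]
        print(f'{host:<14} passed={s["passed"]} failed={s["failed"]} {s["status"]}')
    print("needs attention:", hosts_needing_attention(urgent))
```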
Viewing PCI Compliance Resources
There is also a user guide, PCI frequently asked questions, and PCI Council information, located right
under the “Contact Support” section.
Contacting Support
Try as we may, inevitably you will need to contact support. To troubleshoot issues properly and
efficiently, we will need information from you.
There are 3 ways to contact support:
• The Qualys PCI Interface
• Email to support@qualys.com
• For Critical issues – call Support:
U.S. and Canada: +1.866.801.6161 24x7
Europe, the Middle East and Africa: +33.1.41.97.35.81 24x7
UK: +44 1753 872102 24x7
With the Qualys PCI interface, you will have all the necessary information at your fingertips. From
Qualys PCI on the left, click “Contact Support.”