Hello, I'm Professor Wool, discussing PCI and how to link vulnerabilities to business applications.

So if you're running any kind of operation that involves credit card processing, you are clearly subject to PCI, and one of the requirements of PCI that I'm sure you're familiar with is PCI requirement 6.1, which basically requires you to run a vulnerability scan on the systems that you have in the PCI zone. So here's your PCI zone; each one of these black squares represents a system that's in scope. You have your vulnerability scanner; it scans all of these systems on a schedule, let's say every night, and produces a report. It's usually a very voluminous report with lots of findings, and each of these findings has a CVE number and a severity code, and you get a very long list of these things: for the IP address of each of these servers you get the list of all the vulnerabilities that were found on it, prioritized by level of severity as determined by the vulnerability scanner. And then, well, you need to go in and fix all these findings whenever they pop up. But in terms of the PCI process you are okay, because you have a vulnerability scanner process going on and you get the report, so you're on top of it and you're in reasonably good shape.

But you can do better, because you need to fix these things, and typically this is a lot of work. It is also not risk-free, because if you patch a system to eliminate one of these vulnerabilities, you potentially are going to have a change control window in which you turn the system down; you're reducing availability, and this could be problematic from a business perspective. So in order to prioritize these findings and to schedule them into patching in a reasonable order, you need to know what they're doing: you need to know what each of these servers is actually functioning for, why it's there, and that means which business applications rely on it.

So imagine you have a business application such as e-commerce that relies on these two servers, and you have another business application that handles backup that relies on these two servers. There's overlap, obviously, but they're not the same servers that are being used for all of these applications. It would both enhance your PCI reporting and also what you need to do to improve if you had, inside the PCI compliance report, a list of all of the business applications that rely on servers in the PCI zone, and next to each of these applications you get an aggregated score, color-coded somehow, to tell you that the business application, for instance e-commerce, that relies on these two servers has an aggregated score of all the vulnerabilities currently detected on these servers that is coded orange, whereas the backup system relying on these other servers has an aggregated score that is red. This information is highly valuable in the course of a PCI audit, so you'd need to see this and know that you're not quite in good shape overall.

But in addition to helping you pass the PCI audit, it actually moves you along a great distance into prioritizing and fixing these things, because now you know what the business applications that rely on the vulnerable servers do and which ones are more business-critical, and you can balance the severity of the findings against the criticality of the application and make a conscious decision about what to patch when.

Thank you for your attention.
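The roll-up the talk describes, as an added Python example that is not from the talk or from any vendor product: constructed scan findings (placeholder CVE ids) and a constructed application-to-server inventory are aggregated into one colour per business application, findings are ranked by CVSS times the criticality of the most critical application sharing the host, and scanned servers that no application claims are surfaced as an inventory gap. The criticality weights and the colour bands are assumptions, not part of the talk.

```python
# Constructed sample scanner output (host, CVE id, CVSS score); the CVE ids are placeholders.
FINDINGS = [
    {"host": "10.0.1.10", "cve": "CVE-XXXX-0001", "cvss": 7.5},
    {"host": "10.0.1.10", "cve": "CVE-XXXX-0002", "cvss": 5.3},
    {"host": "10.0.1.11", "cve": "CVE-XXXX-0003", "cvss": 6.1},
    {"host": "10.0.1.21", "cve": "CVE-XXXX-0004", "cvss": 9.8},
    {"host": "10.0.1.21", "cve": "CVE-XXXX-0005", "cvss": 9.1},
    {"host": "10.0.1.99", "cve": "CVE-XXXX-0006", "cvss": 8.0},  # server no application claims
]

# Constructed inventory: the PCI-zone servers each business application relies on (they overlap
# on 10.0.1.11) and an assumed business-criticality weight set by the owner (1 = low, 3 = high).
APPLICATIONS = {
    "e-commerce": {"servers": {"10.0.1.10", "10.0.1.11"}, "criticality": 3},
    "backup": {"servers": {"10.0.1.11", "10.0.1.21"}, "criticality": 2},
}

# Assumed colour bands; the floors follow the CVSS v3 severity ratings.
BANDS = [(9.0, "red"), (7.0, "orange"), (4.0, "yellow"), (0.0, "green")]

def color_for(max_cvss):
    """Colour-code an application's aggregated score by the first band whose floor it reaches."""
    return next(color for floor, color in BANDS if max_cvss >= floor)

def aggregate_by_application(findings, apps):
    """Per application: worst CVSS on any server it relies on, finding count and colour."""
    report = {}
    for name, app in apps.items():
        hits = [f for f in findings if f["host"] in app["servers"]]
        worst = max((f["cvss"] for f in hits), default=0.0)
        report[name] = {"findings": len(hits), "max_cvss": worst, "color": color_for(worst)}
    return report

def unmapped_hosts(findings, apps):
    """Scanned servers no application claims: an inventory gap to resolve, not a finding to skip."""
    known = set().union(*(app["servers"] for app in apps.values()))
    return sorted({f["host"] for f in findings} - known)

def patch_order(findings, apps):
    """Rank findings by CVSS times the criticality of the most critical application on the host."""
    crit = {}
    for app in apps.values():
        for host in app["servers"]:
            crit[host] = max(crit.get(host, 0), app["criticality"])
    ranked = [(f["host"], f["cve"], round(f["cvss"] * crit[f["host"]], 1))
              for f in findings if f["host"] in crit]
    return sorted(ranked, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    print(aggregate_by_application(FINDINGS, APPLICATIONS), unmapped_hosts(FINDINGS, APPLICATIONS))
    print(patch_order(FINDINGS, APPLICATIONS))
```

With this data e-commerce comes out orange and backup red, as in the talk, yet the top-ranked finding to patch is on an e-commerce server, because the lower severity is multiplied by the higher business criticality.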