06-14-13 | Blog Post

A Quick InfoSec Tutorial: Vulnerability Scanning for HIPAA and PCI Compliance


Vulnerability scanning uses an automated tool to assess systems for known security weaknesses. Online Tech recommends monthly vulnerability scans so that new vulnerabilities that may have been inadvertently opened in your environment since the last scan are identified promptly. Our technical team gives a quick overview of vulnerability scanning in the interview below.

Q:  What is vulnerability scanning?
A: Vulnerability scanning is a protection mechanism Online Tech uses in the PCI stack (PCI hosting) for security. What vulnerability scanning does is look for vulnerabilities in switches, firewalls, servers, and software applications. It will look for over 5,000 different vulnerabilities. Online Tech adds new vulnerabilities to look for and updates its engines every day.

Q: How does it work?
A: Online Tech grabs an IP address and then we start attacking that IP address with a probe that is looking for vulnerabilities. Once that is done, it sends back a report and hopefully most of the items are green. Some items may be yellow. Some may be red. Those are going to be the things we are going to look at. That is where human intervention comes in to remediate any possible vulnerabilities. So, someone is going to look at the report and decide what actions should be taken.


Q: Who should be using vulnerability scanning and how often should this be done?
A: PCI requirements dictate that it is done quarterly. Online Tech does this monthly, and anyone with PCI data or other sensitive data like health care data or Social Security numbers should be using vulnerability scanning.

Companies that need to meet PCI compliance must satisfy PCI DSS Requirement 11.2, which requires scanning of their environments:

Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). – PCI DSS Requirements and Security Assessment Procedures, Version 2.0

While HIPAA does not explicitly call for vulnerability scanning, NIST's Risk Management Guide for Information Technology Systems (Special Publication 800-30) lists "automated vulnerability scanning tools" among the methods for proactively testing system security, and NIST recommends such testing as part of an organization's risk management process.
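The two mechanical parts of the process described above, turning a scan report into the green/yellow/red list that a human then works through and checking whether Requirement 11.2's "at least quarterly and after any significant change" cadence has been met, can be automated. The following is an added example, not Online Tech's own tooling: SAMPLE_REPORT is a constructed sample shaped like Nmap's XML output with the structured table that the vulners NSE script emits, the EXAMPLE-000x finding IDs are placeholders rather than real vulnerability identifiers, 192.0.2.10 is a documentation address, and the colour thresholds of 7.0 and 4.0 are the CVSS v2 qualitative bands (an assumption about how the scanner scores findings; 4.0 is also the score at or above which a PCI ASV external scan fails).

```python
"""Scan-report triage and PCI DSS 11.2 cadence check.

Added example, not Online Tech's tooling. SAMPLE_REPORT is a constructed
sample shaped like Nmap XML with the vulners NSE script's structured table;
the finding IDs are placeholders, not real CVEs.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date, timedelta

SAMPLE_REPORT = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
        <script id="vulners" output="(structured table follows)">
          <table key="cpe:/a:openbsd:openssh:7.4">
            <table><elem key="id">EXAMPLE-0001</elem><elem key="cvss">7.5</elem></table>
            <table><elem key="id">EXAMPLE-0002</elem><elem key="cvss">5.0</elem></table>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.15"/>
        <script id="vulners" output="(structured table follows)">
          <table key="cpe:/a:apache:http_server:2.2.15">
            <table><elem key="id">EXAMPLE-0003</elem><elem key="cvss">2.6</elem></table>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# CVSS v2 qualitative bands (assumption: the scanner reports v2 base scores).
# 4.0 is also the score at or above which a PCI ASV external scan fails.
RED_MIN, YELLOW_MIN = 7.0, 4.0


@dataclass
class Finding:
    host: str
    port: int
    service: str
    vuln_id: str
    cvss: float

    @property
    def colour(self) -> str:
        return "red" if self.cvss >= RED_MIN else "yellow" if self.cvss >= YELLOW_MIN else "green"


def parse_report(xml_text: str) -> list[Finding]:
    """One Finding per (host, open port, vulnerability) found in the XML."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # only reachable services carry findings
            svc = port.find("service")
            service = svc.get("name") if svc is not None else "unknown"
            for script in port.findall("script"):
                # Each inner <table> is one vulnerability, its fields as <elem>s.
                for row in script.iter("table"):
                    elems = {e.get("key"): e.text for e in row.findall("elem")}
                    if "id" in elems and "cvss" in elems:
                        findings.append(Finding(addr, int(port.get("portid")), service,
                                                elems["id"], float(elems["cvss"])))
    return findings


def triage(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Bucket findings by colour, worst first: the list a human works through."""
    buckets: dict[str, list[Finding]] = {"red": [], "yellow": [], "green": []}
    for f in sorted(findings, key=lambda f: f.cvss, reverse=True):
        buckets[f.colour].append(f)
    return buckets


def scan_due(last_scan: str, changes: list[tuple[str, str]], today: str,
             max_interval_days: int = 90) -> tuple[bool, str]:
    """Requirement 11.2: scan at least quarterly and after any significant
    change. Dates are ISO strings; `changes` lists (date, description) of
    firewall-rule edits, new components, upgrades and the like."""
    last = date.fromisoformat(last_scan)
    if date.fromisoformat(today) - last > timedelta(days=max_interval_days):
        return True, "quarterly interval exceeded"
    for when, what in sorted(changes):
        if date.fromisoformat(when) > last:
            return True, f"significant change not yet scanned: {what} ({when})"
    return False, "current"


if __name__ == "__main__":
    for colour, items in triage(parse_report(SAMPLE_REPORT)).items():
        for f in items:
            print(f"{colour:6} {f.host}:{f.port} {f.service:5} {f.vuln_id} cvss={f.cvss}")
    print(scan_due("2013-03-01", [("2013-06-10", "firewall rule change")], "2013-06-14"))
```

The cadence check deliberately treats a change made after the last scan as making a scan due even when the quarterly clock has not run out, because the "significant change" trigger in 11.2 is independent of the quarterly one; feeding it the change log (firewall rule modifications, product upgrades, new components) is what turns the requirement into something that can be checked rather than remembered.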

Interested in learning more?  Download Online Tech’s PCI Compliant Hosting whitepaper.  It explores the impact of the PCI DSS standard on data centers and server infrastructure, describes the architecture of a PCI compliant data center both technically and contractually, and outlines the benefits and risks of data center outsourcing and vendor selection criteria.


© 2024 OTAVA® All Rights Reserved