Qualys Webex 24 June 2008


1. Using Qualys to manage risks in vulnerability scanning and patch and configuration management.
   Vladimir Jirasek
   DSG International plc

2. Content
   - About DSG International
   - DSGi PCI DSS requirements
   - Patch management standard
   - Qualys in facts
   - Feedback, issues and challenges
3. DSG International plc
   - DSG International is one of Europe's leading specialist electrical retailers.
   - We have more than 1,300 stores and on-line stores, spanning 28 countries and employing 40,000 people. More than 100 million customers shop in-store and on-line with us every year.
   - Grown by investing in Europe's largest electrical retailers.
   - We own brands like Currys, PC World, Pixmania, The TechGuys, PC City, Electroworld, Elkjop.
4. PCI DSS defines 4 levels of merchants (source: http://www.pcistandard.com/merchantlevels.html)

   | Level   | # of transactions                                | Review by                          | Vulnerability scan                 |
   |---------|--------------------------------------------------|------------------------------------|------------------------------------|
   | Level 1 | over 6m in any channel                           | QSA                                | ASV (e.g. Qualys)                  |
   | Level 2 | 1m - 6m in any channel                           | self questionnaire                 | ASV (e.g. Qualys)                  |
   | Level 3 | 20k - 1m online transactions                     | self questionnaire                 | ASV (e.g. Qualys)                  |
   | Level 4 | less than 20k online or up to 1m in any channel  | self questionnaire (not mandatory) | ASV (e.g. Qualys) (not mandatory)  |
5. DSGi's PCI DSS project
   - Programme started in Q2 2007
   - Gap analysis identified some control weaknesses
     - No system to fulfil requirements of PCI DSS v1.1:
       - 11.2 - external and internal vulnerability scanning
       - 6.6 - web application scanning
       - 2.2 - system hardening/configuration
   - DSGi's requirements for the system:
     - Approved Scanning Vendor (ASV) certified by PCI SSC
     - Software as a Service - no HW or SW to maintain
     - Minimum admin overhead
     - Scales to large international implementations
     - Easy to use with out-of-the-box PCI DSS reports
     - Internal scanning managed via the same interface
     - Clear roadmap for compliance checking and web application scanning
6. System classification for patch management and risk management

   Systems shown on the classification diagram: Internet, Internal network, Head office, DMZ, POS server, mainframe, eBusiness, VPN GW, acquirer settlement, Store network. Note on the slide: Network or Host IPS may lower the level by 2.

   Remediation timescale by level (rows, 5 to 1) and system classification (columns):

   | Level | Critical  | Important     | High         | Medium       | Low      |
   |-------|-----------|---------------|--------------|--------------|----------|
   | 5     | 24 hours  | 5 days        | 14 days      | 20 days      | 40 days  |
   | 4     | 5 days    | 10 days       | 20 days      | 1 month      | 2 months |
   | 3     | 10 days   | 20 days       | 1 month      | 2 months     | 3 months |
   | 2     | 6 months* | Next release* | Next release | Next release | No fix   |
   | 1     | no fix*   | no fix*       | no fix       | no fix       | No fix   |
7. Authenticated scan proved to address false positives and increased visibility of issues
   - A non-authenticated scan can only reveal a limited number of vulnerabilities without breaking into the system
   - An authenticated scan has a lower number of false positives and gives a better picture of the patch and configuration status of a system
   [Chart: Authenticated scan vs. Normal scan; values shown: 134 and 804]
8. DSG's Qualys implementation facts
   - Started in February 2008
   - 1200 IP addresses - of which 150 external
   - 7 business units
   - 17 Qualys appliances
   - External and internal scans weekly - over 300 scans in 4 months
   - Daily maps of external IPs and DMZs
   - Two Qualys managers
   - Reader/Scanner accounts for IT administrators and 3rd parties
   - Testing the Compliance module
   - Preparing to test the Web application scanning module in Q3 08
9. Overall feedback is positive
   - IT teams now see Qualys as a useful tool-set rather than something for security managers to beat them up with (which we do anyway :)
   - Even diligent IT managers were surprised by what Qualys found on their systems when they had believed their systems were properly patched
   - Reports for PCI DSS are well structured and understood by the PCI DSS team
   - The modular architecture of Qualys could help us take up future functionality improvements easily (compliance and web application scanning)
10. Contact details
    - Vladimir Jirasek
    - Information security & compliance manager
    - DSG International plc
    - [email_address]
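The slide 6 remediation matrix turned into an executable policy check, added here as an example and not part of the deck or of any DSGi tooling. It assumes the 5 to 1 rows are vulnerability severity levels (5 = most severe), reads the IPS note as lowering that level by two, takes a month as 30 days and six months as 180, and runs over constructed findings to list which ones are past their deadline.

```python
from datetime import date, timedelta

# Matrix transcribed from slide 6: rows are the level 5..1 (assumed to be
# vulnerability severity, 5 = most severe), columns the system classification.
# Values are days; None means no fixed deadline ("Next release" / "No fix").
# A month is taken as 30 days and six months as 180 (assumption).
SYSTEM_CLASSES = ("Critical", "Important", "High", "Medium", "Low")
PATCH_SLA_DAYS = {
    5: (1, 5, 14, 20, 40),
    4: (5, 10, 20, 30, 60),
    3: (10, 20, 30, 60, 90),
    2: (180, None, None, None, None),
    1: (None, None, None, None, None),
}
IPS_LEVEL_REDUCTION = 2  # slide 6: "Network or Host IPS may lower the level by 2"
AS_OF = date(2008, 6, 24)  # webinar date, used as "today" in the demo

def patch_deadline(level, system_class, detected, ips_protected=False):
    """Return (effective_level, due_date) for one finding.

    An IPS covering the host is modelled as lowering the level by two
    (never below 1); due_date is None for "Next release" / "No fix".
    """
    if ips_protected:
        level = max(1, level - IPS_LEVEL_REDUCTION)
    days = PATCH_SLA_DAYS[level][SYSTEM_CLASSES.index(system_class)]
    return level, (None if days is None else detected + timedelta(days=days))

def overdue_findings(findings, today):
    """Return [(host, effective_level, due_date)] for findings past their deadline."""
    overdue = []
    for f in findings:
        level, due = patch_deadline(f["level"], f["system_class"],
                                    f["detected"], f.get("ips_protected", False))
        if due is not None and due < today:
            overdue.append((f["host"], level, due))
    return overdue

# Constructed sample findings (hypothetical hosts, not taken from the deck).
SAMPLE_FINDINGS = [
    {"host": "pos-srv-01", "level": 5, "system_class": "Critical", "detected": date(2008, 6, 20)},
    {"host": "ebiz-web-02", "level": 5, "system_class": "Critical", "detected": date(2008, 6, 20), "ips_protected": True},
    {"host": "hq-file-03", "level": 4, "system_class": "High", "detected": date(2008, 6, 1)},
    {"host": "store-pc-04", "level": 2, "system_class": "Medium", "detected": date(2008, 5, 1)},
]

if __name__ == "__main__":
    for host, level, due in overdue_findings(SAMPLE_FINDINGS, AS_OF):
        print(f"{host}: level {level} finding was due {due}")
```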