If you are a regular reader of our blog (we do have a few), you may remember that I started looking into PCI Compliance scanning services. Rolling out our new dedicated server backup service put my PCI work on hold for a couple of weeks, but now I am back to wrap it up. I set out to review several approved scanning vendors (ASVs) in terms of cost, ease of use and additional service offerings. This post concludes the project, which included information on PCI scanning, approved scanning vendors, and the initial security scan results. After working with several companies, the results are in and ControlScan is a clear winner.
As mentioned in our first report, we took a standard CentOS 5 server and subjected it to scans from ScanAlert, Comodo, and ControlScan. After the scanning we reviewed the reports, installed the Plesk control panel and conducted follow-up scans. Lastly, we corrected the broken items and re-scanned again.
Consistency
One of the key factors I wanted was consistency. During our ScanAlert trial, we found inconsistent scan alerts. Differing results on consecutive scans hinder our ability to properly secure a system, increase analysis time, and present a confusing picture of a system's compliance status.
New security signatures could lead to different reports, but in our trial, scans at different times revealed different ports being open even though no changes had occurred on the server. To be effective, you need consistent audits between scans on identical systems.
During our trial, we found ScanAlert produced 3 different results. This delays PCI compliance by requiring us to repeatedly re-check newly found items. While I understand that new signatures may contribute to differing results, any ASV should be able to produce consistent open port results.
The other vendors we tested produced consistent scan results. This allows us to schedule a single review period and eliminate any security items with a single pass over the audit. This reduces the time required to achieve PCI compliance and lowers total costs.
Note: Since we started the project, McAfee has re-branded and re-priced their service. From what I can tell, they are now calling it the McAfee Certified PCI Compliance Program.
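One way to make the consistency check concrete, as an added example that is not rackAID's or any vendor's tooling: it takes condensed open-port lines from consecutive scans of an unchanged host, flags ports that flap between reports, and compares them against the host's own listening set. The report lines and the listening set below are constructed samples, not real scanner output.

```python
import re
from collections import defaultdict

# Constructed sample: condensed open-port findings from three consecutive
# ASV scans of the same, unchanged host (not real vendor report output).
SCAN_REPORTS = {
    "scan-1": ["22/tcp open ssh", "80/tcp open http", "443/tcp open https", "8443/tcp open plesk"],
    "scan-2": ["22/tcp open ssh", "80/tcp open http", "443/tcp open https"],
    "scan-3": ["22/tcp open ssh", "80/tcp open http", "443/tcp open https", "8443/tcp open plesk",
               "106/tcp open poppassd"],
}
# Constructed: what the server itself reports as listening (in practice from netstat/ss).
HOST_LISTENING = {"22/tcp", "80/tcp", "443/tcp", "8443/tcp"}

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")

def parse_open_ports(lines):
    """Return {port/proto: service} for the 'open' lines of one report."""
    ports = {}
    for line in lines:
        m = PORT_RE.match(line.strip())
        if m:
            ports[f"{m.group(1)}/{m.group(2)}"] = m.group(3)
    return ports

def port_consistency(reports):
    """Classify every port seen in any scan as 'stable' (open in all scans)
    or 'flapping' (open in only some), with the scans that reported it."""
    seen = defaultdict(set)
    for name, lines in reports.items():
        for port in parse_open_ports(lines):
            seen[port].add(name)
    total = len(reports)
    return {
        port: ("stable" if len(names) == total else "flapping", sorted(names))
        for port, names in seen.items()
    }

def attribute_inconsistency(reports, host_listening):
    """Separate scanner-side inconsistency (a port flaps in the reports but the
    host always listens on it) from reported ports the host never listens on,
    which are the candidates for false-positive documentation."""
    consistency = port_consistency(reports)
    scanner_inconsistent = sorted(p for p, (state, _) in consistency.items()
                                  if state == "flapping" and p in host_listening)
    not_listening = sorted(p for p in consistency if p not in host_listening)
    return {"scanner_inconsistent": scanner_inconsistent, "not_listening": not_listening}
```

A port that flaps while the host always has it listening points at the scanner; a reported port the host never listens on belongs in the false-positive process discussed below.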
Pricing
Comodo's HackerGuardian was very attractive given the price, just $79.00 for a scan. However, the low price comes at a huge productivity cost. The organization of the reporting format complicated efforts to identify key results. Few meta-reporting options, useful for client or executive reports, were available or at least easily producible. Though I love the low price point, the additional time required to read the reports would negate the total cost savings. On average, I would expect it to take an additional 30-40 minutes per audit due to their reporting format. With PCI consulting rates ranging from $125 to $250 per hour, this quickly negates any cost savings. So while Comodo's offering may be the least expensive for a do-it-yourself approach, if you have to hire a consultant to help you with your audits, the total costs could be greater than you anticipate.
Reporting
ControlScan's system, though slow at times, works very well. I suspect the slowness may be due to some JavaScript-related items in Firefox. You can produce a number of reports for the bosses or clients. The results are clearly displayed by category, system, and threat level. Here are a couple of examples:
PCI Report
If you have multiple domains, there are many consolidated reporting options that can give you a quick overview of your security status.
False Positives
The most time-consuming issue when dealing with PCI-related security scans is the documentation of false positives. Having an easy-to-use false positive reporting system is critical. We did not even get to the false-positive stage with Comodo due to the onerous nature of the reports. But with ScanAlert and ControlScan the reporting is easy. ScanAlert has a web-based system to report issues. ControlScan uses email. You just indicate your scan number and submit the documentation required to arbitrate a false positive.
Emails to ControlScan were answered promptly, often the same day. With some other vendors, such as Trustwave and SecurityMetrics, we found poor communication hampered resolving false positives.
If you are using rackAID's server management service, most of the issues on an audit will be false positives, so having a reliable reporting system is critical.
Recommendation
We currently recommend ControlScan as our preferred PCI Compliance vendor. We found their service reliable, their support prompt and their pricing comparable to other vendors. The report organization and formatting are some of the best available, and we had no issues dealing with false positives.
I had the opportunity to meet with ControlScan representatives this week while at HostingCon. My conversations with their sales and technical teams further assured me that we have made the right decision in recommending their services.
Managed Security Scans
We like ControlScan so much that we are currently working on a partnership with them. Look for an announcement in the coming weeks about a new managed PCI compliance and security scanning service. This new service will provide routine security audits by ControlScan with fixes delivered by rackAID. It will be available as an add-on to our monthly support plans. Pricing will be comparable to using a third-party scanner and using rackAID's services for repairing issues. With the managed service, you don't have to worry about coordinating the audits every quarter. We will handle them for you.