The last 3 days of my life have been spent wallowing in the deep grave of mud and syrup which is (drum-roll please) “Security Metrics’ PCI-DSS Vulnerability Scanner“.
I could rant for 3 pages, oh I really could. I admin a half-dozen Linux boxes (shortly to be replaced with quite a few more) – which I take as much pride in as I do my own property. In fact, I probably take more pride in them than I do my own property.
If someone were to so much as accidentally cancel a page load (port 80, HTTP) to our customer-facing site, I’d know about it. Once I caught the telephone system glitching out – I wondered why there were several 404 errors for “ourdomain.com/dotheyanswerthephones”. Yes, I’m that observant.
These boxes are so secure, I’d happily put everything I own against them not being hacked. They are the essence of epic. Every T is crossed and lower-case J dotted. And then some. And then some more.
Alas, I digress.
So what’s led me to blog this?
Well, it’s not the score of 45 points which didn’t exist 4 weeks ago. (Yes, I’m that proud of my work – I won’t settle for even the “warning” points). Oh no. It’s not the repetitive emails saying “You’re not PCI-DSS compliant” (which is a load of rubbish – we are PCI-DSS compliant – we’re just flagging some false positives on some third party’s Nessus install), and it’s not even the “Open SMTP relay” which relays mail for our own domains! (Google reveals I’m not the only one with this problem … some sanity remains). It’s not even even even even the POP3 and SMTP ports which provide outdated SSL certificates (because obviously POP3S is POP3 with the S standing for “super”-SSL. Oh no wait…). And I will skip the scanner detecting my Debian Lenny box as a Buffalo Wireless Access Point. Idiots.
No, today this one started over the “You’re using an outdated OpenSSH version, please upgrade it – or wait for your vendor to provide a new version” (which is in line with PCI-DSS) – yet they continually report me as failing while I wait.
And then it finished with this (and I’m only a third of the way through fixing over 300 points of fail):
Description: scan may have been dynamically blocked by an IPS
Severity: Potential Problem
Impact: The scan results may be inconclusive.
Background: An Intrusion Prevention System (IPS) is a device which protects a system or network from attackers. An IPS works by monitoring a network for malicious activity, and blocking that activity.
Resolution: Temporarily disable the Intrusion Prevention System or configure an exception for the scanner’s IP address before starting the scan.
Oh my goodness. You’re actually giving me a score of 3 points because you’ve (incorrectly) detected a possible IPS – which is protecting my servers from attacks?!
</life>
</sanity>
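Before taking the scanner’s word for it, check whether your own host-level blocking actually banned the scanner’s source addresses during the scan window, and if so, exempt only those ranges. This is an added example, not code from the original post or from SecurityMetrics; the scanner ranges, the scan window and the fail2ban log lines are constructed placeholders.

```python
"""Check fail2ban logs for bans of an ASV scanner's source addresses.

Added example, not part of the original post. The scanner ranges and the
log lines below are constructed placeholders; substitute the ranges your
ASV publishes and your real /var/log/fail2ban.log.
"""
import ipaddress
import re

# Placeholder: the source ranges your ASV says it scans from (NOT real ones).
SCANNER_RANGES = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

# Constructed: the window in which the scan ran, same format as the log.
SCAN_WINDOW = ("2010-03-01 02:00:00", "2010-03-01 04:00:00")

# Constructed sample lines in fail2ban's 0.8.x log format.
SAMPLE_LOG = """\
2010-03-01 02:14:07,101 fail2ban.actions: WARNING [ssh] Ban 192.0.2.44
2010-03-01 02:14:09,332 fail2ban.actions: WARNING [ssh] Ban 203.0.113.9
2010-03-01 02:20:41,005 fail2ban.actions: WARNING [apache] Ban 198.51.100.7
2010-03-01 03:14:07,211 fail2ban.actions: WARNING [ssh] Unban 192.0.2.44
"""

BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?\[(?P<jail>[^\]]+)\] "
    r"(?P<action>Ban|Unban) (?P<ip>\S+)$"
)

def is_scanner(ip):
    """True if ip falls inside one of the configured scanner ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SCANNER_RANGES)

def scanner_bans(log_text, start, end):
    """Return [(timestamp, jail, ip)] for Ban events on scanner addresses in [start, end].

    Timestamps are compared as fixed-width strings, so no date parsing is needed.
    """
    hits = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if not m or m["action"] != "Ban":
            continue
        if start <= m["ts"] <= end and is_scanner(m["ip"]):
            hits.append((m["ts"], m["jail"], m["ip"]))
    return hits

def ignoreip_line():
    """fail2ban [DEFAULT] ignoreip value that exempts only the scanner ranges."""
    return "ignoreip = 127.0.0.1/8 " + " ".join(str(n) for n in SCANNER_RANGES)

if __name__ == "__main__":
    for ts, jail, ip in scanner_bans(SAMPLE_LOG, *SCAN_WINDOW):
        print(f"{ts} jail={jail} banned scanner address {ip}")
    print(ignoreip_line())
```

If the list comes back empty, the finding is a scanner-side artefact and there is nothing on your host to exempt; if it is not, the `ignoreip` line scopes the exception to the scanner alone rather than disabling the IPS.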
FYI… SecurityMetrics now gives a score of *4* – i.e. a PCI DSS FAIL – for the IPS Port Scan nonsense.
LOL – we found that out just a few days ago.
I cannot begin to describe my frustrations on the subject!
The question is, how do you get around it?
err… anyone figure this out? Failing now cos their scanner sux
I rang them up, got little to no help.
Most of the failures I’ve seen resolve themselves within a few days of “doing nothing” – I guess because they update their rulesets…