At FlowTraq, we’re fanatical about security and we want to make it as difficult as possible for bad actors to find and exploit vulnerabilities, be they technical or human. David Kopacz is the CTO of a Web hosting company (and a FlowTraq customer) and he’s equally passionate about protecting clients’ assets. David is concerned about a trend he sees in the industry and he’s sharing his concerns with us in this guest post. If your company relies on a hosting company, you should be worried, too. Even if your business isn’t subject to PCI DSS requirements, this practice could put your company at risk.
How PCI Scanning Practices Put Hosting Companies – and Their Clients’ Sites and Servers – at Risk
A Guest Post By David Kopacz, CTO of ASPwebhosting.com
Vulnerability scanning and testing companies offer a valuable service, and the advent of the Payment Card Industry Data Security Standard (PCI DSS) gave rise to a thriving market of PCI scanning and testing services. These services regularly test for vulnerabilities that could expose credit card data, and that is a good thing. But many of these companies ask Web hosting providers to break their own security controls in order to “test” their clients’ systems, by insisting that the scanners’ IP addresses be white listed. This is not only unnecessary, it should not be permitted.
Again, let me state that PCI compliance scanning isn’t necessarily a bad thing. Consider, however, what it actually is. In most cases, the PCI scanning company is attempting to exploit your network, devices, applications, or databases. If an exploitable vulnerability exists, we want to know about it, right? Of course we do, which is exactly why we permit PCI scanning companies to run their exploit tests against our networks, devices, applications, and databases. But what happens when the Web hosting company detects the exploit attempt and mitigates it?
What happens today when scanning companies run PCI tests
In many cases, PCI scanning companies run into Web hosting companies’ self-defending networks (at ASPwebhosting.com, we use FlowTraq as part of our security arsenal) and are shut down at the front door. Most of the hosting companies’ customers should feel good about this. The problem for the scanning company, though, is that it cannot continue its exploit activity once the threat has been mitigated. So what does it do? In some cases, the scanning company is large enough to have many IP addresses, and it simply picks another IP and continues to scan. Issue resolved. But what about the smaller PCI scanning companies? What happens when their IP address gets blocked? They either wait for enough time to elapse for the block to expire, or they have to contact the host and ask to be removed from the block list. Unfortunately, many don’t want to incur the expense and time of contacting the hosting company, so they simply fail the customer’s scan and inappropriately report to the bank that the customer failed the PCI compliance test. This is fraud.
This approach of failing the scan is becoming increasingly prevalent among PCI scanning companies. They simply fail the scan when their IP address is blocked and then tell their (our) client to instruct the host to white list their scanning IP addresses so that the tests (the exploit attempts) can bypass the security measures the host has implemented. But wait a minute, isn’t that a violation of PCI DSS itself? I think it is.
The PCI scanning company will argue (in our case, in vain) that white listing its IP addresses does not create a security risk because it isn’t really hacking or exploiting your security, only testing to see whether the vulnerability exists. Well, I beg to differ. In order to properly test whether a vulnerability exists, you must exploit it. Furthermore, since the PCI scanning company is a third-party entity, it is not subject to the information security policy of the merchant or the host, so who is watching its employees? Who is ensuring its scanning servers aren’t being hacked, exploited, or infected with viruses? Yet they want carte blanche access to the Web hosting company’s network and the devices behind its security systems?
Here’s the problem
Opening the network to dozens of PCI security scanning companies would be irresponsible, even reckless. I think it should be illegal. Why, you ask? Well, let’s examine one scenario. I am a hacker and I want to access some servers behind a Web hosting company’s security systems. As a hacker, I know how to spoof IP addresses. Whose IPs do you think I’m going to try first? You guessed it: the PCI security scanning company that so gracefully social-engineered the Web hosting company for me and got its IPs white listed for every known exploit.
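The two behaviours described above, a block that expires on its own (so a scanner either waits it out or moves to a fresh IP) and an allowlist entry that switches the filter off for anything presenting that source address, can be seen in a small model. This is an added, constructed example, not FlowTraq or ASPwebhosting.com code; the thresholds, the log format and the addresses are assumptions chosen for illustration, and the model filters on the claimed source address only, which is the property the spoofing scenario relies on.

```python
"""Toy model of a self-defending edge filter: block a source that probes too
fast, let the block expire on its own, and honour an allowlist.

Constructed example, not FlowTraq or ASPwebhosting.com code. Thresholds,
addresses and the log format are assumptions made for illustration.
"""
from collections import defaultdict, deque

PROBE_THRESHOLD = 5     # probes from one source inside WINDOW_SECONDS before it is blocked
WINDOW_SECONDS = 60
BLOCK_SECONDS = 3600    # the block "falls off the list" after an hour


class EdgeFilter:
    def __init__(self, allowlist=()):
        self.allowlist = set(allowlist)
        self.recent = defaultdict(deque)  # src -> timestamps of recent probes
        self.blocked_until = {}           # src -> time the block expires

    def is_blocked(self, src, now):
        expiry = self.blocked_until.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked_until[src]   # block has expired on its own
            return False
        return True

    def handle(self, src, now):
        """Verdict for one probe from src at time now: 'allow', 'block' or 'drop'."""
        if src in self.allowlist:
            return "allow"                # keyed on the claimed source address only
        if self.is_blocked(src, now):
            return "drop"
        probes = self.recent[src]
        probes.append(now)
        while probes and now - probes[0] > WINDOW_SECONDS:
            probes.popleft()              # forget probes outside the window
        if len(probes) >= PROBE_THRESHOLD:
            self.blocked_until[src] = now + BLOCK_SECONDS
            probes.clear()
            return "block"                # this probe trips the block
        return "allow"


# Constructed log: "<unix time> <src> <dst> <dst port>", one probe per line.
# 203.0.113.10 scans seven ports in seven seconds, 203.0.113.11 picks up where
# it was cut off, and 203.0.113.10 comes back after its block has expired.
SAMPLE_LOG = """\
1000 203.0.113.10 198.51.100.5 21
1001 203.0.113.10 198.51.100.5 22
1002 203.0.113.10 198.51.100.5 25
1003 203.0.113.10 198.51.100.5 80
1004 203.0.113.10 198.51.100.5 443
1005 203.0.113.10 198.51.100.5 3306
1006 203.0.113.10 198.51.100.5 8080
1007 203.0.113.11 198.51.100.5 3306
1008 203.0.113.11 198.51.100.5 8080
4700 203.0.113.10 198.51.100.5 3306
"""


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        rows.append((int(ts), src, dst, int(port)))
    return rows


def summarize(log_text, allowlist=()):
    """Run the filter over the log; return {src: {verdict: count}}."""
    flt = EdgeFilter(allowlist)
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, _port in parse_log(log_text):
        counts[src][flt.handle(src, ts)] += 1
    return {src: dict(verdicts) for src, verdicts in counts.items()}


if __name__ == "__main__":
    print("no allowlist:       ", summarize(SAMPLE_LOG))
    print("scanner allowlisted:", summarize(SAMPLE_LOG, allowlist={"203.0.113.10"}))
```

Run as a script it prints both summaries. With no allowlist the first scanner's fifth probe trips the block and the next two are dropped, the second scanner address continues untouched, and the first address is admitted again once its block has expired; with the scanner allowlisted every one of its probes is admitted, and so is anything else that presents that source address to the filter.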
So ask yourself, what is the goal of PCI compliance? Is it to truly secure your networks, devices, applications, and databases? Or is it to pass a PCI compliance test performed by a for-profit PCI scanning company? Remember, this is a self-regulated industry. So, who is regulating the PCI scanning companies? The PCI Security Standards Council. Who runs the PCI Security Standards Council? Well, your guess is as good as mine, but my guess is the PCI scanning companies that are approved by the council, along with a few merchant banks and perhaps representatives from the credit card companies. In any event, I sent them a version of this article back in 2013 and asked them how they can permit their “approved” vendors to ask Web hosting companies to white list their IP addresses. It’s 2015 and I have yet to receive a response. In my opinion, that is quite telling.
Just say no…to white listing IP addresses
It is my strong opinion that Web hosting companies should concentrate their efforts on securing their clients’ networks, devices, applications, and databases without regard for the PCI scanning companies’ exploit testing. It should be the scanning companies’ responsibility to figure out the best order in which to run their scans, so that their IP addresses can perform the less-intrusive tests first, and to recognize that when their IP does get blocked, the customer is secure and in compliance with PCI security standards.
Under no circumstances should a Web hosting company ever white list a single external, publicly facing IP address, especially for a company that is deliberately trying to exploit vulnerabilities on its network.