11 – Test Security Systems and Processes Regularly
In the Reports Portal, select > > > Reports or Dashboards > .
PCI Requirement 11 focuses on frequently testing your processes and the security system components of your cardholder data environment, such as performing regular vulnerability scans. PCI expects your enterprise to keep your processes and systems current with evolving security issues.
To assess your enterprise's compliance with this requirement, use the following dashboards and reports:
Attacks and Suspicious Activities Overview
Provides, in charts and a table, an overview of attacks and suspicious events. You can view the IP addresses generating the most attacks, the systems that are the target of most attacks, a trend of attacks over time, and the top events.
Drill Down Assets with Buffer Overflow Vulnerabilities
Lists assets that might be vulnerable to buffer overflow. This type of vulnerability occurs when a program fails to bound the amount of user-controlled data it writes into a fixed-size memory buffer. A malicious user who supplies more data than the buffer can hold overwrites adjacent memory, which can crash the program or, when the overwritten memory holds control data such as a return address or function pointer, let the attacker execute code of their choosing.
Drill Down Assets with High Risk Vulnerabilities
Reports assets that might be vulnerable to listed high-risk security threats. High-risk vulnerabilities represent those that are relatively easy for attackers to exploit and gain control over system components. Many high-risk vulnerabilities can temporarily or permanently disrupt enterprise operations.
Drill Down Assets with SSL and TLS Vulnerabilities
Reports assets that might have the listed TLS or SSL vulnerability. For example, Heartbleed (CVE-2014-0160) is a flaw in OpenSSL's implementation of the TLS heartbeat extension that lets a malicious user read up to 64 KB of the peer's process memory per request, potentially exposing private keys, session cookies, and cardholder data.
Drill Down CSRF Vulnerable Assets
Reports assets that might be vulnerable to the listed cross-site request forgery (CSRF or XSRF) attack. In a CSRF attack, also known as a one-click attack or session riding, a malicious user tricks the browser of an authenticated user into sending a request the user did not intend. Because the browser automatically attaches the session cookie, the application treats the forged request as a legitimate command from the account it trusts.
Drill Down SQL Injection Vulnerable Assets
Reports assets that might be vulnerable to the listed SQL injection attacks. In a SQL injection attack, a malicious user supplies input that alters the queries an application sends to its database, and can therefore view, modify, or delete data the application never intended to expose. Depending on the database and the privileges of the account the application uses, SQL injection can also be used to cause a denial of service or to compromise other services, servers, or infrastructure.
Drill Down XSS Vulnerable Assets
Reports assets that might be vulnerable to the listed cross-site scripting (XSS) attacks. XSS vulnerabilities let malicious users inject script into legitimate web pages or applications so that it executes in the victim's web browser when the page is rendered. The injected script might hijack user sessions, deface websites, or redirect users to harmful sites. A web application or page becomes vulnerable when it includes untrusted data in its output without proper validation or escaping, or when it updates the page with user-supplied data through a browser API that can create HTML or JavaScript. XSS is common in forums, message boards, and any page that accepts comments. Although payloads can also be written in VBScript, ActiveX, Flash, or CSS, the vast majority of XSS attacks use JavaScript.
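The SQL injection and XSS drill-downs above report assets that scanners flag for these weaknesses; the following added example (not part of this product's documentation or code) shows what the underlying defect looks like in application code, with the vulnerable form beside the hardened form. The table, usernames, and payloads are constructed for the example.

```python
"""Added example: SQL injection and reflected XSS, vulnerable beside hardened.

Uses only the Python standard library (sqlite3, html) so it runs offline.
"""
import html
import sqlite3


def make_db():
    """Build a constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, card_last4) VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1881"), ("carol", "0005")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the caller's input is spliced into the SQL text.

    With username = "' OR '1'='1" the statement becomes
    ... WHERE username = '' OR '1'='1', and every row comes back.
    """
    sql = f"SELECT username, card_last4 FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: a bound parameter is sent as data and can never change the
    structure of the query, so the same payload matches no row."""
    sql = "SELECT username, card_last4 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_greeting_vulnerable(name):
    """Vulnerable: untrusted data is placed into HTML unescaped, so a name such as
    <script>alert(1)</script> executes in the visitor's browser."""
    return f"<p>Welcome back, {name}</p>"


def render_greeting_escaped(name):
    """Hardened: html.escape turns <, >, &, ' and " into entities, so the browser
    renders the payload as text instead of parsing it as markup."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, payload))
    print("parameterized:", lookup_parameterized(db, payload))
    xss = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(xss))
    print(render_greeting_escaped(xss))
```

Parameterized queries fix the injection at the point where SQL is built; output encoding fixes XSS at the point where data is written into HTML. A scanner drill-down tells you which asset to look at, but the remediation is in the application code, not on the host.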
Reports events that indicate an attempt to exploit a given detected vulnerability. The table provides results by the vulnerability, IP address and name of the affected system, number of events associated with the vulnerability, and when the most recent event occurred.
Reports events that indicate file integrity might be compromised in your environment. File integrity monitoring, also known as change monitoring, compares operating system files, the Windows registry, application software, Linux system files, and similar critical content against a known-good baseline to detect changes that might indicate an attack; PCI DSS requires such critical-file comparisons to run at least weekly. The table provides results by the signature ID, IP address and name of the affected system, the number of events, and when the most recent event occurred.
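To make concrete what a file integrity monitor detects, here is an added example (not the product's own agent or code) that baselines a directory tree by content hash and permission bits, then reports additions, deletions, content changes, and permission changes. The directory layout, file contents, and the simulated tampering are constructed inside a temporary directory so the script runs offline.

```python
"""Added example: a minimal file integrity monitor (baseline, re-scan, diff)."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record hash, permission bits, and size for every file under root,
    keyed by path relative to root so the baseline is location independent."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": sha256_file(full),
                "mode": st.st_mode & 0o7777,
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Return (event_type, relative_path) tuples, sorted by path.

    A content change is reported in preference to a permission change on the
    same file, since a modified binary matters more than its mode bits.
    """
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append(("deleted", rel))
        elif rel not in baseline:
            events.append(("added", rel))
        else:
            before, after = baseline[rel], current[rel]
            if before["sha256"] != after["sha256"]:
                events.append(("content_changed", rel))
            elif before["mode"] != after["mode"]:
                events.append(("permissions_changed", rel))
    return events


def _write(root, rel, data):
    """Helper for the constructed sample tree: create parent dirs and write bytes."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed system tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "bin/ls", b"\x7fELF constructed original binary\n")
        baseline = build_baseline(root)

        # Simulated attacker activity: trojaned binary, new cron job,
        # and /etc/passwd made world-writable without changing its content.
        _write(root, "bin/ls", b"\x7fELF constructed trojaned binary\n")
        _write(root, "etc/cron.d/backdoor", b"* * * * * root /tmp/.x\n")
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for event, path in demo():
        print(f"{event:20s} {path}")
```

A real deployment stores the baseline off-host (an attacker with root can edit a local baseline as easily as the files), re-baselines only after an approved change, and forwards each event to the SIEM so it appears in reports like this one with a signature ID and timestamp.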
Reports the systems with the greatest likelihood of being exploited based on the reported vulnerabilities. The table provides results by the vulnerability, the signature ID, name of the affected system, and when the most recent event occurred.
Information Interception Events
Reports traffic interception events that indicate spoofing or man-in-the-middle attacks. The table provides results by the signature ID, details of the source and destination addresses, the number of events, and when the most recent event occurred.
Reports rogue wireless access points (APs) found in your environment. A rogue AP is a wireless access point attached to the wired infrastructure without the knowledge or permission of the network administrator; a user might install one unintentionally or maliciously in an office or data center. Because a rogue AP bridges wireless clients straight onto the cardholder data environment, PCI DSS requires you to test for unauthorized wireless access points at least quarterly. The chart shows rogue APs found over time. The table provides results by the device ID and name, when the event occurred, and the number of events.
Traffic Anomaly on Application Layer
Reports all the traffic anomalies found in the application layer. This layer carries the protocols and interface methods that hosts use to exchange data (HTTP, DNS, SMTP, and so on); malicious users target it to disrupt, or take control of, processes and services on a web or application server. The table provides results by signature ID, details of the affected system or product, the number of events, and when the most recent event occurred.
Traffic Anomaly on Network Layer
Reports all the traffic anomalies found in the network layer. This layer routes packets between different networks, and so is exposed to attacks such as IP address spoofing, ICMP floods, and route manipulation. The table provides results by the destination and source systems, the number of events, and when the most recent event occurred.
Traffic Anomaly on Transport Layer
Reports all the traffic anomalies found in the transport layer. In this layer, a malicious user might hijack a session by taking control of a connection between two nodes after the initial authentication has completed. The table provides results by signature ID, the destination and source systems, the number of events, and when the most recent event occurred.
Reports vulnerabilities by CVE and severity. The table provides results by the CVE, its severity, the affected asset, and when the most recent event occurred.
Reports vulnerabilities found by host. The table provides results by the CVE, its severity, the affected asset, and when the most recent event occurred.
Vulnerability Summary Overview
Reports all the vulnerabilities found in the PCI environment. The table provides results by the vulnerability name, CVE, the Common Vulnerability Scoring System (CVSS) score, signature ID, the affected asset, and when the most recent event occurred.
Provides, in several charts, the details of reported vulnerabilities over time. You can view the assets with the most high-risk vulnerabilities, the most frequently reported vulnerabilities, and the vulnerable assets, including their hostnames.
Provides charts for an overview of vulnerabilities by category: SQL, XSS, CSRF, SSL, high-risk, and buffer overflow. You can drill down in the charts to identify the affected assets.
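The vulnerability reports above list findings by CVE and CVSS score and rank the assets with the most high-risk vulnerabilities. The following added example (not the product's own report logic) shows the arithmetic behind such a ranking: mapping CVSS v3.x base scores to qualitative severities, rolling findings up per asset, and applying the PCI ASV Program Guide rule that any finding scoring 4.0 or higher fails an external scan. The asset names, scores, and the mix of findings are constructed for the example; the CVE identifiers are real, well-known ones used only as labels.

```python
"""Added example: per-asset vulnerability summary and ranking from scan findings."""
from collections import Counter

# PCI DSS ASV Program Guide: a CVSS base score of 4.0 or higher on any finding
# makes an external vulnerability scan non-compliant.
ASV_FAIL_THRESHOLD = 4.0

# Constructed sample findings (assets and scores invented for this example).
FINDINGS = [
    {"asset": "pos-db-01", "cve": "CVE-2021-44228", "name": "Log4j JNDI RCE", "cvss": 10.0},
    {"asset": "pos-db-01", "cve": "CVE-2014-0160", "name": "OpenSSL Heartbleed", "cvss": 7.5},
    {"asset": "pos-web-01", "cve": "CVE-2014-0160", "name": "OpenSSL Heartbleed", "cvss": 7.5},
    {"asset": "pos-web-01", "cve": "CVE-2017-0144", "name": "SMBv1 RCE", "cvss": 8.1},
    {"asset": "pos-web-01", "cve": None, "name": "TLS 1.0 enabled", "cvss": 5.3},
    {"asset": "hr-laptop-12", "cve": None, "name": "Outdated browser plugin", "cvss": 6.5},
    {"asset": "kiosk-07", "cve": None, "name": "Self-signed certificate", "cvss": 2.0},
]


def severity(cvss):
    """Map a CVSS v3.x base score to its qualitative rating."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def summarize_by_asset(findings):
    """Roll findings up per asset: worst score, counts per severity, distinct CVEs,
    and whether the asset alone would fail an ASV scan."""
    summary = {}
    for f in findings:
        s = summary.setdefault(
            f["asset"],
            {"max_cvss": 0.0, "by_severity": Counter(), "cves": set(), "asv_pass": True},
        )
        s["max_cvss"] = max(s["max_cvss"], f["cvss"])
        s["by_severity"][severity(f["cvss"])] += 1
        if f["cve"]:
            s["cves"].add(f["cve"])
        if f["cvss"] >= ASV_FAIL_THRESHOLD:
            s["asv_pass"] = False
    return summary


def rank_assets(summary):
    """Order assets as a 'most high-risk vulnerabilities' chart would:
    by High plus Critical count, then by worst score, then by name."""
    def key(item):
        name, s = item
        high = s["by_severity"]["High"] + s["by_severity"]["Critical"]
        return (-high, -s["max_cvss"], name)
    return [name for name, _ in sorted(summary.items(), key=key)]


if __name__ == "__main__":
    summary = summarize_by_asset(FINDINGS)
    for asset in rank_assets(summary):
        s = summary[asset]
        print(f"{asset:14s} max={s['max_cvss']:4.1f} "
              f"{dict(s['by_severity'])} asv_pass={s['asv_pass']}")
```

Note that a Medium finding (4.0 to 6.9) still fails the ASV threshold even though it never appears in a high-risk chart, so an asset can rank low in the overview and still block compliance.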