Matt

Is your network PCI (Payment Card Industry) compliant? Are you sure? If you are like most of us, you have heard of this and other similar regulations but don’t really know what they mean without taking a course on the subject.

I have been researching some tools to perform a network vulnerability assessment for a graduate class and found one worth mentioning.  It comes from a reputable company based in Columbia, Maryland called Tenable Network Security and it can be downloaded here.

The Nessus Professional Feed from Tenable Network Security is a lightweight, no-frills network vulnerability scanner. It features the ability to scan local and remote systems for the latest vulnerabilities. With the Professional Feed, users also get access to a compliance configuration audit pack, which can add credential-based auditing for NIST FDCC/SCAP, DISA STIG, CIS, and PCI compliance, along with many others.  I really liked the idea of being able to add plug-ins for regulations that I am not an expert in, such as PCI compliance.

This tool is a very straightforward install. The small server component can be installed on a medium-size machine with at least 2 GB of memory. The installation itself is easy and only takes a few minutes after launching the executable installer. After the server is installed, licensed and started, it instantly downloads the latest vulnerability checks and is ready to go. The web GUI can be accessed from any machine on the network, and scanning can begin.  I really like this product and it was simple and straightforward to get up and running.  I learned a lot and it didn’t require me to know cryptic Linux commands or jump through hoops to get it running.

Check it out if you get a chance. They now have a cloud-based option if you don’t want to maintain a Nessus server. Download it and run a test scan against your network. You can scan your home network for free. You can run a scan using a default out-of-the-box policy, or get creative and create your own scanning policies. Start looking at the reports and fixing the high-priority items in your environment. Be proactive about network security and cut the “low-hanging fruit” off the security tree. Then get a ladder and go after the rest.

The downside to this tool is that it is not free for business use. It costs $1,200 a year for a subscription. However, this is a small cost compared to what you may pay in fines and loss of reputation when a hacker penetrates your network. For instance, banks can be fined up to $100,000 per month for PCI compliance violations. For a little upfront effort and cost to comply with PCI, you greatly reduce your risk of facing these extremely unpleasant and costly consequences.

Happy and Safe Computing!
