Security
Storm virtual and dedicated servers: Premium PCI external vulnerability scans, for free | Storm Internet
Times are always interesting. If that not-so-ancient “ancient” Chinese curse – “May you live in interesting times” – is anything to go by, then it seems there’s someone out there who has it in for modern civilisation: war, COVID, and climate change. Major digital security threats are now so abundant that citing individual instances is a bit pointless.
Accompanying this non-stop turmoil is an undercurrent of apprehension: organisations fear an interruption to their daily grind. This is according to AGS CEO Joachim Mueller who summarised 2022 (thus far) quite neatly:
“For most companies the biggest fear is not being able to produce their products or deliver their services. 2021 saw unprecedented levels of disruption, caused by various triggers. Crippling cyber-attacks, the supply chain impact from many climate change-related weather events, as well as pandemic-related manufacturing problems and transport bottlenecks wreaked havoc. This year only promises a gradual easing of the situation, although further COVID-19-related problems cannot be ruled out. Building resilience against the many causes of business interruption is increasingly becoming a competitive advantage for companies.”
PCI Scans: Keeping hosting resilient
COVID and its assorted variants are beyond our control. In our capacity, we’re doing what we can to reduce the impact of climate change. But perhaps the most significant contribution we can make is to help our customers build the resilience required to stay protected against cyber attacks.
One of the many ways Storm delivers safe hosting is through PCI external vulnerability scans included with all dedicated and virtual servers. These scans are run by SecurityMetrics, which is a Payment Card Industry Data Security Standard (PCI DSS) Approved Scanning Vendor (ASV) – quite a mouthful, I know. But it’s important to know that these scans are performed per a globally recognised set of security standards by a vetted and accredited institution. More on PCI DSS below.
What is an external vulnerability scan?
An external vulnerability scan, like the one described above, takes the perspective of a would-be attacker. Here the publicly-accessible network perimeter is probed as well as the server or network component (a.k.a. “target”) which, in this case, is your dedicated or virtual server.
The scan tests for thousands of potential vulnerabilities, not least misconfigured firewalls, malware hazards, remote access vulnerabilities, and even SQL injection vulnerabilities.
An external vulnerability scan should not be confused with an internal vulnerability scan, which takes the perspective of someone who may already have access to your systems. Internal vulnerability scans look for, among other things, weaknesses in access controls, outdated or ineffective virus protection, as well as common and uncommon unpatched vulnerabilities.
With a bit of sysadmin experience, you could run your own external vulnerability scans. But PCI external vulnerability scans offer the benefit of a continuously evolving scan feature capable of identifying the newest vulnerabilities. They are also a requirement for full PCI DSS certification.
What is PCI DSS?
PCI DSS is an acronym for Payment Card Industry Data Security Standard which was formed by Visa Inc., MasterCard, American Express, Discover Financial Services, and JCB. The standard is developed and maintained by the PCI Security Standards Council (PCI SSC).
While the original purpose of PCI DSS was to facilitate interoperability between the various card issuers’ (listed above) own security programs, it has since evolved to become a de facto set of technical and operational requirements to protect card data.
PCI DSS applies to organisations that store, process or transmit cardholder data and/or sensitive authentication data. These include merchants, payment card issuing banks, processors, developers and other vendors.
But even if you don’t accept payments or store user card data, aiming for PCI compliance makes sense since, according to the PCI SSC, “PCI DSS follows common-sense steps that mirror security best practices.”
From the PCI DSS Quick Reference Guide:
There are three ongoing steps for adhering to the PCI DSS:
Assess — identifying all locations of cardholder data, taking an inventory of your IT assets and business processes for payment card processing and analyzing them for vulnerabilities that could expose cardholder data.
Repair — fixing identified vulnerabilities, securely removing any unnecessary cardholder data storage, and implementing secure business processes.
Report — documenting assessment and remediation details, and submitting compliance reports to the acquiring bank and card brands you do business with (or other requesting entity if you’re a service provider).
Storm’s PCI external vulnerability scans assist with the first two steps – assess and repair:
Scans are run once every three months, with reports delivered to your inbox and your Storm Support Pod – your dedicated six-person Storm Support Pod. Any red flags and vulnerabilities are immediately investigated and addressed by your Storm Support Pod.
Additional external vulnerability scans, as well as website scans, can be ordered on demand to stress test server or site changes. On-demand scans are available at below vendor rates thanks to industry partnerships.
Given the evolving nature of online threats, PCI DSS compliance is a continuous process (which is why we run them automatically every three months). The standard itself evolves to protect against emerging threats, with v4 the latest release. As such, with Storm’s PCI external vulnerability scan, your dedicated or shared server will be tested against the newest vulnerabilities and exploits.
Conclusion
Quarterly PCI external vulnerability scans go a long way to protect your dedicated and / or virtual servers by identifying vulnerabilities that need to be addressed. Since PCI compliance is fully-managed by Storm, there’s a reduced need for in-house expertise. This ensures that ‘business as usual’ is available to everyone, and provides a measure of protection against “interesting times”.
Speak with a Storm Expert
Please leave us your details and we'll be in touch shortly
A Trusted Partner