Search
PatchingPCI DSS Requirement 6Security Patches

PCI Compliance and Virtual Patching

Read More
Surkay Baykara
Surkay Baykara
12026
0
Table of Contents show

Virtual patching is the process that mitigates a particular vulnerability in software without changing the vulnerable code. The term was first used by IPS (Intrusion Prevention System) distributors a few years ago. It is not a web application-specific term and can be applied to other protocols but is currently used more generally for Web Application Firewalls (WAF). Virtual patching is also known as External Patching or Just-in-time Patching.

See Also: Patching for Complying with PCI DSS Requirement 6

Patching is the quick job of repairing a program part. A typical patch is developed and distributed as a replacement or addition to compiled code. A virtual patch analyzes transactions using the security audit layer to prevent malicious traffic from reaching the vulnerable application.

The security policy prevents the exploitation of a vulnerability, also known as the application layer. If virtual patching is enabled, it prevents the exploit from happening without modifying the application’s source code.

Several different tools can be used for virtual patching; these are:

  • Intermediary devices such as WAF or IPS
  • Web server plugin like ModSecurity
  • Application layer filters like ESAPI WAF

What are the Virtual Patch Types?

The virtual patch was first pioneered by the IPS/IDS community. Subsequently, the virtual patch continued to offer similar capabilities in WAFs and the latest RASP products. Placing a proxy or inline packet manipulator between the program and the source of its inputs and outputs is the most frequent technique to construct a virtual patch. Virtual patching can be done in three ways.

  • The first type of virtual patch relies solely on analyzing network traffic. The system that delivers such virtual patches uses signatures, regular expressions, and pattern matching to identify malicious activity and block corresponding requests.
  • The second type of virtual patch is based on the same principles. However, it provides a more robust way to set criteria to block requests using a rule set and capabilities such as state management. A virtual patching solution like ModSecurity is an example.
  • The third type uses the Just-in-Time compilers of concurrent runtime platforms (such as the Java Virtual Machine).

The virtual patching approach offers several advantages over traditional patching:

  • A virtual patch protects mission-critical components that need to be online, so operations are not interrupted in an emergency as with a traditional patch.
  • Until application distributors test and release an effective and permanent patch, virtual patching reduces the risk of exploitation.
  • The virtual patch ensures that if a security vulnerability is discovered before the scheduled patch is deployed, the organization continues operations until the scheduled patch is released.
  • The virtual patch only needs to be installed in a few locations, not all hosts on a network.
  • Provides a scalable solution as it is applied in several places rather than installing patches on all hosts.

The disadvantages or risks of virtual patching include:

  • It may not have addressed all possible ways or possible locations in which an exploit could occur due to a particular vulnerability.
  • Once the virtual patch has been implemented and proven effective, an organization may be less motivated to create a permanent patch.
  • While a virtual patch can prevent a crisis, it is unlikely to be as beneficial in the long run as a permanent patch would because the virtual patch cannot eliminate inherent bugs in an application program.

How Does Virtual Patching Work?

The virtual patch performs scans on servers at specified intervals. It identifies existing vulnerabilities by identifying the operating system and applications on it. If the patch that covers the identified vulnerabilities and is published by the manufacturer is not passed, the rule that will prevent the exposure is added to the network card.

When a signature matching the added rule is detected, the connection is terminated at the network level. This process is called Virtual Patching. In this way, the security vulnerability is closed without waiting for the release of the patch or any product that the manufacturer has withdrawn its support. If the relevant patch is detected on the server in the following scan, the rule is automatically removed.

Can it be used as a Virtual Patch Compensating Control for PCI DSS?

In any case, you must meet many requirements to meet PCI DSS Compliance, but you may feel helpless when you cannot upgrade a security patch because you have an application that does not support it. Because you cannot upgrade your unsupported application, you cannot meet PCI DSS requirement 6.2 and 11.2.

PCI DSS requirement 6.2 states that you must ensure that all system components and software are protected from known vulnerabilities by installing valid vendor-supplied security patches. You must also install critical security patches within one month of their release.

Internal and external network vulnerability assessments and scans should be performed at least quarterly and after any significant network infrastructure modifications, according to PCI DSS requirement 11.2.

The legitimate use for virtual patching according to the PCI DSS requirements above will apply to the following situations:

  • In cases where the application does not support specific patch updates,
  • Where transition activity requires time beyond the compliance cycle,
  • Available when upgrading or patching costs more than the acceptable limit.

Before applying any compensating control or deciding on compensating control, you must understand that compensating control is not a permanent solution. It is a temporary control to address the risk that is defined during the time that actual control is not exercised. In addition, compensating control must be discussed and accepted by the QSA before deployment.

Possible compensatory controls for PCI DSS requirement 6.2 and 11.2 could be a combination of:

  • Virtual Patching – Virtual patching is a solution that aims to prevent the exploitation of security vulnerabilities by creating a new layer on the operating system and application layer. Various proprietary solutions are available on the market for Virtual Patching.
  • Host-Based IPS – These solutions aim to prevent unauthorized changes at the system level.
  • Network Segmentation and Restricted Internet Connection – Placing unpatched systems in the secure network segment and isolating them from other systems can limit their exposure to attacks.

For many organizations, the end of life of specific systems brings many challenges along with security risks. In such cases, a compensating control for PCI DSS compliance may be considered. However, it should be noted that compensating control must be above and beyond the original control.

Previous article
Privileged Access Management Considerations
Next article
Data Center Audit Checklist
Surkay Baykara
Surkay Baykarahttps://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.

More from author

The Most Popular Cyber Risks for Students and How to Protect Yourself from Them

Security 0
In the digital age, students sometimes become targets for cybercriminals. The reasons are manifold: from the vast amount of online personal information to the naive trust many young users place in digital platforms.
Read more

Common Cyber Threats in Ecommerce and How to Mitigate Them

Ecommerce 0
In this article, we will delve into the issue of cybersecurity in ecommerce, describing the types of cyber threats that ecommerce businesses are confronted with and what can be done to avoid these threats.
Read more

Managing Cyber Risk in the Age of Cloud Computing

Cloud Security 0
The cloud delivers game-changing capabilities but also surfaces new cyber risks requiring an evolved security perspective. However, as more sensitive data and critical systems move to the cloud, businesses must adapt their cybersecurity strategies to effectively manage emerging risks.
Read more

Related posts

Application Security

What Does PCI Compliant Software Development Mean for Developers

PCI compliant secure software applications must be developed in accordance with industry best practices to meet PCI DSS software requirements.

Latest posts

The Most Popular Cyber Risks for Students and How to Protect Yourself from Them

0
In the digital age, students sometimes become targets for cybercriminals. The reasons are manifold: from the vast amount of online personal information to the naive trust many young users place in digital platforms.

Common Cyber Threats in Ecommerce and How to Mitigate Them

0
In this article, we will delve into the issue of cybersecurity in ecommerce, describing the types of cyber threats that ecommerce businesses are confronted with and what can be done to avoid these threats.

Managing Cyber Risk in the Age of Cloud Computing

0
The cloud delivers game-changing capabilities but also surfaces new cyber risks requiring an evolved security perspective. However, as more sensitive data and critical systems move to the cloud, businesses must adapt their cybersecurity strategies to effectively manage emerging risks.

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!

PCI DSS GUIDE's aim is to clarify the process of PCI DSS compliance as well as to provide some common sense for that process and to help people preserve their security while they move through their compliance processes.

Latest Posts

The Most Popular Cyber Risks for Students and How to Protect Yourself from Them

0
In the digital age, students sometimes become targets for cybercriminals. The reasons are manifold: from the vast amount of online personal information to the naive trust many young users place in digital platforms.

Common Cyber Threats in Ecommerce and How to Mitigate Them

0
In this article, we will delve into the issue of cybersecurity in ecommerce, describing the types of cyber threats that ecommerce businesses are confronted with and what can be done to avoid these threats.

Managing Cyber Risk in the Age of Cloud Computing

0
The cloud delivers game-changing capabilities but also surfaces new cyber risks requiring an evolved security perspective. However, as more sensitive data and critical systems move to the cloud, businesses must adapt their cybersecurity strategies to effectively manage emerging risks.

Most Popular

PCI DSS Requirements

2
The PCI DSS requirements apply to all system components, including people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data, included in or connected to the cardholder data environment.

What’s New in PCI DSS v4.0?

0
PCI DSS v4.0 replaces PCI DSS version 3.2.1 to address emerging threats and technologies better and provide innovative ways to combat new threats.

Firewall Rule Configuration Best Practices

0
When it comes to securing firewall rules, firewalls have a sensible procedure to follow. Whether you're upgrading hardware or establishing a whole new environment, the order of the procedures will differ.

Fast Access

© PCI DSS GUIDE | All rights reserved