PCI Compliance and Virtual Patching

Virtual patching is the process that mitigates a particular vulnerability in software without changing the vulnerable code. The term was first used by IPS (Intrusion Prevention System) distributors a few years ago. It is not a web application-specific term and can be applied to other protocols but is currently used more generally for Web Application Firewalls (WAF). Virtual patching is also known as External Patching or Just-in-time Patching.

See Also: Patching for Complying with PCI DSS Requirement 6

Patching is the quick job of repairing a program part. A typical patch is developed and distributed as a replacement or addition to compiled code. A virtual patch analyzes transactions using the security audit layer to prevent malicious traffic from reaching the vulnerable application.

The security policy prevents the exploitation of a vulnerability, also known as the application layer. If virtual patching is enabled, it prevents the exploit from happening without modifying the application’s source code.

Several different tools can be used for virtual patching; these are:

  • Intermediary devices such as WAF or IPS
  • Web server plugin like ModSecurity
  • Application layer filters like ESAPI WAF

What are the Virtual Patch Types?

The virtual patch was first pioneered by the IPS/IDS community. Subsequently, the virtual patch continued to offer similar capabilities in WAFs and the latest RASP products. Placing a proxy or inline packet manipulator between the program and the source of its inputs and outputs is the most frequent technique to construct a virtual patch. Virtual patching can be done in three ways.

  • The first type of virtual patch relies solely on analyzing network traffic. The system that delivers such virtual patches uses signatures, regular expressions, and pattern matching to identify malicious activity and block corresponding requests.
  • The second type of virtual patch is based on the same principles. However, it provides a more robust way to set criteria to block requests using a rule set and capabilities such as state management. A virtual patching solution like ModSecurity is an example.
  • The third type uses the Just-in-Time compilers of concurrent runtime platforms (such as the Java Virtual Machine).

The virtual patching approach offers several advantages over traditional patching:

  • A virtual patch protects mission-critical components that need to be online, so operations are not interrupted in an emergency as with a traditional patch.
  • Until application distributors test and release an effective and permanent patch, virtual patching reduces the risk of exploitation.
  • The virtual patch ensures that if a security vulnerability is discovered before the scheduled patch is deployed, the organization continues operations until the scheduled patch is released.
  • The virtual patch only needs to be installed in a few locations, not all hosts on a network.
  • Provides a scalable solution as it is applied in several places rather than installing patches on all hosts.

The disadvantages or risks of virtual patching include:

  • It may not have addressed all possible ways or possible locations in which an exploit could occur due to a particular vulnerability.
  • Once the virtual patch has been implemented and proven effective, an organization may be less motivated to create a permanent patch.
  • While a virtual patch can prevent a crisis, it is unlikely to be as beneficial in the long run as a permanent patch would because the virtual patch cannot eliminate inherent bugs in an application program.

How Does Virtual Patching Work?

The virtual patch performs scans on servers at specified intervals. It identifies existing vulnerabilities by identifying the operating system and applications on it. If the patch that covers the identified vulnerabilities and is published by the manufacturer is not passed, the rule that will prevent the exposure is added to the network card.

When a signature matching the added rule is detected, the connection is terminated at the network level. This process is called Virtual Patching. In this way, the security vulnerability is closed without waiting for the release of the patch or any product that the manufacturer has withdrawn its support. If the relevant patch is detected on the server in the following scan, the rule is automatically removed.

Can it be used as a Virtual Patch Compensating Control for PCI DSS?

In any case, you must meet many requirements to meet PCI DSS Compliance, but you may feel helpless when you cannot upgrade a security patch because you have an application that does not support it. Because you cannot upgrade your unsupported application, you cannot meet PCI DSS requirement 6.2 and 11.2.

PCI DSS requirement 6.2 states that you must ensure that all system components and software are protected from known vulnerabilities by installing valid vendor-supplied security patches. You must also install critical security patches within one month of their release.

Internal and external network vulnerability assessments and scans should be performed at least quarterly and after any significant network infrastructure modifications, according to PCI DSS requirement 11.2.

The legitimate use for virtual patching according to the PCI DSS requirements above will apply to the following situations:

  • In cases where the application does not support specific patch updates,
  • Where transition activity requires time beyond the compliance cycle,
  • Available when upgrading or patching costs more than the acceptable limit.

Before applying any compensating control or deciding on compensating control, you must understand that compensating control is not a permanent solution. It is a temporary control to address the risk that is defined during the time that actual control is not exercised. In addition, compensating control must be discussed and accepted by the QSA before deployment.

Possible compensatory controls for PCI DSS requirement 6.2 and 11.2 could be a combination of:

  • Virtual Patching – Virtual patching is a solution that aims to prevent the exploitation of security vulnerabilities by creating a new layer on the operating system and application layer. Various proprietary solutions are available on the market for Virtual Patching.
  • Host-Based IPS – These solutions aim to prevent unauthorized changes at the system level.
  • Network Segmentation and Restricted Internet Connection – Placing unpatched systems in the secure network segment and isolating them from other systems can limit their exposure to attacks.

For many organizations, the end of life of specific systems brings many challenges along with security risks. In such cases, a compensating control for PCI DSS compliance may be considered. However, it should be noted that compensating control must be above and beyond the original control.

Surkay Baykarahttp://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Biznet. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Biznet, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.

More from author

What Are the Ways to Reduce PCI Scope

If you can limit the amount of cardholder data you have, you'll have fewer data to audit.

How to Define PCI DSS Scope

The PCI DSS scope of a business or organization includes all people, processes, and technologies that can affect and interact with cardholder data security.

Why DNS Security Matters

DNS security best practices are similar to those for most other systems. Restrict access, utilize multi-factor authentication (MFA), activate security settings, and maintain everything up to date.

Related posts

Latest posts

What Are the Ways to Reduce PCI Scope

If you can limit the amount of cardholder data you have, you'll have fewer data to audit.

How to Define PCI DSS Scope

The PCI DSS scope of a business or organization includes all people, processes, and technologies that can affect and interact with cardholder data security.

Why DNS Security Matters

DNS security best practices are similar to those for most other systems. Restrict access, utilize multi-factor authentication (MFA), activate security settings, and maintain everything up to date.

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!