Microsoft My Bulletins & PCI Compliance
Microsoft just released a new tool for their Security TechCenter. Its a pretty straight-forward service called My Bulletins 1. Basically it provides a customized dashboard to present Microsoft security bulletins. The nice thing is that you can customize the dashboard to only receive notices for those Microsoft products you use and care about.
The interesting use case for My Bulletins is that it can help businesses and merchants meet their PCI compliance obligations. PCI DSS version 2.0 (req. 6.2) and version 3.0 (req. 6.1) both include requirements for monitoring outside sources for vulnerabilities. PCI DSS version 3.0 requirement 6.1 states:
Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.2
Everyone that needs to be PCI compliant must leverage outside sources to monitor security vulnerabilities. Incorporating this practice into your patch management and security program will ensure that you are up-to-date and protected from new threats. There are many resources you can use to meet the intent of this requirement. Vendors, security companies, and government organizations provide security notices, bulletins, and mailing lists to disclose newly discovered vulnerabilities and the relevant patches and fixes. You can subscribe to these lists and stay up to date on security issues affecting your environment.
Some common sources used to meet this requirement are:
Although the sources listed above are very popular and reliable, they also cover all known vulnerabilities, whether they pertain to your infrastructure or not. For instance, if a new issue is detected in Linux but you are 100% a Windows shop, you will still receive the notices for Linux vulnerabilities. The nice thing about the new Microsoft My Bulletins service, and other vendor specific bulletins, is that they are specific to the applications and services actually used throughout your network. These are the vulnerabilities you are most concerned with and should take top priority in responding to with updates and patches. Although the Microsoft service doesn't currently provide any email or notification functionality, the dashboard is easy to configure and gives you a nice place to review vulnerabilities. To get started with the service you just need to sign in with a Microsoft account, or create one right there. Figure out what Microsoft applications you use in your network and add them to your dashboard to monitor. Then the last thing you need to do is add to your schedule the task of regularly logging in and viewing any new items that need your attention. The whole intent behind PCI DSS requirement 6.1 is for you to stay updated with new vulnerabilities so you can quickly respond to issues that impact your environment. By taking advantage of this new Microsoft service, meeting the objectives of PCI compliance will become a little easier and a little more effective.