Does anyone do weekly/monthly external network scans? We currently do monthly through our PCI compliance vendor but that may be changing so I’m looking at alternatives.
Do you need to continue to stay PCI compliant? Honestly most orgs this size who don’t have a compliance reason are much better off just auditing firewall rules and keeping up on patches.
After doing additional research, I found out that the way we now accept cards, we are considered a "virtual terminal" and therefore we don't have to maintain PCI compliance standards for our external scans (which due to recent rule changes means no remote access/VPN without going through a process quarterly to justify it). We do not have any traditional credit card terminals, nor do we have any credit card processing software riding on our network. When we take cards it's through a third-party site, and no card information ever resides on the devices themselves. Since we will be dropping the PCI scans we do now, I still want to do monthly scans of our external IPs to make sure that nothing has changed from a security standpoint. These scans have been very helpful in the past to alert us of possible issues when firewalls or external systems are changed in a way that opens up a potential security risk, so we can mitigate against those risks. Usually after any changes to the firewall or external systems I do a manual scan to make sure we are still secured. Hope this makes sense.
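The "has anything changed since last month" check described above, as an added example that is not from any poster in this thread: it parses two scans in nmap's grepable (`-oG`) format, one kept as the baseline and one from the current month, and reports any host/port exposure that appeared or disappeared. The scan data below is constructed sample output using RFC 5737 documentation addresses; the format assumption is only that each host line carries a `Ports:` field in nmap's `port/state/proto/owner/service/rpc/version` layout.

```python
# Constructed sample nmap -oG output (RFC 5737 documentation addresses),
# standing in for last month's baseline scan of the external range.
BASELINE = """\
# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
Host: 203.0.113.20 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///\tIgnored State: filtered (998)
"""

# Constructed sample for this month's scan of the same range.
CURRENT = """\
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)
Host: 203.0.113.20 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
Host: 203.0.113.30 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: filtered (999)
"""


def parse_gnmap(text):
    """Return {host: {(port, proto), ...}} of open ports found in -oG output."""
    exposure = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and Status-only lines carry no port data
        host = line.split()[1]
        # The Ports field runs up to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            # fields: port/state/proto/owner/service/rpc/version
            if len(fields) >= 3 and fields[1] == "open":
                exposure.setdefault(host, set()).add((int(fields[0]), fields[2]))
    return exposure


def diff_exposure(baseline, current):
    """Return (added, removed): sorted (host, port, proto) triples that
    are newly exposed, or no longer exposed, relative to the baseline."""
    before = {(h, p, pr) for h, ports in baseline.items() for p, pr in ports}
    after = {(h, p, pr) for h, ports in current.items() for p, pr in ports}
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    added, removed = diff_exposure(parse_gnmap(BASELINE), parse_gnmap(CURRENT))
    for host, port, proto in added:
        print(f"NEW exposure: {host} {port}/{proto} (check firewall change log)")
    for host, port, proto in removed:
        print(f"closed since baseline: {host} {port}/{proto}")
```

Saving each month's `-oG` file and diffing it against the previous one turns the scan into a change alert rather than a report to read end to end.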
For a belt-and-suspenders product, I'd recommend a HackerTarget subscription. It's affordable and should cover your needs fine.
Hope that helps!
I used Acunetix before for website scanning. Very effective in testing websites for vulnerabilities. It kind of simulates what hackers try to do. But it is at a premium. They did give universities and non-profits free scans a number of years ago, so you can try writing in.