Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: PCI DSS Compliance

from [Sebastien Deleersnyder] Network Security [Permanent Link]
Subject: RE: PCI DSS Compliance
Date: Thu, 15 Dec 2005 08:28:30 +0100 
Hi Ademar,

No, it is not stupid.

One of the requirements of a PCI DSS audit is that the company 
who has to perform the scan must be able to do this without being
blocked by IDS (=scan detection software).

The IDS should only be disabled for the scanning company, of course.

Other - more preferable - workaround is to test through a VPN tunnel
that bypasses the IDS, if your network set-up permits it. 
That way you do not have to add specific exclusion rules to the IDS
based 
on source IP addresses.

One can argue that the presence of IDS is part of the tested
infrastructure,
but Visa/Mcard wanted the scans to be performed without interference of
an
IDS system.
The goal is to test for vulnerabilities on the tested servers. An IDS
will 
result in a "distorted" view of the servers.
If the IDS became unavailable for some reason, the servers will become 
unprotected if they are not correctly patched and hardened.

Kind regards,

Seba


-----Original Message-----
From: Ademar Gonzalez [mailto:ademar.gonzalez@gmail.com] 
Sent: dinsdag 13 december 2005 17:37
To: webappsec@securityfocus.com
Subject: PCI DSS Compliance

A shared hosting client needs to get his site PCI DSS certified.
He forwarded us the following request from the company doing 
the assessment.

"Your site could not be certified. Your site appears to be 
running scan detection software, that has prevented a 
reliable port scan. This test is inconclusive. Please add our 
scanner ip: ##.##.##.## to your scan detection software 
exclusion list to allow our scanner to make a complete 
assessment of your system."

Is this request plain stupid or what ? Comments ?

I have deal with this kind of requests in the past and most 
of the time the people running this automated scans knows 
nothing at all about security nor anything else and it 
becomes a pain dealing with the client on one end that wants 
his website certified and the other guy on the security 
company that wants you to open your firewall so hi can run 
his nmap or whatever it is they run. It looks like the client 
runs the risk of not being certified 'cause his website is 
over-protected. How would you proceed in this situation ?


ciao ciao
ademar
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  PCI DSS Compliance, Ademar Gonzalez
Next by Date:  Re: PCI DSS Compliance, Richard Moore
Previous by Thread:  Re: PCI DSS Compliance, Peter Watkins
Next by Thread:  RE: PCI DSS Compliance, Steve Kerns
Indexes:  [Date] [Thread] [Top] [All Lists]