Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: PCI DSS Compliance

from [Steve Kerns] Network Security [Permanent Link]
Subject: RE: PCI DSS Compliance
Date: Thu, 15 Dec 2005 07:53:10 -0600 
The Security Scanning Requirements for Vendors (March 2005) state:

Scanning the environment might trigger the IDS which will in some cases
automatically shut off any communication with the originating IP address
used by the scanning tool. This could produce false reports, so the
vendor should make sure it can
detect such an event. Under no circumstance should an IDS/IPS (intrusion
prevention system) interfere with the results of a vulnerability
assessment.

When the infrastructure contains an IDS, the following options should be
considered:

* The IDS/IPS should be disabled for specific IP addresses (the
originating IP
addresses of the vendor). This is the preferred solution.

Or

* The vendor scans at a network location where the IDS/IPS can not
interfere with the operation.

So you have those 2 options.

Steve Kerns
Security Team Lead
NetSPI
www.netspi.com
800 Washington Ave N, Suite 463
Minneapolis, MN 55401
Cell: 952-250-2143
Office: 612-465-8880
Fax: 612-677-3407



-----Original Message-----
From: Ademar Gonzalez [mailto:ademar.gonzalez@gmail.com] 
Sent: Tuesday, December 13, 2005 10:37 AM
To: webappsec@securityfocus.com
Subject: PCI DSS Compliance


A shared hosting client needs to get his site PCI DSS certified.
He forwarded us the following request from the company doing the
assessment.

"Your site could not be certified. Your site appears to be running
scan detection software, that has prevented a reliable port scan. This
test is inconclusive. Please add our scanner ip: ##.##.##.## to your
scan detection software exclusion list to allow our scanner to make a
complete assessment of your system."

Is this request plain stupid or what ? Comments ?

I have deal with this kind of requests in the past and most of the
time the people running
this automated scans knows nothing at all about security nor anything
else and it becomes a pain dealing with the client on one end that
wants his website certified and the other guy on the security company
that wants you to open your firewall so hi can run his nmap or
whatever it is they run. It looks like the client runs the risk of not
being certified 'cause his website is over-protected. How would you
proceed in this situation ?


ciao ciao
ademar
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: PCI DSS Compliance, Richard Moore
Next by Date:  Re: PCI DSS Compliance, Ademar Gonzalez
Previous by Thread:  RE: PCI DSS Compliance, Sebastien Deleersnyder
Next by Thread:  Re: PCI DSS Compliance, Ademar Gonzalez
Indexes:  [Date] [Thread] [Top] [All Lists]