Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: PCI DSS Compliance

from [null0] Network Security [Permanent Link]
Subject: Re: PCI DSS Compliance
Date: Mon, 19 Dec 2005 09:53:38 +1100
The wording of the standard is in section 2-3. It basically states that an IPS/IDS is not to interfere with the scan. It does not NOT say that it "MUST be disabled at least for the IP address conducting the vulnerability scan".

It lists a number of options, that can be used in order to prevent the IPS/IDS interfering with the scan.

At the end of the day, is it such a bad thing for the CC companies to be laying down an industry benchmark for the safe use of Credit Card processing and storage?

I understand that there may be issues with the state if security at companies, but since when has security through obscurity been the 'done thing'.

Personally I would very much like to know about my network, and applications, especially if they had issues that could ultimately prevent my company doing business with Visa or Mastercard.

null0



-----Original Message-----
From: Lyal Collins [mailto:lyal.collins@key2it.com.au] Sent: Thursday, 15 December 2005 9:34 AM
To: 'Ademar Gonzalez'; webappsec@securityfocus.com
Subject: RE: PCI DSS Compliance

If you read the PCI scanning requirements, any IPS/IDP solution MUST be
disabled at least for the IP address conducting the vulnerability scan,
for
the duration of the test.
See the documentation on scanning on sdp.mastercardintl.com, page 2-2 of
"Security Scanning
Requirements for Vendors."

However, if it's a firewall that's actively blocking/locking out the
port
scanning IP, then maybe the port scan can be conducted slower to get
under
the threshold, or a firewall rule adjustment performed for the duration
of
the test period.

PCI requires a accurate vulnerability scan. Any PCI accredited scanner
provider would imho, be within their obligated rights to not issue a
'compliant' report in the event they can't perform a meaningful
vulnerability test.

Ultimately, I think its up to your client, the scanning company and
youur
firm to negotiate a way for a meaningful vulnerability scan to be
conducted.

Of course, it may be that the message they provided is boilerplate, and
not
accurately reporting the situation they see.

My 2cents

Lyal



-----Original Message-----
From: Ademar Gonzalez [mailto:ademar.gonzalez@gmail.com] Sent: Wednesday, 14 December 2005 3:37 AM
To: webappsec@securityfocus.com
Subject: PCI DSS Compliance


A shared hosting client needs to get his site PCI DSS certified. He
forwarded us the following request from the company doing the
assessment.

"Your site could not be certified. Your site appears to be running scan
detection software, that has prevented a reliable port scan. This test
is
inconclusive. Please add our scanner ip: ##.##.##.## to your scan
detection
software exclusion list to allow our scanner to make a complete
assessment
of your system."

Is this request plain stupid or what ? Comments ?

I have deal with this kind of requests in the past and most of the time
the
people running this automated scans knows nothing at all about security
nor
anything else and it becomes a pain dealing with the client on one end
that
wants his website certified and the other guy on the security company
that
wants you to open your firewall so hi can run his nmap or whatever it is
they run. It looks like the client runs the risk of not being certified
'cause his website is over-protected. How would you proceed in this
situation ?


ciao ciao
ademar


_____________________________________________________________________ This e-mail has been scanned for viruses by MCI's Internet Managed Scanning Services - powered by MessageLabs. For further information visit http://www.mci.com 

**********************************************************************
This e-mail message and any attachments are intended only for the use of the 
addressee(s) named above and may contain information that is privileged and 
confidential. If you are not the intended recipient, any display, 
dissemination, distribution, or copying is strictly prohibited.   If you 
believe you have received this e-mail message in error, please immediately 
notify the sender by replying to this e-mail message or by telephone to (02) 
9646 9222. Please delete the email and any attachments and do not retain the 
email or any attachments in any form.
**********************************************************************


[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: PCI DSS Compliance, Pete Herzog
Next by Date:  RE: PCI DSS Compliance, Craig Wright
Previous by Thread:  RE: PCI DSS Compliance, Steven Jones
Next by Thread:  RE: PCI DSS Compliance, Craig Wright
Indexes:  [Date] [Thread] [Top] [All Lists]