First I have done a dissertation on vulnerability testing and have shown it to
be 25-35% as effective as a full audit done by competant and unhindered staff,
so I have no issues with arguing that automated scans are ineffective.
The PCI DSS does not just require a scan for patches. This is the error in your
comments.
Further, obscurity is less than no defence and usually makes a site less
secure.
You are commenting on the accurace of a document you have not read in full.
This is not a good practice and definately not scientific. There are issues in
that many companies are doing "scans" that do not meet the PCI DSS requirements
- this is a separate issue. There are a few issues here:
1 is the company autorised to do the work (ie on the PCI DSS approved list)
2 are they approved at the required level
If they are, and they do not do the tests correctly and fully they should be
removed from the pannel
If they are not on the pannel they can not do the work. (full stop)
What the hosted company is doing comes into the level of assessment as well.
The company conducting the "scan" has to be assured to a material level (as
defined in audit terms) that the site complies with the standards. This is a
compliance issue. Further securtiy measures are a separate issue. The company
seeking the test is seeking compliance not necessary security. These are very
different things.
The "scanning" company has to for example be assured to a material level that
the hosts are all single purpose and not "virtual" servers. Thus this is more
than a simple scan.
Craig
-----Original Message-----
From: Pete Herzog [mailto:lists@isecom.org]
Sent: Tue 20/12/2005 2:03 AM
To: Craig Wright
Cc: syedma@microland.net; mjohnso6@optonline.net; Ademar Gonzalez;
webappsec@securityfocus.com
Subject: Re: PCI DSS Compliance
Craig Wright wrote:
> An automated, not verified process does not meet the scaning/testing
> requirements. It is thus entirely irrelivant to the discussion as it
> will not help you be compliant.
The question was about whether assuring all known vulns are patched by
disabling all security controls is correct. That was the question which
prompted my discussion about PCI. For me, vuln scanning an entire
network is very wrong and a pointless task. And I think it's important
we challenge notions we suspect to be wrong either to fix them or
correct ourselves. I am proud of you for reading the whole PCI document
and all associated pages but what good does it do you if it isn't
correct?
-pete.
Liability limited by a scheme approved under Professional Standards Legislation
in respect of matters arising within those States and Territories of Australia
where such legislation exists.
DISCLAIMER
The information contained in this email and any attachments is confidential. If
you are not the intended recipient, you must not use or disclose the
information. If you have received this email in error, please inform us
promptly by reply email or by telephoning +61 2 9286 5555. Please delete the
email and destroy any printed copy.
Any views expressed in this message are those of the individual sender. You may
not rely on this message as advice unless it has been electronically signed by
a Partner of BDO or it is subsequently confirmed by letter or fax signed by a
Partner of BDO.
BDO accepts no liability for any damage caused by this email or its attachments
due to viruses, interference, interception, corruption or unauthorised access.
