Security Basics mailing list archives

RE: Opinions on vulnerability scanning practice?


From: "Krpata, Tyler" <tkrpata () bjs com>
Date: Fri, 4 Aug 2006 13:28:27 -0400

Wanting to run the scan is normal; doing so without coordinating it with
your organization first was in poor taste at best.

-----Original Message-----
From: rgutter () gmail com [mailto:rgutter () gmail com] 
Sent: Wednesday, August 02, 2006 6:20 PM
To: security-basics () securityfocus com
Subject: Opinions on vulnerability scanning practice?

I'd like to get a community opinion on this. We're a union that provides
free web hosting to a number of related non-profit organizations. Some
of them have gone to a third-party provider for e-commerce
functionality, and obviously want to link to that provider from their
sites on our server.


Wanting to set up merchant accounts for these organizations, that
provider's e-commerce service (Beanstream) had a risk management firm
run a vulnerability scan on our server, stating that Visa requires AIS
end-to-end compliance within the Visa payment system.


Now, I recognize the desire to prevent pharming and similar attacks that
could occur were my system to be compromised, but my first response was:
"Who the ^*$$* do you think you are to run a scan on my system without
permission?"


What's the deal here? Am I out of line? Is this normal practice? 

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



