Penetration Testing mailing list archives
Re: PCI Compliance (Vulnerability Scans)
From: bf <illuminatus.master () gmail com>
Date: Thu, 21 Dec 2006 10:38:02 -0500
As others have stated there are two needs that must be met, internal and external scans. We use Control Scan for an external scan vendor (www.controlscan.com), it's cost effective and they really help you resolve any false positives that may occur. We dropped our initial external scan vendor because they insisted on arguing the point on a series of false positives (even after we provided documentation and proof confirming the false positives). The FP were causing our scans to have a status of "Failed" which screws your PCI compliance an audit time. (note: I don't care whether you use them or not I'm just relating my experience with them.) For internal scanning I use a scheduled nmap scan (cron job from a Linux machine). It's free and it works for me. I don't need a full blown "vulnerability scanner" on the LAN as I have other layered controls in place and a lot of that information would be redundant. YMMV. On 12/18/06, David M. Zendzian <dmz () dmzs com> wrote:
Your right, I'm so use to dealing with Level 1 people that I forgot all the others needed approved scanning vendors http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_merchants.html?it=l2|%2Fbusiness%2Faccepting_visa%2Fops_risk_management%2Fcisp%2Ehtml|Merchants#anchor_2 But back to my original question, why are you looking for pci scanning software? The process of becoming an approved vendor usually takes multiple tools as well as the "human factor". I don't think you will find 1 solution for scanning that you can buy and say "we're done". David Vivek Chudgar wrote: > Correction - Level 2 and 3 merchants are also required to have > external vuln scans by an ASV. Level 4 merchants are exempt but their > acquirer can still require them to be scanned by an ASV. > > If a tool is just looking for ports 22,23,25,80 and 445 for service > discovery, I highly doubt if it can pass the certification > requirement. > > You are also right about the level of automation possible. Manual > verification is necessary to eleminate false positives. > > - Vivek > > On 12/17/06, David M. Zendzian <dmz () dmzs com> wrote: >> First, why are you looking for a PCI compliant tool? >> >> Second there are only 2 reasons to do vulnerability scanning. If you are >> level 1 (merchant, service provider or hacked entity:) then you are >> required to have external vulnerability scans by one of the authorized >> scanning providers. There is no need here for software as the service >> provider does all the work and provides you results. >> >> If you are looking to do your scans internally, there is no specific >> needs outlined by PCI for internal vulnerability scans. PCI only says >> you need to perform vulnerability scans. With that in mind, Nessus scans >> work internally :) >> >> What are you trying to accomplish? >> >> David (Visa-QDSP) >> >> 09sparky () gmail com wrote: >> > Thanks for all the great information (all). I am now wondering >> though, if you use an automated tool (VA Scanner that claims to be PCI >> compliant), does that mean whatever it finds and whatever it rates it >> (i.e. HIGH), is the final word, and the company fails? I guess what I >> am asking, I was under the impression that PCI scans could be much >> automated and very little to no user intervention was required (unlike >> a Vulnerability Assessment/Penetration test). However, many automated >> tools have false positives. Doesn't a company fail if they have any >> "HIGH" findings? With that said, are you required to go through each >> finding and validate? If so, then you have just turned it into a >> Vulnerability Assessment. >> > >> > Also, The Automated Tool I have been evaluating claims to be PCI >> compliant. However, for its discovery phase, it only uses ports >> 22,23,25,80 and 445. Upon finding any Host with these ports open, it >> will then run a common port scan. Is this way off? What do most of >> you do for host discovery (i.e. nmap scans of what ports? or different >> tools? >> > >> > Any thoughts? >> > Thanks, >> > Sparky >> > >> > >> ------------------------------------------------------------------------ >> > This List Sponsored by: Cenzic >> > >> > Need to secure your web apps? >> > Cenzic Hailstorm finds vulnerabilities fast. >> > Click the link to buy it, try it or download Hailstorm for FREE. >> > >> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW >> >> > >> ------------------------------------------------------------------------ >> > >> > >> >> ------------------------------------------------------------------------ >> This List Sponsored by: Cenzic >> >> Need to secure your web apps? >> Cenzic Hailstorm finds vulnerabilities fast. >> Click the link to buy it, try it or download Hailstorm for FREE. >> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW >> >> ------------------------------------------------------------------------ >> >> >
Current thread:
- PCI Compliance (Vulnerability Scans) 09sparky (Dec 16)
- RE: PCI Compliance (Vulnerability Scans) Erin Carroll (Dec 16)
- <Possible follow-ups>
- Re: RE: PCI Compliance (Vulnerability Scans) 09sparky (Dec 17)
- Re: PCI Compliance (Vulnerability Scans) David M. Zendzian (Dec 17)
- Re: PCI Compliance (Vulnerability Scans) Vivek Chudgar (Dec 19)
- Re: PCI Compliance (Vulnerability Scans) David M. Zendzian (Dec 19)
- Re: PCI Compliance (Vulnerability Scans) bf (Dec 21)
- Re: PCI Compliance (Vulnerability Scans) David M. Zendzian (Dec 21)
- Banner Grabbing Michael J Condon (Dec 21)
- Message not available
- Re: Banner Grabbing Jamie Riden (Dec 21)
- Message not available
- Re: Banner Grabbing Jamie Riden (Dec 21)
- Re: PCI Compliance (Vulnerability Scans) David M. Zendzian (Dec 17)
- Re: Banner Grabbing Dan Catalin Vasile (Dec 22)
- Re: Banner Grabbing sami ghourabi (Dec 22)
- Message not available
- Re: Banner Grabbing sami ghourabi (Dec 26)
- Re: Banner Grabbing Vikas Singhal (Dec 28)
- Re: Banner Grabbing Eric Kollmann (Dec 29)